svn commit: r44076 - head/en_US.ISO8859-1/books/handbook/firewalls
Dru Lavigne
dru at FreeBSD.org
Wed Feb 26 17:05:29 UTC 2014
Author: dru
Date: Wed Feb 26 17:05:28 2014
New Revision: 44076
URL: http://svnweb.freebsd.org/changeset/doc/44076
Log:
Initial pass through enabling IPFW.
Shuffle IPFW command to later in the chapter, might get shuffled again.
Begin prep work for syntax section.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 26 16:22:52 2014 (r44075)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 26 17:05:28 2014 (r44076)
@@ -1675,7 +1675,7 @@ options IPDIVERT # enables NAT</pro
<programlisting>firewall_type="open"</programlisting>
- <para>The available values for this setting are:</para>
+ <para>The available types are:</para>
<itemizedlist>
<listitem>
@@ -1702,114 +1702,48 @@ options IPDIVERT # enables NAT</pro
firewall rules.</para>
</listitem>
<listitem>
- <para><filename>filename</filename>: full path of the file
- containing the firewall rules.</para>
+ <para><literal>filename</literal>: full path of the file
+ containing the firewall ruleset.</para>
</listitem>
</itemizedlist>
- <para>To instead load a custom ruleset, either set the
- <filename>filename</filename> value of
- <literal>firewall_type</literal> or set the
- <literal>firewall_script</literal> variable to the absolute
- path of an executable script that includes
- <command>IPFW</command> commands. This example script blocks
- all incoming and outgoing traffic:</para>
-
- <programlisting>#!/bin/sh
-
-ipfw -q flush
-
-ipfw add deny in
-ipfw add deny out</programlisting>
-
- <note>
- <para>If <literal>firewall_type</literal> is set to either
+ <para>If <literal>firewall_type</literal> is set to either
<literal>client</literal> or <literal>simple</literal>,
modify the default rules found in
<filename>/etc/rc.firewall</filename> to fit the
- configuration of the system. The examples used in this
- section assume that the <literal>firewall_script</literal>
- is set to <filename>/etc/ipfw.rules</filename>.</para>
- </note>
-
- <para>Enable logging:</para>
-
- <programlisting>firewall_logging="YES"</programlisting>
+ configuration of the system.</para>
- <warning>
- <para><varname>firewall_logging</varname> sets the
- <varname>net.inet.ip.fw.verbose</varname> sysctl
- variable to the value of <literal>1</literal>. There is no
- <filename>rc.conf</filename> variable to set log
- limitations, but the desired value can be set using
- <command>sysctl</command> or by adding the following
- variable and desired value to
- <filename>/etc/sysctl.conf</filename>:</para>
-
- <programlisting>net.inet.ip.fw.verbose_limit=5</programlisting>
- </warning>
-
- <para>If the machine is acting as a gateway providing
- <acronym>NAT</acronym> using &man.natd.8;, refer to <xref
- linkend="network-natd"/> for information regarding the
- required <filename>/etc/rc.conf</filename> options.</para>
- </sect2>
+ <para>Note that the
+ <literal>filename</literal> type is used to load a custom ruleset.</para>
- <sect2 xml:id="firewalls-ipfw-cmd">
- <title>The <application>IPFW</application> Command</title>
-
- <indexterm><primary><command>ipfw</command></primary></indexterm>
-
- <para><command>ipfw</command> can be used to make manual,
- single rule additions or deletions to the active firewall
- while it is running. The problem with using this method is
- that all the changes are lost when the system reboots. It is
- recommended to instead write all the rules in a file and to
- use that file to load the rules at boot time and to replace
- the currently running firewall rules whenever that file
- changes.</para>
-
- <para><command>ipfw</command> is a useful way to display the
- running firewall rules to the console screen. The
- <application>IPFW</application> accounting facility
- dynamically creates a counter for each rule that counts each
- packet that matches the rule. During the process of testing a
- rule, listing the rule with its counter is one way to
- determine if the rule is functioning as expected.</para>
-
- <para>To list all the running rules in sequence:</para>
-
- <screen>&prompt.root; <userinput>ipfw list</userinput></screen>
-
- <para>To list all the running rules with a time stamp of when
- the last time the rule was matched:</para>
-
- <screen>&prompt.root; <userinput>ipfw -t list</userinput></screen>
-
- <para>The next example lists accounting information and the
- packet count for matched rules along with the rules
- themselves. The first column is the rule number, followed by
- the number of matched packets and bytes, followed by the rule
- itself.</para>
-
- <screen>&prompt.root; <userinput>ipfw -a list</userinput></screen>
-
- <para>To list dynamic rules in addition to static rules:</para>
-
- <screen>&prompt.root; <userinput>ipfw -d list</userinput></screen>
+ <para>An alternate way to load a custom ruleset is to set the
+ <literal>firewall_script</literal> variable to the absolute
+ path of an <emphasis>executable script</emphasis> that includes
+ <application>IPFW</application> commands. The examples used in this
+ section assume that the <literal>firewall_script</literal>
+ is set to <filename>/etc/ipfw.rules</filename>:</para>
- <para>To also show the expired dynamic rules:</para>
+ <programlisting>firewall_script="/etc/ipfw.rules"</programlisting>
- <screen>&prompt.root; <userinput>ipfw -d -e list</userinput></screen>
+ <para>To enable logging, include this line:</para>
- <para>To zero the counters:</para>
-
- <screen>&prompt.root; <userinput>ipfw zero</userinput></screen>
+ <programlisting>firewall_logging="YES"</programlisting>
- <para>To zero the counters for just the rule with number
- <replaceable>NUM</replaceable>:</para>
+ <para>There is no
+ <filename>/etc/rc.conf</filename> variable to set logging
+ limits. To limit the number of times a rule is logged
+ per connection attempt, specify the number using this line
+ in
+ <filename>/etc/sysctl.conf</filename>:</para>
- <screen>&prompt.root; <userinput>ipfw zero NUM</userinput></screen>
+ <programlisting>net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></programlisting>
+
+ <para>After saving the needed edits, start the firewall. To
+ enable logging limits now, also set the
+ <command>sysctl</command> value specified above:</para>
+
+ <screen>&prompt.root; <userinput>service ipfw start</userinput>
+&prompt.root; <userinput>sysctl net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></userinput></screen>
</sect2>
<sect2 xml:id="firewalls-ipfw-rules">
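Review bot: the removed paragraph ending in `<xref linkend="network-natd"/>` was the only pointer from this section to the `/etc/rc.conf` options needed when the host is also a NAT gateway using natd(8), and nothing in the added text replaces it; keep that paragraph or re-add the cross-reference next to the new `service ipfw start` step. Two smaller points in the same hunk: the dropped `<warning>` explained that `firewall_logging="YES"` sets `net.inet.ip.fw.verbose` to 1, which is useful context for the `verbose_limit` sysctl that follows and could survive as one sentence; and the new phrase "limit the number of times a rule is logged per connection attempt" states a scope the removed text did not (it only spoke of "log limitations"), so verify that wording against ipfw(8) before it lands. Also, `<para>Note that the <literal>filename</literal> type is used to load a custom ruleset.</para>` repeats the list item directly above it and could be folded into the following `firewall_script` paragraph.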
@@ -1821,16 +1755,16 @@ ipfw add deny out</programlisting>
<secondary>rule processing order</secondary>
</indexterm>
- <para>When a packet enters the <acronym>IPFW</acronym> firewall,
+ <para>When a packet enters the <application>IPFW</application> firewall,
it is compared against the first rule in the ruleset and
progresses one rule at a time, moving from top to bottom of
the set in ascending rule number sequence order. When the
packet matches the selection parameters of a rule, the rule's
- action field value is executed and the search of the ruleset
+ action is executed and the search of the ruleset
terminates for that packet. This is referred to as
<quote>first match wins</quote>. If the packet does not match
any of the rules, it gets caught by the mandatory
- <application>IPFW</application> default rule, number 65535,
+ <application>IPFW</application> default rule number 65535,
which denies all packets and silently discards them. However,
if the packet matches a rule that contains the
<literal>count</literal>, <literal>skipto</literal>, or
@@ -1838,11 +1772,8 @@ ipfw add deny out</programlisting>
to &man.ipfw.8; for details on how these keywords affect rule
processing.</para>
- <para>The examples in this section create an inclusive type
- firewall ruleset containing the stateful <literal>keep
- state</literal>, <literal>limit</literal>,
- <literal>in</literal>, <literal>out</literal> and
- <literal>via</literal> options. For a complete rule syntax
+ <para>This section provides an overview of the rule syntax for creating
+ stateful rules. For a complete rule syntax
description, refer to &man.ipfw.8;.</para>
<indexterm>
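Review bot: "an overview of the rule syntax for creating stateful rules" narrows the scope more than the section supports: the template `CMD RULE_NUMBER ACTION LOGGING SELECTION STATEFUL` that follows and the LOGGING and SELECTION entries apply to every rule, stateful or not. Suggest "an overview of the rule syntax" with a clause noting that the STATEFUL keywords are optional.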
@@ -1851,11 +1782,11 @@ ipfw add deny out</programlisting>
<secondary>rule syntax</secondary>
</indexterm>
- <para>This section describes the keywords which comprise an
- <application>IPFW</application> rule. Keywords must be
- written in the following order. <literal>#</literal> is used
+ <para>When creating an
+ <application>IPFW</application> rule, keywords must be
+ written in the following order. The <literal>#</literal> symbol is used
to mark the start of a comment and may appear at the end of a
- rule line or on its own line. Blank lines are ignored.</para>
+ rule or on its own line. Blank lines are ignored.</para>
<para><replaceable>CMD RULE_NUMBER ACTION LOGGING SELECTION
STATEFUL</replaceable></para>
@@ -1915,7 +1846,7 @@ ipfw add deny out</programlisting>
</varlistentry>
<varlistentry>
- <term>Logging</term>
+ <term>LOGGING</term>
<listitem>
<para>When a packet matches a rule with the
<literal>log</literal> keyword, a message will be logged
@@ -1942,7 +1873,7 @@ ipfw add deny out</programlisting>
</varlistentry>
<varlistentry>
- <term>Selection</term>
+ <term>SELECTION</term>
<listitem>
<para>The keywords described in this section are used to
describe attributes of the packet to be checked when
@@ -2031,7 +1962,7 @@ ipfw add deny out</programlisting>
</varlistentry>
<varlistentry>
- <term>Stateful Rule Option</term>
+ <term>STATEFUL</term>
<listitem>
<para>The <literal>check-state</literal> option is used to
identify where in the <application>IPFW</application>
@@ -2058,6 +1989,63 @@ ipfw add deny out</programlisting>
</listitem>
</varlistentry>
</variablelist>
+ </sect2>
+
+ <sect2 xml:id="firewalls-ipfw-cmd">
+ <title>The <application>IPFW</application> Command</title>
+
+ <indexterm><primary><command>ipfw</command></primary></indexterm>
+
+ <para><command>ipfw</command> can be used to make manual,
+ single rule additions or deletions to the active firewall
+ while it is running. The problem with using this method is
+ that all the changes are lost when the system reboots. It is
+ recommended to instead write all the rules in a file and to
+ use that file to load the rules at boot time and to replace
+ the currently running firewall rules whenever that file
+ changes.</para>
+
+ <para><command>ipfw</command> is a useful way to display the
+ running firewall rules to the console screen. The
+ <application>IPFW</application> accounting facility
+ dynamically creates a counter for each rule that counts each
+ packet that matches the rule. During the process of testing a
+ rule, listing the rule with its counter is one way to
+ determine if the rule is functioning as expected.</para>
+
+ <para>To list all the running rules in sequence:</para>
+
+ <screen>&prompt.root; <userinput>ipfw list</userinput></screen>
+
+ <para>To list all the running rules with a time stamp of when
+ the last time the rule was matched:</para>
+
+ <screen>&prompt.root; <userinput>ipfw -t list</userinput></screen>
+
+ <para>The next example lists accounting information and the
+ packet count for matched rules along with the rules
+ themselves. The first column is the rule number, followed by
+ the number of matched packets and bytes, followed by the rule
+ itself.</para>
+
+ <screen>&prompt.root; <userinput>ipfw -a list</userinput></screen>
+
+ <para>To list dynamic rules in addition to static rules:</para>
+
+ <screen>&prompt.root; <userinput>ipfw -d list</userinput></screen>
+
+ <para>To also show the expired dynamic rules:</para>
+
+ <screen>&prompt.root; <userinput>ipfw -d -e list</userinput></screen>
+
+ <para>To zero the counters:</para>
+
+ <screen>&prompt.root; <userinput>ipfw zero</userinput></screen>
+
+ <para>To zero the counters for just the rule with number
+ <replaceable>NUM</replaceable>:</para>
+
+ <screen>&prompt.root; <userinput>ipfw zero NUM</userinput></screen>
<sect3>
<title>Logging Firewall Messages</title>
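Review bot: with the new `</sect2>` closing the rules section right after `</variablelist>` and `<sect2 xml:id="firewalls-ipfw-cmd">` opened immediately after it, the trailing context `<sect3><title>Logging Firewall Messages</title>` now nests inside the moved IPFW Command section instead of the rule syntax section it belonged to; if that is not intended, the moved sect2 needs its own closing tag before that sect3, or the sect3 has to move with it. Minor: the last screen uses a bare `ipfw zero NUM` while the preceding para marks `<replaceable>NUM</replaceable>`; wrap `NUM` in the screen the same way.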