svn commit: r43662 - head/en_US.ISO8859-1/books/handbook/firewalls

Warren Block wblock at FreeBSD.org
Mon Jan 27 13:12:05 UTC 2014


Author: wblock
Date: Mon Jan 27 13:12:05 2014
New Revision: 43662
URL: http://svnweb.freebsd.org/changeset/doc/43662

Log:
  Whitespace-only cleanup, translators please ignore.

Modified:
  head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Mon Jan 27 12:38:53 2014	(r43661)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Mon Jan 27 13:12:05 2014	(r43662)
@@ -4,18 +4,34 @@
 
      $FreeBSD$
 -->
-<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="firewalls">
-  <info><title>Firewalls</title>
+<chapter xmlns="http://docbook.org/ns/docbook"
+  xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
+  xml:id="firewalls">
+
+  <info>
+    <title>Firewalls</title>
+
     <authorgroup>
-      <author><personname><firstname>Joseph J.</firstname><surname>Barbish</surname></personname><contrib>Contributed by </contrib></author>
+      <author>
+	<personname>
+	  <firstname>Joseph J.</firstname>
+	  <surname>Barbish</surname>
+	</personname>
+	<contrib>Contributed by </contrib>
+      </author>
     </authorgroup>
+
     <authorgroup>
-      <author><personname><firstname>Brad</firstname><surname>Davis</surname></personname><contrib>Converted to SGML and updated by </contrib></author>
+      <author>
+	<personname>
+	  <firstname>Brad</firstname>
+	  <surname>Davis</surname>
+	</personname>
+	<contrib>Converted to SGML and updated by </contrib>
+      </author>
     </authorgroup>
   </info>
 
-  
-
   <indexterm><primary>firewall</primary></indexterm>
 
   <indexterm>
@@ -166,19 +182,26 @@
       <acronym>TCP/IP</acronym> works, what the different values in
       the packet control fields are, and how these values are used in
       a normal session conversation.  For a good introduction, refer
-      to <link xlink:href="http://www.ipprimer.com/overview.cfm">Daryl's TCP/IP
-	Primer</link>.</para>
+      to
+      <link xlink:href="http://www.ipprimer.com/overview.cfm">Daryl's
+	TCP/IP Primer</link>.</para>
   </sect1>
 
   <sect1 xml:id="firewalls-pf">
-    <info><title>PF and <acronym>ALTQ</acronym></title>
+    <info>
+      <title>PF and <acronym>ALTQ</acronym></title>
+
       <authorgroup>
-	<author><personname><firstname>John</firstname><surname>Ferrell</surname></personname><contrib>Revised and updated by </contrib></author>
+	<author>
+	  <personname>
+	    <firstname>John</firstname>
+	    <surname>Ferrell</surname>
+	  </personname>
+	  <contrib>Revised and updated by </contrib>
+	</author>
       </authorgroup>
     </info>
 
-    
-
     <indexterm>
       <primary>firewall</primary>
 
@@ -193,13 +216,15 @@
       Quality of Service (<acronym>QoS</acronym>).</para>
 
     <para>Since the OpenBSD Project maintains the definitive
-      reference for <acronym>PF</acronym> in the <link xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>, this
-      section of the Handbook focuses on <acronym>PF</acronym> as it
-      pertains to &os;, while providing some general usage
+      reference for <acronym>PF</acronym> in the
+      <link xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>,
+      this section of the Handbook focuses on <acronym>PF</acronym> as
+      it pertains to &os;, while providing some general usage
       information.</para>
 
     <para>More information about porting <acronym>PF</acronym> to &os;
-      can be found at <uri xlink:href="http://pf4freebsd.love2party.net/">http://pf4freebsd.love2party.net/</uri>.</para>
+      can be found at <uri
+	xlink:href="http://pf4freebsd.love2party.net/">http://pf4freebsd.love2party.net/</uri>.</para>
 
     <sect2>
       <title>Using the PF Loadable Kernel Modules</title>
@@ -208,26 +233,27 @@
 	loaded.  Add the following line to
 	<filename>/etc/rc.conf</filename>:</para>
 
-        <programlisting>pf_enable="YES"</programlisting>
-
-	<para>Then, run the startup script to load the module:</para>
+      <programlisting>pf_enable="YES"</programlisting>
 
-        <screen>&prompt.root; <userinput>service pf start</userinput></screen>
-
-	<para>The PF module will not load if it cannot find the
-	  ruleset configuration file.  The default location is
-	  <filename>/etc/pf.conf</filename>.  If the PF ruleset is
-	  located somewhere else, add a line to
-	  <filename>/etc/rc.conf</filename> which specifies the full
-	  path to the file:</para>
+      <para>Then, run the startup script to load the module:</para>
 
-        <programlisting>pf_rules="<replaceable>/path/to/pf.conf</replaceable>"</programlisting>
+      <screen>&prompt.root; <userinput>service pf start</userinput></screen>
 
-	<para>The sample <filename>pf.conf</filename>
-	  can be found in <filename>/usr/share/examples/pf/</filename>.</para>
+      <para>The PF module will not load if it cannot find the
+	ruleset configuration file.  The default location is
+	<filename>/etc/pf.conf</filename>.  If the PF ruleset is
+	located somewhere else, add a line to
+	<filename>/etc/rc.conf</filename> which specifies the full
+	path to the file:</para>
+
+      <programlisting>pf_rules="<replaceable>/path/to/pf.conf</replaceable>"</programlisting>
+
+      <para>The sample <filename>pf.conf</filename>
+	can be found in
+	<filename>/usr/share/examples/pf/</filename>.</para>
 
-	<para>The <acronym>PF</acronym> module can also be loaded
-	  manually from the command line:</para>
+      <para>The <acronym>PF</acronym> module can also be loaded
+	manually from the command line:</para>
 
       <screen>&prompt.root; <userinput>kldload pf.ko</userinput></screen>
 
@@ -240,7 +266,6 @@
       <para>Then, run the startup script to load the module:</para>
 
       <screen>&prompt.root; <userinput>service pflog start</userinput></screen>
-
     </sect2>
 
     <sect2>
@@ -248,30 +273,28 @@
 
       <indexterm>
 	<primary>kernel options</primary>
-
 	<secondary>device pf</secondary>
       </indexterm>
 
       <indexterm>
 	<primary>kernel options</primary>
-
 	<secondary>device pflog</secondary>
       </indexterm>
 
       <indexterm>
 	<primary>kernel options</primary>
-
 	<secondary>device pfsync</secondary>
       </indexterm>
 
-      <para>While it is not necessary to compile
-	<acronym>PF</acronym> support into the &os; kernel, some of
-	PF's advanced features are not included in the loadable
-	module, namely &man.pfsync.4;, which is a pseudo-device that
-	exposes certain changes to the state table used by
-	<acronym>PF</acronym>.  It can be paired with &man.carp.4; to
-	create failover firewalls using <acronym>PF</acronym>.  More
-	information on <acronym>CARP</acronym> can be found in <link linkend="carp">of the Handbook</link>.</para>
+      <para>While it is not necessary to compile <acronym>PF</acronym>
+	support into the &os; kernel, some of PF's advanced features
+	are not included in the loadable module, namely
+	&man.pfsync.4;, which is a pseudo-device that exposes certain
+	changes to the state table used by <acronym>PF</acronym>.  It
+	can be paired with &man.carp.4; to create failover firewalls
+	using <acronym>PF</acronym>.  More information on
+	<acronym>CARP</acronym> can be found in
+	<link linkend="carp">of the Handbook</link>.</para>
 
       <para>The following <acronym>PF</acronym> kernel options can be
 	found in <filename>/usr/src/sys/conf/NOTES</filename>:</para>
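Review bot: the rewrapped paragraph still ends with `<link linkend="carp">of the Handbook</link>`, which renders as "can be found in of the Handbook"; a word or the section title is missing before "of". Since this commit is whitespace-only and translators are told to ignore it, leave it as is here and fix the wording in a separate content commit so it reaches the translations.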
@@ -323,24 +346,27 @@ pflog_flags=""                  # additi
 	specified in this file.  The &os; installation includes
 	several sample files located in
 	<filename>/usr/share/examples/pf/</filename>.  Refer to the
-	<link xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link> for
-	complete coverage of <acronym>PF</acronym> rulesets.</para>
+	<link xlink:href="http://www.openbsd.org/faq/pf/">PF
+	  FAQ</link> for complete coverage of <acronym>PF</acronym>
+	rulesets.</para>
 
       <warning>
-	<para>When reading the <link xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>,
+	<para>When reading the <link
+	    xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>,
 	  keep in mind that different versions of &os; contain
 	  different versions of PF.  Currently,
-	  &os; 8.<replaceable>X</replaceable> is using the
-	  same version of <acronym>PF</acronym> as
-	  OpenBSD 4.1.  &os; 9.<replaceable>X</replaceable>
-	  and later is using the same version of <acronym>PF</acronym>
-	  as OpenBSD 4.5.</para>
+	  &os; 8.<replaceable>X</replaceable> is using the same
+	  version of <acronym>PF</acronym> as OpenBSD 4.1.
+	  &os; 9.<replaceable>X</replaceable> and later is using
+	  the same version of <acronym>PF</acronym> as
+	  OpenBSD 4.5.</para>
       </warning>
 
       <para>The &a.pf; is a good place to ask questions about
 	configuring and running the <acronym>PF</acronym> firewall.
 	Do not forget to check the mailing list archives before asking
 	questions.</para>
+
       <para>To control <acronym>PF</acronym>, use &man.pfctl.8;.
 	Below are some useful options to this command.  Review
 	&man.pfctl.8; for a description of all available
@@ -440,7 +466,8 @@ options         ALTQ_NOPCC      # Requir
       <para><literal>options ALTQ_HFSC</literal> enables the
 	<emphasis>Hierarchical Fair Service Curve Packet
 	  Scheduler</emphasis> <acronym>HFSC</acronym>.  For more
-	information, refer to <uri xlink:href="http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html">http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html</uri>.</para>
+	information, refer to <uri
+	  xlink:href="http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html">http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html</uri>.</para>
 
       <para><literal>options ALTQ_PRIQ</literal> enables
 	<emphasis>Priority Queuing</emphasis>
@@ -454,24 +481,32 @@ options         ALTQ_NOPCC      # Requir
     </sect2>
 
     <sect2 xml:id="pf-tutorial">
-      <info><title><acronym>PF</acronym> Rule Sets and Tools</title>
+      <info>
+	<title><acronym>PF</acronym> Rule Sets and Tools</title>
+
 	<authorgroup>
-	  <author><personname><firstname>Peter</firstname><surname>Hansteen</surname><othername>N. M.</othername></personname><contrib>Contributed by </contrib></author>
+	  <author>
+	    <personname>
+	      <firstname>Peter</firstname>
+	      <surname>Hansteen</surname>
+	      <othername>N. M.</othername>
+	    </personname>
+	    <contrib>Contributed by </contrib>
+	  </author>
 	</authorgroup>
       </info>
 
-      
-
       <para>This section demonstrates some useful
 	<acronym>PF</acronym> features and <acronym>PF</acronym>
 	related tools in a series of examples.  A more thorough
-	tutorial is available at <link xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>.</para>
+	tutorial is available at <link
+	  xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>.</para>
 
       <tip>
-	<para><package>security/sudo</package> is
-	  useful for running commands like <command>pfctl</command>
-	  that require elevated privileges.  It can be installed from
-	  the Ports Collection.</para>
+	<para><package>security/sudo</package> is useful for running
+	  commands like <command>pfctl</command> that require elevated
+	  privileges.  It can be installed from the Ports
+	  Collection.</para>
       </tip>
 
       <sect3 xml:id="pftut-simplest">
@@ -506,7 +541,8 @@ pass out all keep state</programlisting>
 	      of some thinking.  The point of packet filtering is to
 	      take control, not to run catch-up with what the bad guys
 	      do.  Marcus Ranum has written a very entertaining and
-	      informative article about this, <link xlink:href="http://www.ranum.com/security/computer_security/editorials/dumb/index.html">The
+	      informative article about this, <link
+		xlink:href="http://www.ranum.com/security/computer_security/editorials/dumb/index.html">The
 		Six Dumbest Ideas in Computer Security</link>, and
 	      it is well written too.</para></footnote>.  This gives
 	  us the opportunity to introduce two of the features which
@@ -892,7 +928,7 @@ pass from { lo0, $localnet } to any keep
 	    gateway is amazingly simple, thanks to the
 	    <acronym>FTP</acronym> proxy program (called
 	    &man.ftp-proxy.8;) included in the base system on &os; and
-	    other systems which offer <acronym>PF</acronym>. </para>
+	    other systems which offer <acronym>PF</acronym>.</para>
 
 	  <para>The <acronym>FTP</acronym> protocol being what it is,
 	    the proxy needs to dynamically insert rules in your rule
@@ -1127,7 +1163,8 @@ pass out on $ext_if inet proto udp from 
 	  <para>Under any circumstances, this solution was lifted
 	    from an openbsd-misc post.  I have found that list, and
 	    the searchable list archives (accessible among other
-	    places from <link xlink:href="http://marc.theaimsgroup.com/">http://marc.theaimsgroup.com/</link>),
+	    places from <link
+	      xlink:href="http://marc.theaimsgroup.com/">http://marc.theaimsgroup.com/</link>),
 	    to be a very valuable resource whenever you need OpenBSD
 	    or <acronym>PF</acronym> related information.</para>
 	</sect4>
@@ -1345,8 +1382,9 @@ Sep 26 03:12:44 skapet sshd[24703]: Fail
 
 	<note>
 	  <para>These rules will <emphasis>not</emphasis> block slow
-	    bruteforcers, sometimes referred to as <link xlink:href="http://home.nuug.no/~peter/hailmary2013/">the Hail
-	      Mary Cloud</link>.</para>
+	    bruteforcers, sometimes referred to as <link
+	      xlink:href="http://home.nuug.no/~peter/hailmary2013/">the
+	      Hail Mary Cloud</link>.</para>
 	</note>
 
 	<para>Once again, please keep in mind that this example rule
@@ -1444,7 +1482,8 @@ Sep 26 03:12:44 skapet sshd[24703]: Fail
 	  <programlisting>/usr/local/sbin/expiretable -v -d -t 24h bruteforce</programlisting>
 
 	  <para><application>expiretable</application> is in the
-	    Ports Collection on &os; as <package>security/expiretable</package>.</para>
+	    Ports Collection on &os; as
+	    <package>security/expiretable</package>.</para>
 	</sect4>
       </sect3>
 
@@ -1462,11 +1501,10 @@ Sep 26 03:12:44 skapet sshd[24703]: Fail
 	    makes it possible to keep an eye on what passes into and
 	    out of the network.  <application>pftop</application> is
 	    available through the ports system as
-	    <package>sysutils/pftop</package>.  The
-	    name is a strong hint at what it does -
-	    <application>pftop</application> shows a running snapshot
-	    of traffic in a format which is strongly inspired by
-	    &man.top.1;.</para>
+	    <package>sysutils/pftop</package>.  The name is a strong
+	    hint at what it does - <application>pftop</application>
+	    shows a running snapshot of traffic in a format which is
+	    strongly inspired by &man.top.1;.</para>
 	</sect4>
 
 	<sect4 xml:id="pftut-spamd">
@@ -1516,11 +1554,12 @@ Sep 26 03:12:44 skapet sshd[24703]: Fail
 
 	    <procedure>
 	      <step>
-		<para>Install the <package>mail/spamd/</package> port.  In
-		  particular, be sure to read the package message and
-		  act upon what it says.  Specifically, to use
+		<para>Install the <package>mail/spamd/</package> port.
+		  In particular, be sure to read the package message
+		  and act upon what it says.  Specifically, to use
 		  <application>spamd</application>'s greylisting
-		  features, a file descriptor file system (see <link xlink:href="http://www.freebsd.org/cgi/man.cgi?query=fdescfs&sektion=5">fdescfs(5)</link>)
+		  features, a file descriptor file system (see <link
+		    xlink:href="http://www.freebsd.org/cgi/man.cgi?query=fdescfs&sektion=5">fdescfs(5)</link>)
 		  must be mounted at <filename>/dev/fd/</filename>.
 		  Do this by adding the following line to
 		  <filename>/etc/fstab</filename>:</para>
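Review bot: the rewrapped `<link>` for fdescfs(5) carries a bare `&` in its `xlink:href` (`...query=fdescfs&sektion=5`) as displayed here; that is not well-formed XML unless the file actually has `&amp;`, so please confirm the source. Separately, the rest of the chapter refers to manual pages through entities such as `&man.pfsync.4;` and `&man.pfctl.8;`, so `&man.fdescfs.5;` would be the consistent form if that entity exists (I have not checked). Either way it is a content change and belongs in a follow-up commit.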
@@ -1670,7 +1709,8 @@ rdr pass on $ext_if inet proto tcp from 
 	      paper by Evan Harris
 	      <footnote><para>The original
 		  Harris paper and a number of other useful articles
-		  and resources can be found at the <link xlink:href="http://www.greylisting.org/">greylisting.org</link>
+		  and resources can be found at the <link
+		    xlink:href="http://www.greylisting.org/">greylisting.org</link>
 		  web site.</para></footnote>, and a number of
 	      implementations followed over the next few months.
 	      OpenBSD's <application>spamd</application> acquired its
@@ -1893,7 +1933,8 @@ block drop out quick on $ext_if from any
 
 	    <para>This completes our simple NATing firewall for a
 	      small local network.  A more thorough tutorial is
-	      available at <link xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>,
+	      available at <link
+		xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>,
 	      where you will also find slides from related
 	      presentations.</para>
 	  </sect5>
@@ -1940,13 +1981,17 @@ block drop out quick on $ext_if from any
       for configuring an inclusive firewall ruleset.</para>
 
     <para>For a detailed explanation of the legacy rules processing
-      method, refer to <uri xlink:href="http://www.munk.me.uk/ipf/ipf-howto.html">http://www.munk.me.uk/ipf/ipf-howto.html</uri>
-      and <uri xlink:href="http://coombs.anu.edu.au/~avalon/ip-filter.html">http://coombs.anu.edu.au/~avalon/ip-filter.html</uri>.</para>
+      method, refer to <uri
+	xlink:href="http://www.munk.me.uk/ipf/ipf-howto.html">http://www.munk.me.uk/ipf/ipf-howto.html</uri>
+      and <uri
+	xlink:href="http://coombs.anu.edu.au/~avalon/ip-filter.html">http://coombs.anu.edu.au/~avalon/ip-filter.html</uri>.</para>
 
-    <para>The IPF FAQ is at <uri xlink:href="http://www.phildev.net/ipf/index.html">http://www.phildev.net/ipf/index.html</uri>.</para>
+    <para>The IPF FAQ is at <uri
+	xlink:href="http://www.phildev.net/ipf/index.html">http://www.phildev.net/ipf/index.html</uri>.</para>
 
     <para>A searchable archive of the IPFilter mailing list is
-      available at <uri xlink:href="http://marc.theaimsgroup.com/?l=ipfilter">http://marc.theaimsgroup.com/?l=ipfilter</uri>.</para>
+      available at <uri
+	xlink:href="http://marc.theaimsgroup.com/?l=ipfilter">http://marc.theaimsgroup.com/?l=ipfilter</uri>.</para>
 
     <sect2>
       <title>Enabling IPF</title>
@@ -2424,8 +2469,9 @@ EOF
 	    adding <literal>ipfilter_enable="NO"</literal>to
 	    <filename>/etc/rc.conf</filename>.</para>
 
-	  <para>Then, add a script like the following to <filename>/usr/local/etc/rc.d/</filename>.
-	    The script should have an obvious name like
+	  <para>Then, add a script like the following to
+	    <filename>/usr/local/etc/rc.d/</filename>.  The script
+	    should have an obvious name like
 	    <filename>ipf.loadrules.sh</filename>, where the
 	    <filename>.sh</filename> extension is mandatory.</para>
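Review bot: the unchanged context line `adding <literal>ipfilter_enable="NO"</literal>to` is missing a space between `</literal>` and `to`, so the rendered text reads `"NO"to`. It is technically whitespace, but it changes rendered text and is translation-relevant, so keep it out of this commit and fix it separately.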
 
@@ -2433,7 +2479,8 @@ EOF
 sh /etc/ipf.rules.script</programlisting>
 
 	  <para>The permissions on this script file must be read,
-	    write, execute for owner <systemitem class="username">root</systemitem>:</para>
+	    write, execute for owner
+	    <systemitem class="username">root</systemitem>:</para>
 
 	  <screen>&prompt.root; <userinput>chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh</userinput></screen>
 	</listitem>
@@ -2658,9 +2705,11 @@ sh /etc/ipf.rules.script</programlisting
 
 	<para>There is no way to match ranges of IP addresses which
 	  do not express themselves easily using the dotted numeric
-	  form / mask-length notation.  The <package>net-mgmt/ipcalc</package> port may be
-	  used to ease the calculation.  Additional information
-	  is available at the utility's web page: <uri xlink:href="http://jodies.de/ipcalc">http://jodies.de/ipcalc</uri>.</para>
+	  form / mask-length notation.  The
+	  <package>net-mgmt/ipcalc</package> port may be used to ease
+	  the calculation.  Additional information is available at the
+	  utility's web page: <uri
+	    xlink:href="http://jodies.de/ipcalc">http://jodies.de/ipcalc</uri>.</para>
       </sect3>
 
       <sect3>
@@ -2675,8 +2724,8 @@ sh /etc/ipf.rules.script</programlisting
 	  <literal>from</literal> object, it matches the source port
 	  number.  When it appears as part of the
 	  <literal>to</literal> object, it matches the destination
-	  port number.  An example usage is <literal>from any to any
-	    port = 80</literal></para>
+	  port number.  An example usage is
+	  <literal>from any to any port = 80</literal></para>
 
 	<para>Single port comparisons may be done in a number of ways,
 	  using a number of different comparison operators.  Instead
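Review bot: the rewrapped sentence `An example usage is <literal>from any to any port = 80</literal></para>` has no terminating period, unlike the neighbouring paragraphs. Content nit for a follow-up commit.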
@@ -2793,10 +2842,10 @@ sh /etc/ipf.rules.script</programlisting
 	network.</para>
 
       <para>&os; uses interface <filename>lo0</filename> and IP
-	address <systemitem class="ipaddress">127.0.0.1</systemitem> for internal
-	communication within the operating system.  The firewall rules
-	must contain rules to allow free movement of these internally
-	used packets.</para>
+	address <systemitem class="ipaddress">127.0.0.1</systemitem>
+	for internal communication within the operating system.  The
+	firewall rules must contain rules to allow free movement of
+	these internally used packets.</para>
 
       <para>The interface which faces the public Internet is the one
 	specified in the rules that authorize and control access of
@@ -2857,13 +2906,13 @@ sh /etc/ipf.rules.script</programlisting
 	being flooded or is under attack.</para>
 
       <para>To lookup unknown port numbers, refer to
-	<filename>/etc/services</filename>. Alternatively, visit
-	<uri xlink:href="http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers">http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers</uri>
+	<filename>/etc/services</filename>.  Alternatively, visit <uri
+	  xlink:href="http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers">http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers</uri>
 	and do a port number lookup to find the purpose of a
 	particular port number.</para>
 
-      <para>Check out this link for port numbers used by Trojans
-	<uri xlink:href="http://www.sans.org/security-resources/idfaq/oddports.php">http://www.sans.org/security-resources/idfaq/oddports.php</uri>.</para>
+      <para>Check out this link for port numbers used by Trojans <uri
+	  xlink:href="http://www.sans.org/security-resources/idfaq/oddports.php">http://www.sans.org/security-resources/idfaq/oddports.php</uri>.</para>
 
       <para>The following ruleset creates an
 	<literal>inclusive</literal> firewall ruleset which can be
@@ -3166,7 +3215,8 @@ block in log first quick on dc0 all
 
       <para>The <replaceable>LAN_IP_RANGE</replaceable> is used by the
 	internal clients use for IP Addressing.  Usually, this is
-	something like <systemitem class="ipaddress">192.168.1.0/24</systemitem>.</para>
+	something like <systemitem
+	  class="ipaddress">192.168.1.0/24</systemitem>.</para>
 
       <para>The <replaceable>PUBLIC_ADDRESS</replaceable> can either
 	be the static external IP address or the special keyword
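Review bot: the context line `is used by the internal clients use for IP Addressing` has a duplicated verb; `is used by the internal clients for IP addressing` is the intended reading. Not a whitespace fix, so follow up separately.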
@@ -3290,8 +3340,9 @@ block in log first quick on dc0 all
 	servers still has to undergo <acronym>NAT</acronym>, but there
 	has to be some way to direct the inbound traffic to the
 	correct server.  For example, a web server operating on LAN
-	address <systemitem class="ipaddress">10.0.10.25</systemitem> and using a single public
-	IP address of <systemitem class="ipaddress">20.20.20.5</systemitem>, would
+	address <systemitem class="ipaddress">10.0.10.25</systemitem>
+	and using a single public IP address of
+	<systemitem class="ipaddress">20.20.20.5</systemitem>, would
 	use this rule:</para>
 
 	<programlisting>rdr dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80</programlisting>
@@ -3300,8 +3351,9 @@ block in log first quick on dc0 all
 
 	<programlisting>rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.25 port 80</programlisting>
 
-	<para>For a LAN DNS server on a private address of <systemitem class="ipaddress">10.0.10.33</systemitem> that needs to receive
-	  public DNS requests:</para>
+	<para>For a LAN DNS server on a private address of
+	  <systemitem class="ipaddress">10.0.10.33</systemitem> that
+	  needs to receive public DNS requests:</para>
 
 	<programlisting>rdr dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 udp</programlisting>
     </sect2>
@@ -3313,7 +3365,8 @@ block in log first quick on dc0 all
 	difference is in how the data channel is acquired.  Passive
 	mode is more secure as the data channel is acquired by the
 	ordinal ftp session requester.  For a good explanation of FTP
-	and the different modes, see <uri xlink:href="http://www.slacksite.com/other/ftp.html">http://www.slacksite.com/other/ftp.html</uri>.</para>
+	and the different modes, see <uri
+	  xlink:href="http://www.slacksite.com/other/ftp.html">http://www.slacksite.com/other/ftp.html</uri>.</para>
 
       <sect3>
 	<title>IP<acronym>NAT</acronym> Rules</title>
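Review bot: in the context line `acquired by the ordinal ftp session requester`, `ordinal` looks like a typo for `original`. Follow-up commit.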
@@ -3821,23 +3874,24 @@ ipfw add deny out</programlisting>
 	    any IP address configured on an interface in the &os;
 	    system to represent the PC the firewall is running on.
 	    Example usage includes <literal>from me to any</literal>,
-	    <literal>from any to me</literal>, <literal>from 0.0.0.0/0
-	      to any</literal>, <literal>from any to
-	      0.0.0.0/0</literal>, <literal>from 0.0.0.0 to
-	      any</literal>. <literal>from any to 0.0.0.0</literal>,
+	    <literal>from any to me</literal>,
+	    <literal>from 0.0.0.0/0 to any</literal>,
+	    <literal>from any to 0.0.0.0/0</literal>,
+	    <literal>from 0.0.0.0 to any</literal>.
+	    <literal>from any to 0.0.0.0</literal>,
 	    and <literal>from me to 0.0.0.0</literal>.  IP addresses
 	    are specified in dotted IP address format followed by the
 	    mask in CIDR notation, or as a single host in dotted IP
 	    address format.  This keyword is a mandatory requirement.
-	    The <package>net-mgmt/ipcalc</package>
-	    port may be used to assist the mask calculation.</para>
+	    The <package>net-mgmt/ipcalc</package> port may be used to
+	    assist the mask calculation.</para>
 
 	  <para><parameter>port number</parameter></para>
 
 	  <para>For protocols which support port numbers, such as
 	    <acronym>TCP</acronym> and <acronym>UDP</acronym>, it
 	    is mandatory to include the port number of the service
-	    that will be matched. Service names from
+	    that will be matched.  Service names from
 	    <filename>/etc/services</filename> may be used instead
 	    of numeric port values.</para>
 