svn commit: r43997 - head/en_US.ISO8859-1/books/handbook/firewalls
Dru Lavigne
dru at FreeBSD.org
Wed Feb 19 21:22:41 UTC 2014
Author: dru
Date: Wed Feb 19 21:22:40 2014
New Revision: 43997
URL: http://svnweb.freebsd.org/changeset/doc/43997
Log:
Initial editorial pass through intro of this chapter.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 19 20:38:58 2014 (r43996)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 19 21:22:40 2014 (r43997)
@@ -1509,8 +1509,8 @@ block drop out quick on $ext_if from any
<para><application>IPFILTER</application>, also known as
<application>IPF</application>, is a cross-platform, open source firewall which
- has been ported to &os;, NetBSD, OpenBSD, and
- &solaris; operating systems.</para>
+ has been ported to several operating systems, including &os;, NetBSD, OpenBSD, and
+ &solaris;.</para>
<para><application>IPFILTER</application> is a kernel-side firewall and
<acronym>NAT</acronym> mechanism that can be controlled and
@@ -1525,32 +1525,25 @@ block drop out quick on $ext_if from any
<para><application>IPF</application> was originally written using a rule processing logic
of <quote>the last matching rule wins</quote> and only used
- stateless rules. Over time, <application>IPF</application> has been enhanced to include a
- <quote>quick</quote> option and a stateful
- <quote>keep state</quote> option which modernized the rules
- processing logic. <application>IPF</application>'s official documentation covers only the
- legacy rule coding parameters and rule file processing logic and
- the modernized functions are only included as additional
- options.</para>
-
- <para>The instructions contained in this section are based on
- using rules that contain <quote>quick</quote> and
- <quote>keep state</quote> as these provide the basic framework
- for configuring an inclusive firewall ruleset.</para>
+ stateless rules. Since then, <application>IPF</application> has been enhanced to include
+ the <literal>quick</literal> and
+ <literal>keep state</literal> options.</para>
<para>For a detailed explanation of the legacy rules processing
method, refer to <uri
- xlink:href="http://www.munk.me.uk/ipf/ipf-howto.html">http://www.munk.me.uk/ipf/ipf-howto.html</uri>
- and <uri
xlink:href="http://coombs.anu.edu.au/~avalon/ip-filter.html">http://coombs.anu.edu.au/~avalon/ip-filter.html</uri>.</para>
<para>The <application>IPF</application> FAQ is at <uri
- xlink:href="http://www.phildev.net/ipf/index.html">http://www.phildev.net/ipf/index.html</uri>.</para>
-
- <para>A searchable archive of the IPFilter mailing list is
+ xlink:href="http://www.phildev.net/ipf/index.html">http://www.phildev.net/ipf/index.html</uri>.
+ A searchable archive of the IPFilter mailing list is
available at <uri
- xlink:href="http://marc.theaimsgroup.com/?l=ipfilter">http://marc.theaimsgroup.com/?l=ipfilter</uri>.</para>
+ xlink:href="http://marc.info/?l=ipfilter">http://marc.info/?l=ipfilter</uri>.</para>
+ <para>This section of the Handbook focuses on
+ <application>IPF</application> as it pertains to FreeBSD.
+ It provides examples which uses
+ rules that contain the <literal>quick</literal> and
+ <literal>keep state</literal> options.</para>
<sect2>
<title>Enabling <application>IPF</application></title>
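Review bot: grammatical error in the new paragraph at the end of this hunk: "It provides examples which uses rules" should read "It provides examples which use rules". Two smaller points in the same hunk: "as it pertains to FreeBSD" spells out the product name where the rest of the chapter uses the `&os;` entity, and the removal of the munk.me.uk howto link leaves only one reference for the legacy rules processing method, so consider whether that link was intentionally dropped as dead or should be kept alongside the coombs.anu.edu.au one.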
@@ -1560,7 +1553,7 @@ block drop out quick on $ext_if from any
<secondary>enabling</secondary>
</indexterm>
- <para> is included in the basic &os; install as a kernel
+ <para><application>IPF</application> is included in the basic &os; install as a kernel
loadable module, meaning that a custom kernel is not needed in
order to enable <application>IPF</application>.</para>
@@ -1590,22 +1583,21 @@ block drop out quick on $ext_if from any
<para>For users who prefer to statically compile <application>IPF</application> support
into a custom kernel, refer to the instructions in <xref
- linkend="kernelconfig"/>. The following <application>IPF</application> option statements are
+ linkend="kernelconfig"/>. The following kernel options are
available:</para>
<programlisting>options IPFILTER
options IPFILTER_LOG
+options IPFILTER_LOOKUP
options IPFILTER_DEFAULT_BLOCK</programlisting>
<para>where <literal>options IPFILTER</literal> enables support for
- <application>IPFILTER</application>.</para>
-
- <para><literal>options IPFILTER_LOG</literal> enables IPF
+ <application>IPFILTER</application>, <literal>options IPFILTER_LOG</literal> enables <application>IPF</application>
logging using the <filename>ipl</filename> packet logging
- pseudo—device for every rule that has the
- <literal>log</literal> keyword.</para>
-
- <para><literal>options IPFILTER_DEFAULT_BLOCK</literal> changes
+ pseudo device for every rule that has the
+ <literal>log</literal> keyword,
+ <literal>IPFILTER_LOOKUP</literal> enables <acronym>IP</acronym> pools in
+ order to speed up <acronym>IP</acronym> lookups, and <literal>options IPFILTER_DEFAULT_BLOCK</literal> changes
the default behavior so that any packet not matching a
firewall <literal>pass</literal> rule gets blocked.</para>
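Review bot: inconsistency in the merged explanation: the first and third items are written as `<literal>options IPFILTER</literal>` and `<literal>options IPFILTER_DEFAULT_BLOCK</literal>`, but the newly added second item is `<literal>IPFILTER_LOOKUP</literal>` without the `options` prefix; either drop the prefix on all of them or write `<literal>options IPFILTER_LOOKUP</literal>` so the list reads uniformly. Also, the em-dash fix turns "pseudo—device" into "pseudo device"; the usual spelling is "pseudo-device" with a hyphen, as used elsewhere in the Handbook.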
@@ -1614,7 +1606,8 @@ options IPFILTER_DEFAULT_BLOCK</programl
the following entries to
<filename>/etc/rc.conf</filename>. These entries will also enable logging and
<literal>default pass all</literal>. To change the
- default to <literal>block all</literal>, add a
+ default policy to <literal>block all</literal> without
+ compiling a custom kernel, remember to add a
<literal>block all</literal> rule at the end of the
ruleset.</para>
@@ -1633,7 +1626,7 @@ ipmon_flags="-Ds" # D =
ipnat_enable="YES" # Start ipnat function
ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlisting>
- <para>To start <application>IPF</application> now:</para>
+ <para>Then, to start <application>IPF</application> now:</para>
<programlisting>&prompt.root; <command>service ipfilter start</command></programlisting>
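Review bot: minor wording point on the changed `<para>`: "Then, to start <application>IPF</application> now:" combines "Then" and "now" in one short sentence, which reads awkwardly; "To start <application>IPF</application> after editing <filename>/etc/rc.conf</filename>:" or simply "Then, to start <application>IPF</application>:" would be clearer.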