From owner-svn-doc-all@FreeBSD.ORG Tue Feb 25 17:30:27 2014
Message-Id: <201402251730.s1PHUQXQ023122@svn.freebsd.org>
From: Dru Lavigne Date: Tue, 25 Feb 2014 17:30:26 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44052 - head/en_US.ISO8859-1/books/handbook/firewalls X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Feb 2014 17:30:27 -0000 Author: dru Date: Tue Feb 25 17:30:26 2014 New Revision: 44052 URL: http://svnweb.freebsd.org/changeset/doc/44052 Log: Finish initial editorial review of IPF chapter. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Tue Feb 25 15:57:17 2014 (r44051) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Tue Feb 25 17:30:26 2014 (r44052) @@ -2508,7 +2508,7 @@ sh /etc/ipf.rules.script --> - IPFSTAT + Viewing <application>IPF</application> Statistics ipfstat 
@@ -2518,16 +2518,16 @@ sh /etc/ipf.rules.scriptstatistics - The default behavior of &man.ipfstat.8; is to retrieve - and display the totals of the accumulated statistics gathered - by applying the rules against packets going in and out of the - firewall since it was last started, or since the last time the - accumulators were reset to zero using ipf + IPF includes &man.ipfstat.8; + which can be used to retrieve + and display statistics which are gathered + as packets match rules as they go through the + firewall. Statistics are accumulated since the firewall was + last started or since the last time they + were reset to zero using ipf -Z. - Refer to &man.ipfstat.8; for details. - - The default &man.ipfstat.8; output will look something + The default ipfstat output looks like this: input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0 
@@ -2540,58 +2540,47 @@ sh /etc/ipf.rules.scriptTCP RSTs sent: 0 + ICMP replies: 0 TCP RSTs sent: 0 Result cache hits(in): 1215208 (out): 1098963 IN Pullups succeeded: 2 failed: 0 OUT Pullups succeeded: 0 failed: 0 Fastroute successes: 0 failures: 0 - TCP cksum fails(in): 0 (out): 0 + TCP cksum fails(in): 0 (out): 0 Packet log flags set: (0) - When supplied with either for inbound + Several options are available. When supplied with either for inbound or for outbound, the command will retrieve and display the appropriate list of filter rules currently - installed and in use by the kernel. - - ipfstat -in displays the inbound - internal rules table with rule numbers. - - ipfstat -on displays the outbound - internal rules table with rule numbers. - - The output will look something like this: + installed and in use by the kernel. To also see the rule + numbers, include . For example, + ipfstat -on displays the outbound + rules table with rule numbers: @1 pass out on xl0 from any to any @2 block out on dc0 from any to any @3 pass out quick on dc0 proto tcp/udp from any to any keep state - ipfstat -ih displays the inbound - internal rules table, prefixing each rule with a count of how - many times the rule was matched. - - ipfstat -oh displays the outbound - internal rules table, prefixing each rule with a count of how - many times the rule was matched. - - The output will look something like this: + Include to + prefix each rule with a count of how + many times the rule was matched. For example, + ipfstat -oh displays the outbound + internal rules table, prefixing each rule with its usage count: 2451423 pass out on xl0 from any to any 354727 block out on dc0 from any to any 430918 pass out quick on dc0 proto tcp/udp from any to any keep state - One of the most important options of - ipfstat is which - displays the state table in a way similar to how &man.top.1; - shows the &os; running process table. 
When a firewall is - under attack, this function provides the ability to identify + To display the state table in a format similar to &man.top.1;, use + ipfstat -t. When the firewall is + under attack, this option provides the ability to identify and see the attacking packets. The optional sub-flags give - the ability to select the destination or source IP, port, or + the ability to select the destination or source IP, port, or protocol to be monitored in real time. Refer to &man.ipfstat.8; for details. - IPMON + <application>IPF</application> Logging ipmon @@ -2601,17 +2590,16 @@ sh /etc/ipf.rules.scriptlogging - In order for ipmon to work properly, - the kernel option IPFILTER_LOG must be - turned on. This command has two different modes. Native mode - is the default mode when the command is used without - . - - Daemon mode provides a continuous system log file so that - logging of past events may be reviewed. &os; has a built in - facility to automatically rotate system logs. This is why - outputting the log information to &man.syslogd.8; is better - than the default of outputting to a regular file. The default + IPF provides + ipmon, which can be used to write the firewall's logging + information in a human readable format. It requires that + options IPFILTER_LOG be first added + to a custom kernel using the instructions in . + + This command is typically run in + daemon mode in order to provide a continuous system log file so that + logging of past events may be reviewed. Since &os; has a built in + &man.syslogd.8; facility to automatically rotate system logs, the default rc.conf ipmon_flags statement uses : 
@@ -2623,48 +2611,38 @@ sh /etc/ipf.rules.scriptLogging provides the ability to review, after the fact, information such as which packets were dropped, what addresses - they came from and where they were going. These can all - provide a significant edge in tracking down attackers. + they came from, and where they were going. This information + is useful in tracking down attackers. - Even with the logging facility enabled, IPF will not - generate any rule logging by default. The firewall + Once the logging facility is enabled in + rc.conf and started with service + ipmon start, IPF will only + log the rules which contain the log keyword. The firewall administrator decides which rules in the ruleset should be - logged and adds the log keyword to those rules. Normally, - only deny rules are logged. - - It is customary to include a default deny - everything rule with the log keyword included as the + logged and normally + only deny rules are logged. It is customary to include the + log keyword in the last rule in the ruleset. This makes it possible to see all the packets that did not match any of the rules in the ruleset. - &man.syslogd.8; uses its own method for segregation of log - data. It uses groupings called facility and - level. By default, IPMON in - mode uses local0 as - the facility name. The following levels can be + By default, ipmon -Ds mode uses + local0 as + the logging facility. The following logging levels can be used to further segregate the logged data: LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block. 
LOG_NOTICE - packets logged which are also passed LOG_WARNING - packets logged which are also blocked -LOG_ERR - packets which have been logged and which can be considered short +LOG_ERR - packets which have been logged and which can be considered short due to an incomplete header - - - In order to setup IPFILTER to + In order to setup IPF to log all data to /var/log/ipfilter.log, first create the empty file: &prompt.root; touch /var/log/ipfilter.log - &man.syslogd.8; is controlled by definition statements in - /etc/syslog.conf. This file offers - considerable flexibility in how - syslog will deal with system - messages issued by software applications like IPF. - - To write all logged messages to the specified file, + Then, to write all logged messages to the specified file, add the following statement to /etc/syslog.conf: @@ -2674,7 +2652,7 @@ LOG_ERR - packets which have been logged to read the modified /etc/syslog.conf, run service syslogd reload. - Do not forget to change + Do not forget to edit /etc/newsyslog.conf to rotate the new log file. @@ -2702,23 +2680,12 @@ LOG_ERR - packets which have been logged The group and rule number of the rule in the format @0:17. - - These can be viewed with - ipfstat -in. - - The action: p for passed, b for blocked, S for a short packet, n did not match any - rules, and L for a log rule. The order - of precedence in showing flags is: S, - p, b, - n, L. A capital - P or B means that - the packet has been logged due to a global logging - setting, not a particular rule. + rules, and L for a log rule. 
@@ -2746,10 +2713,10 @@ LOG_ERR - packets which have been logged letters corresponding to any flags that were set. Refer to &man.ipf.5; for a list of letters and their flags. - If the packet is an ICMP packet, there will be two fields - at the end: the first always being ICMP and - the next being the ICMP message and sub-message type, - separated by a slash. For example: ICMP 3/3 for a port + If the packet is an ICMP packet, there will be two fields + at the end: the first always being icmp and + the next being the ICMP message and sub-message type, + separated by a slash. For example: icmp 3/3 for a port unreachable message.
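Review bot: in the @@ -2518 hunk, the new sentence "which can be used to retrieve and display statistics which are gathered as packets match rules as they go through the firewall" stacks two "which" clauses and two "as" clauses; suggest "IPF includes &man.ipfstat.8;, which retrieves and displays statistics gathered as packets pass through the firewall and match rules." The following sentence about accumulation since start or since "ipf -Z" reads fine as is.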
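Review bot: in the @@ -2540 hunk, the two examples now describe the same table with different names: "ipfstat -on displays the outbound rules table with rule numbers" but "ipfstat -oh displays the outbound internal rules table". Pick one term (the first form, "outbound rules table", matches the new introductory sentence) and use it in both places.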
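Review bot: in the @@ -2601 hunk, "Since &os; has a built in &man.syslogd.8; facility to automatically rotate system logs" attributes log rotation to syslogd, but rotation is done by newsyslog, as this same patch says a few hunks later with "Do not forget to edit /etc/newsyslog.conf to rotate the new log file." Suggest separating the two again, along the lines of the original: &os; rotates system logs automatically (via newsyslog), which is why sending ipmon output to &man.syslogd.8; is preferable to writing a plain file, and why the default ipmon_flags does so.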
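Review bot: in the @@ -2623 hunk, dropping "default deny everything" from "It is customary to include the log keyword in the last rule in the ruleset" leaves the next sentence, "This makes it possible to see all the packets that did not match any of the rules", unsupported: that only holds when the last rule is a catch-all block rule, which the new text no longer says. Suggest "It is customary to include the log keyword in the default deny-everything rule that ends the ruleset." Also in this hunk, "In order to setup IPF" should be "set up" (verb), matching the rest of the chapter.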
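Review bot: in the @@ -2702 hunk, removing the sentences on the flag precedence order and on capital "P" or "B" meaning the packet was logged by a global logging setting deletes the only place the chapter explains values the reader will actually see in the action field; if the goal is to trim, keep at least the one sentence on the capital letters. The removed "These can be viewed with ipfstat -in" was also the only pointer from the "@0:17" group:rule number back to the ruleset; suggest keeping it as "Use ipfstat -in or ipfstat -on to map this number to a rule."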