From owner-svn-doc-all@FreeBSD.ORG Tue Feb 25 18:57:41 2014
Return-Path:
Delivered-To: svn-doc-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 02F29EE2; Tue, 25 Feb 2014 18:57:41 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id C82831C04; Tue, 25 Feb 2014 18:57:40 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s1PIveOf059587; Tue, 25 Feb 2014 18:57:40 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s1PIvexO059586; Tue, 25 Feb 2014 18:57:40 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201402251857.s1PIvexO059586@svn.freebsd.org>
From: Dru Lavigne Date: Tue, 25 Feb 2014 18:57:40 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44055 - head/en_US.ISO8859-1/books/handbook/firewalls X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Feb 2014 18:57:41 -0000 Author: dru Date: Tue Feb 25 18:57:40 2014 New Revision: 44055 URL: http://svnweb.freebsd.org/changeset/doc/44055 Log: Start editorial review. To be continued tomorrow. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Tue Feb 25 17:59:16 2014 (r44054) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Tue Feb 25 18:57:40 2014 (r44055) @@ -1585,7 +1585,7 @@ block drop out quick on $ext_if from any - IPFW + <application>IPFW</application> firewall 
@@ -1593,52 +1593,39 @@ block drop out quick on $ext_if from any IPFW - IPFW is a stateful firewall written for - &os; which also provides a traffic shaper, packet scheduler, - and in-kernel NAT. + IPFW is a stateful firewall written for + &os; which supports both IPv4 + and IPv6. It is comprised of several components: the kernel firewall + filter rule processor and its integrated packet accounting + facility, the logging facility, + NAT, the &man.dummynet.4; traffic shaper, + a forward facility, a bridge + facility, and an ipstealth facility. &os; provides a sample ruleset in - /etc/rc.firewall. The sample ruleset - define several firewall types for common scenarios to assist + /etc/rc.firewall which + defines several firewall types for common scenarios to assist novice users in generating an appropriate ruleset. - &man.ipfw.8; provides a powerful syntax which advanced users can + IPFW provides a powerful syntax which advanced users can use to craft customized rulesets that meet the security requirements of a given environment. - - IPFW is composed of several components: the kernel firewall - filter rule processor and its integrated packet accounting - facility, the logging facility, the - divert rule which triggers - NAT, the dummynet traffic shaper facilities, - the fwd rule forward facility, the bridge - facility, and the ipstealth facility. IPFW supports both IPv4 - and IPv6. + + This section describes how to enable + IPFW, provides an overview of its + rule syntax, and demonstrates several rulesets for common + configuration scenarios. - Enabling IPFW + Enabling <application>IPFW</application> - IPFW + IPFW enabling - IPFW is included in the basic &os; install as a run time - loadable module. The system will dynamically load the kernel - module when rc.conf contains the - statement firewall_enable="YES". 
After - rebooting the system, the following white highlighted message - is displayed on the screen as part of the boot process: - - ipfw2 initialized, divert disabled, rule-based forwarding disabled, default to deny, logging disabled - - The loadable module includes logging ability. To enable - logging and set the verbose logging limit, add these - statements to - /etc/sysctl.conf before rebooting: - - net.inet.ip.fw.verbose=1 -net.inet.ip.fw.verbose_limit=5 + IPFW is included in the basic &os; install as a kernel + loadable module, meaning that a custom kernel is not needed in order to enable IPFW. kernel options 
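Review bot: the paragraph removed at the end of this hunk was the only place the chapter told users of the loadable module how to turn logging on (net.inet.ip.fw.verbose=1 and net.inet.ip.fw.verbose_limit=5 in /etc/sysctl.conf), and nothing in this revision re-adds it; the later "Logging Firewall Messages" section still opens with "Even with the logging facility enabled", which now has no earlier instruction to point at, and the module does not pick up IPFIREWALL_VERBOSE from the kernel options listed further down. Suggest moving those two sysctl lines into the logging section rather than dropping them. The dropped boot message ("ipfw2 initialized, divert disabled, rule-based forwarding disabled, default to deny, logging disabled") is also worth keeping somewhere, since it is the quickest check that the default policy and logging state are what the administrator expects.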
@@ -1659,76 +1646,35 @@ net.inet.ip.fw.verbose_limit=5 - IPFW + IPFW kernel options - For those users who wish to statically compile kernel - IPFW support, the following options are available for the + For those users who wish to statically compile + IPFW support into a custom kernel, + refer to the instructions in . + The following options are available for the custom kernel configuration file: - options IPFIREWALL - - This option enables IPFW as part of the kernel. - - options IPFIREWALL_VERBOSE - - This option enables logging of packets that pass through - IPFW and have the log keyword specified in - the ruleset. - - options IPFIREWALL_VERBOSE_LIMIT=5 - - This option limits the number of packets logged through - &man.syslogd.8;, on a per-entry basis. This option may be - used in hostile environments, when firewall activity logging - is desired. This will close a possible denial of service - attack via syslog flooding. - - - kernel options - - IPFIREWALL_DEFAULT_TO_ACCEPT - - - options IPFIREWALL_DEFAULT_TO_ACCEPT + options IPFIREWALL # enables IPFW +options IPFIREWALL_VERBOSE # enables logging for rules with log keyword +options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry +options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied +options IPDIVERT # enables NAT - This option allows everything to pass through the firewall - by default, which is a good idea when the firewall is being - set up for the first time. - - - kernel options - - IPDIVERT - - - options IPDIVERT - - This option enables the use of NAT - functionality. - - - The firewall will block all incoming and outgoing - packets if either the - IPFIREWALL_DEFAULT_TO_ACCEPT kernel - option or a rule to explicitly allow these connections is - missing. 
- - - The following /etc/rc.conf option enables the firewall: + To configure the system to enable + IPFW at boot time, add the + following entry to /etc/rc.conf: firewall_enable="YES" - To select one of the default firewall types provided by - &os;, select one by reading - /etc/rc.firewall and specify it in - the following: + To use one of the default firewall types provided by + &os;, add another line which specifies the type: firewall_type="open" - Available values for this setting are: + The available values for this setting are: @@ -1747,27 +1693,27 @@ net.inet.ip.fw.verbose_limit=5 + workstation: protects only this + machine using stateful rules. + + UNKNOWN: disables the loading of firewall rules. filename: - absolute path of the file containing the firewall + full path of the file containing the firewall rules. - Two methods are available for loading custom - ipfw rules. One is to set the - firewall_type variable to the absolute - path of the file which contains the firewall rules. - - The other method is to set the + To instead load a custom ruleset, either + set the filename value of + firewall_type or set the firewall_script variable to the absolute path of an executable script that includes - ipfw commands. A ruleset script that - blocks all incoming and outgoing traffic would look like - this: + IPFW commands. This example script + blocks all incoming and outgoing traffic: #!/bin/sh @@ -1811,7 +1757,7 @@ ipfw add deny out - The IPFW Command + The <application>IPFW</application> Command ipfw @@ -1825,7 +1771,7 @@ ipfw add deny out changes. ipfw is a useful way to display the - running firewall rules to the console screen. The IPFW + running firewall rules to the console screen. The IPFW accounting facility dynamically creates a counter for each rule that counts each packet that matches the rule. During the process of testing a rule, listing the rule with its 
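Review bot: collapsing the kernel options into a single commented block drops two statements that carried the security reasoning, and the new one-line comments do not replace them. First, the warning that the firewall blocks all incoming and outgoing packets when neither IPFIREWALL_DEFAULT_TO_ACCEPT nor an explicit allow rule is present is gone; an administrator who sets firewall_enable="YES" over a remote session without such a rule is locked out, so that sentence belongs near the firewall_enable example. Second, "# limits number of logged packets per-entry" says what IPFIREWALL_VERBOSE_LIMIT=5 does but not why it is set, namely to bound syslog flooding so a remote peer cannot turn a log rule into a denial of service against the host. Suggest a short paragraph after the options block restoring both points.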
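Review bot: in the firewall_type list, "filename" is now described as the "full path of the file containing the firewall rules" while the following paragraph still says firewall_script takes the "absolute path of an executable script"; the two settings are explained together in that paragraph, so use the same term for both. It would also help the reader to state which of the two wins if both firewall_type (set to a file) and firewall_script are present in /etc/rc.conf, since the rewritten sentence presents them as simple alternatives.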
@@ -1868,10 +1814,10 @@ ipfw add deny out - IPFW Rule Syntax + <application>IPFW</application> Rule Syntax - IPFW + IPFW rule processing order @@ -1884,7 +1830,7 @@ ipfw add deny out action field value is executed and the search of the ruleset terminates for that packet. This is referred to as first match wins. If the packet does not match - any of the rules, it gets caught by the mandatory IPFW default + any of the rules, it gets caught by the mandatory IPFW default rule, number 65535, which denies all packets and silently discards them. However, if the packet matches a rule that contains the count, @@ -1900,13 +1846,13 @@ ipfw add deny out description, refer to &man.ipfw.8;. - IPFW + IPFW rule syntax This section describes the keywords which comprise an - IPFW rule. Keywords must be written in + IPFW rule. Keywords must be written in the following order. # is used to mark the start of a comment and may appear at the end of a rule line or on its own line. Blank lines are ignored. @@ -2083,7 +2029,7 @@ ipfw add deny out Stateful Rule Option The check-state option is used to - identify where in the IPFW ruleset the packet is to be + identify where in the IPFW ruleset the packet is to be tested against the dynamic rules facility. On a match, the packet exits the firewall to continue on its way and a new rule is dynamically created for the next anticipated packet @@ -2094,7 +2040,7 @@ ipfw add deny out The dynamic rules facility is vulnerable to resource depletion from a SYN-flood attack which would open a huge number of dynamic rules. To counter this type of attack - with IPFW, use limit. + with IPFW, use limit. This keyword limits the number of simultaneous sessions by checking that rule's source or destinations fields and using the packet's IP address in a search of the open dynamic 
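Review bot: the context line "mandatory IPFW default rule, number 65535, which denies all packets and silently discards them" is now in tension with the new comment added earlier in this patch, "IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied". Rule 65535 is a deny rule only in the default build; with that option compiled in it is an allow rule, which is also what the removed boot message reported as "default to deny" versus accept. Suggest qualifying the sentence, for example "which, unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT, denies all packets and silently discards them", so the rule-processing description and the kernel-options list agree.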
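Review bot: in the stateful rule hunk, "checking that rule's source or destinations fields" should read "source or destination fields", and since this is the paragraph that presents limit as the SYN-flood mitigation, a single example rule would make the advice usable; the keyword takes the form limit {src-addr | src-port | dst-addr | dst-port} N, so something like "ipfw add allow tcp from any to me 22 setup limit src-addr 10" shows how the per-address cap bounds the number of dynamic rules an attacker can create.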
@@ -2110,12 +2056,12 @@ ipfw add deny out Logging Firewall Messages - IPFW + IPFW logging - Even with the logging facility enabled, IPFW will not + Even with the logging facility enabled, IPFW will not generate any rule logging on its own. The firewall administrator decides which rules in the ruleset will be logged, and adds the log keyword to those @@ -2156,7 +2102,7 @@ ipfw add deny out Building a Rule Script - Most experienced IPFW users create a file containing + Most experienced IPFW users create a file containing the rules and code them in a manner compatible with running them as a script. The major benefit of doing this is the firewall rules can be refreshed in mass without the need @@ -2416,17 +2362,17 @@ pif="dc0" # public interface name of NAT - and IPFW + and IPFW There are some additional configuration statements that need to be enabled to activate the NAT - function of IPFW. For a customized kernel, the kernel + function of IPFW. For a customized kernel, the kernel configuration file needs option IPDIVERT added to the other IPFIREWALL options. - In addition to the normal IPFW options in + In addition to the normal IPFW options in /etc/rc.conf, the following are needed:
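Review bot: in the NAT hunk, "the kernel configuration file needs option IPDIVERT" should use the kernel configuration keyword "options IPDIVERT", matching the options block earlier in this patch. More substantively, that earlier block now reads "options IPDIVERT # enables NAT" while the old introduction's "in-kernel NAT" was removed in this same revision; IPDIVERT provides divert sockets, which the natd-based setup described here relies on, whereas ipfw's own in-kernel NAT does not need it. Suggest saying "enables divert sockets, needed for NAT with natd" in the options block and keeping the in-kernel NAT mention in the component list so the two NAT paths are not conflated.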
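Review bot: in the "Building a Rule Script" hunk the context line "the firewall rules can be refreshed in mass" should read "en masse" (or simply "all at once"); since the surrounding sentence is otherwise untouched, it is cheap to fix while this section is under editorial review.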