Date: Tue, 25 Feb 2014 18:57:40 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44055 - head/en_US.ISO8859-1/books/handbook/firewalls
Message-ID: <201402251857.s1PIvexO059586@svn.freebsd.org>
Author: dru Date: Tue Feb 25 18:57:40 2014 New Revision: 44055 URL: http://svnweb.freebsd.org/changeset/doc/44055 Log: Start editorial review. To be continued tomorrow. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Tue Feb 25 17:59:16 2014 (r44054) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Tue Feb 25 18:57:40 2014 (r44055) @@ -1585,7 +1585,7 @@ block drop out quick on $ext_if from any </sect1> <sect1 xml:id="firewalls-ipfw"> - <title>IPFW</title> + <title><application>IPFW</application></title> <indexterm> <primary>firewall</primary> 
@@ -1593,52 +1593,39 @@ block drop out quick on $ext_if from any <secondary>IPFW</secondary> </indexterm> - <para><acronym>IPFW</acronym> is a stateful firewall written for - &os; which also provides a traffic shaper, packet scheduler, - and in-kernel NAT.</para> + <para><application>IPFW</application> is a stateful firewall written for + &os; which supports both <acronym>IPv4</acronym> + and <acronym>IPv6</acronym>. It is comprised of several components: the kernel firewall + filter rule processor and its integrated packet accounting + facility, the logging facility, + <acronym>NAT</acronym>, the &man.dummynet.4; traffic shaper, + a forward facility, a bridge + facility, and an ipstealth facility.</para> <para>&os; provides a sample ruleset in - <filename>/etc/rc.firewall</filename>. The sample ruleset - define several firewall types for common scenarios to assist + <filename>/etc/rc.firewall</filename> which + defines several firewall types for common scenarios to assist novice users in generating an appropriate ruleset. - &man.ipfw.8; provides a powerful syntax which advanced users can + <application>IPFW</application> provides a powerful syntax which advanced users can use to craft customized rulesets that meet the security requirements of a given environment.</para> - - <para>IPFW is composed of several components: the kernel firewall - filter rule processor and its integrated packet accounting - facility, the logging facility, the - <literal>divert</literal> rule which triggers - <acronym>NAT</acronym>, the dummynet traffic shaper facilities, - the <literal>fwd rule</literal> forward facility, the bridge - facility, and the ipstealth facility. 
IPFW supports both IPv4 - and IPv6.</para> + + <para>This section describes how to enable + <application>IPFW</application>, provides an overview of its + rule syntax, and demonstrates several rulesets for common + configuration scenarios.</para> <sect2 xml:id="firewalls-ipfw-enable"> - <title>Enabling IPFW</title> + <title>Enabling <application>IPFW</application></title> <indexterm> - <primary>IPFW</primary> + <primary><application>IPFW</application></primary> <secondary>enabling</secondary> </indexterm> - <para>IPFW is included in the basic &os; install as a run time - loadable module. The system will dynamically load the kernel - module when <filename>rc.conf</filename> contains the - statement <literal>firewall_enable="YES"</literal>. After - rebooting the system, the following white highlighted message - is displayed on the screen as part of the boot process:</para> - - <screen>ipfw2 initialized, divert disabled, rule-based forwarding disabled, default to deny, logging disabled</screen> - - <para>The loadable module includes logging ability. To enable - logging and set the verbose logging limit, add these - statements to - <filename>/etc/sysctl.conf</filename> before rebooting:</para> - - <programlisting>net.inet.ip.fw.verbose=1 -net.inet.ip.fw.verbose_limit=5</programlisting> + <para><application>IPFW</application> is included in the basic &os; install as a kernel + loadable module, meaning that a custom kernel is not needed in order to enable <application>IPFW</application>.</para> <indexterm> <primary>kernel options</primary> 
@@ -1659,76 +1646,35 @@ net.inet.ip.fw.verbose_limit=5</programl </indexterm> <indexterm> - <primary>IPFW</primary> + <primary><application>IPFW</application></primary> <secondary>kernel options</secondary> </indexterm> - <para>For those users who wish to statically compile kernel - IPFW support, the following options are available for the + <para>For those users who wish to statically compile + <application>IPFW</application> support into a custom kernel, + refer to the instructions in <xref linkend="kernelconfig"/>. + The following options are available for the custom kernel configuration file:</para> - <programlisting>options IPFIREWALL</programlisting> - - <para>This option enables IPFW as part of the kernel.</para> - - <programlisting>options IPFIREWALL_VERBOSE</programlisting> - - <para>This option enables logging of packets that pass through - IPFW and have the <literal>log</literal> keyword specified in - the ruleset.</para> - - <programlisting>options IPFIREWALL_VERBOSE_LIMIT=5</programlisting> - - <para>This option limits the number of packets logged through - &man.syslogd.8;, on a per-entry basis. This option may be - used in hostile environments, when firewall activity logging - is desired. 
This will close a possible denial of service - attack via syslog flooding.</para> - - <indexterm> - <primary>kernel options</primary> - - <secondary>IPFIREWALL_DEFAULT_TO_ACCEPT</secondary> - </indexterm> - - <programlisting>options IPFIREWALL_DEFAULT_TO_ACCEPT</programlisting> + <programlisting>options IPFIREWALL # enables IPFW +options IPFIREWALL_VERBOSE # enables logging for rules with log keyword +options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry +options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied +options IPDIVERT # enables NAT</programlisting> - <para>This option allows everything to pass through the firewall - by default, which is a good idea when the firewall is being - set up for the first time.</para> - - <indexterm> - <primary>kernel options</primary> - - <secondary>IPDIVERT</secondary> - </indexterm> - - <programlisting>options IPDIVERT</programlisting> - - <para>This option enables the use of <acronym>NAT</acronym> - functionality.</para> - - <note> - <para>The firewall will block all incoming and outgoing - packets if either the - <literal>IPFIREWALL_DEFAULT_TO_ACCEPT</literal> kernel - option or a rule to explicitly allow these connections is - missing.</para> - </note> - - <para>The following <filename>/etc/rc.conf</filename> option enables the firewall:</para> + <para>To configure the system to enable + <application>IPFW</application> at boot time, add the + following entry to <filename>/etc/rc.conf</filename>:</para> <programlisting>firewall_enable="YES"</programlisting> - <para>To select one of the default firewall types provided by - &os;, select one by reading - <filename>/etc/rc.firewall</filename> and specify it in - the following:</para> + <para>To use one of the default firewall types provided by + &os;, add another line which specifies the type:</para> <programlisting>firewall_type="open"</programlisting> - <para>Available values for this setting are:</para> + 
<para>The available values for this setting are:</para> <itemizedlist> <listitem> @@ -1747,27 +1693,27 @@ net.inet.ip.fw.verbose_limit=5</programl traffic except for the loopback interface.</para> </listitem> <listitem> + <para><literal>workstation</literal>: protects only this + machine using stateful rules.</para> + </listitem> + <listitem> <para><literal>UNKNOWN</literal>: disables the loading of firewall rules.</para> </listitem> <listitem> <para><filename>filename</filename>: - absolute path of the file containing the firewall + full path of the file containing the firewall rules.</para> </listitem> </itemizedlist> - <para>Two methods are available for loading custom - <application>ipfw</application> rules. One is to set the - <literal>firewall_type</literal> variable to the absolute - path of the file which contains the firewall rules.</para> - - <para>The other method is to set the + <para>To instead load a custom ruleset, either + set the <filename>filename</filename> value of + <literal>firewall_type</literal> or set the <literal>firewall_script</literal> variable to the absolute path of an executable script that includes - <command>ipfw</command> commands. A ruleset script that - blocks all incoming and outgoing traffic would look like - this:</para> + <command>IPFW</command> commands. This example script + blocks all incoming and outgoing traffic:</para> <programlisting>#!/bin/sh @@ -1811,7 +1757,7 @@ ipfw add deny out</programlisting> </sect2> <sect2 xml:id="firewalls-ipfw-cmd"> - <title>The IPFW Command</title> + <title>The <application>IPFW</application> Command</title> <indexterm><primary><command>ipfw</command></primary></indexterm> 
@@ -1825,7 +1771,7 @@ ipfw add deny out</programlisting> changes.</para> <para><command>ipfw</command> is a useful way to display the - running firewall rules to the console screen. The IPFW + running firewall rules to the console screen. The <application>IPFW</application> accounting facility dynamically creates a counter for each rule that counts each packet that matches the rule. During the process of testing a rule, listing the rule with its @@ -1868,10 +1814,10 @@ ipfw add deny out</programlisting> </sect2> <sect2 xml:id="firewalls-ipfw-rules"> - <title>IPFW Rule Syntax</title> + <title><application>IPFW</application> Rule Syntax</title> <indexterm> - <primary>IPFW</primary> + <primary><application>IPFW</application></primary> <secondary>rule processing order</secondary> </indexterm> @@ -1884,7 +1830,7 @@ ipfw add deny out</programlisting> action field value is executed and the search of the ruleset terminates for that packet. This is referred to as <quote>first match wins</quote>. If the packet does not match - any of the rules, it gets caught by the mandatory IPFW default + any of the rules, it gets caught by the mandatory <application>IPFW</application> default rule, number 65535, which denies all packets and silently discards them. However, if the packet matches a rule that contains the <literal>count</literal>, @@ -1900,13 +1846,13 @@ ipfw add deny out</programlisting> description, refer to &man.ipfw.8;.</para> <indexterm> - <primary>IPFW</primary> + <primary><application>IPFW</application></primary> <secondary>rule syntax</secondary> </indexterm> <para>This section describes the keywords which comprise an - <acronym>IPFW</acronym> rule. Keywords must be written in + <application>IPFW</application> rule. Keywords must be written in the following order. <literal>#</literal> is used to mark the start of a comment and may appear at the end of a rule line or on its own line. Blank lines are ignored.</para> 
@@ -2083,7 +2029,7 @@ ipfw add deny out</programlisting> <term>Stateful Rule Option</term> <listitem> <para>The <literal>check-state</literal> option is used to - identify where in the IPFW ruleset the packet is to be + identify where in the <application>IPFW</application> ruleset the packet is to be tested against the dynamic rules facility. On a match, the packet exits the firewall to continue on its way and a new rule is dynamically created for the next anticipated packet @@ -2094,7 +2040,7 @@ ipfw add deny out</programlisting> <para>The dynamic rules facility is vulnerable to resource depletion from a SYN-flood attack which would open a huge number of dynamic rules. To counter this type of attack - with <acronym>IPFW</acronym>, use <literal>limit</literal>. + with <application>IPFW</application>, use <literal>limit</literal>. This keyword limits the number of simultaneous sessions by checking that rule's source or destinations fields and using the packet's IP address in a search of the open dynamic @@ -2110,12 +2056,12 @@ ipfw add deny out</programlisting> <title>Logging Firewall Messages</title> <indexterm> - <primary>IPFW</primary> + <primary><application>IPFW</application></primary> <secondary>logging</secondary> </indexterm> - <para>Even with the logging facility enabled, IPFW will not + <para>Even with the logging facility enabled, <application>IPFW</application> will not generate any rule logging on its own. The firewall administrator decides which rules in the ruleset will be logged, and adds the <literal>log</literal> keyword to those 
@@ -2156,7 +2102,7 @@ ipfw add deny out</programlisting> <sect3 xml:id="firewalls-ipfw-rules-script"> <title>Building a Rule Script</title> - <para>Most experienced IPFW users create a file containing + <para>Most experienced <application>IPFW</application> users create a file containing the rules and code them in a manner compatible with running them as a script. The major benefit of doing this is the firewall rules can be refreshed in mass without the need @@ -2416,17 +2362,17 @@ pif="dc0" # public interface name of <indexterm> <primary>NAT</primary> - <secondary>and IPFW</secondary> + <secondary>and <application>IPFW</application></secondary> </indexterm> <para>There are some additional configuration statements that need to be enabled to activate the <acronym>NAT</acronym> - function of IPFW. For a customized kernel, the kernel + function of <application>IPFW</application>. For a customized kernel, the kernel configuration file needs <literal>option IPDIVERT</literal> added to the other <literal>IPFIREWALL</literal> options.</para> - <para>In addition to the normal IPFW options in + <para>In addition to the normal <application>IPFW</application> options in <filename>/etc/rc.conf</filename>, the following are needed:</para>
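Review bot: in the `@@ -1593` hunk, the paragraph and listing that tell a reader how to turn on logging when IPFW is loaded as a module (`net.inet.ip.fw.verbose=1` and `net.inet.ip.fw.verbose_limit=5` in `/etc/sysctl.conf`) are removed without a replacement; the only logging instruction left in the enable section is the `IPFIREWALL_VERBOSE` kernel option, which applies to a custom kernel. Suggest keeping the sysctl listing here or moving it into the "Logging Firewall Messages" section. Minor: "It is comprised of several components" should read "It is composed of several components" or "It comprises several components".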
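Review bot: the `@@ -1659` hunk drops the `<note>` stating that the firewall blocks all incoming and outgoing packets unless `IPFIREWALL_DEFAULT_TO_ACCEPT` is set or a rule explicitly allows the traffic, and the previous hunk drops the "default to deny" boot message, so the enable section no longer warns that enabling IPFW with no ruleset cuts off all traffic, including a remote administrator's own session. Suggest restoring that note after the `firewall_enable="YES"` listing. The consolidated options listing also loses the justification for `IPFIREWALL_VERBOSE_LIMIT` (it bounds syslog output and so closes a syslog-flooding denial of service), which is the one security reason a reader has to set it; a single sentence after the listing would keep it. The `<indexterm>` entries for `IPFIREWALL_DEFAULT_TO_ACCEPT` and `IPDIVERT` are removed as well, which looks unintended since the other kernel-option index entries are kept.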
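Review bot: in the `@@ -1747` hunk, `<command>IPFW</command> commands` should be `<command>ipfw</command> commands`; the binary is lowercase `ipfw`, and the sect2 header in the same hunk already uses `<command>ipfw</command>`, with `<application>IPFW</application>` reserved for the product name. The same paragraph says `firewall_script` takes the "absolute path" while the list item two lines up was just changed from "absolute path" to "full path" for `firewall_type`; pick one wording for both.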
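Review bot: two context lines in the later hunks carry errors the editorial pass could fix while it is here: in `@@ -2156`, "refreshed in mass" should be "refreshed en masse", and in `@@ -2416`, `<literal>option IPDIVERT</literal>` should be `<literal>options IPDIVERT</literal>` to match the kernel configuration keyword used in the options listing added in `@@ -1659`.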