Date: Wed, 19 Feb 2014 20:38:58 +0000 (UTC) From: Dru Lavigne <dru@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r43996 - head/en_US.ISO8859-1/books/handbook/firewalls Message-ID: <201402192038.s1JKcw1J054038@svn.freebsd.org>
Author: dru Date: Wed Feb 19 20:38:58 2014 New Revision: 43996 URL: http://svnweb.freebsd.org/changeset/doc/43996 Log: More shuffling to improve flow. To be followed by a bunch of commits which look at the actual tech content. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 19 20:02:33 2014 (r43995) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 19 20:38:58 2014 (r43996) @@ -1701,10 +1701,6 @@ ipnat_rules="/etc/ipnat.rules" # rule <para>There is a way to build IPF rules that utilize the power of script symbolic substitution. For more information, see <xref linkend="firewalls-ipf-rules-script"/>.</para> - </sect2> - - <sect2> - <title>Rule Syntax</title> <indexterm> <primary><application>IPFILTER</application></primary> 
@@ -1735,35 +1731,12 @@ ipnat_rules="/etc/ipnat.rules" # rule PROTO SRC_ADDR,DST_ADDR OBJECT PORT_NUM TCP_FLAG STATEFUL</replaceable></para> - <para><replaceable>ACTION</replaceable> = block | pass</para> - - <para><replaceable>IN-OUT</replaceable> = in | out</para> - - <para><replaceable>OPTIONS</replaceable> = log | quick | on - interface-name</para> - - <para><replaceable>SELECTION</replaceable> = proto value | - source/destination IP | port = number | flags - flag-value</para> - - <para><replaceable>PROTO</replaceable> = tcp/udp | udp | tcp | - icmp</para> - - <para><replaceable>SRC_ADD,DST_ADDR</replaceable> = all | from - object to object</para> - - <para><replaceable>OBJECT</replaceable> = IP address | - any</para> - - <para><replaceable>PORT_NUM</replaceable> = port number</para> - - <para><replaceable>TCP_FLAG</replaceable> = S</para> - - <para><replaceable>STATEFUL</replaceable> = keep state</para> - - <sect3> - <title>ACTION</title> + <para>Each keyword and its options are described below.</para> + <variablelist> + <varlistentry> + <term>ACTION</term> + <listitem> <para>The action keyword indicates what to do with the packet if it matches the rest of the filter rule. Each rule <emphasis>must</emphasis> have an action. The following @@ -1776,11 +1749,12 @@ ipnat_rules="/etc/ipnat.rules" # rule <para><literal>pass</literal> indicates that the packet should exit the firewall if the selection parameters match the packet.</para> - </sect3> - - <sect3> - <title>IN-OUT</title> + </listitem> + </varlistentry> + <varlistentry> + <term>IN-OUT</term> + <listitem> <para>A mandatory requirement is that each filter rule explicitly state which side of the I/O it is to be used on. The next keyword must be either <literal>in</literal> 
@@ -1794,11 +1768,12 @@ ipnat_rules="/etc/ipnat.rules" # rule <para><literal>out</literal> means this rule is being applied against an outbound packet destined for the interface facing the public Internet.</para> - </sect3> - - <sect3> - <title>OPTIONS</title> + </listitem> + </varlistentry> + <varlistentry> + <term>OPTIONS</term> + <listitem> <note> <para>These options must be used in the order shown here.</para> @@ -1833,11 +1808,12 @@ ipnat_rules="/etc/ipnat.rules" # rule state</literal> option, this option is recommended so that only the triggering packet is logged and not every packet which matches the stateful connection.</para> - </sect3> - - <sect3> - <title>SELECTION</title> + </listitem> + </varlistentry> + <varlistentry> + <term>SELECTION</term> + <listitem> <para>The keywords described in this section are used to describe attributes of the packet to be checked when determining whether or not rules match. There is a @@ -1845,11 +1821,12 @@ ipnat_rules="/etc/ipnat.rules" # rule which has to be selected. The following general-purpose attributes are provided for matching, and must be used in this order:</para> - </sect3> - - <sect3> - <title>PROTO</title> + </listitem> + </varlistentry> + <varlistentry> + <term>PROTO</term> + <listitem> <para><literal>proto</literal> is the subject keyword which must include one of its corresponding keyword sub-option values. The sub-option indicates a specific protocol to be @@ -1862,11 +1839,12 @@ ipnat_rules="/etc/ipnat.rules" # rule either a <acronym>TCP</acronym> or a <acronym>UDP</acronym> packet, and has been added as a convenience to save duplication of otherwise identical rules.</para> - </sect3> - - <sect3> - <title>SRC_ADDR/DST_ADDR</title> + </listitem> + </varlistentry> + <varlistentry> + <term>SRC_ADDR/DST_ADDR</term> + <listitem> <para>The <literal>all</literal> keyword is equivalent to <quote>from any to any</quote> with no other match parameters.</para> 
@@ -1890,11 +1868,12 @@ ipnat_rules="/etc/ipnat.rules" # rule the calculation. Additional information is available at the utility's web page: <uri xlink:href="http://jodies.de/ipcalc">http://jodies.de/ipcalc</uri>.</para> - </sect3> - - <sect3> - <title>PORT</title> + </listitem> + </varlistentry> + <varlistentry> + <term>PORT</term> + <listitem> <para>If a port match is included, for either or both of source and destination, it is only applied to <acronym>TCP</acronym> and <acronym>UDP</acronym> packets. @@ -1920,11 +1899,12 @@ ipnat_rules="/etc/ipnat.rules" # rule <para>To specify port ranges, place the two port numbers between <literal><></literal> or <literal>><</literal></para> - </sect3> - - <sect3> - <title><acronym>TCP</acronym>_FLAG</title> + </listitem> + </varlistentry> + <varlistentry> + <term><acronym>TCP</acronym>_FLAG</term> + <listitem> <para>Flags are only effective for <acronym>TCP</acronym> filtering. The letters represent one of the possible flags that can be matched against the <acronym>TCP</acronym> @@ -1933,15 +1913,18 @@ ipnat_rules="/etc/ipnat.rules" # rule <para>The modernized rules processing logic uses the <literal>flags S</literal> parameter to identify the TCP session start request.</para> - </sect3> - - <sect3> - <title>STATEFUL</title> + </listitem> + </varlistentry> + <varlistentry> + <term>STATEFUL</term> + <listitem> <para><literal>keep state</literal> indicates that on a pass rule, any packets that match the rules selection parameters should activate the stateful filtering facility.</para> - </sect3> + </listitem> + </varlistentry> + </variablelist> </sect2> <sect2> @@ -2382,7 +2365,7 @@ sh /etc/ipf.rules.script</programlisting </sect2> <sect2> - <title><acronym>NAT</acronym></title> + <title>Configuring <acronym>NAT</acronym></title> <indexterm><primary>NAT</primary></indexterm> 
@@ -2399,8 +2382,7 @@ sh /etc/ipf.rules.script</programlisting </indexterm> <para><acronym>NAT</acronym> stands for <emphasis>Network - Address Translation</emphasis>. In &linux;, NAT is called - <quote>IP Masquerading</quote>. The IPF + Address Translation</emphasis>. The IPF <acronym>NAT</acronym> function enables the private LAN behind the firewall to share a single ISP-assigned IP address, even if that address is dynamically assigned. NAT allows each @@ -2408,7 +2390,26 @@ sh /etc/ipf.rules.script</programlisting having to pay the ISP for multiple Internet accounts or IP addresses.</para> - <para><acronym>NAT</acronym> will automatically translate the + <para>In IPF, when a packet arrives at the firewall from the LAN + with a public destination, it passes through the outbound + filter rules. <acronym>NAT</acronym> gets its turn at the + packet and applies its rules top down, where the first + matching rule wins. <acronym>NAT</acronym> tests each of its + rules against the packet's interface name and source IP + address. When a packet's interface name matches a + <acronym>NAT</acronym> rule, the packet's source IP address in + the private LAN is checked to see if it falls within the IP + address range specified to the left of the arrow symbol on the + <acronym>NAT</acronym> rule. On a match, the packet has its + source IP address rewritten with the public IP address + obtained by the <literal>0/32</literal> keyword. + <acronym>NAT</acronym> posts an entry in its internal + <acronym>NAT</acronym> table so when the packet returns from + the public Internet it can be mapped back to its original + private IP address and then passed to the filter rules for + processing.</para> + + <para><acronym>NAT</acronym> will automatically translate the private LAN IP address for each system on the LAN to the single public IP address as packets exit the firewall bound for the public Internet. It also performs the reverse 
@@ -2433,18 +2434,25 @@ sh /etc/ipf.rules.script</programlisting </listitem> </itemizedlist> - </sect2> + <indexterm><primary><command>ipnat</command></primary></indexterm> - <sect2> - <title>IP<acronym>NAT</acronym></title> + <para>To enable IP<acronym>NAT</acronym>, add these statements + to <filename>/etc/rc.conf</filename>.</para> - <indexterm> - <primary>NAT</primary> + <para>To enable the machine to route traffic between + interfaces:</para> - <secondary>and <application>IPFILTER</application></secondary> - </indexterm> + <programlisting>gateway_enable="YES"</programlisting> - <indexterm><primary><command>ipnat</command></primary></indexterm> + <para>To start IP<acronym>NAT</acronym> automatically each + time:</para> + + <programlisting>ipnat_enable="YES"</programlisting> + + <para>To specify where to load the IP<acronym>NAT</acronym> + rules from:</para> + + <programlisting>ipnat_rules="/etc/ipnat.rules"</programlisting> <para><acronym>NAT</acronym> rules are loaded using <command>ipnat</command>. Typically, the @@ -2479,10 +2487,6 @@ sh /etc/ipf.rules.script</programlisting to rule processing and active rules/table entries:</para> <screen>&prompt.root; <userinput>ipnat -v</userinput></screen> - </sect2> - - <sect2> - <title>IP<acronym>NAT</acronym> Rules</title> <para><acronym>NAT</acronym> rules are flexible and can accomplish many different things to fit the needs of 
@@ -2512,54 +2516,8 @@ sh /etc/ipf.rules.script</programlisting be the static external IP address or the special keyword <literal>0/32</literal> which uses the IP address assigned to <replaceable>IF</replaceable>.</para> - </sect2> - - <sect2> - <title>How <acronym>NAT</acronym> Works</title> - - <para>In IPF, when a packet arrives at the firewall from the LAN - with a public destination, it passes through the outbound - filter rules. <acronym>NAT</acronym> gets its turn at the - packet and applies its rules top down, where the first - matching rule wins. <acronym>NAT</acronym> tests each of its - rules against the packet's interface name and source IP - address. When a packet's interface name matches a - <acronym>NAT</acronym> rule, the packet's source IP address in - the private LAN is checked to see if it falls within the IP - address range specified to the left of the arrow symbol on the - <acronym>NAT</acronym> rule. On a match, the packet has its - source IP address rewritten with the public IP address - obtained by the <literal>0/32</literal> keyword. 
- <acronym>NAT</acronym> posts an entry in its internal - <acronym>NAT</acronym> table so when the packet returns from - the public Internet it can be mapped back to its original - private IP address and then passed to the filter rules for - processing.</para> - </sect2> - - <sect2> - <title>Enabling IP<acronym>NAT</acronym></title> - - <para>To enable IP<acronym>NAT</acronym>, add these statements - to <filename>/etc/rc.conf</filename>.</para> - - <para>To enable the machine to route traffic between - interfaces:</para> - - <programlisting>gateway_enable="YES"</programlisting> - <para>To start IP<acronym>NAT</acronym> automatically each - time:</para> - - <programlisting>ipnat_enable="YES"</programlisting> - - <para>To specify where to load the IP<acronym>NAT</acronym> - rules from:</para> - - <programlisting>ipnat_rules="/etc/ipnat.rules"</programlisting> - </sect2> - - <sect2> + <sect3> <title><acronym>NAT</acronym> for a Large LAN</title> <para>For networks that have large numbers of systems on the LAN @@ -2567,13 +2525,10 @@ sh /etc/ipf.rules.script</programlisting funneling all those private IP addresses into a single public IP address becomes a resource problem that may cause problems with the same port numbers being used many times across many - connections, causing collisions. There are two ways to + connections, causing collisions. This section describes two ways to relieve this resource problem.</para> - <sect3> - <title>Assigning Ports to Use</title> - - <para>A normal NAT rule would look like:</para> + <para>The first method is to assign ports to use. A normal NAT rule would look like:</para> <programlisting>map dc0 192.168.1.0/24 -> 0/32</programlisting> 
@@ -2592,12 +2547,8 @@ sh /etc/ipf.rules.script</programlisting available for use:</para> <programlisting>map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto</programlisting> - </sect3> - <sect3> - <title>Using a Pool of Public Addresses</title> - - <para>In very large LANs there comes a point where there are + <para>The second method is to use a pool of public addresses. In very large LANs there comes a point where there are just too many LAN addresses to fit into a single public address. If a block of public IP addresses is available, these addresses can be used as a <quote>pool</quote>, and @@ -2619,9 +2570,8 @@ sh /etc/ipf.rules.script</programlisting <programlisting>map dc0 192.168.1.0/24 -> 204.134.75.0/24</programlisting> </sect3> - </sect2> - <sect2> + <sect3> <title>Port Redirection</title> <para>A common practice is to have a web server, email server, @@ -2646,9 +2596,9 @@ sh /etc/ipf.rules.script</programlisting needs to receive public DNS requests:</para> <programlisting>rdr dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 udp</programlisting> - </sect2> + </sect3> - <sect2> + <sect3> <title>FTP and <acronym>NAT</acronym></title> <para>FTP has two modes: active mode and passive mode. The @@ -2658,9 +2608,6 @@ sh /etc/ipf.rules.script</programlisting and the different modes, see <uri xlink:href="http://www.slacksite.com/other/ftp.html">http://www.slacksite.com/other/ftp.html</uri>.</para> - <sect3> - <title>IP<acronym>NAT</acronym> Rules</title> - <para>IP<acronym>NAT</acronym> has a built in FTP proxy option which can be specified on the <acronym>NAT</acronym> map rule. It can monitor all outbound packet traffic for FTP 
@@ -2693,10 +2640,6 @@ sh /etc/ipf.rules.script</programlisting <acronym>NAT</acronym>. All LAN packets that are not FTP will not match the FTP rules but will undergo <acronym>NAT</acronym> if they match the third rule.</para> - </sect3> - - <sect3> - <title>IP<acronym>NAT</acronym> FTP Filter Rules</title> <para>Only one filter rule is needed for FTP if the <acronym>NAT</acronym> FTP proxy is used.</para> @@ -2846,10 +2789,6 @@ pass in quick on rl0 proto tcp from any last rule in the ruleset. This makes it possible to see all the packets that did not match any of the rules in the ruleset.</para> - </sect2> - - <sect2> - <title>IPMON Logging</title> <para>&man.syslogd.8; uses its own method for segregation of log data. It uses groupings called <quote>facility</quote> and @@ -2890,10 +2829,6 @@ LOG_ERR - packets which have been logged <para>Do not forget to change <filename>/etc/newsyslog.conf</filename> to rotate the new log file.</para> - </sect2> - - <sect2> - <title>The Format of Logged Messages</title> <para>Messages generated by <command>ipmon</command> consist of data fields separated by white space. Fields common to
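Review bot: in hunk @@ -1735,35 +1731,12 the one-line value summaries (`ACTION = block | pass`, `OPTIONS = log | quick | on interface-name`, `STATEFUL = keep state` and the rest) are deleted outright, so the new `<variablelist>` no longer states the accepted values for each keyword in one place; of the visible bodies only ACTION spells out `block` and `pass`. Consider opening each `<listitem>` with the removed summary, for example `<para>Values: <literal>block</literal> | <literal>pass</literal></para>`, so the quick-reference character of the old list survives the restructuring.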
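Review bot: in hunk @@ -1845,11 +1821,12 the SELECTION entry now closes its `<listitem>` on "The following general-purpose attributes are provided for matching, and must be used in this order:" with nothing after the colon. Under the old `<sect3>` layout the subsections that followed were the implied list; inside a `<varlistentry>` the colon dangles. Reword to something like "must be used in the order in which the remaining entries are listed" and end with a period.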
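Review bot: in hunk @@ -2408,7 +2390,26 the relocated paragraph refers to "the arrow symbol on the NAT rule" and "the public IP address obtained by the `0/32` keyword" before either has been introduced; in the new order the `map` syntax and `0/32` are only explained further down (hunk @@ -2512: "the special keyword `0/32` which uses the IP address assigned to IF"). Either move this paragraph below the rule syntax or add a forward clause such as "obtained by the `0/32` keyword described in the rule syntax below".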
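Review bot: in hunk @@ -2433,18 +2434,25 the `<indexterm><primary>NAT</primary><secondary>and <application>IPFILTER</application></secondary></indexterm>` from the removed IPNAT `<sect2>` is deleted rather than moved, so the "NAT, and IPFILTER" index entry vanishes while the `<command>ipnat</command>` term is kept. Relocate it beside the `<indexterm><primary>NAT</primary></indexterm>` in the renamed "Configuring NAT" section. Minor: "add these statements to `/etc/rc.conf`." introduces three `<programlisting>` blocks, so a colon reads better than the period.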
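Review bot: in hunk @@ -2592,12 +2547,8 the new opener `<para>The second method is to use a pool of public addresses. In very large LANs there comes a point where there are` runs well past the column width of the surrounding lines, and the `<para>The first method is to assign ports to use. A normal NAT rule would look like:` line in hunk @@ -2567,13 +2525,10 has the same problem. Re-wrap both to the roughly 70-column width used elsewhere in chapter.xml so later diffs stay readable.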
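Review bot: in hunk @@ -2658,9 +2608,6 "FTP and NAT" becomes a `<sect3>` and its inner "IPNAT Rules" `<sect3>` open is dropped, but the corresponding close tags fall outside this hunk and the next one (@@ -2693 only removes the `</sect3>`/`<sect3>` pair between the two former subsections). The remaining `</sect3>` after the FTP filter rules must now close "FTP and NAT" and the following `</sect2>` must close "Configuring NAT"; please confirm the chapter still validates (`make lint` in the book directory) before committing the follow-up content changes.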
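Review bot: in hunk @@ -2846,10 +2789,6 removing the "IPMON Logging" `<sect2>` boundary makes "&man.syslogd.8; uses its own method for segregation of log data" follow the paragraph about the last rule in the ruleset with no transition, so the jump from ruleset design to syslog facilities is abrupt. A one-sentence lead-in (for example, that `ipmon` hands its output to syslogd, which is configured next) would restore the flow the removed heading provided.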