Date: Wed, 5 Mar 2014 20:28:46 +0000 (UTC) From: Dru Lavigne <dru@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44139 - head/en_US.ISO8859-1/books/handbook/firewalls Message-ID: <201403052028.s25KSkES087488@svn.freebsd.org>
Author: dru Date: Wed Mar 5 20:28:46 2014 New Revision: 44139 URL: http://svnweb.freebsd.org/changeset/doc/44139 Log: White space fix only. Translators can ignore. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Mar 5 20:11:16 2014 (r44138) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Mar 5 20:28:46 2014 (r44139) @@ -1735,13 +1735,13 @@ options IPDIVERT # enables NAT</pro logged per connection attempt, specify the number using this line in <filename>/etc/sysctl.conf</filename>:</para> - <programlisting>net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></programlisting> + <programlisting>net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></programlisting> - <para>After saving the needed edits, start the firewall. To - enable logging limits now, also set the - <command>sysctl</command> value specified above:</para> + <para>After saving the needed edits, start the firewall. To + enable logging limits now, also set the + <command>sysctl</command> value specified above:</para> - <screen>&prompt.root; <userinput>service ipfw start</userinput> + <screen>&prompt.root; <userinput>service ipfw start</userinput> &prompt.root; <userinput>sysctl net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></userinput></screen> </sect2> @@ -1854,8 +1854,8 @@ options IPDIVERT # enables NAT</pro <literal>limit</literal> rule.</para> <para><parameter>count</parameter>: updates counters for - all packets that match the rule. The search continues with - the next rule.</para> + all packets that match the rule. The search continues + with the next rule.</para> <para><parameter>deny | drop</parameter>: either word silently discards packets that match this rule.</para> 
@@ -2157,16 +2157,17 @@ pif="dc0" # interface name of NIC at <application>IPFW</application> to provide network address translation. This can be used to provide an Internet Connection Sharing solution so that several internal computers - can connect to the Internet using a single <acronym>IP</acronym> - address.</para> + can connect to the Internet using a single + <acronym>IP</acronym> address.</para> <para>To do this, the &os; machine connected to the Internet must act as a gateway. This system must have two - <acronym>NIC</acronym>s, where one is connected to the Internet - and the other is connected to the internal <acronym>LAN</acronym>. Each - machine connected to the <acronym>LAN</acronym> should be assigned - an <acronym>IP</acronym> address in the private network space, - as defined by <link + <acronym>NIC</acronym>s, where one is connected to the + Internet and the other is connected to the internal + <acronym>LAN</acronym>. Each machine connected to the + <acronym>LAN</acronym> should be assigned an + <acronym>IP</acronym> address in the private network space, as + defined by <link xlink:href="ftp://ftp.isi.edu/in-notes/rfc1918.txt">RFC 1918</link>, and have the default gateway set to the &man.natd.8; system's internal <acronym>IP</acronym> 
@@ -2177,11 +2178,11 @@ pif="dc0" # interface name of NIC at <application>IPFW</application>. If the system has a custom kernel, the kernel configuration file needs to include <literal>option IPDIVERT</literal> along with the other - <literal>IPFIREWALL</literal> options described in <xref linkend="firewalls-ipfw-enable"/>.</para> + <literal>IPFIREWALL</literal> options described in <xref + linkend="firewalls-ipfw-enable"/>.</para> - <para>To enable <acronym>NAT</acronym> support at - boot time, the following must be in - <filename>/etc/rc.conf</filename>:</para> + <para>To enable <acronym>NAT</acronym> support at boot time, the + following must be in <filename>/etc/rc.conf</filename>:</para> <programlisting>gateway_enable="YES" # enables the gateway natd_enable="YES" # enables <acronym>NAT</acronym> @@ -2189,14 +2190,13 @@ natd_interface="rl0" # specify interfac natd_flags="-dynamic -m" # -m = preserve port numbers; additional options are listed in &man.natd.8;</programlisting> <note> - <para>It is also possible to specify a configuration file which - contains the options to pass to &man.natd.8;:</para> + <para>It is also possible to specify a configuration file + which contains the options to pass to &man.natd.8;:</para> <programlisting>natd_flags="-f /etc/natd.conf"</programlisting> <para>The specified file must contain a list of configuration - options, one per line. For - example:</para> + options, one per line. For example:</para> <programlisting>redirect_port tcp 192.168.0.2:6667 6667 redirect_port tcp 192.168.0.3:80 80</programlisting> 
@@ -2207,21 +2207,19 @@ redirect_port tcp 192.168.0.3:80 80</pro <para>Next, add the <acronym>NAT</acronym> rules to the firewall ruleset. When the rulest contains stateful rules, the - positioning of the <acronym>NAT</acronym> rules is - critical and the <literal>skipto</literal> action is used. - The - <literal>skipto</literal> action requires a rule number - so that it knows - which rule to jump to.</para> + positioning of the <acronym>NAT</acronym> rules is critical + and the <literal>skipto</literal> action is used. The + <literal>skipto</literal> action requires a rule number so + that it knows which rule to jump to.</para> <para>The following example builds upon the firewall ruleset shown in the previous section. It adds some additional entries and modifies some existing rules in order to configure - the firewall for <acronym>NAT</acronym>. It starts by - adding some additional variables which represent the rule - number to skip to, the <literal>keep-state</literal> option, - and a list of <acronym>TCP</acronym> ports which will be - used to reduce the number of rules:</para> + the firewall for <acronym>NAT</acronym>. It starts by adding + some additional variables which represent the rule number to + skip to, the <literal>keep-state</literal> option, and a list + of <acronym>TCP</acronym> ports which will be used to reduce + the number of rules:</para> <programlisting>#!/bin/sh ipfw -q -f flush 
@@ -2264,13 +2262,13 @@ good_tcpo="22,25,37,53,80,443,110"</prog <para>The inbound rules remain the same, except for the very last rule which removes the <literal> via $pif</literal> in - order to catch both inbound and outbound rules. The + order to catch both inbound and outbound rules. The <acronym>NAT</acronym> rule must follow this last outbound rule, must have a higher number than that last rule, and the rule number must be referenced by the - <literal>skipto</literal> action. In this ruleset, - rule number <literal>500</literal> diverts all - packets which match the outbound rules to &man.natd.8; for + <literal>skipto</literal> action. In this ruleset, rule + number <literal>500</literal> diverts all packets which match + the outbound rules to &man.natd.8; for <acronym>NAT</acronym> processing. The next rule allows any packet which has undergone <acronym>NAT</acronym> processing to pass.</para> 
@@ -2281,43 +2279,47 @@ good_tcpo="22,25,37,53,80,443,110"</prog <para>In this example, rules <literal>100</literal>, <literal>101</literal>, <literal>125</literal>, - <literal>500</literal>, and <literal>510</literal> - control the address translation of the outbound and inbound packets - so that the entries in the dynamic state table always - register the private <acronym>LAN</acronym> - <acronym>IP</acronym> address.</para> + <literal>500</literal>, and <literal>510</literal> control the + address translation of the outbound and inbound packets so + that the entries in the dynamic state table always register + the private <acronym>LAN</acronym> <acronym>IP</acronym> + address.</para> - <para>Consider an internal web browser which initializes a new outbound <acronym>HTTP</acronym> - session over port 80. When the first outbound packet enters - the firewall, it does not match rule <literal>100</literal> because it is - headed out rather than in. It passes rule <literal>101</literal> because this - is the first packet and it has not been posted to the - dynamic state table yet. The packet finally matches - rule <literal>125</literal> as it is outbound on an allowed port - and has a source <acronym>IP</acronym> address from the internal <acronym>LAN</acronym>. - On matching this rule, two actions take place. - First, the <literal>keep-state</literal> action adds an entry to the dynamic - state table and the specified action, <literal>skipto rule 500</literal>, is executed. - Next, the packet undergoes <acronym>NAT</acronym> and - is sent out to the Internet. This packet makes its way to + <para>Consider an internal web browser which initializes a new + outbound <acronym>HTTP</acronym> session over port 80. When + the first outbound packet enters the firewall, it does not + match rule <literal>100</literal> because it is headed out + rather than in. 
It passes rule <literal>101</literal> because + this is the first packet and it has not been posted to the + dynamic state table yet. The packet finally matches rule + <literal>125</literal> as it is outbound on an allowed port + and has a source <acronym>IP</acronym> address from the + internal <acronym>LAN</acronym>. On matching this rule, two + actions take place. First, the <literal>keep-state</literal> + action adds an entry to the dynamic state table and the + specified action, <literal>skipto rule 500</literal>, is + executed. Next, the packet undergoes <acronym>NAT</acronym> + and is sent out to the Internet. This packet makes its way to the destination web server, where a response packet is generated and sent back. This new packet enters the top of - the ruleset. It matches rule <literal>100</literal> and has it destination <acronym>IP</acronym> - address mapped back to the original internal address. It - then is processed by the <literal>check-state</literal> - rule, is found in the table as an existing session, and is - released to the <acronym>LAN</acronym>.</para> - - <para>On the inbound side, the ruleset has - to deny bad packets and allow only authorized services. - A packet which matches an inbound rule - is posted - to the dynamic state table and the packet is released to the - <acronym>LAN</acronym>. The packet generated as a response is recognized by the - <literal>check-state</literal> rule as belonging to an existing - session. It is then sent to rule <literal>500</literal> to undergo + the ruleset. It matches rule <literal>100</literal> and has + it destination <acronym>IP</acronym> address mapped back to + the original internal address. It then is processed by the + <literal>check-state</literal> rule, is found in the table as + an existing session, and is released to the + <acronym>LAN</acronym>.</para> + + <para>On the inbound side, the ruleset has to deny bad packets + and allow only authorized services. 
A packet which matches an + inbound rule is posted to the dynamic state table and the + packet is released to the <acronym>LAN</acronym>. The packet + generated as a response is recognized by the + <literal>check-state</literal> rule as belonging to an + existing session. It is then sent to rule + <literal>500</literal> to undergo <acronym>NAT</acronym> before being released to the outbound interface.</para> + <sect3> <title>Port Redirection</title>