From owner-svn-doc-all@FreeBSD.ORG Thu Jan 24 14:28:06 2013
Return-Path:
Delivered-To: svn-doc-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 87670C25; Thu, 24 Jan 2013 14:28:06 +0000 (UTC) (envelope-from dru@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 6B3BDAA5; Thu, 24 Jan 2013 14:28:06 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.5/8.14.5) with ESMTP id r0OES6aF065629; Thu, 24 Jan 2013 14:28:06 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost) by svn.freebsd.org (8.14.5/8.14.5/Submit) id r0OES60F065628; Thu, 24 Jan 2013 14:28:06 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201301241428.r0OES60F065628@svn.freebsd.org>
From: Dru Lavigne Date: Thu, 24 Jan 2013 14:28:06 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r40732 - head/en_US.ISO8859-1/books/handbook/firewalls X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Jan 2013 14:28:06 -0000 Author: dru Date: Thu Jan 24 14:28:05 2013 New Revision: 40732 URL: http://svnweb.freebsd.org/changeset/doc/40732 Log: Minor content fix which addresses incorrect usage of it's, Let's, and most redundant word errors. Approved by: bcr (mentor) Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Thu Jan 24 10:39:46 2013 (r40731) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Thu Jan 24 14:28:05 2013 (r40732) @@ -720,7 +720,7 @@ ipnat_rules="/etc/ipnat.rules" # rule as a result of applying the user coded rules against packets going in and out of the firewall since it was last started, or since the last time the accumulators were reset to zero - by the ipf -Z command. + using ipf -Z. See the &man.ipfstat.8; manual page for details. 
@@ -776,8 +776,8 @@ ipnat_rules="/etc/ipnat.rules" # rule 354727 block out on dc0 from any to any 430918 pass out quick on dc0 proto tcp/udp from any to any keep state - One of the most important functions of the - ipfstat command is the + One of the most important functions of + ipfstat is the flag which displays the state table in a way similar to the way &man.top.1; shows the &os; running process table. When your firewall is under attack, this function gives you the @@ -813,7 +813,7 @@ ipnat_rules="/etc/ipnat.rules" # rule automatically rotate system logs. That is why outputting the log information to &man.syslogd.8; is better than the default of outputting to a regular file. In the default - rc.conf file, the + rc.conf, the ipmon_flags statement uses the flags: @@ -866,8 +866,8 @@ LOG_ERR - packets which have been logged &prompt.root; touch /var/log/ipfilter.log The &man.syslogd.8; function is controlled by definition - statements in the /etc/syslog.conf file. - The syslog.conf file offers considerable + statements in /etc/syslog.conf. + This file offers considerable flexibility in how syslog will deal with system messages issued by software applications like IPF. @@ -915,7 +915,7 @@ LOG_ERR - packets which have been logged - The group and rule number of the rule, e.g. + The group and rule number of the rule, e.g., @0:17. @@ -1053,7 +1053,7 @@ EOF Disable IPFILTER in system startup scripts by adding ipfilter_enable="NO" (this is default - value) into /etc/rc.conf file. + value) to /etc/rc.conf. Add a script like the following to your Any time there are logged messages on a rule with - the log first option, an - ipfstat -hio command should be executed + the log first option, + ipfstat -hio should be executed to evaluate how many times the rule has actually matched. Large number of matches usually indicate that the system is being flooded (i.e.: under attack). 
@@ -1710,7 +1710,7 @@ block in log first quick on dc0 proto tc block in log first quick on dc0 proto tcp/udp from any to any port = 81 # Allow traffic in from ISP's DHCP server. This rule must contain -# the IP address of your ISP's DHCP server as it's the only +# the IP address of your ISP's DHCP server as it is the only # authorized source to send this packet type. Only necessary for # cable or DSL configurations. This rule is not needed for # 'user ppp' type connection to the public Internet. @@ -1772,7 +1772,7 @@ block in log first quick on dc0 all dynamic IP address is used to identify your system to the public Internet. - Now lets say you have five PCs at home and each one needs + Say you have five PCs at home and each one needs Internet access. You would have to pay your ISP for an individual Internet account for each PC and have five phone lines. @@ -1847,16 +1847,16 @@ block in log first quick on dc0 all ipnat - NAT rules are loaded by using the - ipnat command. Typically the + NAT rules are loaded by using + ipnat. Typically the NAT rules are stored in /etc/ipnat.rules. See &man.ipnat.8; for details. When changing the NAT rules after NAT has been started, make your changes to - the file containing the NAT rules, then run the - ipnat command with the + the file containing the NAT rules, then run + ipnat with the flags to delete the internal in use NAT rules and flush the contents of the translation table of all active entries. @@ -2304,8 +2304,8 @@ net.inet.ip.fw.verbose_limit=5firewall_enable="YES" To select one of the default firewall types provided by - &os;, select one by reading the - /etc/rc.firewall file and place it in + &os;, select one by reading + /etc/rc.firewall and place it in the following: firewall_type="open" 
@@ -2388,8 +2388,7 @@ ipfw add deny out linkend="firewalls-ipfw-enable"/>). There is no rc.conf variable to set log limitations, but it can be set via sysctl variable, manually - or from the /etc/sysctl.conf - file: + or from /etc/sysctl.conf: net.inet.ip.fw.verbose_limit=5 @@ -2610,8 +2609,7 @@ ipfw add deny out cases, a value of zero removes the logging limit. Once the limit is reached, logging can be re-enabled by clearing the logging counter or the packet counter for - that rule, see the ipfw reset log - command. + that rule, use ipfw reset log. Logging is done after @@ -2779,7 +2777,7 @@ ipfw add deny out down attackers. Even with the logging facility enabled, IPFW will not - generate any rule logging on it's own. The firewall + generate any rule logging on its own. The firewall administrator decides what rules in the ruleset will be logged, and adds the log verb to those rules. Normally only deny rules are logged, like the deny @@ -2816,9 +2814,8 @@ ipfw add deny out last message repeated 45 times All logged packets messages are written by default to - /var/log/security file, which is - defined in the /etc/syslog.conf - file. + /var/log/security, which is + defined in /etc/syslog.conf. @@ -2864,8 +2861,8 @@ ks="keep-state" # just too lazy t in this example, how the symbolic substitution field are populated and used are. - If the above example was in the - /etc/ipfw.rules file, the rules could + If the above example was in + /etc/ipfw.rules, the rules could be reloaded by entering the following on the command line. @@ -3223,7 +3220,7 @@ natd_flags="-dynamic -m" # -m skipto rule 500 for the network address translation. - Lets say a LAN user uses their web browser to get a web + Say a LAN user uses their web browser to get a web page. Web pages are transmitted over port 80. So the packet enters the firewall. It does not match rule 100 because it is headed out rather than in. It passes rule 
@@ -3231,7 +3228,7 @@ natd_flags="-dynamic -m" # -m posted to the keep-state dynamic table yet. The packet finally comes to rule 125 a matches. It is outbound through the NIC facing the public Internet. The packet still has - it's source IP address as a private LAN IP address. On + its source IP address as a private LAN IP address. On the match to this rule, two actions take place. The keep-state option will post this rule into the keep-state dynamic rules table and the specified @@ -3254,14 +3251,14 @@ natd_flags="-dynamic -m" # -m entry is found, the associated action, skipto 500, is executed. The packet jumps to rule 500 gets NATed and released - on it's way out. + on its way out. On the inbound side, everything coming in that is part of an existing session conversation is being automatically handled by the check-state rule and the properly placed divert natd rules. All we have to address is denying all the bad packets and only - allowing in the authorized services. Lets say there is an + allowing in the authorized services. Say there is an apache server running on the firewall box and we want people on the public Internet to be able to access the local web site. The new inbound start request packet matches rule @@ -3454,7 +3451,7 @@ pif="rl0" # public interface name of $cmd 332 deny tcp from any to any established in via $pif # Allow traffic in from ISP's DHCP server. This rule must contain -# the IP address of your ISP's DHCP server as it's the only +# the IP address of your ISP's DHCP server as it is the only # authorized source to send this packet type. # Only necessary for cable or DSL configurations. # This rule is not needed for 'user ppp' type connection to
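Review bot: in the @@ -1053 hunk the unchanged context still reads "(this is default value)", which is missing an article; since the hunk already touches that sentence, make it "(this is the default value)". The "log first" paragraph in the same region has an agreement error and a nonstandard abbreviation: "Large number of matches usually indicate that the system is being flooded (i.e.: under attack)" should read "A large number of matches usually indicates that the system is being flooded (i.e., under attack)".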
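Review bot: "the internal in use NAT rules" in the @@ -1847 hunk is hard to parse; hyphenate the attributive phrase, "the internal in-use NAT rules", or reorder to "the NAT rules currently in use". In the first changed line of the same hunk, "NAT rules are loaded by using ipnat" can drop "by using" in favour of the more direct "NAT rules are loaded with ipnat", which matches the wording used for ipfstat earlier in the commit.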
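Review bot: the @@ -2304 hunk still contains the kind of redundancy the commit log sets out to remove: "To select one of the default firewall types provided by &os;, select one by reading /etc/rc.firewall and place it in the following" uses "select" twice and leaves "it" without a clear referent. Suggest "To use one of the default firewall types provided by &os;, read /etc/rc.firewall to choose one and set it in the following:".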
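Review bot: "but it can be set via sysctl variable" in the @@ -2388 hunk is missing an article; while the sentence is being reworded, make it "but it can be set via a sysctl variable, manually or from /etc/sysctl.conf:".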
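Review bot: replacing "see the ipfw reset log command" with "use ipfw reset log" in the @@ -2610 hunk turns the sentence into a comma splice: "logging can be re-enabled by clearing the logging counter or the packet counter for that rule, use ipfw reset log." Either keep the cross-reference form, "for that rule; see ipfw reset log.", or fold the command into the sentence, "for that rule with ipfw reset log."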
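Review bot: "All logged packets messages are written by default to /var/log/security" in the @@ -2816 hunk uses a plural noun attributively; make it "All logged packet messages" or, clearer, "Messages for all logged packets are written by default to /var/log/security, which is defined in /etc/syslog.conf."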
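Review bot: the context line at the top of the @@ -2864 hunk, "how the symbolic substitution field are populated and used are.", is ungrammatical and worth fixing while this paragraph is being edited: "how the symbolic substitution fields are populated and used." In the changed line, "If the above example was in /etc/ipfw.rules" describes a hypothetical and reads better in the subjunctive, "If the above example were in /etc/ipfw.rules".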
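Review bot: the unchanged context "The packet finally comes to rule 125 a matches." in the @@ -3228 hunk has a typo, "a" for "and", one line above the "it's" fix; since the sentence is already inside the hunk, correct it to "rule 125 and matches".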
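Review bot: two small points in the @@ -3251 hunk: "is being automatically handled by the check-state rule" should be the simple present, "is automatically handled"; and "apache server" should be capitalized as "Apache server" since it names the software. "All we have to address is denying all the bad packets" could also drop the second "all" ("denying the bad packets"), in keeping with the redundant-word cleanup this commit targets.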