Date: Wed, 15 Dec 2004 20:10:25 +0100
From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: freebsd-doc@freebsd.org
Subject: Rework of firewall chapter start
Message-ID: <20041215191024.GA759@zaphod.nitro.dk>
Hello

I started to reword and improve the first two sections of the firewall chapter. Comments (both to the direction of the changes and the actual patch)?

-- 
Simon L. Nielsen

Attachment: doc-firewall-reword-start.patch

Index: chapter.sgml
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/ncvs/doc/en_US.ISO8859-1/books/handbook/firewalls/chapter.s= gml,v
retrieving revision 1.7
diff -u -d -r1.7 chapter.sgml
--- chapter.sgml 12 Dec 2004 23:21:03 -0000 1.7
+++ chapter.sgml 15 Dec 2004 19:08:51 -0000
@@ -32,18 +32,18 @@ <sect1 id=3D"firewalls-intro"> <title>Introduction</title> =20 - <para>All software-based firewalls provide some way to filter + <para>Firewalls makes it possbile to filter incoming and outgoing traffic that flows through your system. - The firewall uses one or more sets of <quote>rules</quote> to + A firewall uses one or more sets of <quote>rules</quote> to inspect the network packets as they come in or go out of your network connections and either allows the traffic through or - blocks it. The rules of the firewall can inspect one or more + blocks it. The rules of a firewall can inspect one or more characteristics of the packets, including but not limited to the protocol type, the source or destination host address, and the source or destination port.</para> =20 - <para>Firewalls greatly enhance the security of your network, your - applications and services. They can be used to do one or more of + <para>Firewalls can greatly enhance the security of a network or a + host. They can be used to do one or more of the following things:</para> =20 <itemizedlist> @@ -77,24 +77,24 @@ </listitem> =20 <listitem> - <para>The differences between the firewall software products + <para>The differences between the firewalls built into &os;</para> </listitem> =20 <listitem> <para>How to use and configure the OpenBSD - <application>PF</application> firewall software.</para> + <application>PF</application> firewall.</para> </listitem> =20 =20 <listitem> - <para>How to use and configure the - <application>IPFILTER</application> software.</para> + <para>How to use and configure + <application>IPFILTER</application>.</para> </listitem> =20 <listitem> - <para>How to use and configure the - <application>IPFW</application> software.</para> + <para>How to use and configure + <application>IPFW</application>.</para> </listitem> </itemizedlist> =20 
@@ -109,50 +109,29 @@ </sect1> =20 <sect1 id=3D"firewalls-rulesets"> - <title>Firewall Rule Set Types</title> - - <para>Constructing a software application firewall rule set may - seem to be trivial, but most people get it wrong. The most - common mistake is to create an <quote>exclusive</quote> firewall - rather than an <quote>inclusive</quote> firewall.</para> - - <para>An exclusive firewall allows all services through except for - those matching a set of rules that block certain - services.</para> - - <para>An inclusive firewall does the reverse. It only allows - services matching the rules through and blocks everything else. - This way you can control what services can originate behind the - firewall destined for the public Internet and also control which - services originating from the public Internet may access your - network. Inclusive firewalls are much, much safer than exclusive - firewalls.</para> + <title>Firewall Concepts</title> =20 - <para>When you use your browser to access a web site there are - many internal functions that happen before your screen fills - with the data from the target web site. Your browser does not - receive one large file containing all the data and display - format instructions at one time. Each internal function accesses - the public Internet in multiple send/receive cycles of packets - of information. When all the packets containing the data finally - arrive, the data contained in the packets is combined together - to fill your screen. Each service (<acronym>DNS</acronym>, - <acronym>HTTP</acronym>, etc) has its own port number. The port - number 80 is for <acronym>HTTP</acronym> services. So you can - code your firewall to only allow web page session start requests - originating from your <acronym>LAN</acronym> to pass through the - firewall out to the public Internet.</para> + <para>There are two basic ways to create firewall rulesets: + <quote>inclusive</quote> or <quote>exclusive</quote>. 
An + exclusive firewall allows all traffic through except for the + traffic matching the ruleset. An inclusive firewall does the + reverse. It only allows traffic matching the rules through and + blocks everything else.</para> =20 - <para>Security can be tightened further by telling the firewall to - monitor the send/receive cycles of all the packets making up - that session until the session completes. These are called - stateful capabilities and provides the maximum level of - protection.</para> + <para>Inclusive firewalls are generally safer than exclusive + firewalls because they significantly reduces the risk of + allowing unwanted traffic to pass through the firewall.</para> =20 - <para>A firewall rule set that does not implement stateful - capabilities on all the services being authorized is an insecure - firewall that is still open to many of the most common methods - of attack.</para> + <para>Security can be tightened further using a <quote>stateful + firewall</quote>. With a stateful firewall the firewall keeps + track of which connections are open through the firewall and + will only allow traffic through which either matches a existing + connection or opens a new one. The disadvantage of a stateful + file wall is that it is can be vulnerable to Denial of Service + (<acronym>DoS</acronym>) attacks if a lot of new connections + are opened very fast. In most firewalls it is possible to use a + combination of stateful and non-stateful behavior to make an + optimal firewall for the site.</para> </sect1> =20 <sect1 id=3D"firewalls-apps">
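Review bot: In the first hunk (@@ -32,18 +32,18 @@), the new opening line "Firewalls makes it possbile to filter" has both a typo and a number-agreement error; suggest "Firewalls make it possible to filter". The remaining changes in that hunk ("A firewall uses", "The rules of a firewall", "a network or a host") are consistent with the reworded introduction and read fine.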
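Review bot: In the second hunk (@@ -77,24 +77,24 @@), the three "How to use and configure" list items are now phrased inconsistently: the PF item keeps "the OpenBSD <application>PF</application> firewall" while the IPFILTER and IPFW items drop both the article and the word "firewall" ("How to use and configure <application>IPFILTER</application>."). Pick one form for all three. The doubled blank line between the PF and IPFILTER listitems, visible in the unchanged context, could be collapsed to one while this block is being touched.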
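Review bot: In the third hunk (@@ -109,50 +109,29 @@), the new stateful-firewall paragraph is too permissive as written: "will only allow traffic through which either matches a existing connection or opens a new one" can be read as letting any packet through simply because it "opens a new one", which is exactly what the ruleset is supposed to decide. Suggest "only allows traffic that belongs to an existing connection, or that matches a rule permitting a new connection to be opened". The removed text's point that rules without state tracking stay exposed to common attacks is lost in the rewrite; one sentence noting that non-stateful rules give up that protection would balance the new DoS caveat and explain why a mix of the two is a trade-off rather than a free win. Spelling and grammar in the same paragraphs: "they significantly reduces" -> "they significantly reduce", "a existing connection" -> "an existing connection", "stateful file wall" -> "stateful firewall", "it is can be vulnerable" -> "it can be vulnerable".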
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041215191024.GA759>