From: "Simon L. Nielsen"
To: freebsd-doc@freebsd.org
Date: Wed, 15 Dec 2004 20:10:25 +0100
Message-ID: <20041215191024.GA759@zaphod.nitro.dk>
Subject: Rework of firewall chapter start

Hello

I started to reword and improve the first two sections of the firewall chapter. Comments (both to the direction of the changes and the actual patch)?

-- 
Simon L. Nielsen

Attachment: doc-firewall-reword-start.patch

Index: chapter.sgml
===================================================================
RCS file: /home/ncvs/doc/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml,v
retrieving revision 1.7
diff -u -d -r1.7 chapter.sgml
--- chapter.sgml 12 Dec 2004 23:21:03 -0000 1.7
+++ chapter.sgml 15 Dec 2004 19:08:51 -0000
@@ -32,18 +32,18 @@ Introduction =20 - All software-based firewalls provide some way to filter + Firewalls makes it possbile to filter incoming and outgoing traffic that flows through your system. - The firewall uses one or more sets of rules to + A firewall uses one or more sets of rules to inspect the network packets as they come in or go out of your network connections and either allows the traffic through or - blocks it. The rules of the firewall can inspect one or more + blocks it. The rules of a firewall can inspect one or more characteristics of the packets, including but not limited to the protocol type, the source or destination host address, and the source or destination port. =20 - Firewalls greatly enhance the security of your network, your - applications and services. They can be used to do one or more of + Firewalls can greatly enhance the security of a network or a + host. They can be used to do one or more of the following things: =20 @@ -77,24 +77,24 @@ =20 - The differences between the firewall software products + The differences between the firewalls built into &os; =20 How to use and configure the OpenBSD - PF firewall software. + PF firewall. =20 =20 - How to use and configure the - IPFILTER software. + How to use and configure + IPFILTER. =20 - How to use and configure the - IPFW software. + How to use and configure + IPFW. =20 
@@ -109,50 +109,29 @@ =20 - Firewall Rule Set Types - - Constructing a software application firewall rule set may - seem to be trivial, but most people get it wrong. The most - common mistake is to create an exclusive firewall - rather than an inclusive firewall. - - An exclusive firewall allows all services through except for - those matching a set of rules that block certain - services. - - An inclusive firewall does the reverse. It only allows - services matching the rules through and blocks everything else. - This way you can control what services can originate behind the - firewall destined for the public Internet and also control which - services originating from the public Internet may access your - network. Inclusive firewalls are much, much safer than exclusive - firewalls. + Firewall Concepts =20 - When you use your browser to access a web site there are - many internal functions that happen before your screen fills - with the data from the target web site. Your browser does not - receive one large file containing all the data and display - format instructions at one time. Each internal function accesses - the public Internet in multiple send/receive cycles of packets - of information. When all the packets containing the data finally - arrive, the data contained in the packets is combined together - to fill your screen. Each service (DNS, - HTTP, etc) has its own port number. The port - number 80 is for HTTP services. So you can - code your firewall to only allow web page session start requests - originating from your LAN to pass through the - firewall out to the public Internet. + There are two basic ways to create firewall rulesets: + inclusive or exclusive. An + exclusive firewall allows all traffic through except for the + traffic matching the ruleset. An inclusive firewall does the + reverse. It only allows traffic matching the rules through and + blocks everything else. 
=20 - Security can be tightened further by telling the firewall to - monitor the send/receive cycles of all the packets making up - that session until the session completes. These are called - stateful capabilities and provides the maximum level of - protection. + Inclusive firewalls are generally safer than exclusive + firewalls because they significantly reduces the risk of + allowing unwanted traffic to pass through the firewall. =20 - A firewall rule set that does not implement stateful - capabilities on all the services being authorized is an insecure - firewall that is still open to many of the most common methods - of attack. + Security can be tightened further using a stateful + firewall. With a stateful firewall the firewall keeps + track of which connections are open through the firewall and + will only allow traffic through which either matches a existing + connection or opens a new one. The disadvantage of a stateful + file wall is that it is can be vulnerable to Denial of Service + (DoS) attacks if a lot of new connections + are opened very fast. In most firewalls it is possible to use a + combination of stateful and non-stateful behavior to make an + optimal firewall for the site. =20
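Review bot: the first added line of the @@ -32,18 +32,18 @@ hunk has a typo and a number-agreement error: "Firewalls makes it possbile to filter" should read "Firewalls make it possible to filter". The rest of the hunk (switching "the firewall" to "a firewall" and generalising the benefit to "a network or a host") reads fine.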
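Review bot: the three list items in the @@ -77,24 +77,24 @@ hunk end up with inconsistent wording: IPFILTER and IPFW lose both the article and the trailing noun ("How to use and configure IPFILTER."), while PF keeps a full descriptive phrase ("the OpenBSD PF firewall"). Consider parallel wording for all three, either "How to use and configure PF." or keeping "firewall" on each item.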
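Review bot: the new Firewall Concepts text in the @@ -109,50 +109,29 @@ hunk carries several grammar slips that would go into the Handbook as-is: "they significantly reduces the risk" should be "they significantly reduce the risk", "matches a existing connection" should be "matches an existing connection", "a stateful file wall is that it is can be vulnerable" should be "a stateful firewall is that it can be vulnerable", and "two basic ways to create firewall rulesets: inclusive or exclusive" reads better as "inclusive and exclusive". One point of substance: the removed lines explained that an inclusive ruleset controls both which services may originate behind the firewall and which may reach the network from the public Internet, whereas the replacement only asserts that inclusive firewalls are "generally safer" because they reduce unwanted traffic. Keeping one sentence on that two-directional control would motivate the safety claim.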