Message-Id: <201402251557.s1PFvHjb084746@svn.freebsd.org>
From: Dru Lavigne
Date: Tue, 25 Feb 2014 15:57:17 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44051 - head/en_US.ISO8859-1/books/handbook/firewalls
X-SVN-Group: doc-head
List-Id: SVN commit messages for the doc tree for head

Author: dru
Date: Tue Feb 25 15:57:17 2014
New Revision: 44051
URL: http://svnweb.freebsd.org/changeset/doc/44051

Log:
  Finish editorial pass through IPF NAT.

  Comment out symbolic substitution section for now. It is confusing as written and may no longer be needed with IPF's new syntax.

  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Tue Feb 25 12:09:06 2014 (r44050)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Tue Feb 25 15:57:17 2014 (r44051)
@@ -2334,20 +2334,17 @@ map dc0 192.168.1.0/24 -> 204.134.75. This eliminates the need to open large ranges of high order ports for FTP connections. - This rule will handle all the traffic for the internal - LAN: - - map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp - - This rule handles the FTP traffic from - the gateway: - - map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp - - This rule handles all non-FTP traffic - from the internal LAN: - - map dc0 10.0.10.0/29 -> 0/32 + In this example, the first rule calls the proxy for + outbound FTP traffic from the internal + LAN. The second rule passes the + FTP traffic from the firewall to the + Internet, and the third rule handles all + non-FTP traffic from the internal + LAN: + + map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp +map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp +map dc0 10.0.10.0/29 -> 0/32 The FTP map rules go before the NAT rule so that when a packet @@ -2359,12 +2356,9 @@ map dc0 192.168.1.0/24 -> 204.134.75. FTP rules but will undergo NAT if they match the third rule. - Only one filter rule is needed for FTP - if the NAT FTP proxy is - used. - Without the FTP proxy, the following - three rules will be needed: + firewall rules would instead be needed. Note that without the proxy, + all ports above 1024 need to be allowed: # Allow out LAN PC client FTP to public Internet # Active and passive modes 
@@ -2376,35 +2370,32 @@ pass out quick on rl0 proto tcp from any # Active mode let data channel in from FTP server pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state - When the file containing the NAT rules - is edited after NAT has been started, run + Whenever the file containing the NAT rules + is edited, run ipnat with to delete - the internal in use NAT rules and flush the - contents of the translation table of all active - entries. - - To reload the NAT rules, issue a - command like this: + the current NAT rules and flush the + contents of the dynamic translation table. Include + and specify the name + of the NAT ruleset to load: - &prompt.root; ipnat -CF -f - /etc/ipnat.rules + &prompt.root; ipnat -CF -f /etc/ipnat.rules - To display some NAT statistics, use - this command: + To display the NAT statistics: &prompt.root; ipnat -s To list the NAT table's current - mappings, use this command: + mappings: &prompt.root; ipnat -l To turn verbose mode on and display information relating - to rule processing and active rules/table entries: + to rule processing and active rules and table entries: &prompt.root; ipnat -v - + IPFSTAT
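Review bot: in the first hunk (@@ -2334), the new paragraph says the second rule "passes the FTP traffic from the firewall to the Internet", but `map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp` matches FTP from any source address, LAN included; it only ends up handling the firewall's own traffic because `map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp` precedes it and has already claimed LAN traffic. Since the unchanged paragraph that follows ("The FTP map rules go before the NAT rule so that ...") already depends on rule order, add a clause here saying that map rules are applied in order so that readers do not take 0.0.0.0/0 to mean the firewall's own address. Collapsing the three rules into one listing with a single explanatory paragraph reads better than the old one-rule-per-paragraph layout.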
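Review bot: in the second hunk (@@ -2359), the added text begins "+ firewall rules would instead be needed", which is the tail of a sentence; the removed lines carried the subject ("the following three rules will be needed") and nothing visible in the hunk replaces it, so confirm that the context line just above the added lines in the committed file now supplies the start of that sentence. The new "Note that without the proxy, all ports above 1024 need to be allowed" is the important security point of this section and could carry one more sentence: using the proxy means one tracked control connection on port 21, whereas doing without it means pass rules covering the whole high-port range, which is why the proxy should be presented as the preferred configuration rather than as an optional convenience.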
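Review bot: in the third hunk (@@ -2376), "to delete the current NAT rules and flush the contents of the dynamic translation table" should tell the reader what the flush costs: clearing the translation table drops every active mapping, so connections currently being translated through the gateway are cut off and have to be re-established. A clause such as "this terminates all sessions currently being translated, so reload the rules at a quiet time" would make the consequence clear before the reader runs `ipnat -CF -f /etc/ipnat.rules` on a production firewall. Joining the command onto one line and the "active rules and table entries" wording fix are both fine.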