Date: Tue, 25 Feb 2014 15:57:17 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44051 - head/en_US.ISO8859-1/books/handbook/firewalls
Message-ID: <201402251557.s1PFvHjb084746@svn.freebsd.org>
Author: dru
Date: Tue Feb 25 15:57:17 2014
New Revision: 44051
URL: http://svnweb.freebsd.org/changeset/doc/44051

Log:
  Finish editorial pass through IPF NAT. Comment out symbolic substitution section for now. It is confusing as written and may no longer be needed with IPF's new syntax.

  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Tue Feb 25 12:09:06 2014	(r44050)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Tue Feb 25 15:57:17 2014	(r44051)
@@ -2334,20 +2334,17 @@ map dc0 192.168.1.0/24 -> 204.134.75. This eliminates the need to open large ranges of high order ports for <acronym>FTP</acronym> connections.</para> - <para>This rule will handle all the traffic for the internal - LAN:</para> - - <programlisting>map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp</programlisting> - - <para>This rule handles the <acronym>FTP</acronym> traffic from - the gateway:</para> - - <programlisting>map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp</programlisting> - - <para>This rule handles all non-<acronym>FTP</acronym> traffic - from the internal LAN:</para> - - <programlisting>map dc0 10.0.10.0/29 -> 0/32</programlisting> + <para>In this example, the first rule calls the proxy for + outbound <acronym>FTP</acronym> traffic from the internal + <acronym>LAN</acronym>. The second rule passes the + <acronym>FTP</acronym> traffic from the firewall to the + Internet, and the third rule handles all + non-<acronym>FTP</acronym> traffic from the internal + <acronym>LAN</acronym>:</para> + + <programlisting>map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp +map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp +map dc0 10.0.10.0/29 -> 0/32</programlisting> <para>The <acronym>FTP</acronym> <literal>map</literal> rules go before the <acronym>NAT</acronym> rule so that when a packet @@ -2359,12 +2356,9 @@ map dc0 192.168.1.0/24 -> 204.134.75. <acronym>FTP</acronym> rules but will undergo <acronym>NAT</acronym> if they match the third rule.</para> - <para>Only one filter rule is needed for <acronym>FTP</acronym> - if the <acronym>NAT</acronym> <acronym>FTP</acronym> proxy is - used.</para> - <para>Without the <acronym>FTP</acronym> proxy, the following - three rules will be needed:</para> + firewall rules would instead be needed. Note that without the proxy, + all ports above <literal>1024</literal> need to be allowed:</para> <programlisting># Allow out LAN PC client FTP to public Internet # Active and passive modes 
@@ -2376,35 +2370,32 @@ pass out quick on rl0 proto tcp from any # Active mode let data channel in from FTP server pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state</programlisting> - <para>When the file containing the <acronym>NAT</acronym> rules - is edited after <acronym>NAT</acronym> has been started, run + <para>Whenever the file containing the <acronym>NAT</acronym> rules + is edited, run <command>ipnat</command> with <option>-CF</option> to delete - the internal in use <acronym>NAT</acronym> rules and flush the - contents of the translation table of all active - entries.</para> - - <para>To reload the <acronym>NAT</acronym> rules, issue a - command like this:</para> + the current <acronym>NAT</acronym> rules and flush the + contents of the dynamic translation table. Include + <option>-f</option> and specify the name + of the <acronym>NAT</acronym> ruleset to load:</para> - <screen>&prompt.root; <userinput>ipnat -CF -f - /etc/ipnat.rules</userinput></screen> + <screen>&prompt.root; <userinput>ipnat -CF -f /etc/ipnat.rules</userinput></screen> - <para>To display some <acronym>NAT</acronym> statistics, use - this command:</para> + <para>To display the <acronym>NAT</acronym> statistics:</para> <screen>&prompt.root; <userinput>ipnat -s</userinput></screen> <para>To list the <acronym>NAT</acronym> table's current - mappings, use this command:</para> + mappings:</para> <screen>&prompt.root; <userinput>ipnat -l</userinput></screen> <para>To turn verbose mode on and display information relating - to rule processing and active rules/table entries:</para> + to rule processing and active rules and table entries:</para> <screen>&prompt.root; <userinput>ipnat -v</userinput></screen> </sect2> - +<!-- +This section is confusing and may no longer be needed with new syntax. <sect2 xml:id="firewalls-ipf-rules-script"> <title>Building the Rule Script with Symbolic Substitution</title> 
@@ -2515,7 +2506,7 @@ sh /etc/ipf.rules.script</programlisting <para>Now, when the system boots, the IPF rules will be loaded.</para> </sect2> - + --> <sect2> <title>IPFSTAT</title>
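Review bot: In the first hunk (@@ -2334,20 +2334,17 @@) the new paragraph describes the second rule, `map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp`, as passing FTP traffic "from the firewall", but its source match `0.0.0.0/0` is any address, so it catches FTP from every source the first rule did not already claim, the firewall's own traffic included; "from any remaining source, including the firewall itself" would describe what the rule actually matches. The hunk's context line also shows the section's main NAT rule using `map dc0 192.168.1.0/24 -> 204.134.75.` while the proxy example uses `10.0.10.0/29`; aligning the two networks would stop readers from reading the proxy rules and the NAT rule as one configuration when they are not.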
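Review bot: In the second hunk (@@ -2359,12 +2356,9 @@) the rewrite drops the statement that a single filter rule suffices when the NAT FTP proxy is used, so the paragraph now only says what is needed without the proxy and the comparison that motivates the proxy is lost; keep it in one clause, for example "With the proxy, a single filter rule for port 21 suffices; without it, the following firewall rules are needed instead, and note that all ports above 1024 must be allowed." That also removes the repetition of "without the proxy" in two adjacent sentences. Since the sentence about ports above 1024 is the security argument for the proxy, consider stating the consequence directly: permitting an entire high-port range reaches any service listening there, not just FTP data channels.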
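Review bot: In the third hunk (@@ -2376,35 +2370,32 @@) the new text for `ipnat -CF -f /etc/ipnat.rules` says the command flushes "the dynamic translation table" but not what that means operationally: every active mapping is discarded, so connections currently being translated are cut and have to be re-established, which is worth one sentence before telling readers to run it whenever the file is edited. The hunk's context also shows the rule commented "Active mode let data channel in from FTP server" written as `pass in quick on rl0 proto tcp from any to any port = 20`; in active mode the server opens the data connection from source port 20 to the client's high port, so a rule matching destination port 20 does not describe that connection, and `from any port = 20` (with the client-side high-port range as destination) looks like what was intended; please verify against the IPF syntax. Finally, the `<!--` opened here wraps `<sect2 xml:id="firewalls-ipf-rules-script">`, so any `xref` or `link` elsewhere in the Handbook that targets that id will no longer resolve; grep for the id before committing.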
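Review bot: In the fourth hunk (@@ -2515,7 +2506,7 @@) the closing `-->` completes an XML comment around the whole symbolic-substitution section, and an XML comment may not contain the sequence `--` anywhere in its body; if any command option or text inside the commented section uses a double hyphen, the build fails, so confirm the chapter still validates. Given that svn preserves history, deleting the section outright (or at least recording in the opening comment why it is disabled and what would let it be restored) is cleaner than carrying commented-out content in the source.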