Date: Mon, 11 Feb 2013 15:01:38 +0000 (UTC) From: Dru Lavigne <dru@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r40948 - head/en_US.ISO8859-1/books/handbook/firewalls Message-ID: <201302111501.r1BF1cpO036953@svn.freebsd.org>
Author: dru Date: Mon Feb 11 15:01:37 2013 New Revision: 40948 URL: http://svnweb.freebsd.org/changeset/doc/40948 Log: This patch addresses the following: - rewording to remove you, etc., i.e., and references to PPP - fixes xref - general tightening, removal of redundant paragraphs, and many fixes to grammos/typos - a reference to a non-existing logging section was removed - several comments were addressed and removed Approved by gjb (mentor) Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Mon Feb 11 14:58:34 2013 (r40947) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Mon Feb 11 15:01:37 2013 (r40948) 
@@ -36,39 +36,37 @@ <sect1 id="firewalls-intro"> <title>Introduction</title> - <para>Firewalls make it possible to filter incoming and outgoing - traffic that flows through your system. A firewall can use one - or more sets of <quote>rules</quote> to inspect the network - packets as they come in or go out of your network connections - and either allows the traffic through or blocks it. The rules - of a firewall can inspect one or more characteristics of the - packets, including but not limited to the protocol type, the - source or destination host address, and the source or - destination port.</para> - - <para>Firewalls can greatly enhance the security of a host or a - network. They can be used to do one or more of - the following things:</para> + <para>Firewalls make it possible to filter the incoming and + outgoing traffic that flows through a system. A firewall can + use one or more sets of <quote>rules</quote> to inspect network + packets as they come in or go out of network connections and + either allows the traffic through or blocks it. The rules of + a firewall can inspect one or more characteristics of the + packets such as the protocol type, source or destination host + address, and source or destination port.</para> + + <para>Firewalls can enhance the security of a host or a network. 
+ They can be used to do one or more of the following:</para> <itemizedlist> <listitem> - <para>To protect and insulate the applications, services and - machines of your internal network from unwanted traffic - coming in from the public Internet.</para> + <para>Protect and insulate the applications, services, and + machines of an internal network from unwanted traffic from + the public Internet.</para> </listitem> <listitem> - <para>To limit or disable access from hosts of the internal + <para>Limit or disable access from hosts of the internal network to services of the public Internet.</para> </listitem> <listitem> - <para>To support network address translation - (<acronym>NAT</acronym>), which allows your internal network + <para>Support network address translation + (<acronym>NAT</acronym>), which allows an internal network to use private <acronym>IP</acronym> addresses and share a - single connection to the public Internet (either with a - single <acronym>IP</acronym> address or by a shared pool of - automatically assigned public addresses).</para> + single connection to the public Internet using either a + single <acronym>IP</acronym> address or a shared pool of + automatically assigned public addresses.</para> </listitem> </itemizedlist> 
@@ -76,27 +74,27 @@ <itemizedlist> <listitem> - <para>How to properly define packet filtering rules.</para> + <para>How to define packet filtering rules.</para> </listitem> <listitem> - <para>The differences between the firewalls - built into &os;.</para> + <para>The differences between the firewalls built into + &os;.</para> </listitem> <listitem> - <para>How to use and configure the OpenBSD + <para>How to use and configure the <application>PF</application> firewall.</para> </listitem> <listitem> - <para>How to use and configure - <application>IPFILTER</application>.</para> + <para>How to use and configure the + <application>IPFILTER</application> firewall.</para> </listitem> <listitem> - <para>How to use and configure - <application>IPFW</application>.</para> + <para>How to use and configure the + <application>IPFW</application> firewall.</para> </listitem> </itemizedlist> 
@@ -118,81 +116,68 @@ <secondary>rulesets</secondary> </indexterm> - <para>There are two basic ways to create firewall rulesets: - <quote>inclusive</quote> or <quote>exclusive</quote>. An + <para>A firewall ruleset can be either + <quote>exclusive</quote> or <quote>inclusive</quote>. An exclusive firewall allows all traffic through except for the traffic matching the ruleset. An inclusive firewall does the - reverse. It only allows traffic matching the rules through and + reverse as it only allows traffic matching the rules through and blocks everything else.</para> - <para>An inclusive firewall offers much better control of the - outgoing traffic, making it a better choice for systems that - offer services to the public Internet. It also controls the - type of traffic originating from the public Internet that can - gain access to your private network. All traffic that does - not match the rules, is blocked and logged by design. Inclusive - firewalls are generally safer than exclusive firewalls because - they significantly reduce the risk of allowing unwanted traffic - to pass through them.</para> + <para>An inclusive firewall offers better control of the outgoing + traffic, making it a better choice for systems that offer + services to the public Internet. It also controls the type of + traffic originating from the public Internet that can gain + access to a private network. All traffic that does not match + the rules is blocked and logged. Inclusive firewalls are + generally safer than exclusive firewalls because they + significantly reduce the risk of allowing unwanted + traffic.</para> <note> <para>Unless noted otherwise, all configuration and example - rulesets in this chapter, create inclusive type - firewalls.</para> + rulesets in this chapter create inclusive firewall + rulesets.</para> </note> <para>Security can be tightened further using a <quote>stateful - firewall</quote>. 
This type of firewall keeps - track of which connections are opened through the firewall and - will only allow traffic through which either matches an existing - connection or opens a new one. The disadvantage of a stateful - firewall is that it can be vulnerable to Denial of Service - (<acronym>DoS</acronym>) attacks if a lot of new connections are - opened very fast. With most firewalls it is possible to use a - combination of stateful and non-stateful behavior to make an - optimal firewall for the site.</para> + firewall</quote>. This type of firewall keeps track of open + connections and only allows traffic which either matches an + existing connection or opens a new, allowed connection. The + disadvantage of a stateful firewall is that it can be vulnerable + to Denial of Service (<acronym>DoS</acronym>) attacks if a lot + of new connections are opened very fast. Most firewalls use a + combination of stateful and non-stateful behavior.</para> </sect1> <sect1 id="firewalls-apps"> <title>Firewall Packages</title> - <para>&os; has three different firewall packages built - into the base system. They are: <emphasis>IPFILTER</emphasis> - (also known as <acronym>IPF</acronym>), - <emphasis>IPFIREWALL</emphasis> (also known as - <acronym>IPFW</acronym>), and <emphasis>OpenBSD's - PacketFilter</emphasis> (also known as <acronym>PF</acronym>). - &os; also has two built in packages for traffic shaping - (basically controlling bandwidth usage): &man.altq.4; and - &man.dummynet.4;. Dummynet has traditionally been closely - tied with <acronym>IPFW</acronym>, and - <acronym>ALTQ</acronym> with - <acronym>PF</acronym>. Traffic shaping for IPFILTER can - currently be done with IPFILTER for NAT and filtering and - <acronym>IPFW</acronym> with &man.dummynet.4; - <emphasis>or</emphasis> by using <acronym>PF</acronym> with - <acronym>ALTQ</acronym>. 
- IPFW, and PF all use rules to control the access of packets - to and from your system, although they go about it different - ways and have a different rule syntax.</para> - - <para>The reason that &os; has multiple built in firewall packages - is that different people have different requirements and - preferences. No single firewall package is the best.</para> - - <para>The author prefers IPFILTER because its stateful rules are - much less complicated to use in a <acronym>NAT</acronym> - environment and it has a built in ftp proxy that simplifies the - rules to allow secure outbound FTP usage.</para> + <para>&os; has three firewalls built into the base system: + <emphasis>IPFILTER</emphasis>, also known as + <acronym>IPF</acronym>, <emphasis>IPFIREWALL</emphasis>, also + known as <acronym>IPFW</acronym>, and <acronym>PF</acronym>). + &os; also provides two traffic shapers for controlling bandwidth + usage: &man.altq.4; and &man.dummynet.4;. Dummynet has + traditionally been closely tied with <acronym>IPFW</acronym>, + and <acronym>ALTQ</acronym> with <acronym>PF</acronym>. Each + firewall uses rules to control the access of packets to and from + a &os; system, although they go about it in different ways and + each has a different rule syntax.</para> + + <para>&os; provides multiple firewalls in order to meet the + different requirements and preferences for a wide variety of + users. Each user should evaluate which firewall best meets + their needs.</para> <para>Since all firewalls are based on inspecting the values of selected packet control fields, the creator of the firewall - rulesets must have an understanding of how + ruleset must have an understanding of how <acronym>TCP/IP</acronym> works, what the different values in - the packet control fields are and how these values are used in a - normal session conversation. 
For a good explanation go to: - <ulink - url="http://www.ipprimer.com/overview.cfm"></ulink>.</para> + the packet control fields are, and how these values are used in + a normal session conversation. For a good introduction, refer + to <ulink + url="http://www.ipprimer.com/overview.cfm">Daryl's TCP/IP + Primer</ulink>.</para> </sect1> <sect1 id="firewalls-pf"> @@ -207,8 +192,7 @@ </authorgroup> </sect1info> - <title>The OpenBSD Packet Filter (PF) and - <acronym>ALTQ</acronym></title> + <title>PF and <acronym>ALTQ</acronym></title> <indexterm> <primary>firewall</primary> 
@@ -216,72 +200,65 @@ <secondary>PF</secondary> </indexterm> - <para>As of July 2003 the OpenBSD firewall software application - known as <acronym>PF</acronym> was ported to &os; and - made available in the &os; Ports Collection. Released in 2004, - &os; 5.3 was the first release that contained - <acronym>PF</acronym> as an integrated part of the base system. - <acronym>PF</acronym> is a complete, full-featured firewall - that has optional support for <acronym>ALTQ</acronym> (Alternate - Queuing). <acronym>ALTQ</acronym> provides Quality of Service - (<acronym>QoS</acronym>) functionality.</para> - - <para>The OpenBSD Project does an outstanding job of - maintaining the <ulink - url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>. - As such, this section of the Handbook will focus on - <acronym>PF</acronym> as it pertains to &os; while providing - some general information regarding usage. For detailed usage - information please refer to the <ulink - url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>.</para> + <para>Since &os; 5.3, a ported version of OpenBSD's + <acronym>PF</acronym> firewall has been included as an + integrated part of the base system. 
<acronym>PF</acronym> is a + complete, full-featured firewall that has optional support for + <acronym>ALTQ</acronym> (Alternate Queuing), which provides + Quality of Service (<acronym>QoS</acronym>).</para> + + <para>Since the OpenBSD Project maintains the definitive + reference for <acronym>PF</acronym> in the<ulink + url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>, this + section of the Handbook focuses on <acronym>PF</acronym> as it + pertains to &os;, while providing some general usage + information.</para> - <para>More information about <acronym>PF</acronym> for &os; + <para>More information about porting <acronym>PF</acronym> to &os; can be found at <ulink url="http://pf4freebsd.love2party.net/"></ulink>.</para> <sect2> <title>Using the PF Loadable Kernel Modules</title> - <para>To load the PF Kernel Module add the following line to + <para>In order to use PF, the PF kernel module must be first + loaded. Add the following line to <filename>/etc/rc.conf</filename>:</para> <programlisting>pf_enable="YES"</programlisting> - <para>Then run the startup script to load the module:</para> + <para>Then, run the startup script to load the module:</para> <screen>&prompt.root; <userinput>service pf start</userinput></screen> - <para>Note that the PF Module will not load if it cannot find - the ruleset config file. The default location is + <para>The PF module will not load if it cannot find the + ruleset configuration file. The default location is <filename>/etc/pf.conf</filename>. 
If the PF ruleset is - located somewhere else, PF can be instructed to look there - by adding a line like the following to - <filename>/etc/rc.conf</filename>:</para> + located somewhere else, add a line to + <filename>/etc/rc.conf</filename> which specifies the full + path to the file:</para> <programlisting>pf_rules="<replaceable>/path/to/pf.conf</replaceable>"</programlisting> <para>The sample <filename>pf.conf</filename> can be found in <filename - class="directory">/usr/share/examples/pf/</filename>.</para> + class="directory">/usr/share/examples/pf/</filename>.</para> <para>The <acronym>PF</acronym> module can also be loaded manually from the command line:</para> <screen>&prompt.root; <userinput>kldload pf.ko</userinput></screen> - <para>Logging support for PF is provided by the - <literal>pflog.ko</literal> and can be loaded by adding the + <para>Logging support for PF is provided by + <varname>pflog.ko</varname> which can be loaded by adding the following line to <filename>/etc/rc.conf</filename>:</para> <programlisting>pflog_enable="YES"</programlisting> - <para>Then run the startup script to load the module:</para> + <para>Then, run the startup script to load the module:</para> <screen>&prompt.root; <userinput>service pflog start</userinput></screen> - <para>If you need other <acronym>PF</acronym> features you will - need to compile <acronym>PF</acronym> support into the - kernel.</para> </sect2> <sect2> 
@@ -305,37 +282,32 @@ <secondary>device pfsync</secondary> </indexterm> - <para>While it is not necessary that you compile - <acronym>PF</acronym> support into the &os; kernel, you may - want to do so to take advantage of one of PF's advanced - features that is not included in the loadable module, namely - &man.pfsync.4;, which is a pseudo-device that exposes certain - changes to the state table used by <acronym>PF</acronym>. - It can be paired with &man.carp.4; to create failover - firewalls using <acronym>PF</acronym>. More information on - <acronym>CARP</acronym> can be found in - <xref linkend="carp"/> of the Handbook.</para> - - <para>The <acronym>PF</acronym> kernel options can be found in - <filename>/usr/src/sys/conf/NOTES</filename> and are - reproduced below:</para> + <para>While it is not necessary to compile + <acronym>PF</acronym> support into the &os; kernel, some of + PF's advanced features are not included in the loadable + module, namely &man.pfsync.4;, which is a pseudo-device that + exposes certain changes to the state table used by + <acronym>PF</acronym>. It can be paired with &man.carp.4; to + create failover firewalls using <acronym>PF</acronym>. More + information on <acronym>CARP</acronym> can be found in <link + linkend="carp">of the Handbook</link>.</para> + + <para>The following <acronym>PF</acronym> kernel options can be + found in <filename>/usr/src/sys/conf/NOTES</filename>:</para> <programlisting>device pf device pflog device pfsync</programlisting> - <para>The <literal>device pf</literal> option enables support - for the <quote>Packet Filter</quote> firewall - (&man.pf.4;).</para> - - <para>The <literal>device pflog</literal> option enables the - optional &man.pflog.4; pseudo network device which can be - used to log traffic to a &man.bpf.4; descriptor. 
The - &man.pflogd.8; daemon can be used to store the logging - information to disk.</para> + <para><literal>device pf</literal> enables PF support.</para> + + <para><literal>device pflog</literal> enables the optional + &man.pflog.4; pseudo network device which can be used to log + traffic to a &man.bpf.4; descriptor. The &man.pflogd.8; + daemon can then be used to store the logging information to + disk.</para> - <para>The <literal>device pfsync</literal> option enables the - optional + <para><literal>device pfsync</literal> enables the optional &man.pfsync.4; pseudo-network device that is used to monitor <quote>state changes</quote>.</para> </sect2> @@ -343,8 +315,9 @@ device pfsync</programlisting> <sect2> <title>Available <filename>rc.conf</filename> Options</title> - <para>The following &man.rc.conf.5; statements configure - <acronym>PF</acronym> and &man.pflog.4; at boot:</para> + <para>The following &man.rc.conf.5; statements can be used to + configure <acronym>PF</acronym> and &man.pflog.4; at + boot:</para> <programlisting>pf_enable="YES" # Enable PF (load module if required) pf_rules="/etc/pf.conf" # rules definition file for pf @@ -353,9 +326,9 @@ pflog_enable="YES" # start pflog_logfile="/var/log/pflog" # where pflogd should store the logfile pflog_flags="" # additional flags for pflogd startup</programlisting> - <para>If you have a LAN behind this firewall and have to forward - packets for the computers on the LAN or want to do NAT, you - will need the following option as well:</para> + <para>If there is a LAN behind the firewall and packets need to + be forwarded for the computers on the LAN, or NAT is required, + add the following option:</para> <programlisting>gateway_enable="YES" # Enable as LAN gateway</programlisting> </sect2> 
@@ -363,40 +336,40 @@ pflog_flags="" # additi <sect2> <title>Creating Filtering Rules</title> - <para><acronym>PF</acronym> reads its configuration rules from - &man.pf.conf.5; (<filename>/etc/pf.conf</filename> by - default) and it modifies, drops, or passes packets according - to the rules or definitions specified there. The &os; - installation includes several sample files located in - <filename>/usr/share/examples/pf/</filename>. Please refer - to the <ulink url="http://www.openbsd.org/faq/pf/">PF - FAQ</ulink> for complete coverage of <acronym>PF</acronym> - rulesets.</para> + <para>By default, <acronym>PF</acronym> reads its configuration + rules from <filename>/etc/pf.conf</filename> and modifies, + drops, or passes packets according to the rules or definitions + specified in this file. The &os; installation includes + several sample files located in + <filename>/usr/share/examples/pf/</filename>. Refer to the + <ulink url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink> for + complete coverage of <acronym>PF</acronym> rulesets.</para> <warning> - <para>When browsing the <ulink - url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>, - please keep in mind that different versions of &os; can - contain different versions of PF. Currently, - &os; 8.<replaceable>X</replaceable> and prior is - using the same version of <acronym>PF</acronym> as + <para>When reading the <ulink + url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>, + keep in mind that different versions of &os; contain + different versions of PF. Currently, + &os; 8.<replaceable>X</replaceable> and prior is using + the same version of <acronym>PF</acronym> as OpenBSD 4.1. &os; 9.<replaceable>X</replaceable> and later is using the same version of <acronym>PF</acronym> as OpenBSD 4.5.</para> </warning> <para>The &a.pf; is a good place to ask questions about - configuring and running the <acronym>PF</acronym> - firewall. 
Do not forget to check the mailing list archives - before asking questions!</para> + configuring and running the <acronym>PF</acronym> firewall. + Do not forget to check the mailing list archives before asking + questions.</para> </sect2> <sect2> <title>Working with PF</title> - <para>Use &man.pfctl.8; to control <acronym>PF</acronym>. Below - are some useful commands (be sure to review the &man.pfctl.8; - man page for all available options):</para> + <para>To control <acronym>PF</acronym>, use &man.pfctl.8;. + Below are some useful options to this command. Review + &man.pfctl.8; for a description of all available + options:</para> <informaltable frame="none" pgwide="1"> <tgroup cols="2"> @@ -411,35 +384,35 @@ pflog_flags="" # additi <row> <entry><command>pfctl <option>-e</option></command></entry> - <entry>Enable PF</entry> + <entry>Enable PF.</entry> </row> <row> <entry><command>pfctl <option>-d</option></command></entry> - <entry>Disable PF</entry> + <entry>Disable PF.</entry> </row> <row> <entry><command>pfctl <option>-F</option> all <option>-f</option> /etc/pf.conf</command></entry> - <entry>Flush all rules (nat, filter, state, table, etc.) - and reload from the file - <filename>/etc/pf.conf</filename></entry> + <entry>Flush all NAT, filter, state, and table + rules and reload + <filename>/etc/pf.conf</filename>.</entry> </row> <row> <entry><command>pfctl <option>-s</option> [ rules | nat state ]</command></entry> - <entry>Report on the filter rules, nat rules, or state - table</entry> + <entry>Report on the filter rules, NAT rules, or state + table.</entry> </row> <row> <entry><command>pfctl <option>-vnf</option> /etc/pf.conf</command></entry> <entry>Check <filename>/etc/pf.conf</filename> for - errors, but do not load ruleset</entry> + errors, but do not load ruleset.</entry> </row> </tbody> </tgroup> 
@@ -449,11 +422,11 @@ pflog_flags="" # additi <sect2> <title>Enabling <acronym>ALTQ</acronym></title> - <para><acronym>ALTQ</acronym> is only available by compiling - support for it into the &os; kernel. <acronym>ALTQ</acronym> - is not supported by all of the available network card drivers. - Please see the &man.altq.4; manual page for a list of drivers - that are supported in your release of &os;.</para> + <para><acronym>ALTQ</acronym> is only available by compiling its + support into the &os; kernel. <acronym>ALTQ</acronym> is not + supported by all network card drivers. Refer to &man.altq.4; + for a list of drivers that are supported by the release of + &os;.</para> <para>The following kernel options will enable <acronym>ALTQ</acronym> and add additional 
@@ -473,28 +446,27 @@ options ALTQ_NOPCC # Requir <para><literal>options ALTQ_CBQ</literal> enables <emphasis>Class Based Queuing</emphasis> (<acronym>CBQ</acronym>). <acronym>CBQ</acronym> - allows you to divide a connection's bandwidth into different + can be used to divide a connection's bandwidth into different classes or queues to prioritize traffic based on filter rules.</para> <para><literal>options ALTQ_RED</literal> enables <emphasis>Random Early Detection</emphasis> (<acronym>RED</acronym>). <acronym>RED</acronym> is - used to avoid network congestion. <acronym>RED</acronym> - does this by measuring the length of the queue and comparing - it to the minimum and maximum thresholds for the queue. If - the queue is over the maximum all new packets will be dropped. - True to its name, <acronym>RED</acronym> drops packets from - different connections randomly.</para> + used to avoid network congestion by measuring the length of + the queue and comparing it to the minimum and maximum + thresholds for the queue. If the queue is over the maximum, + all new packets will be dropped. <acronym>RED</acronym> drops + packets from different connections randomly.</para> <para><literal>options ALTQ_RIO</literal> enables <emphasis>Random Early Detection In and Out</emphasis>.</para> <para><literal>options ALTQ_HFSC</literal> enables the <emphasis>Hierarchical Fair Service Curve Packet - Scheduler</emphasis>. For more information about - <acronym>HFSC</acronym> see: <ulink - url="http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html"></ulink>.</para> + Scheduler</emphasis> <acronym>HFSC</acronym>. For more + information, refer to <ulink + url="http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html"></ulink>.</para> <para><literal>options ALTQ_PRIQ</literal> enables <emphasis>Priority Queuing</emphasis> 
@@ -517,51 +489,46 @@ options ALTQ_NOPCC # Requir <secondary>IPFILTER</secondary> </indexterm> - <para>The author of IPFILTER is Darren Reed. IPFILTER is not - operating system dependent: it is an open source application and + <para>IPFILTER is a cross-platform, open source firewall which has been ported to &os;, NetBSD, OpenBSD, &sunos;, HP/UX, and - &solaris; operating systems. IPFILTER is actively being - supported and maintained, with updated versions being released - regularly.</para> + &solaris; operating systems.</para> <para>IPFILTER is based on a kernel-side firewall and <acronym>NAT</acronym> mechanism that can be controlled and monitored by userland interface programs. The firewall rules - can be set or deleted with the &man.ipf.8; utility. The - <acronym>NAT</acronym> rules can be set or deleted with the - &man.ipnat.8; utility. The &man.ipfstat.8; utility can print - run-time statistics for the kernel parts of IPFILTER. The - &man.ipmon.8; program can log IPFILTER actions to the system - log files.</para> + can be set or deleted using &man.ipf.8;. The + <acronym>NAT</acronym> rules can be set or deleted using + &man.ipnat.8;. Run-time statistics for the kernel parts of + IPFILTER can be printed using &man.ipfstat.8;. To log IPFILTER + actions to the system log files, use &man.ipmon.8;.</para> <para>IPF was originally written using a rule processing logic - of <quote>the last matching rule wins</quote> and used only - stateless type of rules. Over time IPF has been enhanced to - include a <quote>quick</quote> option and a stateful - <quote>keep state</quote> option which drastically modernized - the rules processing logic. IPF's official documentation covers - only the legacy rule coding parameters and rule file processing - logic. 
The modernized functions are only included as additional - options, completely understating their benefits in producing - a far superior and more secure firewall.</para> + of <quote>the last matching rule wins</quote> and only used + stateless rules. Over time, IPF has been enhanced to include a + <quote>quick</quote> option and a stateful + <quote>keep state</quote> option which modernized the rules + processing logic. IPF's official documentation covers only the + legacy rule coding parameters and rule file processing logic and + the modernized functions are only included as additional + options.</para> <para>The instructions contained in this section are based on - using rules that contain the <quote>quick</quote> option and the - stateful <quote>keep state</quote> option. This is the basic - framework for coding an inclusive firewall ruleset.</para> - - <para>For detailed explanation of the legacy rules processing - method see: <ulink - url="http://www.munk.me.uk/ipf/ipf-howto.html"></ulink> + using rules that contain <quote>quick</quote> and + <quote>keep state</quote> as these provide the basic framework + for configuring an inclusive firewall ruleset.</para> + + <para>For a detailed explanation of the legacy rules processing + method, refer to <ulink + url="http://www.munk.me.uk/ipf/ipf-howto.html"></ulink> and <ulink - url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>.</para> + url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>.</para> <para>The IPF FAQ is at <ulink - url="http://www.phildev.net/ipf/index.html"></ulink>.</para> + url="http://www.phildev.net/ipf/index.html"></ulink>.</para> - <para>A searchable archive of the open-source IPFilter mailing - list is available at <ulink - url="http://marc.theaimsgroup.com/?l=ipfilter"></ulink>.</para> + <para>A searchable archive of the IPFilter mailing list is + available at <ulink + url="http://marc.theaimsgroup.com/?l=ipfilter"></ulink>.</para> <sect2> <title>Enabling IPF</title> 
@@ -572,17 +539,15 @@ options ALTQ_NOPCC # Requir <secondary>enabling</secondary> </indexterm> - <para>IPF is included in the basic &os; install as a separate - run time loadable module. The system will dynamically load - the IPF kernel loadable module when the - <filename>rc.conf</filename> statement - <literal>ipfilter_enable="YES"</literal> is used. The - loadable module was created with logging enabled and the - <literal>default pass all</literal> options. There is no - need to compile IPF into the &os; kernel just to change the - default to <literal>block all</literal>. This can be done - just by adding a <literal>block all</literal> rule at the - end of your ruleset.</para> + <para>IPF is included in the basic &os; install as a kernel + loadable module. The system will dynamically load + this module at boot time when + <varname>ipfilter_enable="YES"</varname> is added to + <filename>rc.conf</filename>. The module enables logging and + <literal>default pass all</literal>. To change the + default to <literal>block all</literal>, add a + <literal>block all</literal> rule at the end of the + ruleset.</para> </sect2> <sect2> @@ -612,15 +577,10 @@ options ALTQ_NOPCC # Requir <secondary>kernel options</secondary> </indexterm> - <para>It is not a mandatory requirement to enable IPF by - compiling the following options into the &os; kernel. It is - only presented here as background information. Compiling IPF - into the kernel causes the loadable module to never be - used.</para> - - <para>Sample kernel config IPF option statements are in the - <filename>/usr/src/sys/conf/NOTES</filename> kernel source - and are reproduced here:</para> + <para>For users who prefer to statically compile IPF support + into a custom kernel, the following IPF option statements, + listed in <filename>/usr/src/sys/conf/NOTES</filename>, are + available:</para> <programlisting>options IPFILTER options IPFILTER_LOG 
@@ -629,15 +589,14 @@ options IPFILTER_DEFAULT_BLOCK</programl <para><literal>options IPFILTER</literal> enables support for the <quote>IPFILTER</quote> firewall.</para> - <para><literal>options IPFILTER_LOG</literal> enables the option - to have IPF log traffic by writing to the - <devicename>ipl</devicename> packet logging + <para><literal>options IPFILTER_LOG</literal> enables IPF + logging using the <devicename>ipl</devicename> packet logging pseudo—device for every rule that has the <literal>log</literal> keyword.</para> <para><literal>options IPFILTER_DEFAULT_BLOCK</literal> changes - the default behavior so any packet not matching a firewall - <literal>pass</literal> rule gets blocked.</para> + the default behavior so that any packet not matching a + firewall <literal>pass</literal> rule gets blocked.</para> <para>These settings will take effect only after installing a kernel that has been built with the above options set.</para> @@ -657,9 +616,9 @@ ipmon_flags="-Ds" # D = # v = log tcp window, ack, seq # n = map IP & port to names</programlisting> - <para>If there is a LAN behind this firewall that uses the - reserved private IP address ranges, the following lines will - have to be added to enable <acronym>NAT</acronym> + <para>If there is a LAN behind the firewall that uses the + reserved private IP address ranges, the following lines have + to be added to enable <acronym>NAT</acronym> functionality:</para> <programlisting>gateway_enable="YES" # Enable as LAN gateway 
@@ -672,36 +631,36 @@ ipnat_rules="/etc/ipnat.rules" # rule <indexterm><primary><command>ipf</command></primary></indexterm> - <para>The &man.ipf.8; command is used to load your ruleset file. - Your custom rules would normally be placed in a file, and the - following command could then be used to replace in mass the - currently running firewall rules:</para> + <para>To load the ruleset file, use &man.ipf.8;. Custom rules + are normally placed in a file, and the following command can + be used to replace the currently running firewall + rules:</para> <screen>&prompt.root; <userinput>ipf -Fa -f /etc/ipf.rules</userinput></screen> - <para><option>-Fa</option> means flush all internal rules + <para><option>-Fa</option> flushes all the internal rules tables.</para> - <para><option>-f</option> means this is the file to read for - the rules to load.</para> + <para><option>-f</option> specifies the file containing the + rules to load.</para> - <para>This gives you the ability to make changes to your custom + <para>This provides the ability to make changes to a custom rules file, run the above IPF command, and thus update the - running firewall with a fresh copy of all the rules without - having to reboot the system. This method is very convenient - for testing new rules as the procedure can be executed as many - times as needed.</para> - - <para>See the &man.ipf.8; manual page for details on the other - flags available with this command.</para> - - <para>The &man.ipf.8; command expects the rules file to be a - standard text file. It will not accept a rules file written - as a script with symbolic substitution.</para> + running firewall with a fresh copy of the rules without having + to reboot the system. 
This method is convenient for testing + new rules as the procedure can be executed as many times as + needed.</para> + + <para>Refer to &man.ipf.8; for details on the other flags + available with this command.</para> + + <para>&man.ipf.8; expects the rules file to be a standard text + file. It will not accept a rules file written as a script + with symbolic substitution.</para> - <para>There is a way to build IPF rules that utilizes the power + <para>There is a way to build IPF rules that utilize the power of script symbolic substitution. For more information, see - <xref linkend="firewalls-ipf-rules-script"/>.</para> + <link linkend="firewalls-ipf-rules-script"></link>.</para> </sect2> <sect2> @@ -717,15 +676,15 @@ ipnat_rules="/etc/ipnat.rules" # rule <para>The default behavior of &man.ipfstat.8; is to retrieve and display the totals of the accumulated statistics gathered - as a result of applying the user coded rules against packets - going in and out of the firewall since it was last started, - or since the last time the accumulators were reset to zero - using <command>ipf -Z</command>.</para> + by applying the rules against packets going in and out of the + firewall since it was last started, or since the last time the + accumulators were reset to zero using <command>ipf + -Z</command>.</para> - <para>See the &man.ipfstat.8; manual page for details.</para> + <para>Refer to &man.ipfstat.8; for details.</para> - <para>The default &man.ipfstat.8; command output will look - something like this:</para> + <para>The default &man.ipfstat.8; output will look something + like this:</para> <screen>input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0 output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0 
@@ -751,10 +710,10 @@ ipnat_rules="/etc/ipnat.rules" # rule installed and in use by the kernel.</para> <para><command>ipfstat -in</command> displays the inbound - internal rules table with rule number.</para> + internal rules table with rule numbers.</para> <para><command>ipfstat -on</command> displays the outbound - internal rules table with the rule number.</para> + internal rules table with rule numbers.</para> <para>The output will look something like this:</para> @@ -776,16 +735,15 @@ ipnat_rules="/etc/ipnat.rules" # rule 354727 block out on dc0 from any to any 430918 pass out quick on dc0 proto tcp/udp from any to any keep state</screen> - <para>One of the most important functions of - <command>ipfstat</command> is the <option>-t</option> - flag which displays the state table in a way similar to the - way &man.top.1; shows the &os; running process table. When - your firewall is under attack, this function gives you the - ability to identify, drill down to, and see the attacking - packets. The optional sub-flags give the ability to select - the destination or source IP, port, or protocol that you want - to monitor in real time. See the &man.ipfstat.8; manual page - for details.</para> + <para>One of the most important options of + <command>ipfstat</command> is <option>-t</option> which + displays the state table in a way similar to how &man.top.1; + shows the &os; running process table. When a firewall is + under attack, this function provides the ability to identify + and see the attacking packets. The optional sub-flags give + the ability to select the destination or source IP, port, or + protocol to be monitored in real time. Refer to + &man.ipfstat.8; for details.</para> </sect2> <sect2> 
@@ -801,55 +759,51 @@ ipnat_rules="/etc/ipnat.rules" # rule <para>In order for <command>ipmon</command> to work properly, the kernel option <literal>IPFILTER_LOG</literal> must be - turned on. This command has two different modes that it can - be used in. Native mode is the default mode when the command - is typed on the command line without the <option>-D</option> - flag.</para> - - <para>Daemon mode is for when a continuous - system log file is desired, so that logging of past events - may be reviewed. This is how &os; and IPFILTER are configured - to work together. &os; has a built in facility to - automatically rotate system logs. That is why outputting the - log information to &man.syslogd.8; is better than the default - of outputting to a regular file. In the default - <filename>rc.conf</filename>, the - <literal>ipmon_flags</literal> statement uses the - <option>-Ds</option> flags:</para> + turned on. This command has two different modes. Native mode + is the default mode when the command is used without + <option>-D</option>.</para> + + <para>Daemon mode provides a continuous system log file so that + logging of past events may be reviewed. &os; has a built in + facility to automatically rotate system logs. This is why + outputting the log information to &man.syslogd.8; is better + than the default of outputting to a regular file. The default + <filename>rc.conf</filename> + <literal>ipmon_flags</literal> statement uses + <option>-Ds</option>:</para> <programlisting>ipmon_flags="-Ds" # D = start as daemon # s = log to syslog # v = log tcp window, ack, seq # n = map IP & port to names</programlisting> - <para>The benefits of logging are obvious. It provides the - ability to review, after the fact, information such as which - packets had been dropped, what addresses they came from and - where they were going. 
These can all provide a significant - edge in tracking down attackers.</para> + <para>Logging provides the ability to review, after the fact, + information such as which packets were dropped, what addresses + they came from and where they were going. These can all + provide a significant edge in tracking down attackers.</para> <para>Even with the logging facility enabled, IPF will not - generate any rule logging on its own. The firewall - administrator decides what rules in the ruleset he wants to - log and adds the log keyword to those rules. Normally only - deny rules are logged.</para> - - <para>It is very customary to include a default deny everything - rule with the log keyword included as your last rule in the - ruleset. This makes it possible to see all the packets that - did not match any of the rules in the ruleset.</para> + generate any rule logging by default. The firewall + administrator decides which rules in the ruleset should be + logged and adds the log keyword to those rules. Normally, + only deny rules are logged.</para> + + <para>It is customary to include a <quote>default deny + everything</quote> rule with the log keyword included as the + last rule in the ruleset. This makes it possible to see all + the packets that did not match any of the rules in the + ruleset.</para> </sect2> <sect2> <title>IPMON Logging</title> - <para><application>Syslogd</application> uses its own special - method for segregation of log data. It uses special groupings - called <quote>facility</quote> and <quote>level</quote>. - IPMON in <option>-Ds</option> mode uses - <literal>local0</literal> as the <quote>facility</quote> - name by default. The following levels can be used to further - segregate the logged data if desired:</para> + <para>&man.syslogd.8; uses its own method for segregation of log + data. It uses groupings called <quote>facility</quote> and + <quote>level</quote>. 
By default, IPMON in + <option>-Ds</option> mode uses <literal>local0</literal> as + the <quote>facility</quote> name. The following levels can be + used to further segregate the logged data:</para> <screen>LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block. LOG_NOTICE - packets logged which are also passed 
@@ -858,37 +812,31 @@ LOG_ERR - packets which have been logged <!-- XXX: "can be considered short" == "with incomplete header" --> - <para>To setup IPFILTER to log all data to - <filename>/var/log/ipfilter.log</filename>, the file will - need to be created beforehand. The following command will - do that:</para> + <para>In order to setup IPFILTER to log all data to + <filename>/var/log/ipfilter.log</filename>, first + create the empty file:</para> <screen>&prompt.root; <userinput>touch /var/log/ipfilter.log</userinput></screen> - <para>The &man.syslogd.8; function is controlled by definition - statements in <filename>/etc/syslog.conf</filename>. - This file offers considerable - flexibility in how <application>syslog</application> will - deal with system messages issued by software applications - like IPF.</para> + <para>&man.syslogd.8; is controlled by definition statements in + <filename>/etc/syslog.conf</filename>. This file offers + considerable flexibility in how + <application>syslog</application> will deal with system + messages issued by software applications like IPF.</para> - <para>Add the following statement to + <para>To write all logged messages to the specified file, + add the following statement to <filename>/etc/syslog.conf</filename>:</para> <programlisting>local0.* /var/log/ipfilter.log</programlisting> - <para>The <literal>local0.*</literal> - means to write all the logged messages to the coded - file location.</para> - - <para>To activate the changes to <filename>/etc/syslog.conf - </filename> you can reboot or bump the &man.syslogd.8; - daemon into re-reading <filename>/etc/syslog.conf</filename> - by running <command>service syslogd reload</command></para> + <para>To activate the changes and instruct &man.syslogd.8; + to read the modified <filename>/etc/syslog.conf</filename>, + run <command>service syslogd reload</command>.</para> <para>Do not forget to change <filename>/etc/newsyslog.conf</filename> to rotate the new - log created 
above.</para> + log file.</para> </sect2> <sect2> @@ -906,16 +854,16 @@ LOG_ERR - packets which have been logged <listitem> <para>The time of packet receipt. This is in the form HH:MM:SS.F, for hours, minutes, seconds, and fractions - of a second (which can be several digits long).</para> *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
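Review bot: in the hunk at @@ -572, the new sentence "The module enables logging and <literal>default pass all</literal>" reads as if the module switches logging on at load time; the text it replaces says the module was built with logging support and a "default pass all" policy, which is the point readers need before the following sentence tells them how to get "block all" instead. Suggest "The module is built with logging enabled and a <literal>default pass all</literal> policy."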
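Review bot: in the hunk at @@ -629, the unchanged context line "pseudo—device for every rule that has the" still carries an em dash inside the word; since the surrounding `+` lines rewrite that paragraph anyway, fold the fix in and make it "pseudo-device" with a plain hyphen.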
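Review bot: in the hunk at @@ -672, replacing `<xref linkend="firewalls-ipf-rules-script"/>` with the empty element `<link linkend="firewalls-ipf-rules-script"></link>` gives the link no content to render, so the sentence "For more information, see ." will end with a blank link in the built handbook. Either keep the `<xref>`, which generates the target's title automatically, or put visible text naming the target section inside the `<link>` element. The log entry says this "fixes xref", but as written it removes the rendered cross-reference text rather than fixing it.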
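Review bot: in the hunk at @@ -776, "<option>-t</option> which displays the state table" needs a comma before "which" (the clause is nonrestrictive), matching the comma style used elsewhere in this rewrite.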
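Review bot: in the hunk at @@ -858, the `<!-- XXX: "can be considered short" == "with incomplete header" -->` comment is left in place even though the log message says "several comments were addressed and removed"; either resolve it in this pass or leave it out of the log's claim. In the same hunk, "In order to setup IPFILTER to log all data" should read "To set up IPFILTER to log all data" ("setup" is the noun, "set up" the verb).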