Date: Wed, 22 Sep 2004 03:04:20 +0200
From: Max Laier <max@love2party.net>
To: freebsd-doc@freebsd.org
Subject: Re: New firewall section (was: Re: HEADS UP: doc/ slush begins)
Message-ID: <200409220304.22302.max@love2party.net>
In-Reply-To: <200409220301.38350.max@love2party.net>
References: <200409220056.59900.max@love2party.net> <200409220301.38350.max@love2party.net>
On Wednesday 22 September 2004 03:01, Max Laier wrote:
> On Wednesday 22 September 2004 00:56, Max Laier wrote:
> > [ Sorry for joining in late or broken references. Have not been on -doc,
> > yet ]
> >
> > On Thursday 01 January 1970 00:59, wrote:
> > > > Referring to ... http://freebsd.so14k.com/firewall/
> > > >
> > > > Is everyone else happy (doceng/translators) if this were to go in
> > > > before the release?
> >
> > I'd like to put in "a few" more words about pf in terms of FreeBSD
> > (something in the flavor of 14.8.5.1 through 14.8.5.3). I will follow up
> > with a writeup of what I have in mind in ~2-4h. Do with it whatever you
> > feel is appropriate.
> >
> > Great work, please don't let me delay you here! But thanks for
> > considering.
>
> Attached is the updated <sect2> for pf. Just some scribbling, but I guess
> people will still find it useful to get the grip. Just tell me what you
> think of it and what I can do to help. Thanks!

The mailing list doesn't seem to like "Type: text/sgml" ... resend, sorry!

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

[Attachment: pf.firewall.sgml]

<sect2>
  <title>OpenBSD's Packet Filter (PF) firewall</title>

  <para>As of July 2003 the OpenBSD firewall software application named PF
    was ported to &os;. It is part of &os; version 5.3 and later. PF is a
    complete, full featured firewall that contains ALTQ for bandwidth usage
    management much the same as dummynet provides in IPFW. Of all the &os;
    firewalls, PF has the best user documentation. The OpenBSD project does
    such an outstanding job of maintaining the PF users' guide that it will
    not be made part of this handbook firewall section as that would just be
    duplicated effort.</para>

  <para>For older 5.x versions of &os; you can find PF in the &os; ports
    collection here: <filename role="package">security/pf</filename>.</para>

  <para>More info can be found at the PF for &os; web-site:
    <ulink url="http://pf4freebsd.love2party.net/index.html"></ulink>.</para>

  <para>The OpenBSD PF user's guide is here:
    <ulink url="http://www.openbsd.org/faq/pf/index.html"></ulink>.</para>

  <warning>
    <para>PF in &os; 5.x is at the level of OpenBSD version 3.5. The port
      from the &os; ports collection is at the level of OpenBSD version 3.4.
      Keep that in mind when browsing the user's guide.</para>
  </warning>

  <sect3>
    <title>Enabling PF</title>

    <para>PF is included in the basic &os; install for versions newer than
      5.3 as a separate run time loadable module. PF will dynamically load
      its kernel loadable module when the rc.conf statement
      <programlisting>pf_enable="YES"</programlisting> is used. The loadable
      module was created with &man.pflog.4; logging enabled.</para>
  </sect3>

  <sect3>
    <title>Kernel options</title>

    <para>It is not a mandatory requirement that you enable PF by compiling
      the following options into the &os; kernel. It is only presented here
      as background information. Compiling PF into the kernel causes the
      loadable module to never be used.</para>

    <para>Sample kernel config PF option statements are in the
      <filename>/usr/src/sys/conf/NOTES</filename> kernel source and are
      reproduced here.</para>

    <screen>device pf
device pflog
device pfsync</screen>

    <para><programlisting>pf</programlisting> tells the compile to include
      Packet Filter as part of its core kernel.</para>

    <para><programlisting>pflog</programlisting> enables the optional
      &man.pflog.4; pseudo network device which can be used to log traffic
      to a &man.bpf.4; descriptor. The &man.pflogd.8; daemon can be used to
      store the logging information to disk.</para>

    <para><programlisting>pfsync</programlisting> enables the optional
      &man.pfsync.4; pseudo network device that is used to monitor
      <quote>state changes</quote>. As this is not part of the loadable
      module one has to build a custom kernel to use it.</para>

    <para>These settings will take effect only after you have built and
      installed a kernel with them set.</para>
  </sect3>

  <sect3>
    <title>Available rc.conf Options</title>

    <para>You need the following statements in
      <filename>/etc/rc.conf</filename> to activate PF at boot time.</para>

    <screen>pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl startup
pflog_enable="YES"              # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_flags=""                  # additional flags for pflogd startup</screen>

    <para>If you have a LAN behind this firewall and have to forward packets
      for the computers in the LAN or want to do NAT you have to enable the
      following option as well.</para>

    <screen>gateway_enable="YES"            # Enable as Lan gateway</screen>
  </sect3>
</sect2>
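As an added example (not part of Max's draft and not FreeBSD's own rc scripts), a small POSIX sh audit that reads an rc.conf fragment and reports which of the settings listed in the draft are missing or disabled; the sample file content and the "want NAT" flag are constructed assumptions, and the only thing taken from the draft is the variable names.

```shell
# Added example: audit an rc.conf for the PF knobs the draft section lists.
# Assumes only the variable names shown there.

# Constructed sample rc.conf (not a real system file). Note the stray second
# pf_enable line near the end: rc.conf is sourced by sh, so the last value wins.
SAMPLE_RCCONF=$(cat <<'EOF'
hostname="fw.example.test"
pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pflog_enable="YES"              # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
gateway_enable="NO"
pf_enable="NO"                  # silently disables PF again
EOF
)

# rc_value CONTENT NAME: print the effective value of NAME (last assignment
# wins, surrounding quotes and trailing comments dropped); empty if unset.
rc_value() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# pf_audit CONTENT WANT_NAT(yes|no): print one line per finding and return
# the number of findings; 0 means the file matches the section's settings.
pf_audit() {
    rcconf=$1; want_nat=$2; findings=0
    if [ "$(rc_value "$rcconf" pf_enable)" != "YES" ]; then
        echo 'pf_enable is not "YES": PF will not be loaded at boot'
        findings=$((findings + 1))
    fi
    if [ -z "$(rc_value "$rcconf" pf_rules)" ]; then
        echo 'pf_rules is unset: no ruleset file is named'
        findings=$((findings + 1))
    fi
    if [ "$(rc_value "$rcconf" pflog_enable)" != "YES" ]; then
        echo 'pflog_enable is not "YES": pflogd(8) will not record logged packets'
        findings=$((findings + 1))
    fi
    if [ "$want_nat" = yes ] && [ "$(rc_value "$rcconf" gateway_enable)" != "YES" ]; then
        echo 'gateway_enable is not "YES": LAN packets will not be forwarded'
        findings=$((findings + 1))
    fi
    return "$findings"
}

pf_audit "$SAMPLE_RCCONF" yes || printf '%d finding(s)\n' "$?"
```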
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200409220304.22302.max>