Date: Tue, 25 Feb 2014 17:59:16 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44054 - head/en_US.ISO8859-1/books/handbook/firewalls
Message-ID: <201402251759.s1PHxGbF034901@svn.freebsd.org>
Author: dru Date: Tue Feb 25 17:59:16 2014 New Revision: 44054 URL: http://svnweb.freebsd.org/changeset/doc/44054 Log: Initial prep work for IPFW section so that it starts to match layout of other firewall sections. Many more commits to come. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Tue Feb 25 17:38:33 2014 (r44053) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Tue Feb 25 17:59:16 2014 (r44054) @@ -1639,10 +1639,6 @@ block drop out quick on $ext_if from any <programlisting>net.inet.ip.fw.verbose=1 net.inet.ip.fw.verbose_limit=5</programlisting> - </sect2> - - <sect2 xml:id="firewalls-ipfw-kernel"> - <title>Kernel Options</title> <indexterm> <primary>kernel options</primary> @@ -1720,12 +1716,8 @@ net.inet.ip.fw.verbose_limit=5</programl option or a rule to explicitly allow these connections is missing.</para> </note> - </sect2> - <sect2 xml:id="firewalls-ipfw-rc"> - <title><filename>/etc/rc.conf</filename> Options</title> - - <para>Enables the firewall:</para> + <para>The following <filename>/etc/rc.conf</filename> option enables the firewall:</para> <programlisting>firewall_enable="YES"</programlisting> @@ -1876,7 +1868,7 @@ ipfw add deny out</programlisting> </sect2> <sect2 xml:id="firewalls-ipfw-rules"> - <title>IPFW Rulesets</title> + <title>IPFW Rule Syntax</title> <indexterm> <primary>IPFW</primary> 
@@ -1907,14 +1899,6 @@ ipfw add deny out</programlisting> <literal>via</literal> options. For a complete rule syntax description, refer to &man.ipfw.8;.</para> - <warning> - <para>Be careful when working with firewall rules, as it is - easy to lock out even the administrator.</para> - </warning> - - <sect3 xml:id="firewalls-ipfw-rules-syntax"> - <title>Rule Syntax</title> - <indexterm> <primary>IPFW</primary> @@ -1930,25 +1914,28 @@ ipfw add deny out</programlisting> <para><replaceable>CMD RULE_NUMBER ACTION LOGGING SELECTION STATEFUL</replaceable></para> - <sect4> - <title>CMD</title> - + <variablelist> + <varlistentry> + <term>CMD</term> + <listitem> <para>Each new rule has to be prefixed with <parameter>add</parameter> to add the rule to the internal table.</para> - </sect4> - - <sect4> - <title>RULE_NUMBER</title> + </listitem> + </varlistentry> + <varlistentry> + <term>RULE_NUMBER</term> + <listitem> <para>Each rule is associated with a rule_number in the range of <literal>1</literal> to <literal>65535</literal>.</para> - </sect4> - - <sect4> - <title>ACTION</title> + </listitem> + </varlistentry> + <varlistentry> + <term>ACTION</term> + <listitem> <para>A rule can be associated with one of the following actions. The specified action will be executed when the packet matches the selection criterion of the rule.</para> @@ -1977,11 +1964,12 @@ ipfw add deny out</programlisting> <para>Both words mean the same thing, which is to discard packets that match this rule. The search terminates.</para> - </sect4> - - <sect4> - <title>Logging</title> + </listitem> + </varlistentry> + <varlistentry> + <term>Logging</term> + <listitem> <para>When a packet matches a rule with the <literal>log</literal> keyword, a message will be logged to &man.syslogd.8; with a facility name of 
@@ -2002,11 +1990,12 @@ ipfw add deny out</programlisting> final action on the packet. The administrator decides which rules to enable logging on.</para> </note> - </sect4> - - <sect4> - <title>Selection</title> + </listitem> + </varlistentry> + <varlistentry> + <term>Selection</term> + <listitem> <para>The keywords described in this section are used to describe attributes of the packet to be checked when determining whether rules match the packet or not. @@ -2087,18 +2076,12 @@ ipfw add deny out</programlisting> specified. <literal>limit</literal> and <literal>keep-state</literal> can not be used on the same rule as they provide the same stateful function.</para> - </sect4> - </sect3> - - <sect3> - <title>Stateful Rule Option</title> - - <indexterm> - <primary>IPFW</primary> - - <secondary>stateful filtering</secondary> - </indexterm> + </listitem> + </varlistentry> + <varlistentry> + <term>Stateful Rule Option</term> + <listitem> <para>The <literal>check-state</literal> option is used to identify where in the IPFW ruleset the packet is to be tested against the dynamic rules facility. On a match, the @@ -2119,7 +2102,9 @@ ipfw add deny out</programlisting> combination occurred. If this count is greater than the value specified by <literal>limit</literal>, the packet is discarded.</para> - </sect3> + </listitem> + </varlistentry> + </variablelist> <sect3> <title>Logging Firewall Messages</title>
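Review bot: in the first hunk (@@ -1639,10 +1639,6 @@) the removed `<sect2 xml:id="firewalls-ipfw-kernel">` takes its anchor with it, so any `<xref linkend="firewalls-ipfw-kernel"/>` elsewhere in the Handbook, or an external link to that fragment, will break the build or dangle; grep the doc tree for the id before committing, or carry the id over to the surviving enclosing element so existing links keep resolving.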
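Review bot: the second hunk (@@ -1720,12 +1716,8 @@) has the same anchor problem for `xml:id="firewalls-ipfw-rc"`; the reworded `<para>The following <filename>/etc/rc.conf</filename> option enables the firewall:</para>` reads well now that the heading is gone, but the dropped id should be checked for references in the same pass.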
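Review bot: the hunk at @@ -1907,14 +1899,6 @@ deletes the `<warning>` ("Be careful when working with firewall rules, as it is easy to lock out even the administrator.") without relocating it anywhere in this patch; since the section still introduces how rules are written, keep that warning, for example next to the `firewall_enable="YES"` listing or before the first `ipfw add` example, rather than dropping the only operational caution in the section. The same hunk also removes `xml:id="firewalls-ipfw-rules-syntax"`, which needs the same reference check as the other deleted ids.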
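Review bot: in the hunk at @@ -1930,25 +1914,28 @@ the new `<term>CMD</term>`, `<term>RULE_NUMBER</term>` and `<term>ACTION</term>` are plain text, while the syntax line they explain is marked up as `<replaceable>CMD RULE_NUMBER ACTION LOGGING SELECTION STATEFUL</replaceable>`; wrapping each term in `<replaceable>` would render them the same way as the syntax line. The RULE_NUMBER entry also refers to "a rule_number" in lowercase; using `<replaceable>RULE_NUMBER</replaceable>` there keeps the name consistent.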
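Review bot: the hunk at @@ -1977,11 +1964,12 @@ introduces `<term>Logging</term>` in title case, and the following hunk does the same with `<term>Selection</term>`, whereas the syntax line uses LOGGING and SELECTION and the earlier entries use CMD, RULE_NUMBER and ACTION; pick one form for all six terms so a reader can map each entry back to its position in the syntax line.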
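Review bot: the hunk at @@ -2087,18 +2076,12 @@ drops the `<indexterm>` with `<secondary>stateful filtering</secondary>` together with the `<sect3>` wrapper, so the "stateful filtering" index entry disappears from the book; DocBook permits `<indexterm>` inside a `<listitem>`, so move it into the new `<listitem>` instead of deleting it. The term "Stateful Rule Option" also corresponds to STATEFUL in the syntax line and would be clearer named that way, matching the other entries.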