From owner-svn-doc-all@FreeBSD.ORG Tue Feb 25 17:59:16 2014
Return-Path:
Delivered-To: svn-doc-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id E64AA64E; Tue, 25 Feb 2014 17:59:16 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id C3DD6152B; Tue, 25 Feb 2014 17:59:16 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s1PHxGko034902; Tue, 25 Feb 2014 17:59:16 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s1PHxGbF034901; Tue, 25 Feb 2014 17:59:16 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201402251759.s1PHxGbF034901@svn.freebsd.org>
From: Dru Lavigne Date: Tue, 25 Feb 2014 17:59:16 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44054 - head/en_US.ISO8859-1/books/handbook/firewalls X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Feb 2014 17:59:17 -0000 Author: dru Date: Tue Feb 25 17:59:16 2014 New Revision: 44054 URL: http://svnweb.freebsd.org/changeset/doc/44054 Log: Initial prep work for IPFW section so that it starts to match layout of other firewall sections. Many more commits to come. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Tue Feb 25 17:38:33 2014 (r44053) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Tue Feb 25 17:59:16 2014 (r44054) @@ -1639,10 +1639,6 @@ block drop out quick on $ext_if from any net.inet.ip.fw.verbose=1 net.inet.ip.fw.verbose_limit=5 - - - - Kernel Options kernel options @@ -1720,12 +1716,8 @@ net.inet.ip.fw.verbose_limit=5 - - - <filename>/etc/rc.conf</filename> Options - - Enables the firewall: + The following /etc/rc.conf option enables the firewall: firewall_enable="YES" @@ -1876,7 +1868,7 @@ ipfw add deny out - IPFW Rulesets + IPFW Rule Syntax IPFW 
@@ -1907,14 +1899,6 @@ ipfw add deny out via options. For a complete rule syntax description, refer to &man.ipfw.8;. - - Be careful when working with firewall rules, as it is - easy to lock out even the administrator. - - - - Rule Syntax - IPFW @@ -1930,25 +1914,28 @@ ipfw add deny out CMD RULE_NUMBER ACTION LOGGING SELECTION STATEFUL - - CMD - + + + CMD + Each new rule has to be prefixed with add to add the rule to the internal table. - - - - RULE_NUMBER + + + + RULE_NUMBER + Each rule is associated with a rule_number in the range of 1 to 65535. - - - - ACTION + + + + ACTION + A rule can be associated with one of the following actions. The specified action will be executed when the packet matches the selection criterion of the rule. @@ -1977,11 +1964,12 @@ ipfw add deny out Both words mean the same thing, which is to discard packets that match this rule. The search terminates. - - - - Logging + + + + Logging + When a packet matches a rule with the log keyword, a message will be logged to &man.syslogd.8; with a facility name of @@ -2002,11 +1990,12 @@ ipfw add deny out final action on the packet. The administrator decides which rules to enable logging on. - - - - Selection + + + + Selection + The keywords described in this section are used to describe attributes of the packet to be checked when determining whether rules match the packet or not. @@ -2087,18 +2076,12 @@ ipfw add deny out specified. limit and keep-state can not be used on the same rule as they provide the same stateful function. - - - - - Stateful Rule Option - - - IPFW - - stateful filtering - + + + + Stateful Rule Option + The check-state option is used to identify where in the IPFW ruleset the packet is to be tested against the dynamic rules facility. On a match, the @@ -2119,7 +2102,9 @@ ipfw add deny out combination occurred. If this count is greater than the value specified by limit, the packet is discarded. - + + + Logging Firewall Messages
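Review bot: in the -1720 hunk the replacement sentence appears to drop the markup around the file name. The removed heading wrote `<filename>/etc/rc.conf</filename> Options`, while the added line reads `The following /etc/rc.conf option enables the firewall:` with the path bare. Suggest `The following <filename>/etc/rc.conf</filename> option enables the firewall:` so the path renders the same way as elsewhere in the chapter.

Review bot: renaming the section title from `IPFW Rulesets` to `IPFW Rule Syntax` in the -1876 hunk changes the text that any `<xref>` to this section generates; worth grepping the other handbook chapters for links to this section's xml:id and confirming the rendered link text still reads sensibly with the new title.

Review bot: the -1907 hunk removes the caution `Be careful when working with firewall rules, as it is easy to lock out even the administrator.` together with the `Rule Syntax` subheading, and nothing in this hunk gives the caution a new home. Since loading a rule set on a remote machine can cut off the administrator's own session, please keep that sentence somewhere in the section (for example next to the `firewall_enable="YES"` text) rather than dropping it, even if the layout work continues in later commits. If the removed subsection carried an xml:id, any incoming links to it will also need updating.

Review bot: the term headings in the -1930 hunk are upper case (`CMD`, `RULE_NUMBER`, `ACTION`) to match the syntax line `CMD RULE_NUMBER ACTION LOGGING SELECTION STATEFUL`, but the entries reindented in the -1977, -2002 and -2087 hunks are title case (`Logging`, `Selection`, `Stateful Rule Option`). Pick one convention, for instance `LOGGING`, `SELECTION`, `STATEFUL` to mirror the syntax line, so a reader can map each term onto its position in the rule.

Review bot: the -2087 hunk removes the `IPFW` / `stateful filtering` indexterm under `Stateful Rule Option` while the surrounding change is only a reindent of the heading. Unless the index entry is being relocated in a follow-up commit, keep it, since it is how readers of the printed index find the stateful-rules discussion in this section.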