From owner-svn-doc-all@FreeBSD.ORG Tue Feb 18 21:30:20 2014 Return-Path: Delivered-To: svn-doc-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 7D8B3637; Tue, 18 Feb 2014 21:30:20 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 689F41703; Tue, 18 Feb 2014 21:30:20 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s1ILUKFQ057823; Tue, 18 Feb 2014 21:30:20 GMT (envelope-from dru@svn.freebsd.org) Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s1ILUKKu057822; Tue, 18 Feb 2014 21:30:20 GMT (envelope-from dru@svn.freebsd.org) Message-Id: <201402182130.s1ILUKKu057822@svn.freebsd.org> 
From: Dru Lavigne Date: Tue, 18 Feb 2014 21:30:20 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r43987 - head/en_US.ISO8859-1/books/handbook/firewalls X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Feb 2014 21:30:20 -0000 Author: dru Date: Tue Feb 18 21:30:19 2014 New Revision: 43987 URL: http://svnweb.freebsd.org/changeset/doc/43987 Log: Prep work for next round of edits. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Tue Feb 18 21:05:36 2014 (r43986) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Tue Feb 18 21:30:19 2014 (r43987) 
@@ -1191,30 +1191,8 @@ pass inet proto tcp from any to $localne /usr/local/sbin/expiretable -v -d -t 24h bruteforce - - Other <application>PF</application> Tools - - Over time, a number of tools have been developed which - interact with PF in various - ways. - - - The <application>pftop</application> Traffic - Viewer - - Can Erkin Acar's pftop - makes it possible to keep an eye on what passes into and - out of the network. pftop is - available through the ports system as - sysutils/pftop. The name is a strong - hint at what it does - pftop - shows a running snapshot of traffic in a format which is - strongly inspired by &man.top.1;. - - - - The <application>spamd</application> Spam Deferral - Daemon + + Protecting Against <acronym>SPAM</acronym> Not to be confused with the spamd daemon which comes @@ -1249,11 +1227,7 @@ pass inet proto tcp from any to $localne implementation with one byte SMTP replies is often referred to as stuttering. - - A Basic Blacklisting - <application>spamd</application> - - Here is the basic procedure for setting up + This example demonstrates the basic procedure for setting up spamd with automatically updated blacklists: @@ -1392,11 +1366,9 @@ rdr pass on $ext_if inet proto tcp from On a typical gateway in front of a mail server, hosts will start getting trapped within a few seconds to several minutes. - - - Adding Greylisting to the - <application>spamd</application> Setup + + Adding Greylisting to the Setup spamd also supports greylisting, which works by 
@@ -1505,20 +1477,16 @@ rdr pass on $ext_if inet proto tcp from administrator's main interface to managing the black, grey and white lists via the contents of the /var/db/spamdb database. - + - - Network Hygiene: Blocking, Scrubbing and so - On - - Our gateway does not feel quite complete without a few - more items in the configuration which will make it behave - a bit more sanely towards hosts on the wide net and our - local network. + + Network Hygiene - - <literal>block-policy</literal> + This section describes how + block-policy, scrub, + and antispoof can be used to make the + ruleset behave sanely. block-policy is an option which can be set in the options part of the @@ -1539,10 +1507,6 @@ rdr pass on $ext_if inet proto tcp from returns: set block-policy return - - - - <literal>scrub</literal> In PF versions up to OpenBSD 4.5 inclusive, scrub is a @@ -1573,10 +1537,6 @@ rdr pass on $ext_if inet proto tcp from possible, and you should be able to cater to various specific needs by consulting the man pages and some experimentation. - - - - <literal>antispoof</literal> antispoof is a common special case of filtering and blocking. This mechanism protects @@ -1591,9 +1551,9 @@ rdr pass on $ext_if inet proto tcp from antispoof for $ext_if antispoof for $int_if - + - + Handling Non-Routable Addresses from Elsewhere @@ -1643,9 +1603,24 @@ block drop out quick on $ext_if from any xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/, where you will also find slides from related presentations. - - + + + Viewing Traffic + + Over time, a number of tools have been developed which + interact with PF in various + ways. + + Can Erkin Acar's pftop + makes it possible to keep an eye on what passes into and + out of the network. pftop is + available through the ports system as + sysutils/pftop. The name is a strong + hint at what it does - pftop + shows a running snapshot of traffic in a format which is + strongly inspired by &man.top.1;. +
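Review bot: in the hunk at @@ -1191, the new title "Protecting Against <acronym>SPAM</acronym>" leaves the unchanged opening sentence "Not to be confused with the spamd daemon which comes ..." without an antecedent: the removed title "The <application>spamd</application> Spam Deferral Daemon" was the only thing that named the PF spamd the disambiguation contrasts against, and the new title does not mention spamd at all. Suggest opening the section with a sentence that introduces PF's spamd spam-deferral daemon before the "Not to be confused with" sentence. Also, spam is not an acronym, so wrapping it in <acronym> and capitalising it as SPAM is misleading markup; plain "Spam", as in the removed title, is the safer choice.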
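Review bot: in the hunk at @@ -1505, the replacement intro "This section describes how block-policy, scrub, and antispoof can be used to make the ruleset behave sanely" keeps the vague "sanely" but drops the concrete framing of the paragraph it replaces (behaving sanely "towards hosts on the wide net and our local network"), and because this hunk together with the hunks at @@ -1539 and @@ -1573 removes the <literal>block-policy</literal>, <literal>scrub</literal> and <literal>antispoof</literal> subsection titles, the three discussions now run together under one heading with that sentence as the reader's only roadmap. Suggest either keeping the three subsection titles or expanding the intro to one line per option, reusing the descriptions already present in the context (the block-policy text ends with the example "set block-policy return"; antispoof is described as "a common special case of filtering and blocking" applied as "antispoof for $ext_if" and "antispoof for $int_if"), so the reader knows which paragraph belongs to which option.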
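Review bot: in the hunk at @@ -1643, the new "Viewing Traffic" section is inserted after the pointer to http://home.nuug.no/~peter/pf/ "where you will also find slides from related presentations", so a how-to section now follows what reads as the chapter's further-reading wrap-up; suggest placing it before that paragraph. The moved lead sentence "Over time, a number of tools have been developed which interact with PF in various ways" was the intro to the removed "Other PF Tools" section and now introduces a section that covers only pftop; either drop it or reword it to say that pftop is one of several tools that interact with PF. Finally, "The name is a strong hint at what it does - pftop shows ..." carries a bare hyphen as a dash; a colon ("what it does: pftop shows ...") is cleaner in the handbook's prose.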