Date: Wed, 26 Feb 2014 17:05:28 +0000 (UTC) From: Dru Lavigne <dru@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44076 - head/en_US.ISO8859-1/books/handbook/firewalls Message-ID: <201402261705.s1QH5SsX006878@svn.freebsd.org>
Author: dru Date: Wed Feb 26 17:05:28 2014 New Revision: 44076 URL: http://svnweb.freebsd.org/changeset/doc/44076 Log: Initial pass through enabling IPFW. Shuffle IPFW command to later in the chapter, might get shuffled again. Begin prep work for syntax section. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 26 16:22:52 2014 (r44075) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 26 17:05:28 2014 (r44076) @@ -1675,7 +1675,7 @@ options IPDIVERT # enables NAT</pro <programlisting>firewall_type="open"</programlisting> - <para>The available values for this setting are:</para> + <para>The available types are:</para> <itemizedlist> <listitem> 
@@ -1702,114 +1702,48 @@ options IPDIVERT # enables NAT</pro firewall rules.</para> </listitem> <listitem> - <para><filename>filename</filename>: full path of the file - containing the firewall rules.</para> + <para><literal>filename</literal>: full path of the file + containing the firewall ruleset.</para> </listitem> </itemizedlist> - <para>To instead load a custom ruleset, either set the - <filename>filename</filename> value of - <literal>firewall_type</literal> or set the - <literal>firewall_script</literal> variable to the absolute - path of an executable script that includes - <command>IPFW</command> commands. This example script blocks - all incoming and outgoing traffic:</para> - - <programlisting>#!/bin/sh - -ipfw -q flush - -ipfw add deny in -ipfw add deny out</programlisting> - - <note> - <para>If <literal>firewall_type</literal> is set to either + <para>If <literal>firewall_type</literal> is set to either <literal>client</literal> or <literal>simple</literal>, modify the default rules found in <filename>/etc/rc.firewall</filename> to fit the - configuration of the system. The examples used in this - section assume that the <literal>firewall_script</literal> - is set to <filename>/etc/ipfw.rules</filename>.</para> - </note> - - <para>Enable logging:</para> - - <programlisting>firewall_logging="YES"</programlisting> + configuration of the system.</para> - <warning> - <para><varname>firewall_logging</varname> sets the - <varname>net.inet.ip.fw.verbose</varname> sysctl - variable to the value of <literal>1</literal>. 
There is no - <filename>rc.conf</filename> variable to set log - limitations, but the desired value can be set using - <command>sysctl</command> or by adding the following - variable and desired value to - <filename>/etc/sysctl.conf</filename>:</para> - - <programlisting>net.inet.ip.fw.verbose_limit=5</programlisting> - </warning> - - <para>If the machine is acting as a gateway providing - <acronym>NAT</acronym> using &man.natd.8;, refer to <xref - linkend="network-natd"/> for information regarding the - required <filename>/etc/rc.conf</filename> options.</para> - </sect2> + <para>Note that the + <literal>filename</literal> type is used to load a custom ruleset.</para> - <sect2 xml:id="firewalls-ipfw-cmd"> - <title>The <application>IPFW</application> Command</title> - - <indexterm><primary><command>ipfw</command></primary></indexterm> - - <para><command>ipfw</command> can be used to make manual, - single rule additions or deletions to the active firewall - while it is running. The problem with using this method is - that all the changes are lost when the system reboots. It is - recommended to instead write all the rules in a file and to - use that file to load the rules at boot time and to replace - the currently running firewall rules whenever that file - changes.</para> - - <para><command>ipfw</command> is a useful way to display the - running firewall rules to the console screen. The - <application>IPFW</application> accounting facility - dynamically creates a counter for each rule that counts each - packet that matches the rule. 
During the process of testing a - rule, listing the rule with its counter is one way to - determine if the rule is functioning as expected.</para> - - <para>To list all the running rules in sequence:</para> - - <screen>&prompt.root; <userinput>ipfw list</userinput></screen> - - <para>To list all the running rules with a time stamp of when - the last time the rule was matched:</para> - - <screen>&prompt.root; <userinput>ipfw -t list</userinput></screen> - - <para>The next example lists accounting information and the - packet count for matched rules along with the rules - themselves. The first column is the rule number, followed by - the number of matched packets and bytes, followed by the rule - itself.</para> - - <screen>&prompt.root; <userinput>ipfw -a list</userinput></screen> - - <para>To list dynamic rules in addition to static rules:</para> - - <screen>&prompt.root; <userinput>ipfw -d list</userinput></screen> + <para>An alternate way to load a custom ruleset is to set the + <literal>firewall_script</literal> variable to the absolute + path of an <emphasis>executable script</emphasis> that includes + <application>IPFW</application> commands. The examples used in this + section assume that the <literal>firewall_script</literal> + is set to <filename>/etc/ipfw.rules</filename>:</para> - <para>To also show the expired dynamic rules:</para> + <programlisting>firewall_script="/etc/ipfw.rules"</programlisting> - <screen>&prompt.root; <userinput>ipfw -d -e list</userinput></screen> + <para>To enable logging, include this line:</para> - <para>To zero the counters:</para> - - <screen>&prompt.root; <userinput>ipfw zero</userinput></screen> + <programlisting>firewall_logging="YES"</programlisting> - <para>To zero the counters for just the rule with number - <replaceable>NUM</replaceable>:</para> + <para>There is no + <filename>/etc/rc.conf</filename> variable to set logging + limits. 
To limit the number of times a rule is logged + per connection attempt, specify the number using this line + in + <filename>/etc/sysctl.conf</filename>:</para> - <screen>&prompt.root; <userinput>ipfw zero NUM</userinput></screen> + <programlisting>net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></programlisting> + + <para>After saving the needed edits, start the firewall. To + enable logging limits now, also set the + <command>sysctl</command> value specified above:</para> + + <screen>&prompt.root; <userinput>service ipfw start</userinput> +&prompt.root; <userinput>sysctl net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></userinput></screen> </sect2> <sect2 xml:id="firewalls-ipfw-rules"> @@ -1821,16 +1755,16 @@ ipfw add deny out</programlisting> <secondary>rule processing order</secondary> </indexterm> - <para>When a packet enters the <acronym>IPFW</acronym> firewall, + <para>When a packet enters the <application>IPFW</application> firewall, it is compared against the first rule in the ruleset and progresses one rule at a time, moving from top to bottom of the set in ascending rule number sequence order. When the packet matches the selection parameters of a rule, the rule's - action field value is executed and the search of the ruleset + action is executed and the search of the ruleset terminates for that packet. This is referred to as <quote>first match wins</quote>. If the packet does not match any of the rules, it gets caught by the mandatory - <application>IPFW</application> default rule, number 65535, + <application>IPFW</application> default rule number 65535, which denies all packets and silently discards them. However, if the packet matches a rule that contains the <literal>count</literal>, <literal>skipto</literal>, or 
@@ -1838,11 +1772,8 @@ ipfw add deny out</programlisting> to &man.ipfw.8; for details on how these keywords affect rule processing.</para> - <para>The examples in this section create an inclusive type - firewall ruleset containing the stateful <literal>keep - state</literal>, <literal>limit</literal>, - <literal>in</literal>, <literal>out</literal> and - <literal>via</literal> options. For a complete rule syntax + <para>This section provides an overview of the rule syntax for creating + stateful rules. For a complete rule syntax description, refer to &man.ipfw.8;.</para> <indexterm> @@ -1851,11 +1782,11 @@ ipfw add deny out</programlisting> <secondary>rule syntax</secondary> </indexterm> - <para>This section describes the keywords which comprise an - <application>IPFW</application> rule. Keywords must be - written in the following order. <literal>#</literal> is used + <para>When creating an + <application>IPFW</application> rule, keywords must be + written in the following order. The <literal>#</literal> symbol is used to mark the start of a comment and may appear at the end of a - rule line or on its own line. Blank lines are ignored.</para> + rule or on its own line. Blank lines are ignored.</para> <para><replaceable>CMD RULE_NUMBER ACTION LOGGING SELECTION STATEFUL</replaceable></para> @@ -1915,7 +1846,7 @@ ipfw add deny out</programlisting> </varlistentry> <varlistentry> - <term>Logging</term> + <term>LOGGING</term> <listitem> <para>When a packet matches a rule with the <literal>log</literal> keyword, a message will be logged @@ -1942,7 +1873,7 @@ ipfw add deny out</programlisting> </varlistentry> <varlistentry> - <term>Selection</term> + <term>SELECTION</term> <listitem> <para>The keywords described in this section are used to describe attributes of the packet to be checked when 
@@ -2031,7 +1962,7 @@ ipfw add deny out</programlisting> </varlistentry> <varlistentry> - <term>Stateful Rule Option</term> + <term>STATEFUL</term> <listitem> <para>The <literal>check-state</literal> option is used to identify where in the <application>IPFW</application> 
@@ -2058,6 +1989,63 @@ ipfw add deny out</programlisting> </listitem> </varlistentry> </variablelist> + </sect2> + + <sect2 xml:id="firewalls-ipfw-cmd"> + <title>The <application>IPFW</application> Command</title> + + <indexterm><primary><command>ipfw</command></primary></indexterm> + + <para><command>ipfw</command> can be used to make manual, + single rule additions or deletions to the active firewall + while it is running. The problem with using this method is + that all the changes are lost when the system reboots. It is + recommended to instead write all the rules in a file and to + use that file to load the rules at boot time and to replace + the currently running firewall rules whenever that file + changes.</para> + + <para><command>ipfw</command> is a useful way to display the + running firewall rules to the console screen. The + <application>IPFW</application> accounting facility + dynamically creates a counter for each rule that counts each + packet that matches the rule. During the process of testing a + rule, listing the rule with its counter is one way to + determine if the rule is functioning as expected.</para> + + <para>To list all the running rules in sequence:</para> + + <screen>&prompt.root; <userinput>ipfw list</userinput></screen> + + <para>To list all the running rules with a time stamp of when + the last time the rule was matched:</para> + + <screen>&prompt.root; <userinput>ipfw -t list</userinput></screen> + + <para>The next example lists accounting information and the + packet count for matched rules along with the rules + themselves. 
The first column is the rule number, followed by + the number of matched packets and bytes, followed by the rule + itself.</para> + + <screen>&prompt.root; <userinput>ipfw -a list</userinput></screen> + + <para>To list dynamic rules in addition to static rules:</para> + + <screen>&prompt.root; <userinput>ipfw -d list</userinput></screen> + + <para>To also show the expired dynamic rules:</para> + + <screen>&prompt.root; <userinput>ipfw -d -e list</userinput></screen> + + <para>To zero the counters:</para> + + <screen>&prompt.root; <userinput>ipfw zero</userinput></screen> + + <para>To zero the counters for just the rule with number + <replaceable>NUM</replaceable>:</para> + + <screen>&prompt.root; <userinput>ipfw zero NUM</userinput></screen> <sect3> <title>Logging Firewall Messages</title>
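Review bot: In the `@@ -1702,114 +1702,48 @@` hunk, the paragraph that pointed gateway/NAT users at `<xref linkend="network-natd"/>` for the required `/etc/rc.conf` options is deleted and nothing in the new text replaces it; keep that cross-reference here until it has a new home. The new sentence "To limit the number of times a rule is logged per connection attempt" also describes `net.inet.ip.fw.verbose_limit` imprecisely: that sysctl caps the number of log entries emitted per rule (it is the default for a rule's `logamount`), not per connection, so the old vague "log limitations" was at least not wrong; suggest "to limit the number of log entries a rule may generate". Finally, the removed `deny in` / `deny out` script was the only illustration of what a `firewall_script` file contains, so consider keeping a minimal script next to the new `firewall_script="/etc/ipfw.rules"` line.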
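Review bot: In the `@@ -2058,6 +1989,63 @@` hunk, the new `<sect2 xml:id="firewalls-ipfw-cmd">` is opened after `</variablelist>` and `</sect2>` but is never closed before the existing `<sect3><title>Logging Firewall Messages</title>` at the end of the hunk, so the logging subsection now becomes a child of "The IPFW Command" instead of the rules section it belonged to, and the later `</sect2>` that used to close `firewalls-ipfw-rules` now closes this sect2 instead. Either add `</sect2>` before that `<sect3>` and reopen the rules section, or move the logging sect3 deliberately and say so in the log. Minor: the moved text marks `NUM` with `<replaceable>` in the prose but not in `<screen>&prompt.root; <userinput>ipfw zero NUM</userinput></screen>`; wrap it there as well, as the `verbose_limit` example in the earlier hunk does for `5`.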