From owner-svn-doc-all@FreeBSD.ORG Wed Feb 26 17:05:29 2014 Return-Path: Delivered-To: svn-doc-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 2D518D49; Wed, 26 Feb 2014 17:05:29 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 171921096; Wed, 26 Feb 2014 17:05:29 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s1QH5S9n006879; Wed, 26 Feb 2014 17:05:28 GMT (envelope-from dru@svn.freebsd.org) Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s1QH5SsX006878; Wed, 26 Feb 2014 17:05:28 GMT (envelope-from dru@svn.freebsd.org) Message-Id: <201402261705.s1QH5SsX006878@svn.freebsd.org> 
From: Dru Lavigne Date: Wed, 26 Feb 2014 17:05:28 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44076 - head/en_US.ISO8859-1/books/handbook/firewalls X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Feb 2014 17:05:29 -0000 Author: dru Date: Wed Feb 26 17:05:28 2014 New Revision: 44076 URL: http://svnweb.freebsd.org/changeset/doc/44076 Log: Initial pass through enabling IPFW. Shuffle IPFW command to later in the chapter, might get shuffled again. Begin prep work for syntax section. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 26 16:22:52 2014 (r44075) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 26 17:05:28 2014 (r44076) @@ -1675,7 +1675,7 @@ options IPDIVERT # enables NATfirewall_type="open" - The available values for this setting are: + The available types are: 
@@ -1702,114 +1702,48 @@ options IPDIVERT # enables NAT - filename: full path of the file - containing the firewall rules. + filename: full path of the file + containing the firewall ruleset. - To instead load a custom ruleset, either set the - filename value of - firewall_type or set the - firewall_script variable to the absolute - path of an executable script that includes - IPFW commands. This example script blocks - all incoming and outgoing traffic: - - #!/bin/sh - -ipfw -q flush - -ipfw add deny in -ipfw add deny out - - - If firewall_type is set to either + If firewall_type is set to either client or simple, modify the default rules found in /etc/rc.firewall to fit the - configuration of the system. The examples used in this - section assume that the firewall_script - is set to /etc/ipfw.rules. - - - Enable logging: - - firewall_logging="YES" + configuration of the system. - - firewall_logging sets the - net.inet.ip.fw.verbose sysctl - variable to the value of 1. There is no - rc.conf variable to set log - limitations, but the desired value can be set using - sysctl or by adding the following - variable and desired value to - /etc/sysctl.conf: - - net.inet.ip.fw.verbose_limit=5 - - - If the machine is acting as a gateway providing - NAT using &man.natd.8;, refer to for information regarding the - required /etc/rc.conf options. - + Note that the + filename type is used to load a custom ruleset. - - The <application>IPFW</application> Command - - ipfw - - ipfw can be used to make manual, - single rule additions or deletions to the active firewall - while it is running. The problem with using this method is - that all the changes are lost when the system reboots. It is - recommended to instead write all the rules in a file and to - use that file to load the rules at boot time and to replace - the currently running firewall rules whenever that file - changes. - - ipfw is a useful way to display the - running firewall rules to the console screen. 
The - IPFW accounting facility - dynamically creates a counter for each rule that counts each - packet that matches the rule. During the process of testing a - rule, listing the rule with its counter is one way to - determine if the rule is functioning as expected. - - To list all the running rules in sequence: - - &prompt.root; ipfw list - - To list all the running rules with a time stamp of when - the last time the rule was matched: - - &prompt.root; ipfw -t list - - The next example lists accounting information and the - packet count for matched rules along with the rules - themselves. The first column is the rule number, followed by - the number of matched packets and bytes, followed by the rule - itself. - - &prompt.root; ipfw -a list - - To list dynamic rules in addition to static rules: - - &prompt.root; ipfw -d list + An alternate way to load a custom ruleset is to set the + firewall_script variable to the absolute + path of an executable script that includes + IPFW commands. The examples used in this + section assume that the firewall_script + is set to /etc/ipfw.rules: - To also show the expired dynamic rules: + firewall_script="/etc/ipfw.rules" - &prompt.root; ipfw -d -e list + To enable logging, include this line: - To zero the counters: - - &prompt.root; ipfw zero + firewall_logging="YES" - To zero the counters for just the rule with number - NUM: + There is no + /etc/rc.conf variable to set logging + limits. To limit the number of times a rule is logged + per connection attempt, specify the number using this line + in + /etc/sysctl.conf: - &prompt.root; ipfw zero NUM + net.inet.ip.fw.verbose_limit=5 + + After saving the needed edits, start the firewall. To + enable logging limits now, also set the + sysctl value specified above: + + &prompt.root; service ipfw start +&prompt.root; sysctl net.inet.ip.fw.verbose_limit=5 
@@ -1821,16 +1755,16 @@ ipfw add deny out rule processing order - When a packet enters the IPFW firewall, + When a packet enters the IPFW firewall, it is compared against the first rule in the ruleset and progresses one rule at a time, moving from top to bottom of the set in ascending rule number sequence order. When the packet matches the selection parameters of a rule, the rule's - action field value is executed and the search of the ruleset + action is executed and the search of the ruleset terminates for that packet. This is referred to as first match wins. If the packet does not match any of the rules, it gets caught by the mandatory - IPFW default rule, number 65535, + IPFW default rule number 65535, which denies all packets and silently discards them. However, if the packet matches a rule that contains the count, skipto, or @@ -1838,11 +1772,8 @@ ipfw add deny out to &man.ipfw.8; for details on how these keywords affect rule processing. - The examples in this section create an inclusive type - firewall ruleset containing the stateful keep - state, limit, - in, out and - via options. For a complete rule syntax + This section provides an overview of the rule syntax for creating + stateful rules. For a complete rule syntax description, refer to &man.ipfw.8;. @@ -1851,11 +1782,11 @@ ipfw add deny out rule syntax - This section describes the keywords which comprise an - IPFW rule. Keywords must be - written in the following order. # is used + When creating an + IPFW rule, keywords must be + written in the following order. The # symbol is used to mark the start of a comment and may appear at the end of a - rule line or on its own line. Blank lines are ignored. + rule or on its own line. Blank lines are ignored. CMD RULE_NUMBER ACTION LOGGING SELECTION STATEFUL @@ -1915,7 +1846,7 @@ ipfw add deny out - Logging + LOGGING When a packet matches a rule with the log keyword, a message will be logged 
@@ -1942,7 +1873,7 @@ ipfw add deny out - Selection + SELECTION The keywords described in this section are used to describe attributes of the packet to be checked when @@ -2031,7 +1962,7 @@ ipfw add deny out - Stateful Rule Option + STATEFUL The check-state option is used to identify where in the IPFW @@ -2058,6 +1989,63 @@ ipfw add deny out + + + + The <application>IPFW</application> Command + + ipfw + + ipfw can be used to make manual, + single rule additions or deletions to the active firewall + while it is running. The problem with using this method is + that all the changes are lost when the system reboots. It is + recommended to instead write all the rules in a file and to + use that file to load the rules at boot time and to replace + the currently running firewall rules whenever that file + changes. + + ipfw is a useful way to display the + running firewall rules to the console screen. The + IPFW accounting facility + dynamically creates a counter for each rule that counts each + packet that matches the rule. During the process of testing a + rule, listing the rule with its counter is one way to + determine if the rule is functioning as expected. + + To list all the running rules in sequence: + + &prompt.root; ipfw list + + To list all the running rules with a time stamp of when + the last time the rule was matched: + + &prompt.root; ipfw -t list + + The next example lists accounting information and the + packet count for matched rules along with the rules + themselves. The first column is the rule number, followed by + the number of matched packets and bytes, followed by the rule + itself. + + &prompt.root; ipfw -a list + + To list dynamic rules in addition to static rules: + + &prompt.root; ipfw -d list + + To also show the expired dynamic rules: + + &prompt.root; ipfw -d -e list + + To zero the counters: + + &prompt.root; ipfw zero + + To zero the counters for just the rule with number + NUM: + + &prompt.root; ipfw zero NUM Logging Firewall Messages
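Review bot: In the second hunk (@@ -1702,114 +1702,48 @@) the added sentence "To limit the number of times a rule is logged per connection attempt" misdescribes net.inet.ip.fw.verbose_limit: that sysctl caps the number of log messages each rule emits (it is the default for a rule's logamount), not messages per connection attempt, and the per-rule log counter stays exhausted until it is cleared with `ipfw resetlog`. Suggest "To limit the number of log messages each rule generates, set the limit in /etc/sysctl.conf:". The same hunk drops the sentence explaining that firewall_logging="YES" sets net.inet.ip.fw.verbose to 1, so the reader no longer learns which sysctl the verbose_limit line belongs with; keep one sentence tying the two together. It also removes the paragraph pointing natd gateways to the required /etc/rc.conf options without adding a replacement; if the NAT material is moving elsewhere in the chapter, restore the cross-reference at the new location so gateway configurations are not left undocumented.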
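Review bot: The context lines of the third hunk (@@ -1821,16 +1755,16 @@) state that the default rule 65535 "denies all packets and silently discards them"; that is only true when the kernel was built without `options IPFIREWALL_DEFAULT_TO_ACCEPT`, in which case rule 65535 is instead `allow ip from any to any`. Since the kernel options are shown a few lines above in this chapter, add a clause such as "unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT, in which case the default rule accepts everything" so that a reader testing a ruleset does not assume an implicit deny that their kernel does not provide.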
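Review bot: In the fifth hunk (@@ -1851,11 +1782,11 @@) the keyword order `CMD RULE_NUMBER ACTION LOGGING SELECTION STATEFUL` describes an ipfw command line as typed into the shell script named by firewall_script, and the `#` comment behaviour described there is the shell's, yet the hunk never says so; ipfw's own in-rule comment syntax is `//` at the end of a rule. Suggest stating that these lines are shell script lines, e.g. "Each line of the script is an ipfw command whose keywords must appear in the following order; as in any shell script, # begins a comment".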
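Review bot: In the last hunk (@@ -2058,6 +1989,63 @@) `ipfw zero` and `ipfw zero NUM` clear only the packet and byte counters; the per-rule log counters governed by the verbose_limit setting introduced earlier in this commit are cleared separately with `ipfw resetlog` (optionally followed by a rule number), and a rule that has reached its limit stops logging until that is done, so list resetlog next to zero. Two smaller points in the same hunk: `ipfw show` is the documented shorthand for `ipfw -a list` and is worth naming, and the opening paragraph says the file should "replace the currently running firewall rules whenever that file changes" without naming the command; `service ipfw restart` reloads the ruleset configured in /etc/rc.conf, which is what the paragraph is recommending.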