From owner-svn-doc-head@FreeBSD.ORG Wed Feb 19 20:02:33 2014
Return-Path:
Delivered-To: svn-doc-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id ABF5AA07; Wed, 19 Feb 2014 20:02:33 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 928981DE1; Wed, 19 Feb 2014 20:02:33 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s1JK2XeF041059; Wed, 19 Feb 2014 20:02:33 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s1JK2XcX041058; Wed, 19 Feb 2014 20:02:33 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201402192002.s1JK2XcX041058@svn.freebsd.org>
From: Dru Lavigne
Date: Wed, 19 Feb 2014 20:02:33 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r43995 - head/en_US.ISO8859-1/books/handbook/firewalls
X-SVN-Group: doc-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-doc-head@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SVN commit messages for the doc tree for head
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 19 Feb 2014 20:02:33 -0000

Author: dru
Date: Wed Feb 19 20:02:33 2014
New Revision: 43995

URL: http://svnweb.freebsd.org/changeset/doc/43995

Log:
  Initial shuffle to improve the flow of this chapter.

  Much, much more to come.

  Sponsored by:	iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Wed Feb 19 19:21:13 2014	(r43994)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Wed Feb 19 20:02:33 2014	(r43995)
@@ -1499,33 +1499,36 @@ block drop out quick on $ext_if from any - The IPFILTER (IPF) Firewall + IPFILTER (IPF) firewall - IPFILTER + IPFILTER - IPFILTER is a cross-platform, open source firewall which - has been ported to &os;, NetBSD, OpenBSD, &sunos;, HP/UX, and + IPFILTER, also known as + IPF, is a cross-platform, open source firewall which + has been ported to &os;, NetBSD, OpenBSD, and &solaris; operating systems. - IPFILTER is based on a kernel-side firewall and + IPFILTER is a kernel-side firewall and NAT mechanism that can be controlled and - monitored by userland interface programs. The firewall rules - can be set or deleted using &man.ipf.8;. The + monitored by userland programs. Firewall rules + can be set or deleted using ipf, NAT rules can be set or deleted using - &man.ipnat.8;. Run-time statistics for the kernel parts of - IPFILTER can be printed using &man.ipfstat.8;. To log IPFILTER - actions to the system log files, use &man.ipmon.8;. + ipnat, run-time statistics for the kernel parts of + IPFILTER can be printed using + ipfstat, and + ipmon can be used to log IPFILTER + actions to the system log files. - IPF was originally written using a rule processing logic + IPF was originally written using a rule processing logic of the last matching rule wins and only used - stateless rules. Over time, IPF has been enhanced to include a + stateless rules. Over time, IPF has been enhanced to include a quick option and a stateful keep state option which modernized the rules - processing logic. IPF's official documentation covers only the + processing logic. IPF's official documentation covers only the legacy rule coding parameters and rule file processing logic and the modernized functions are only included as additional options. 
@@ -1541,7 +1544,7 @@ block drop out quick on $ext_if from any and http://coombs.anu.edu.au/~avalon/ip-filter.html. - The IPF FAQ is at The IPF FAQ is at http://www.phildev.net/ipf/index.html. A searchable archive of the IPFilter mailing list is 
@@ -1549,500 +1552,91 @@ block drop out quick on $ext_if from any xlink:href="http://marc.theaimsgroup.com/?l=ipfilter">http://marc.theaimsgroup.com/?l=ipfilter. - Enabling IPF + Enabling <application>IPF</application> - IPFILTER + IPFILTER enabling - IPF is included in the basic &os; install as a kernel - loadable module. The system will dynamically load - this module at boot time when - ipfilter_enable="YES" is added to - rc.conf. The module enables logging and - default pass all. To change the - default to block all, add a - block all rule at the end of the - ruleset. - - - - Kernel Options - - - kernel options - - IPFILTER - - - - kernel options - - IPFILTER_LOG - - - - kernel options - - IPFILTER_DEFAULT_BLOCK - - - - IPFILTER - - kernel options - - - For users who prefer to statically compile IPF support - into a custom kernel, the following IPF option statements, - listed in /usr/src/sys/conf/NOTES, are - available: - - options IPFILTER -options IPFILTER_LOG -options IPFILTER_DEFAULT_BLOCK - - options IPFILTER enables support for - the IPFILTER firewall. - - options IPFILTER_LOG enables IPF - logging using the ipl packet logging - pseudo—device for every rule that has the - log keyword. - - options IPFILTER_DEFAULT_BLOCK changes - the default behavior so that any packet not matching a - firewall pass rule gets blocked. - - These settings will take effect only after installing a - kernel that has been built with the above options set. 
- - - - Available <filename>rc.conf</filename> Options - - To activate IPF at boot time, the following statements - need to be added to /etc/rc.conf: - - ipfilter_enable="YES" # Start ipf firewall -ipfilter_rules="/etc/ipf.rules" # loads rules definition text file -ipmon_enable="YES" # Start IP monitor log -ipmon_flags="-Ds" # D = start as daemon - # s = log to syslog - # v = log tcp window, ack, seq - # n = map IP & port to names - - If there is a LAN behind the firewall that uses the - reserved private IP address ranges, the following lines have - to be added to enable NAT - functionality: - - gateway_enable="YES" # Enable as LAN gateway -ipnat_enable="YES" # Start ipnat function -ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat - - - - IPF - - ipf - - To load the ruleset file, use &man.ipf.8;. Custom rules - are normally placed in a file, and the following command can - be used to replace the currently running firewall - rules: - - &prompt.root; ipf -Fa -f /etc/ipf.rules - - flushes all the internal rules - tables. - - specifies the file containing the - rules to load. - - This provides the ability to make changes to a custom - rules file, run the above IPF command, and thus update the - running firewall with a fresh copy of the rules without having - to reboot the system. This method is convenient for testing - new rules as the procedure can be executed as many times as - needed. - - Refer to &man.ipf.8; for details on the other flags - available with this command. - - &man.ipf.8; expects the rules file to be a standard text - file. It will not accept a rules file written as a script - with symbolic substitution. - - There is a way to build IPF rules that utilize the power - of script symbolic substitution. For more information, see - . 
- - - - IPFSTAT - - ipfstat - - - IPFILTER - - statistics - - - The default behavior of &man.ipfstat.8; is to retrieve - and display the totals of the accumulated statistics gathered - by applying the rules against packets going in and out of the - firewall since it was last started, or since the last time the - accumulators were reset to zero using ipf - -Z. - - Refer to &man.ipfstat.8; for details. - - The default &man.ipfstat.8; output will look something - like this: - - input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0 - output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0 - input packets logged: blocked 99286 passed 0 - output packets logged: blocked 0 passed 0 - packets logged: input 0 output 0 - log failures: input 3898 output 0 - fragment state(in): kept 0 lost 0 - fragment state(out): kept 0 lost 0 - packet state(in): kept 169364 lost 0 - packet state(out): kept 431395 lost 0 - ICMP replies: 0 TCP RSTs sent: 0 - Result cache hits(in): 1215208 (out): 1098963 - IN Pullups succeeded: 2 failed: 0 - OUT Pullups succeeded: 0 failed: 0 - Fastroute successes: 0 failures: 0 - TCP cksum fails(in): 0 (out): 0 - Packet log flags set: (0) - - When supplied with either for inbound - or for outbound, the command will retrieve - and display the appropriate list of filter rules currently - installed and in use by the kernel. - - ipfstat -in displays the inbound - internal rules table with rule numbers. - - ipfstat -on displays the outbound - internal rules table with rule numbers. - - The output will look something like this: - - @1 pass out on xl0 from any to any -@2 block out on dc0 from any to any -@3 pass out quick on dc0 proto tcp/udp from any to any keep state - - ipfstat -ih displays the inbound - internal rules table, prefixing each rule with a count of how - many times the rule was matched. - - ipfstat -oh displays the outbound - internal rules table, prefixing each rule with a count of how - many times the rule was matched. 
- - The output will look something like this: - - 2451423 pass out on xl0 from any to any -354727 block out on dc0 from any to any -430918 pass out quick on dc0 proto tcp/udp from any to any keep state - - One of the most important options of - ipfstat is which - displays the state table in a way similar to how &man.top.1; - shows the &os; running process table. When a firewall is - under attack, this function provides the ability to identify - and see the attacking packets. The optional sub-flags give - the ability to select the destination or source IP, port, or - protocol to be monitored in real time. Refer to - &man.ipfstat.8; for details. - - - - IPMON - - ipmon - - - IPFILTER - - logging - - - In order for ipmon to work properly, - the kernel option IPFILTER_LOG must be - turned on. This command has two different modes. Native mode - is the default mode when the command is used without - . - - Daemon mode provides a continuous system log file so that - logging of past events may be reviewed. &os; has a built in - facility to automatically rotate system logs. This is why - outputting the log information to &man.syslogd.8; is better - than the default of outputting to a regular file. The default - rc.conf - ipmon_flags statement uses - : - - ipmon_flags="-Ds" # D = start as daemon - # s = log to syslog - # v = log tcp window, ack, seq - # n = map IP & port to names - - Logging provides the ability to review, after the fact, - information such as which packets were dropped, what addresses - they came from and where they were going. These can all - provide a significant edge in tracking down attackers. - - Even with the logging facility enabled, IPF will not - generate any rule logging by default. The firewall - administrator decides which rules in the ruleset should be - logged and adds the log keyword to those rules. Normally, - only deny rules are logged. 
- - It is customary to include a default deny - everything rule with the log keyword included as the - last rule in the ruleset. This makes it possible to see all - the packets that did not match any of the rules in the - ruleset. - - - - IPMON Logging - - &man.syslogd.8; uses its own method for segregation of log - data. It uses groupings called facility and - level. By default, IPMON in - mode uses local0 as - the facility name. The following levels can be - used to further segregate the logged data: - - LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block. -LOG_NOTICE - packets logged which are also passed -LOG_WARNING - packets logged which are also blocked -LOG_ERR - packets which have been logged and which can be considered short - - - - In order to setup IPFILTER to log all data to - /var/log/ipfilter.log, first - create the empty file: - - &prompt.root; touch /var/log/ipfilter.log - - &man.syslogd.8; is controlled by definition statements in - /etc/syslog.conf. This file offers - considerable flexibility in how - syslog will deal with system - messages issued by software applications like IPF. - - To write all logged messages to the specified file, - add the following statement to - /etc/syslog.conf: - - local0.* /var/log/ipfilter.log - - To activate the changes and instruct &man.syslogd.8; - to read the modified /etc/syslog.conf, - run service syslogd reload. - - Do not forget to change - /etc/newsyslog.conf to rotate the new - log file. - - - - The Format of Logged Messages - - Messages generated by ipmon consist - of data fields separated by white space. Fields common to - all messages are: - - - - The date of packet receipt. - - - - The time of packet receipt. This is in the form - HH:MM:SS.F, for hours, minutes, seconds, and fractions - of a second. - - - - The name of the interface that processed the - packet. - - - - The group and rule number of the rule in the format - @0:17. 
- - - - These can be viewed with - ipfstat -in. - - - - The action: p for passed, - b for blocked, S for - a short packet, n did not match any - rules, and L for a log rule. The order - of precedence in showing flags is: S, - p, b, - n, L. A capital - P or B means that - the packet has been logged due to a global logging - setting, not a particular rule. - - - - The addresses written as three fields: the source - address and port separated by a comma, the -> symbol, - and the destination address and port. For example: - 209.53.17.22,80 -> - 198.73.220.17,1722. - - - - PR followed by the protocol name - or number: for example, PR tcp. - - - - len followed by the header length - and total length of the packet: for example, - len 20 40. - - - - If the packet is a TCP packet, there - will be an additional field starting with a hyphen followed by - letters corresponding to any flags that were set. Refer to - &man.ipf.5; for a list of letters and their flags. - - If the packet is an ICMP packet, there will be two fields - at the end: the first always being ICMP and - the next being the ICMP message and sub-message type, - separated by a slash. For example: ICMP 3/3 for a port - unreachable message. - - - - Building the Rule Script with Symbolic - Substitution - - Some experienced IPF users create a file containing the - rules and code them in a manner compatible with running them - as a script with symbolic substitution. The major benefit - of doing this is that only the value associated with the - symbolic name needs to be changed, and when the script is - run all the rules containing the symbolic name will have the - value substituted in the rules. Being a script, symbolic - substitution can be used to code frequently used values and - substitute them in multiple rules. This can be seen in the - following example. - - The script syntax used here is compatible with the - &man.sh.1;, &man.csh.1;, and &man.tcsh.1; shells. 
- - Symbolic substitution fields are prefixed with a - $. - - Symbolic fields do not have the $ prefix. - - The value to populate the symbolic field must be enclosed - between double quotes ("). + is included in the basic &os; install as a kernel + loadable module, meaning that a custom kernel is not needed in + order to enable IPF. - Start the rule file with something like this: + + kernel options - ############# Start of IPF rules script ######################## + IPFILTER + -oif="dc0" # name of the outbound interface -odns="192.0.2.11" # ISP's DNS server IP address -myip="192.0.2.7" # my static IP address from ISP -ks="keep state" -fks="flags S keep state" + + kernel options -# You can choose between building /etc/ipf.rules file -# from this script or running this script "as is". -# -# Uncomment only one line and comment out another. -# -# 1) This can be used for building /etc/ipf.rules: -#cat > /etc/ipf.rules << EOF -# -# 2) This can be used to run script "as is": -/sbin/ipf -Fa -f - << EOF + IPFILTER_LOG + -# Allow out access to my ISP's Domain name server. -pass out quick on $oif proto tcp from any to $odns port = 53 $fks -pass out quick on $oif proto udp from any to $odns port = 53 $ks + + kernel options -# Allow out non-secure standard www function -pass out quick on $oif proto tcp from $myip to any port = 80 $fks + IPFILTER_DEFAULT_BLOCK + -# Allow out secure www function https over TLS SSL -pass out quick on $oif proto tcp from $myip to any port = 443 $fks -EOF -################## End of IPF rules script ######################## + + IPFILTER - The rules are not important in this example as it instead - focuses on how the symbolic substitution fields are populated. - If this example was in a file named - /etc/ipf.rules.script, these rules could - be reloaded by running: + kernel options + - &prompt.root; sh /etc/ipf.rules.script + For users who prefer to statically compile IPF support + into a custom kernel, refer to the instructions in . 
The following IPF option statements are + available: - There is one problem with using a rules file with embedded - symbolics: IPF does not understand symbolic substitution, and - cannot read such scripts directly. + options IPFILTER +options IPFILTER_LOG +options IPFILTER_DEFAULT_BLOCK - This script can be used in one of two ways: + where options IPFILTER enables support for + IPFILTER. - - - Uncomment the line that begins with - cat, and comment out the line that - begins with /sbin/ipf. Place - ipfilter_enable="YES" into - /etc/rc.conf, and run the script - once after each modification to create or update - /etc/ipf.rules. - + options IPFILTER_LOG enables IPF + logging using the ipl packet logging + pseudo—device for every rule that has the + log keyword. - - Disable IPFILTER in the system startup scripts by - adding ipfilter_enable="NO"to - /etc/rc.conf. + options IPFILTER_DEFAULT_BLOCK changes + the default behavior so that any packet not matching a + firewall pass rule gets blocked. - Then, add a script like the following to - /usr/local/etc/rc.d/. The script - should have an obvious name like - ipf.loadrules.sh, where the - .sh extension is mandatory. + To configure the system to enable IPF + at boot time, add + the following entries to + /etc/rc.conf. These entries will also enable logging and + default pass all. To change the + default to block all, add a + block all rule at the end of the + ruleset. 
- #!/bin/sh -sh /etc/ipf.rules.script + ipfilter_enable="YES" # Start ipf firewall +ipfilter_rules="/etc/ipf.rules" # loads rules definition text file +ipmon_enable="YES" # Start IP monitor log +ipmon_flags="-Ds" # D = start as daemon + # s = log to syslog + # v = log tcp window, ack, seq + # n = map IP & port to names - The permissions on this script file must be read, - write, execute for owner - root: + If NAT + functionality is needed, also add these lines: - &prompt.root; chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh - - + gateway_enable="YES" # Enable as LAN gateway +ipnat_enable="YES" # Start ipnat function +ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat - Now, when the system boots, the IPF rules will be - loaded. + To start IPF now: + + &prompt.root; service ipfilter start + @@ -2063,7 +1657,7 @@ sh /etc/ipf.rules.script - IPFILTER + IPFILTER rule processing order 
@@ -2076,13 +1670,44 @@ sh /etc/ipf.rules.scriptssh. + + To load the ruleset file, use &man.ipf.8;. Custom rules + are normally placed in a file, and the following command can + be used to replace the currently running firewall + rules: + + &prompt.root; ipf -Fa -f /etc/ipf.rules + + flushes all the internal rules + tables. + + specifies the file containing the + rules to load. + + This provides the ability to make changes to a custom + rules file, run the above IPF command, and thus update the + running firewall with a fresh copy of the rules without having + to reboot the system. This method is convenient for testing + new rules as the procedure can be executed as many times as + needed. + + Refer to &man.ipf.8; for details on the other flags + available with this command. + + &man.ipf.8; expects the rules file to be a standard text + file. It will not accept a rules file written as a script + with symbolic substitution. + + There is a way to build IPF rules that utilize the power + of script symbolic substitution. For more information, see + . Rule Syntax - IPFILTER + IPFILTER rule syntax @@ -2323,7 +1948,7 @@ sh /etc/ipf.rules.scriptStateful Filtering - IPFILTER + IPFILTER stateful filtering 
@@ -2646,6 +2271,116 @@ block in log first quick on dc0 all ################### End of rules file ##################################### + + Building the Rule Script with Symbolic + Substitution + + Some experienced IPF users create a file containing the + rules and code them in a manner compatible with running them + as a script with symbolic substitution. The major benefit + of doing this is that only the value associated with the + symbolic name needs to be changed, and when the script is + run all the rules containing the symbolic name will have the + value substituted in the rules. Being a script, symbolic + substitution can be used to code frequently used values and + substitute them in multiple rules. This can be seen in the + following example. + + The script syntax used here is compatible with the + &man.sh.1;, &man.csh.1;, and &man.tcsh.1; shells. + + Symbolic substitution fields are prefixed with a + $. + + Symbolic fields do not have the $ prefix. + + The value to populate the symbolic field must be enclosed + between double quotes ("). + + Start the rule file with something like this: + + ############# Start of IPF rules script ######################## + +oif="dc0" # name of the outbound interface +odns="192.0.2.11" # ISP's DNS server IP address +myip="192.0.2.7" # my static IP address from ISP +ks="keep state" +fks="flags S keep state" + +# You can choose between building /etc/ipf.rules file +# from this script or running this script "as is". +# +# Uncomment only one line and comment out another. +# +# 1) This can be used for building /etc/ipf.rules: +#cat > /etc/ipf.rules << EOF +# +# 2) This can be used to run script "as is": +/sbin/ipf -Fa -f - << EOF + +# Allow out access to my ISP's Domain name server. 
+pass out quick on $oif proto tcp from any to $odns port = 53 $fks +pass out quick on $oif proto udp from any to $odns port = 53 $ks + +# Allow out non-secure standard www function +pass out quick on $oif proto tcp from $myip to any port = 80 $fks + +# Allow out secure www function https over TLS SSL +pass out quick on $oif proto tcp from $myip to any port = 443 $fks +EOF +################## End of IPF rules script ######################## + + The rules are not important in this example as it instead + focuses on how the symbolic substitution fields are populated. + If this example was in a file named + /etc/ipf.rules.script, these rules could + be reloaded by running: + + &prompt.root; sh /etc/ipf.rules.script + + There is one problem with using a rules file with embedded + symbolics: IPF does not understand symbolic substitution, and + cannot read such scripts directly. + + This script can be used in one of two ways: + + + + Uncomment the line that begins with + cat, and comment out the line that + begins with /sbin/ipf. Place + ipfilter_enable="YES" into + /etc/rc.conf, and run the script + once after each modification to create or update + /etc/ipf.rules. + + + + Disable IPFILTER in the system startup scripts by + adding ipfilter_enable="NO"to + /etc/rc.conf. + + Then, add a script like the following to + /usr/local/etc/rc.d/. The script + should have an obvious name like + ipf.loadrules.sh, where the + .sh extension is mandatory. + + #!/bin/sh +sh /etc/ipf.rules.script + + The permissions on this script file must be read, + write, execute for owner + root: + + &prompt.root; chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh + + + + Now, when the system boots, the IPF rules will be + loaded. + + <acronym>NAT</acronym> @@ -2706,7 +2441,7 @@ block in log first quick on dc0 all NAT - and IPFILTER + and IPFILTER ipnat 
@@ -2980,6 +2715,260 @@ pass out quick on rl0 proto tcp from any pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state + + + IPFSTAT + + ipfstat + + + IPFILTER + + statistics + + + The default behavior of &man.ipfstat.8; is to retrieve + and display the totals of the accumulated statistics gathered + by applying the rules against packets going in and out of the + firewall since it was last started, or since the last time the + accumulators were reset to zero using ipf + -Z. + + Refer to &man.ipfstat.8; for details. + + The default &man.ipfstat.8; output will look something + like this: + + input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0 + output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0 + input packets logged: blocked 99286 passed 0 + output packets logged: blocked 0 passed 0 + packets logged: input 0 output 0 + log failures: input 3898 output 0 + fragment state(in): kept 0 lost 0 + fragment state(out): kept 0 lost 0 + packet state(in): kept 169364 lost 0 + packet state(out): kept 431395 lost 0 + ICMP replies: 0 TCP RSTs sent: 0 + Result cache hits(in): 1215208 (out): 1098963 + IN Pullups succeeded: 2 failed: 0 + OUT Pullups succeeded: 0 failed: 0 + Fastroute successes: 0 failures: 0 + TCP cksum fails(in): 0 (out): 0 + Packet log flags set: (0) + + When supplied with either for inbound + or for outbound, the command will retrieve + and display the appropriate list of filter rules currently + installed and in use by the kernel. + + ipfstat -in displays the inbound + internal rules table with rule numbers. + + ipfstat -on displays the outbound + internal rules table with rule numbers. + + The output will look something like this: + + @1 pass out on xl0 from any to any +@2 block out on dc0 from any to any +@3 pass out quick on dc0 proto tcp/udp from any to any keep state + + ipfstat -ih displays the inbound + internal rules table, prefixing each rule with a count of how + many times the rule was matched. 
+ + ipfstat -oh displays the outbound + internal rules table, prefixing each rule with a count of how + many times the rule was matched. + + The output will look something like this: + + 2451423 pass out on xl0 from any to any +354727 block out on dc0 from any to any +430918 pass out quick on dc0 proto tcp/udp from any to any keep state + + One of the most important options of + ipfstat is which + displays the state table in a way similar to how &man.top.1; + shows the &os; running process table. When a firewall is + under attack, this function provides the ability to identify + and see the attacking packets. The optional sub-flags give + the ability to select the destination or source IP, port, or + protocol to be monitored in real time. Refer to + &man.ipfstat.8; for details. + + + + IPMON + + ipmon + + + IPFILTER + + logging + + + In order for ipmon to work properly, + the kernel option IPFILTER_LOG must be + turned on. This command has two different modes. Native mode + is the default mode when the command is used without + . + + Daemon mode provides a continuous system log file so that + logging of past events may be reviewed. &os; has a built in + facility to automatically rotate system logs. This is why + outputting the log information to &man.syslogd.8; is better + than the default of outputting to a regular file. The default + rc.conf + ipmon_flags statement uses + : + + ipmon_flags="-Ds" # D = start as daemon + # s = log to syslog + # v = log tcp window, ack, seq + # n = map IP & port to names + + Logging provides the ability to review, after the fact, + information such as which packets were dropped, what addresses + they came from and where they were going. These can all + provide a significant edge in tracking down attackers. + + Even with the logging facility enabled, IPF will not + generate any rule logging by default. The firewall + administrator decides which rules in the ruleset should be + logged and adds the log keyword to those rules. 
Normally, + only deny rules are logged. + + It is customary to include a default deny + everything rule with the log keyword included as the + last rule in the ruleset. This makes it possible to see all + the packets that did not match any of the rules in the + ruleset. + + + + IPMON Logging + + &man.syslogd.8; uses its own method for segregation of log + data. It uses groupings called facility and + level. By default, IPMON in + mode uses local0 as + the facility name. The following levels can be + used to further segregate the logged data: + + LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block. +LOG_NOTICE - packets logged which are also passed +LOG_WARNING - packets logged which are also blocked +LOG_ERR - packets which have been logged and which can be considered short + + + + In order to setup IPFILTER to log all data to + /var/log/ipfilter.log, first + create the empty file: + + &prompt.root; touch /var/log/ipfilter.log + + &man.syslogd.8; is controlled by definition statements in + /etc/syslog.conf. This file offers + considerable flexibility in how + syslog will deal with system + messages issued by software applications like IPF. + + To write all logged messages to the specified file, + add the following statement to + /etc/syslog.conf: + + local0.* /var/log/ipfilter.log + + To activate the changes and instruct &man.syslogd.8; + to read the modified /etc/syslog.conf, + run service syslogd reload. + + Do not forget to change + /etc/newsyslog.conf to rotate the new + log file. + + + + The Format of Logged Messages + + Messages generated by ipmon consist + of data fields separated by white space. Fields common to + all messages are: *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
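Review bot: in the @@ -1499,33 +1499,36 @@ hunk the four tool descriptions have been merged into one comma-spliced sentence ("Firewall rules can be set or deleted using ipf, NAT rules can be set or deleted using ipnat, run-time statistics ... can be printed using ipfstat, and ipmon can be used to log ..."); keep them as separate sentences, or make the clauses parallel ("ipnat sets or deletes NAT rules, ipfstat prints run-time statistics, and ipmon logs IPFILTER actions"). The same hunk replaces the &man.ipf.8;, &man.ipnat.8;, &man.ipfstat.8; and &man.ipmon.8; entities with bare command names, which drops the manual section numbers and the links those entities render as, while the text moved later in this commit still uses &man.ipf.8;, so the chapter now mixes both conventions. Suggest keeping the entity on the first mention of each command.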
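Review bot: the rewritten kernel-options text in the @@ -1549,500 +1552,91 @@ hunk still reads "pseudo—device" with an em dash; it should be the hyphenated "pseudo-device". The old sentence "These settings will take effect only after installing a kernel that has been built with the above options set" was dropped and nothing in the new paragraph says so; unless the chapter the xref points at makes that point, keep the sentence after the options list. The new rc.conf paragraph also says "These entries will also enable logging and default pass all", which attributes the pass-all default to the rc.conf entries; the removed text attributed it to the module, and the IPFILTER_DEFAULT_BLOCK description in the same hunk shows it is a kernel-level default, so "IPF passes all traffic by default; to change the default to block all, ..." would be the accurate wording, with ipmon_enable being what turns on logging.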
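Review bot: the paragraphs moved into the @@ -2076,13 +1670,44 @@ hunk document "ipf -Fa -f /etc/ipf.rules" as the way to replace the running rules, and the hunk itself explains that -Fa "flushes all the internal rules tables" before the file is loaded; since the module defaults to pass all, the interval between the flush and the load runs with no rules, and the text presents the procedure as safe to repeat "as many times as needed" without saying so. Worth one sentence on that window, or a mention that ipf(8) can load into the inactive rule set with -I and swap it in with -s. Structurally, the moved text lands directly after the sentence ending in "ssh." and before the Rule Syntax section with no heading of its own, so the rule-processing-order discussion now ends with instructions on loading a file; give it a title of its own or keep it with the rc.conf material it was taken from. Minor: "There is a way to build IPF rules that utilize the power of script symbolic substitution" would read better as "Rules can also be generated by a shell script using variable substitution".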
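Review bot: in the @@ -2646,6 +2271,116 @@ hunk the second option tells the reader to set ipfilter_enable="NO" and load the rules from a two-line /usr/local/etc/rc.d/ipf.loadrules.sh; the sample script carries no rc.d ordering information, so nothing in the text guarantees it runs before network services start, and no ruleset is loaded until it does. The first option (uncomment the cat line to generate /etc/ipf.rules and keep ipfilter_enable="YES") has no such gap and should be presented as the preferred one, with that caveat stated against the second. Two smaller fixes in the same moved text: "ipfilter_enable="NO"to" needs a space before "to", and the pair "Symbolic substitution fields are prefixed with a $. Symbolic fields do not have the $ prefix." is confusing as written; say instead that a variable is defined without the $ (oif="dc0") and referenced with it ($oif).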
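Review bot: the @@ -2980,6 +2715,260 @@ hunk re-adds the four-line ipmon_flags="-Ds" block verbatim, so after this commit it appears twice in the chapter, once in the Enabling section and once under IPMON; keep the full block in one place and have the other refer to it, or trim the IPMON copy to the single ipmon_flags line. Two points in the IPMON Logging text: the suggested "local0.* /var/log/ipfilter.log" line selects every local0 message from any program, not only ipmon's, which is worth saying where the file is introduced; and the log file created with touch gets the shell's default permissions, so a reader who wants the packet log readable only by root needs an explicit chmod, which the text does not give. Also "In order to setup IPFILTER" should be "set up".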