From owner-svn-doc-head@FreeBSD.ORG Wed Feb 19 20:38:59 2014
Return-Path:
Delivered-To: svn-doc-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 1393282A; Wed, 19 Feb 2014 20:38:59 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id F27A611C0; Wed, 19 Feb 2014 20:38:58 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s1JKcwYW054039; Wed, 19 Feb 2014 20:38:58 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s1JKcw1J054038; Wed, 19 Feb 2014 20:38:58 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201402192038.s1JKcw1J054038@svn.freebsd.org>
From: Dru Lavigne Date: Wed, 19 Feb 2014 20:38:58 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r43996 - head/en_US.ISO8859-1/books/handbook/firewalls X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-head@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the doc tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Feb 2014 20:38:59 -0000 Author: dru Date: Wed Feb 19 20:38:58 2014 New Revision: 43996 URL: http://svnweb.freebsd.org/changeset/doc/43996 Log: More shuffling to improve flow. To be followed by a bunch of commits which look at the actual tech content. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 19 20:02:33 2014 (r43995) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 19 20:38:58 2014 (r43996) @@ -1701,10 +1701,6 @@ ipnat_rules="/etc/ipnat.rules" # rule There is a way to build IPF rules that utilize the power of script symbolic substitution. For more information, see . - - - - Rule Syntax IPFILTER 
@@ -1735,35 +1731,12 @@ ipnat_rules="/etc/ipnat.rules" # rule PROTO SRC_ADDR,DST_ADDR OBJECT PORT_NUM TCP_FLAG STATEFUL - ACTION = block | pass - - IN-OUT = in | out - - OPTIONS = log | quick | on - interface-name - - SELECTION = proto value | - source/destination IP | port = number | flags - flag-value - - PROTO = tcp/udp | udp | tcp | - icmp - - SRC_ADD,DST_ADDR = all | from - object to object - - OBJECT = IP address | - any - - PORT_NUM = port number - - TCP_FLAG = S - - STATEFUL = keep state - - - ACTION + Each keyword and its options are described below. + + + ACTION + The action keyword indicates what to do with the packet if it matches the rest of the filter rule. Each rule must have an action. The following @@ -1776,11 +1749,12 @@ ipnat_rules="/etc/ipnat.rules" # rule pass indicates that the packet should exit the firewall if the selection parameters match the packet. - - - - IN-OUT + + + + IN-OUT + A mandatory requirement is that each filter rule explicitly state which side of the I/O it is to be used on. The next keyword must be either in @@ -1794,11 +1768,12 @@ ipnat_rules="/etc/ipnat.rules" # rule out means this rule is being applied against an outbound packet destined for the interface facing the public Internet. - - - - OPTIONS + + + + OPTIONS + These options must be used in the order shown here. @@ -1833,11 +1808,12 @@ ipnat_rules="/etc/ipnat.rules" # rule state option, this option is recommended so that only the triggering packet is logged and not every packet which matches the stateful connection. - - - - SELECTION + + + + SELECTION + The keywords described in this section are used to describe attributes of the packet to be checked when determining whether or not rules match. There is a 
@@ -1845,11 +1821,12 @@ ipnat_rules="/etc/ipnat.rules" # rule which has to be selected. The following general-purpose attributes are provided for matching, and must be used in this order: - - - - PROTO + + + + PROTO + proto is the subject keyword which must include one of its corresponding keyword sub-option values. The sub-option indicates a specific protocol to be @@ -1862,11 +1839,12 @@ ipnat_rules="/etc/ipnat.rules" # rule either a TCP or a UDP packet, and has been added as a convenience to save duplication of otherwise identical rules. - - - - SRC_ADDR/DST_ADDR + + + + SRC_ADDR/DST_ADDR + The all keyword is equivalent to from any to any with no other match parameters. @@ -1890,11 +1868,12 @@ ipnat_rules="/etc/ipnat.rules" # rule the calculation. Additional information is available at the utility's web page: http://jodies.de/ipcalc. - - - - PORT + + + + PORT + If a port match is included, for either or both of source and destination, it is only applied to TCP and UDP packets. @@ -1920,11 +1899,12 @@ ipnat_rules="/etc/ipnat.rules" # rule To specify port ranges, place the two port numbers between <> or >< - - - - <acronym>TCP</acronym>_FLAG + + + + TCP_FLAG + Flags are only effective for TCP filtering. The letters represent one of the possible flags that can be matched against the TCP @@ -1933,15 +1913,18 @@ ipnat_rules="/etc/ipnat.rules" # rule The modernized rules processing logic uses the flags S parameter to identify the TCP session start request. - - - - STATEFUL + + + + STATEFUL + keep state indicates that on a pass rule, any packets that match the rules selection parameters should activate the stateful filtering facility. - + + + @@ -2382,7 +2365,7 @@ sh /etc/ipf.rules.script - <acronym>NAT</acronym> + Configuring <acronym>NAT</acronym> NAT 
@@ -2399,8 +2382,7 @@ sh /etc/ipf.rules.script NAT stands for Network - Address Translation. In &linux;, NAT is called - IP Masquerading. The IPF + Address Translation. The IPF NAT function enables the private LAN behind the firewall to share a single ISP-assigned IP address, even if that address is dynamically assigned. NAT allows each @@ -2408,7 +2390,26 @@ sh /etc/ipf.rules.script - NAT will automatically translate the + In IPF, when a packet arrives at the firewall from the LAN + with a public destination, it passes through the outbound + filter rules. NAT gets its turn at the + packet and applies its rules top down, where the first + matching rule wins. NAT tests each of its + rules against the packet's interface name and source IP + address. When a packet's interface name matches a + NAT rule, the packet's source IP address in + the private LAN is checked to see if it falls within the IP + address range specified to the left of the arrow symbol on the + NAT rule. On a match, the packet has its + source IP address rewritten with the public IP address + obtained by the 0/32 keyword. + NAT posts an entry in its internal + NAT table so when the packet returns from + the public Internet it can be mapped back to its original + private IP address and then passed to the filter rules for + processing. + + NAT will automatically translate the private LAN IP address for each system on the LAN to the single public IP address as packets exit the firewall bound for the public Internet. It also performs the reverse 
@@ -2433,18 +2434,25 @@ sh /etc/ipf.rules.script - + ipnat - - IP<acronym>NAT</acronym> + To enable IPNAT, add these statements + to /etc/rc.conf. - - NAT + To enable the machine to route traffic between + interfaces: - and IPFILTER - + gateway_enable="YES" - ipnat + To start IPNAT automatically each + time: + + ipnat_enable="YES" + + To specify where to load the IPNAT + rules from: + + ipnat_rules="/etc/ipnat.rules" NAT rules are loaded using ipnat. Typically, the @@ -2479,10 +2487,6 @@ sh /etc/ipf.rules.script &prompt.root; ipnat -v - - - - IP<acronym>NAT</acronym> Rules NAT rules are flexible and can accomplish many different things to fit the needs of 
@@ -2512,54 +2516,8 @@ sh /etc/ipf.rules.script0/32 which uses the IP address assigned to IF. - - - - How <acronym>NAT</acronym> Works - - In IPF, when a packet arrives at the firewall from the LAN - with a public destination, it passes through the outbound - filter rules. NAT gets its turn at the - packet and applies its rules top down, where the first - matching rule wins. NAT tests each of its - rules against the packet's interface name and source IP - address. When a packet's interface name matches a - NAT rule, the packet's source IP address in - the private LAN is checked to see if it falls within the IP - address range specified to the left of the arrow symbol on the - NAT rule. On a match, the packet has its - source IP address rewritten with the public IP address - obtained by the 0/32 keyword. - NAT posts an entry in its internal - NAT table so when the packet returns from - the public Internet it can be mapped back to its original - private IP address and then passed to the filter rules for - processing. - - - - Enabling IP<acronym>NAT</acronym> - - To enable IPNAT, add these statements - to /etc/rc.conf. - - To enable the machine to route traffic between - interfaces: - - gateway_enable="YES" - To start IPNAT automatically each - time: - - ipnat_enable="YES" - - To specify where to load the IPNAT - rules from: - - ipnat_rules="/etc/ipnat.rules" - - - + <acronym>NAT</acronym> for a Large LAN For networks that have large numbers of systems on the LAN @@ -2567,13 +2525,10 @@ sh /etc/ipf.rules.script - - Assigning Ports to Use - - A normal NAT rule would look like: + The first method is to assign ports to use. A normal NAT rule would look like: map dc0 192.168.1.0/24 -> 0/32 
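Review bot: In the hunk at @@ -1735,35 +1731,12 @@, the removed legend (ACTION = block | pass, IN-OUT = in | out, OPTIONS = log | quick | on interface-name, PROTO = tcp/udp | udp | tcp | icmp, OBJECT = IP address | any, TCP_FLAG = S, STATEFUL = keep state) was the only compact, side-by-side statement of the permitted values for each element of the rule template that still sits above it. The replacement sentence "Each keyword and its options are described below." pushes the reader into the full per-keyword prose to recover, for example, that OBJECT may be "any". Consider keeping a short synopsis, or at least stating in the new sentence that the keywords must appear in the order shown in the template.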
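Review bot: In the hunk at @@ -1920,11 +1899,12 @@, the heading "<acronym>TCP</acronym>_FLAG" becomes plain "TCP_FLAG", dropping the acronym markup, while the other headings touched by this commit keep it ("Configuring <acronym>NAT</acronym>", "<acronym>NAT</acronym> for a Large LAN", "FTP and <acronym>NAT</acronym>"). Keep "<acronym>TCP</acronym>_FLAG" for consistency with the rest of the chapter.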
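Review bot: In the hunk at @@ -2408,7 +2390,26 @@, the moved "how NAT works" paragraph now refers to "the IP address range specified to the left of the arrow symbol on the NAT rule" and "the public IP address obtained by the 0/32 keyword" before any map rule has been shown; the first example, "map dc0 192.168.1.0/24 -> 0/32", and the sentence explaining "0/32 which uses the IP address assigned to IF" only appear later in the rules text. Either place this paragraph after the rule syntax, or open it with a one-line sample map rule so the arrow and 0/32 references have something to point at. The paragraph also lands directly above "NAT will automatically translate the private LAN IP address for each system on the LAN to the single public IP address as packets exit the firewall", which restates the same rewriting; merging the two would avoid saying it twice.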
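Review bot: In the hunk at @@ -2433,18 +2434,25 @@, "To start IPNAT automatically each time:" is missing its object; write "each time the system boots" (or "at boot"). The same hunk also deletes what look like index entries ("IP<acronym>NAT</acronym>", "NAT" with the "and IPFILTER" secondary) and keeps only "ipnat"; if the intent was to move rather than drop them, re-add them next to the new /etc/rc.conf text.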
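Review bot: In the hunk at @@ -2567,13 +2525,10 @@, the new line "The first method is to assign ports to use. A normal NAT rule would look like:" is left as a single overlong line while the surrounding chapter text is wrapped; rewrap it to the file's existing column width before commit.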
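Review bot: In the hunk at @@ -2592,12 +2547,8 @@, the new line "The second method is to use a pool of public addresses. In very large LANs there comes a point where there are" has the same wrapping problem and should be reflowed to match the neighbouring lines.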
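Review bot: In the hunks at @@ -2846,10 +2789,6 @@ and @@ -2890,10 +2829,6 @@, removing the "IPMON Logging" and "The Format of Logged Messages" headings folds the syslog facility/level discussion and the description of the ipmon message fields into the preceding text; these are the two places a reader searching the logging section is most likely to want to jump to, so keeping at least the "The Format of Logged Messages" heading would help navigation even if the surrounding sections are merged.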
@@ -2592,12 +2547,8 @@ sh /etc/ipf.rules.script map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto - - - Using a Pool of Public Addresses - - In very large LANs there comes a point where there are + The second method is to use a pool of public addresses. In very large LANs there comes a point where there are just too many LAN addresses to fit into a single public address. If a block of public IP addresses is available, these addresses can be used as a pool, and @@ -2619,9 +2570,8 @@ sh /etc/ipf.rules.scriptmap dc0 192.168.1.0/24 -> 204.134.75.0/24 - - + Port Redirection A common practice is to have a web server, email server, @@ -2646,9 +2596,9 @@ sh /etc/ipf.rules.script rdr dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 udp - + - + FTP and <acronym>NAT</acronym> FTP has two modes: active mode and passive mode. The @@ -2658,9 +2608,6 @@ sh /etc/ipf.rules.scripthttp://www.slacksite.com/other/ftp.html. - - IP<acronym>NAT</acronym> Rules - IPNAT has a built in FTP proxy option which can be specified on the NAT map rule. It can monitor all outbound packet traffic for FTP @@ -2693,10 +2640,6 @@ sh /etc/ipf.rules.scriptNAT. All LAN packets that are not FTP will not match the FTP rules but will undergo NAT if they match the third rule. - - - - IP<acronym>NAT</acronym> FTP Filter Rules Only one filter rule is needed for FTP if the NAT FTP proxy is used. @@ -2846,10 +2789,6 @@ pass in quick on rl0 proto tcp from any last rule in the ruleset. This makes it possible to see all the packets that did not match any of the rules in the ruleset. - - - - IPMON Logging &man.syslogd.8; uses its own method for segregation of log data. It uses groupings called facility and @@ -2890,10 +2829,6 @@ LOG_ERR - packets which have been logged Do not forget to change /etc/newsyslog.conf to rotate the new log file. - - - - The Format of Logged Messages Messages generated by ipmon consist of data fields separated by white space. Fields common to