Date: Tue, 26 Feb 2019 21:17:43 +0000 (UTC) From: Chris Rees <crees@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r52831 - head/en_US.ISO8859-1/books/handbook/firewalls Message-ID: <201902262117.x1QLHhqM071501@repo.freebsd.org>
Author: crees Date: Tue Feb 26 21:17:43 2019 New Revision: 52831 URL: https://svnweb.freebsd.org/changeset/doc/52831 Log: Document kernel compile options for ipfw Introduce a dedicated interface Use sysrc Submitted by: f.toscan@hotmail.it Reviewed by: bcr Differential Revision: https://reviews.freebsd.org/D18484 Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Sun Feb 24 20:31:15 2019 (r52830) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Tue Feb 26 21:17:43 2019 (r52831) @@ -1329,7 +1329,7 @@ rdr pass on $ext_if inet proto tcp from !<spamd-whi <para>The two tables <literal><spamd></literal> and <literal><spamd-white></literal> are essential. <acronym>SMTP</acronym> traffic from an address listed - in<literal> <spamd></literal> but not in + in <literal><spamd></literal> but not in <literal><spamd-white></literal> is redirected to the <application>spamd</application> daemon listening at port 8025.</para> 
@@ -1623,52 +1623,21 @@ block drop out quick on $ext_if from any to $martians< custom kernel is not needed in order to enable <application>IPFW</application>.</para> - <indexterm> - <primary>kernel options</primary> - - <secondary>IPFIREWALL</secondary> - </indexterm> - - <indexterm> - <primary>kernel options</primary> - - <secondary>IPFIREWALL_VERBOSE</secondary> - </indexterm> - - <indexterm> - <primary>kernel options</primary> - - <secondary>IPFIREWALL_VERBOSE_LIMIT</secondary> - </indexterm> - - <indexterm> - <primary><application>IPFW</application></primary> - - <secondary>kernel options</secondary> - </indexterm> - <para>For those users who wish to statically compile <application>IPFW</application> support into a custom kernel, - refer to the instructions in <xref linkend="kernelconfig"/>. - The following options are available for the - custom kernel configuration file:</para> + see <xref linkend="firewalls-ipfw-kernelconfig"/>.</para> - <programlisting>options IPFIREWALL # enables IPFW -options IPFIREWALL_VERBOSE # enables logging for rules with log keyword -options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry -options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied -options IPDIVERT # enables NAT</programlisting> - <para>To configure the system to enable - <application>IPFW</application> at boot time, add the - following entry to <filename>/etc/rc.conf</filename>:</para> + <application>IPFW</application> at boot time, add + <literal>firewall_enable="YES"</literal> to + <filename>/etc/rc.conf</filename>:</para> - <programlisting>firewall_enable="YES"</programlisting> + <screen>&prompt.root; <userinput>sysrc firewall_enable="YES"</userinput></screen> <para>To use one of the default firewall types provided by &os;, add another line which specifies the type:</para> - <programlisting>firewall_type="open"</programlisting> + <screen>&prompt.root; <userinput>sysrc 
firewall_type="open"</userinput></screen> <para>The available types are:</para> @@ -1720,19 +1689,36 @@ options IPDIVERT # enables NAT</programlisting> <literal>firewall_script</literal> is set to <filename>/etc/ipfw.rules</filename>:</para> - <programlisting>firewall_script="/etc/ipfw.rules"</programlisting> + <screen>&prompt.root; <userinput>sysrc firewall_script="/etc/ipfw.rules"</userinput></screen> - <para>To enable logging, include this line:</para> + <para>To enable logging through &man.syslogd.8;, include this + line:</para> - <programlisting>firewall_logging="YES"</programlisting> + <screen>&prompt.root; <userinput>sysrc firewall_logging="YES"</userinput></screen> <para>There is no <filename>/etc/rc.conf</filename> variable to set logging limits. To limit the number of times a rule is logged per connection attempt, specify the number using this line in <filename>/etc/sysctl.conf</filename>:</para> - <programlisting>net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></programlisting> + <screen>&prompt.root; <userinput>sysrc -f /etc/sysctl.conf net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></userinput></screen> + <para>To enable logging through a dedicated interface named + <literal>ipfw0</literal>, add this line to + <filename>/etc/rc.conf</filename> instead:</para> + + <screen>&prompt.root; <userinput>sysrc firewall_logif="YES"</userinput></screen> + + <para>Then use <application>tcpdump</application> to see what is + being logged:</para> + + <screen>&prompt.root; <userinput>tcpdump -t -n -i ipfw0</userinput></screen> + + <tip> + <para>There is no overhead due to logging unless + <application>tcpdump</application> is attached.</para> + </tip> + <para>After saving the needed edits, start the firewall. To enable logging limits now, also set the <command>sysctl</command> value specified above:</para> 
@@ -2257,7 +2243,7 @@ good_tcpo="22,25,37,53,80,443,110"</programlisting> $cmd 130 $skip icmp from any to any out via $pif $ks</programlisting> <para>The inbound rules remain the same, except for the very - last rule which removes the <literal> via $pif</literal> in + last rule which removes the <literal>via $pif</literal> in order to catch both inbound and outbound rules. The <acronym>NAT</acronym> rule must follow this last outbound rule, must have a higher number than that last rule, and the 
@@ -2609,6 +2595,55 @@ ks="keep-state" # just too lazy to key this eac &prompt.root; <userinput>ipfw -q add allow tcp from any to 192.0.2.11 53 out via tun0 setup keep-state</userinput> &prompt.root; <userinput>ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state</userinput></screen> </sect3> + </sect2> + + <sect2 xml:id="firewalls-ipfw-kernelconfig"> + <title><application>IPFW</application> Kernel Options</title> + + <indexterm> + <primary>kernel options</primary> + + <secondary>IPFIREWALL</secondary> + </indexterm> + + <indexterm> + <primary>kernel options</primary> + + <secondary>IPFIREWALL_VERBOSE</secondary> + </indexterm> + + <indexterm> + <primary>kernel options</primary> + + <secondary>IPFIREWALL_VERBOSE_LIMIT</secondary> + </indexterm> + + <indexterm> + <primary><application>IPFW</application></primary> + + <secondary>kernel options</secondary> + </indexterm> + <para>In order to statically compile + <application>IPFW</application> support into a custom kernel, + refer to the instructions in <xref linkend="kernelconfig"/>. 
+ The following options are available for the + custom kernel configuration file:</para> + + <programlisting>options IPFIREWALL # enables IPFW +options IPFIREWALL_VERBOSE # enables logging for rules with log keyword to syslogd(8) +options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry +options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied +options IPFIREWALL_NAT # enables in-kernel NAT support +options IPFIREWALL_NAT64 # enables in-kernel NAT64 support +options IPFIREWALL_NPTV6 # enables in-kernel IPv6 NPT support +options IPFIREWALL_PMOD # enables protocols modification module support +options IPDIVERT # enables NAT through natd(8)</programlisting> + + <note> + <para><application>IPFW</application> can be loaded as + a kernel module: options above are built by default + as modules or can be set at runtime using tunables.</para> + </note> </sect2> </sect1>
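Review bot: In the hunk at @@ -1720,19 +1689,36 @@, the surrounding prose was not updated to match the switch from a configuration line to a command. The unchanged text still reads "specify the number using this line in /etc/sysctl.conf", but what follows is now `sysrc -f /etc/sysctl.conf net.inet.ip.fw.verbose_limit=5`; the same applies to the new paragraph "add this line to /etc/rc.conf instead" followed by `sysrc firewall_logif="YES"`. Suggest rewording both lead-ins to something like "set the value in /etc/sysctl.conf with:" and "enable it in /etc/rc.conf with:", and making explicit that the ipfw0 interface is an alternative to syslogd logging (the word "instead" carries that meaning now but is easy to miss next to the unchanged "There is no /etc/rc.conf variable to set logging limits" paragraph, which applies only to the syslogd path).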
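Review bot: In the hunk at @@ -2609,6 +2595,55 @@, the closing note is too vague to act on: "options above are built by default as modules or can be set at runtime using tunables" does not say which of the listed entries are modules and which are tunables, and the kernel options themselves are configuration options, not modules. Since the list now distinguishes IPFIREWALL_NAT (in-kernel NAT) from IPDIVERT (NAT through natd(8)), it would help to split the note the same way: say that IPFW and its NAT, NAT64, NPTv6 and protocol-modification features load as separate kernel modules, and that the verbose, verbose-limit and default-to-accept options have runtime equivalents (the page already shows net.inet.ip.fw.verbose_limit for one of them), pointing the reader to ipfw(8) for the exact tunable names rather than leaving "using tunables" unqualified. A minor style point: the indexterm blocks moved here are identical to the ones removed in the earlier hunk, so the move is a pure relocation and the xref target firewalls-ipfw-kernelconfig resolves to this new sect2.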