From: Chris Rees
Date: Tue, 26 Feb 2019 21:17:43 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r52831 - head/en_US.ISO8859-1/books/handbook/firewalls
X-SVN-Group: doc-head
X-SVN-Commit-Author: crees
X-SVN-Commit-Paths: head/en_US.ISO8859-1/books/handbook/firewalls
X-SVN-Commit-Revision: 52831
X-SVN-Commit-Repository: doc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-doc-head@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SVN commit messages for the doc tree for head
X-List-Received-Date: Tue, 26 Feb 2019 21:17:44 -0000

Author: crees
Date: Tue Feb 26 21:17:43 2019
New Revision: 52831

URL: https://svnweb.freebsd.org/changeset/doc/52831

Log:
  Document kernel compile options for ipfw

  Introduce a dedicated interface

  Use sysrc

  Submitted by:	f.toscan@hotmail.it
  Reviewed by:	bcr
  Differential Revision:	https://reviews.freebsd.org/D18484

Modified:
  head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Sun Feb 24 20:31:15 2019	(r52830)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Tue Feb 26 21:17:43 2019	(r52831)
@@ -1329,7 +1329,7 @@ rdr pass on $ext_if inet proto tcp from !<spamd-whi The two tables <spamd> and <spamd-white> are essential. SMTP traffic from an address listed - in <spamd> but not in + in <spamd> but not in <spamd-white> is redirected to the spamd daemon listening at port 8025. @@ -1623,52 +1623,21 @@ block drop out quick on $ext_if from any to $martians< custom kernel is not needed in order to enable IPFW. - - kernel options - - IPFIREWALL - - - - kernel options - - IPFIREWALL_VERBOSE - - - - kernel options - - IPFIREWALL_VERBOSE_LIMIT - - - - IPFW - - kernel options - - For those users who wish to statically compile IPFW support into a custom kernel, - refer to the instructions in . - The following options are available for the - custom kernel configuration file: + see . - options IPFIREWALL # enables IPFW -options IPFIREWALL_VERBOSE # enables logging for rules with log keyword -options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry -options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied -options IPDIVERT # enables NAT - To configure the system to enable - IPFW at boot time, add the - following entry to /etc/rc.conf: + IPFW at boot time, add + firewall_enable="YES" to + /etc/rc.conf: - firewall_enable="YES" + &prompt.root; sysrc firewall_enable="YES" To use one of the default firewall types provided by &os;, add another line which specifies the type: - firewall_type="open" + &prompt.root; sysrc firewall_type="open" The available types are: 
@@ -1720,19 +1689,36 @@ options IPDIVERT # enables NAT firewall_script is set to /etc/ipfw.rules: - firewall_script="/etc/ipfw.rules" + &prompt.root; sysrc firewall_script="/etc/ipfw.rules" - To enable logging, include this line: + To enable logging through &man.syslogd.8;, include this + line: - firewall_logging="YES" + &prompt.root; sysrc firewall_logging="YES" There is no /etc/rc.conf variable to set logging limits. To limit the number of times a rule is logged per connection attempt, specify the number using this line in /etc/sysctl.conf: - net.inet.ip.fw.verbose_limit=5 + &prompt.root; sysrc -f /etc/sysctl.conf net.inet.ip.fw.verbose_limit=5 + To enable logging through a dedicated interface named + ipfw0, add this line to + /etc/rc.conf instead: + + &prompt.root; sysrc firewall_logif="YES" + + Then use tcpdump to see what is + being logged: + + &prompt.root; tcpdump -t -n -i ipfw0 + + + There is no overhead due to logging unless + tcpdump is attached. + + After saving the needed edits, start the firewall. To enable logging limits now, also set the sysctl value specified above: @@ -2257,7 +2243,7 @@ good_tcpo="22,25,37,53,80,443,110" $cmd 130 $skip icmp from any to any out via $pif $ks The inbound rules remain the same, except for the very - last rule which removes the via $pif in + last rule which removes the via $pif in order to catch both inbound and outbound rules. The NAT rule must follow this last outbound rule, must have a higher number than that last rule, and the 
@@ -2609,6 +2595,55 @@ ks="keep-state" # just too lazy to key this eac &prompt.root; ipfw -q add allow tcp from any to 192.0.2.11 53 out via tun0 setup keep-state &prompt.root; ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state + + + + <application>IPFW</application> Kernel Options + + + kernel options + + IPFIREWALL + + + + kernel options + + IPFIREWALL_VERBOSE + + + + kernel options + + IPFIREWALL_VERBOSE_LIMIT + + + + IPFW + + kernel options + + In order to statically compile + IPFW support into a custom kernel, + refer to the instructions in . + The following options are available for the + custom kernel configuration file: + + options IPFIREWALL # enables IPFW +options IPFIREWALL_VERBOSE # enables logging for rules with log keyword to syslogd(8) +options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry +options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied +options IPFIREWALL_NAT # enables in-kernel NAT support +options IPFIREWALL_NAT64 # enables in-kernel NAT64 support +options IPFIREWALL_NPTV6 # enables in-kernel IPv6 NPT support +options IPFIREWALL_PMOD # enables protocols modification module support +options IPDIVERT # enables NAT through natd(8) + + + IPFW can be loaded as + a kernel module: options above are built by default + as modules or can be set at runtime using tunables. +
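Review bot: The hunks at @@ -1329 and @@ -2257 are whitespace-only changes to the spamd and NAT paragraphs, unrelated to the ipfw kernel options, logging interface and sysrc work named in the log; either drop them from this revision or mention the whitespace cleanup in the commit message so the history explains why those lines moved.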
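Review bot: In the hunk at @@ -1623, the prose around the new examples still describes editing a file by hand ("add the following entry", "add another line which specifies the type") while the examples are now `sysrc` commands; reword to "run" and note that `sysrc` edits /etc/rc.conf in place, so the reader does not type `&prompt.root; sysrc firewall_enable="YES"` into rc.conf as a line. Moving the options list and its indexterms out of the introduction is fine, but the one-word replacement "see ." leaves this paragraph saying only that a custom kernel is not needed; a half sentence such as "the kernel options for a custom kernel are listed in" before the cross reference would keep the pointer meaningful.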
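Review bot: In the hunk at @@ -1720, the new ipfw0 paragraph says to add `firewall_logif="YES"` "instead" of `firewall_logging="YES"` but does not say why, and a reader who enables both will see nothing on ipfw0. `firewall_logging="YES"` sets `net.inet.ip.fw.verbose` to 1, which sends log records to syslogd; packets matching `log` rules are only copied to the ipfw0 pseudo interface while `net.inet.ip.fw.verbose` is 0, so the two are mutually exclusive and the text should state that `firewall_logging` must stay off for `tcpdump -t -n -i ipfw0` to show anything. The same hunk still says "add this line to /etc/rc.conf" and "using this line in /etc/sysctl.conf" for what are now `sysrc` and `sysrc -f /etc/sysctl.conf` commands, and the closing sentence "After saving the needed edits, start the firewall" presumes a manual edit that no longer happens; reword both to match the command form.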
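Review bot: In the hunk at @@ -2609, the closing paragraph "options above are built by default as modules or can be set at runtime using tunables" is too vague to act on; say which option maps to what: IPFIREWALL is ipfw.ko, IPFIREWALL_VERBOSE and IPFIREWALL_VERBOSE_LIMIT correspond to the sysctls `net.inet.ip.fw.verbose` and `net.inet.ip.fw.verbose_limit`, IPFIREWALL_DEFAULT_TO_ACCEPT to the loader tunable `net.inet.ip.fw.default_to_accept`, IPFIREWALL_NAT, IPFIREWALL_NAT64, IPFIREWALL_NPTV6 and IPFIREWALL_PMOD to the ipfw_nat.ko, ipfw_nat64.ko, ipfw_nptv6.ko and ipfw_pmod.ko modules, and IPDIVERT to ipdivert.ko. The comment on `options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied` should also carry the security caveat in both directions: with it the firewall fails open (the default rule 65535 becomes allow, so an empty or failed ruleset passes everything), and without it loading IPFW on a remote machine before a ruleset is installed blocks all traffic, including the administrator's own session. Minor: "enables protocols modification module support" should read "protocol modification".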