From owner-svn-doc-head@FreeBSD.ORG Wed Feb 19 21:22:41 2014 Return-Path: Delivered-To: svn-doc-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 04592B18; Wed, 19 Feb 2014 21:22:41 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id E498815FF; Wed, 19 Feb 2014 21:22:40 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s1JLMeWt073430; Wed, 19 Feb 2014 21:22:40 GMT (envelope-from dru@svn.freebsd.org) Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s1JLMeJ5073429; Wed, 19 Feb 2014 21:22:40 GMT (envelope-from dru@svn.freebsd.org) Message-Id: <201402192122.s1JLMeJ5073429@svn.freebsd.org> 
From: Dru Lavigne Date: Wed, 19 Feb 2014 21:22:40 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r43997 - head/en_US.ISO8859-1/books/handbook/firewalls X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-head@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the doc tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Feb 2014 21:22:41 -0000 Author: dru Date: Wed Feb 19 21:22:40 2014 New Revision: 43997 URL: http://svnweb.freebsd.org/changeset/doc/43997 Log: Initial editorial pass through intro of this chapter. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 19 20:38:58 2014 (r43996) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 19 21:22:40 2014 (r43997) @@ -1509,8 +1509,8 @@ block drop out quick on $ext_if from any IPFILTER, also known as IPF, is a cross-platform, open source firewall which - has been ported to &os;, NetBSD, OpenBSD, and - &solaris; operating systems. + has been ported to several operating systems, including &os;, NetBSD, OpenBSD, and + &solaris;. IPFILTER is a kernel-side firewall and NAT mechanism that can be controlled and 
@@ -1525,32 +1525,25 @@ block drop out quick on $ext_if from any IPF was originally written using a rule processing logic of the last matching rule wins and only used - stateless rules. Over time, IPF has been enhanced to include a - quick option and a stateful - keep state option which modernized the rules - processing logic. IPF's official documentation covers only the - legacy rule coding parameters and rule file processing logic and - the modernized functions are only included as additional - options. - - The instructions contained in this section are based on - using rules that contain quick and - keep state as these provide the basic framework - for configuring an inclusive firewall ruleset. + stateless rules. Since then, IPF has been enhanced to include + the quick and + keep state options. For a detailed explanation of the legacy rules processing method, refer to http://www.munk.me.uk/ipf/ipf-howto.html - and http://coombs.anu.edu.au/~avalon/ip-filter.html. The IPF FAQ is at http://www.phildev.net/ipf/index.html. - - A searchable archive of the IPFilter mailing list is + xlink:href="http://www.phildev.net/ipf/index.html">http://www.phildev.net/ipf/index.html. + A searchable archive of the IPFilter mailing list is available at http://marc.theaimsgroup.com/?l=ipfilter. + xlink:href="http://marc.info/?l=ipfilter">http://marc.info/?l=ipfilter. + This section of the Handbook focuses on + IPF as it pertains to FreeBSD. + It provides examples which uses + rules that contain the quick and + keep state options. Enabling <application>IPF</application> @@ -1560,7 +1553,7 @@ block drop out quick on $ext_if from any enabling - is included in the basic &os; install as a kernel + IPF is included in the basic &os; install as a kernel loadable module, meaning that a custom kernel is not needed in order to enable IPF. 
@@ -1590,22 +1583,21 @@ block drop out quick on $ext_if from any For users who prefer to statically compile IPF support into a custom kernel, refer to the instructions in . The following IPF option statements are + linkend="kernelconfig"/>. The following kernel options are available: options IPFILTER options IPFILTER_LOG +options IPFILTER_LOOKUP options IPFILTER_DEFAULT_BLOCK where options IPFILTER enables support for - IPFILTER. - - options IPFILTER_LOG enables IPF + IPFILTER, options IPFILTER_LOG enables IPF logging using the ipl packet logging - pseudo—device for every rule that has the - log keyword. - - options IPFILTER_DEFAULT_BLOCK changes + pseudo device for every rule that has the + log keyword, + IPFILTER_LOOKUP enables IP pools in + order to speed up IP lookups, and options IPFILTER_DEFAULT_BLOCK changes the default behavior so that any packet not matching a firewall pass rule gets blocked. @@ -1614,7 +1606,8 @@ options IPFILTER_DEFAULT_BLOCK/etc/rc.conf. These entries will also enable logging and default pass all. To change the - default to block all, add a + default policy to block all without + compiling a custom kernel, remember to add a block all rule at the end of the ruleset. @@ -1633,7 +1626,7 @@ ipmon_flags="-Ds" # D = ipnat_enable="YES" # Start ipnat function ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat - To start IPF now: + Then, to start IPF now: &prompt.root; service ipfilter start
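Review bot: In the added closing paragraph of the `@@ -1525,32 +1525,25 @@` hunk, "It provides examples which uses rules" has a subject/verb disagreement; "examples which use rules" is correct. The same paragraph spells out "FreeBSD" literally ("IPF as it pertains to FreeBSD") where the first hunk and the surrounding chapter use the &os; entity; suggest `IPF as it pertains to &os;.` for consistency.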
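Review bot: In the `@@ -1590,22 +1583,21 @@` hunk, the added description `IPFILTER_LOOKUP enables IP pools` drops the `options` prefix that the three neighbouring entries keep (`options IPFILTER`, `options IPFILTER_LOG`, `options IPFILTER_DEFAULT_BLOCK`); suggest `options IPFILTER_LOOKUP enables IP pools`. Folding all four descriptions into one sentence joined by commas also produces a long run-on; one entry per option (as the removed text had) reads more clearly.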
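Review bot: In the `@@ -1614,7 +1606,8 @@` hunk, the advice to add a `block all` rule at the end of the ruleset as a substitute for `IPFILTER_DEFAULT_BLOCK` only holds when the preceding pass rules use `quick`: the earlier hunk states that IPF's rule processing is last-matching-rule-wins, so without `quick` a trailing `block all` would be the last match for every packet and would override the pass rules. Since the rc.conf entries described here leave the default at pass all, the sentence should state that dependency, e.g. "remember to add a `block all` rule at the end of the ruleset and use `quick` on the pass rules that precede it."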
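Review bot: In the `@@ -1633,7 +1626,7 @@` hunk, "Then, to start IPF now:" reads awkwardly with both "Then" and "now"; "To start IPF:" or "Then start IPF:" is enough, since the `service ipfilter start` line that follows is the start step.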