Date: Wed, 19 Feb 2014 21:22:40 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r43997 - head/en_US.ISO8859-1/books/handbook/firewalls
Message-ID: <201402192122.s1JLMeJ5073429@svn.freebsd.org>
Author: dru Date: Wed Feb 19 21:22:40 2014 New Revision: 43997 URL: http://svnweb.freebsd.org/changeset/doc/43997 Log: Initial editorial pass through intro of this chapter. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 19 20:38:58 2014 (r43996) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 19 21:22:40 2014 (r43997) @@ -1509,8 +1509,8 @@ block drop out quick on $ext_if from any <para><application>IPFILTER</application>, also known as <application>IPF</application>, is a cross-platform, open source firewall which - has been ported to &os;, NetBSD, OpenBSD, and - &solaris; operating systems.</para> + has been ported to several operating systems, including &os;, NetBSD, OpenBSD, and + &solaris;.</para> <para><application>IPFILTER</application> is a kernel-side firewall and <acronym>NAT</acronym> mechanism that can be controlled and 
@@ -1525,32 +1525,25 @@ block drop out quick on $ext_if from any <para><application>IPF</application> was originally written using a rule processing logic of <quote>the last matching rule wins</quote> and only used - stateless rules. Over time, <application>IPF</application> has been enhanced to include a - <quote>quick</quote> option and a stateful - <quote>keep state</quote> option which modernized the rules - processing logic. <application>IPF</application>'s official documentation covers only the - legacy rule coding parameters and rule file processing logic and - the modernized functions are only included as additional - options.</para> - - <para>The instructions contained in this section are based on - using rules that contain <quote>quick</quote> and - <quote>keep state</quote> as these provide the basic framework - for configuring an inclusive firewall ruleset.</para> + stateless rules. Since then, <application>IPF</application> has been enhanced to include + the <literal>quick</literal> and + <literal>keep state</literal> options.</para> <para>For a detailed explanation of the legacy rules processing method, refer to <uri - xlink:href="http://www.munk.me.uk/ipf/ipf-howto.html">http://www.munk.me.uk/ipf/ipf-howto.html</uri> - and <uri xlink:href="http://coombs.anu.edu.au/~avalon/ip-filter.html">http://coombs.anu.edu.au/~avalon/ip-filter.html</uri>.</para> <para>The <application>IPF</application> FAQ is at <uri - xlink:href="http://www.phildev.net/ipf/index.html">http://www.phildev.net/ipf/index.html</uri>.</para> - - <para>A searchable archive of the IPFilter mailing list is + xlink:href="http://www.phildev.net/ipf/index.html">http://www.phildev.net/ipf/index.html</uri>. 
+ A searchable archive of the IPFilter mailing list is available at <uri - xlink:href="http://marc.theaimsgroup.com/?l=ipfilter">http://marc.theaimsgroup.com/?l=ipfilter</uri>.</para> + xlink:href="http://marc.info/?l=ipfilter">http://marc.info/?l=ipfilter</uri>.</para> + <para>This section of the Handbook focuses on + <application>IPF</application> as it pertains to FreeBSD. + It provides examples which uses + rules that contain the <literal>quick</literal> and + <literal>keep state</literal> options.</para> <sect2> <title>Enabling <application>IPF</application></title> @@ -1560,7 +1553,7 @@ block drop out quick on $ext_if from any <secondary>enabling</secondary> </indexterm> - <para> is included in the basic &os; install as a kernel + <para><application>IPF</application> is included in the basic &os; install as a kernel loadable module, meaning that a custom kernel is not needed in order to enable <application>IPF</application>.</para> 
@@ -1590,22 +1583,21 @@ block drop out quick on $ext_if from any <para>For users who prefer to statically compile <application>IPF</application> support into a custom kernel, refer to the instructions in <xref - linkend="kernelconfig"/>. The following <application>IPF</application> option statements are + linkend="kernelconfig"/>. The following kernel options are available:</para> <programlisting>options IPFILTER options IPFILTER_LOG +options IPFILTER_LOOKUP options IPFILTER_DEFAULT_BLOCK</programlisting> <para>where <literal>options IPFILTER</literal> enables support for - <application>IPFILTER</application>.</para> - - <para><literal>options IPFILTER_LOG</literal> enables IPF + <application>IPFILTER</application>, <literal>options IPFILTER_LOG</literal> enables <application>IPF</application> logging using the <filename>ipl</filename> packet logging - pseudo—device for every rule that has the - <literal>log</literal> keyword.</para> - - <para><literal>options IPFILTER_DEFAULT_BLOCK</literal> changes + pseudo device for every rule that has the + <literal>log</literal> keyword, + <literal>IPFILTER_LOOKUP</literal> enables <acronym>IP</acronym> pools in + order to speed up <acronym>IP</acronym> lookups, and <literal>options IPFILTER_DEFAULT_BLOCK</literal> changes the default behavior so that any packet not matching a firewall <literal>pass</literal> rule gets blocked.</para> @@ -1614,7 +1606,8 @@ options IPFILTER_DEFAULT_BLOCK</programl the following entries to <filename>/etc/rc.conf</filename>. These entries will also enable logging and <literal>default pass all</literal>. To change the - default to <literal>block all</literal>, add a + default policy to <literal>block all</literal> without + compiling a custom kernel, remember to add a <literal>block all</literal> rule at the end of the ruleset.</para> 
@@ -1633,7 +1626,7 @@ ipmon_flags="-Ds" # D = ipnat_enable="YES" # Start ipnat function ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlisting> - <para>To start <application>IPF</application> now:</para> + <para>Then, to start <application>IPF</application> now:</para> <programlisting>&prompt.root; <command>service ipfilter start</command></programlisting>
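Review bot: In the @@ -1509 hunk the rewrapped first line ("has been ported to several operating systems, including &os;, NetBSD, OpenBSD, and") runs well past the wrap width used elsewhere in this file while the following line holds only "&solaris;.</para>"; rewrap the two lines so the paragraph stays within the chapter's usual column width.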
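Review bot: In the @@ -1525 hunk the added paragraph has a subject-verb agreement error, "It provides examples which uses rules", which should read "It provides examples which use rules"; in the same paragraph "as it pertains to FreeBSD" should use the "&os;" entity, as the rest of this hunk and the chapter already do.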
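Review bot: In the @@ -1590 hunk the new description "<literal>IPFILTER_LOOKUP</literal> enables <acronym>IP</acronym> pools" drops the "options " prefix that the three neighbouring descriptions ("<literal>options IPFILTER</literal>", "<literal>options IPFILTER_LOG</literal>", "<literal>options IPFILTER_DEFAULT_BLOCK</literal>") carry; use "<literal>options IPFILTER_LOOKUP</literal>" for consistency with the programlisting above it. Folding all four option descriptions into one "where ..., ..., ..., and ..." sentence also makes it hard to follow; a short sentence per option, or a variablelist, would read better.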
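Review bot: In the @@ -1614 hunk the advice "remember to add a <literal>block all</literal> rule at the end of the ruleset" only reproduces the behaviour of IPFILTER_DEFAULT_BLOCK when the preceding pass rules carry the quick keyword: under the last-matching-rule-wins processing described earlier in this chapter, a trailing block all rule would otherwise override every earlier pass rule and block all traffic. Since the new text in the @@ -1525 hunk says the examples use quick and keep state, state that dependence here, for example "because the examples in this section use <literal>quick</literal>, add a <literal>block all</literal> rule at the end of the ruleset".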
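Review bot: In the @@ -1633 hunk "Then, to start <application>IPF</application> now:" combines "Then" and "now" in one clause and reads awkwardly; "Then, start <application>IPF</application>:" or simply "To start <application>IPF</application>:" says the same thing.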