From owner-svn-doc-all@FreeBSD.ORG Fri Feb 21 17:50:52 2014
Return-Path:
Delivered-To: svn-doc-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 7F88072D; Fri, 21 Feb 2014 17:50:52 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 5B0D719CC; Fri, 21 Feb 2014 17:50:52 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s1LHoqox080254; Fri, 21 Feb 2014 17:50:52 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s1LHoq99080229; Fri, 21 Feb 2014 17:50:52 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201402211750.s1LHoq99080229@svn.freebsd.org>
From: Dru Lavigne
Date: Fri, 21 Feb 2014 17:50:52 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44017 - head/en_US.ISO8859-1/books/handbook/firewalls
X-SVN-Group: doc-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-doc-all@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 21 Feb 2014 17:50:52 -0000

Author: dru
Date: Fri Feb 21 17:50:51 2014
New Revision: 44017
URL: http://svnweb.freebsd.org/changeset/doc/44017

Log:
  Prep work for edits on IPF rulesets.

  Move paragraphs that apply to all firewalls to Firewall Concepts section. That section will be reviewed last, to make sure it includes the concepts covered in all the firewalls.

  Move how to load ruleset to previous section to match layout of PF firewall section.

  Next up, review ruleset syntax.

  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Fri Feb 21 17:19:20 2014	(r44016)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Fri Feb 21 17:50:51 2014	(r44017)
@@ -156,6 +156,20 @@ rulesets + A ruleset contains a group of rules which pass or + block packets based on the values contained in the packet. + The bi-directional exchange of packets between hosts comprises + a session conversation. The firewall ruleset processes both + the packets arriving from the public Internet, as well as the + packets produced by the system as a response to them. Each + TCP/IP service is predefined by its + protocol and listening port. Packets destined for a specific + service originate from the source address using an + unprivileged port and target the specific service port on the + destination address. All the above parameters can be used as + selection criteria to create rules which will pass or block + services. + A firewall ruleset can be either exclusive or inclusive. An exclusive firewall allows all traffic through except for the @@ -187,6 +201,15 @@ to Denial of Service (DoS) attacks if a lot of new connections are opened very fast. Most firewalls use a combination of stateful and non-stateful behavior. + + + When working with the firewall rules, be very + careful. Some configurations can + lock the administrator out of the server. To be + on the safe side, consider performing the initial firewall + configuration from the local console rather than doing it + remotely over ssh. + 
@@ -1635,55 +1658,20 @@ ipnat_rules="/etc/ipnat.rules" # rule Then, to start IPF now: &prompt.root; service ipfilter start - - - IPF Rulesets - - A ruleset contains a group of IPF rules which pass or - block packets based on the values contained in the packet. - The bi-directional exchange of packets between hosts comprises - a session conversation. The firewall ruleset processes both - the packets arriving from the public Internet, as well as the - packets produced by the system as a response to them. Each - TCP/IP service is predefined by its - protocol and listening port. Packets destined for a specific - service originate from the source address using an - unprivileged port and target the specific service port on the - destination address. All the above parameters can be used as - selection criteria to create rules which will pass or block - services. - - - IPFILTER - - rule processing order - - - - When working with the firewall rules, be very - careful. Some configurations can - lock the administrator out of the server. To be - on the safe side, consider performing the initial firewall - configuration from the local console rather than doing it - remotely over ssh. - - - To load the ruleset file, use &man.ipf.8;. Custom rules - are normally placed in a file, and the following command can + To load the ruleset file, specify the name of the file using ipf. + The following command can be used to replace the currently running firewall rules: &prompt.root; ipf -Fa -f /etc/ipf.rules - flushes all the internal rules - tables. - - specifies the file containing the + where flushes all the internal rules + tables and specifies the file containing the rules to load. This provides the ability to make changes to a custom - rules file, run the above IPF command, and thus update the + ruleset and update the running firewall with a fresh copy of the rules without having to reboot the system. 
This method is convenient for testing new rules as the procedure can be executed as many times as @@ -1691,14 +1679,10 @@ ipnat_rules="/etc/ipnat.rules" # rule Refer to &man.ipf.8; for details on the other flags available with this command. + - &man.ipf.8; expects the rules file to be a standard text - file. It will not accept a rules file written as a script - with symbolic substitution. - - There is a way to build IPF rules that utilize the power - of script symbolic substitution. For more information, see - . + + IPF Rulesets IPFILTER @@ -1706,21 +1690,19 @@ ipnat_rules="/etc/ipnat.rules" # rule rule syntax - The rule syntax presented here has been simplified to - only address the modern stateful rule context and first - matching rule wins logic. For the complete legacy - rule syntax, refer to &man.ipf.8;. - - A # character is used to mark the - start of a comment and may appear at the end of a rule line - or on its own line. Blank lines are ignored. - - Rules contain keywords which must be written in a specific - order from left to right on the line. Keywords are identified - in bold type. Some keywords have sub-options which may be - keywords themselves and also include more sub-options. Each - of the headings in the below syntax has a bold section header - which expands on the content. + This section describes the IPF rule syntax + used to create stateful rules where the first + matching rule wins. Refer to &man.ipf.8; for more details, including the legacy + rule syntax. + + When creating rules, a # character is used to mark the + start of a comment and may appear at the end of a rule, to explain its function, + or on its own line. Any blank lines are ignored. + + The keywords which are used in rules must be written in a specific + order, from left to right. Some keywords have sub-options which may be + keywords themselves and also include more sub-options. The + keyword order is as follows: 
@@ -1729,7 +1711,7 @@ ipnat_rules="/etc/ipnat.rules" # rule PROTO SRC_ADDR,DST_ADDR OBJECT PORT_NUM TCP_FLAG STATEFUL - Each keyword and its options are described below. + This section describes each keyword and its options.
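Review bot: in the hunk at @@ -156 the paragraph moved into the generic Firewall Concepts section states as a rule that packets destined for a service "originate from the source address using an unprivileged port". That was already a generalisation in the IPF section and is more so here: some clients and services use privileged source ports, and a rule that only passes source ports above 1023 will silently drop them, so "usually" or "normally" belongs in that sentence. In the same paragraph, "packets arriving from the public Internet" is narrower than what a ruleset processes; since the concepts section is meant to cover every firewall in the chapter, "packets arriving on an interface" (outbound and LAN traffic included) fits better.

Review bot: in the hunk at @@ -187 the new warning tells the administrator to prefer the local console but gives a remote-only administrator no way to recover from a lockout. Because this patch also documents `ipf -Fa` as the way to flush all rules, one sentence suggesting a scheduled flush or reboot as a safety net before applying a new ruleset over ssh would make the note actionable rather than only cautionary.

Review bot: in the hunk at @@ -1635 the rewritten paragraph presents `ipf -Fa -f /etc/ipf.rules` purely as a reboot-free convenience, but flushing every rule before the new file is loaded leaves a window in which the kernel's default policy, not the administrator's ruleset, decides what passes. Worth a sentence here, with a pointer to the inactive-list and swap options in ipf(8) that the paragraph already refers readers to for "the other flags available with this command". Also note that the `rule processing order` indexterm removed together with the old section heading is not re-added with the new "IPF Rulesets" heading later in the patch.

Review bot: in the hunk at @@ -1691 the two removed paragraphs (ipf(8) accepts only a plain text rules file, not a script using symbolic substitution, plus the cross-reference to the section that builds rules from a script) do not reappear anywhere in this patch, while the log message describes only moving text. Either carry them into the new IPF Rulesets section or say in the log that they are being dropped; a reader who feeds ipf a shell script otherwise has nothing in this section telling them why it fails.

Review bot: in the hunk at @@ -1706 the new opening sentence states that the section covers "stateful rules where the first matching rule wins" as though that were ipf's own behaviour, whereas the removed text at least called it a simplification. ipf's default is that the last matching rule decides; first-match semantics apply only to rules carrying the `quick` keyword, so a rule written without it will not behave as this section describes. Keep the qualifier, for example "the stateful, first-match style used in this chapter, in which every rule uses quick" (if that is indeed true of the example rules), rather than dropping it.

Review bot: in the hunk at @@ -1729 the paragraph now opens with "This section describes", and the paragraph introduced by the previous hunk opens with the same three words, so two consecutive paragraphs start identically. "Each keyword and its options is described below" or "The following subsections describe each keyword" avoids the repetition.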