From owner-svn-doc-head@FreeBSD.ORG Thu Feb 13 22:45:32 2014
Return-Path:
Delivered-To: svn-doc-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 27493CE5; Thu, 13 Feb 2014 22:45:32 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 0F9241C87; Thu, 13 Feb 2014 22:45:32 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s1DMjWCX098383; Thu, 13 Feb 2014 22:45:32 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s1DMjW1V098382; Thu, 13 Feb 2014 22:45:32 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201402132245.s1DMjW1V098382@svn.freebsd.org>
From: Dru Lavigne Date: Thu, 13 Feb 2014 22:45:32 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r43909 - head/en_US.ISO8859-1/books/handbook/firewalls X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-head@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the doc tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Feb 2014 22:45:32 -0000 Author: dru Date: Thu Feb 13 22:45:31 2014 New Revision: 43909 URL: http://svnweb.freebsd.org/changeset/doc/43909 Log: Start review of firewall chapter. Many more commits to follow. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Thu Feb 13 22:11:27 2014 (r43908) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Thu Feb 13 22:45:31 2014 (r43909) @@ -41,7 +41,7 @@ - Introduction + Synopsis Firewalls make it possible to filter the incoming and outgoing traffic that flows through a system. A firewall can 
@@ -77,6 +77,25 @@ + &os; has three firewalls built into the base system: + PF, IPFILTER, also known as + IPF, and + IPFW. + &os; also provides two traffic shapers for controlling bandwidth + usage: &man.altq.4; and &man.dummynet.4;. + ALTQ has + traditionally been closely tied with PF and + dummynet with IPFW. + Each + firewall uses rules to control the access of packets to and from + a &os; system, although they go about it in different ways and + each has a different rule syntax. + + &os; provides multiple firewalls in order to meet the + different requirements and preferences for a wide variety of + users. Each user should evaluate which firewall best meets + their needs. + After reading this chapter, you will know: @@ -112,6 +131,18 @@ Understand basic &os; and Internet concepts. + + + Since all firewalls are based on inspecting the values of + selected packet control fields, the creator of the firewall + ruleset must have an understanding of how + TCP/IP works, what the different values in + the packet control fields are, and how these values are used in + a normal session conversation. For a good introduction, refer + to + Daryl's + TCP/IP Primer. + 
@@ -156,37 +187,6 @@ combination of stateful and non-stateful behavior. - - Firewall Packages - - &os; has three firewalls built into the base system: - IPFILTER, also known as - IPF, IPFIREWALL, also - known as IPFW, and PF). - &os; also provides two traffic shapers for controlling bandwidth - usage: &man.altq.4; and &man.dummynet.4;. Dummynet has - traditionally been closely tied with IPFW, - and ALTQ with PF. Each - firewall uses rules to control the access of packets to and from - a &os; system, although they go about it in different ways and - each has a different rule syntax. - - &os; provides multiple firewalls in order to meet the - different requirements and preferences for a wide variety of - users. Each user should evaluate which firewall best meets - their needs. - - Since all firewalls are based on inspecting the values of - selected packet control fields, the creator of the firewall - ruleset must have an understanding of how - TCP/IP works, what the different values in - the packet control fields are, and how these values are used in - a normal session conversation. For a good introduction, refer - to - Daryl's - TCP/IP Primer. - - PF and <acronym>ALTQ</acronym> @@ -209,20 +209,20 @@ Since &os; 5.3, a ported version of OpenBSD's - PF firewall has been included as an - integrated part of the base system. PF is a + PF firewall has been included as an + integrated part of the base system. PF is a complete, full-featured firewall that has optional support for ALTQ (Alternate Queuing), which provides Quality of Service (QoS). Since the OpenBSD Project maintains the definitive - reference for PF in the + reference for PF in the PF FAQ, - this section of the Handbook focuses on PF as + this section of the Handbook focuses on PF as it pertains to &os;, while providing some general usage information. - More information about porting PF to &os; + More information about porting PF to &os; can be found at http://pf4freebsd.love2party.net/. 
@@ -252,7 +252,7 @@ can be found in /usr/share/examples/pf/. - The PF module can also be loaded + The PF module can also be loaded manually from the command line: &prompt.root; kldload pf.ko @@ -286,17 +286,17 @@ device pfsync - While it is not necessary to compile PF + While it is not necessary to compile PF support into the &os; kernel, some of PF's advanced features are not included in the loadable module, namely &man.pfsync.4;, which is a pseudo-device that exposes certain - changes to the state table used by PF. It + changes to the state table used by PF. It can be paired with &man.carp.4; to create failover firewalls - using PF. More information on + using PF. More information on CARP can be found in of the Handbook. - The following PF kernel options can be + The following PF kernel options can be found in /usr/src/sys/conf/NOTES: device pf @@ -320,7 +320,7 @@ device pfsync Available <filename>rc.conf</filename> Options The following &man.rc.conf.5; statements can be used to - configure PF and &man.pflog.4; at + configure PF and &man.pflog.4; at boot: pf_enable="YES" # Enable PF (load module if required) @@ -340,14 +340,14 @@ pflog_flags="" # additi Creating Filtering Rules - By default, PF reads its configuration + By default, PF reads its configuration rules from /etc/pf.conf and modifies, drops, or passes packets according to the rules or definitions specified in this file. The &os; installation includes several sample files located in /usr/share/examples/pf/. Refer to the PF - FAQ for complete coverage of PF + FAQ for complete coverage of PF rulesets. 
@@ -356,18 +356,18 @@ pflog_flags="" # additi keep in mind that different versions of &os; contain different versions of PF. Currently, &os; 8.X is using the same - version of PF as OpenBSD 4.1. + version of PF as OpenBSD 4.1. &os; 9.X and later is using - the same version of PF as + the same version of PF as OpenBSD 4.5. The &a.pf; is a good place to ask questions about - configuring and running the PF firewall. + configuring and running the PF firewall. Do not forget to check the mailing list archives before asking questions. - To control PF, use &man.pfctl.8;. + To control PF, use &man.pfctl.8;. Below are some useful options to this command. Review &man.pfctl.8; for a description of all available options: @@ -482,7 +482,7 @@ options ALTQ_NOPCC # Requir - <acronym>PF</acronym> Rule Sets and Tools + <application>PF</application> Rule Sets and Tools @@ -497,7 +497,7 @@ options ALTQ_NOPCC # Requir This section demonstrates some useful - PF features and PF + PF features and PF related tools in a series of examples. A more thorough tutorial is available at http://home.nuug.no/~peter/pf/. @@ -546,7 +546,7 @@ pass out all keep state Six Dumbest Ideas in Computer Security, and it is well written too.. This gives us the opportunity to introduce two of the features which - make PF such a wonderful tool: + make PF such a wonderful tool: lists and macros. @@ -563,7 +563,7 @@ udp_services = "{ domain }"Now we have demonstrated several things at once - what macros look like, that macros may be lists, and that - PF understands rules using port names + PF understands rules using port names equally well as it does port numbers. The names are the ones listed in /etc/services. This gives us something to put in our rules, which we edit 
@@ -574,7 +574,7 @@ pass out proto tcp to any port $tcp_serv pass proto udp to any port $udp_services keep state At this point some of us will point out that UDP is - stateless, but PF actually manages to + stateless, but PF actually manages to maintain state information despite this. Keeping state for a UDP connection means that for example when you ask a name server about a domain name, you will be able to receive its @@ -602,7 +602,7 @@ pass proto udp to any port $udp_services only, but does not load them. This provides an opportunity to correct any errors. Under any circumstances, the last valid rule set loaded will be in force until - PF is disabled or a new rule set is + PF is disabled or a new rule set is loaded. @@ -623,7 +623,7 @@ pass proto udp to any port $udp_services To most users, a single machine setup will be of limited interest, and at this point we move on to more realistic or at least more common setups, concentrating on a machine - which is running PF and also acts as a + which is running PF and also acts as a gateway for at least one other machine. @@ -851,7 +851,7 @@ pass from { lo0, $localnet } to any keep relationships between the rules in a rule set. The rules are evaluated from top to bottom, in the sequence they are written in the configuration file. For each packet or - connection evaluated by PF, + connection evaluated by PF, the last matching rule in the rule set is the one which is applied. The quick keyword offers an escape from the @@ -928,7 +928,7 @@ pass from { lo0, $localnet } to any keep gateway is amazingly simple, thanks to the FTP proxy program (called &man.ftp-proxy.8;) included in the base system on &os; and - other systems which offer PF. + other systems which offer PF. The FTP protocol being what it is, the proxy needs to dynamically insert rules in your rule 
@@ -944,7 +944,7 @@ pass from { lo0, $localnet } to any keep Starting the proxy manually by running /usr/sbin/ftp-proxy allows testing of - the PF configuration changes we are + the PF configuration changes we are about to make. For a basic configuration, only three elements need to @@ -1006,7 +1006,7 @@ rdr-anchor "ftp-proxy/*" For ways to run an FTP server - protected by PF and &man.ftp-proxy.8;, + protected by PF and &man.ftp-proxy.8;, look into running a separate ftp-proxy in reverse mode (using ), on a separate port with its own redirecting pass rule. @@ -1099,7 +1099,7 @@ pass inet proto icmp from any to $ext_if Stopping probes at the gateway might be an attractive option anyway, but let us have a look at a few other - options which will show some of PF's + options which will show some of PF's flexibility. @@ -1166,7 +1166,7 @@ pass out on $ext_if inet proto udp from places from http://marc.theaimsgroup.com/), to be a very valuable resource whenever you need OpenBSD - or PF related information. + or PF related information. @@ -1207,7 +1207,7 @@ pass out on $ext_if inet proto udp from pass inet proto icmp all icmp-type $icmp_types keep state - PF allows filtering on all + PF allows filtering on all variations of ICMP types and codes. For those who want to delve into what to pass (or not) of ICMP traffic, the list of possible @@ -1235,7 +1235,7 @@ pass out on $ext_if inet proto udp from and rigid. There will after all be some kinds of data which are relevant to filtering and redirection at a given time, but do not deserve to be put into a configuration file! - Quite right, and PF offers mechanisms for + Quite right, and PF offers mechanisms for handling these situations as well. Tables are one such feature, mainly useful as lists which can be manipulated without needing to reload the entire rule set, and where 
@@ -1323,7 +1323,7 @@ Sep 26 03:12:44 skapet sshd[24703]: Fail 22222 for a repeat performance. Since OpenBSD 3.7, and soon after in &os; version 6.0, - PF has offered a slightly more elegant + PF has offered a slightly more elegant solution. Pass rules can be written so they maintain certain limits on what connecting hosts can do. For good measure, violators can be banished to a table of addresses @@ -1488,10 +1488,10 @@ Sep 26 03:12:44 skapet sshd[24703]: Fail - Other <acronym>PF</acronym> Tools + Other <application>PF</application> Tools Over time, a number of tools have been developed which - interact with PF in various ways. + interact with PF in various ways. The <application>pftop</application> Traffic @@ -1514,11 +1514,11 @@ Sep 26 03:12:44 skapet sshd[24703]: Fail <para>Not to be confused with the <application>spamd</application> daemon which comes bundled with <application>spamassassin</application>, the - <acronym>PF</acronym> companion + <application>PF</application> companion <application>spamd</application> was designed to run on a PF gateway to form part of the outer defense against spam. <application>spamd</application> hooks into the - <acronym>PF</acronym> configuration via a set of + <application>PF</application> configuration via a set of redirections.</para> <para>The main point underlying the @@ -1819,7 +1819,7 @@ rdr pass on $ext_if inet proto tcp from can be set in the <literal>options</literal> part of the ruleset, which precedes the redirection and filtering rules. This option determines which feedback, if any, - <acronym>PF</acronym> will give to hosts which try to + <application>PF</application> will give to hosts which try to create connections which are subsequently blocked. The option has two possible values, <literal>drop</literal>, which drops blocked packets with no feedback, and 
@@ -1838,7 +1838,7 @@ rdr pass on $ext_if inet proto tcp from <sect5 xml:id="pftut-scrub"> <title><literal>scrub</literal> - In PF versions up to OpenBSD 4.5 + In PF versions up to OpenBSD 4.5 inclusive, scrub is a keyword which enables network packet normalization, causing fragmented packets to be assembled and removing ambiguity. @@ -1853,7 +1853,7 @@ rdr pass on $ext_if inet proto tcp from Some services, such as NFS, require some specific fragment handling options. This is extensively - documented in the PF user guide and + documented in the PF user guide and man pages provide all the information you could need.
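Review bot: in the hunk at @@ -77,6 +77,25 @@ the new Synopsis sentence `PF, IPFILTER, also known as IPF, and IPFW` reads as a list of four firewalls because the `also known as` aside is set off only by commas, and it drops the `IPFIREWALL, also known as IPFW` expansion that the removed Firewall Packages paragraph carried, which was the only place in this diff that spelled IPFW out. Suggest `PF; IPFILTER, also known as IPF; and IPFW` (or parentheses around the aliases) and keeping the IPFIREWALL expansion so the reader meets the full name before the acronym.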
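Review bot: in the hunk at @@ -112,6 +131,18 @@ the TCP/IP prerequisite inserted after `Understand basic &os; and Internet concepts.` is a declarative paragraph (`Since all firewalls are based on inspecting ... the creator of the firewall ruleset must have an understanding of how TCP/IP works`) placed in a list whose other entries are short imperative phrases. Rewriting it in the same form, for example `Understand how TCP/IP works, what the values in the packet control fields mean, and how they are used in a normal session; Daryl's TCP/IP Primer is a good introduction.`, keeps the prerequisites list parallel.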
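Review bot: the sweep from `<acronym>PF</acronym>` to `<application>PF</application>` leaves untagged occurrences inside the hunks it touches. In the hunk at @@ -1514,11 +1514,11 @@ the two tagged occurrences around `spamd` are converted, but the unchanged context line `<application>spamd</application> was designed to run on a PF gateway to form part` between them still has a bare `PF`; likewise the section title `PF and <acronym>ALTQ</acronym>` in the context of @@ -156,37 +187,6 @@ keeps PF untagged while the subsection titles changed in @@ -482 and @@ -1488 now use `<application>PF</application>`. Tag these in the same commit, since the log message says more commits follow and it is easy to lose track of which occurrences were meant to stay bare.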
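Review bot: in the hunk at @@ -356,18 +356,18 @@ the version mapping `Currently, &os; 8.X is using the same version of PF as OpenBSD 4.1. &os; 9.X and later is using the same version of PF as OpenBSD 4.5.` is carried over with only the markup changed. `Currently` combined with `and later` is an open-ended claim that will go stale silently as new releases ship; either drop `Currently` and name the specific releases the statement was verified against, or phrase it so that the next release review has to touch it.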
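Review bot: in the hunk at @@ -546,7 +546,7 @@ the context line `Six Dumbest Ideas in Computer Security, and it is well written too..` carries a doubled period; since this hunk is already being modified for the PF markup, change `too..` to `too.` here rather than leaving it for a later pass.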