From owner-svn-doc-head@FreeBSD.ORG Thu Feb 13 23:01:33 2014
Message-Id: <201402132301.s1DN1WUr006097@svn.freebsd.org>
From: Dru Lavigne
Date: Thu, 13 Feb 2014 23:01:32 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r43912 - head/en_US.ISO8859-1/books/handbook/firewalls

Author: dru
Date: Thu Feb 13 23:01:32 2014
New Revision: 43912
URL: http://svnweb.freebsd.org/changeset/doc/43912

Log:
  White space fix only. Translators can ignore.

  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Thu Feb 13 22:58:18 2014 (r43911)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Thu Feb 13 23:01:32 2014 (r43912)
@@ -78,24 +78,26 @@ &os; has three firewalls built into the base system: - PF, IPFILTER, also known as + PF, + IPFILTER, also known as IPF, and IPFW. &os; also provides two traffic shapers for controlling bandwidth usage: &man.altq.4; and &man.dummynet.4;. ALTQ has - traditionally been closely tied with PF and - dummynet with IPFW. - Each - firewall uses rules to control the access of packets to and from - a &os; system, although they go about it in different ways and - each has a different rule syntax. + traditionally been closely tied with + PF and + dummynet with + IPFW. Each firewall uses rules to + control the access of packets to and from a &os; system, + although they go about it in different ways and each has a + different rule syntax. &os; provides multiple firewalls in order to meet the different requirements and preferences for a wide variety of users. Each user should evaluate which firewall best meets their needs. - + After reading this chapter, you will know: @@ -133,15 +135,15 @@ - Since all firewalls are based on inspecting the values of - selected packet control fields, the creator of the firewall - ruleset must have an understanding of how - TCP/IP works, what the different values in - the packet control fields are, and how these values are used in - a normal session conversation. For a good introduction, refer - to - Daryl's - TCP/IP Primer. + Since all firewalls are based on inspecting the values of + selected packet control fields, the creator of the firewall + ruleset must have an understanding of how + TCP/IP works, what the different values in + the packet control fields are, and how these values are used + in a normal session conversation. For a good introduction, + refer to Daryl's + TCP/IP Primer. 
@@ -210,20 +212,21 @@ Since &os; 5.3, a ported version of OpenBSD's PF firewall has been included as an - integrated part of the base system. PF is a - complete, full-featured firewall that has optional support for + integrated part of the base system. + PF is a complete, full-featured + firewall that has optional support for ALTQ (Alternate Queuing), which provides Quality of Service (QoS). Since the OpenBSD Project maintains the definitive - reference for PF in the - PF FAQ, - this section of the Handbook focuses on PF as - it pertains to &os;, while providing some general usage - information. + reference for PF in the PF FAQ, + this section of the Handbook focuses on + PF as it pertains to &os;, while + providing some general usage information. - More information about porting PF to &os; - can be found at More information about porting PF + to &os; can be found at http://pf4freebsd.love2party.net/. @@ -252,8 +255,8 @@ can be found in /usr/share/examples/pf/. - The PF module can also be loaded - manually from the command line: + The PF module can also be + loaded manually from the command line: &prompt.root; kldload pf.ko 
@@ -286,18 +289,20 @@ device pfsync - While it is not necessary to compile PF - support into the &os; kernel, some of PF's advanced features - are not included in the loadable module, namely - &man.pfsync.4;, which is a pseudo-device that exposes certain - changes to the state table used by PF. It - can be paired with &man.carp.4; to create failover firewalls - using PF. More information on - CARP can be found in - of the Handbook. + While it is not necessary to compile + PF support into the &os; kernel, + some of PF's advanced features are not included in the + loadable module, namely &man.pfsync.4;, which is a + pseudo-device that exposes certain changes to the state table + used by PF. It can be paired with + &man.carp.4; to create failover firewalls using + PF. More information on + CARP can be found in of the Handbook. - The following PF kernel options can be - found in /usr/src/sys/conf/NOTES: + The following PF kernel options + can be found in + /usr/src/sys/conf/NOTES: device pf device pflog 
@@ -340,15 +345,15 @@ pflog_flags="" # additi Creating Filtering Rules - By default, PF reads its configuration - rules from /etc/pf.conf and modifies, - drops, or passes packets according to the rules or definitions - specified in this file. The &os; installation includes - several sample files located in + By default, PF reads its + configuration rules from /etc/pf.conf and + modifies, drops, or passes packets according to the rules or + definitions specified in this file. The &os; installation + includes several sample files located in /usr/share/examples/pf/. Refer to the PF - FAQ for complete coverage of PF - rulesets. + FAQ for complete coverage of + PF rulesets. When reading the X is using the same - version of PF as OpenBSD 4.1. - &os; 9.X and later is using - the same version of PF as - OpenBSD 4.5. + version of PF + OpenBSD 4.1. &os; 9.X + and later is using the same version of + PF as OpenBSD 4.5. The &a.pf; is a good place to ask questions about - configuring and running the PF firewall. - Do not forget to check the mailing list archives before asking - questions. - - To control PF, use &man.pfctl.8;. - Below are some useful options to this command. Review - &man.pfctl.8; for a description of all available + configuring and running the PF + firewall. Do not forget to check the mailing list archives + before asking questions. + + To control PF, use + &man.pfctl.8;. Below are some useful options to this command. + Review &man.pfctl.8; for a description of all available options: @@ -482,7 +487,8 @@ options ALTQ_NOPCC # Requir - <application>PF</application> Rule Sets and Tools + <application>PF</application> Rule Sets and + Tools @@ -497,9 +503,9 @@ options ALTQ_NOPCC # Requir This section demonstrates some useful - PF features and PF - related tools in a series of examples. A more thorough - tutorial is available at PF features and + PF related tools in a series of + examples. A more thorough tutorial is available at http://home.nuug.no/~peter/pf/. 
@@ -563,9 +569,9 @@ udp_services = "{ domain }"Now we have demonstrated several things at once - what macros look like, that macros may be lists, and that - PF understands rules using port names - equally well as it does port numbers. The names are the - ones listed in /etc/services. This + PF understands rules using port + names equally well as it does port numbers. The names are + the ones listed in /etc/services. This gives us something to put in our rules, which we edit slightly to look like this: @@ -574,11 +580,11 @@ pass out proto tcp to any port $tcp_serv pass proto udp to any port $udp_services keep state At this point some of us will point out that UDP is - stateless, but PF actually manages to - maintain state information despite this. Keeping state for - a UDP connection means that for example when you ask a name - server about a domain name, you will be able to receive its - answer. + stateless, but PF actually + manages to maintain state information despite this. Keeping + state for a UDP connection means that for example when you + ask a name server about a domain name, you will be able to + receive its answer. Since we have made changes to our pf.conf, we load the new @@ -602,8 +608,8 @@ pass proto udp to any port $udp_services only, but does not load them. This provides an opportunity to correct any errors. Under any circumstances, the last valid rule set loaded will be in force until - PF is disabled or a new rule set is - loaded. + PF is disabled or a new rule set + is loaded. Use <command>pfctl -v</command> to Show the Parsed 
@@ -623,8 +629,8 @@ pass proto udp to any port $udp_services <para>To most users, a single machine setup will be of limited interest, and at this point we move on to more realistic or at least more common setups, concentrating on a machine - which is running <application>PF</application> and also acts as a - gateway for at least one other machine.</para> + which is running <application>PF</application> and also acts + as a gateway for at least one other machine.</para> <sect4 xml:id="pftut-gwpitfalls"> <title>Gateways and the Pitfalls of <literal>in</literal>, @@ -928,7 +934,8 @@ pass from { lo0, $localnet } to any keep gateway is amazingly simple, thanks to the <acronym>FTP</acronym> proxy program (called &man.ftp-proxy.8;) included in the base system on &os; and - other systems which offer <application>PF</application>.</para> + other systems which offer + <application>PF</application>.</para> <para>The <acronym>FTP</acronym> protocol being what it is, the proxy needs to dynamically insert rules in your rule @@ -944,8 +951,8 @@ pass from { lo0, $localnet } to any keep <para>Starting the proxy manually by running <command>/usr/sbin/ftp-proxy</command> allows testing of - the <application>PF</application> configuration changes we are - about to make.</para> + the <application>PF</application> configuration changes we + are about to make.</para> <para>For a basic configuration, only three elements need to be added to <filename>/etc/pf.conf</filename>. First, the 
@@ -1006,10 +1013,11 @@ rdr-anchor "ftp-proxy/*"</programlisting page.</para> <para>For ways to run an <acronym>FTP</acronym> server - protected by <application>PF</application> and &man.ftp-proxy.8;, - look into running a separate <command>ftp-proxy</command> - in reverse mode (using <option>-R</option>), on a separate - port with its own redirecting pass rule.</para> + protected by <application>PF</application> and + &man.ftp-proxy.8;, look into running a separate + <command>ftp-proxy</command> in reverse mode (using + <option>-R</option>), on a separate port with its own + redirecting pass rule.</para> </sect4> </sect3> @@ -1099,8 +1107,8 @@ pass inet proto icmp from any to $ext_if <para>Stopping probes at the gateway might be an attractive option anyway, but let us have a look at a few other - options which will show some of <application>PF</application>'s - flexibility.</para> + options which will show some of + <application>PF</application>'s flexibility.</para> </sect4> <sect4 xml:id="pftut-letpingthru"> @@ -1166,7 +1174,8 @@ pass out on $ext_if inet proto udp from places from <link xlink:href="http://marc.theaimsgroup.com/">http://marc.theaimsgroup.com/</link>), to be a very valuable resource whenever you need OpenBSD - or <application>PF</application> related information.</para> + or <application>PF</application> related + information.</para> </sect4> <sect4 xml:id="pftut-pathmtudisc"> 
@@ -1235,12 +1244,13 @@ pass out on $ext_if inet proto udp from and rigid. There will after all be some kinds of data which are relevant to filtering and redirection at a given time, but do not deserve to be put into a configuration file! - Quite right, and <application>PF</application> offers mechanisms for - handling these situations as well. Tables are one such - feature, mainly useful as lists which can be manipulated - without needing to reload the entire rule set, and where - fast lookups are desirable. Table names are always enclosed - in <literal>< ></literal>, like this:</para> + Quite right, and <application>PF</application> offers + mechanisms for handling these situations as well. Tables + are one such feature, mainly useful as lists which can be + manipulated without needing to reload the entire rule set, + and where fast lookups are desirable. Table names are + always enclosed in <literal>< ></literal>, like + this:</para> <programlisting>table <clients> { 192.168.2.0/24, !192.168.2.5 }</programlisting> 
@@ -1323,13 +1333,14 @@ Sep 26 03:12:44 skapet sshd[24703]: Fail 22222 for a repeat performance.</para> <para>Since OpenBSD 3.7, and soon after in &os; version 6.0, - <application>PF</application> has offered a slightly more elegant - solution. Pass rules can be written so they maintain - certain limits on what connecting hosts can do. For good - measure, violators can be banished to a table of addresses - which are denied some or all access. If desired, it is even - possible to drop all existing connections from machines - which overreach the limits. Here is how it is done:</para> + <application>PF</application> has offered a slightly more + elegant solution. Pass rules can be written so they + maintain certain limits on what connecting hosts can do. + For good measure, violators can be banished to a table of + addresses which are denied some or all access. If desired, + it is even possible to drop all existing connections from + machines which overreach the limits. Here is how it is + done:</para> <para>First, set up the table. In the tables section, add</para> @@ -1491,7 +1502,8 @@ Sep 26 03:12:44 skapet sshd[24703]: Fail <title>Other <application>PF</application> Tools Over time, a number of tools have been developed which - interact with PF in various ways. + interact with PF in various + ways. The <application>pftop</application> Traffic 
@@ -1819,13 +1831,14 @@ rdr pass on $ext_if inet proto tcp from can be set in the <literal>options</literal> part of the ruleset, which precedes the redirection and filtering rules. This option determines which feedback, if any, - <application>PF</application> will give to hosts which try to - create connections which are subsequently blocked. The - option has two possible values, <literal>drop</literal>, - which drops blocked packets with no feedback, and - <literal>return</literal>, which returns with status - codes such as <computeroutput>Connection - refused</computeroutput> or similar.</para> + <application>PF</application> will give to hosts which + try to create connections which are subsequently + blocked. The option has two possible values, + <literal>drop</literal>, which drops blocked packets + with no feedback, and <literal>return</literal>, which + returns with status codes such as + <computeroutput>Connection refused</computeroutput> or + similar.</para> <para>The correct strategy for block policies has been the subject of rather a lot of discussion. We choose to 
@@ -1838,24 +1851,24 @@ rdr pass on $ext_if inet proto tcp from <sect5 xml:id="pftut-scrub"> <title><literal>scrub</literal> - In PF versions up to OpenBSD 4.5 - inclusive, scrub is a keyword which - enables network packet normalization, causing fragmented - packets to be assembled and removing ambiguity. - Enabling scrub provides a measure of - protection against certain kinds of attacks based on - incorrect handling of packet fragments. A number of - supplementing options are available, but we choose the - simplest form which is suitable for most + In PF versions up to + OpenBSD 4.5 inclusive, scrub is a + keyword which enables network packet normalization, + causing fragmented packets to be assembled and removing + ambiguity. Enabling scrub provides a + measure of protection against certain kinds of attacks + based on incorrect handling of packet fragments. A + number of supplementing options are available, but we + choose the simplest form which is suitable for most configurations. scrub in all Some services, such as NFS, require some specific fragment handling options. This is extensively - documented in the PF user guide and - man pages provide all the information you could - need. + documented in the PF user + guide and man pages provide all the information you + could need. One fairly common example is this,
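Review bot: In hunk @@ -340,15 +345,15 @@, the removed side reads "version of PF as OpenBSD 4.1." while the added side reads "version of PF" followed by "OpenBSD 4.1.", so the word "as" looks to have been lost in the reflow, which would make this more than a white space fix. If the committed chapter.xml really lacks the "as" there, it should be restored so the sentence again reads "... is using the same version of PF as OpenBSD 4.1." (the rendering of this message drops the <application> tags around PF in places, so confirm against the file rather than this listing).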
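Review bot: In hunk @@ -1235,12 +1244,13 @@, the added line ends with "always enclosed in <literal>< ></literal>, like". If the source has a bare "<" and ">" inside the <literal> element rather than "&lt; &gt;", the XML is ill-formed and the build will reject it; this listing may simply be showing decoded entities, so a quick check that the committed file uses "&lt; &gt;" is all that is needed.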
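Review bot: In hunk @@ -1838,24 +1851,24 @@, the sentence "This is extensively documented in the PF user guide and man pages provide all the information you could need." is a run-on on both the removed and the added side. It is outside the scope of a white space commit, but a follow-up could split it, for example "This is extensively documented in the PF user guide, and the man pages provide all the information you could need."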