Date: Thu, 13 Feb 2014 23:55:25 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r43914 - head/en_US.ISO8859-1/books/handbook/firewalls
Message-ID: <201402132355.s1DNtPjt025678@svn.freebsd.org>
Author: dru Date: Thu Feb 13 23:55:24 2014 New Revision: 43914 URL: http://svnweb.freebsd.org/changeset/doc/43914 Log: Shuffle the first part of this chapter to improve its readability. Many more commits to come. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Thu Feb 13 23:21:17 2014 (r43913) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Thu Feb 13 23:55:24 2014 (r43914) @@ -215,7 +215,7 @@ integrated part of the base system. <application>PF</application> is a complete, full-featured firewall that has optional support for - <acronym>ALTQ</acronym> (Alternate Queuing), which provides + <application>ALTQ</application> (Alternate Queuing), which provides Quality of Service (<acronym>QoS</acronym>).</para> <para>Since the OpenBSD Project maintains the definitive 
@@ -230,21 +230,25 @@ xlink:href="http://pf4freebsd.love2party.net/">http://pf4freebsd.love2party.net/</uri>.</para> <sect2> - <title>Using the PF Loadable Kernel Modules</title> + <title>Enabling <application>PF</application></title> - <para>In order to use PF, the PF kernel module must be first + <para>In order to use <application>PF</application>, its module must be first loaded. Add the following line to <filename>/etc/rc.conf</filename>:</para> <programlisting>pf_enable="YES"</programlisting> - <para>Then, run the startup script to load the module:</para> - - <screen>&prompt.root; <userinput>service pf start</userinput></screen> - - <para>The PF module will not load if it cannot find the - ruleset configuration file. The default location is - <filename>/etc/pf.conf</filename>. If the PF ruleset is + <para>Additional options can be passed to + <application>PF</application> when it is started. Refer to + &man.pfctl.8; for the available options and specify any + required flags by + adding another entry to <filename>/etc/rc.conf</filename>:</para> + + <programlisting>pf_flags="" # additional flags for pfctl startup</programlisting> + + <para>The module will not load if it cannot find the + ruleset configuration file. A default ruleset is located + <filename>/etc/pf.conf</filename>. If a custom ruleset is located somewhere else, add a line to <filename>/etc/rc.conf</filename> which specifies the full path to the file:</para> 
@@ -253,26 +257,34 @@ <para>The sample <filename>pf.conf</filename> can be found in - <filename>/usr/share/examples/pf/</filename>.</para> - - <para>The <application>PF</application> module can also be - loaded manually from the command line:</para> - - <screen>&prompt.root; <userinput>kldload pf.ko</userinput></screen> + <filename>/usr/share/examples/pf/</filename>. The rest of + this chapter demonstrates how to create a custom ruleset.</para> + + <para>Then, run the startup script to load the module:</para> - <para>Logging support for PF is provided by - <varname>pflog.ko</varname> which can be loaded by adding the + <screen>&prompt.root; <userinput>service pf start</userinput></screen> + <para>Logging support for <application>PF</application> is provided by + &man.pflog.4; which can be loaded by adding the following line to <filename>/etc/rc.conf</filename>:</para> <programlisting>pflog_enable="YES"</programlisting> - <para>Then, run the startup script to load the module:</para> + <para>The following &man.rc.conf.5; statements can also be used to + change the default location of the log file or to specify any + additional flags:</para> + + <programlisting>pflog_logfile="/var/log/pflog" # where pflogd should store the logfile +pflog_flags="" # additional flags for pflogd startup</programlisting> + + <para>Save the edits, then run the startup script to load the logging module:</para> <screen>&prompt.root; <userinput>service pflog start</userinput></screen> - </sect2> - <sect2> - <title>PF Kernel Options</title> + <para>If there is a <acronym>LAN</acronym> behind the firewall and packets need to + be forwarded for the computers on the <acronym>LAN</acronym>, or <acronym>NAT</acronym> is required, + add the following option:</para> + + <programlisting>gateway_enable="YES" # Enable as LAN gateway</programlisting> <indexterm> <primary>kernel options</primary> 
@@ -289,6 +301,7 @@ <secondary>device pfsync</secondary> </indexterm> + <note> <para>While it is not necessary to compile <application>PF</application> support into the &os; kernel, some of PF's advanced features are not included in the @@ -297,12 +310,10 @@ used by <application>PF</application>. It can be paired with &man.carp.4; to create failover firewalls using <application>PF</application>. More information on - <acronym>CARP</acronym> can be found in <link - linkend="carp">of the Handbook</link>.</para> + <acronym>CARP</acronym> can be found in <xref linkend="carp"/>.</para> <para>The following <application>PF</application> kernel options - can be found in - <filename>/usr/src/sys/conf/NOTES</filename>:</para> + are available:</para> <programlisting>device pf device pflog @@ -319,27 +330,7 @@ device pfsync</programlisting> <para><literal>device pfsync</literal> enables the optional &man.pfsync.4; pseudo-network device that is used to monitor <quote>state changes</quote>.</para> - </sect2> - - <sect2> - <title>Available <filename>rc.conf</filename> Options</title> - - <para>The following &man.rc.conf.5; statements can be used to - configure <application>PF</application> and &man.pflog.4; at - boot:</para> - - <programlisting>pf_enable="YES" # Enable PF (load module if required) -pf_rules="/etc/pf.conf" # rules definition file for pf -pf_flags="" # additional flags for pfctl startup -pflog_enable="YES" # start pflogd(8) -pflog_logfile="/var/log/pflog" # where pflogd should store the logfile -pflog_flags="" # additional flags for pflogd startup</programlisting> - - <para>If there is a LAN behind the firewall and packets need to - be forwarded for the computers on the LAN, or NAT is required, - add the following option:</para> - - <programlisting>gateway_enable="YES" # Enable as LAN gateway</programlisting> + </note> </sect2> <sect2>
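Review bot: in hunk @@ -215,7 +215,7 @@, retagging ALTQ from `<acronym>` to `<application>` sits oddly in a sentence that immediately expands it as "(Alternate Queuing)" and keeps `<acronym>QoS</acronym>` on the next line; either drop the parenthetical expansion if ALTQ is meant to be treated as a subsystem name, or keep `<acronym>ALTQ</acronym>` so the markup in the sentence stays consistent.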
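Review bot: in hunk @@ -230,21 +230,25 @@, the rewritten sentence `A default ruleset is located <filename>/etc/pf.conf</filename>` both loses a preposition and changes the claim: the old text said the default *location* is `/etc/pf.conf`, the new text asserts a ruleset exists there, while the next hunk still points readers to `/usr/share/examples/pf/` for the sample. Suggest `The default location for the ruleset is <filename>/etc/pf.conf</filename>`, which fixes the grammar without changing the meaning. In the same hunk, `its module must be first loaded` reads better as `its module must first be loaded`.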
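Review bot: in hunk @@ -253,26 +257,34 @@, the added `<screen>&prompt.root; <userinput>service pf start</userinput></screen>` is followed directly by `<para>Logging support for <application>PF</application> is provided by` with no blank line between the two block elements, unlike the surrounding markup; add the blank line. The same hunk also removes the `kldload pf.ko` alternative without replacement, so the section now documents only the rc script path; if that is intentional the log message should say so, otherwise keep the one-sentence manual-load note.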
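Review bot: in hunk @@ -289,6 +301,7 @@, the `<note>` opened before `While it is not necessary to compile <application>PF</application> support` is not closed until the `+ </note>` after the `device pfsync` explanation in hunk @@ -319,27 +330,7 @@, so the whole kernel-options `<programlisting>` and its per-device paragraphs end up inside the note. A note should carry only the caveat (compiling PF into the kernel is optional, some advanced features need it); leave the option list and its descriptions as ordinary body text and close the `<note>` right after that first paragraph.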
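Review bot: in hunk @@ -297,12 +310,10 @@, replacing `can be found in <filename>/usr/src/sys/conf/NOTES</filename>` with `are available` drops the only pointer to where the full, authoritative option list lives; suggest keeping the filename, e.g. `The following <application>PF</application> kernel options are available and are documented in <filename>/usr/src/sys/conf/NOTES</filename>:`. The `<xref linkend="carp"/>` change in the same hunk is a clear improvement over the dangling `<link linkend="carp">of the Handbook</link>`.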
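Review bot: in hunk @@ -319,27 +330,7 @@, the removed consolidated listing is the only place in this diff where `pf_rules="/etc/pf.conf"` appears; the new Enabling PF text in hunk @@ -230,21 +230,25 @@ tells the reader to add a line to `/etc/rc.conf` with the full path to a custom ruleset, but the `<programlisting>` that should follow it is outside the visible context, so confirm that line survives in the unchanged part of the file. Otherwise the rest of the removed listing (`pf_flags`, `pflog_logfile`, `pflog_flags`, `gateway_enable`) is accounted for in hunks @@ -230 and @@ -253.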