From owner-svn-doc-head@FreeBSD.ORG Thu Feb 13 23:55:25 2014 Message-Id: <201402132355.s1DNtPjt025678@svn.freebsd.org>
From: Dru Lavigne Date: Thu, 13 Feb 2014 23:55:25 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r43914 - head/en_US.ISO8859-1/books/handbook/firewalls X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-head@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the doc tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Feb 2014 23:55:25 -0000 Author: dru Date: Thu Feb 13 23:55:24 2014 New Revision: 43914 URL: http://svnweb.freebsd.org/changeset/doc/43914 Log: Shuffle the first part of this chapter to improve its readability. Many more commits to come. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Thu Feb 13 23:21:17 2014 (r43913) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Thu Feb 13 23:55:24 2014 (r43914) @@ -215,7 +215,7 @@ integrated part of the base system. PF is a complete, full-featured firewall that has optional support for - ALTQ (Alternate Queuing), which provides + ALTQ (Alternate Queuing), which provides Quality of Service (QoS). Since the OpenBSD Project maintains the definitive 
@@ -230,21 +230,25 @@ xlink:href="http://pf4freebsd.love2party.net/">http://pf4freebsd.love2party.net/. - Using the PF Loadable Kernel Modules + Enabling <application>PF</application> - In order to use PF, the PF kernel module must be first + In order to use PF, its module must be first loaded. Add the following line to /etc/rc.conf: pf_enable="YES" - Then, run the startup script to load the module: - - &prompt.root; service pf start - - The PF module will not load if it cannot find the - ruleset configuration file. The default location is - /etc/pf.conf. If the PF ruleset is + Additional options can be passed to + PF when it is started. Refer to + &man.pfctl.8; for the available options and specify any + required flags by + adding another entry to /etc/rc.conf: + + pf_flags="" # additional flags for pfctl startup + + The module will not load if it cannot find the + ruleset configuration file. A default ruleset is located + /etc/pf.conf. If a custom ruleset is located somewhere else, add a line to /etc/rc.conf which specifies the full path to the file: 
@@ -253,26 +257,34 @@ The sample pf.conf can be found in - /usr/share/examples/pf/. - - The PF module can also be - loaded manually from the command line: - - &prompt.root; kldload pf.ko + /usr/share/examples/pf/. The rest of + this chapter demonstrates how to create a custom ruleset. + + Then, run the startup script to load the module: - Logging support for PF is provided by - pflog.ko which can be loaded by adding the + &prompt.root; service pf start + Logging support for PF is provided by + &man.pflog.4; which can be loaded by adding the following line to /etc/rc.conf: pflog_enable="YES" - Then, run the startup script to load the module: + The following &man.rc.conf.5; statements can also be used to + change the default location of the log file or to specify any + additional flags: + + pflog_logfile="/var/log/pflog" # where pflogd should store the logfile +pflog_flags="" # additional flags for pflogd startup + + Save the edits, then run the startup script to load the logging module: &prompt.root; service pflog start - - - PF Kernel Options + If there is a LAN behind the firewall and packets need to + be forwarded for the computers on the LAN, or NAT is required, + add the following option: + + gateway_enable="YES" # Enable as LAN gateway kernel options @@ -289,6 +301,7 @@ device pfsync + While it is not necessary to compile PF support into the &os; kernel, some of PF's advanced features are not included in the @@ -297,12 +310,10 @@ used by PF. It can be paired with &man.carp.4; to create failover firewalls using PF. More information on - CARP can be found in of the Handbook. + CARP can be found in . The following PF kernel options - can be found in - /usr/src/sys/conf/NOTES: + are available: device pf device pflog 
@@ -319,27 +330,7 @@ device pfsync device pfsync enables the optional &man.pfsync.4; pseudo-network device that is used to monitor state changes. - - - - Available <filename>rc.conf</filename> Options - - The following &man.rc.conf.5; statements can be used to - configure PF and &man.pflog.4; at - boot: - - pf_enable="YES" # Enable PF (load module if required) -pf_rules="/etc/pf.conf" # rules definition file for pf -pf_flags="" # additional flags for pfctl startup -pflog_enable="YES" # start pflogd(8) -pflog_logfile="/var/log/pflog" # where pflogd should store the logfile -pflog_flags="" # additional flags for pflogd startup - - If there is a LAN behind the firewall and packets need to - be forwarded for the computers on the LAN, or NAT is required, - add the following option: - - gateway_enable="YES" # Enable as LAN gateway +
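Review bot: In the @@ -230,21 +230,25 @@ hunk, the added sentence "A default ruleset is located /etc/pf.conf." is missing a preposition and should read "A default ruleset is located in /etc/pf.conf."; likewise "its module must be first loaded" reads more naturally as "its module must first be loaded". The new pf_flags paragraph is inserted between the required pf_enable="YES" line and the explanation of the ruleset file that the startup script needs; consider placing the optional pf_flags entry after the ruleset discussion so the mandatory steps are not interrupted by an optional one.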
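Review bot: In the @@ -253,26 +257,34 @@ hunk, the relocated gateway_enable="YES" paragraph should state what the knob does: it turns on IP forwarding (net.inet.ip.forwarding=1), so the host routes packets between its interfaces from boot. Because PF passes any packet that no rule blocks, the text should tell readers to have their NAT and filter rules in /etc/pf.conf before enabling forwarding, not after. This hunk also deletes the "PF Kernel Options" heading while the kernel-options text that followed it stays, so that material now sits under "Enabling PF"; confirm that is the intended structure and that the section open and close tags still balance, since the only remaining change to that region (the @@ -319,27 +330,7 @@ hunk) adds a single line whose content is not visible in the extracted diff.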
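Review bot: In the @@ -297,12 +310,10 @@ hunk, replacing "can be found in /usr/src/sys/conf/NOTES:" with "are available:" drops the only pointer to where these kernel options are documented; keep the reference, for example "The following PF kernel options, documented in /usr/src/sys/conf/NOTES, are available:", so readers can check the authoritative list when building a custom kernel. The reworded CARP sentence now ends "can be found in ." with nothing visible between "in" and the period; verify the cross-reference renders with link text in the built output.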
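Review bot: The @@ -319,27 +330,7 @@ hunk removes the "Available rc.conf Options" section, and pf_rules="/etc/pf.conf" is the one entry from that listing that this patch does not re-add anywhere; the rewritten "Enabling PF" text only says to "add a line to /etc/rc.conf which specifies the full path to the file", so confirm the pf_rules example still appears in the surrounding context, otherwise readers lose the variable name they need for a custom ruleset location. The hunk's single added line is empty in the extracted diff; check that it is the closing tag the earlier heading removal requires and that the chapter still validates.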