Date: Fri, 14 Feb 2014 01:30:43 +0000 (UTC) From: Dru Lavigne <dru@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r43916 - head/en_US.ISO8859-1/books/handbook/firewalls Message-ID: <201402140130.s1E1UhWt062468@svn.freebsd.org>
Author: dru Date: Fri Feb 14 01:30:43 2014 New Revision: 43916 URL: http://svnweb.freebsd.org/changeset/doc/43916 Log: Finish subsection on enabling PF. Comment out pfsync section for now as it is no longer true. At some point a section should be adding demonstrating how to use it. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Fri Feb 14 00:15:36 2014 (r43915) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Fri Feb 14 01:30:43 2014 (r43916) 
@@ -232,24 +232,27 @@ <sect2> <title>Enabling <application>PF</application></title> - <para>In order to use <application>PF</application>, its module must be first - loaded. Add the following line to + <para>In order to use <application>PF</application>, its kernel module must be first + loaded. This section describes the entries that can be added + to <filename>/etc/rc.conf</filename> in order to enable + <application>PF</application>.</para> + + <para>Start by adding the following line to <filename>/etc/rc.conf</filename>:</para> <programlisting>pf_enable="YES"</programlisting> - <para>Additional options can be passed to - <application>PF</application> when it is started. Refer to - &man.pfctl.8; for the available options and specify any - required flags by - adding another entry to <filename>/etc/rc.conf</filename>:</para> + <para>Additional options, described in &man.pfctl.8;, can be passed to + <application>PF</application> when it is started. Add this entry to + <filename>/etc/rc.conf</filename> and specify any + required flags between the two quotes (<literal>""</literal>):</para> <programlisting>pf_flags="" # additional flags for pfctl startup</programlisting> - <para>The module will not load if it cannot find the - ruleset configuration file. A default ruleset is located - <filename>/etc/pf.conf</filename>. If a custom ruleset is - located somewhere else, add a line to + <para><application>PF</application> will not start if it cannot find its + ruleset configuration file. The default ruleset is already created and is named + <filename>/etc/pf.conf</filename>. If a custom ruleset has + been saved somewhere else, add a line to <filename>/etc/rc.conf</filename> which specifies the full path to the file:</para> 
@@ -260,33 +263,35 @@ <filename>/usr/share/examples/pf/</filename>. The rest of this chapter demonstrates how to create a custom ruleset.</para> - <para>Then, run the startup script to load the module:</para> - - <screen>&prompt.root; <userinput>service pf start</userinput></screen> <para>Logging support for <application>PF</application> is provided by - &man.pflog.4; which can be loaded by adding the - following line to <filename>/etc/rc.conf</filename>:</para> + &man.pflog.4;. To enable logging support, add this + line to <filename>/etc/rc.conf</filename>:</para> <programlisting>pflog_enable="YES"</programlisting> - <para>The following &man.rc.conf.5; statements can also be used to + <para>The following lines can also be added in order to change the default location of the log file or to specify any - additional flags:</para> + additional flags to pass to &man.pflog.4; when it is started:</para> <programlisting>pflog_logfile="/var/log/pflog" # where pflogd should store the logfile pflog_flags="" # additional flags for pflogd startup</programlisting> - <para>Save the edits, then run the startup script to load the logging module:</para> - - <screen>&prompt.root; <userinput>service pflog start</userinput></screen> - - <para>If there is a <acronym>LAN</acronym> behind the firewall and packets need to + <para>Finally, if there is a <acronym>LAN</acronym> behind the firewall and packets need to be forwarded for the computers on the <acronym>LAN</acronym>, or <acronym>NAT</acronym> is required, add the following option:</para> <programlisting>gateway_enable="YES" # Enable as LAN gateway</programlisting> - <indexterm> + <para>After saving the needed edits, + <application>PF</application> can be started with logging support by typing:</para> + + <screen>&prompt.root; <userinput>service pf start</userinput> +&prompt.root; <userinput>service pflog start</userinput></screen> + +<!-- +This is no longer true as of 9.x. 
It also references the CARP section +which doesn't explain how to use it...At some point it should. + <indexterm> <primary>kernel options</primary> <secondary>device pf</secondary> </indexterm> @@ -304,8 +309,7 @@ pflog_flags="" # additi <note> <para>While it is not necessary to compile <application>PF</application> support into the &os; kernel, - some of PF's advanced features are not included in the - loadable module, namely &man.pfsync.4;, which is a + some advanced features are not included, namely &man.pfsync.4;, which is a pseudo-device that exposes certain changes to the state table used by <application>PF</application>. It can be paired with &man.carp.4; to create failover firewalls using @@ -319,6 +323,8 @@ pflog_flags="" # additi device pflog device pfsync</programlisting> + <para>where:</para> + <para><literal>device pf</literal> enables PF support.</para> <para><literal>device pflog</literal> enables the optional @@ -331,6 +337,7 @@ device pfsync</programlisting> &man.pfsync.4; pseudo-network device that is used to monitor <quote>state changes</quote>.</para> </note> + --> </sect2> <sect2>
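Review bot: in the first hunk (@@ -232), the rewritten opening sentence "its kernel module must be first loaded" has the adverb in the wrong place; "its kernel module must first be loaded" is the natural order. In the same hunk, the new pf_flags paragraph tells the reader to put flags "between the two quotes" but gives no hint of what kind of flag would go there, while the old text at least pointed at &man.pfctl.8; as the list to pick from; consider keeping that pointer as "Refer to &man.pfctl.8; for the available flags" next to the listing so the empty `pf_flags=""` does not read as something that has to be filled in.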
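Review bot: in the second hunk (@@ -260), the gateway paragraph ("Finally, if there is a LAN behind the firewall ... add the following option: gateway_enable="YES"") should say what the option does: it turns on IP forwarding, so the host routes packets between all of its interfaces, not only for the LAN. Because the hunk now moves `service pf start` and `service pflog start` after this paragraph, it would be worth one sentence stating that the ruleset in /etc/pf.conf should be reviewed before the two commands are run, since forwarding and filtering come up together at that point. The relocation of the start commands to the end of the section is otherwise an improvement over the old text, which had the reader start pf before pflog was even configured.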
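Review bot: the `<!--` opened at the end of @@ -260 and closed by `-->` in @@ -331 hides the whole kernel-options block, so the wording change in @@ -304 and the added `<para>where:</para>` in @@ -319 are invisible to readers; either leave the hidden text untouched or drop those two hunks to keep the diff minimal. The @@ -304 change also loses the referent: "some advanced features are not included, namely &man.pfsync.4;" no longer says what they are not included in (the old text said "in the loadable module"), so if the paragraph is ever uncommented it will need that phrase back. Since the log message says a replacement section demonstrating &man.pfsync.4; and &man.carp.4; should be written later, putting an XXX or TODO marker on the line after "This is no longer true as of 9.x." would make that pending work easy to find.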