From owner-svn-doc-all@FreeBSD.ORG Fri Feb 14 01:30:44 2014
Message-Id: <201402140130.s1E1UhWt062468@svn.freebsd.org>
From: Dru Lavigne
Date: Fri, 14 Feb 2014 01:30:43 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r43916 - head/en_US.ISO8859-1/books/handbook/firewalls

Author: dru
Date: Fri Feb 14 01:30:43 2014
New Revision: 43916

URL: http://svnweb.freebsd.org/changeset/doc/43916

Log:
  Finish subsection on enabling PF.

  Comment out pfsync section for now as it is no longer true. At some point a section should be added demonstrating how to use it.

  Sponsored by:	iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Fri Feb 14 00:15:36 2014	(r43915)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Fri Feb 14 01:30:43 2014	(r43916)
@@ -232,24 +232,27 @@ Enabling <application>PF</application> - In order to use PF, its module must be first - loaded. Add the following line to + In order to use PF, its kernel module must be first + loaded. This section describes the entries that can be added + to /etc/rc.conf in order to enable + PF. + + Start by adding the following line to /etc/rc.conf: pf_enable="YES" - Additional options can be passed to - PF when it is started. Refer to - &man.pfctl.8; for the available options and specify any - required flags by - adding another entry to /etc/rc.conf: + Additional options, described in &man.pfctl.8;, can be passed to + PF when it is started. Add this entry to + /etc/rc.conf and specify any + required flags between the two quotes (""): pf_flags="" # additional flags for pfctl startup - The module will not load if it cannot find the - ruleset configuration file. A default ruleset is located - /etc/pf.conf. If a custom ruleset is - located somewhere else, add a line to + PF will not start if it cannot find its + ruleset configuration file. The default ruleset is already created and is named + /etc/pf.conf. If a custom ruleset has + been saved somewhere else, add a line to /etc/rc.conf which specifies the full path to the file: 
@@ -260,33 +263,35 @@ /usr/share/examples/pf/. The rest of this chapter demonstrates how to create a custom ruleset. - Then, run the startup script to load the module: - - &prompt.root; service pf start Logging support for PF is provided by - &man.pflog.4; which can be loaded by adding the - following line to /etc/rc.conf: + &man.pflog.4;. To enable logging support, add this + line to /etc/rc.conf: pflog_enable="YES" - The following &man.rc.conf.5; statements can also be used to + The following lines can also be added in order to change the default location of the log file or to specify any - additional flags: + additional flags to pass to &man.pflog.4; when it is started: pflog_logfile="/var/log/pflog" # where pflogd should store the logfile pflog_flags="" # additional flags for pflogd startup - Save the edits, then run the startup script to load the logging module: - - &prompt.root; service pflog start - - If there is a LAN behind the firewall and packets need to + Finally, if there is a LAN behind the firewall and packets need to be forwarded for the computers on the LAN, or NAT is required, add the following option: gateway_enable="YES" # Enable as LAN gateway - + After saving the needed edits, + PF can be started with logging support by typing: + + &prompt.root; service pf start +&prompt.root; service pflog start + +
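Review bot: in the first hunk (@@ -232,24 +232,27 @@), the new sentence "The default ruleset is already created and is named /etc/pf.conf" asserts that the file exists, directly after "PF will not start if it cannot find its ruleset configuration file"; if the file is not present on every install, a reader following this text gets a failing start with no hint why. Suggest describing /etc/pf.conf as the default location rather than an existing file, and adding a one-line check such as `ls -l /etc/pf.conf` before the start command. Minor style: "its kernel module must be first loaded" reads more naturally as "its kernel module must first be loaded".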
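Review bot: in the second hunk (@@ -260,33 +263,35 @@), the closing paragraph says PF "can be started with logging support by typing" `service pf start` and `service pflog start`, but the `gateway_enable="YES"` line added just above is not applied by either of those two commands, so the text should state when that forwarding setting takes effect (on the next boot, or by whichever service applies it); as written, a reader will expect LAN forwarding to work after these two commands. Also consider keeping the &man.rc.conf.5; reference that the hunk drops from "The following &man.rc.conf.5; statements", since it is the only pointer to where pflog_logfile and pflog_flags are documented.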