From: Benedict Reuschling
Date: Thu, 18 Apr 2019 11:20:49 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org,
svn-doc-head@freebsd.org
Subject: svn commit: r52936 - head/en_US.ISO8859-1/books/handbook/firewalls
Author: bcr
Date: Thu Apr 18 11:20:49 2019
New Revision: 52936
URL: https://svnweb.freebsd.org/changeset/doc/52936
Log:
This patch updates the PF chapter regarding structure and various updates.
After discussing some updates to the PF chapter with current maintainer kp@,
I came up with the following list of changes in this patch:
- Change the warning message to remove the reference to a specific PF version
and point out that FreeBSD's pf has diverged from what's in OpenBSD.
- Remove a link to the old pf porting efforts, which are obsolete nowadays and
don't provide much value to the reader anymore
- Change the reading flow by putting the ALTQ section at the end of the chapter.
ALTQ with PF is not used by everyone, so having that at the end of the chapter
is good to not overwhelm the reader too much with concepts they probably don't
need.
- Remove the "In order to" sentence parts which are mostly superfluous and can
be replaced with "to" for increased readability
- Sprinkle in some sysrc in examples where it makes sense to use it
Reviewed by: kp@
Event: Aberdeen hackathon 2019
Differential Revision: https://reviews.freebsd.org/D19939
Modified:
head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Apr 17 14:48:48 2019 (r52935)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Thu Apr 18 11:20:49 2019 (r52936)
@@ -313,8 +313,11 @@
When reading the PF FAQ,
- keep in mind that &os; uses the same version of
- PF as OpenBSD 4.5.
+ keep in mind that &os;'s version of
+ PF has diverged substantially from
+ the upstream OpenBSD version over the years. Not all features
+ work the same way on &os; as they do in OpenBSD and vice
+ versa.
The &a.pf; is a good place to ask questions about
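Review bot: The new wording tells the reader that &os;'s PF has diverged from OpenBSD's but not where to find the &os;-specific behaviour, so the warning is not actionable on its own; a short pointer to the &os; manual pages as the authoritative reference would fix that, e.g. after "and vice versa." add "Refer to &man.pf.conf.5; for the syntax and features supported on &os;."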
@@ -322,33 +325,29 @@
firewall. Check the mailing list archives before asking a
question as it may have already been answered.
- More information about porting PF
- to &os; can be found at http://pf4freebsd.love2party.net/.
-
This section of the Handbook focuses on
PF as it pertains to &os;. It
demonstrates how to enable PF and
- ALTQ. It then provides several
+ ALTQ. It also provides several
examples for creating rulesets on a &os; system.Enabling PF
- In order to use PF, its kernel
+ To use PF, its kernel
module must be first loaded. This section describes the
entries that can be added to /etc/rc.conf
- in order to enable PF.
+ to enable PF.
- Start by adding the following line to
+ Start by adding pf_enable=yes to
/etc/rc.conf:
- pf_enable="YES"
+ &prompt.root; sysrc pf_enable=yesAdditional options, described in &man.pfctl.8;, can be
passed to PF when it is started.
- Add this entry to /etc/rc.conf and
- specify any required flags between the two quotes
+ Add or change this entry in /etc/rc.conf
+ and specify any required flags between the two quotes
(""):pf_flags="" # additional flags for pfctl startup
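Review bot: The pf_enable example now uses sysrc, but the pf_flags example a few lines later is still shown as a raw rc.conf line with the instruction to put flags "between the two quotes", which leaves the reader mixing two editing methods on the same file. Either use sysrc for both (e.g. `&prompt.root; sysrc pf_flags=""` followed by the flags to pass) or state that the pf_flags line is what sysrc writes into /etc/rc.conf.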
@@ -366,14 +365,14 @@
Logging support for PF is
provided by &man.pflog.4;. To enable logging support, add
- this line to /etc/rc.conf:
+ pflog_enable=yes to
+ /etc/rc.conf:
- pflog_enable="YES"
+ &prompt.root; sysrc pflog_enable=yes
- The following lines can also be added in order to
- change the default location of the log file or to specify any
- additional flags to pass to &man.pflog.4; when it is
- started:
+ The following lines can also be added to change the
+ default location of the log file or to specify any additional
+ flags to pass to &man.pflog.4; when it is started:pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startup
@@ -381,7 +380,7 @@ pflog_flags="" # additional flags for
Finally, if there is a LAN behind the
firewall and packets need to be forwarded for the computers on
the LAN, or NAT is
- required, add the following option:
+ required, enable the following option:
gateway_enable="YES" # Enable as LAN gateway
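Review bot: "enable the following option" still shows gateway_enable="YES" as a raw rc.conf line, while the hunk at line 645 converts the very same variable to `&prompt.root; sysrc gateway_enable=yes`; for consistency within the chapter use the sysrc form here too, or keep the original "add the following line" wording if the raw line is intended.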
@@ -523,94 +522,6 @@ device pfsync
similar to &man.top.1;.
-
- Enabling ALTQ
-
- On &os;, ALTQ can be used with
- PF to provide Quality of Service
- (QOS). Once
- ALTQ is enabled, queues can be
- defined in the ruleset which determine the processing priority
- of outbound packets.
-
- Before enabling ALTQ, refer to
- &man.altq.4; to determine if the drivers for the network cards
- installed on the system support it.
-
- ALTQ is not available as a
- loadable kernel module. If the system's interfaces support
- ALTQ, create a custom kernel using
- the instructions in . The
- following kernel options are available. The first is needed
- to enable ALTQ. At least one of
- the other options is necessary to specify the queueing
- scheduler algorithm:
-
- options ALTQ
-options ALTQ_CBQ # Class Based Queuing (CBQ)
-options ALTQ_RED # Random Early Detection (RED)
-options ALTQ_RIO # RED In/Out
-options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
-options ALTQ_PRIQ # Priority Queuing (PRIQ)
-
- The following scheduler algorithms are available:
-
-
-
- CBQ
-
- Class Based Queuing (CBQ) is
- used to divide a connection's bandwidth into different
- classes or queues to prioritize traffic based on filter
- rules.
-
-
-
-
- RED
-
- Random Early Detection (RED) is
- used to avoid network congestion by measuring the length
- of the queue and comparing it to the minimum and maximum
- thresholds for the queue. When the queue is over the
- maximum, all new packets are randomly dropped.
-
-
-
-
- RIO
-
- In Random Early Detection In and Out
- (RIO) mode, RED
- maintains multiple average queue lengths and multiple
- threshold values, one for each
- QOS level.
-
-
-
-
- HFSC
-
- Hierarchical Fair Service Curve Packet Scheduler
- (HFSC) is described in http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html.
-
-
-
-
- PRIQ
-
- Priority Queuing (PRIQ) always
- passes traffic that is in a higher queue first.
-
-
-
-
- More information about the scheduling
- algorithms and example rulesets are available at the OpenBSD's web archive.
-
-
PF Rulesets
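Review bot: This block is removed verbatim and reinserted unchanged at the end of the chapter (the +1486 hunk), so no content is lost by the move; since the text is being touched anyway, the two external links it carries (the CMU HFSC page and the OpenBSD web archive) are worth re-verifying before the move lands, and the "similar to &man.top.1;" paragraph that now directly precedes "PF Rulesets" should be checked so that the enclosing section element is still closed correctly after the deletion.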
@@ -685,7 +596,7 @@ pass proto udp to any port $udp_services keep state
UDP request is passed which asks a name
server about a domain name, PF will
- watch for the response in order to pass it back.
+ watch for the response to pass it back.
Whenever an edit is made to a ruleset, the new rules must
be loaded so they can be used:
@@ -723,7 +634,7 @@ pass proto udp to any port $udp_services keep statexl0 is
connected to the internal network.
- First, enable the gateway in order to let the machine
+ First, enable the gateway to let the machine
forward the network traffic it receives on one interface to
another interface. This sysctl
setting will forward IPv4 packets:
@@ -734,11 +645,12 @@ pass proto udp to any port $udp_services keep state&prompt.root; sysctl net.inet6.ip6.forwarding=1
- To enable these settings at system boot, add the
- following to /etc/rc.conf:
+ To enable these settings at system boot, use
+ &man.sysrc.8; to add them to
+ /etc/rc.conf:
- gateway_enable="YES" #for ipv4
-ipv6_gateway_enable="YES" #for ipv6
+ &prompt.root; sysrc gateway_enable=yes
+&prompt.root; sysrc ipv6_gateway_enable=yesVerify with ifconfig that both of the
interfaces are up and running.
@@ -897,7 +809,7 @@ pass quick inet proto { tcp, udp } to any port $udp_se
proxy program called &man.ftp-proxy.8;, which is included in
the base system of &os;. The role of the proxy is to
dynamically insert and delete rules in the ruleset, using a
- set of anchors, in order to correctly handle
+ set of anchors, to correctly handle
FTP traffic.To enable the FTP proxy, add this
@@ -1063,7 +975,7 @@ pass out on $ext_if inet proto udp from any to any por
icmp_types = "{ echoreq, unreach }"Since the pass rule already uses that macro, it does
- not need to be modified in order to support the new
+ not need to be modified to support the new
ICMP type:pass inet proto icmp all icmp-type $icmp_types keep state
@@ -1302,11 +1214,9 @@ pass inet proto tcp from any to $localnet port $tcp_se
Install the mail/spamd package
- or port. In order to use
- spamd's greylisting
- features, &man.fdescfs.5; must be mounted at /dev/fd. Add the
- following line to
+ or port. To use spamd's
+ greylisting features, &man.fdescfs.5; must be mounted at
+ /dev/fd. Add the following line to
/etc/fstab: fdescfs /dev/fd fdescfs rw 0 0
@@ -1444,8 +1354,8 @@ rdr pass on $ext_if inet proto tcp from !<spamd-whi
xlink:href="http://www.greylisting.org/">greylisting.org
web site. The most amazing thing about greylisting, apart
from its simplicity, is that it still works. Spammers and
- malware writers have been very slow to adapt in order to
- bypass this technique.
+ malware writers have been very slow to adapt to bypass this
+ technique.
The basic procedure for configuring greylisting is as
follows:
@@ -1576,6 +1486,94 @@ antispoof for $int_if
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
+
+
+
+ Enabling ALTQ
+
+ On &os;, ALTQ can be used with
+ PF to provide Quality of Service
+ (QOS). Once
+ ALTQ is enabled, queues can be
+ defined in the ruleset which determine the processing priority
+ of outbound packets.
+
+ Before enabling ALTQ, refer to
+ &man.altq.4; to determine if the drivers for the network cards
+ installed on the system support it.
+
+ ALTQ is not available as a
+ loadable kernel module. If the system's interfaces support
+ ALTQ, create a custom kernel using
+ the instructions in . The
+ following kernel options are available. The first is needed
+ to enable ALTQ. At least one of
+ the other options is necessary to specify the queueing
+ scheduler algorithm:
+
+ options ALTQ
+options ALTQ_CBQ # Class Based Queuing (CBQ)
+options ALTQ_RED # Random Early Detection (RED)
+options ALTQ_RIO # RED In/Out
+options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
+options ALTQ_PRIQ # Priority Queuing (PRIQ)
+
+ The following scheduler algorithms are available:
+
+
+
+ CBQ
+
+ Class Based Queuing (CBQ) is
+ used to divide a connection's bandwidth into different
+ classes or queues to prioritize traffic based on filter
+ rules.
+
+
+
+
+ RED
+
+ Random Early Detection (RED) is
+ used to avoid network congestion by measuring the length
+ of the queue and comparing it to the minimum and maximum
+ thresholds for the queue. When the queue is over the
+ maximum, all new packets are randomly dropped.
+
+
+
+
+ RIO
+
+ In Random Early Detection In and Out
+ (RIO) mode, RED
+ maintains multiple average queue lengths and multiple
+ threshold values, one for each
+ QOS level.
+
+
+
+
+ HFSC
+
+ Hierarchical Fair Service Curve Packet Scheduler
+ (HFSC) is described in http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html.
+
+
+
+
+ PRIQ
+
+ Priority Queuing (PRIQ) always
+ passes traffic that is in a higher queue first.
+
+
+
+
+ More information about the scheduling
+ algorithms and example rulesets are available at the OpenBSD's web archive.
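Review bot: The kernel option comment `options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)` does not match the expansion given in the list below it ("Hierarchical Fair Service Curve Packet Scheduler"); since the section is being moved anyway, align the comment with the list entry. The closing sentence also sends the reader to the OpenBSD web archive for example rulesets, which sits awkwardly with the new warning at the top of the chapter that &os;'s PF has diverged from OpenBSD's; a short note that those examples may need adapting for &os; would keep the two passages consistent.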