Date: Fri, 14 Feb 2014 18:45:03 +0000 (UTC) From: Dru Lavigne <dru@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r43926 - head/en_US.ISO8859-1/books/handbook/firewalls Message-ID: <201402141845.s1EIj3ZZ077896@svn.freebsd.org>
Author: dru Date: Fri Feb 14 18:45:03 2014 New Revision: 43926 URL: http://svnweb.freebsd.org/changeset/doc/43926 Log: Continue to shuffle and improve flow of this chapter. Many more commits to come. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Fri Feb 14 17:29:44 2014 (r43925) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Fri Feb 14 18:45:03 2014 (r43926) 
@@ -218,17 +218,39 @@ <application>ALTQ</application> (Alternate Queuing), which provides Quality of Service (<acronym>QoS</acronym>).</para> - <para>Since the OpenBSD Project maintains the definitive + <para>The OpenBSD Project maintains the definitive reference for <application>PF</application> in the <link - xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>, - this section of the Handbook focuses on - <application>PF</application> as it pertains to &os;, while - providing some general usage information.</para> + xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>. + Peter Hansteen maintains a thorough <application>PF</application> tutorial at <link + xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>.</para> + + <warning> + <para>When reading the <link + xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>, + keep in mind that different versions of &os; contain + different versions of <application>PF</application>. + &os; 8.<replaceable>X</replaceable> uses the same + version of <application>PF</application> as + OpenBSD 4.1 and &os; 9.<replaceable>X</replaceable> + and later uses the same version of + <application>PF</application> as OpenBSD 4.5.</para> + </warning> + + <para>The &a.pf; is a good place to ask questions about + configuring and running the <application>PF</application> + firewall. Check the mailing list archives + before asking a question as it may have already been answered.</para> <para>More information about porting <application>PF</application> to &os; can be found at <uri xlink:href="http://pf4freebsd.love2party.net/">http://pf4freebsd.love2party.net/</uri>.</para> + <para>This section of the Handbook focuses on + <application>PF</application> as it pertains to &os;. It + demonstrates how to enable <application>PF</application> and + <application>ALTQ</application>. 
It then provides several + examples for creating rulesets on a &os; system.</para> + <sect2> <title>Enabling <application>PF</application></title> @@ -260,12 +282,6 @@ <programlisting>pf_rules="<replaceable>/path/to/pf.conf</replaceable>"</programlisting> - <para>The sample <filename>pf.conf</filename> - can be found in - <filename>/usr/share/examples/pf/</filename>. The rest of - this chapter demonstrates how to create a custom - ruleset.</para> - <para>Logging support for <application>PF</application> is provided by &man.pflog.4;. To enable logging support, add this line to <filename>/etc/rc.conf</filename>:</para> 
@@ -344,6 +360,78 @@ device pfsync</programlisting> <quote>state changes</quote>.</para> </note> --> + + <para>By default, <application>PF</application> reads its + configuration rules from <filename>/etc/pf.conf</filename> and + modifies, drops, or passes packets according to the rules or + definitions specified in this file. The &os; installation + includes several sample files located in + <filename>/usr/share/examples/pf/</filename>. Refer to the + <link xlink:href="http://www.openbsd.org/faq/pf/">PF + FAQ</link> for complete coverage of + <application>PF</application> rulesets.</para> + + <para>To control <application>PF</application>, use + <command>pfctl</command>. <xref + linkend="pfctl"/> summarizes some useful options to this command. + Refer to &man.pfctl.8; for a description of all available + options:</para> + + <table xml:id="pfctl" frame="none" pgwide="1"> + <title>Useful <command>pfctl</command> Options</title> + + <tgroup cols="2"> + <thead> + <row> + <entry>Command</entry> + <entry>Purpose</entry> + </row> + </thead> + + <tbody> + <row> + <entry><command>pfctl + -e</command></entry> + <entry>Enable <application>PF</application>.</entry> + </row> + + <row> + <entry><command>pfctl + -d</command></entry> + <entry>Disable <application>PF</application>.</entry> + </row> + + <row> + <entry><command>pfctl -F all + -f /etc/pf.conf</command></entry> + <entry>Flush all <acronym>NAT</acronym>, filter, state, and table + rules and reload + <filename>/etc/pf.conf</filename>.</entry> + </row> + + <row> + <entry><command>pfctl -s [ rules | nat + state ]</command></entry> + <entry>Report on the filter rules, <acronym>NAT</acronym> rules, or state + table.</entry> + </row> + + <row> + <entry><command>pfctl -vnf + /etc/pf.conf</command></entry> + <entry>Check <filename>/etc/pf.conf</filename> for + errors, but do not load ruleset.</entry> + </row> + </tbody> + </tgroup> + </table> + + <tip> + <para><package>security/sudo</package> is useful for running + commands 
like <command>pfctl</command> that require elevated + privileges. It can be installed from the Ports + Collection.</para> + </tip> </sect2> <sect2> 
@@ -434,93 +522,9 @@ options ALTQ_PRIQ # Priori xlink:href="http://www.openbsd.org/faq/pf/queueing.html">http://www.openbsd.org/faq/pf/queueing.html</uri>.</para> </sect2> - <sect2> - <title>Creating Filtering Rules</title> - - <para>By default, <application>PF</application> reads its - configuration rules from <filename>/etc/pf.conf</filename> and - modifies, drops, or passes packets according to the rules or - definitions specified in this file. The &os; installation - includes several sample files located in - <filename>/usr/share/examples/pf/</filename>. Refer to the - <link xlink:href="http://www.openbsd.org/faq/pf/">PF - FAQ</link> for complete coverage of - <application>PF</application> rulesets.</para> - - <warning> - <para>When reading the <link - xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>, - keep in mind that different versions of &os; contain - different versions of PF. Currently, - &os; 8.<replaceable>X</replaceable> is using the same - version of <application>PF</application> - OpenBSD 4.1. &os; 9.<replaceable>X</replaceable> - and later is using the same version of - <application>PF</application> as OpenBSD 4.5.</para> - </warning> - - <para>The &a.pf; is a good place to ask questions about - configuring and running the <application>PF</application> - firewall. Do not forget to check the mailing list archives - before asking questions.</para> - - <para>To control <application>PF</application>, use - &man.pfctl.8;. Below are some useful options to this command. 
- Review &man.pfctl.8; for a description of all available - options:</para> - - <informaltable frame="none" pgwide="1"> - <tgroup cols="2"> - <thead> - <row> - <entry>Command</entry> - <entry>Purpose</entry> - </row> - </thead> - - <tbody> - <row> - <entry><command>pfctl - -e</command></entry> - <entry>Enable PF.</entry> - </row> - - <row> - <entry><command>pfctl - -d</command></entry> - <entry>Disable PF.</entry> - </row> - - <row> - <entry><command>pfctl -F all - -f /etc/pf.conf</command></entry> - <entry>Flush all NAT, filter, state, and table - rules and reload - <filename>/etc/pf.conf</filename>.</entry> - </row> - - <row> - <entry><command>pfctl -s [ rules | nat - state ]</command></entry> - <entry>Report on the filter rules, NAT rules, or state - table.</entry> - </row> - - <row> - <entry><command>pfctl -vnf - /etc/pf.conf</command></entry> - <entry>Check <filename>/etc/pf.conf</filename> for - errors, but do not load ruleset.</entry> - </row> - </tbody> - </tgroup> - </informaltable> - </sect2> - <sect2 xml:id="pf-tutorial"> <info> - <title><application>PF</application> Rule Sets and - Tools</title> + <title><application>PF</application> Rulesets</title> <authorgroup> <author> 
@@ -534,21 +538,8 @@ options ALTQ_PRIQ # Priori </authorgroup> </info> - <para>This section demonstrates some useful - <application>PF</application> features and - <application>PF</application> related tools in a series of - examples. A more thorough tutorial is available at <link - xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>.</para> - - <tip> - <para><package>security/sudo</package> is useful for running - commands like <command>pfctl</command> that require elevated - privileges. It can be installed from the Ports - Collection.</para> - </tip> - - <sect3 xml:id="pftut-simplest"> - <title>The Simplest Rule Set Ever</title> + <para>This section demonstrates how to create a customized + ruleset, using several examples.</para> <para>The simplest possible setup is for a single machine which will not run any services, and which will talk to one @@ -566,10 +557,6 @@ pass out all keep state</programlisting> trusted. The rule set can be loaded with</para> <screen>&prompt.root; <userinput>pfctl -e ; pfctl -f /etc/pf.conf</userinput></screen> - </sect3> - - <sect3> - <title>Tighter and More Elegant</title> <para>For a slightly more structured and complete setup, we start by denying everything and then allowing only those @@ -653,7 +640,6 @@ pass proto udp to any port $udp_services exactly the way they will be loaded. This is extremely useful when debugging rules.</para> </tip> - </sect3> <sect3 xml:id="pftut-gateway"> <title>A Simple Gateway with NAT</title> 
@@ -664,10 +650,6 @@ pass proto udp to any port $udp_services which is running <application>PF</application> and also acts as a gateway for at least one other machine.</para> - <sect4 xml:id="pftut-gwpitfalls"> - <title>Gateways and the Pitfalls of <literal>in</literal>, - <literal>out</literal> and <literal>on</literal></title> - <para>In the single machine setup, life is relatively simple. Traffic created on it should either pass out to the rest of the world or not, and the administrator @@ -724,7 +706,6 @@ pass proto udp to any port $udp_services <para>For the remainder of this section, with some exceptions, we will keep the rules as simple as possible for readability.</para> - </sect4> <sect4 xml:id="pftut-whatsthelocalnet"> <title>What is the Local Network, Anyway?</title>
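Review bot: the new <warning> in the first hunk packs two version statements into one sentence ("&os; 8.X uses the same version of PF as OpenBSD 4.1 and &os; 9.X and later uses the same version of PF as OpenBSD 4.5"); splitting it after "OpenBSD 4.1." and writing "&os; 9.X and later use the same version of PF as OpenBSD 4.5." reads more clearly. In the same hunk, the Hansteen tutorial is marked up as <link xlink:href="...">http://home.nuug.no/~peter/pf/</link>, while the pf4freebsd address just below it uses <uri xlink:href="...">; when the link text is the URL itself, <uri> is the consistent choice.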
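Review bot: in the pfctl table added in the third hunk, the -s row reads "pfctl -s [ rules | nat state ]" with no separator between nat and state; it should be "[ rules | nat | state ]" to match the three alternatives the Purpose column names (this was carried over from the removed <informaltable>, so fixing it here is the chance to correct it). The table's xml:id="pfctl" is also the only unprefixed id visible in this diff; the neighbouring ids are pf-tutorial, pftut-gateway and pftut-whatsthelocalnet, so a prefixed id such as pf-pfctl is less likely to collide with ids in other chapters, and the <xref linkend="pfctl"/> in the preceding paragraph should be updated in step.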
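Review bot: the last four hunks remove the sect3 with xml:id="pftut-simplest" and the sect4 with xml:id="pftut-gwpitfalls" together with their closing tags. The open/close counts balance across hunks (two <sect3> openings against two </sect3>, one <sect4> against one </sect4>), but the ids themselves disappear, so any <xref linkend="pftut-simplest"/> or linkend="pftut-gwpitfalls" elsewhere in the Handbook will now fail validation; grep the doc tree for both ids and run the chapter through the build's validation once, since the structural removal is spread over several hunks.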