From owner-svn-doc-head@FreeBSD.ORG Fri Feb 14 18:45:04 2014
Return-Path:
Delivered-To: svn-doc-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 310DEAE0; Fri, 14 Feb 2014 18:45:04 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 1068B195A; Fri, 14 Feb 2014 18:45:04 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s1EIj3K8077897; Fri, 14 Feb 2014 18:45:03 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s1EIj3ZZ077896; Fri, 14 Feb 2014 18:45:03 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201402141845.s1EIj3ZZ077896@svn.freebsd.org>
From: Dru Lavigne
Date: Fri, 14 Feb 2014 18:45:03 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r43926 - head/en_US.ISO8859-1/books/handbook/firewalls
X-SVN-Group: doc-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-doc-head@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SVN commit messages for the doc tree for head
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 14 Feb 2014 18:45:04 -0000

Author: dru
Date: Fri Feb 14 18:45:03 2014
New Revision: 43926
URL: http://svnweb.freebsd.org/changeset/doc/43926

Log:
  Continue to shuffle and improve flow of this chapter.
  Many more commits to come.

  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Fri Feb 14 17:29:44 2014 (r43925)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Fri Feb 14 18:45:03 2014 (r43926)
@@ -218,17 +218,39 @@ ALTQ (Alternate Queuing), which provides Quality of Service (QoS). - Since the OpenBSD Project maintains the definitive + The OpenBSD Project maintains the definitive reference for PF in the PF FAQ, - this section of the Handbook focuses on - PF as it pertains to &os;, while - providing some general usage information. + xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ. + Peter Hansteen maintains a thorough PF tutorial at http://home.nuug.no/~peter/pf/. + + + When reading the PF FAQ, + keep in mind that different versions of &os; contain + different versions of PF. + &os; 8.X uses the same + version of PF as + OpenBSD 4.1 and &os; 9.X + and later uses the same version of + PF as OpenBSD 4.5. + + + The &a.pf; is a good place to ask questions about + configuring and running the PF + firewall. Check the mailing list archives + before asking a question as it may have already been answered. More information about porting PF to &os; can be found at http://pf4freebsd.love2party.net/. + This section of the Handbook focuses on + PF as it pertains to &os;. It + demonstrates how to enable PF and + ALTQ. It then provides several + examples for creating rulesets on a &os; system. + Enabling <application>PF</application> @@ -260,12 +282,6 @@ pf_rules="/path/to/pf.conf" - The sample pf.conf - can be found in - /usr/share/examples/pf/. The rest of - this chapter demonstrates how to create a custom - ruleset. - Logging support for PF is provided by &man.pflog.4;. To enable logging support, add this line to /etc/rc.conf: 
@@ -344,6 +360,78 @@ device pfsync state changes. --> + + By default, PF reads its + configuration rules from /etc/pf.conf and + modifies, drops, or passes packets according to the rules or + definitions specified in this file. The &os; installation + includes several sample files located in + /usr/share/examples/pf/. Refer to the + PF + FAQ for complete coverage of + PF rulesets. + + To control PF, use + pfctl. summarizes some useful options to this command. + Refer to &man.pfctl.8; for a description of all available + options: + + + Useful <command>pfctl</command> Options + + + + + Command + Purpose + + + + + + pfctl + -e + Enable PF. + + + + pfctl + -d + Disable PF. + + + + pfctl -F all + -f /etc/pf.conf + Flush all NAT, filter, state, and table + rules and reload + /etc/pf.conf. + + + + pfctl -s [ rules | nat + state ] + Report on the filter rules, NAT rules, or state + table. + + + + pfctl -vnf + /etc/pf.conf + Check /etc/pf.conf for + errors, but do not load ruleset. + + + +
+ + + security/sudo is useful for running + commands like pfctl that require elevated + privileges. It can be installed from the Ports + Collection. +
@@ -434,93 +522,9 @@ options ALTQ_PRIQ # Priori xlink:href="http://www.openbsd.org/faq/pf/queueing.html">http://www.openbsd.org/faq/pf/queueing.html. - - Creating Filtering Rules - - By default, PF reads its - configuration rules from /etc/pf.conf and - modifies, drops, or passes packets according to the rules or - definitions specified in this file. The &os; installation - includes several sample files located in - /usr/share/examples/pf/. Refer to the - PF - FAQ for complete coverage of - PF rulesets. - - - When reading the PF FAQ, - keep in mind that different versions of &os; contain - different versions of PF. Currently, - &os; 8.X is using the same - version of PF - OpenBSD 4.1. &os; 9.X - and later is using the same version of - PF as OpenBSD 4.5. - - - The &a.pf; is a good place to ask questions about - configuring and running the PF - firewall. Do not forget to check the mailing list archives - before asking questions. - - To control PF, use - &man.pfctl.8;. Below are some useful options to this command. - Review &man.pfctl.8; for a description of all available - options: - - - - - - Command - Purpose - - - - - - pfctl - -e - Enable PF. - - - - pfctl - -d - Disable PF. - - - - pfctl -F all - -f /etc/pf.conf - Flush all NAT, filter, state, and table - rules and reload - /etc/pf.conf. - - - - pfctl -s [ rules | nat - state ] - Report on the filter rules, NAT rules, or state - table. - - - - pfctl -vnf - /etc/pf.conf - Check /etc/pf.conf for - errors, but do not load ruleset. - - - - - - - <application>PF</application> Rule Sets and - Tools + <application>PF</application> Rulesets 
@@ -534,21 +538,8 @@ options ALTQ_PRIQ # Priori - This section demonstrates some useful - PF features and - PF related tools in a series of - examples. A more thorough tutorial is available at http://home.nuug.no/~peter/pf/. - - - security/sudo is useful for running - commands like pfctl that require elevated - privileges. It can be installed from the Ports - Collection. - - - - The Simplest Rule Set Ever + This section demonstrates how to create a customized + ruleset, using several examples. The simplest possible setup is for a single machine which will not run any services, and which will talk to one @@ -566,10 +557,6 @@ pass out all keep state trusted. The rule set can be loaded with &prompt.root; pfctl -e ; pfctl -f /etc/pf.conf - - - - Tighter and More Elegant For a slightly more structured and complete setup, we start by denying everything and then allowing only those @@ -653,7 +640,6 @@ pass proto udp to any port $udp_services exactly the way they will be loaded. This is extremely useful when debugging rules. - A Simple Gateway with NAT @@ -664,10 +650,6 @@ pass proto udp to any port $udp_services which is running PF and also acts as a gateway for at least one other machine. - - Gateways and the Pitfalls of <literal>in</literal>, - <literal>out</literal> and <literal>on</literal> - In the single machine setup, life is relatively simple. Traffic created on it should either pass out to the rest of the world or not, and the administrator @@ -724,7 +706,6 @@ pass proto udp to any port $udp_services For the remainder of this section, with some exceptions, we will keep the rules as simple as possible for readability. - What is the Local Network, Anyway?
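Review bot: the version note added in the hunk at -218,17 +218,39 ("&os; 8.X uses the same version of PF as OpenBSD 4.1 and &os; 9.X and later uses the same version of PF as OpenBSD 4.5") drops the removed text's "Currently" but still states a mapping that will go stale as releases move on; anchor it to a release or date, and state the practical reason the reader is asked to "keep in mind" the difference: the PF FAQ is written for the current OpenBSD PF, so examples taken from it may use syntax or features that the older PF shipped with &os; does not accept, which is exactly when the mailing list archives mentioned in the same hunk become the place to look.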
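Review bot: the deletion in the hunk at -260,12 +282,6 removes the only sentence in the Enabling section that tells the reader where a sample pf.conf can be found, so `pf_rules="/path/to/pf.conf"` is now immediately followed by the pflog paragraph with no hint that /usr/share/examples/pf/ exists until the later section; since the reader is being told to set pf_rules before being told where a starting ruleset lives, keep a one-line cross reference here ("Sample rulesets are in /usr/share/examples/pf/; see the next section for creating a custom one").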
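Review bot: in the hunk at -344,6 +360,78 the sentence "To control PF, use pfctl. summarizes some useful options to this command." has no subject for "summarizes"; if an xref to the new "Useful pfctl Options" table is intended, give the table an xml:id and make sure the xref resolves, otherwise write "The following table summarizes". In the same table, the row "pfctl -s [ rules | nat state ]" needs a separator between nat and state to match the three alternatives in its Purpose column ("filter rules, NAT rules, or state table"), i.e. `pfctl -s [ rules | nat | state ]`. The Purpose text for `pfctl -F all -f /etc/pf.conf` should also say that flushing `all` empties the state table, so established connections are dropped, and should point at the `pfctl -vnf /etc/pf.conf` row as the step to run first, because a ruleset that fails to parse after the flush leaves PF running with no rules loaded.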
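Review bot: dangling-reference check for the hunk at -434,93 +522,9: removing the entire "Creating Filtering Rules" section, table included, will break any xref elsewhere in the Handbook that pointed at that section's or table's xml:id, so grep the tree for those ids before committing and retarget them at the copy re-added in the earlier hunk. The re-added copy also repairs the removed text's "the same version of PF OpenBSD 4.1" (missing "as"), which is good; just confirm nothing else from the removed block, such as the "Do not forget to check the mailing list archives" advice, was dropped unintentionally rather than moved.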
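Review bot: style point in the hunk at -534,21 +538,8: "This section demonstrates how to create a customized ruleset, using several examples." reads as if the ruleset is the thing using the examples; "This section uses several examples to demonstrate how to create a customized ruleset." says what is meant. With the "The Simplest Rule Set Ever" heading gone, that sentence is now the only lead-in before "The simplest possible setup is for a single machine", so it carries the whole transition and is worth getting right.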
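Review bot: with the "Tighter and More Elegant" heading removed in the hunk at -566,10 +557,6, the command line just above it, `pfctl -e ; pfctl -f /etc/pf.conf`, now reads as the section's general procedure for activating a ruleset, and it enables PF before loading the rules; between the two commands PF runs with whatever ruleset was previously loaded, possibly none, which means no filtering at all. Reversing the order (`pfctl -f /etc/pf.conf ; pfctl -e`) removes that window and is the habit the examples should teach.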
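Review bot: the heading removed in the hunk at -664,10 +650,6 ("Gateways and the Pitfalls of in, out and on") was the only text naming the pitfall; the paragraph that survives ("In the single machine setup, life is relatively simple.") never says which keywords it is about to discuss, so a reader now meets the direction-keyword discussion for gateway rules without being told that is the topic. Fold the phrase into that first sentence (for example, "On a gateway, the meaning of in, out and on is the main pitfall; in the single machine setup, life is relatively simple") so the warning is not lost along with the heading.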