From owner-svn-doc-head@FreeBSD.ORG Fri Feb 14 20:37:26 2014 Return-Path: Delivered-To: svn-doc-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 750E3F46; Fri, 14 Feb 2014 20:37:26 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 433651450; Fri, 14 Feb 2014 20:37:26 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s1EKbQVm022789; Fri, 14 Feb 2014 20:37:26 GMT (envelope-from dru@svn.freebsd.org) Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s1EKbQ44022788; Fri, 14 Feb 2014 20:37:26 GMT (envelope-from dru@svn.freebsd.org) Message-Id: <201402142037.s1EKbQ44022788@svn.freebsd.org> From: Dru Lavigne Date: Fri, 14 Feb 2014 20:37:26 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r43928 - head/en_US.ISO8859-1/books/handbook/firewalls X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-head@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the doc tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Feb 2014 20:37:26 -0000 Author: dru Date: Fri Feb 14 20:37:25 2014 New Revision: 43928 URL: http://svnweb.freebsd.org/changeset/doc/43928 Log: Tighten up this subsection. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Fri Feb 14 18:53:20 2014 (r43927) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Fri Feb 14 20:37:25 2014 (r43928) @@ -540,104 +540,87 @@ options ALTQ_PRIQ # Priori This section demonstrates how to create a customized - ruleset, using several examples. - - The simplest possible setup is for a single machine - which will not run any services, and which will talk to one - network which may be the Internet. A minimal - /etc/pf.conf looks like this: + ruleset. It starts with the simplest of rulesets and builds + upon its concepts using several examples to demonstrate + real-world usage of PF's many + features. + + The simplest possible ruleset is for a single machine + that does not run any services and which needs access to one + network, which may be the Internet. To create this minimal + ruleset, edit + /etc/pf.conf so it looks like this: block in all pass out all keep state - Here we deny any incoming traffic, allow traffic we make - ourselves to pass, and retain state information on our - connections. Keeping state information allows return - traffic for all connections we have initiated to pass back - to us. This rule set is used on machines that can be - trusted. The rule set can be loaded with + The first rule denies all incoming traffic by default. + The second rule allows + connections created by this system + to pass out, while retaining state information on those + connections. This state information allows return + traffic for those connections to pass back and + should only be used on machines that can be + trusted. The ruleset can be loaded with: &prompt.root; pfctl -e ; pfctl -f /etc/pf.conf - For a slightly more structured and complete setup, we - start by denying everything and then allowing only those - things we know that we need - Why write the rule set to default deny? The - short answer is, it gives better control at the expense - of some thinking. The point of packet filtering is to - take control, not to run catch-up with what the bad guys - do. Marcus Ranum has written a very entertaining and - informative article about this, The - Six Dumbest Ideas in Computer Security, and - it is well written too.. This gives - us the opportunity to introduce two of the features which - make PF such a wonderful tool: + In addition to keeping state, + PF provides lists and - macros. - - We will make some changes to - /etc/pf.conf, starting with - - block all - - Then we back up a little. Macros need to be defined - before use, so at the very top of the file, we add: + macros which can be defined for use + when creating rules. Macros can include lists and need to be defined + before use. As an example, insert these lines at the + very top of the ruleset: tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }" udp_services = "{ domain }" - Now we have demonstrated several things at once - what - macros look like, that macros may be lists, and that - PF understands rules using port - names equally well as it does port numbers. The names are - the ones listed in /etc/services. This - gives us something to put in our rules, which we edit - slightly to look like this: + PF understands port + names as well as port numbers, as long as the names are listed + in /etc/services. This example + creates two macros. The first is a list of seven + TCP port names and the second is one + UDP port name. Once defined, macros can + be used in rules. In this example, all traffic is blocked + except for the connections initiated by this system for the + seven specified TCP services and the one + specified UDP service: - block all + tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }" +udp_services = "{ domain }" +block all pass out proto tcp to any port $tcp_services keep state pass proto udp to any port $udp_services keep state - At this point some of us will point out that UDP is - stateless, but PF actually - manages to maintain state information despite this. Keeping - state for a UDP connection means that for example when you - ask a name server about a domain name, you will be able to - receive its answer. - - Since we have made changes to our - pf.conf, we load the new - rules: + Even though UDP is considered to be + a stateless protocol, PF + is able to track some state information. For example, when a + UDP request is passed which + asks a name server about a domain name, PF + will watch for the response in order to pass it back. + + Whenever an edit is made to a ruleset, the new rules + must be loaded so they can be used: &prompt.root; pfctl -f /etc/pf.conf - and the new rules are applied. If there are no syntax + If there are no syntax errors, pfctl will not output any - messages during the rule load. The flag - will produce more verbose pfctl - output. - - If there have been extensive changes to the rule set, - the rules can be tested before attempting to load them. The - command to do this is + messages during the rule load. Rules can also be tested before attempting to load them: &prompt.root; pfctl -nf /etc/pf.conf - causes the rules to be interpreted - only, but does not load them. This provides an opportunity - to correct any errors. Under any circumstances, the last - valid rule set loaded will be in force until - PF is disabled or a new rule set + Including causes the rules to be interpreted + only, but not loaded. This provides an opportunity + to correct any errors. At all times, the last + valid ruleset loaded will be enforced until either + PF is disabled or a new ruleset is loaded. - Use <command>pfctl -v</command> to Show the Parsed - Rule Set - - Adding the to a - pfctl ruleset load (even a dry run with - ) will display the fully parsed rules + Adding to a + pfctl ruleset verify or load will display the fully parsed rules exactly the way they will be loaded. This is extremely useful when debugging rules. @@ -699,10 +682,10 @@ pass proto udp to any port $udp_services good these days, and we will get back to them later. For now we just accept the fact that for simple setups, interface-bound rules with in/out rules tend to add more - clutter than they are worth to rule sets. + clutter than they are worth to rulesets. - For a busy network admin, a readable rule set is a - safer rule set. + For a busy network admin, a readable ruleset is a + safer ruleset. For the remainder of this section, with some exceptions, we will keep the rules as simple as possible @@ -713,7 +696,7 @@ pass proto udp to any port $udp_services Above, we introduced the interface:network notation. That is a - nice piece of shorthand, but the rule set can be made even + nice piece of shorthand, but the ruleset can be made even more readable and maintainable by taking the macro use a tiny bit further. @@ -809,7 +792,7 @@ pass from { lo0, $localnet } to any keep the last time during this tutorial we will find this of any interest whatsoever. In truly simple setups like this one, we may not gain very much by using macros like these, - but once the rule sets grow somewhat larger, you will + but once the rulesets grow somewhat larger, you will learn to appreciate the readability this provides. Also note the nat rule. This is @@ -825,7 +808,7 @@ pass from { lo0, $localnet } to any keep interruptions even if the external IP address changes. - On the other hand, this rule set probably allows more + On the other hand, this ruleset probably allows more traffic to pass out of the network than actually desired. One reasonable setup could contain the macro @@ -866,9 +849,9 @@ pass from { lo0, $localnet } to any keep pass quick inet proto { tcp, udp } to any port $udp_services keep state Note the quick keyword in this - rule. We have started writing rule sets which consist of + rule. We have started writing rulesets which consist of several rules, and it is time to take a look at the - relationships between the rules in a rule set. The rules + relationships between the rules in a ruleset. The rules are evaluated from top to bottom, in the sequence they are written in the configuration file. For each packet or connection evaluated by PF, @@ -1083,7 +1066,7 @@ rdr-anchor "ftp-proxy/*"One of the early workarounds was to simply block either all ICMP traffic or at least ICMP ECHO, which is what ping uses. Now - these rule sets have been around for roughly fifteen years, + these rulesets have been around for roughly fifteen years, and the people who put them there are still scared. @@ -1128,7 +1111,7 @@ pass inet proto icmp from any to $ext_if Letting <command>ping</command> Through - The rule set we have developed so far has one clear + The ruleset we have developed so far has one clear disadvantage: common troubleshooting commands such as &man.ping.8; and &man.traceroute.8; will not work. That may not matter too much to end users, and since it was @@ -1138,9 +1121,9 @@ pass inet proto icmp from any to $ext_if we are better off without it. If you are in my perceived target audience, you will be rather fond of having those troubleshooting tools avalable. With a couple of small - additions to the rule set, they will be. &man.ping.8; + additions to the ruleset, they will be. &man.ping.8; uses ICMP, and in order to keep our - rule set tidy, we start by defining another macro: + ruleset tidy, we start by defining another macro: icmp_types = "echoreq" @@ -1261,7 +1244,7 @@ pass out on $ext_if inet proto udp from Quite right, and PF offers mechanisms for handling these situations as well. Tables are one such feature, mainly useful as lists which can be - manipulated without needing to reload the entire rule set, + manipulated without needing to reload the entire ruleset, and where fast lookups are desirable. Table names are always enclosed in < >, like this: @@ -1361,7 +1344,7 @@ Sep 26 03:12:44 skapet sshd[24703]: Fail table <bruteforce> persist - Then somewhere fairly early in the rule set, add a rule + Then somewhere fairly early in the ruleset, add a rule to block the bruteforcers: block quick from <bruteforce> @@ -1598,7 +1581,7 @@ Sep 26 03:12:44 skapet sshd[24703]: Fail - Next, edit the rule set to include + Next, edit the ruleset to include table <spamd> persist table <spamd-white> persist @@ -1698,7 +1681,7 @@ rdr pass on $ext_if inet proto tcp from spamd_flags="-v" # for normal use: "" and see spamd-setup(8) When done with editing the setup, - reload the rule set, start + reload the ruleset, start spamd with the options desired using the /usr/local/etc/rc.d/obspamd