Index: chapter.xml
===================================================================
--- chapter.xml
+++ chapter.xml
@@ -1654,21 +1654,25 @@
custom kernel configuration file:
options IPFIREWALL # enables IPFW
-options IPFIREWALL_VERBOSE # enables logging for rules with log keyword
+options IPFIREWALL_VERBOSE # enables logging for rules with log keyword to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry
options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
-options IPDIVERT # enables NAT
+options IPFIREWALL_NAT # enables in-kernel NAT support
+options IPFIREWALL_NAT64 # enables in-kernel NAT64 support
+options IPFIREWALL_NPTV6 # enables in-kernel IPv6 NPT support
+options IPFIREWALL_PMOD # enables protocols modification module support
+options IPDIVERT # enables NAT through natd(8)
To configure the system to enable
- IPFW at boot time, add the
- following entry to /etc/rc.conf:
+ IPFW at boot time, add firewall_enable="YES"
+ to /etc/rc.conf:
- firewall_enable="YES"
+ &prompt.root; sysrc firewall_enable="YES"
To use one of the default firewall types provided by &os;,
add another line which specifies the type:
- firewall_type="open"
+ &prompt.root; sysrc firewall_type="open"
The available types are:
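Review bot: The kernel-option comment on the IPFIREWALL_VERBOSE line is narrowed to "logging for rules with log keyword to syslogd(8)", but the same patch later documents logging through the ipfw0 pseudo-interface with tcpdump under that same option, so the comment now reads as if syslogd(8) were the only destination; consider keeping it destination-neutral ("enables logging for rules with log keyword") and leaving the syslogd(8)/ipfw0 distinction to the rc.conf prose. Two smaller points in the same hunk: the sentence "add another line which specifies the type:" is now followed by a sysrc command rather than a line to add, so "run the following command" (or similar) would match what the reader actually does, and since this is the first place sysrc appears in the section it would help to reference its manual page the way natd(8) and syslogd(8) are referenced.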
@@ -1720,11 +1724,11 @@
firewall_script is set to
/etc/ipfw.rules:
- firewall_script="/etc/ipfw.rules"
+ &prompt.root; sysrc firewall_script="/etc/ipfw.rules"
- To enable logging, include this line:
+ To enable logging through &man.syslogd.8;, include this line:
- firewall_logging="YES"
+ &prompt.root; sysrc firewall_logging="YES"
There is no /etc/rc.conf variable to
set logging limits. To limit the number of times a rule is
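Review bot: "include this line:" and "firewall_script is set to /etc/ipfw.rules:" still describe pasting a variable into rc.conf, but both are now followed by "&prompt.root; sysrc ..." commands; reword to "run the following command" (or "set it with sysrc") so the instruction matches the command shown. The unchanged trailing context "There is no /etc/rc.conf variable to set logging limits" is still accurate after this change, but note that "To enable logging through &man.syslogd.8;" now introduces the syslogd(8) path only, so the ipfw0 alternative added in the next hunk should be cross-referenced from here (for example "see below for logging through the ipfw0 interface") so readers do not assume firewall_logging="YES" is the only option.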
@@ -1731,10 +1735,24 @@
logged per connection attempt, specify the number using this
line in /etc/sysctl.conf:
- net.inet.ip.fw.verbose_limit=5
+ &prompt.root; sysrc -f /etc/sysctl.conf net.inet.ip.fw.verbose_limit=5
- After saving the needed edits, start the firewall. To
- enable logging limits now, also set the
+ To enable logging through a dedicated interface named ipfw0, add this line
+ to /etc/rc.conf instead:
+
+ &prompt.root; sysrc firewall_logif="YES"
+
+ Then use tcpdump to see what is being logged:
+
+ &prompt.root; tcpdump -t -n -i ipfw0
+
+
+ There's no overhead due to logging unless tcpdump is
+ attached.
+
+
+ After saving the needed edits, start the firewall. To
+ enable &man.syslogd.8; logging limits now, also set the
sysctl value specified above:
&prompt.root; service ipfw start
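Review bot: "add this line to /etc/rc.conf instead:" is ambiguous because the paragraph immediately before it is the net.inet.ip.fw.verbose_limit sysctl line, so a reader will take "instead" to mean "instead of the verbose limit"; it should say explicitly that firewall_logif="YES" is an alternative to firewall_logging="YES" (syslogd(8) logging) from the previous section. Related, the sentence "To enable &man.syslogd.8; logging limits now, also set the sysctl value specified above" now implies without saying so that verbose_limit does not apply to ipfw0 logging; one sentence stating that plainly next to the ipfw0 paragraph would save the reader inferring it. Minor: "There's no overhead due to logging unless tcpdump is attached." uses a contraction and is the only sentence in the hunk that does; "There is no overhead..." matches the surrounding text, and the two consecutive empty added lines around it look like an unintended empty paragraph.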