Index: chapter.xml =================================================================== --- chapter.xml +++ chapter.xml @@ -1329,7 +1329,7 @@ The two tables <spamd> and <spamd-white> are essential. SMTP traffic from an address listed - in <spamd> but not in + in <spamd> but not in <spamd-white> is redirected to the spamd daemon listening at port 8025. @@ -1623,52 +1623,21 @@ custom kernel is not needed in order to enable IPFW. - - kernel options - - IPFIREWALL - - - - kernel options - - IPFIREWALL_VERBOSE - - - - kernel options - - IPFIREWALL_VERBOSE_LIMIT - - - - IPFW - - kernel options - - For those users who wish to statically compile IPFW support into a custom kernel, - refer to the instructions in . - The following options are available for the - custom kernel configuration file: + see . - options IPFIREWALL # enables IPFW -options IPFIREWALL_VERBOSE # enables logging for rules with log keyword -options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry -options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied -options IPDIVERT # enables NAT - To configure the system to enable - IPFW at boot time, add the - following entry to /etc/rc.conf: + IPFW at boot time, add + firewall_enable="YES" to + /etc/rc.conf: - firewall_enable="YES" + &prompt.root; sysrc firewall_enable="YES" To use one of the default firewall types provided by &os;, add another line which specifies the type: - firewall_type="open" + &prompt.root; sysrc firewall_type="open" The available types are: @@ -1720,11 +1689,12 @@ firewall_script is set to /etc/ipfw.rules: - firewall_script="/etc/ipfw.rules" + &prompt.root; sysrc firewall_script="/etc/ipfw.rules" - To enable logging, include this line: + To enable logging through &man.syslogd.8;, include this + line: - firewall_logging="YES" + &prompt.root; sysrc firewall_logging="YES" There is no /etc/rc.conf variable to set logging limits. To limit the number of times a rule is 
@@ -1731,8 +1701,24 @@ logged per connection attempt, specify the number using this line in /etc/sysctl.conf: - net.inet.ip.fw.verbose_limit=5 + &prompt.root; sysrc -f /etc/sysctl.conf net.inet.ip.fw.verbose_limit=5 + To enable logging through a dedicated interface named + ipfw0, add this line to + /etc/rc.conf instead: + + &prompt.root; sysrc firewall_logif="YES" + + Then use tcpdump to see what is + being logged: + + &prompt.root; tcpdump -t -n -i ipfw0 + + + There is no overhead due to logging unless + tcpdump is attached. + + After saving the needed edits, start the firewall. To enable logging limits now, also set the sysctl value specified above: @@ -2257,7 +2243,7 @@ $cmd 130 $skip icmp from any to any out via $pif $ks The inbound rules remain the same, except for the very - last rule which removes the via $pif in + last rule which removes the via $pif in order to catch both inbound and outbound rules. The NAT rule must follow this last outbound rule, must have a higher number than that last rule, and the 
@@ -2610,6 +2596,55 @@ &prompt.root; ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state + + + <application>IPFW</application> Kernel Options + + + kernel options + + IPFIREWALL + + + + kernel options + + IPFIREWALL_VERBOSE + + + + kernel options + + IPFIREWALL_VERBOSE_LIMIT + + + + IPFW + + kernel options + + In order to statically compile + IPFW support into a custom kernel, + refer to the instructions in . + The following options are available for the + custom kernel configuration file: + + options IPFIREWALL # enables IPFW +options IPFIREWALL_VERBOSE # enables logging for rules with log keyword to syslogd(8) +options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry +options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied +options IPFIREWALL_NAT # enables in-kernel NAT support +options IPFIREWALL_NAT64 # enables in-kernel NAT64 support +options IPFIREWALL_NPTV6 # enables in-kernel IPv6 NPT support +options IPFIREWALL_PMOD # enables protocols modification module support +options IPDIVERT # enables NAT through natd(8) + + + IPFW can be loaded as + a kernel module: options above are built by default + as modules or can be set at runtime using tunables. + +
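Review bot: the rewritten sentence in the @@ -1623 hunk, "For those users who wish to statically compile IPFW support into a custom kernel, see .", keeps the old wordy lead-in while the new section this patch adds at @@ -2610 opens with "In order to statically compile IPFW support into a custom kernel"; suggest "To statically compile IPFW support into a custom kernel, see ..." in both places so the two paragraphs that point at each other read the same way. The switch from a bare rc.conf line to `&prompt.root; sysrc firewall_enable="YES"` is consistent with the surrounding "add firewall_enable="YES" to /etc/rc.conf" wording, so no change needed there.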
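Review bot: the new ipfw0 paragraph in the @@ -1731 hunk tells the reader to set `firewall_logif="YES"` "instead" of `firewall_logging="YES"`, but nothing says what happens when both lines end up in /etc/rc.conf, nor whether the `net.inet.ip.fw.verbose_limit=5` setting shown two lines earlier applies to the ipfw0 path or only to the syslogd path; one sentence making the two logging modes explicitly exclusive and saying which limit applies to which would stop readers from configuring both and getting neither. The note "There is no overhead due to logging unless tcpdump is attached" is a good addition, since it answers the obvious objection to leaving the log keyword on rules.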
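Review bot: the closing sentence of the new "IPFW Kernel Options" section in the @@ -2610 hunk, "options above are built by default as modules or can be set at runtime using tunables", does not say which of the listed options are module-loadable and which are controlled by tunables; because `IPFIREWALL_DEFAULT_TO_ACCEPT` flips the default policy from denying everything to passing whatever is not explicitly denied, the section should state how that default is controlled when ipfw is loaded as a module rather than compiled in, otherwise a reader who loads the module expecting a compiled-in default can end up running with the opposite policy. Suggest splitting the sentence into two: one naming the options that are available as modules, one naming the tunable equivalents. The per-option comments are otherwise clear; the `IPFIREWALL_VERBOSE_LIMIT=5` comment could additionally point at the `net.inet.ip.fw.verbose_limit` sysctl used in the logging section so the two ways of setting the same limit are tied together.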