Index: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml =================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml @@ -313,8 +313,11 @@ When reading the PF FAQ, - keep in mind that &os; uses the same version of - PF as OpenBSD 4.5. + keep in mind that &os;'s version of + PF has diverged substantially from + the upstream OpenBSD version over the years. Not all features + work the same way on &os; as they do in OpenBSD and vice + versa. The &a.pf; is a good place to ask questions about @@ -322,33 +325,29 @@ firewall. Check the mailing list archives before asking a question as it may have already been answered. - More information about porting PF - to &os; can be found at http://pf4freebsd.love2party.net/. - This section of the Handbook focuses on PF as it pertains to &os;. It demonstrates how to enable PF and - ALTQ. It then provides several + ALTQ. It also provides several examples for creating rulesets on a &os; system. Enabling <application>PF</application> - In order to use PF, its kernel + To use PF, its kernel module must be first loaded. This section describes the entries that can be added to /etc/rc.conf - in order to enable PF. + to enable PF. - Start by adding the following line to + Start by adding pf_enable=yes to /etc/rc.conf: - pf_enable="YES" + &prompt.root; sysrc pf_enable=yes Additional options, described in &man.pfctl.8;, can be passed to PF when it is started. - Add this entry to /etc/rc.conf and - specify any required flags between the two quotes + Add or change this entry in /etc/rc.conf + and specify any required flags between the two quotes (""): pf_flags="" # additional flags for pfctl startup 
@@ -366,14 +365,14 @@ Logging support for PF is provided by &man.pflog.4;. To enable logging support, add - this line to /etc/rc.conf: + pflog_enable=yes to + /etc/rc.conf: - pflog_enable="YES" + &prompt.root; sysrc pflog_enable=yes - The following lines can also be added in order to - change the default location of the log file or to specify any - additional flags to pass to &man.pflog.4; when it is - started: + The following lines can also be added to change the + default location of the log file or to specify any additional + flags to pass to &man.pflog.4; when it is started: pflog_logfile="/var/log/pflog" # where pflogd should store the logfile pflog_flags="" # additional flags for pflogd startup @@ -381,7 +380,7 @@ Finally, if there is a LAN behind the firewall and packets need to be forwarded for the computers on the LAN, or NAT is - required, add the following option: + required, enable the following option: gateway_enable="YES" # Enable as LAN gateway 
@@ -523,94 +522,6 @@ similar to &man.top.1;. - - Enabling <application>ALTQ</application> - - On &os;, ALTQ can be used with - PF to provide Quality of Service - (QOS). Once - ALTQ is enabled, queues can be - defined in the ruleset which determine the processing priority - of outbound packets. - - Before enabling ALTQ, refer to - &man.altq.4; to determine if the drivers for the network cards - installed on the system support it. - - ALTQ is not available as a - loadable kernel module. If the system's interfaces support - ALTQ, create a custom kernel using - the instructions in . The - following kernel options are available. The first is needed - to enable ALTQ. At least one of - the other options is necessary to specify the queueing - scheduler algorithm: - - options ALTQ -options ALTQ_CBQ # Class Based Queuing (CBQ) -options ALTQ_RED # Random Early Detection (RED) -options ALTQ_RIO # RED In/Out -options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC) -options ALTQ_PRIQ # Priority Queuing (PRIQ) - - The following scheduler algorithms are available: - - - - CBQ - - Class Based Queuing (CBQ) is - used to divide a connection's bandwidth into different - classes or queues to prioritize traffic based on filter - rules. - - - - - RED - - Random Early Detection (RED) is - used to avoid network congestion by measuring the length - of the queue and comparing it to the minimum and maximum - thresholds for the queue. When the queue is over the - maximum, all new packets are randomly dropped. - - - - - RIO - - In Random Early Detection In and Out - (RIO) mode, RED - maintains multiple average queue lengths and multiple - threshold values, one for each - QOS level. - - - - - HFSC - - Hierarchical Fair Service Curve Packet Scheduler - (HFSC) is described in http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html. - - - - - PRIQ - - Priority Queuing (PRIQ) always - passes traffic that is in a higher queue first. 
- - - - - More information about the scheduling - algorithms and example rulesets are available at the OpenBSD's web archive. - - <application>PF</application> Rulesets @@ -685,7 +596,7 @@ track some state information. For example, when a UDP request is passed which asks a name server about a domain name, PF will - watch for the response in order to pass it back. + watch for the response to pass it back. Whenever an edit is made to a ruleset, the new rules must be loaded so they can be used: @@ -723,7 +634,7 @@ connected to the Internet and xl0 is connected to the internal network. - First, enable the gateway in order to let the machine + First, enable the gateway to let the machine forward the network traffic it receives on one interface to another interface. This sysctl setting will forward IPv4 packets: @@ -734,11 +645,12 @@ &prompt.root; sysctl net.inet6.ip6.forwarding=1 - To enable these settings at system boot, add the - following to /etc/rc.conf: + To enable these settings at system boot, use + &man.sysrc.8; to add them to + /etc/rc.conf: - gateway_enable="YES" #for ipv4 -ipv6_gateway_enable="YES" #for ipv6 + &prompt.root; sysrc gateway_enable=yes +&prompt.root; sysrc ipv6_gateway_enable=yes Verify with ifconfig that both of the interfaces are up and running. @@ -897,7 +809,7 @@ proxy program called &man.ftp-proxy.8;, which is included in the base system of &os;. The role of the proxy is to dynamically insert and delete rules in the ruleset, using a - set of anchors, in order to correctly handle + set of anchors, to correctly handle FTP traffic. To enable the FTP proxy, add this @@ -1063,7 +975,7 @@ icmp_types = "{ echoreq, unreach }" Since the pass rule already uses that macro, it does - not need to be modified in order to support the new + not need to be modified to support the new ICMP type: pass inet proto icmp all icmp-type $icmp_types keep state 
@@ -1302,11 +1214,9 @@ Install the mail/spamd package - or port. In order to use - spamd's greylisting - features, &man.fdescfs.5; must be mounted at /dev/fd. Add the - following line to + or port. To use spamd's + greylisting features, &man.fdescfs.5; must be mounted at + /dev/fd. Add the following line to /etc/fstab: fdescfs /dev/fd fdescfs rw 0 0 @@ -1444,8 +1354,8 @@ xlink:href="http://www.greylisting.org/">greylisting.org web site. The most amazing thing about greylisting, apart from its simplicity, is that it still works. Spammers and - malware writers have been very slow to adapt in order to - bypass this technique. + malware writers have been very slow to adapt to bypass this + technique. The basic procedure for configuring greylisting is as follows: 
@@ -1576,6 +1486,94 @@ block drop in quick on $ext_if from $martians to any block drop out quick on $ext_if from any to $martians + + + + Enabling <application>ALTQ</application> + + On &os;, ALTQ can be used with + PF to provide Quality of Service + (QOS). Once + ALTQ is enabled, queues can be + defined in the ruleset which determine the processing priority + of outbound packets. + + Before enabling ALTQ, refer to + &man.altq.4; to determine if the drivers for the network cards + installed on the system support it. + + ALTQ is not available as a + loadable kernel module. If the system's interfaces support + ALTQ, create a custom kernel using + the instructions in . The + following kernel options are available. The first is needed + to enable ALTQ. At least one of + the other options is necessary to specify the queueing + scheduler algorithm: + + options ALTQ +options ALTQ_CBQ # Class Based Queuing (CBQ) +options ALTQ_RED # Random Early Detection (RED) +options ALTQ_RIO # RED In/Out +options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC) +options ALTQ_PRIQ # Priority Queuing (PRIQ) + + The following scheduler algorithms are available: + + + + CBQ + + Class Based Queuing (CBQ) is + used to divide a connection's bandwidth into different + classes or queues to prioritize traffic based on filter + rules. + + + + + RED + + Random Early Detection (RED) is + used to avoid network congestion by measuring the length + of the queue and comparing it to the minimum and maximum + thresholds for the queue. When the queue is over the + maximum, all new packets are randomly dropped. + + + + + RIO + + In Random Early Detection In and Out + (RIO) mode, RED + maintains multiple average queue lengths and multiple + threshold values, one for each + QOS level. + + + + + HFSC + + Hierarchical Fair Service Curve Packet Scheduler + (HFSC) is described in http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html. 
+ + + + + PRIQ + + Priority Queuing (PRIQ) always + passes traffic that is in a higher queue first. + + + + + More information about the scheduling + algorithms and example rulesets are available at the OpenBSD's web archive.
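Review bot: the @@ -313 hunk drops the only concrete reference point the reader had ("the same version of PF as OpenBSD 4.5") without offering a replacement; since the new text says features differ in both directions, add one sentence pointing to the &os;-specific documentation (&man.pf.4; and &man.pf.conf.5;) as the authority for syntax and behaviour on &os;, so a reader who hits a discrepancy while following the PF FAQ knows which source wins.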
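Review bot: in the @@ -322 hunk the pf_enable step now uses `&prompt.root; sysrc pf_enable=yes`, but the pf_flags step a few lines later still tells the reader to "specify any required flags between the two quotes" of a raw `pf_flags=""` line in /etc/rc.conf; the section now mixes a command-driven and a hand-edit workflow for two settings that sit next to each other. Pick one mechanism: either show `&prompt.root; sysrc pf_flags="..."` and reword the "between the two quotes" sentence, or keep both settings as rc.conf lines.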
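Review bot: the same mixing appears in the @@ -366 hunk: pflog_enable is set via sysrc, while pflog_logfile and pflog_flags are still presented as raw rc.conf lines introduced by "The following lines can also be added"; either convert those two to sysrc invocations as well, or make the sentence say explicitly that these are /etc/rc.conf entries, so the reader is not left guessing whether to run a command or edit the file.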
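Review bot: the @@ -381 hunk changes only the verb ("add" to "enable") but leaves `gateway_enable="YES"` as an rc.conf line, while the @@ -734 hunk converts the very same setting to `&prompt.root; sysrc gateway_enable=yes`; the chapter now documents one setting two different ways. Convert this occurrence to sysrc too, and consider mentioning `ipv6_gateway_enable` here as the later hunk already does, so both sections agree.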
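Review bot: the @@ -523 hunk deletes the entire "Enabling ALTQ" section and the identical text reappears in the @@ -1576 hunk at the end of the chapter, so this is a relocation rather than a removal; state that in the commit message, and verify that the section's id attribute and every xref or link that targets it are carried across unchanged, because a silently changed anchor breaks inbound links from other chapters and external sites.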
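Review bot: in the @@ -1444 hunk the mechanical "in order to" removal yields "slow to adapt to bypass this technique", where "adapt to" reads as a phrasal verb and the sentence becomes ambiguous; this is the one place where the original wording was clearer. Suggest "have been very slow to change their tactics to bypass this technique" or similar, rather than a bare "adapt to bypass".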
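Review bot: since the @@ -1576 hunk moves the ALTQ text verbatim, two small inconsistencies travel with it and this is the natural moment to fix them: the `options ALTQ_HFSC` comment calls the scheduler "Hierarchical Packet Scheduler (HFSC)" while the list entry expands it as "Hierarchical Fair Service Curve Packet Scheduler", and the hunk carries two external links (the CMU HFSC page and "the OpenBSD's web archive", which also wants "OpenBSD's web archive" without the article) across from a section that this same commit already prunes of one stale link (pf4freebsd.love2party.net), so confirm both still resolve before landing.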