Index: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
===================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
@@ -313,8 +313,11 @@
When reading the PF FAQ,
- keep in mind that &os; uses the same version of
- PF as OpenBSD 4.5.
+ keep in mind that &os;'s version of
+ PF has diverged substantially from
+ the upstream OpenBSD version over the years. Not all features
+ work the same way on &os; as they do in OpenBSD and vice
+ versa.
The &a.pf; is a good place to ask questions about
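Review bot: the rewrite drops the only concrete baseline ("the same version of PF as OpenBSD 4.5") without saying which OpenBSD release &os;'s PF was imported from, yet the sentence exists precisely to tell a reader of the PF FAQ which syntax and features to expect. Keep the originating release alongside the divergence statement, for example "&os;'s PF was imported from OpenBSD 4.5 and has diverged substantially from upstream since then", so the warning stays actionable.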
@@ -322,33 +325,29 @@
firewall. Check the mailing list archives before asking a
question as it may have already been answered.
- More information about porting PF
- to &os; can be found at http://pf4freebsd.love2party.net/.
-
This section of the Handbook focuses on
PF as it pertains to &os;. It
demonstrates how to enable PF and
- ALTQ. It then provides several
+ ALTQ. It also provides several
examples for creating rulesets on a &os; system.Enabling PF
- In order to use PF, its kernel
+ To use PF, its kernel
module must be first loaded. This section describes the
entries that can be added to /etc/rc.conf
- in order to enable PF.
+ to enable PF.
- Start by adding the following line to
+ Start by adding pf_enable=yes to
/etc/rc.conf:
- pf_enable="YES"
+ &prompt.root; sysrc pf_enable=yesAdditional options, described in &man.pfctl.8;, can be
passed to PF when it is started.
- Add this entry to /etc/rc.conf and
- specify any required flags between the two quotes
+ Add or change this entry in /etc/rc.conf
+ and specify any required flags between the two quotes
(""):pf_flags="" # additional flags for pfctl startup
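Review bot: switching `pf_enable` to `&prompt.root; sysrc pf_enable=yes` leaves the `pf_flags="" # additional flags for pfctl startup` entry a few lines later in raw rc.conf syntax, so one section now shows two conventions for editing /etc/rc.conf; either present the flags line as a sysrc invocation too, or keep `pf_enable="YES"` as a literal line so both entries match. Minor: "its kernel module must be first loaded" reads better as "must first be loaded".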
@@ -366,14 +365,14 @@
Logging support for PF is
provided by &man.pflog.4;. To enable logging support, add
- this line to /etc/rc.conf:
+ pflog_enable=yes to
+ /etc/rc.conf:
- pflog_enable="YES"
+ &prompt.root; sysrc pflog_enable=yes
- The following lines can also be added in order to
- change the default location of the log file or to specify any
- additional flags to pass to &man.pflog.4; when it is
- started:
+ The following lines can also be added to change the
+ default location of the log file or to specify any additional
+ flags to pass to &man.pflog.4; when it is started:pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startup
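Review bot: `pflog_enable` is now set through sysrc while `pflog_logfile="/var/log/pflog"` and `pflog_flags=""` immediately below remain literal rc.conf lines, so the reader is shown two different ways of editing the same file within three lines; put all three in the same form (sysrc for each, or a single rc.conf excerpt).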
@@ -381,7 +380,7 @@
Finally, if there is a LAN behind the
firewall and packets need to be forwarded for the computers on
the LAN, or NAT is
- required, add the following option:
+ required, enable the following option:
gateway_enable="YES" # Enable as LAN gateway
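Review bot: "enable the following option" now introduces a literal `gateway_enable="YES" # Enable as LAN gateway` line, whereas the rest of the patch converts rc.conf edits to sysrc, and the later gateway hunk sets the very same variable as `&prompt.root; sysrc gateway_enable=yes`; use the sysrc form here as well so the two places agree. Since that later hunk also adds `ipv6_gateway_enable`, consider mentioning the IPv6 counterpart here rather than only in the gateway example.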
@@ -523,94 +522,6 @@
similar to &man.top.1;.
-
- Enabling ALTQ
-
- On &os;, ALTQ can be used with
- PF to provide Quality of Service
- (QOS). Once
- ALTQ is enabled, queues can be
- defined in the ruleset which determine the processing priority
- of outbound packets.
-
- Before enabling ALTQ, refer to
- &man.altq.4; to determine if the drivers for the network cards
- installed on the system support it.
-
- ALTQ is not available as a
- loadable kernel module. If the system's interfaces support
- ALTQ, create a custom kernel using
- the instructions in . The
- following kernel options are available. The first is needed
- to enable ALTQ. At least one of
- the other options is necessary to specify the queueing
- scheduler algorithm:
-
- options ALTQ
-options ALTQ_CBQ # Class Based Queuing (CBQ)
-options ALTQ_RED # Random Early Detection (RED)
-options ALTQ_RIO # RED In/Out
-options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
-options ALTQ_PRIQ # Priority Queuing (PRIQ)
-
- The following scheduler algorithms are available:
-
-
-
- CBQ
-
- Class Based Queuing (CBQ) is
- used to divide a connection's bandwidth into different
- classes or queues to prioritize traffic based on filter
- rules.
-
-
-
-
- RED
-
- Random Early Detection (RED) is
- used to avoid network congestion by measuring the length
- of the queue and comparing it to the minimum and maximum
- thresholds for the queue. When the queue is over the
- maximum, all new packets are randomly dropped.
-
-
-
-
- RIO
-
- In Random Early Detection In and Out
- (RIO) mode, RED
- maintains multiple average queue lengths and multiple
- threshold values, one for each
- QOS level.
-
-
-
-
- HFSC
-
- Hierarchical Fair Service Curve Packet Scheduler
- (HFSC) is described in http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html.
-
-
-
-
- PRIQ
-
- Priority Queuing (PRIQ) always
- passes traffic that is in a higher queue first.
-
-
-
-
- More information about the scheduling
- algorithms and example rulesets are available at the OpenBSD's web archive.
-
-
PF Rulesets
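Review bot: deleting the whole ALTQ subsection here and re-adding it at the end of the chapter is a section move buried inside a large copy-editing patch, and the diff gives a reviewer no way to confirm that the 88 moved lines are unchanged; split the move into its own commit (or state in the log that it is verbatim). When the block is re-inserted, also check that the cross-reference in "create a custom kernel using the instructions in ." (rendered empty here) still resolves after the move.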
@@ -685,7 +596,7 @@
track some state information. For example, when a
UDP request is passed which asks a name
server about a domain name, PF will
- watch for the response in order to pass it back.
+ watch for the response to pass it back.
Whenever an edit is made to a ruleset, the new rules must
be loaded so they can be used:
@@ -723,7 +634,7 @@
connected to the Internet and xl0 is
connected to the internal network.
- First, enable the gateway in order to let the machine
+ First, enable the gateway to let the machine
forward the network traffic it receives on one interface to
another interface. This sysctl
setting will forward IPv4 packets:
@@ -734,11 +645,12 @@
&prompt.root; sysctl net.inet6.ip6.forwarding=1
- To enable these settings at system boot, add the
- following to /etc/rc.conf:
+ To enable these settings at system boot, use
+ &man.sysrc.8; to add them to
+ /etc/rc.conf:
- gateway_enable="YES" #for ipv4
-ipv6_gateway_enable="YES" #for ipv6
+ &prompt.root; sysrc gateway_enable=yes
+&prompt.root; sysrc ipv6_gateway_enable=yesVerify with ifconfig that both of the
interfaces are up and running.
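Review bot: the `#for ipv4` and `#for ipv6` comments are lost in the change to `sysrc gateway_enable=yes` and `sysrc ipv6_gateway_enable=yes`, and the surrounding prose does not say which variable governs which protocol; either restate in the sentence that gateway_enable covers IPv4 forwarding and ipv6_gateway_enable covers IPv6, or keep the comments in an rc.conf excerpt.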
@@ -897,7 +809,7 @@
proxy program called &man.ftp-proxy.8;, which is included in
the base system of &os;. The role of the proxy is to
dynamically insert and delete rules in the ruleset, using a
- set of anchors, in order to correctly handle
+ set of anchors, to correctly handle
FTP traffic.To enable the FTP proxy, add this
@@ -1063,7 +975,7 @@
icmp_types = "{ echoreq, unreach }"Since the pass rule already uses that macro, it does
- not need to be modified in order to support the new
+ not need to be modified to support the new
ICMP type:pass inet proto icmp all icmp-type $icmp_types keep state
@@ -1302,11 +1214,9 @@
Install the mail/spamd package
- or port. In order to use
- spamd's greylisting
- features, &man.fdescfs.5; must be mounted at /dev/fd. Add the
- following line to
+ or port. To use spamd's
+ greylisting features, &man.fdescfs.5; must be mounted at
+ /dev/fd. Add the following line to
/etc/fstab: fdescfs /dev/fd fdescfs rw 0 0
@@ -1444,8 +1354,8 @@
xlink:href="http://www.greylisting.org/">greylisting.org
web site. The most amazing thing about greylisting, apart
from its simplicity, is that it still works. Spammers and
- malware writers have been very slow to adapt in order to
- bypass this technique.
+ malware writers have been very slow to adapt to bypass this
+ technique.
The basic procedure for configuring greylisting is as
follows:
@@ -1576,6 +1486,94 @@
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
+
+
+
+ Enabling ALTQ
+
+ On &os;, ALTQ can be used with
+ PF to provide Quality of Service
+ (QOS). Once
+ ALTQ is enabled, queues can be
+ defined in the ruleset which determine the processing priority
+ of outbound packets.
+
+ Before enabling ALTQ, refer to
+ &man.altq.4; to determine if the drivers for the network cards
+ installed on the system support it.
+
+ ALTQ is not available as a
+ loadable kernel module. If the system's interfaces support
+ ALTQ, create a custom kernel using
+ the instructions in . The
+ following kernel options are available. The first is needed
+ to enable ALTQ. At least one of
+ the other options is necessary to specify the queueing
+ scheduler algorithm:
+
+ options ALTQ
+options ALTQ_CBQ # Class Based Queuing (CBQ)
+options ALTQ_RED # Random Early Detection (RED)
+options ALTQ_RIO # RED In/Out
+options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
+options ALTQ_PRIQ # Priority Queuing (PRIQ)
+
+ The following scheduler algorithms are available:
+
+
+
+ CBQ
+
+ Class Based Queuing (CBQ) is
+ used to divide a connection's bandwidth into different
+ classes or queues to prioritize traffic based on filter
+ rules.
+
+
+
+
+ RED
+
+ Random Early Detection (RED) is
+ used to avoid network congestion by measuring the length
+ of the queue and comparing it to the minimum and maximum
+ thresholds for the queue. When the queue is over the
+ maximum, all new packets are randomly dropped.
+
+
+
+
+ RIO
+
+ In Random Early Detection In and Out
+ (RIO) mode, RED
+ maintains multiple average queue lengths and multiple
+ threshold values, one for each
+ QOS level.
+
+
+
+
+ HFSC
+
+ Hierarchical Fair Service Curve Packet Scheduler
+ (HFSC) is described in http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html.
+
+
+
+
+ PRIQ
+
+ Priority Queuing (PRIQ) always
+ passes traffic that is in a higher queue first.
+
+
+
+
+ More information about the scheduling
+ algorithms and example rulesets are available at the OpenBSD's web archive.
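Review bot: the moved block keeps `options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)` in the kernel option list while the entry below expands the same acronym as "Hierarchical Fair Service Curve Packet Scheduler"; since the text is being re-inserted anyway, align the comment with the expansion (or note that the shorter name is the one used in the kernel configuration). Placing ALTQ after the ruleset examples also means the kernel build requirements now come after any ruleset that might use queues; confirm that none of the earlier examples rely on queue directives that this subsection was introducing.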