D18484.id51756.diff
Index: chapter.xml
===================================================================
--- chapter.xml
+++ chapter.xml
@@ -1654,21 +1654,25 @@
custom kernel configuration file:</para>
<programlisting>options IPFIREWALL # enables IPFW
-options IPFIREWALL_VERBOSE # enables logging for rules with log keyword
+options IPFIREWALL_VERBOSE # enables logging for rules with log keyword to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry
options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
-options IPDIVERT # enables NAT</programlisting>
+options IPFIREWALL_NAT # enables in-kernel NAT support
+options IPFIREWALL_NAT64 # enables in-kernel NAT64 support
+options IPFIREWALL_NPTV6 # enables in-kernel IPv6 NPT support
+options IPFIREWALL_PMOD # enables protocols modification module support
+options IPDIVERT # enables NAT through natd(8)</programlisting>
<para>To configure the system to enable
- <application>IPFW</application> at boot time, add the
- following entry to <filename>/etc/rc.conf</filename>:</para>
+ <application>IPFW</application> at boot time, add <literal>firewall_enable="YES"</literal>
+ to <filename>/etc/rc.conf</filename>:</para>
- <programlisting>firewall_enable="YES"</programlisting>
+ <screen>&prompt.root; <userinput>sysrc firewall_enable="YES"</userinput></screen>
<para>To use one of the default firewall types provided by &os;,
add another line which specifies the type:</para>
- <programlisting>firewall_type="open"</programlisting>
+ <screen>&prompt.root; <userinput>sysrc firewall_type="open"</userinput></screen>
<para>The available types are:</para>
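Review bot: the comment on the new IPFIREWALL_PMOD line, "enables protocols modification module support", should read "protocol modification" (singular), and the reader would benefit from a hint at what the module does rather than only that it exists. The IPDIVERT comment now says "enables NAT through natd(8)" right under IPFIREWALL_NAT "enables in-kernel NAT support", which reads as two parallel NAT implementations; IPDIVERT enables divert sockets, which natd(8) needs, so "enables divert sockets, used by natd(8) for NAT" would make the relationship clear. Also, with the <programlisting> lines replaced by <screen> sysrc commands, the unchanged lead-in "add another line which specifies the type" no longer matches what follows; "run another sysrc command" or similar would keep prose and example in step.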
@@ -1720,11 +1724,11 @@
<literal>firewall_script</literal> is set to
<filename>/etc/ipfw.rules</filename>:</para>
- <programlisting>firewall_script="/etc/ipfw.rules"</programlisting>
+ <screen>&prompt.root; <userinput>sysrc firewall_script="/etc/ipfw.rules"</userinput></screen>
- <para>To enable logging, include this line:</para>
+ <para>To enable logging through &man.syslogd.8;, include this line:</para>
- <programlisting>firewall_logging="YES"</programlisting>
+ <screen>&prompt.root; <userinput>sysrc firewall_logging="YES"</userinput></screen>
<para>There is no <filename>/etc/rc.conf</filename> variable to
set logging limits. To limit the number of times a rule is
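Review bot: the lead-in "To enable logging through &man.syslogd.8;, include this line:" is kept while the example below it is now a sysrc command, not a line to include; reword to "run:" or "set <literal>firewall_logging</literal> to YES:". The same applies to the firewall_script lead-in above it. The trailing unchanged sentence "There is no /etc/rc.conf variable to set logging limits" is immediately followed (in the next hunk) by a sysrc -f /etc/sysctl.conf command, which a reader skimming for sysrc may mistake for an rc.conf setting; saying explicitly here that the limit is a sysctl kept in /etc/sysctl.conf would remove that ambiguity.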
@@ -1731,10 +1735,24 @@
logged per connection attempt, specify the number using this
line in <filename>/etc/sysctl.conf</filename>:</para>
- <programlisting>net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></programlisting>
+ <screen>&prompt.root; <userinput>sysrc -f /etc/sysctl.conf net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></userinput></screen>
- <para>After saving the needed edits, start the firewall. To
- enable logging limits now, also set the
+ <para>To enable logging through a dedicated interface named <literal>ipfw0</literal>, add this line
+ to <filename>/etc/rc.conf</filename> instead:</para>
+
+ <screen>&prompt.root; <userinput>sysrc firewall_logif="YES"</userinput></screen>
+
+ <para>Then use <application>tcpdump</application> to see what is being logged:</para>
+
+ <screen>&prompt.root; <userinput>tcpdump -t -n -i ipfw0</userinput></screen>
+
+ <tip>
+ <para>There's no overhead due to logging unless <application>tcpdump</application> is
+ attached.</para>
+ </tip>
+
+ <para>After saving the needed edits, start the firewall. To
+ enable &man.syslogd.8; logging limits now, also set the
<command>sysctl</command> value specified above:</para>
<screen>&prompt.root; <userinput>service ipfw start</userinput>
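Review bot: the unchanged sentence at the top of this hunk describes net.inet.ip.fw.verbose_limit as the number of times a rule is logged "per connection attempt", but the kernel option comment earlier in this patch says IPFIREWALL_VERBOSE_LIMIT "limits number of logged packets per-entry"; the limit is per rule, so the prose should say so to match. Style points in the added text: the tip uses the contraction "There's", which handbook prose avoids ("There is no overhead due to logging unless tcpdump is attached."); <application>tcpdump</application> should be &man.tcpdump.1; for consistency with &man.syslogd.8; used in the same hunk; and "add this line to /etc/rc.conf instead" is separated from the firewall_logging paragraph by the sysctl paragraph, so spell out "instead of <literal>firewall_logging</literal>" so the reader knows the ipfw0 path is an alternative to syslogd logging, not an addition to it.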