D18484.id53028.diff
Index: chapter.xml
===================================================================
--- chapter.xml
+++ chapter.xml
@@ -1329,7 +1329,7 @@
<para>The two tables <literal><spamd></literal> and
<literal><spamd-white></literal> are essential.
<acronym>SMTP</acronym> traffic from an address listed
- in<literal> <spamd></literal> but not in
+ in <literal><spamd></literal> but not in
<literal><spamd-white></literal> is redirected to
the <application>spamd</application> daemon listening at
port 8025.</para>
@@ -1623,52 +1623,21 @@
custom kernel is not needed in order to enable
<application>IPFW</application>.</para>
- <indexterm>
- <primary>kernel options</primary>
-
- <secondary>IPFIREWALL</secondary>
- </indexterm>
-
- <indexterm>
- <primary>kernel options</primary>
-
- <secondary>IPFIREWALL_VERBOSE</secondary>
- </indexterm>
-
- <indexterm>
- <primary>kernel options</primary>
-
- <secondary>IPFIREWALL_VERBOSE_LIMIT</secondary>
- </indexterm>
-
- <indexterm>
- <primary><application>IPFW</application></primary>
-
- <secondary>kernel options</secondary>
- </indexterm>
-
<para>For those users who wish to statically compile
<application>IPFW</application> support into a custom kernel,
- refer to the instructions in <xref linkend="kernelconfig"/>.
- The following options are available for the
- custom kernel configuration file:</para>
+ see <xref linkend="firewalls-ipfw-kernelconfig"/>.</para>
- <programlisting>options IPFIREWALL # enables IPFW
-options IPFIREWALL_VERBOSE # enables logging for rules with log keyword
-options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry
-options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
-options IPDIVERT # enables NAT</programlisting>
-
<para>To configure the system to enable
- <application>IPFW</application> at boot time, add the
- following entry to <filename>/etc/rc.conf</filename>:</para>
+ <application>IPFW</application> at boot time, add
+ <literal>firewall_enable="YES"</literal> to
+ <filename>/etc/rc.conf</filename>:</para>
- <programlisting>firewall_enable="YES"</programlisting>
+ <screen>&prompt.root; <userinput>sysrc firewall_enable="YES"</userinput></screen>
<para>To use one of the default firewall types provided by &os;,
add another line which specifies the type:</para>
- <programlisting>firewall_type="open"</programlisting>
+ <screen>&prompt.root; <userinput>sysrc firewall_type="open"</userinput></screen>
<para>The available types are:</para>
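Review bot: the paragraph still says "add firewall_enable="YES" to /etc/rc.conf:" but the screen that follows now runs sysrc instead of showing the line itself, and nothing tells the reader what sysrc does. Suggest "set firewall_enable="YES" in /etc/rc.conf using &man.sysrc.8;:" and the same wording for the firewall_type example, so the prose matches the sysrc screens introduced here and in the following hunks. The indexterm block and the kernel options programlisting removed in this hunk reappear in the new firewalls-ipfw-kernelconfig sect2 later in the patch, so the new xref target is defined.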
@@ -1720,11 +1689,12 @@
<literal>firewall_script</literal> is set to
<filename>/etc/ipfw.rules</filename>:</para>
- <programlisting>firewall_script="/etc/ipfw.rules"</programlisting>
+ <screen>&prompt.root; <userinput>sysrc firewall_script="/etc/ipfw.rules"</userinput></screen>
- <para>To enable logging, include this line:</para>
+ <para>To enable logging through &man.syslogd.8;, include this
+ line:</para>
- <programlisting>firewall_logging="YES"</programlisting>
+ <screen>&prompt.root; <userinput>sysrc firewall_logging="YES"</userinput></screen>
<para>There is no <filename>/etc/rc.conf</filename> variable to
set logging limits. To limit the number of times a rule is
@@ -1731,8 +1701,24 @@
logged per connection attempt, specify the number using this
line in <filename>/etc/sysctl.conf</filename>:</para>
- <programlisting>net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></programlisting>
+ <screen>&prompt.root; <userinput>sysrc -f /etc/sysctl.conf net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></userinput></screen>
+ <para>To enable logging through a dedicated interface named
+ <literal>ipfw0</literal>, add this line to
+ <filename>/etc/rc.conf</filename> instead:</para>
+
+ <screen>&prompt.root; <userinput>sysrc firewall_logif="YES"</userinput></screen>
+
+ <para>Then use <application>tcpdump</application> to see what is
+ being logged:</para>
+
+ <screen>&prompt.root; <userinput>tcpdump -t -n -i ipfw0</userinput></screen>
+
+ <tip>
+ <para>There is no overhead due to logging unless
+ <application>tcpdump</application> is attached.</para>
+ </tip>
+
<para>After saving the needed edits, start the firewall. To
enable logging limits now, also set the
<command>sysctl</command> value specified above:</para>
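Review bot: the new ipfw0 paragraph says to add firewall_logif="YES" "instead", but it directly follows the sysctl.conf verbose_limit instruction, so it reads as an alternative to setting the logging limit rather than an alternative to syslogd logging via firewall_logging. Suggest "As an alternative to logging through syslogd(8), logging can be sent to a dedicated interface named ipfw0 ...". The tip "There is no overhead due to logging unless tcpdump is attached" would be clearer stated as: packets matched by log rules are only copied to ipfw0 while a listener such as tcpdump is attached to it. Also, the unchanged paragraph below ("also set the sysctl value specified above") now sits after the ipfw0 material; naming net.inet.ip.fw.verbose_limit there keeps the back-reference unambiguous.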
@@ -2257,7 +2243,7 @@
$cmd 130 $skip icmp from any to any out via $pif $ks</programlisting>
<para>The inbound rules remain the same, except for the very
- last rule which removes the <literal> via $pif</literal> in
+ last rule which removes the <literal>via $pif</literal> in
order to catch both inbound and outbound rules. The
<acronym>NAT</acronym> rule must follow this last outbound
rule, must have a higher number than that last rule, and the
@@ -2610,6 +2596,55 @@
&prompt.root; <userinput>ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state</userinput></screen>
</sect3>
</sect2>
+
+ <sect2 xml:id="firewalls-ipfw-kernelconfig">
+ <title><application>IPFW</application> Kernel Options</title>
+
+ <indexterm>
+ <primary>kernel options</primary>
+
+ <secondary>IPFIREWALL</secondary>
+ </indexterm>
+
+ <indexterm>
+ <primary>kernel options</primary>
+
+ <secondary>IPFIREWALL_VERBOSE</secondary>
+ </indexterm>
+
+ <indexterm>
+ <primary>kernel options</primary>
+
+ <secondary>IPFIREWALL_VERBOSE_LIMIT</secondary>
+ </indexterm>
+
+ <indexterm>
+ <primary><application>IPFW</application></primary>
+
+ <secondary>kernel options</secondary>
+ </indexterm>
+ <para>In order to statically compile
+ <application>IPFW</application> support into a custom kernel,
+ refer to the instructions in <xref linkend="kernelconfig"/>.
+ The following options are available for the
+ custom kernel configuration file:</para>
+
+ <programlisting>options IPFIREWALL # enables IPFW
+options IPFIREWALL_VERBOSE # enables logging for rules with log keyword to syslogd(8)
+options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry
+options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
+options IPFIREWALL_NAT # enables in-kernel NAT support
+options IPFIREWALL_NAT64 # enables in-kernel NAT64 support
+options IPFIREWALL_NPTV6 # enables in-kernel IPv6 NPT support
+options IPFIREWALL_PMOD # enables protocols modification module support
+options IPDIVERT # enables NAT through natd(8)</programlisting>
+
+ <note>
+ <para><application>IPFW</application> can be loaded as
+ a kernel module: options above are built by default
+ as modules or can be set at runtime using tunables.</para>
+ </note>
+ </sect2>
</sect1>
<sect1 xml:id="firewalls-ipf">
D18484: Update the ipfw section in the Handbook: kernel options, ipfw0, configuration