chapter.xml
Context not available. | |||||
<para>The two tables <literal><spamd></literal> and | <para>The two tables <literal><spamd></literal> and | ||||
<literal><spamd-white></literal> are essential. | <literal><spamd-white></literal> are essential. | ||||
<acronym>SMTP</acronym> traffic from an address listed | <acronym>SMTP</acronym> traffic from an address listed | ||||
in<literal> <spamd></literal> but not in | in <literal><spamd></literal> but not in | ||||
<literal><spamd-white></literal> is redirected to | <literal><spamd-white></literal> is redirected to | ||||
the <application>spamd</application> daemon listening at | the <application>spamd</application> daemon listening at | ||||
port 8025.</para> | port 8025.</para> | ||||
Context not available. | |||||
custom kernel is not needed in order to enable | custom kernel is not needed in order to enable | ||||
<application>IPFW</application>.</para> | <application>IPFW</application>.</para> | ||||
<indexterm> | |||||
<primary>kernel options</primary> | |||||
<secondary>IPFIREWALL</secondary> | |||||
</indexterm> | |||||
<indexterm> | |||||
<primary>kernel options</primary> | |||||
<secondary>IPFIREWALL_VERBOSE</secondary> | |||||
</indexterm> | |||||
<indexterm> | |||||
<primary>kernel options</primary> | |||||
<secondary>IPFIREWALL_VERBOSE_LIMIT</secondary> | |||||
</indexterm> | |||||
<indexterm> | |||||
<primary><application>IPFW</application></primary> | |||||
<secondary>kernel options</secondary> | |||||
</indexterm> | |||||
<para>For those users who wish to statically compile | <para>For those users who wish to statically compile | ||||
<application>IPFW</application> support into a custom kernel, | <application>IPFW</application> support into a custom kernel, | ||||
refer to the instructions in <xref linkend="kernelconfig"/>. | see <xref linkend="firewalls-ipfw-kernelconfig"/>.</para> | ||||
The following options are available for the | |||||
custom kernel configuration file:</para> | |||||
<programlisting>options IPFIREWALL # enables IPFW | |||||
options IPFIREWALL_VERBOSE # enables logging for rules with log keyword | |||||
options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry | |||||
options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied | |||||
options IPDIVERT # enables NAT</programlisting> | |||||
<para>To configure the system to enable | <para>To configure the system to enable | ||||
<application>IPFW</application> at boot time, add the | <application>IPFW</application> at boot time, add | ||||
following entry to <filename>/etc/rc.conf</filename>:</para> | <literal>firewall_enable="YES"</literal> to | ||||
<filename>/etc/rc.conf</filename>:</para> | |||||
<programlisting>firewall_enable="YES"</programlisting> | <screen>&prompt.root; <userinput>sysrc firewall_enable="YES"</userinput></screen> | ||||
<para>To use one of the default firewall types provided by &os;, | <para>To use one of the default firewall types provided by &os;, | ||||
add another line which specifies the type:</para> | add another line which specifies the type:</para> | ||||
<programlisting>firewall_type="open"</programlisting> | <screen>&prompt.root; <userinput>sysrc firewall_type="open"</userinput></screen> | ||||
<para>The available types are:</para> | <para>The available types are:</para> | ||||
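Review bot: in the rewritten `firewall_enable` step the new <para> names the literal `firewall_enable="YES"` and the <screen> right below it repeats the same setting as a sysrc(8) command, and the unchanged <para> that follows still says "add another line which specifies the type" before another sysrc command; consider leading into both screens with the action rather than the literal, e.g. "enable IPFW at boot with sysrc(8):", so the prose and the examples describe the same step. The forward <xref linkend="firewalls-ipfw-kernelconfig"/> is fine provided the new sect2 later in this changeset lands together with this hunk, otherwise the build breaks on an unresolved xref.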
Context not available. | |||||
<literal>firewall_script</literal> is set to | <literal>firewall_script</literal> is set to | ||||
<filename>/etc/ipfw.rules</filename>:</para> | <filename>/etc/ipfw.rules</filename>:</para> | ||||
<programlisting>firewall_script="/etc/ipfw.rules"</programlisting> | <screen>&prompt.root; <userinput>sysrc firewall_script="/etc/ipfw.rules"</userinput></screen> | ||||
<para>To enable logging, include this line:</para> | <para>To enable logging through &man.syslogd.8;, include this | ||||
line:</para> | |||||
<programlisting>firewall_logging="YES"</programlisting> | <screen>&prompt.root; <userinput>sysrc firewall_logging="YES"</userinput></screen> | ||||
<para>There is no <filename>/etc/rc.conf</filename> variable to | <para>There is no <filename>/etc/rc.conf</filename> variable to | ||||
set logging limits. To limit the number of times a rule is | set logging limits. To limit the number of times a rule is | ||||
Context not available. | |||||
logged per connection attempt, specify the number using this | logged per connection attempt, specify the number using this | ||||
line in <filename>/etc/sysctl.conf</filename>:</para> | line in <filename>/etc/sysctl.conf</filename>:</para> | ||||
<programlisting>net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></programlisting> | <screen>&prompt.root; <userinput>sysrc -f /etc/sysctl.conf net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></userinput></screen> | ||||
<para>To enable logging through a dedicated interface named | |||||
<literal>ipfw0</literal>, add this line to | |||||
<filename>/etc/rc.conf</filename> instead:</para> | |||||
<screen>&prompt.root; <userinput>sysrc firewall_logif="YES"</userinput></screen> | |||||
<para>Then use <application>tcpdump</application> to see what is | |||||
being logged:</para> | |||||
<screen>&prompt.root; <userinput>tcpdump -t -n -i ipfw0</userinput></screen> | |||||
<tip> | |||||
<para>There is no overhead due to logging unless | |||||
<application>tcpdump</application> is attached.</para> | |||||
</tip> | |||||
<para>After saving the needed edits, start the firewall. To | <para>After saving the needed edits, start the firewall. To | ||||
enable logging limits now, also set the | enable logging limits now, also set the | ||||
<command>sysctl</command> value specified above:</para> | <command>sysctl</command> value specified above:</para> | ||||
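Review bot: the unchanged lead-in "specify the number using this line in /etc/sysctl.conf:" is now followed by a `sysrc -f` command rather than a file line, so the wording should be adjusted to match, e.g. "set it in /etc/sysctl.conf with sysrc(8):". In the added ipfw0 paragraph the only signal that `firewall_logif` is an alternative to `firewall_logging` is the word "instead"; stating explicitly that the two are alternatives, with the choice deciding whether log entries go to syslogd(8) (the method described just above) or to the ipfw0 pseudo-interface, would keep readers from enabling both and then wondering where their log lines went. The <tip> would also read better if it named what the overhead refers to, i.e. logging to the ipfw0 interface, since the preceding verbose_limit text concerns the syslog path.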
Context not available. | |||||
$cmd 130 $skip icmp from any to any out via $pif $ks</programlisting> | $cmd 130 $skip icmp from any to any out via $pif $ks</programlisting> | ||||
<para>The inbound rules remain the same, except for the very | <para>The inbound rules remain the same, except for the very | ||||
last rule which removes the <literal> via $pif</literal> in | last rule which removes the <literal>via $pif</literal> in | ||||
order to catch both inbound and outbound rules. The | order to catch both inbound and outbound rules. The | ||||
<acronym>NAT</acronym> rule must follow this last outbound | <acronym>NAT</acronym> rule must follow this last outbound | ||||
rule, must have a higher number than that last rule, and the | rule, must have a higher number than that last rule, and the | ||||
Context not available. | |||||
&prompt.root; <userinput>ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state</userinput></screen> | &prompt.root; <userinput>ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state</userinput></screen> | ||||
</sect3> | </sect3> | ||||
</sect2> | </sect2> | ||||
<sect2 xml:id="firewalls-ipfw-kernelconfig"> | |||||
<title><application>IPFW</application> Kernel Options</title> | |||||
<indexterm> | |||||
<primary>kernel options</primary> | |||||
<secondary>IPFIREWALL</secondary> | |||||
</indexterm> | |||||
<indexterm> | |||||
<primary>kernel options</primary> | |||||
<secondary>IPFIREWALL_VERBOSE</secondary> | |||||
</indexterm> | |||||
<indexterm> | |||||
<primary>kernel options</primary> | |||||
<secondary>IPFIREWALL_VERBOSE_LIMIT</secondary> | |||||
</indexterm> | |||||
<indexterm> | |||||
<primary><application>IPFW</application></primary> | |||||
<secondary>kernel options</secondary> | |||||
</indexterm> | |||||
<para>In order to statically compile | |||||
<application>IPFW</application> support into a custom kernel, | |||||
refer to the instructions in <xref linkend="kernelconfig"/>. | |||||
The following options are available for the | |||||
custom kernel configuration file:</para> | |||||
<programlisting>options IPFIREWALL # enables IPFW | |||||
options IPFIREWALL_VERBOSE # enables logging for rules with log keyword to syslogd(8) | |||||
options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry | |||||
options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied | |||||
options IPFIREWALL_NAT # enables in-kernel NAT support | |||||
options IPFIREWALL_NAT64 # enables in-kernel NAT64 support | |||||
options IPFIREWALL_NPTV6 # enables in-kernel IPv6 NPT support | |||||
options IPFIREWALL_PMOD # enables protocols modification module support | |||||
options IPDIVERT # enables NAT through natd(8)</programlisting> | |||||
<note> | |||||
<para><application>IPFW</application> can be loaded as | |||||
a kernel module: options above are built by default | |||||
as modules or can be set at runtime using tunables.</para> | |||||
</note> | |||||
</sect2> | |||||
</sect1> | </sect1> | ||||
<sect1 xml:id="firewalls-ipf"> | <sect1 xml:id="firewalls-ipf"> | ||||
Context not available. |