Changeset View
Changeset View
Standalone View
Standalone View
en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
| Show First 20 Lines • Show All 2,250 Lines • ▼ Show 20 Lines | good_tcpo="22,25,37,53,80,443,110"</programlisting> | ||||
| firewall script.</para> | firewall script.</para> | ||||
| <programlisting>ipfw disable one_pass | <programlisting>ipfw disable one_pass | ||||
| ipfw -q nat 1 config if $pif same_ports unreg_only reset</programlisting> | ipfw -q nat 1 config if $pif same_ports unreg_only reset</programlisting> | ||||
| <para>The inbound <acronym>NAT</acronym> rule is inserted | <para>The inbound <acronym>NAT</acronym> rule is inserted | ||||
| <emphasis>after</emphasis> the two rules which allow all | <emphasis>after</emphasis> the two rules which allow all | ||||
| traffic on the trusted and loopback interfaces and after the | traffic on the trusted and loopback interfaces and after the | ||||
| reassamble rule but <emphasis>before</emphasis> the | reassemble rule but <emphasis>before</emphasis> the | ||||
| <literal>check-state</literal> rule. It is important that the | <literal>check-state</literal> rule. It is important that the | ||||
| rule number selected for this <acronym>NAT</acronym> rule, in | rule number selected for this <acronym>NAT</acronym> rule, in | ||||
| this example <literal>100</literal>, is higher than the first | this example <literal>100</literal>, is higher than the first | ||||
| three rules and lower than the <literal>check-state</literal> | three rules and lower than the <literal>check-state</literal> | ||||
| rule. Furthermore, because of the behavior of in-kernel | rule. Furthermore, because of the behavior of in-kernel | ||||
| <acronym>NAT</acronym> it is advised to place a reassamble | <acronym>NAT</acronym> it is advised to place a reassemble | ||||
| rule just before the first <acronym>NAT</acronym> rule and | rule just before the first <acronym>NAT</acronym> rule and | ||||
| after the rules that allow traffic on trusted interface. | after the rules that allow traffic on trusted interface. | ||||
| Normally, <acronym>IP</acronym> fragmentation should not | Normally, <acronym>IP</acronym> fragmentation should not | ||||
| happen, but when dealing with <acronym>IPSEC/ESP/GRE</acronym> | happen, but when dealing with <acronym>IPSEC/ESP/GRE</acronym> | ||||
| tunneling traffic it might and the reassmabling of fragments | tunneling traffic it might and the reassembling of fragments | ||||
| is necessary before handing the complete packet over to the | is necessary before handing the complete packet over to the | ||||
| in-kernel <acronym>NAT</acronym> facility.</para> | in-kernel <acronym>NAT</acronym> facility.</para> | ||||
| <note> | <note> | ||||
| <para>The reassemble rule was not needed with userland | <para>The reassemble rule was not needed with userland | ||||
| &man.natd.8; because the internal workings of the | &man.natd.8; because the internal workings of the | ||||
| <application>IPFW</application> <literal>divert</literal> | <application>IPFW</application> <literal>divert</literal> | ||||
| action already takes care of reassambling packets before | action already takes care of reassembling packets before | ||||
| delivery to the socket as also stated in &man.ipfw.8;.</para> | delivery to the socket as also stated in &man.ipfw.8;.</para> | ||||
| <para>The <acronym>NAT</acronym> instance and rule number used | <para>The <acronym>NAT</acronym> instance and rule number used | ||||
| in this example does not match with the default | in this example does not match with the default | ||||
| <acronym>NAT</acronym> instance and rule number created by | <acronym>NAT</acronym> instance and rule number created by | ||||
| <filename>rc.firewall</filename>. | <filename>rc.firewall</filename>. | ||||
| <filename>rc.firewall</filename> is a script that sets up | <filename>rc.firewall</filename> is a script that sets up | ||||
| the default firewall rules present in &os;.</para></note> | the default firewall rules present in &os;.</para></note> | ||||
| <programlisting>$cmd 005 allow all from any to any via xl0 # exclude LAN traffic | <programlisting>$cmd 005 allow all from any to any via xl0 # exclude LAN traffic | ||||
| $cmd 010 allow all from any to any via lo0 # exclude loopback traffic | $cmd 010 allow all from any to any via lo0 # exclude loopback traffic | ||||
| $cmd 099 reass all from any to any in # reassamble inbound packets | $cmd 099 reass all from any to any in # reassemble inbound packets | ||||
| $cmd 100 nat 1 ip from any to any in via $pif # NAT any inbound packets | $cmd 100 nat 1 ip from any to any in via $pif # NAT any inbound packets | ||||
| # Allow the packet through if it has an existing entry in the dynamic rules table | # Allow the packet through if it has an existing entry in the dynamic rules table | ||||
| $cmd 101 check-state</programlisting> | $cmd 101 check-state</programlisting> | ||||
| <para>The outbound rules are modified to replace the | <para>The outbound rules are modified to replace the | ||||
| <literal>allow</literal> action with the | <literal>allow</literal> action with the | ||||
| <literal>$skip</literal> variable, indicating that rule | <literal>$skip</literal> variable, indicating that rule | ||||
| processing will continue at rule <literal>1000</literal>. The | processing will continue at rule <literal>1000</literal>. The | ||||
| ▲ Show 20 Lines • Show All 1,951 Lines • Show Last 20 Lines | |||||