More shuffling to improve flow.

To be followed by a bunch of commits which look at the actual tech content.

Sponsored by: iXsystems
Dru Lavigne 2014-02-19 20:38:58 +00:00
parent 5cfc0defb0
commit 0f513f358f
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=43996

@ -1701,10 +1701,6 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
<para>There is a way to build IPF rules that utilize the power
of script symbolic substitution. For more information, see
<xref linkend="firewalls-ipf-rules-script"/>.</para>
</sect2>
<sect2>
<title>Rule Syntax</title>
<indexterm>
<primary><application>IPFILTER</application></primary>
@ -1735,35 +1731,12 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
PROTO SRC_ADDR,DST_ADDR OBJECT PORT_NUM TCP_FLAG
STATEFUL</replaceable></para>
<para><replaceable>ACTION</replaceable> = block | pass</para>
<para><replaceable>IN-OUT</replaceable> = in | out</para>
<para><replaceable>OPTIONS</replaceable> = log | quick | on
interface-name</para>
<para><replaceable>SELECTION</replaceable> = proto value |
source/destination IP | port = number | flags
flag-value</para>
<para><replaceable>PROTO</replaceable> = tcp/udp | udp | tcp |
icmp</para>
<para><replaceable>SRC_ADD,DST_ADDR</replaceable> = all | from
object to object</para>
<para><replaceable>OBJECT</replaceable> = IP address |
any</para>
<para><replaceable>PORT_NUM</replaceable> = port number</para>
<para><replaceable>TCP_FLAG</replaceable> = S</para>
<para><replaceable>STATEFUL</replaceable> = keep state</para>
<sect3>
<title>ACTION</title>
<para>Each keyword and its options are described below.</para>
<variablelist>
<varlistentry>
<term>ACTION</term>
<listitem>
<para>The action keyword indicates what to do with the packet
if it matches the rest of the filter rule. Each rule
<emphasis>must</emphasis> have an action. The following
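Review bot: the context line `<para><replaceable>SRC_ADD,DST_ADDR</replaceable> = all | from` in this hunk is missing the trailing R of SRC_ADDR, and it separates the two names with a comma while the new `<term>` entries for the same keyword use `SRC_ADDR/DST_ADDR`; since the block is being converted to a `<variablelist>` anyway, fix the spelling and use one separator in both the syntax summary and the term.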
@ -1776,11 +1749,12 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
<para><literal>pass</literal> indicates that the packet should
exit the firewall if the selection parameters match the
packet.</para>
</sect3>
<sect3>
<title>IN-OUT</title>
</listitem>
</varlistentry>
<varlistentry>
<term>IN-OUT</term>
<listitem>
<para>A mandatory requirement is that each filter rule
explicitly state which side of the I/O it is to be used
on. The next keyword must be either <literal>in</literal>
@ -1794,11 +1768,12 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
<para><literal>out</literal> means this rule is being applied
against an outbound packet destined for the interface facing
the public Internet.</para>
</sect3>
<sect3>
<title>OPTIONS</title>
</listitem>
</varlistentry>
<varlistentry>
<term>OPTIONS</term>
<listitem>
<note>
<para>These options must be used in the order shown
here.</para>
@ -1833,11 +1808,12 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
state</literal> option, this option is recommended so that
only the triggering packet is logged and not every packet
which matches the stateful connection.</para>
</sect3>
<sect3>
<title>SELECTION</title>
</listitem>
</varlistentry>
<varlistentry>
<term>SELECTION</term>
<listitem>
<para>The keywords described in this section are used to
describe attributes of the packet to be checked when
determining whether or not rules match. There is a
@ -1845,11 +1821,12 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
which has to be selected. The following general-purpose
attributes are provided for matching, and must be used in
this order:</para>
</sect3>
<sect3>
<title>PROTO</title>
</listitem>
</varlistentry>
<varlistentry>
<term>PROTO</term>
<listitem>
<para><literal>proto</literal> is the subject keyword which
must include one of its corresponding keyword sub-option
values. The sub-option indicates a specific protocol to be
@ -1862,11 +1839,12 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
either a <acronym>TCP</acronym> or a <acronym>UDP</acronym>
packet, and has been added as a convenience to save
duplication of otherwise identical rules.</para>
</sect3>
<sect3>
<title>SRC_ADDR/DST_ADDR</title>
</listitem>
</varlistentry>
<varlistentry>
<term>SRC_ADDR/DST_ADDR</term>
<listitem>
<para>The <literal>all</literal> keyword is equivalent to
<quote>from any to any</quote> with no other match
parameters.</para>
@ -1890,11 +1868,12 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
the calculation. Additional information is available at the
utility's web page: <uri
xlink:href="http://jodies.de/ipcalc">http://jodies.de/ipcalc</uri>.</para>
</sect3>
<sect3>
<title>PORT</title>
</listitem>
</varlistentry>
<varlistentry>
<term>PORT</term>
<listitem>
<para>If a port match is included, for either or both of
source and destination, it is only applied to
<acronym>TCP</acronym> and <acronym>UDP</acronym> packets.
@ -1920,11 +1899,12 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
<para>To specify port ranges, place the two port numbers
between <literal>&lt;&gt;</literal> or
<literal>&gt;&lt;</literal></para>
</sect3>
<sect3>
<title><acronym>TCP</acronym>_FLAG</title>
</listitem>
</varlistentry>
<varlistentry>
<term><acronym>TCP</acronym>_FLAG</term>
<listitem>
<para>Flags are only effective for <acronym>TCP</acronym>
filtering. The letters represent one of the possible flags
that can be matched against the <acronym>TCP</acronym>
@ -1933,15 +1913,18 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
<para>The modernized rules processing logic uses the
<literal>flags S</literal> parameter to identify the TCP
session start request.</para>
</sect3>
<sect3>
<title>STATEFUL</title>
</listitem>
</varlistentry>
<varlistentry>
<term>STATEFUL</term>
<listitem>
<para><literal>keep state</literal> indicates that on a pass
rule, any packets that match the rules selection parameters
should activate the stateful filtering facility.</para>
</sect3>
</listitem>
</varlistentry>
</variablelist>
</sect2>
<sect2>
@ -2382,7 +2365,7 @@ sh /etc/ipf.rules.script</programlisting>
</sect2>
<sect2>
<title><acronym>NAT</acronym></title>
<title>Configuring <acronym>NAT</acronym></title>
<indexterm><primary>NAT</primary></indexterm>
@ -2399,8 +2382,7 @@ sh /etc/ipf.rules.script</programlisting>
</indexterm>
<para><acronym>NAT</acronym> stands for <emphasis>Network
Address Translation</emphasis>. In &linux;, NAT is called
<quote>IP Masquerading</quote>. The IPF
Address Translation</emphasis>. The IPF
<acronym>NAT</acronym> function enables the private LAN behind
the firewall to share a single ISP-assigned IP address, even
if that address is dynamically assigned. NAT allows each
@ -2408,7 +2390,26 @@ sh /etc/ipf.rules.script</programlisting>
having to pay the ISP for multiple Internet accounts or IP
addresses.</para>
<para><acronym>NAT</acronym> will automatically translate the
<para>In IPF, when a packet arrives at the firewall from the LAN
with a public destination, it passes through the outbound
filter rules. <acronym>NAT</acronym> gets its turn at the
packet and applies its rules top down, where the first
matching rule wins. <acronym>NAT</acronym> tests each of its
rules against the packet's interface name and source IP
address. When a packet's interface name matches a
<acronym>NAT</acronym> rule, the packet's source IP address in
the private LAN is checked to see if it falls within the IP
address range specified to the left of the arrow symbol on the
<acronym>NAT</acronym> rule. On a match, the packet has its
source IP address rewritten with the public IP address
obtained by the <literal>0/32</literal> keyword.
<acronym>NAT</acronym> posts an entry in its internal
<acronym>NAT</acronym> table so when the packet returns from
the public Internet it can be mapped back to its original
private IP address and then passed to the filter rules for
processing.</para>
<para><acronym>NAT</acronym> will automatically translate the
private LAN IP address for each system on the LAN to the
single public IP address as packets exit the firewall bound
for the public Internet. It also performs the reverse
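Review bot: the moved "In IPF, when a packet arrives at the firewall" paragraph refers to "the arrow symbol on the NAT rule" and "the `0/32` keyword" before any map rule has been shown; in its new position it comes ahead of the general "NAT will automatically translate" paragraph and of the IPNAT Rules text that explains `0/32`, so either place it after the rule syntax or add an `<xref>` to the rule explanation at the first mention.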
@ -2433,19 +2434,26 @@ sh /etc/ipf.rules.script</programlisting>
</listitem>
</itemizedlist>
</sect2>
<sect2>
<title>IP<acronym>NAT</acronym></title>
<indexterm>
<primary>NAT</primary>
<secondary>and <application>IPFILTER</application></secondary>
</indexterm>
<indexterm><primary><command>ipnat</command></primary></indexterm>
<para>To enable IP<acronym>NAT</acronym>, add these statements
to <filename>/etc/rc.conf</filename>.</para>
<para>To enable the machine to route traffic between
interfaces:</para>
<programlisting>gateway_enable="YES"</programlisting>
<para>To start IP<acronym>NAT</acronym> automatically each
time:</para>
<programlisting>ipnat_enable="YES"</programlisting>
<para>To specify where to load the IP<acronym>NAT</acronym>
rules from:</para>
<programlisting>ipnat_rules="/etc/ipnat.rules"</programlisting>
<para><acronym>NAT</acronym> rules are loaded using
<command>ipnat</command>. Typically, the
<acronym>NAT</acronym> rules are stored in
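Review bot: the three rc.conf statements added here (`gateway_enable="YES"`, `ipnat_enable="YES"`, `ipnat_rules="/etc/ipnat.rules"`) repeat settings already shown in the earlier enabling listing (the hunk context `ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat` is from that listing); an `<xref>` to that listing would keep a single copy. Also "To start IPNAT automatically each time:" should say each time the system boots.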
@ -2479,10 +2487,6 @@ sh /etc/ipf.rules.script</programlisting>
to rule processing and active rules/table entries:</para>
<screen>&prompt.root; <userinput>ipnat -v</userinput></screen>
</sect2>
<sect2>
<title>IP<acronym>NAT</acronym> Rules</title>
<para><acronym>NAT</acronym> rules are flexible and can
accomplish many different things to fit the needs of
@ -2512,54 +2516,8 @@ sh /etc/ipf.rules.script</programlisting>
be the static external IP address or the special keyword
<literal>0/32</literal> which uses the IP address assigned to
<replaceable>IF</replaceable>.</para>
</sect2>
<sect2>
<title>How <acronym>NAT</acronym> Works</title>
<para>In IPF, when a packet arrives at the firewall from the LAN
with a public destination, it passes through the outbound
filter rules. <acronym>NAT</acronym> gets its turn at the
packet and applies its rules top down, where the first
matching rule wins. <acronym>NAT</acronym> tests each of its
rules against the packet's interface name and source IP
address. When a packet's interface name matches a
<acronym>NAT</acronym> rule, the packet's source IP address in
the private LAN is checked to see if it falls within the IP
address range specified to the left of the arrow symbol on the
<acronym>NAT</acronym> rule. On a match, the packet has its
source IP address rewritten with the public IP address
obtained by the <literal>0/32</literal> keyword.
<acronym>NAT</acronym> posts an entry in its internal
<acronym>NAT</acronym> table so when the packet returns from
the public Internet it can be mapped back to its original
private IP address and then passed to the filter rules for
processing.</para>
</sect2>
<sect2>
<title>Enabling IP<acronym>NAT</acronym></title>
<para>To enable IP<acronym>NAT</acronym>, add these statements
to <filename>/etc/rc.conf</filename>.</para>
<para>To enable the machine to route traffic between
interfaces:</para>
<programlisting>gateway_enable="YES"</programlisting>
<para>To start IP<acronym>NAT</acronym> automatically each
time:</para>
<programlisting>ipnat_enable="YES"</programlisting>
<para>To specify where to load the IP<acronym>NAT</acronym>
rules from:</para>
<programlisting>ipnat_rules="/etc/ipnat.rules"</programlisting>
</sect2>
<sect2>
<sect3>
<title><acronym>NAT</acronym> for a Large LAN</title>
<para>For networks that have large numbers of systems on the LAN
@ -2567,13 +2525,10 @@ sh /etc/ipf.rules.script</programlisting>
funneling all those private IP addresses into a single public
IP address becomes a resource problem that may cause problems
with the same port numbers being used many times across many
connections, causing collisions. There are two ways to
connections, causing collisions. This section describes two ways to
relieve this resource problem.</para>
<sect3>
<title>Assigning Ports to Use</title>
<para>A normal NAT rule would look like:</para>
<para>The first method is to assign ports to use. A normal NAT rule would look like:</para>
<programlisting>map dc0 192.168.1.0/24 -&gt; 0/32</programlisting>
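Review bot: the added line `<para>The first method is to assign ports to use. A normal NAT rule would look like:</para>` runs well past the column width the surrounding lines wrap at (about 70 columns); rewrap it to match the file's style.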
@ -2592,12 +2547,8 @@ sh /etc/ipf.rules.script</programlisting>
available for use:</para>
<programlisting>map dc0 192.168.1.0/24 -&gt; 0/32 portmap tcp/udp auto</programlisting>
</sect3>
<sect3>
<title>Using a Pool of Public Addresses</title>
<para>In very large LANs there comes a point where there are
<para>The second method is to use a pool of public addresses. In very large LANs there comes a point where there are
just too many LAN addresses to fit into a single public
address. If a block of public IP addresses is available,
these addresses can be used as a <quote>pool</quote>, and
@ -2619,9 +2570,8 @@ sh /etc/ipf.rules.script</programlisting>
<programlisting>map dc0 192.168.1.0/24 -&gt; 204.134.75.0/24</programlisting>
</sect3>
</sect2>
<sect2>
<sect3>
<title>Port Redirection</title>
<para>A common practice is to have a web server, email server,
@ -2646,9 +2596,9 @@ sh /etc/ipf.rules.script</programlisting>
needs to receive public DNS requests:</para>
<programlisting>rdr dc0 20.20.20.5/32 port 53 -&gt; 10.0.10.33 port 53 udp</programlisting>
</sect2>
</sect3>
<sect2>
<sect3>
<title>FTP and <acronym>NAT</acronym></title>
<para>FTP has two modes: active mode and passive mode. The
@ -2658,9 +2608,6 @@ sh /etc/ipf.rules.script</programlisting>
and the different modes, see <uri
xlink:href="http://www.slacksite.com/other/ftp.html">http://www.slacksite.com/other/ftp.html</uri>.</para>
<sect3>
<title>IP<acronym>NAT</acronym> Rules</title>
<para>IP<acronym>NAT</acronym> has a built in FTP proxy option
which can be specified on the <acronym>NAT</acronym> map
rule. It can monitor all outbound packet traffic for FTP
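Review bot: the context line `IPNAT has a built in FTP proxy option` should read "built-in"; worth fixing while the heading around it is being removed.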
@ -2693,10 +2640,6 @@ sh /etc/ipf.rules.script</programlisting>
<acronym>NAT</acronym>. All LAN packets that are not FTP
will not match the FTP rules but will undergo
<acronym>NAT</acronym> if they match the third rule.</para>
</sect3>
<sect3>
<title>IP<acronym>NAT</acronym> FTP Filter Rules</title>
<para>Only one filter rule is needed for FTP if the
<acronym>NAT</acronym> FTP proxy is used.</para>
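Review bot: with the "IPNAT FTP Filter Rules" heading removed, the paragraph "Only one filter rule is needed for FTP if the NAT FTP proxy is used" now follows the discussion of the three NAT map rules with nothing marking the switch from NAT rules to filter rules; add a transition sentence so the reader knows the following rule belongs in the filter ruleset, not in `/etc/ipnat.rules`.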
@ -2846,10 +2789,6 @@ pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state</pro
last rule in the ruleset. This makes it possible to see all
the packets that did not match any of the rules in the
ruleset.</para>
</sect2>
<sect2>
<title>IPMON Logging</title>
<para>&man.syslogd.8; uses its own method for segregation of log
data. It uses groupings called <quote>facility</quote> and
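Review bot: removing the "IPMON Logging" sect2 boundary places the `&man.syslogd.8;` facility and level discussion directly after the paragraph about logging the last rule in the ruleset; the subject changes from rule logging to syslog configuration, so keep at least a transition sentence where the heading used to be.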
@ -2890,10 +2829,6 @@ LOG_ERR - packets which have been logged and which can be considered short</scre
<para>Do not forget to change
<filename>/etc/newsyslog.conf</filename> to rotate the new
log file.</para>
</sect2>
<sect2>
<title>The Format of Logged Messages</title>
<para>Messages generated by <command>ipmon</command> consist
of data fields separated by white space. Fields common to