From 52b27f712ce745e092add894bd58d970086a0758 Mon Sep 17 00:00:00 2001 From: Dru Lavigne Date: Fri, 21 Feb 2014 18:39:20 +0000 Subject: [PATCH] This section is reeeeeally out of date. Modernize the first few keywords. Much more to come. Sponsored by: iXsystems --- .../books/handbook/firewalls/chapter.xml | 65 ++++++++++++------- 1 file changed, 41 insertions(+), 24 deletions(-) diff --git a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml index c2096b6597..8220cb7903 100644 --- a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml @@ -1659,7 +1659,7 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat&prompt.root; service ipfilter start - To load the ruleset file, specify the name of the file using ipf. + To load the firewall rules, specify the name of the ruleset file using ipf. The following command can be used to replace the currently running firewall rules: @@ -1691,9 +1691,13 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat This section describes the IPF rule syntax - used to create stateful rules where the first - matching rule wins. Refer to &man.ipf.8; for more details, including the legacy - rule syntax. + used to create stateful rules. When creating rules, keep in + mind that the default way in which filter rules are applied + is for the last matching rule to be + used. Even if the first rule to match a packet is a + pass, if there is a later matching rule + that is a block, the packet will be dropped. + Refer to &man.ipf.5; for more details about rule syntax. When creating rules, a # character is used to mark the start of a comment and may appear at the end of a rule, to explain its function, 
@@ -1718,38 +1722,51 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnatACTION The action keyword indicates what to do with the - packet if it matches the rest of the filter rule. Each + packet if it matches that rule. Every rule must have an action. The following actions are recognized: - block indicates that the packet - should be dropped if the selection parameters match the - packet. + block: drops the packet. - pass indicates that the packet - should exit the firewall if the selection parameters - match the packet. + pass: allows the packet. + + log: generates a log record. + + count: counts the number of + packets and bytes which can provide an indication of + how often a rule is used. + + auth: queues the packet for + further processing by another program. + + call: provides access to + functions built into IPF that + allow more complex actions. + + decapsulate: removes any headers + in order to process the contents of the packet. IN-OUT - A mandatory requirement is that each filter rule - explicitly state which side of the I/O it is to be used - on. The next keyword must be either - in or out and one - or the other has to be included or the rule will not - pass syntax checks. + Next, each rule must + explicitly state the direction of traffic using one of + these keywords: - in means this rule is being - applied against an inbound packet which has just been - received on the interface facing the public - Internet. + in: the rule is + applied against an inbound packet. - out means this rule is being - applied against an outbound packet destined for the - interface facing the public Internet. + out: the rule is + applied against an outbound packet. + + all: the rule applies to either + direction. + + If the system has multiple interfaces, the interface + can be specified along with the direction. An example would + be in on fxp0.
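Review bot: In the @@ -1691 hunk, the new paragraph on last-match semantics never mentions the quick keyword, which is the standard way to make a rule final (when a rule with quick matches, it is applied immediately and no later rule is consulted); since almost every practical IPF ruleset relies on it, the "Even if the first rule to match a packet is a pass ... the packet will be dropped" example should add that this holds unless the earlier rule carries quick. The retained lead sentence "used to create stateful rules" is also slightly misleading: a rule is only stateful when it includes keep state, so consider "used to create rules, including stateful rules". The change of the cross-reference from &man.ipf.8; to &man.ipf.5; is correct, as the rule grammar lives in the section 5 page.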
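Review bot: In the @@ -1718 hunk, the IN-OUT list is wrong to present all as a third direction ("all: the rule applies to either direction"); in IPF a rule's direction is always in or out, and all is the source/destination part of the rule, shorthand for from any to any, as in block in all. Drop that bullet from the direction list (or move it to where matching parameters are described) so readers do not write rules like pass all and expect them to parse. Two smaller points in the ACTION list: "decapsulate: removes any headers" reads as if all headers are stripped, where the action only removes the outer encapsulating header so the inner packet can be filtered, and since log and count do not themselves decide the fate of a packet, a short sentence noting that a packet still needs a matching pass or block would help, given the new "Every rule must have an action" wording. The "in on fxp0" example is fine, but it may be worth stating that on introduces the interface name.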