Initial pass through enabling IPFW.

Shuffle IPFW command to later in the chapter, might get shuffled again.
Begin prep work for syntax section.

Sponsored by: iXsystems
Dru Lavigne 2014-02-26 17:05:28 +00:00
parent 179bbde3b7
commit 58286b6276
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44076


@ -1675,7 +1675,7 @@ options IPDIVERT # enables NAT</programlisting>
<programlisting>firewall_type="open"</programlisting>
<para>The available values for this setting are:</para>
<para>The available types are:</para>
<itemizedlist>
<listitem>
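Review bot: "The available types are:" drops the tie to the firewall_type line directly above it; "The available values for <literal>firewall_type</literal> are:" keeps the variable name in view for readers who land on this list from the index, and reads no longer than the original.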
@ -1702,114 +1702,48 @@ options IPDIVERT # enables NAT</programlisting>
firewall rules.</para>
</listitem>
<listitem>
<para><filename>filename</filename>: full path of the file
containing the firewall rules.</para>
<para><literal>filename</literal>: full path of the file
containing the firewall ruleset.</para>
</listitem>
</itemizedlist>
<para>To instead load a custom ruleset, either set the
<filename>filename</filename> value of
<literal>firewall_type</literal> or set the
<literal>firewall_script</literal> variable to the absolute
path of an executable script that includes
<command>IPFW</command> commands. This example script blocks
all incoming and outgoing traffic:</para>
<programlisting>#!/bin/sh
ipfw -q flush
ipfw add deny in
ipfw add deny out</programlisting>
<note>
<para>If <literal>firewall_type</literal> is set to either
<para>If <literal>firewall_type</literal> is set to either
<literal>client</literal> or <literal>simple</literal>,
modify the default rules found in
<filename>/etc/rc.firewall</filename> to fit the
configuration of the system. The examples used in this
section assume that the <literal>firewall_script</literal>
is set to <filename>/etc/ipfw.rules</filename>.</para>
</note>
configuration of the system.</para>
<para>Enable logging:</para>
<para>Note that the
<literal>filename</literal> type is used to load a custom ruleset.</para>
<para>An alternate way to load a custom ruleset is to set the
<literal>firewall_script</literal> variable to the absolute
path of an <emphasis>executable script</emphasis> that includes
<application>IPFW</application> commands. The examples used in this
section assume that the <literal>firewall_script</literal>
is set to <filename>/etc/ipfw.rules</filename>:</para>
<programlisting>firewall_script="/etc/ipfw.rules"</programlisting>
<para>To enable logging, include this line:</para>
<programlisting>firewall_logging="YES"</programlisting>
<warning>
<para><varname>firewall_logging</varname> sets the
<varname>net.inet.ip.fw.verbose</varname> sysctl
variable to the value of <literal>1</literal>. There is no
<filename>rc.conf</filename> variable to set log
limitations, but the desired value can be set using
<command>sysctl</command> or by adding the following
variable and desired value to
<para>There is no
<filename>/etc/rc.conf</filename> variable to set logging
limits. To limit the number of times a rule is logged
per connection attempt, specify the number using this line
in
<filename>/etc/sysctl.conf</filename>:</para>
<programlisting>net.inet.ip.fw.verbose_limit=5</programlisting>
</warning>
<para>If the machine is acting as a gateway providing
<acronym>NAT</acronym> using &man.natd.8;, refer to <xref
linkend="network-natd"/> for information regarding the
required <filename>/etc/rc.conf</filename> options.</para>
</sect2>
<sect2 xml:id="firewalls-ipfw-cmd">
<title>The <application>IPFW</application> Command</title>
<indexterm><primary><command>ipfw</command></primary></indexterm>
<para><command>ipfw</command> can be used to make manual,
single rule additions or deletions to the active firewall
while it is running. The problem with using this method is
that all the changes are lost when the system reboots. It is
recommended to instead write all the rules in a file and to
use that file to load the rules at boot time and to replace
the currently running firewall rules whenever that file
changes.</para>
<para><command>ipfw</command> is a useful way to display the
running firewall rules to the console screen. The
<application>IPFW</application> accounting facility
dynamically creates a counter for each rule that counts each
packet that matches the rule. During the process of testing a
rule, listing the rule with its counter is one way to
determine if the rule is functioning as expected.</para>
<para>To list all the running rules in sequence:</para>
<screen>&prompt.root; <userinput>ipfw list</userinput></screen>
<para>To list all the running rules with a time stamp of when
the last time the rule was matched:</para>
<screen>&prompt.root; <userinput>ipfw -t list</userinput></screen>
<para>The next example lists accounting information and the
packet count for matched rules along with the rules
themselves. The first column is the rule number, followed by
the number of matched packets and bytes, followed by the rule
itself.</para>
<screen>&prompt.root; <userinput>ipfw -a list</userinput></screen>
<para>To list dynamic rules in addition to static rules:</para>
<screen>&prompt.root; <userinput>ipfw -d list</userinput></screen>
<para>To also show the expired dynamic rules:</para>
<screen>&prompt.root; <userinput>ipfw -d -e list</userinput></screen>
<para>To zero the counters:</para>
<screen>&prompt.root; <userinput>ipfw zero</userinput></screen>
<para>To zero the counters for just the rule with number
<replaceable>NUM</replaceable>:</para>
<screen>&prompt.root; <userinput>ipfw zero NUM</userinput></screen>
<programlisting>net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></programlisting>
<para>After saving the needed edits, start the firewall. To
enable logging limits now, also set the
<command>sysctl</command> value specified above:</para>
<screen>&prompt.root; <userinput>service ipfw start</userinput>
&prompt.root; <userinput>sysctl net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></userinput></screen>
</sect2>
<sect2 xml:id="firewalls-ipfw-rules">
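Review bot: the new logging text inside the warning (the paragraph beginning "There is no /etc/rc.conf variable to set logging limits") drops two things the removed text carried: that firewall_logging="YES" works by setting the net.inet.ip.fw.verbose sysctl to 1, and the "service ipfw start" / "sysctl net.inet.ip.fw.verbose_limit=5" steps that told the reader how to apply the change on the running system. Without the sysctl name a reader cannot check that logging is actually on, and with only the /etc/sysctl.conf line the limit waits for the next boot, which the removed "To enable logging limits now" sentence addressed. Suggest keeping one sentence naming net.inet.ip.fw.verbose and keeping the sysctl command, or a pointer to wherever those steps moved. Two smaller points in the same span: the new listing <programlisting>net.inet.ip.fw.verbose_limit=5</programlisting> lost the <replaceable>5</replaceable> markup the removed listing had, and since the sentence says "specify the number", the 5 should stay replaceable; and the content now inside <warning> is ordinary configuration advice, so a <note> fits better than a warning. Finally, the sample script ("ipfw add deny in" / "ipfw add deny out") blocks all incoming and outgoing traffic, including the session of anyone loading it remotely; a short clause saying it is only an illustration of the script form, not something to load over a network connection, would spare readers a lockout.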
@ -1821,16 +1755,16 @@ ipfw add deny out</programlisting>
<secondary>rule processing order</secondary>
</indexterm>
<para>When a packet enters the <acronym>IPFW</acronym> firewall,
<para>When a packet enters the <application>IPFW</application> firewall,
it is compared against the first rule in the ruleset and
progresses one rule at a time, moving from top to bottom of
the set in ascending rule number sequence order. When the
packet matches the selection parameters of a rule, the rule's
action field value is executed and the search of the ruleset
action is executed and the search of the ruleset
terminates for that packet. This is referred to as
<quote>first match wins</quote>. If the packet does not match
any of the rules, it gets caught by the mandatory
<application>IPFW</application> default rule, number 65535,
<application>IPFW</application> default rule number 65535,
which denies all packets and silently discards them. However,
if the packet matches a rule that contains the
<literal>count</literal>, <literal>skipto</literal>, or
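Review bot: since this paragraph is being reworded anyway, "moving from top to bottom of the set in ascending rule number sequence order" says the same thing three times (top to bottom, ascending, sequence order); "progresses one rule at a time in ascending rule-number order" keeps the meaning. The change from <acronym>IPFW</acronym> to <application>IPFW</application> is consistent with the unchanged "<application>IPFW</application> default rule" line below it, and "action is executed" is cleaner than "action field value is executed", so both of those look right.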
@ -1838,11 +1772,8 @@ ipfw add deny out</programlisting>
to &man.ipfw.8; for details on how these keywords affect rule
processing.</para>
<para>The examples in this section create an inclusive type
firewall ruleset containing the stateful <literal>keep
state</literal>, <literal>limit</literal>,
<literal>in</literal>, <literal>out</literal> and
<literal>via</literal> options. For a complete rule syntax
<para>This section provides an overview of the rule syntax for creating
stateful rules. For a complete rule syntax
description, refer to &man.ipfw.8;.</para>
<indexterm>
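Review bot: the replacement sentence "This section provides an overview of the rule syntax for creating stateful rules" is narrower than what follows: the syntax line and the variablelist cover CMD, RULE_NUMBER, ACTION, LOGGING and SELECTION as well as STATEFUL, so "overview of the rule syntax, including the options for stateful rules" describes the section more accurately. The removed paragraph also listed the options the examples rely on (keep state, limit, in, out, via); if the examples later in the chapter still use them, keeping that short list tells the reader which keywords to watch for, and if the examples are being rewritten, a note in the commit message that the list will come back would help the next editor.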
@ -1851,11 +1782,11 @@ ipfw add deny out</programlisting>
<secondary>rule syntax</secondary>
</indexterm>
<para>This section describes the keywords which comprise an
<application>IPFW</application> rule. Keywords must be
written in the following order. <literal>#</literal> is used
<para>When creating an
<application>IPFW</application> rule, keywords must be
written in the following order. The <literal>#</literal> symbol is used
to mark the start of a comment and may appear at the end of a
rule line or on its own line. Blank lines are ignored.</para>
rule or on its own line. Blank lines are ignored.</para>
<para><replaceable>CMD RULE_NUMBER ACTION LOGGING SELECTION
STATEFUL</replaceable></para>
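Review bot: the sentence "keywords must be written in the following order" is now separated from the order it refers to (the CMD RULE_NUMBER ACTION LOGGING SELECTION STATEFUL line) by the two sentences about comments and blank lines, so the reader meets "the following order" and then gets a comment rule instead. Either move the "#" and blank-line sentences to after the syntax line, or change the wording to "in the order shown below". The change from "rule line" to "rule" is fine, since a rule occupies one line here anyway.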
@ -1915,7 +1846,7 @@ ipfw add deny out</programlisting>
</varlistentry>
<varlistentry>
<term>Logging</term>
<term>LOGGING</term>
<listitem>
<para>When a packet matches a rule with the
<literal>log</literal> keyword, a message will be logged
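Review bot: renaming the term to LOGGING so it matches the placeholder in the syntax line is the right call; since that line marks the placeholders with <replaceable>, consider <term><replaceable>LOGGING</replaceable></term> so the term renders the same way the syntax line does, and apply the same to the SELECTION and STATEFUL terms changed in the following hunks.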
@ -1942,7 +1873,7 @@ ipfw add deny out</programlisting>
</varlistentry>
<varlistentry>
<term>Selection</term>
<term>SELECTION</term>
<listitem>
<para>The keywords described in this section are used to
describe attributes of the packet to be checked when
@ -2031,7 +1962,7 @@ ipfw add deny out</programlisting>
</varlistentry>
<varlistentry>
<term>Stateful Rule Option</term>
<term>STATEFUL</term>
<listitem>
<para>The <literal>check-state</literal> option is used to
identify where in the <application>IPFW</application>
@ -2058,6 +1989,63 @@ ipfw add deny out</programlisting>
</listitem>
</varlistentry>
</variablelist>
</sect2>
<sect2 xml:id="firewalls-ipfw-cmd">
<title>The <application>IPFW</application> Command</title>
<indexterm><primary><command>ipfw</command></primary></indexterm>
<para><command>ipfw</command> can be used to make manual,
single rule additions or deletions to the active firewall
while it is running. The problem with using this method is
that all the changes are lost when the system reboots. It is
recommended to instead write all the rules in a file and to
use that file to load the rules at boot time and to replace
the currently running firewall rules whenever that file
changes.</para>
<para><command>ipfw</command> is a useful way to display the
running firewall rules to the console screen. The
<application>IPFW</application> accounting facility
dynamically creates a counter for each rule that counts each
packet that matches the rule. During the process of testing a
rule, listing the rule with its counter is one way to
determine if the rule is functioning as expected.</para>
<para>To list all the running rules in sequence:</para>
<screen>&prompt.root; <userinput>ipfw list</userinput></screen>
<para>To list all the running rules with a time stamp of when
the last time the rule was matched:</para>
<screen>&prompt.root; <userinput>ipfw -t list</userinput></screen>
<para>The next example lists accounting information and the
packet count for matched rules along with the rules
themselves. The first column is the rule number, followed by
the number of matched packets and bytes, followed by the rule
itself.</para>
<screen>&prompt.root; <userinput>ipfw -a list</userinput></screen>
<para>To list dynamic rules in addition to static rules:</para>
<screen>&prompt.root; <userinput>ipfw -d list</userinput></screen>
<para>To also show the expired dynamic rules:</para>
<screen>&prompt.root; <userinput>ipfw -d -e list</userinput></screen>
<para>To zero the counters:</para>
<screen>&prompt.root; <userinput>ipfw zero</userinput></screen>
<para>To zero the counters for just the rule with number
<replaceable>NUM</replaceable>:</para>
<screen>&prompt.root; <userinput>ipfw zero NUM</userinput></screen>
<sect3>
<title>Logging Firewall Messages</title>
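Review bot: the moved "The IPFW Command" section is carried over verbatim, so this is the moment to fix two things in it: "with a time stamp of when the last time the rule was matched" reads as "when the last time" and should be "with a time stamp of when each rule was last matched", and the screen line "ipfw zero NUM" should mark NUM with <replaceable>, as the paragraph before it does. Also, the <sect3> "Logging Firewall Messages" opens here with no </sect2> in between, so it nests inside the moved firewalls-ipfw-cmd section rather than following it; given the commit message says this section may move again, confirm that nesting is intended and not a leftover of the shuffle.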