Initial pass through enabling IPFW.

Shuffle IPFW command to later in the chapter, might get shuffled again.
Begin prep work for syntax section.

Sponsored by: iXsystems
Dru Lavigne 2014-02-26 17:05:28 +00:00
parent 179bbde3b7
commit 58286b6276
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44076


@ -1675,7 +1675,7 @@ options IPDIVERT # enables NAT</programlisting>
<programlisting>firewall_type="open"</programlisting> <programlisting>firewall_type="open"</programlisting>
<para>The available values for this setting are:</para> <para>The available types are:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -1702,114 +1702,48 @@ options IPDIVERT # enables NAT</programlisting>
firewall rules.</para> firewall rules.</para>
</listitem> </listitem>
<listitem> <listitem>
<para><filename>filename</filename>: full path of the file <para><literal>filename</literal>: full path of the file
containing the firewall rules.</para> containing the firewall ruleset.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>To instead load a custom ruleset, either set the <para>If <literal>firewall_type</literal> is set to either
<filename>filename</filename> value of
<literal>firewall_type</literal> or set the
<literal>firewall_script</literal> variable to the absolute
path of an executable script that includes
<command>IPFW</command> commands. This example script blocks
all incoming and outgoing traffic:</para>
<programlisting>#!/bin/sh
ipfw -q flush
ipfw add deny in
ipfw add deny out</programlisting>
<note>
<para>If <literal>firewall_type</literal> is set to either
<literal>client</literal> or <literal>simple</literal>, <literal>client</literal> or <literal>simple</literal>,
modify the default rules found in modify the default rules found in
<filename>/etc/rc.firewall</filename> to fit the <filename>/etc/rc.firewall</filename> to fit the
configuration of the system. The examples used in this configuration of the system.</para>
section assume that the <literal>firewall_script</literal>
is set to <filename>/etc/ipfw.rules</filename>.</para>
</note>
<para>Enable logging:</para> <para>Note that the
<literal>filename</literal> type is used to load a custom ruleset.</para>
<para>An alternate way to load a custom ruleset is to set the
<literal>firewall_script</literal> variable to the absolute
path of an <emphasis>executable script</emphasis> that includes
<application>IPFW</application> commands. The examples used in this
section assume that the <literal>firewall_script</literal>
is set to <filename>/etc/ipfw.rules</filename>:</para>
<programlisting>firewall_script="/etc/ipfw.rules"</programlisting>
<para>To enable logging, include this line:</para>
<programlisting>firewall_logging="YES"</programlisting> <programlisting>firewall_logging="YES"</programlisting>
<warning> <para>There is no
<para><varname>firewall_logging</varname> sets the <filename>/etc/rc.conf</filename> variable to set logging
<varname>net.inet.ip.fw.verbose</varname> sysctl limits. To limit the number of times a rule is logged
variable to the value of <literal>1</literal>. There is no per connection attempt, specify the number using this line
<filename>rc.conf</filename> variable to set log in
limitations, but the desired value can be set using
<command>sysctl</command> or by adding the following
variable and desired value to
<filename>/etc/sysctl.conf</filename>:</para> <filename>/etc/sysctl.conf</filename>:</para>
<programlisting>net.inet.ip.fw.verbose_limit=5</programlisting> <programlisting>net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></programlisting>
</warning>
<para>After saving the needed edits, start the firewall. To
<para>If the machine is acting as a gateway providing enable logging limits now, also set the
<acronym>NAT</acronym> using &man.natd.8;, refer to <xref <command>sysctl</command> value specified above:</para>
linkend="network-natd"/> for information regarding the
required <filename>/etc/rc.conf</filename> options.</para> <screen>&prompt.root; <userinput>service ipfw start</userinput>
</sect2> &prompt.root; <userinput>sysctl net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></userinput></screen>
<sect2 xml:id="firewalls-ipfw-cmd">
<title>The <application>IPFW</application> Command</title>
<indexterm><primary><command>ipfw</command></primary></indexterm>
<para><command>ipfw</command> can be used to make manual,
single rule additions or deletions to the active firewall
while it is running. The problem with using this method is
that all the changes are lost when the system reboots. It is
recommended to instead write all the rules in a file and to
use that file to load the rules at boot time and to replace
the currently running firewall rules whenever that file
changes.</para>
<para><command>ipfw</command> is a useful way to display the
running firewall rules to the console screen. The
<application>IPFW</application> accounting facility
dynamically creates a counter for each rule that counts each
packet that matches the rule. During the process of testing a
rule, listing the rule with its counter is one way to
determine if the rule is functioning as expected.</para>
<para>To list all the running rules in sequence:</para>
<screen>&prompt.root; <userinput>ipfw list</userinput></screen>
<para>To list all the running rules with a time stamp of when
the last time the rule was matched:</para>
<screen>&prompt.root; <userinput>ipfw -t list</userinput></screen>
<para>The next example lists accounting information and the
packet count for matched rules along with the rules
themselves. The first column is the rule number, followed by
the number of matched packets and bytes, followed by the rule
itself.</para>
<screen>&prompt.root; <userinput>ipfw -a list</userinput></screen>
<para>To list dynamic rules in addition to static rules:</para>
<screen>&prompt.root; <userinput>ipfw -d list</userinput></screen>
<para>To also show the expired dynamic rules:</para>
<screen>&prompt.root; <userinput>ipfw -d -e list</userinput></screen>
<para>To zero the counters:</para>
<screen>&prompt.root; <userinput>ipfw zero</userinput></screen>
<para>To zero the counters for just the rule with number
<replaceable>NUM</replaceable>:</para>
<screen>&prompt.root; <userinput>ipfw zero NUM</userinput></screen>
</sect2> </sect2>
<sect2 xml:id="firewalls-ipfw-rules"> <sect2 xml:id="firewalls-ipfw-rules">
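Review bot: the paragraph removed at the end of the old configuration text, which sent gateway users running NAT via &man.natd.8; to <xref linkend="network-natd"/> for the required /etc/rc.conf options, has no replacement on the new side, so a reader who enabled `options IPDIVERT # enables NAT` in the kernel configuration shown at the hunk header loses the only pointer to the natd settings; keep that paragraph (or a one-line cross-reference) after the `service ipfw start` screen. A secondary wording point in the logging paragraph: the old warning explained that firewall_logging sets net.inet.ip.fw.verbose to 1 and said only that there is no rc.conf variable for "log limitations"; the new text drops the explanation of what firewall_logging does and describes verbose_limit as a limit "per connection attempt", a unit the old text never stated, so that phrasing should be checked against &man.ipfw.8; before it goes in.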
@ -1821,16 +1755,16 @@ ipfw add deny out</programlisting>
<secondary>rule processing order</secondary> <secondary>rule processing order</secondary>
</indexterm> </indexterm>
<para>When a packet enters the <acronym>IPFW</acronym> firewall, <para>When a packet enters the <application>IPFW</application> firewall,
it is compared against the first rule in the ruleset and it is compared against the first rule in the ruleset and
progresses one rule at a time, moving from top to bottom of progresses one rule at a time, moving from top to bottom of
the set in ascending rule number sequence order. When the the set in ascending rule number sequence order. When the
packet matches the selection parameters of a rule, the rule's packet matches the selection parameters of a rule, the rule's
action field value is executed and the search of the ruleset action is executed and the search of the ruleset
terminates for that packet. This is referred to as terminates for that packet. This is referred to as
<quote>first match wins</quote>. If the packet does not match <quote>first match wins</quote>. If the packet does not match
any of the rules, it gets caught by the mandatory any of the rules, it gets caught by the mandatory
<application>IPFW</application> default rule, number 65535, <application>IPFW</application> default rule number 65535,
which denies all packets and silently discards them. However, which denies all packets and silently discards them. However,
if the packet matches a rule that contains the if the packet matches a rule that contains the
<literal>count</literal>, <literal>skipto</literal>, or <literal>count</literal>, <literal>skipto</literal>, or
@ -1838,11 +1772,8 @@ ipfw add deny out</programlisting>
to &man.ipfw.8; for details on how these keywords affect rule to &man.ipfw.8; for details on how these keywords affect rule
processing.</para> processing.</para>
<para>The examples in this section create an inclusive type <para>This section provides an overview of the rule syntax for creating
firewall ruleset containing the stateful <literal>keep stateful rules. For a complete rule syntax
state</literal>, <literal>limit</literal>,
<literal>in</literal>, <literal>out</literal> and
<literal>via</literal> options. For a complete rule syntax
description, refer to &man.ipfw.8;.</para> description, refer to &man.ipfw.8;.</para>
<indexterm> <indexterm>
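Review bot: the new sentence narrows the section to "the rule syntax for creating stateful rules", but the syntax this section goes on to describe (CMD RULE_NUMBER ACTION LOGGING SELECTION STATEFUL, with STATEFUL as one optional element) applies to every rule, and the keywords the old sentence named (keep state, limit, in, out, via) are dropped without being mentioned elsewhere in the hunk; suggest "This section provides an overview of the rule syntax" and introduce the stateful keywords under the STATEFUL entry.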
@ -1851,11 +1782,11 @@ ipfw add deny out</programlisting>
<secondary>rule syntax</secondary> <secondary>rule syntax</secondary>
</indexterm> </indexterm>
<para>This section describes the keywords which comprise an <para>When creating an
<application>IPFW</application> rule. Keywords must be <application>IPFW</application> rule, keywords must be
written in the following order. <literal>#</literal> is used written in the following order. The <literal>#</literal> symbol is used
to mark the start of a comment and may appear at the end of a to mark the start of a comment and may appear at the end of a
rule line or on its own line. Blank lines are ignored.</para> rule or on its own line. Blank lines are ignored.</para>
<para><replaceable>CMD RULE_NUMBER ACTION LOGGING SELECTION <para><replaceable>CMD RULE_NUMBER ACTION LOGGING SELECTION
STATEFUL</replaceable></para> STATEFUL</replaceable></para>
@ -1915,7 +1846,7 @@ ipfw add deny out</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Logging</term> <term>LOGGING</term>
<listitem> <listitem>
<para>When a packet matches a rule with the <para>When a packet matches a rule with the
<literal>log</literal> keyword, a message will be logged <literal>log</literal> keyword, a message will be logged
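Review bot: renaming the <term> from Logging to LOGGING makes it match the placeholder line <replaceable>CMD RULE_NUMBER ACTION LOGGING SELECTION STATEFUL</replaceable>, but the CMD, RULE_NUMBER and ACTION entries fall outside this diff, so please confirm they already use the same uppercase form; otherwise the varlistentry terms end up half-converted.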
@ -1942,7 +1873,7 @@ ipfw add deny out</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Selection</term> <term>SELECTION</term>
<listitem> <listitem>
<para>The keywords described in this section are used to <para>The keywords described in this section are used to
describe attributes of the packet to be checked when describe attributes of the packet to be checked when
@ -2031,7 +1962,7 @@ ipfw add deny out</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>Stateful Rule Option</term> <term>STATEFUL</term>
<listitem> <listitem>
<para>The <literal>check-state</literal> option is used to <para>The <literal>check-state</literal> option is used to
identify where in the <application>IPFW</application> identify where in the <application>IPFW</application>
@ -2058,6 +1989,63 @@ ipfw add deny out</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</sect2>
<sect2 xml:id="firewalls-ipfw-cmd">
<title>The <application>IPFW</application> Command</title>
<indexterm><primary><command>ipfw</command></primary></indexterm>
<para><command>ipfw</command> can be used to make manual,
single rule additions or deletions to the active firewall
while it is running. The problem with using this method is
that all the changes are lost when the system reboots. It is
recommended to instead write all the rules in a file and to
use that file to load the rules at boot time and to replace
the currently running firewall rules whenever that file
changes.</para>
<para><command>ipfw</command> is a useful way to display the
running firewall rules to the console screen. The
<application>IPFW</application> accounting facility
dynamically creates a counter for each rule that counts each
packet that matches the rule. During the process of testing a
rule, listing the rule with its counter is one way to
determine if the rule is functioning as expected.</para>
<para>To list all the running rules in sequence:</para>
<screen>&prompt.root; <userinput>ipfw list</userinput></screen>
<para>To list all the running rules with a time stamp of when
the last time the rule was matched:</para>
<screen>&prompt.root; <userinput>ipfw -t list</userinput></screen>
<para>The next example lists accounting information and the
packet count for matched rules along with the rules
themselves. The first column is the rule number, followed by
the number of matched packets and bytes, followed by the rule
itself.</para>
<screen>&prompt.root; <userinput>ipfw -a list</userinput></screen>
<para>To list dynamic rules in addition to static rules:</para>
<screen>&prompt.root; <userinput>ipfw -d list</userinput></screen>
<para>To also show the expired dynamic rules:</para>
<screen>&prompt.root; <userinput>ipfw -d -e list</userinput></screen>
<para>To zero the counters:</para>
<screen>&prompt.root; <userinput>ipfw zero</userinput></screen>
<para>To zero the counters for just the rule with number
<replaceable>NUM</replaceable>:</para>
<screen>&prompt.root; <userinput>ipfw zero NUM</userinput></screen>
<sect3> <sect3>
<title>Logging Firewall Messages</title> <title>Logging Firewall Messages</title>
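Review bot: opening the moved <sect2 xml:id="firewalls-ipfw-cmd"> immediately before the unchanged <sect3> "Logging Firewall Messages" re-parents that sect3 under "The IPFW Command" instead of under firewalls-ipfw-rules where it sat before; if logging is meant to stay with the rule syntax, close the new sect2 before the <sect3>, or state the new placement in the commit message since the section "might get shuffled again". Two small points carried over verbatim with the move: in the last <screen>, NUM should be <replaceable>NUM</replaceable> inside <userinput> to match the preceding <para>, and "with a time stamp of when the last time the rule was matched" reads better as "with a time stamp of when each rule was last matched".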