Initial prep work for IPFW section so that it starts to match layout
of other firewall sections. Many more commits to come.

Sponsored by: iXsystems
parent 12caad51ae
commit 6f7189bc9e
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44054
1 changed file with 34 additions and 49 deletions
@ -1639,10 +1639,6 @@ block drop out quick on $ext_if from any to $martians</programlisting>
|
||||||
|
|
||||||
<programlisting>net.inet.ip.fw.verbose=1
|
<programlisting>net.inet.ip.fw.verbose=1
|
||||||
net.inet.ip.fw.verbose_limit=5</programlisting>
|
net.inet.ip.fw.verbose_limit=5</programlisting>
|
||||||
</sect2>
|
|
||||||
|
|
||||||
<sect2 xml:id="firewalls-ipfw-kernel">
|
|
||||||
<title>Kernel Options</title>
|
|
||||||
|
|
||||||
<indexterm>
|
<indexterm>
|
||||||
<primary>kernel options</primary>
|
<primary>kernel options</primary>
|
||||||
|
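Review bot: Removing `<sect2 xml:id="firewalls-ipfw-kernel">` and its `<title>Kernel Options</title>` (while keeping the `<indexterm>` for kernel options) deletes an anchor that other parts of the handbook may reference with `<link linkend="firewalls-ipfw-kernel">`, and a dangling linkend breaks cross-references in the build. Before dropping the id, grep the doc tree for `firewalls-ipfw-kernel`; if anything points at it, either keep the id on the surviving sect2 or retarget those links in the same commit.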
@ -1720,12 +1716,8 @@ net.inet.ip.fw.verbose_limit=5</programlisting>
|
||||||
option or a rule to explicitly allow these connections is
|
option or a rule to explicitly allow these connections is
|
||||||
missing.</para>
|
missing.</para>
|
||||||
</note>
|
</note>
|
||||||
</sect2>
|
|
||||||
|
|
||||||
<sect2 xml:id="firewalls-ipfw-rc">
|
<para>The following <filename>/etc/rc.conf</filename> option enables the firewall:</para>
|
||||||
<title><filename>/etc/rc.conf</filename> Options</title>
|
|
||||||
|
|
||||||
<para>Enables the firewall:</para>
|
|
||||||
|
|
||||||
<programlisting>firewall_enable="YES"</programlisting>
|
<programlisting>firewall_enable="YES"</programlisting>
|
||||||
|
|
||||||
|
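Review bot: With the `</sect2>`, `<sect2 xml:id="firewalls-ipfw-rc">` and its `<title>` gone, the kernel-options `<note>` ending in `missing.</para>` now runs straight into the new `<para>The following <filename>/etc/rc.conf</filename> option enables the firewall:</para>` inside a single sect2, so the reader loses the signpost that the text has moved from kernel configuration to rc.conf; add a short bridging sentence or keep a heading. The `firewalls-ipfw-rc` id also disappears here and should be checked for existing linkend references before it is removed.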
@ -1876,7 +1868,7 @@ ipfw add deny out</programlisting>
|
||||||
</sect2>
|
</sect2>
|
||||||
|
|
||||||
<sect2 xml:id="firewalls-ipfw-rules">
|
<sect2 xml:id="firewalls-ipfw-rules">
|
||||||
<title>IPFW Rulesets</title>
|
<title>IPFW Rule Syntax</title>
|
||||||
|
|
||||||
<indexterm>
|
<indexterm>
|
||||||
<primary>IPFW</primary>
|
<primary>IPFW</primary>
|
||||||
|
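Review bot: Keeping the `firewalls-ipfw-rules` id while retitling the sect2 from "IPFW Rulesets" to "IPFW Rule Syntax" is the right call, but this commit also removes the inner `<sect3 xml:id="firewalls-ipfw-rules-syntax">` that carried the old "Rule Syntax" title, so any link to `firewalls-ipfw-rules-syntax` needs to be retargeted to `firewalls-ipfw-rules` as part of this change rather than left to break.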
@ -1907,14 +1899,6 @@ ipfw add deny out</programlisting>
|
||||||
<literal>via</literal> options. For a complete rule syntax
|
<literal>via</literal> options. For a complete rule syntax
|
||||||
description, refer to &man.ipfw.8;.</para>
|
description, refer to &man.ipfw.8;.</para>
|
||||||
|
|
||||||
<warning>
|
|
||||||
<para>Be careful when working with firewall rules, as it is
|
|
||||||
easy to lock out even the administrator.</para>
|
|
||||||
</warning>
|
|
||||||
|
|
||||||
<sect3 xml:id="firewalls-ipfw-rules-syntax">
|
|
||||||
<title>Rule Syntax</title>
|
|
||||||
|
|
||||||
<indexterm>
|
<indexterm>
|
||||||
<primary>IPFW</primary>
|
<primary>IPFW</primary>
|
||||||
|
|
||||||
|
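Review bot: The `<warning>` that it is easy to lock out even the administrator is deleted together with the `<sect3 xml:id="firewalls-ipfw-rules-syntax">` wrapper, and nothing in this diff re-adds it; for a layout-only commit that is a content regression on the one caution a first-time firewall user most needs. Keep it (it does not need the sect3 around it and can sit right after the `&man.ipfw.8;` reference):
<warning>
<para>Be careful when working with firewall rules, as it is easy to lock out even the administrator.</para>
</warning>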
@ -1930,25 +1914,28 @@ ipfw add deny out</programlisting>
|
||||||
<para><replaceable>CMD RULE_NUMBER ACTION LOGGING SELECTION
|
<para><replaceable>CMD RULE_NUMBER ACTION LOGGING SELECTION
|
||||||
STATEFUL</replaceable></para>
|
STATEFUL</replaceable></para>
|
||||||
|
|
||||||
<sect4>
|
<variablelist>
|
||||||
<title>CMD</title>
|
<varlistentry>
|
||||||
|
<term>CMD</term>
|
||||||
|
<listitem>
|
||||||
<para>Each new rule has to be prefixed with
|
<para>Each new rule has to be prefixed with
|
||||||
<parameter>add</parameter> to add the rule to the internal
|
<parameter>add</parameter> to add the rule to the internal
|
||||||
table.</para>
|
table.</para>
|
||||||
</sect4>
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
<sect4>
|
|
||||||
<title>RULE_NUMBER</title>
|
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>RULE_NUMBER</term>
|
||||||
|
<listitem>
|
||||||
<para>Each rule is associated with a rule_number in the
|
<para>Each rule is associated with a rule_number in the
|
||||||
range of <literal>1</literal> to
|
range of <literal>1</literal> to
|
||||||
<literal>65535</literal>.</para>
|
<literal>65535</literal>.</para>
|
||||||
</sect4>
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
<sect4>
|
|
||||||
<title>ACTION</title>
|
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>ACTION</term>
|
||||||
|
<listitem>
|
||||||
<para>A rule can be associated with one of the following
|
<para>A rule can be associated with one of the following
|
||||||
actions. The specified action will be executed when the
|
actions. The specified action will be executed when the
|
||||||
packet matches the selection criterion of the rule.</para>
|
packet matches the selection criterion of the rule.</para>
|
||||||
|
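Review bot: The sect4-to-variablelist conversion leaves three consecutive blank lines between `</varlistentry>` and the next `<varlistentry>` (where the old `<sect4>`, `<title>` and blank rows were), which is inconsistent with the single blank line used elsewhere in the file; collapse them to one. The `<variablelist>` / `<varlistentry>` / `<term>` / `<listitem>` nesting itself looks correct.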
@ -1977,11 +1964,12 @@ ipfw add deny out</programlisting>
|
||||||
<para>Both words mean the same thing, which is to discard
|
<para>Both words mean the same thing, which is to discard
|
||||||
packets that match this rule. The search
|
packets that match this rule. The search
|
||||||
terminates.</para>
|
terminates.</para>
|
||||||
</sect4>
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
<sect4>
|
|
||||||
<title>Logging</title>
|
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>Logging</term>
|
||||||
|
<listitem>
|
||||||
<para>When a packet matches a rule with the
|
<para>When a packet matches a rule with the
|
||||||
<literal>log</literal> keyword, a message will be logged
|
<literal>log</literal> keyword, a message will be logged
|
||||||
to &man.syslogd.8; with a facility name of
|
to &man.syslogd.8; with a facility name of
|
||||||
|
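Review bot: `<term>Logging</term>` does not match the placeholder it documents: the synopsis reads `CMD RULE_NUMBER ACTION LOGGING SELECTION STATEFUL` and the preceding terms are `CMD`, `RULE_NUMBER` and `ACTION`, so this entry should be `<term>LOGGING</term>` (and likewise `SELECTION` and `STATEFUL` for the following entries) so a reader can map each term back to the synopsis.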
@ -2002,11 +1990,12 @@ ipfw add deny out</programlisting>
|
||||||
final action on the packet. The administrator decides
|
final action on the packet. The administrator decides
|
||||||
which rules to enable logging on.</para>
|
which rules to enable logging on.</para>
|
||||||
</note>
|
</note>
|
||||||
</sect4>
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
<sect4>
|
|
||||||
<title>Selection</title>
|
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>Selection</term>
|
||||||
|
<listitem>
|
||||||
<para>The keywords described in this section are used to
|
<para>The keywords described in this section are used to
|
||||||
describe attributes of the packet to be checked when
|
describe attributes of the packet to be checked when
|
||||||
determining whether rules match the packet or not.
|
determining whether rules match the packet or not.
|
||||||
|
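Review bot: "The keywords described in this section" in the Selection `<listitem>` is now stale, since this text is no longer a `<sect4>` but one entry in a `<variablelist>`; reword to "The following keywords are used to describe attributes of the packet to be checked ..." so the prose matches the new structure.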
@ -2087,18 +2076,12 @@ ipfw add deny out</programlisting>
|
||||||
specified. <literal>limit</literal> and
|
specified. <literal>limit</literal> and
|
||||||
<literal>keep-state</literal> can not be used on the same
|
<literal>keep-state</literal> can not be used on the same
|
||||||
rule as they provide the same stateful function.</para>
|
rule as they provide the same stateful function.</para>
|
||||||
</sect4>
|
</listitem>
|
||||||
</sect3>
|
</varlistentry>
|
||||||
|
|
||||||
<sect3>
|
|
||||||
<title>Stateful Rule Option</title>
|
|
||||||
|
|
||||||
<indexterm>
|
|
||||||
<primary>IPFW</primary>
|
|
||||||
|
|
||||||
<secondary>stateful filtering</secondary>
|
|
||||||
</indexterm>
|
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>Stateful Rule Option</term>
|
||||||
|
<listitem>
|
||||||
<para>The <literal>check-state</literal> option is used to
|
<para>The <literal>check-state</literal> option is used to
|
||||||
identify where in the IPFW ruleset the packet is to be
|
identify where in the IPFW ruleset the packet is to be
|
||||||
tested against the dynamic rules facility. On a match, the
|
tested against the dynamic rules facility. On a match, the
|
||||||
|
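Review bot: The `<indexterm><primary>IPFW</primary><secondary>stateful filtering</secondary></indexterm>` is dropped outright rather than moved into the new `<listitem>`, so the index loses its "stateful filtering" entry; an `<indexterm>` is valid inside a `<listitem>` or `<para>`, so carry it over directly after `<term>Stateful Rule Option</term>`.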
@ -2119,7 +2102,9 @@ ipfw add deny out</programlisting>
|
||||||
combination occurred. If this count is greater than the
|
combination occurred. If this count is greater than the
|
||||||
value specified by <literal>limit</literal>, the packet is
|
value specified by <literal>limit</literal>, the packet is
|
||||||
discarded.</para>
|
discarded.</para>
|
||||||
</sect3>
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
<sect3>
|
<sect3>
|
||||||
<title>Logging Firewall Messages</title>
|
<title>Logging Firewall Messages</title>
|
||||||
|
|
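Review bot: After `</variablelist>` the `<sect3><title>Logging Firewall Messages</title>` becomes a direct child of the sect2 now titled "IPFW Rule Syntax", so a logging how-to sits under a syntax heading; either move that sect3 into its own sect2 or keep a broader sect2 title such as the old "IPFW Rulesets". Element balance checks out: the two old `</sect3>` closers (rules-syntax and Stateful Rule Option) are replaced by `</listitem></varlistentry></variablelist>`, matching the `<variablelist>` opened where the first `<sect4>` was.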