From 7ceb8be186656ac91dc6af5dc1ca8c60bc5140cc Mon Sep 17 00:00:00 2001
From: Marc Fonvieille
Date: Sun, 24 Oct 2004 09:10:22 +0000
Subject: [PATCH] In firewalls section:
- Use of inline elements instead of block elements where needed
- Some tags changes for consitency
- Add missing options word
This should give a better output. (It's a 1st pass, more things need to be fixed)
---
 .../books/handbook/security/chapter.sgml | 32 +++++++++----------
 1 file changed, 15 insertions(+), 17 deletions(-)
diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.sgml b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
index c4c2e37ba1..b75977bac9 100644
--- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
@@ -3133,7 +3133,7 @@ jdoe@example.org PF is included in the basic &os; install for versions newer than 5.3 as a separate run time loadable module. PF will dynamically load its kernel loadable module when the rc.conf statement - pf_enable="YES" is used. The + pf_enable="YES" is used. The loadable module was created with &man.pflog.4; logging enabled.
@@ -3149,9 +3149,9 @@ jdoe@example.org /usr/src/sys/conf/NOTES kernel source and are reproduced here. - device pf + device pf device pflog -device pfsync +device pfsync device pf tells the compile to include Packet Filter as part of its core kernel.
@@ -3251,8 +3251,8 @@ pflog_flags="" # additional flags for pflogd startupEnabling IPF IPF is included in the basic &os; install as a separate run time loadable module. IPF will dynamically load its kernel - loadable module when the rc.conf statement - ipfilter_enable="YES" is used. The loadable + loadable module when the rc.conf statement + ipfilter_enable="YES" is used. The loadable module was created with logging enabled and the default pass all options. You do not need to compile IPF into the &os; kernel just to change the default to block all 
@@ -3276,15 +3276,15 @@ pflog_flags="" # additional flags for pflogd startup - IPFILTER tells the compile + options IPFILTER tells the compile to include IPFILTER as part of its core kernel. - IPFILTER_LOG enables the + options IPFILTER_LOG enables the option to have IPF log traffic by writing to the ipl packet logging psuedo—device for every rule that has the log keyword. - IPFILTER_DEFAULT_BLOCK + options IPFILTER_DEFAULT_BLOCK changes the default behavior so any packet not matching a firewall pass rule gets blocked.
@@ -3297,22 +3297,20 @@ options IPFILTER_DEFAULT_BLOCK You need the follow statements in /etc/rc.conf to activate IPF at boot time. - ipfilter_enable="YES" # Start ipf firewall - ipfilter_rules="/etc/ipf.rules" # loads rules definition text file - - ipmon_enable="YES" # Start IP monitor log - - ipmon_flags="—Ds" # D = start as daemon + ipfilter_enable="YES" # Start ipf firewall +ipfilter_rules="/etc/ipf.rules" # loads rules definition text file +ipmon_enable="YES" # Start IP monitor log +ipmon_flags="—Ds" # D = start as daemon # s = log to syslog # v = log tcp window, ack, seq - # n = map IP & port to names + # n = map IP & port to names If you have a LAN behind this firewall that uses the reserved private IP address ranges, then you need to add the following to enable NAT function. - gateway_enable="YES" # Enable as Lan gateway + gateway_enable="YES" # Enable as Lan gateway ipnat_enable="YES" # Start ipnat function -ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat +ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat