In firewalls section:

- Use of inline elements instead of block elements where needed
- Some tag changes for consistency
- Add missing options word

This should give a better output.
(It's a 1st pass, more things need to be fixed)
Marc Fonvieille 2004-10-24 09:10:22 +00:00
parent 60e5428835
commit 7ceb8be186
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=22655


@ -3133,7 +3133,7 @@ jdoe@example.org</screen>
<para>PF is included in the basic &os; install for versions newer than <para>PF is included in the basic &os; install for versions newer than
5.3 as a separate run time loadable module. PF will dynamically load 5.3 as a separate run time loadable module. PF will dynamically load
its kernel loadable module when the rc.conf statement its kernel loadable module when the rc.conf statement
<programlisting>pf_enable="YES"</programlisting> is used. The <literal>pf_enable="YES"</literal> is used. The
loadable module was created with &man.pflog.4; logging loadable module was created with &man.pflog.4; logging
enabled.</para> enabled.</para>
</sect3> </sect3>
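
Review bot: In the sentence that now carries <literal>pf_enable="YES"</literal>, the file name rc.conf is still bare text, while the IPF section touched by this same commit writes it as <filename>/etc/rc.conf</filename>. Since this pass is about tag consistency, mark it up as <filename>/etc/rc.conf</filename> here as well, so the reader sees exactly which file the statement belongs in.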
@ -3149,9 +3149,9 @@ jdoe@example.org</screen>
<filename>/usr/src/sys/conf/NOTES</filename> kernel source and are <filename>/usr/src/sys/conf/NOTES</filename> kernel source and are
reproduced here.</para> reproduced here.</para>
<screen>device pf <programlisting>device pf
device pflog device pflog
device pfsync</screen> device pfsync</programlisting>
<para><literal>device pf</literal> tells the compile to include <para><literal>device pf</literal> tells the compile to include
Packet Filter as part of its core kernel.</para> Packet Filter as part of its core kernel.</para>
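
Review bot: The paragraph directly under the converted listing still reads "tells the compile to include", which is a wording slip for the kernel build (or the compiler). The markup change from <screen> to <programlisting> is right for lines copied from a configuration file, so the listing itself is fine; fix the sentence in the same pass, since it is the first explanation a reader meets after the listing.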
@ -3251,8 +3251,8 @@ pflog_flags="" # additional flags for pflogd startup</programli
<title>Enabling IPF</title> <title>Enabling IPF</title>
<para>IPF is included in the basic &os; install as a separate <para>IPF is included in the basic &os; install as a separate
run time loadable module. IPF will dynamically load its kernel run time loadable module. IPF will dynamically load its kernel
loadable module when the rc.conf statement <programlisting> loadable module when the rc.conf statement <literal>
ipfilter_enable="YES"</programlisting> is used. The loadable ipfilter_enable="YES"</literal> is used. The loadable
module was created with logging enabled and the <quote>default module was created with logging enabled and the <quote>default
pass all</quote> options. You do not need to compile IPF into pass all</quote> options. You do not need to compile IPF into
the &os; kernel just to change the default to <quote>block all the &os; kernel just to change the default to <quote>block all
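
Review bot: The new inline element opens at the end of one line and its content starts on the next ("<literal>" followed by a line break, then ipfilter_enable="YES"</literal>), so the literal begins with whitespace that an inline element will render as a leading space. Keep the opening tag, the statement and the closing tag together on one line, as was done for pf_enable="YES" in the PF section. The bare rc.conf in the same sentence would also read better as <filename>/etc/rc.conf</filename>.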
@ -3276,15 +3276,15 @@ pflog_flags="" # additional flags for pflogd startup</programli
options IPFILTER_LOG options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK</screen> options IPFILTER_DEFAULT_BLOCK</screen>
<para><programlisting>IPFILTER</programlisting> tells the compile <para><literal>options IPFILTER</literal> tells the compile
to include IPFILTER as part of its core kernel.</para> to include IPFILTER as part of its core kernel.</para>
<para><programlisting>IPFILTER_LOG</programlisting> enables the <para><literal>options IPFILTER_LOG</literal> enables the
option to have IPF log traffic by writing to the ipl packet option to have IPF log traffic by writing to the ipl packet
logging psuedo&mdash;device for every rule that has the <quote>log logging psuedo&mdash;device for every rule that has the <quote>log
</quote> keyword.</para> </quote> keyword.</para>
<para><programlisting>IPFILTER_DEFAULT_BLOCK</programlisting> <para><literal>options IPFILTER_DEFAULT_BLOCK</literal>
changes the default behavior so any packet not matching a changes the default behavior so any packet not matching a
firewall <quote>pass</quote> rule gets blocked.</para> firewall <quote>pass</quote> rule gets blocked.</para>
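
Review bot: The kernel options listing at the top of this hunk still ends with </screen> (options IPFILTER_DEFAULT_BLOCK</screen>), although the equivalent PF listing was switched to <programlisting> earlier in this commit. Convert this block too so both kernel configuration listings use the same element. In the unchanged text, "psuedo&mdash;device" is misspelt and uses a dash entity where a plain hyphen is meant ("pseudo-device"); that is worth fixing in the follow-up pass.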
@ -3297,22 +3297,20 @@ options IPFILTER_DEFAULT_BLOCK</screen>
<para>You need the follow statements in <filename>/etc/rc.conf <para>You need the follow statements in <filename>/etc/rc.conf
</filename> to activate IPF at boot time.</para> </filename> to activate IPF at boot time.</para>
<programlisting>ipfilter_enable="YES" # Start ipf firewall</programlisting> <programlisting>ipfilter_enable="YES" # Start ipf firewall
<programlisting>ipfilter_rules="/etc/ipf.rules" # loads rules definition text file ipfilter_rules="/etc/ipf.rules" # loads rules definition text file
</programlisting> ipmon_enable="YES" # Start IP monitor log
<programlisting>ipmon_enable="YES" # Start IP monitor log ipmon_flags="&mdash;Ds" # D = start as daemon
</programlisting>
<screen>ipmon_flags="&mdash;Ds" # D = start as daemon
# s = log to syslog # s = log to syslog
# v = log tcp window, ack, seq # v = log tcp window, ack, seq
# n = map IP & port to names</screen> # n = map IP & port to names</programlisting>
<para>If you have a LAN behind this firewall that uses the <para>If you have a LAN behind this firewall that uses the
reserved private IP address ranges, then you need to add the reserved private IP address ranges, then you need to add the
following to enable <acronym>NAT</acronym> function.</para> following to enable <acronym>NAT</acronym> function.</para>
<screen>gateway_enable="YES" # Enable as Lan gateway <programlisting>gateway_enable="YES" # Enable as Lan gateway
ipnat_enable="YES" # Start ipnat function ipnat_enable="YES" # Start ipnat function
ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</screen> ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlisting>
</sect3> </sect3>
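
Review bot: In the merged rc.conf listing, ipmon_flags="&mdash;Ds" carries a dash entity inside a value that readers will copy verbatim, so the rendered page shows an em dash instead of the hyphen that introduces the D and s flags. Write it as ipmon_flags="-Ds", since a mistyped flag string here affects whether firewall logging starts as documented. The comment "# n = map IP & port to names" also has a bare ampersand inside the listing, which should be written as &amp;, and "You need the follow statements" in the lead-in should read "following".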