Continue to shuffle and improve flow of this chapter.

Many more commits to come.

Sponsored by: iXsystems
This commit is contained in:
Dru Lavigne 2014-02-14 18:45:03 +00:00
parent 019f21a9de
commit 83f00e6da3
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=43926


@ -218,17 +218,39 @@
<application>ALTQ</application> (Alternate Queuing), which
provides Quality of Service (<acronym>QoS</acronym>).</para>
<para>Since the OpenBSD Project maintains the definitive
<para>The OpenBSD Project maintains the definitive
reference for <application>PF</application> in the <link
xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>,
this section of the Handbook focuses on
<application>PF</application> as it pertains to &os;, while
providing some general usage information.</para>
xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>.
Peter Hansteen maintains a thorough <application>PF</application> tutorial at <link
xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>.</para>
<warning>
<para>When reading the <link
xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>,
keep in mind that different versions of &os; contain
different versions of <application>PF</application>.
&os;&nbsp;8.<replaceable>X</replaceable> uses the same
version of <application>PF</application> as
OpenBSD&nbsp;4.1 and &os;&nbsp;9.<replaceable>X</replaceable>
and later uses the same version of
<application>PF</application> as OpenBSD&nbsp;4.5.</para>
</warning>
<para>The &a.pf; is a good place to ask questions about
configuring and running the <application>PF</application>
firewall. Check the mailing list archives
before asking a question as it may have already been answered.</para>
<para>More information about porting <application>PF</application>
to &os; can be found at <uri
xlink:href="http://pf4freebsd.love2party.net/">http://pf4freebsd.love2party.net/</uri>.</para>
<para>This section of the Handbook focuses on
<application>PF</application> as it pertains to &os;. It
demonstrates how to enable <application>PF</application> and
<application>ALTQ</application>. It then provides several
examples for creating rulesets on a &os; system.</para>
<sect2>
<title>Enabling <application>PF</application></title>
@ -260,12 +282,6 @@
<programlisting>pf_rules="<replaceable>/path/to/pf.conf</replaceable>"</programlisting>
<para>The sample <filename>pf.conf</filename>
can be found in
<filename>/usr/share/examples/pf/</filename>. The rest of
this chapter demonstrates how to create a custom
ruleset.</para>
<para>Logging support for <application>PF</application> is
provided by &man.pflog.4;. To enable logging support, add
this line to <filename>/etc/rc.conf</filename>:</para>
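Review bot: removing the sample-file paragraph leaves `pf_rules="<replaceable>/path/to/pf.conf</replaceable>"` with no pointer to what to put at that path inside the enabling steps; the `/usr/share/examples/pf/` reference now appears only further down, after the pflog and pfsync material. Suggest keeping a one-line cross-reference next to `pf_rules=` ("the sample <filename>pf.conf</filename> in <filename>/usr/share/examples/pf/</filename> is a starting point") so a reader working through the rc.conf settings in order is not left guessing, and the fuller description can stay where this commit moves it.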
@ -344,6 +360,78 @@ device pfsync</programlisting>
<quote>state changes</quote>.</para>
</note>
-->
<para>By default, <application>PF</application> reads its
configuration rules from <filename>/etc/pf.conf</filename> and
modifies, drops, or passes packets according to the rules or
definitions specified in this file. The &os; installation
includes several sample files located in
<filename>/usr/share/examples/pf/</filename>. Refer to the
<link xlink:href="http://www.openbsd.org/faq/pf/">PF
FAQ</link> for complete coverage of
<application>PF</application> rulesets.</para>
<para>To control <application>PF</application>, use
<command>pfctl</command>. <xref
linkend="pfctl"/> summarizes some useful options to this command.
Refer to &man.pfctl.8; for a description of all available
options:</para>
<table xml:id="pfctl" frame="none" pgwide="1">
<title>Useful <command>pfctl</command> Options</title>
<tgroup cols="2">
<thead>
<row>
<entry>Command</entry>
<entry>Purpose</entry>
</row>
</thead>
<tbody>
<row>
<entry><command>pfctl
-e</command></entry>
<entry>Enable <application>PF</application>.</entry>
</row>
<row>
<entry><command>pfctl
-d</command></entry>
<entry>Disable <application>PF</application>.</entry>
</row>
<row>
<entry><command>pfctl -F all
-f /etc/pf.conf</command></entry>
<entry>Flush all <acronym>NAT</acronym>, filter, state, and table
rules and reload
<filename>/etc/pf.conf</filename>.</entry>
</row>
<row>
<entry><command>pfctl -s [ rules | nat
state ]</command></entry>
<entry>Report on the filter rules, <acronym>NAT</acronym> rules, or state
table.</entry>
</row>
<row>
<entry><command>pfctl -vnf
/etc/pf.conf</command></entry>
<entry>Check <filename>/etc/pf.conf</filename> for
errors, but do not load ruleset.</entry>
</row>
</tbody>
</tgroup>
</table>
<tip>
<para><package>security/sudo</package> is useful for running
commands like <command>pfctl</command> that require elevated
privileges. It can be installed from the Ports
Collection.</para>
</tip>
</sect2>
<sect2>
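Review bot: the `-s` row has a typo: `pfctl -s [ rules | nat state ]` is missing the separator between `nat` and `state` and should read `pfctl -s [ rules | nat | state ]`. The `-F all -f /etc/pf.conf` row also deserves a caveat in its Purpose cell: flushing the state table drops every tracked connection, including the administrator's own SSH session on a remote host, and with the stateful rulesets shown later on this page (`keep state` with the default `flags S/SA`) those sessions cannot re-establish mid-stream, so on a remote machine `pfctl -f /etc/pf.conf` alone, which replaces the rules without touching existing states, is the safer reload. Consider saying so here, since this table is where readers will copy the command from.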
@ -434,93 +522,9 @@ options ALTQ_PRIQ # Priority Queuing (PRIQ)</programlisting>
xlink:href="http://www.openbsd.org/faq/pf/queueing.html">http://www.openbsd.org/faq/pf/queueing.html</uri>.</para>
</sect2>
<sect2>
<title>Creating Filtering Rules</title>
<para>By default, <application>PF</application> reads its
configuration rules from <filename>/etc/pf.conf</filename> and
modifies, drops, or passes packets according to the rules or
definitions specified in this file. The &os; installation
includes several sample files located in
<filename>/usr/share/examples/pf/</filename>. Refer to the
<link xlink:href="http://www.openbsd.org/faq/pf/">PF
FAQ</link> for complete coverage of
<application>PF</application> rulesets.</para>
<warning>
<para>When reading the <link
xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>,
keep in mind that different versions of &os; contain
different versions of PF. Currently,
&os;&nbsp;8.<replaceable>X</replaceable> is using the same
version of <application>PF</application>
OpenBSD&nbsp;4.1. &os;&nbsp;9.<replaceable>X</replaceable>
and later is using the same version of
<application>PF</application> as OpenBSD&nbsp;4.5.</para>
</warning>
<para>The &a.pf; is a good place to ask questions about
configuring and running the <application>PF</application>
firewall. Do not forget to check the mailing list archives
before asking questions.</para>
<para>To control <application>PF</application>, use
&man.pfctl.8;. Below are some useful options to this command.
Review &man.pfctl.8; for a description of all available
options:</para>
<informaltable frame="none" pgwide="1">
<tgroup cols="2">
<thead>
<row>
<entry>Command</entry>
<entry>Purpose</entry>
</row>
</thead>
<tbody>
<row>
<entry><command>pfctl
-e</command></entry>
<entry>Enable PF.</entry>
</row>
<row>
<entry><command>pfctl
-d</command></entry>
<entry>Disable PF.</entry>
</row>
<row>
<entry><command>pfctl -F all
-f /etc/pf.conf</command></entry>
<entry>Flush all NAT, filter, state, and table
rules and reload
<filename>/etc/pf.conf</filename>.</entry>
</row>
<row>
<entry><command>pfctl -s [ rules | nat
state ]</command></entry>
<entry>Report on the filter rules, NAT rules, or state
table.</entry>
</row>
<row>
<entry><command>pfctl -vnf
/etc/pf.conf</command></entry>
<entry>Check <filename>/etc/pf.conf</filename> for
errors, but do not load ruleset.</entry>
</row>
</tbody>
</tgroup>
</informaltable>
</sect2>
<sect2 xml:id="pf-tutorial">
<info>
<title><application>PF</application> Rule Sets and
Tools</title>
<title><application>PF</application> Rulesets</title>
<authorgroup>
<author>
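Review bot: the material removed here (sample-file paragraph, version warning, mailing-list pointer and pfctl table) is what the earlier hunk added to the Enabling PF section, so no content is lost and the old version's broken sentence ("is using the same version of PF OpenBSD 4.1", missing "as") goes with it. Two things to check, though: that `<sect2>` carried no xml:id, so no xref can break, but its `<informaltable>` is replaced by a `<table xml:id="pfctl">` and an `<xref linkend="pfctl"/>` in the other hunk, which means the two hunks must land together for the file to validate; and the Enabling PF `<sect2>` title now undersells a section that also holds the pfctl reference and the ruleset-file overview, so either broaden that title or keep a separate `<sect2>` for the pfctl material rather than folding it under "Enabling".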
@ -534,21 +538,8 @@ options ALTQ_PRIQ # Priority Queuing (PRIQ)</programlisting>
</authorgroup>
</info>
<para>This section demonstrates some useful
<application>PF</application> features and
<application>PF</application> related tools in a series of
examples. A more thorough tutorial is available at <link
xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>.</para>
<tip>
<para><package>security/sudo</package> is useful for running
commands like <command>pfctl</command> that require elevated
privileges. It can be installed from the Ports
Collection.</para>
</tip>
<sect3 xml:id="pftut-simplest">
<title>The Simplest Rule Set Ever</title>
<para>This section demonstrates how to create a customized
ruleset, using several examples.</para>
<para>The simplest possible setup is for a single machine
which will not run any services, and which will talk to one
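Review bot: the line counts in the hunk header (21 lines to 8) show that this hunk drops `<sect3 xml:id="pftut-simplest">` and its title along with the old introductory paragraph and sudo tip, while the matching `</sect3>` is removed in the next hunk. Before committing, grep the doc tree for `pftut-simplest`, since any `<xref>` or `<link>` to that id will now fail validation. The sudo tip and the nuug.no tutorial pointer removed here survive only because the first hunk re-adds them earlier in the chapter; fine, but that is another reason these hunks cannot be applied separately.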
@ -566,10 +557,6 @@ pass out all keep state</programlisting>
trusted. The rule set can be loaded with</para>
<screen>&prompt.root; <userinput>pfctl -e ; pfctl -f /etc/pf.conf</userinput></screen>
</sect3>
<sect3>
<title>Tighter and More Elegant</title>
<para>For a slightly more structured and complete setup, we
start by denying everything and then allowing only those
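Review bot: the load command `pfctl -e ; pfctl -f /etc/pf.conf` enables the filter before a ruleset is loaded. On a machine with no rules loaded yet PF passes everything in that window, and if the `-f` step then fails on a syntax error the host is left enabled with an empty, pass-all ruleset. Reverse the order and make the second step conditional, `pfctl -f /etc/pf.conf && pfctl -e`, so the filter only comes up with a ruleset in place and a load error stops the sequence. The structural change in the same hunk, removing `</sect3>` and the "Tighter and More Elegant" `<sect3>` opening, is consistent with the previous hunk dropping the simplest-ruleset sect3, but note that the pass-everything ruleset and the default-deny ruleset now run together under one heading; a lead sentence marking the switch to default deny would keep that contrast visible.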
@ -653,7 +640,6 @@ pass proto udp to any port $udp_services keep state</programlisting>
exactly the way they will be loaded. This is extremely
useful when debugging rules.</para>
</tip>
</sect3>
<sect3 xml:id="pftut-gateway">
<title>A Simple Gateway with NAT</title>
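Review bot: this hunk removes a `</sect3>` whose matching `<sect3>` was removed in the previous hunk, and the earlier hunks do the same for the simplest-ruleset section, so the open/close pairs being deleted span several hunks. Run the doc tree's XML validation on the whole file before committing rather than eyeballing each hunk; after the change `pftut-gateway` is the only `<sect3>` at this level, which DocBook allows, but an unbalanced tag anywhere in the flattened region would not show up in any single hunk.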
@ -664,10 +650,6 @@ pass proto udp to any port $udp_services keep state</programlisting>
which is running <application>PF</application> and also acts
as a gateway for at least one other machine.</para>
<sect4 xml:id="pftut-gwpitfalls">
<title>Gateways and the Pitfalls of <literal>in</literal>,
<literal>out</literal> and <literal>on</literal></title>
<para>In the single machine setup, life is relatively
simple. Traffic created on it should either pass out to
the rest of the world or not, and the administrator
@ -724,7 +706,6 @@ pass proto udp to any port $udp_services keep state</programlisting>
<para>For the remainder of this section, with some
exceptions, we will keep the rules as simple as possible
for readability.</para>
</sect4>
<sect4 xml:id="pftut-whatsthelocalnet">
<title>What is the Local Network, Anyway?</title>
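Review bot: with this `</sect4>` removed, the pitfalls prose sits directly under the gateway `<sect3>` ahead of `<sect4 xml:id="pftut-whatsthelocalnet">`, which is valid DocBook; "For the remainder of this section" now refers to the gateway section rather than the removed subsection, and that still reads correctly. Since this commit is a flow pass, consider also moving the surviving paragraph out of first person ("we will keep the rules as simple as possible" to "the rules are kept as simple as possible"), in line with the rest of the Handbook's voice.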