Continue to shuffle and improve flow of this chapter.

Many more commits to come.

Sponsored by: iXsystems
Dru Lavigne 2014-02-14 18:45:03 +00:00
parent 019f21a9de
commit 83f00e6da3
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=43926


@ -218,17 +218,39 @@
<application>ALTQ</application> (Alternate Queuing), which <application>ALTQ</application> (Alternate Queuing), which
provides Quality of Service (<acronym>QoS</acronym>).</para> provides Quality of Service (<acronym>QoS</acronym>).</para>
<para>Since the OpenBSD Project maintains the definitive <para>The OpenBSD Project maintains the definitive
reference for <application>PF</application> in the <link reference for <application>PF</application> in the <link
xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>, xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>.
this section of the Handbook focuses on Peter Hansteen maintains a thorough <application>PF</application> tutorial at <link
<application>PF</application> as it pertains to &os;, while xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>.</para>
providing some general usage information.</para>
<warning>
<para>When reading the <link
xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>,
keep in mind that different versions of &os; contain
different versions of <application>PF</application>.
&os;&nbsp;8.<replaceable>X</replaceable> uses the same
version of <application>PF</application> as
OpenBSD&nbsp;4.1 and &os;&nbsp;9.<replaceable>X</replaceable>
and later uses the same version of
<application>PF</application> as OpenBSD&nbsp;4.5.</para>
</warning>
<para>The &a.pf; is a good place to ask questions about
configuring and running the <application>PF</application>
firewall. Check the mailing list archives
before asking a question as it may have already been answered.</para>
<para>More information about porting <application>PF</application> <para>More information about porting <application>PF</application>
to &os; can be found at <uri to &os; can be found at <uri
xlink:href="http://pf4freebsd.love2party.net/">http://pf4freebsd.love2party.net/</uri>.</para> xlink:href="http://pf4freebsd.love2party.net/">http://pf4freebsd.love2party.net/</uri>.</para>
<para>This section of the Handbook focuses on
<application>PF</application> as it pertains to &os;. It
demonstrates how to enable <application>PF</application> and
<application>ALTQ</application>. It then provides several
examples for creating rulesets on a &os; system.</para>
<sect2> <sect2>
<title>Enabling <application>PF</application></title> <title>Enabling <application>PF</application></title>
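Review bot: the new warning's first sentence chains two clauses with "and" (`... as OpenBSD&nbsp;4.1 and &os;&nbsp;9.<replaceable>X</replaceable> and later uses ...`), so it can be read as "the same version as OpenBSD 4.1 and FreeBSD 9.X". Split it into two sentences the way the warning being removed from "Creating Filtering Rules" did: `... as OpenBSD&nbsp;4.1. &os;&nbsp;9.<replaceable>X</replaceable> and later uses the same version ...`. Also, the untouched paragraph on porting PF to FreeBSD now sits between the mailing-list paragraph and the new scope paragraph ("This section of the Handbook focuses on ..."); placing the scope paragraph directly after the PF FAQ and tutorial references would read more naturally.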
@ -260,12 +282,6 @@
<programlisting>pf_rules="<replaceable>/path/to/pf.conf</replaceable>"</programlisting> <programlisting>pf_rules="<replaceable>/path/to/pf.conf</replaceable>"</programlisting>
<para>The sample <filename>pf.conf</filename>
can be found in
<filename>/usr/share/examples/pf/</filename>. The rest of
this chapter demonstrates how to create a custom
ruleset.</para>
<para>Logging support for <application>PF</application> is <para>Logging support for <application>PF</application> is
provided by &man.pflog.4;. To enable logging support, add provided by &man.pflog.4;. To enable logging support, add
this line to <filename>/etc/rc.conf</filename>:</para> this line to <filename>/etc/rc.conf</filename>:</para>
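Review bot: the added sentence "The rest of this chapter demonstrates how to create a custom ruleset" refers to a chapter, but this text lives in the PF sect2 of the firewalls chapter and the new scope paragraph in the first hunk already says the section "provides several examples for creating rulesets"; write "this section". The pointer to `/usr/share/examples/pf/` is also introduced a second time a few lines later in the moved "By default, PF reads its configuration rules ..." paragraph, so keep only one of the two.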
@ -344,6 +360,78 @@ device pfsync</programlisting>
<quote>state changes</quote>.</para> <quote>state changes</quote>.</para>
</note> </note>
--> -->
<para>By default, <application>PF</application> reads its
configuration rules from <filename>/etc/pf.conf</filename> and
modifies, drops, or passes packets according to the rules or
definitions specified in this file. The &os; installation
includes several sample files located in
<filename>/usr/share/examples/pf/</filename>. Refer to the
<link xlink:href="http://www.openbsd.org/faq/pf/">PF
FAQ</link> for complete coverage of
<application>PF</application> rulesets.</para>
<para>To control <application>PF</application>, use
<command>pfctl</command>. <xref
linkend="pfctl"/> summarizes some useful options to this command.
Refer to &man.pfctl.8; for a description of all available
options:</para>
<table xml:id="pfctl" frame="none" pgwide="1">
<title>Useful <command>pfctl</command> Options</title>
<tgroup cols="2">
<thead>
<row>
<entry>Command</entry>
<entry>Purpose</entry>
</row>
</thead>
<tbody>
<row>
<entry><command>pfctl
-e</command></entry>
<entry>Enable <application>PF</application>.</entry>
</row>
<row>
<entry><command>pfctl
-d</command></entry>
<entry>Disable <application>PF</application>.</entry>
</row>
<row>
<entry><command>pfctl -F all
-f /etc/pf.conf</command></entry>
<entry>Flush all <acronym>NAT</acronym>, filter, state, and table
rules and reload
<filename>/etc/pf.conf</filename>.</entry>
</row>
<row>
<entry><command>pfctl -s [ rules | nat
state ]</command></entry>
<entry>Report on the filter rules, <acronym>NAT</acronym> rules, or state
table.</entry>
</row>
<row>
<entry><command>pfctl -vnf
/etc/pf.conf</command></entry>
<entry>Check <filename>/etc/pf.conf</filename> for
errors, but do not load ruleset.</entry>
</row>
</tbody>
</tgroup>
</table>
<tip>
<para><package>security/sudo</package> is useful for running
commands like <command>pfctl</command> that require elevated
privileges. It can be installed from the Ports
Collection.</para>
</tip>
</sect2> </sect2>
<sect2> <sect2>
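Review bot: the `pfctl -s [ rules | nat state ]` entry is missing the separator between `nat` and `state`; the Purpose column lists three alternatives ("filter rules, NAT rules, or state table"), so it should read `pfctl -s [ rules | nat | state ]`. The typo is carried over from the informaltable being removed further down, and this move is the natural place to fix it. Minor: the introducing paragraph now ends with `options:</para>` while the table is referenced through `<xref linkend="pfctl"/>`; a full stop reads better than a colon there.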
@ -434,93 +522,9 @@ options ALTQ_PRIQ # Priority Queuing (PRIQ)</programlisting>
xlink:href="http://www.openbsd.org/faq/pf/queueing.html">http://www.openbsd.org/faq/pf/queueing.html</uri>.</para> xlink:href="http://www.openbsd.org/faq/pf/queueing.html">http://www.openbsd.org/faq/pf/queueing.html</uri>.</para>
</sect2> </sect2>
<sect2>
<title>Creating Filtering Rules</title>
<para>By default, <application>PF</application> reads its
configuration rules from <filename>/etc/pf.conf</filename> and
modifies, drops, or passes packets according to the rules or
definitions specified in this file. The &os; installation
includes several sample files located in
<filename>/usr/share/examples/pf/</filename>. Refer to the
<link xlink:href="http://www.openbsd.org/faq/pf/">PF
FAQ</link> for complete coverage of
<application>PF</application> rulesets.</para>
<warning>
<para>When reading the <link
xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>,
keep in mind that different versions of &os; contain
different versions of PF. Currently,
&os;&nbsp;8.<replaceable>X</replaceable> is using the same
version of <application>PF</application>
OpenBSD&nbsp;4.1. &os;&nbsp;9.<replaceable>X</replaceable>
and later is using the same version of
<application>PF</application> as OpenBSD&nbsp;4.5.</para>
</warning>
<para>The &a.pf; is a good place to ask questions about
configuring and running the <application>PF</application>
firewall. Do not forget to check the mailing list archives
before asking questions.</para>
<para>To control <application>PF</application>, use
&man.pfctl.8;. Below are some useful options to this command.
Review &man.pfctl.8; for a description of all available
options:</para>
<informaltable frame="none" pgwide="1">
<tgroup cols="2">
<thead>
<row>
<entry>Command</entry>
<entry>Purpose</entry>
</row>
</thead>
<tbody>
<row>
<entry><command>pfctl
-e</command></entry>
<entry>Enable PF.</entry>
</row>
<row>
<entry><command>pfctl
-d</command></entry>
<entry>Disable PF.</entry>
</row>
<row>
<entry><command>pfctl -F all
-f /etc/pf.conf</command></entry>
<entry>Flush all NAT, filter, state, and table
rules and reload
<filename>/etc/pf.conf</filename>.</entry>
</row>
<row>
<entry><command>pfctl -s [ rules | nat
state ]</command></entry>
<entry>Report on the filter rules, NAT rules, or state
table.</entry>
</row>
<row>
<entry><command>pfctl -vnf
/etc/pf.conf</command></entry>
<entry>Check <filename>/etc/pf.conf</filename> for
errors, but do not load ruleset.</entry>
</row>
</tbody>
</tgroup>
</informaltable>
</sect2>
<sect2 xml:id="pf-tutorial"> <sect2 xml:id="pf-tutorial">
<info> <info>
<title><application>PF</application> Rule Sets and <title><application>PF</application> Rulesets</title>
Tools</title>
<authorgroup> <authorgroup>
<author> <author>
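Review bot: this is a move rather than a deletion, and everything dropped here (the version warning, the mailing-list paragraph, the default-configuration paragraph and the pfctl table) reappears under "Enabling PF" earlier in the patch, so no content is lost; what does go away is the "Creating Filtering Rules" heading, so the pfctl reference and ruleset discussion now sit under a sect2 titled "Enabling PF". Consider whether that is where a reader will look for them, or retitle that sect2. The new title "PF Rulesets" also settles on the one-word spelling while untouched tutorial text still says "rule set" ("The rule set can be loaded with"); pick one form for the section.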
@ -534,21 +538,8 @@ options ALTQ_PRIQ # Priority Queuing (PRIQ)</programlisting>
</authorgroup> </authorgroup>
</info> </info>
<para>This section demonstrates some useful <para>This section demonstrates how to create a customized
<application>PF</application> features and ruleset, using several examples.</para>
<application>PF</application> related tools in a series of
examples. A more thorough tutorial is available at <link
xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>.</para>
<tip>
<para><package>security/sudo</package> is useful for running
commands like <command>pfctl</command> that require elevated
privileges. It can be installed from the Ports
Collection.</para>
</tip>
<sect3 xml:id="pftut-simplest">
<title>The Simplest Rule Set Ever</title>
<para>The simplest possible setup is for a single machine <para>The simplest possible setup is for a single machine
which will not run any services, and which will talk to one which will not run any services, and which will talk to one
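Review bot: dropping `<sect3 xml:id="pftut-simplest">` removes an anchor, so any `<xref linkend="pftut-simplest"/>` or `<link linkend="pftut-simplest">` elsewhere in the Handbook will fail to build; grep the doc tree for that id before merging (the same applies to `pftut-gwpitfalls`, removed later in this patch). The matching `</sect3>` goes in the next hunk, so the markup stays balanced. With "The Simplest Rule Set Ever" gone, the new intro sentence "This section demonstrates how to create a customized ruleset, using several examples" is the only signpost that a sequence of examples follows; a short lead-in such as "The first example is a single machine that runs no services" would help the reader.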
@ -566,10 +557,6 @@ pass out all keep state</programlisting>
trusted. The rule set can be loaded with</para> trusted. The rule set can be loaded with</para>
<screen>&prompt.root; <userinput>pfctl -e ; pfctl -f /etc/pf.conf</userinput></screen> <screen>&prompt.root; <userinput>pfctl -e ; pfctl -f /etc/pf.conf</userinput></screen>
</sect3>
<sect3>
<title>Tighter and More Elegant</title>
<para>For a slightly more structured and complete setup, we <para>For a slightly more structured and complete setup, we
start by denying everything and then allowing only those start by denying everything and then allowing only those
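Review bot: with `</sect3>` and the "Tighter and More Elegant" heading removed, the first example's load command `pfctl -e ; pfctl -f /etc/pf.conf` is immediately followed by "For a slightly more structured and complete setup, we start by denying everything", which works structurally (the `<sect3>` opened in the previous hunk is closed here) but loses the visual break between the two rulesets. Since the table added under "Enabling PF" in this same patch documents `pfctl -vnf /etc/pf.conf` for checking a ruleset without loading it, this is a good place to mention running that check before the live load.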
@ -653,7 +640,6 @@ pass proto udp to any port $udp_services keep state</programlisting>
exactly the way they will be loaded. This is extremely exactly the way they will be loaded. This is extremely
useful when debugging rules.</para> useful when debugging rules.</para>
</tip> </tip>
</sect3>
<sect3 xml:id="pftut-gateway"> <sect3 xml:id="pftut-gateway">
<title>A Simple Gateway with NAT</title> <title>A Simple Gateway with NAT</title>
@ -664,10 +650,6 @@ pass proto udp to any port $udp_services keep state</programlisting>
which is running <application>PF</application> and also acts which is running <application>PF</application> and also acts
as a gateway for at least one other machine.</para> as a gateway for at least one other machine.</para>
<sect4 xml:id="pftut-gwpitfalls">
<title>Gateways and the Pitfalls of <literal>in</literal>,
<literal>out</literal> and <literal>on</literal></title>
<para>In the single machine setup, life is relatively <para>In the single machine setup, life is relatively
simple. Traffic created on it should either pass out to simple. Traffic created on it should either pass out to
the rest of the world or not, and the administrator the rest of the world or not, and the administrator
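Review bot: removing `<sect4 xml:id="pftut-gwpitfalls">` and its title "Gateways and the Pitfalls of in, out and on" drops both an anchor that other documents may reference via linkend and the signpost telling the reader that the following paragraphs discuss the `in`, `out` and `on` keywords specifically; the closing `</sect4>` is removed in the next hunk so the structure remains balanced, but consider keeping the id on the enclosing `pftut-gateway` sect3 or folding the keyword names into the first sentence so the topic is still announced.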
@ -724,7 +706,6 @@ pass proto udp to any port $udp_services keep state</programlisting>
<para>For the remainder of this section, with some <para>For the remainder of this section, with some
exceptions, we will keep the rules as simple as possible exceptions, we will keep the rules as simple as possible
for readability.</para> for readability.</para>
</sect4>
<sect4 xml:id="pftut-whatsthelocalnet"> <sect4 xml:id="pftut-whatsthelocalnet">
<title>What is the Local Network, Anyway?</title> <title>What is the Local Network, Anyway?</title>