Add few "option", "command", and "filename" tags
Huge amount of tags in this chapter still missed
This commit is contained in:
Denis Peplin
parent
86f3046b11
commit
ac6ca5366c
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=23224
1 changed files with 14 additions and 12 deletions
|
|
@ -437,8 +437,8 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
|
||||||
|
|
||||||
<programlisting><command>ipf -Fa -f /etc/ipf.rules</command></programlisting>
|
<programlisting><command>ipf -Fa -f /etc/ipf.rules</command></programlisting>
|
||||||
|
|
||||||
<para>-Fa means flush all internal rules tables.</para>
|
<para><option>-Fa</option> means flush all internal rules tables.</para>
|
||||||
<para>-f means this is the file to read for the rules to load.</para>
|
<para><option>-f</option> means this is the file to read for the rules to load.</para>
|
||||||
|
|
||||||
<para>This gives you the ability to make changes to their custom
|
<para>This gives you the ability to make changes to their custom
|
||||||
rules file, run the above IPF command thus updating the running
|
rules file, run the above IPF command thus updating the running
|
||||||
|
|
@ -491,7 +491,8 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
|
||||||
<acronym>TCP</acronym> cksum fails(in): 0 (out): 0
|
<acronym>TCP</acronym> cksum fails(in): 0 (out): 0
|
||||||
Packet log flags set: (0)</screen>
|
Packet log flags set: (0)</screen>
|
||||||
|
|
||||||
<para>When supplied with either -i for inbound or -o for outbound,
|
<para>When supplied with either <option>-i</option> for inbound
|
||||||
|
or <option>-o</option> for outbound,
|
||||||
it will retrieve and display the appropriate list of filter
|
it will retrieve and display the appropriate list of filter
|
||||||
rules currently installed and in use by the kernel.</para>
|
rules currently installed and in use by the kernel.</para>
|
||||||
|
|
||||||
|
|
@ -521,8 +522,9 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
|
||||||
354727 block out on dc0 from any to any
|
354727 block out on dc0 from any to any
|
||||||
430918 pass out quick on dc0 proto tcp/udp from any to any keep state</screen>
|
430918 pass out quick on dc0 proto tcp/udp from any to any keep state</screen>
|
||||||
|
|
||||||
<para>One of the most important functions of the ipfstat command
|
<para>One of the most important functions of the
|
||||||
is the -t flag which activates the display state table in a way
|
<command>ipfstat</command> command is the <option>-t</option>
|
||||||
|
flag which activates the display state table in a way
|
||||||
similar to the way &man.top.1; shows the &os; running process
|
similar to the way &man.top.1; shows the &os; running process
|
||||||
table. When your firewall is under attack this function gives
|
table. When your firewall is under attack this function gives
|
||||||
you the ability to identify, drill down to, and see the
|
you the ability to identify, drill down to, and see the
|
||||||
|
|
@ -539,7 +541,7 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
|
||||||
kernel option IPFILTER_LOG must be turned on. This command has
|
kernel option IPFILTER_LOG must be turned on. This command has
|
||||||
2 different modes it can be used in. Native mode is the default
|
2 different modes it can be used in. Native mode is the default
|
||||||
mode when you type the command on the command line without the
|
mode when you type the command on the command line without the
|
||||||
-D flag.</para>
|
<option>-D</option> flag.</para>
|
||||||
|
|
||||||
<para>Daemon mode is for when you want to have a continuous
|
<para>Daemon mode is for when you want to have a continuous
|
||||||
system log file available so you can review logging of past
|
system log file available so you can review logging of past
|
||||||
|
|
@ -548,7 +550,7 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
|
||||||
rotate syslogs. That is why outputting the log information to
|
rotate syslogs. That is why outputting the log information to
|
||||||
syslogd is better than the default of outputting to a regular
|
syslogd is better than the default of outputting to a regular
|
||||||
file. In <filename>rc.conf</filename> file you see the
|
file. In <filename>rc.conf</filename> file you see the
|
||||||
ipmon_flags statement uses the "-Ds" flags</para>
|
ipmon_flags statement uses the <option>-Ds</option> flags</para>
|
||||||
|
|
||||||
<programlisting>ipmon_flags="-Ds" # D = start as daemon
|
<programlisting>ipmon_flags="-Ds" # D = start as daemon
|
||||||
# s = log to syslog
|
# s = log to syslog
|
||||||
|
|
@ -578,7 +580,7 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
|
||||||
|
|
||||||
<para>Syslogd uses its own special method for segregation of log
|
<para>Syslogd uses its own special method for segregation of log
|
||||||
data. It uses special grouping called <quote>facility</quote>
|
data. It uses special grouping called <quote>facility</quote>
|
||||||
and <quote>level.</quote> IPMON in -Ds mode uses Local0 as the
|
and <quote>level.</quote> IPMON in <option>-Ds</option> mode uses Local0 as the
|
||||||
<quote>facility</quote> name. All IPMON logged data goes to
|
<quote>facility</quote> name. All IPMON logged data goes to
|
||||||
Local0. The following levels can be used to further segregate
|
Local0. The following levels can be used to further segregate
|
||||||
the logged data if desired.</para>
|
the logged data if desired.</para>
|
||||||
|
|
@ -624,7 +626,7 @@ LOG_ERR - packets which have been logged and which can be considered short</scre
|
||||||
<sect2>
|
<sect2>
|
||||||
<title>The Format of Logged Messages</title>
|
<title>The Format of Logged Messages</title>
|
||||||
|
|
||||||
<para>Messages generated by ipmon consist of data fields
|
<para>Messages generated by <command>ipmon</command> consist of data fields
|
||||||
separated by white space. Fields common to all messages are:
|
separated by white space. Fields common to all messages are:
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
|
|
@ -650,7 +652,7 @@ LOG_ERR - packets which have been logged and which can be considered short</scre
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
<para>These can be viewed with ipfstat -in.<para>
|
<para>These can be viewed with <command>ipfstat -in</command>.<para>
|
||||||
|
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
|
|
@ -749,7 +751,7 @@ EOF
|
||||||
|
|
||||||
<para>That is all there is to it. The rules are not important in
|
<para>That is all there is to it. The rules are not important in
|
||||||
this example, how the Symbolic substitution field are populated
|
this example, how the Symbolic substitution field are populated
|
||||||
and used are. If the above example was in /etc/ipf.rules.script
|
and used are. If the above example was in <filename>/etc/ipf.rules.script</filename>
|
||||||
file, you could reload these rules by entering this on the command
|
file, you could reload these rules by entering this on the command
|
||||||
line:</para>
|
line:</para>
|
||||||
|
|
||||||
|
|
@ -1457,7 +1459,7 @@ block in log first quick on dc0 all
|
||||||
<para>When changing the <acronym>NAT</acronym> rules after
|
<para>When changing the <acronym>NAT</acronym> rules after
|
||||||
<acronym>NAT</acronym> has been started, Make your changes to
|
<acronym>NAT</acronym> has been started, Make your changes to
|
||||||
the file containing the nat rules, then run ipnat command with
|
the file containing the nat rules, then run ipnat command with
|
||||||
the -CF flags to delete the internal in use
|
the <option>-CF</option> flags to delete the internal in use
|
||||||
<acronym>NAT</acronym> rules and flush the contents of the
|
<acronym>NAT</acronym> rules and flush the contents of the
|
||||||
translation table of all active entries.</para>
|
translation table of all active entries.</para>
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue