Minor content fix which addresses incorrect usage of it's, Let's, and
most redundant word errors. Approved by: bcr (mentor)
This commit is contained in:
parent
9cf01fa948
commit
bbdfbf0789
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=40732
1 changed files with 30 additions and 33 deletions
|
@ -720,7 +720,7 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
|
|||
as a result of applying the user coded rules against packets
|
||||
going in and out of the firewall since it was last started,
|
||||
or since the last time the accumulators were reset to zero
|
||||
by the <command>ipf -Z</command> command.</para>
|
||||
using <command>ipf -Z</command>.</para>
|
||||
|
||||
<para>See the &man.ipfstat.8; manual page for details.</para>
|
||||
|
||||
|
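Review bot: "reset to zero using <command>ipf -Z</command>" reads well and drops the redundant "command"; while touching this paragraph, the unchanged context line "the user coded rules" should be hyphenated as "user-coded rules", since it is a compound modifier.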
@ -776,8 +776,8 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
|
|||
354727 block out on dc0 from any to any
|
||||
430918 pass out quick on dc0 proto tcp/udp from any to any keep state</screen>
|
||||
|
||||
<para>One of the most important functions of the
|
||||
<command>ipfstat</command> command is the <option>-t</option>
|
||||
<para>One of the most important functions of
|
||||
<command>ipfstat</command> is the <option>-t</option>
|
||||
flag which displays the state table in a way similar to the
|
||||
way &man.top.1; shows the &os; running process table. When
|
||||
your firewall is under attack, this function gives you the
|
||||
|
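Review bot: the same redundancy this commit removes ("the ipfstat command") survives two lines below in "displays the state table in a way similar to the way &man.top.1; shows"; suggest "displays the state table much as &man.top.1; shows the &os; process table". The clause "flag which displays" is non-restrictive and wants a comma: "flag, which displays".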
@ -813,7 +813,7 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
|
|||
automatically rotate system logs. That is why outputting the
|
||||
log information to &man.syslogd.8; is better than the default
|
||||
of outputting to a regular file. In the default
|
||||
<filename>rc.conf</filename> file, the
|
||||
<filename>rc.conf</filename>, the
|
||||
<literal>ipmon_flags</literal> statement uses the
|
||||
<option>-Ds</option> flags:</para>
|
||||
|
||||
|
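Review bot: "In the default <filename>rc.conf</filename>, the" is now ambiguous about whether it means the system defaults file or a freshly installed /etc/rc.conf; if the defaults file is meant, give its full path in the <filename> element so readers know where the shipped <literal>ipmon_flags="-Ds"</literal> setting lives. The context sentence "outputting the log information ... is better than the default of outputting to a regular file" also repeats "outputting"; "better than the default of writing to a regular file" avoids it.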
@ -866,8 +866,8 @@ LOG_ERR - packets which have been logged and which can be considered short</scre
|
|||
<screen>&prompt.root; <userinput>touch /var/log/ipfilter.log</userinput></screen>
|
||||
|
||||
<para>The &man.syslogd.8; function is controlled by definition
|
||||
statements in the <filename>/etc/syslog.conf</filename> file.
|
||||
The <filename>syslog.conf</filename> file offers considerable
|
||||
statements in <filename>/etc/syslog.conf</filename>.
|
||||
This file offers considerable
|
||||
flexibility in how <application>syslog</application> will
|
||||
deal with system messages issued by software applications
|
||||
like IPF.</para>
|
||||
|
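Review bot: the unchanged lead-in "The &man.syslogd.8; function is controlled by definition statements" misnames syslogd, which is a daemon, not a function; suggest "The &man.syslogd.8; daemon is configured by entries in <filename>/etc/syslog.conf</filename>." The replacement of "The <filename>syslog.conf</filename> file" with "This file" is correct and keeps the antecedent clear.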
@ -915,7 +915,7 @@ LOG_ERR - packets which have been logged and which can be considered short</scre
|
|||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The group and rule number of the rule, e.g.
|
||||
<para>The group and rule number of the rule, e.g.,
|
||||
<literal>@0:17</literal>.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
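Review bot: adding the comma after "e.g." is fine, but the same file still has "(i.e.: under attack)" with a colon in the <literal>log first</literal> paragraph later in this diff; the two abbreviations should follow one convention ("e.g.," and "i.e.,") across the chapter.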
@ -1053,7 +1053,7 @@ EOF
|
|||
<listitem>
|
||||
<para>Disable IPFILTER in system startup scripts by adding
|
||||
<literal>ipfilter_enable="NO"</literal> (this is default
|
||||
value) into <filename>/etc/rc.conf</filename> file.</para>
|
||||
value) to <filename>/etc/rc.conf</filename>.</para>
|
||||
|
||||
<para>Add a script like the following to your
|
||||
<filename
|
||||
|
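Review bot: the parenthetical on the unchanged line is missing its article: "(this is default value)" should read "(this is the default value)". Since <literal>ipfilter_enable="NO"</literal> is the default, "adding" it is strictly redundant; "by ensuring <literal>ipfilter_enable="NO"</literal> (the default) is set in <filename>/etc/rc.conf</filename>" describes what the reader actually needs to check.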
@ -1541,8 +1541,8 @@ sh /etc/ipf.rules.script</programlisting>
|
|||
operating system of your server.</para>
|
||||
|
||||
<para>Any time there are logged messages on a rule with
|
||||
the <literal>log first</literal> option, an
|
||||
<command>ipfstat -hio</command> command should be executed
|
||||
the <literal>log first</literal> option,
|
||||
<command>ipfstat -hio</command> should be executed
|
||||
to evaluate how many times the rule has actually matched.
|
||||
Large number of matches usually indicate that the system is
|
||||
being flooded (i.e.: under attack).</para>
|
||||
|
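Review bot: the closing sentence has a number-agreement error that this cleanup pass should also take: "Large number of matches usually indicate" should be "A large number of matches usually indicates", and "(i.e.: under attack)" should be "(i.e., under attack)". Dropping "command" after <command>ipfstat -hio</command> is correct; the point of the paragraph, that a high hit count on a <literal>log first</literal> rule is the signal that the rule is being hammered, is unchanged.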
@ -1710,7 +1710,7 @@ block in log first quick on dc0 proto tcp/udp from any to any port = 139
|
|||
block in log first quick on dc0 proto tcp/udp from any to any port = 81
|
||||
|
||||
# Allow traffic in from ISP's DHCP server. This rule must contain
|
||||
# the IP address of your ISP's DHCP server as it's the only
|
||||
# the IP address of your ISP's DHCP server as it is the only
|
||||
# authorized source to send this packet type. Only necessary for
|
||||
# cable or DSL configurations. This rule is not needed for
|
||||
# 'user ppp' type connection to the public Internet.
|
||||
|
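Review bot: expanding "it's" to "it is" inside the rule comment is correct; note the identical comment block appears again in the ipfw example later in this diff, and this commit changes both copies, so they stay in sync. The last comment line, "for 'user ppp' type connection", is missing an article or plural: "for a 'user ppp' type connection" or "for 'user ppp' type connections".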
@ -1772,7 +1772,7 @@ block in log first quick on dc0 all
|
|||
dynamic IP address is used to identify your system to the
|
||||
public Internet.</para>
|
||||
|
||||
<para>Now lets say you have five PCs at home and each one needs
|
||||
<para>Say you have five PCs at home and each one needs
|
||||
Internet access. You would have to pay your ISP for an
|
||||
individual Internet account for each PC and have five phone
|
||||
lines.</para>
|
||||
|
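Review bot: "Say you have five PCs" fixes the missing apostrophe in "lets" by removing the phrase, but in handbook register "Suppose you have five PCs" reads more naturally; whichever form is chosen should be used for the other "Lets say" occurrences changed in this diff as well.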
@ -1847,16 +1847,16 @@ block in log first quick on dc0 all
|
|||
|
||||
<indexterm><primary><command>ipnat</command></primary></indexterm>
|
||||
|
||||
<para><acronym>NAT</acronym> rules are loaded by using the
|
||||
<command>ipnat</command> command. Typically the
|
||||
<para><acronym>NAT</acronym> rules are loaded by using
|
||||
<command>ipnat</command>. Typically the
|
||||
<acronym>NAT</acronym> rules are stored in
|
||||
<filename>/etc/ipnat.rules</filename>. See &man.ipnat.8; for
|
||||
details.</para>
|
||||
|
||||
<para>When changing the <acronym>NAT</acronym> rules after
|
||||
<acronym>NAT</acronym> has been started, make your changes to
|
||||
the file containing the NAT rules, then run the
|
||||
<command>ipnat</command> command with the <option>-CF</option>
|
||||
the file containing the NAT rules, then run
|
||||
<command>ipnat</command> with the <option>-CF</option>
|
||||
flags to delete the internal in use <acronym>NAT</acronym>
|
||||
rules and flush the contents of the translation table of all
|
||||
active entries.</para>
|
||||
|
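Review bot: markup is inconsistent within this hunk: "the file containing the NAT rules" on the unchanged context lines uses a bare "NAT" while every other occurrence in the paragraph is wrapped in <acronym>NAT</acronym>; wrap the two bare ones. The final clause "delete the internal in use <acronym>NAT</acronym> rules and flush the contents of the translation table of all active entries" is hard to parse; suggest "delete the <acronym>NAT</acronym> rules currently in use and flush all active entries from the translation table".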
@ -2304,8 +2304,8 @@ net.inet.ip.fw.verbose_limit=5</programlisting>
|
|||
<programlisting>firewall_enable="YES"</programlisting>
|
||||
|
||||
<para>To select one of the default firewall types provided by
|
||||
&os;, select one by reading the
|
||||
<filename>/etc/rc.firewall</filename> file and place it in
|
||||
&os;, select one by reading
|
||||
<filename>/etc/rc.firewall</filename> and place it in
|
||||
the following:</para>
|
||||
|
||||
<programlisting>firewall_type="open"</programlisting>
|
||||
|
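Review bot: removing "the ... file" around <filename>/etc/rc.firewall</filename> is fine, but the sentence still says "To select one of the default firewall types ..., select one" and ends with "place it in the following:", which does not say where "the following" goes; suggest "To use one of the default firewall types provided by &os;, choose one from <filename>/etc/rc.firewall</filename> and set it in <filename>rc.conf</filename> as follows:".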
@ -2388,8 +2388,7 @@ ipfw add deny out</programlisting>
|
|||
linkend="firewalls-ipfw-enable"/>). There is no
|
||||
<filename>rc.conf</filename> variable to set log
|
||||
limitations, but it can be set via sysctl variable, manually
|
||||
or from the <filename>/etc/sysctl.conf</filename>
|
||||
file:</para>
|
||||
or from <filename>/etc/sysctl.conf</filename>:</para>
|
||||
|
||||
<programlisting>net.inet.ip.fw.verbose_limit=5</programlisting>
|
||||
</warning>
|
||||
|
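Review bot: the context line "but it can be set via sysctl variable, manually" needs an article ("via a sysctl variable") and the comma after it reads as a splice; suggest "but it can be set via a sysctl variable, either manually or from <filename>/etc/sysctl.conf</filename>:". "log limitations" would be clearer as "the logging limit", matching the <literal>verbose_limit</literal> name shown below it.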
@ -2610,8 +2609,7 @@ ipfw add deny out</programlisting>
|
|||
cases, a value of zero removes the logging limit. Once
|
||||
the limit is reached, logging can be re-enabled by
|
||||
clearing the logging counter or the packet counter for
|
||||
that rule, see the <command>ipfw reset log</command>
|
||||
command.</para>
|
||||
that rule, use <command>ipfw reset log</command>.</para>
|
||||
|
||||
<note>
|
||||
<para>Logging is done after
|
||||
|
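Review bot: the new wording "logging can be re-enabled by clearing the logging counter or the packet counter for that rule, use <command>ipfw reset log</command>" joins two independent clauses with a comma; suggest "for that rule with <command>ipfw reset log</command>" or "for that rule; use <command>ipfw reset log</command>".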
@ -2779,7 +2777,7 @@ ipfw add deny out</programlisting>
|
|||
down attackers.</para>
|
||||
|
||||
<para>Even with the logging facility enabled, IPFW will not
|
||||
generate any rule logging on it's own. The firewall
|
||||
generate any rule logging on its own. The firewall
|
||||
administrator decides what rules in the ruleset will be
|
||||
logged, and adds the <literal>log</literal> verb to those
|
||||
rules. Normally only deny rules are logged, like the deny
|
||||
|
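Review bot: "its own" is the right fix. On the next context line, "decides what rules in the ruleset will be logged" should be "decides which rules", since the administrator is choosing from a known set; "only deny rules are logged" is the sensible default the text recommends and is unchanged.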
@ -2816,9 +2814,8 @@ ipfw add deny out</programlisting>
|
|||
<programlisting>last message repeated 45 times</programlisting>
|
||||
|
||||
<para>All logged packets messages are written by default to
|
||||
<filename>/var/log/security</filename> file, which is
|
||||
defined in the <filename>/etc/syslog.conf</filename>
|
||||
file.</para>
|
||||
<filename>/var/log/security</filename>, which is
|
||||
defined in <filename>/etc/syslog.conf</filename>.</para>
|
||||
</sect3>
|
||||
|
||||
<sect3 id="firewalls-ipfw-rules-script">
|
||||
|
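Review bot: the unchanged first line of this paragraph has a noun-adjunct error that belongs in this cleanup: "All logged packets messages" should be "All logged packet messages". Dropping "file" after both <filename> elements is correct.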
@ -2864,8 +2861,8 @@ ks="keep-state" # just too lazy to key this each time
|
|||
in this example, how the symbolic substitution field are
|
||||
populated and used are.</para>
|
||||
|
||||
<para>If the above example was in the
|
||||
<filename>/etc/ipfw.rules</filename> file, the rules could
|
||||
<para>If the above example was in
|
||||
<filename>/etc/ipfw.rules</filename>, the rules could
|
||||
be reloaded by entering the following on the command
|
||||
line.</para>
|
||||
|
||||
|
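Review bot: "If the above example was in" is a hypothetical and takes the subjunctive: "If the above example were in <filename>/etc/ipfw.rules</filename>". The sentence also introduces a command but ends "on the command line." with a full stop; it should end with a colon. The preceding context lines, "how the symbolic substitution field are populated and used are.", are ungrammatical as well and deserve a follow-up fix ("how the symbolic substitution fields are populated and used").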
@ -3223,7 +3220,7 @@ natd_flags="-dynamic -m" # -m = preserve port numbers if possible</pr
|
|||
<literal>skipto rule 500</literal> for the network address
|
||||
translation.</para>
|
||||
|
||||
<para>Lets say a LAN user uses their web browser to get a web
|
||||
<para>Say a LAN user uses their web browser to get a web
|
||||
page. Web pages are transmitted over port 80. So the
|
||||
packet enters the firewall. It does not match rule 100
|
||||
because it is headed out rather than in. It passes rule
|
||||
|
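Review bot: "Say a LAN user uses their web browser" repeats the sound of "Say ... uses"; "Suppose a LAN user opens a web page in their browser" avoids it and matches the register suggested for the other "Lets say" replacements in this diff. "Web pages are transmitted over port 80" could name the protocol: "Web pages are served over <acronym>HTTP</acronym> on port 80".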
@ -3231,7 +3228,7 @@ natd_flags="-dynamic -m" # -m = preserve port numbers if possible</pr
|
|||
posted to the keep-state dynamic table yet. The packet
|
||||
finally comes to rule 125 a matches. It is outbound through
|
||||
the NIC facing the public Internet. The packet still has
|
||||
it's source IP address as a private LAN IP address. On
|
||||
its source IP address as a private LAN IP address. On
|
||||
the match to this rule, two actions take place. The
|
||||
<literal>keep-state</literal> option will post this rule
|
||||
into the keep-state dynamic rules table and the specified
|
||||
|
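Review bot: the context line just above the change has a typo that this pass should catch: "finally comes to rule 125 a matches" should be "finally comes to rule 125 and matches". "its source IP address" is correct.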
@ -3254,14 +3251,14 @@ natd_flags="-dynamic -m" # -m = preserve port numbers if possible</pr
|
|||
entry is found, the associated action,
|
||||
<literal>skipto 500</literal>, is executed. The packet
|
||||
jumps to rule 500 gets <acronym>NAT</acronym>ed and released
|
||||
on it's way out.</para>
|
||||
on its way out.</para>
|
||||
|
||||
<para>On the inbound side, everything coming in that is part
|
||||
of an existing session conversation is being automatically
|
||||
handled by the <literal>check-state</literal> rule and the
|
||||
properly placed <literal>divert natd</literal> rules. All
|
||||
we have to address is denying all the bad packets and only
|
||||
allowing in the authorized services. Lets say there is an
|
||||
allowing in the authorized services. Say there is an
|
||||
apache server running on the firewall box and we want people
|
||||
on the public Internet to be able to access the local web
|
||||
site. The new inbound start request packet matches rule
|
||||
|
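Review bot: "The packet jumps to rule 500 gets <acronym>NAT</acronym>ed and released on its way out" runs three verbs together without punctuation; suggest "jumps to rule 500, gets <acronym>NAT</acronym>ed, and is released on its way out." In the second change, "apache server" on the following line should be marked up and capitalised as <application>Apache</application>, consistent with the rest of the handbook.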
@ -3454,7 +3451,7 @@ pif="rl0" # public interface name of NIC
|
|||
$cmd 332 deny tcp from any to any established in via $pif
|
||||
|
||||
# Allow traffic in from ISP's DHCP server. This rule must contain
|
||||
# the IP address of your ISP's DHCP server as it's the only
|
||||
# the IP address of your ISP's DHCP server as it is the only
|
||||
# authorized source to send this packet type.
|
||||
# Only necessary for cable or DSL configurations.
|
||||
# This rule is not needed for 'user ppp' type connection to
|
||||
|
|
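Review bot: this is the ipfw copy of the DHCP-server comment already changed in the ipf section, and the two copies now use identical wording, which is right. The trailing comment line "for 'user ppp' type connection to" has the same missing article as the ipf copy and should be fixed in both places together ("a 'user ppp' type connection" or "'user ppp' type connections").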