Whitespace-only cleanup, translators please ignore.

This commit is contained in:
Warren Block 2014-01-27 13:12:05 +00:00
parent 215429e011
commit be1c56d976
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=43662


@ -4,18 +4,34 @@
$FreeBSD$
-->
<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="firewalls">
<info><title>Firewalls</title>
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="firewalls">
<info>
<title>Firewalls</title>
<authorgroup>
<author><personname><firstname>Joseph J.</firstname><surname>Barbish</surname></personname><contrib>Contributed by </contrib></author>
<author>
<personname>
<firstname>Joseph J.</firstname>
<surname>Barbish</surname>
</personname>
<contrib>Contributed by </contrib>
</author>
</authorgroup>
<authorgroup>
<author><personname><firstname>Brad</firstname><surname>Davis</surname></personname><contrib>Converted to SGML and updated by </contrib></author>
<author>
<personname>
<firstname>Brad</firstname>
<surname>Davis</surname>
</personname>
<contrib>Converted to SGML and updated by </contrib>
</author>
</authorgroup>
</info>
<indexterm><primary>firewall</primary></indexterm>
<indexterm>
@ -166,19 +182,26 @@
<acronym>TCP/IP</acronym> works, what the different values in
the packet control fields are, and how these values are used in
a normal session conversation. For a good introduction, refer
to <link xlink:href="http://www.ipprimer.com/overview.cfm">Daryl's TCP/IP
Primer</link>.</para>
to
<link xlink:href="http://www.ipprimer.com/overview.cfm">Daryl's
TCP/IP Primer</link>.</para>
</sect1>
<sect1 xml:id="firewalls-pf">
<info><title>PF and <acronym>ALTQ</acronym></title>
<info>
<title>PF and <acronym>ALTQ</acronym></title>
<authorgroup>
<author><personname><firstname>John</firstname><surname>Ferrell</surname></personname><contrib>Revised and updated by </contrib></author>
<author>
<personname>
<firstname>John</firstname>
<surname>Ferrell</surname>
</personname>
<contrib>Revised and updated by </contrib>
</author>
</authorgroup>
</info>
<indexterm>
<primary>firewall</primary>
@ -193,13 +216,15 @@
Quality of Service (<acronym>QoS</acronym>).</para>
<para>Since the OpenBSD Project maintains the definitive
reference for <acronym>PF</acronym> in the <link xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>, this
section of the Handbook focuses on <acronym>PF</acronym> as it
pertains to &os;, while providing some general usage
reference for <acronym>PF</acronym> in the
<link xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>,
this section of the Handbook focuses on <acronym>PF</acronym> as
it pertains to &os;, while providing some general usage
information.</para>
<para>More information about porting <acronym>PF</acronym> to &os;
can be found at <uri xlink:href="http://pf4freebsd.love2party.net/">http://pf4freebsd.love2party.net/</uri>.</para>
can be found at <uri
xlink:href="http://pf4freebsd.love2party.net/">http://pf4freebsd.love2party.net/</uri>.</para>
<sect2>
<title>Using the PF Loadable Kernel Modules</title>
@ -208,26 +233,27 @@
loaded. Add the following line to
<filename>/etc/rc.conf</filename>:</para>
<programlisting>pf_enable="YES"</programlisting>
<programlisting>pf_enable="YES"</programlisting>
<para>Then, run the startup script to load the module:</para>
<para>Then, run the startup script to load the module:</para>
<screen>&prompt.root; <userinput>service pf start</userinput></screen>
<screen>&prompt.root; <userinput>service pf start</userinput></screen>
<para>The PF module will not load if it cannot find the
ruleset configuration file. The default location is
<filename>/etc/pf.conf</filename>. If the PF ruleset is
located somewhere else, add a line to
<filename>/etc/rc.conf</filename> which specifies the full
path to the file:</para>
<para>The PF module will not load if it cannot find the
ruleset configuration file. The default location is
<filename>/etc/pf.conf</filename>. If the PF ruleset is
located somewhere else, add a line to
<filename>/etc/rc.conf</filename> which specifies the full
path to the file:</para>
<programlisting>pf_rules="<replaceable>/path/to/pf.conf</replaceable>"</programlisting>
<programlisting>pf_rules="<replaceable>/path/to/pf.conf</replaceable>"</programlisting>
<para>The sample <filename>pf.conf</filename>
can be found in <filename>/usr/share/examples/pf/</filename>.</para>
<para>The sample <filename>pf.conf</filename>
can be found in
<filename>/usr/share/examples/pf/</filename>.</para>
<para>The <acronym>PF</acronym> module can also be loaded
manually from the command line:</para>
<para>The <acronym>PF</acronym> module can also be loaded
manually from the command line:</para>
<screen>&prompt.root; <userinput>kldload pf.ko</userinput></screen>
@ -240,7 +266,6 @@
<para>Then, run the startup script to load the module:</para>
<screen>&prompt.root; <userinput>service pflog start</userinput></screen>
</sect2>
<sect2>
@ -248,30 +273,28 @@
<indexterm>
<primary>kernel options</primary>
<secondary>device pf</secondary>
</indexterm>
<indexterm>
<primary>kernel options</primary>
<secondary>device pflog</secondary>
</indexterm>
<indexterm>
<primary>kernel options</primary>
<secondary>device pfsync</secondary>
</indexterm>
<para>While it is not necessary to compile
<acronym>PF</acronym> support into the &os; kernel, some of
PF's advanced features are not included in the loadable
module, namely &man.pfsync.4;, which is a pseudo-device that
exposes certain changes to the state table used by
<acronym>PF</acronym>. It can be paired with &man.carp.4; to
create failover firewalls using <acronym>PF</acronym>. More
information on <acronym>CARP</acronym> can be found in <link linkend="carp">of the Handbook</link>.</para>
<para>While it is not necessary to compile <acronym>PF</acronym>
support into the &os; kernel, some of PF's advanced features
are not included in the loadable module, namely
&man.pfsync.4;, which is a pseudo-device that exposes certain
changes to the state table used by <acronym>PF</acronym>. It
can be paired with &man.carp.4; to create failover firewalls
using <acronym>PF</acronym>. More information on
<acronym>CARP</acronym> can be found in
<link linkend="carp">of the Handbook</link>.</para>
<para>The following <acronym>PF</acronym> kernel options can be
found in <filename>/usr/src/sys/conf/NOTES</filename>:</para>
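Review bot: the link text in the last sentence of the reflowed paragraph, `<link linkend="carp">of the Handbook</link>`, renders as "can be found in of the Handbook" with no section title; because this commit is whitespace-only, a follow-up should change it to `<xref linkend="carp"/> of the Handbook` so the target's title is generated. The reflow itself preserves the wording exactly, so nothing in this hunk needs to change.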
@ -323,24 +346,27 @@ pflog_flags="" # additional flags for pflogd startup</programli
specified in this file. The &os; installation includes
several sample files located in
<filename>/usr/share/examples/pf/</filename>. Refer to the
<link xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link> for
complete coverage of <acronym>PF</acronym> rulesets.</para>
<link xlink:href="http://www.openbsd.org/faq/pf/">PF
FAQ</link> for complete coverage of <acronym>PF</acronym>
rulesets.</para>
<warning>
<para>When reading the <link xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>,
<para>When reading the <link
xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>,
keep in mind that different versions of &os; contain
different versions of PF. Currently,
&os;&nbsp;8.<replaceable>X</replaceable> is using the
same version of <acronym>PF</acronym> as
OpenBSD&nbsp;4.1. &os;&nbsp;9.<replaceable>X</replaceable>
and later is using the same version of <acronym>PF</acronym>
as OpenBSD&nbsp;4.5.</para>
&os;&nbsp;8.<replaceable>X</replaceable> is using the same
version of <acronym>PF</acronym> as OpenBSD&nbsp;4.1.
&os;&nbsp;9.<replaceable>X</replaceable> and later is using
the same version of <acronym>PF</acronym> as
OpenBSD&nbsp;4.5.</para>
</warning>
<para>The &a.pf; is a good place to ask questions about
configuring and running the <acronym>PF</acronym> firewall.
Do not forget to check the mailing list archives before asking
questions.</para>
<para>To control <acronym>PF</acronym>, use &man.pfctl.8;.
Below are some useful options to this command. Review
&man.pfctl.8; for a description of all available
@ -440,7 +466,8 @@ options ALTQ_NOPCC # Required for SMP build</programlisting>
<para><literal>options ALTQ_HFSC</literal> enables the
<emphasis>Hierarchical Fair Service Curve Packet
Scheduler</emphasis> <acronym>HFSC</acronym>. For more
information, refer to <uri xlink:href="http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html">http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html</uri>.</para>
information, refer to <uri
xlink:href="http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html">http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html</uri>.</para>
<para><literal>options ALTQ_PRIQ</literal> enables
<emphasis>Priority Queuing</emphasis>
@ -454,24 +481,32 @@ options ALTQ_NOPCC # Required for SMP build</programlisting>
</sect2>
<sect2 xml:id="pf-tutorial">
<info><title><acronym>PF</acronym> Rule Sets and Tools</title>
<info>
<title><acronym>PF</acronym> Rule Sets and Tools</title>
<authorgroup>
<author><personname><firstname>Peter</firstname><surname>Hansteen</surname><othername>N. M.</othername></personname><contrib>Contributed by </contrib></author>
<author>
<personname>
<firstname>Peter</firstname>
<surname>Hansteen</surname>
<othername>N. M.</othername>
</personname>
<contrib>Contributed by </contrib>
</author>
</authorgroup>
</info>
<para>This section demonstrates some useful
<acronym>PF</acronym> features and <acronym>PF</acronym>
related tools in a series of examples. A more thorough
tutorial is available at <link xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>.</para>
tutorial is available at <link
xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>.</para>
<tip>
<para><package>security/sudo</package> is
useful for running commands like <command>pfctl</command>
that require elevated privileges. It can be installed from
the Ports Collection.</para>
<para><package>security/sudo</package> is useful for running
commands like <command>pfctl</command> that require elevated
privileges. It can be installed from the Ports
Collection.</para>
</tip>
<sect3 xml:id="pftut-simplest">
@ -506,7 +541,8 @@ pass out all keep state</programlisting>
of some thinking. The point of packet filtering is to
take control, not to run catch-up with what the bad guys
do. Marcus Ranum has written a very entertaining and
informative article about this, <link xlink:href="http://www.ranum.com/security/computer_security/editorials/dumb/index.html">The
informative article about this, <link
xlink:href="http://www.ranum.com/security/computer_security/editorials/dumb/index.html">The
Six Dumbest Ideas in Computer Security</link>, and
it is well written too.</para></footnote>. This gives
us the opportunity to introduce two of the features which
@ -892,7 +928,7 @@ pass from { lo0, $localnet } to any keep state</programlisting>
gateway is amazingly simple, thanks to the
<acronym>FTP</acronym> proxy program (called
&man.ftp-proxy.8;) included in the base system on &os; and
other systems which offer <acronym>PF</acronym>. </para>
other systems which offer <acronym>PF</acronym>.</para>
<para>The <acronym>FTP</acronym> protocol being what it is,
the proxy needs to dynamically insert rules in your rule
@ -1127,7 +1163,8 @@ pass out on $ext_if inet proto udp from any to any port 33433 &gt;&lt; 33626 kee
<para>Under any circumstances, this solution was lifted
from an openbsd-misc post. I have found that list, and
the searchable list archives (accessible among other
places from <link xlink:href="http://marc.theaimsgroup.com/">http://marc.theaimsgroup.com/</link>),
places from <link
xlink:href="http://marc.theaimsgroup.com/">http://marc.theaimsgroup.com/</link>),
to be a very valuable resource whenever you need OpenBSD
or <acronym>PF</acronym> related information.</para>
</sect4>
@ -1345,8 +1382,9 @@ Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from
<note>
<para>These rules will <emphasis>not</emphasis> block slow
bruteforcers, sometimes referred to as <link xlink:href="http://home.nuug.no/~peter/hailmary2013/">the Hail
Mary Cloud</link>.</para>
bruteforcers, sometimes referred to as <link
xlink:href="http://home.nuug.no/~peter/hailmary2013/">the
Hail Mary Cloud</link>.</para>
</note>
<para>Once again, please keep in mind that this example rule
@ -1444,7 +1482,8 @@ Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from
<programlisting>/usr/local/sbin/expiretable -v -d -t 24h bruteforce</programlisting>
<para><application>expiretable</application> is in the
Ports&nbsp;Collection on &os; as <package>security/expiretable</package>.</para>
Ports&nbsp;Collection on &os; as
<package>security/expiretable</package>.</para>
</sect4>
</sect3>
@ -1462,11 +1501,10 @@ Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from
makes it possible to keep an eye on what passes into and
out of the network. <application>pftop</application> is
available through the ports system as
<package>sysutils/pftop</package>. The
name is a strong hint at what it does -
<application>pftop</application> shows a running snapshot
of traffic in a format which is strongly inspired by
&man.top.1;.</para>
<package>sysutils/pftop</package>. The name is a strong
hint at what it does - <application>pftop</application>
shows a running snapshot of traffic in a format which is
strongly inspired by &man.top.1;.</para>
</sect4>
<sect4 xml:id="pftut-spamd">
@ -1516,11 +1554,12 @@ Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from
<procedure>
<step>
<para>Install the <package>mail/spamd/</package> port. In
particular, be sure to read the package message and
act upon what it says. Specifically, to use
<para>Install the <package>mail/spamd/</package> port.
In particular, be sure to read the package message
and act upon what it says. Specifically, to use
<application>spamd</application>'s greylisting
features, a file descriptor file system (see <link xlink:href="http://www.freebsd.org/cgi/man.cgi?query=fdescfs&amp;sektion=5">fdescfs(5)</link>)
features, a file descriptor file system (see <link
xlink:href="http://www.freebsd.org/cgi/man.cgi?query=fdescfs&amp;sektion=5">fdescfs(5)</link>)
must be mounted at <filename>/dev/fd/</filename>.
Do this by adding the following line to
<filename>/etc/fstab</filename>:</para>
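Review bot: `<package>mail/spamd/</package>` carries a trailing slash that the other `<package>` references in this chapter (`security/sudo`, `sysutils/pftop`, `security/expiretable`) do not; the reflow preserves it correctly, as a whitespace-only change should, but it ought to be normalised to `mail/spamd` in a separate content commit.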
@ -1670,7 +1709,8 @@ rdr pass on $ext_if inet proto tcp from !&lt;spamd-white&gt; to \
paper by Evan Harris
<footnote><para>The original
Harris paper and a number of other useful articles
and resources can be found at the <link xlink:href="http://www.greylisting.org/">greylisting.org</link>
and resources can be found at the <link
xlink:href="http://www.greylisting.org/">greylisting.org</link>
web site.</para></footnote>, and a number of
implementations followed over the next few months.
OpenBSD's <application>spamd</application> acquired its
@ -1893,7 +1933,8 @@ block drop out quick on $ext_if from any to $martians</programlisting>
<para>This completes our simple NATing firewall for a
small local network. A more thorough tutorial is
available at <link xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>,
available at <link
xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>,
where you will also find slides from related
presentations.</para>
</sect5>
@ -1940,13 +1981,17 @@ block drop out quick on $ext_if from any to $martians</programlisting>
for configuring an inclusive firewall ruleset.</para>
<para>For a detailed explanation of the legacy rules processing
method, refer to <uri xlink:href="http://www.munk.me.uk/ipf/ipf-howto.html">http://www.munk.me.uk/ipf/ipf-howto.html</uri>
and <uri xlink:href="http://coombs.anu.edu.au/~avalon/ip-filter.html">http://coombs.anu.edu.au/~avalon/ip-filter.html</uri>.</para>
method, refer to <uri
xlink:href="http://www.munk.me.uk/ipf/ipf-howto.html">http://www.munk.me.uk/ipf/ipf-howto.html</uri>
and <uri
xlink:href="http://coombs.anu.edu.au/~avalon/ip-filter.html">http://coombs.anu.edu.au/~avalon/ip-filter.html</uri>.</para>
<para>The IPF FAQ is at <uri xlink:href="http://www.phildev.net/ipf/index.html">http://www.phildev.net/ipf/index.html</uri>.</para>
<para>The IPF FAQ is at <uri
xlink:href="http://www.phildev.net/ipf/index.html">http://www.phildev.net/ipf/index.html</uri>.</para>
<para>A searchable archive of the IPFilter mailing list is
available at <uri xlink:href="http://marc.theaimsgroup.com/?l=ipfilter">http://marc.theaimsgroup.com/?l=ipfilter</uri>.</para>
available at <uri
xlink:href="http://marc.theaimsgroup.com/?l=ipfilter">http://marc.theaimsgroup.com/?l=ipfilter</uri>.</para>
<sect2>
<title>Enabling IPF</title>
@ -2424,8 +2469,9 @@ EOF
adding <literal>ipfilter_enable="NO"</literal>to
<filename>/etc/rc.conf</filename>.</para>
<para>Then, add a script like the following to <filename>/usr/local/etc/rc.d/</filename>.
The script should have an obvious name like
<para>Then, add a script like the following to
<filename>/usr/local/etc/rc.d/</filename>. The script
should have an obvious name like
<filename>ipf.loadrules.sh</filename>, where the
<filename>.sh</filename> extension is mandatory.</para>
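Review bot: the context line `adding <literal>ipfilter_enable="NO"</literal>to` is missing a space before `to`, so it renders as `"NO"to`; it lies outside the reflowed lines and inserting the space changes rendered text, so it belongs in a follow-up commit rather than this translator-ignorable one.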
@ -2433,7 +2479,8 @@ EOF
sh /etc/ipf.rules.script</programlisting>
<para>The permissions on this script file must be read,
write, execute for owner <systemitem class="username">root</systemitem>:</para>
write, execute for owner
<systemitem class="username">root</systemitem>:</para>
<screen>&prompt.root; <userinput>chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh</userinput></screen>
</listitem>
@ -2658,9 +2705,11 @@ sh /etc/ipf.rules.script</programlisting>
<para>There is no way to match ranges of IP addresses which
do not express themselves easily using the dotted numeric
form / mask-length notation. The <package>net-mgmt/ipcalc</package> port may be
used to ease the calculation. Additional information
is available at the utility's web page: <uri xlink:href="http://jodies.de/ipcalc">http://jodies.de/ipcalc</uri>.</para>
form / mask-length notation. The
<package>net-mgmt/ipcalc</package> port may be used to ease
the calculation. Additional information is available at the
utility's web page: <uri
xlink:href="http://jodies.de/ipcalc">http://jodies.de/ipcalc</uri>.</para>
</sect3>
<sect3>
@ -2675,8 +2724,8 @@ sh /etc/ipf.rules.script</programlisting>
<literal>from</literal> object, it matches the source port
number. When it appears as part of the
<literal>to</literal> object, it matches the destination
port number. An example usage is <literal>from any to any
port = 80</literal></para>
port number. An example usage is
<literal>from any to any port = 80</literal></para>
<para>Single port comparisons may be done in a number of ways,
using a number of different comparison operators. Instead
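Review bot: the reflowed sentence ending `<literal>from any to any port = 80</literal></para>` still lacks its terminating period; leave it for a follow-up, since adding punctuation changes rendered text and would not be whitespace-only.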
@ -2793,10 +2842,10 @@ sh /etc/ipf.rules.script</programlisting>
network.</para>
<para>&os; uses interface <filename>lo0</filename> and IP
address <systemitem class="ipaddress">127.0.0.1</systemitem> for internal
communication within the operating system. The firewall rules
must contain rules to allow free movement of these internally
used packets.</para>
address <systemitem class="ipaddress">127.0.0.1</systemitem>
for internal communication within the operating system. The
firewall rules must contain rules to allow free movement of
these internally used packets.</para>
<para>The interface which faces the public Internet is the one
specified in the rules that authorize and control access of
@ -2857,13 +2906,13 @@ sh /etc/ipf.rules.script</programlisting>
being flooded or is under attack.</para>
<para>To lookup unknown port numbers, refer to
<filename>/etc/services</filename>. Alternatively, visit
<uri xlink:href="http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers">http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers</uri>
<filename>/etc/services</filename>. Alternatively, visit <uri
xlink:href="http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers">http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers</uri>
and do a port number lookup to find the purpose of a
particular port number.</para>
<para>Check out this link for port numbers used by Trojans
<uri xlink:href="http://www.sans.org/security-resources/idfaq/oddports.php">http://www.sans.org/security-resources/idfaq/oddports.php</uri>.</para>
<para>Check out this link for port numbers used by Trojans <uri
xlink:href="http://www.sans.org/security-resources/idfaq/oddports.php">http://www.sans.org/security-resources/idfaq/oddports.php</uri>.</para>
<para>The following ruleset creates an
<literal>inclusive</literal> firewall ruleset which can be
@ -3166,7 +3215,8 @@ block in log first quick on dc0 all
<para>The <replaceable>LAN_IP_RANGE</replaceable> is used by the
internal clients use for IP Addressing. Usually, this is
something like <systemitem class="ipaddress">192.168.1.0/24</systemitem>.</para>
something like <systemitem
class="ipaddress">192.168.1.0/24</systemitem>.</para>
<para>The <replaceable>PUBLIC_ADDRESS</replaceable> can either
be the static external IP address or the special keyword
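Review bot: the context line `internal clients use for IP Addressing` carries a stray `use` (`is used by the internal clients use for`); it is untouched by this reflow and should be cleaned up in a content commit together with the odd capitalisation of `Addressing`.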
@ -3290,8 +3340,9 @@ block in log first quick on dc0 all
servers still has to undergo <acronym>NAT</acronym>, but there
has to be some way to direct the inbound traffic to the
correct server. For example, a web server operating on LAN
address <systemitem class="ipaddress">10.0.10.25</systemitem> and using a single public
IP address of <systemitem class="ipaddress">20.20.20.5</systemitem>, would
address <systemitem class="ipaddress">10.0.10.25</systemitem>
and using a single public IP address of
<systemitem class="ipaddress">20.20.20.5</systemitem>, would
use this rule:</para>
<programlisting>rdr dc0 20.20.20.5/32 port 80 -&gt; 10.0.10.25 port 80</programlisting>
@ -3300,8 +3351,9 @@ block in log first quick on dc0 all
<programlisting>rdr dc0 0.0.0.0/0 port 80 -&gt; 10.0.10.25 port 80</programlisting>
<para>For a LAN DNS server on a private address of <systemitem class="ipaddress">10.0.10.33</systemitem> that needs to receive
public DNS requests:</para>
<para>For a LAN DNS server on a private address of
<systemitem class="ipaddress">10.0.10.33</systemitem> that
needs to receive public DNS requests:</para>
<programlisting>rdr dc0 20.20.20.5/32 port 53 -&gt; 10.0.10.33 port 53 udp</programlisting>
</sect2>
@ -3313,7 +3365,8 @@ block in log first quick on dc0 all
difference is in how the data channel is acquired. Passive
mode is more secure as the data channel is acquired by the
ordinal ftp session requester. For a good explanation of FTP
and the different modes, see <uri xlink:href="http://www.slacksite.com/other/ftp.html">http://www.slacksite.com/other/ftp.html</uri>.</para>
and the different modes, see <uri
xlink:href="http://www.slacksite.com/other/ftp.html">http://www.slacksite.com/other/ftp.html</uri>.</para>
<sect3>
<title>IP<acronym>NAT</acronym> Rules</title>
@ -3821,23 +3874,24 @@ ipfw add deny out</programlisting>
any IP address configured on an interface in the &os;
system to represent the PC the firewall is running on.
Example usage includes <literal>from me to any</literal>,
<literal>from any to me</literal>, <literal>from 0.0.0.0/0
to any</literal>, <literal>from any to
0.0.0.0/0</literal>, <literal>from 0.0.0.0 to
any</literal>. <literal>from any to 0.0.0.0</literal>,
<literal>from any to me</literal>,
<literal>from 0.0.0.0/0 to any</literal>,
<literal>from any to 0.0.0.0/0</literal>,
<literal>from 0.0.0.0 to any</literal>.
<literal>from any to 0.0.0.0</literal>,
and <literal>from me to 0.0.0.0</literal>. IP addresses
are specified in dotted IP address format followed by the
mask in CIDR notation, or as a single host in dotted IP
address format. This keyword is a mandatory requirement.
The <package>net-mgmt/ipcalc</package>
port may be used to assist the mask calculation.</para>
The <package>net-mgmt/ipcalc</package> port may be used to
assist the mask calculation.</para>
<para><parameter>port number</parameter></para>
<para>For protocols which support port numbers, such as
<acronym>TCP</acronym> and <acronym>UDP</acronym>, it
is mandatory to include the port number of the service
that will be matched. Service names from
that will be matched. Service names from
<filename>/etc/services</filename> may be used instead
of numeric port values.</para>
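Review bot: in the reflowed list of `me` examples, `<literal>from 0.0.0.0 to any</literal>.` ends with a period where the surrounding items use commas, so the sentence splits into two fragments; the reflow faithfully keeps the original punctuation, but a follow-up should change that period to a comma. The duplicated `that will be matched. Service names from` line is consistent with trailing-whitespace removal and needs no change.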