diff --git a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml index 9a4a344494..9d2c5003c1 100644 --- a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml @@ -4,18 +4,34 @@ $FreeBSD$ --> - - Firewalls + + + + Firewalls + - Joseph J.BarbishContributed by + + + Joseph J. + Barbish + + Contributed by + + - BradDavisConverted to SGML and updated by + + + Brad + Davis + + Converted to SGML and updated by + - - firewall @@ -166,19 +182,26 @@ TCP/IP works, what the different values in the packet control fields are, and how these values are used in a normal session conversation. For a good introduction, refer - to Daryl's TCP/IP - Primer. + to + Daryl's + TCP/IP Primer. - PF and <acronym>ALTQ</acronym> + + PF and <acronym>ALTQ</acronym> + - JohnFerrellRevised and updated by + + + John + Ferrell + + Revised and updated by + - - firewall @@ -193,13 +216,15 @@ Quality of Service (QoS). Since the OpenBSD Project maintains the definitive - reference for PF in the PF FAQ, this - section of the Handbook focuses on PF as it - pertains to &os;, while providing some general usage + reference for PF in the + PF FAQ, + this section of the Handbook focuses on PF as + it pertains to &os;, while providing some general usage information. More information about porting PF to &os; - can be found at http://pf4freebsd.love2party.net/. + can be found at http://pf4freebsd.love2party.net/. Using the PF Loadable Kernel Modules 
@@ -208,26 +233,27 @@ loaded. Add the following line to /etc/rc.conf: - pf_enable="YES" + pf_enable="YES" - Then, run the startup script to load the module: + Then, run the startup script to load the module: - &prompt.root; service pf start + &prompt.root; service pf start - The PF module will not load if it cannot find the - ruleset configuration file. The default location is - /etc/pf.conf. If the PF ruleset is - located somewhere else, add a line to - /etc/rc.conf which specifies the full - path to the file: + The PF module will not load if it cannot find the + ruleset configuration file. The default location is + /etc/pf.conf. If the PF ruleset is + located somewhere else, add a line to + /etc/rc.conf which specifies the full + path to the file: - pf_rules="/path/to/pf.conf" + pf_rules="/path/to/pf.conf" - The sample pf.conf - can be found in /usr/share/examples/pf/. + The sample pf.conf + can be found in + /usr/share/examples/pf/. - The PF module can also be loaded - manually from the command line: + The PF module can also be loaded + manually from the command line: &prompt.root; kldload pf.ko @@ -240,7 +266,6 @@ Then, run the startup script to load the module: &prompt.root; service pflog start - 
@@ -248,30 +273,28 @@ kernel options - device pf kernel options - device pflog kernel options - device pfsync - While it is not necessary to compile - PF support into the &os; kernel, some of - PF's advanced features are not included in the loadable - module, namely &man.pfsync.4;, which is a pseudo-device that - exposes certain changes to the state table used by - PF. It can be paired with &man.carp.4; to - create failover firewalls using PF. More - information on CARP can be found in of the Handbook. + While it is not necessary to compile PF + support into the &os; kernel, some of PF's advanced features + are not included in the loadable module, namely + &man.pfsync.4;, which is a pseudo-device that exposes certain + changes to the state table used by PF. It + can be paired with &man.carp.4; to create failover firewalls + using PF. More information on + CARP can be found in + of the Handbook. The following PF kernel options can be found in /usr/src/sys/conf/NOTES: @@ -323,24 +346,27 @@ pflog_flags="" # additional flags for pflogd startup/usr/share/examples/pf/. Refer to the - PF FAQ for - complete coverage of PF rulesets. + PF + FAQ for complete coverage of PF + rulesets. - When reading the PF FAQ, + When reading the PF FAQ, keep in mind that different versions of &os; contain different versions of PF. Currently, - &os; 8.X is using the - same version of PF as - OpenBSD 4.1. &os; 9.X - and later is using the same version of PF - as OpenBSD 4.5. + &os; 8.X is using the same + version of PF as OpenBSD 4.1. + &os; 9.X and later is using + the same version of PF as + OpenBSD 4.5. The &a.pf; is a good place to ask questions about configuring and running the PF firewall. Do not forget to check the mailing list archives before asking questions. + To control PF, use &man.pfctl.8;. Below are some useful options to this command. Review &man.pfctl.8; for a description of all available 
@@ -440,7 +466,8 @@ options ALTQ_NOPCC # Required for SMP build options ALTQ_HFSC enables the Hierarchical Fair Service Curve Packet Scheduler HFSC. For more - information, refer to http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html. + information, refer to http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html. options ALTQ_PRIQ enables Priority Queuing @@ -454,24 +481,32 @@ options ALTQ_NOPCC # Required for SMP build - <acronym>PF</acronym> Rule Sets and Tools + + <acronym>PF</acronym> Rule Sets and Tools + - PeterHansteenN. M.Contributed by + + + Peter + Hansteen + N. M. + + Contributed by + - - This section demonstrates some useful PF features and PF related tools in a series of examples. A more thorough - tutorial is available at http://home.nuug.no/~peter/pf/. + tutorial is available at http://home.nuug.no/~peter/pf/. - security/sudo is - useful for running commands like pfctl - that require elevated privileges. It can be installed from - the Ports Collection. + security/sudo is useful for running + commands like pfctl that require elevated + privileges. It can be installed from the Ports + Collection. @@ -506,7 +541,8 @@ pass out all keep state of some thinking. The point of packet filtering is to take control, not to run catch-up with what the bad guys do. Marcus Ranum has written a very entertaining and - informative article about this, The + informative article about this, The Six Dumbest Ideas in Computer Security, and it is well written too.. This gives us the opportunity to introduce two of the features which @@ -892,7 +928,7 @@ pass from { lo0, $localnet } to any keep state gateway is amazingly simple, thanks to the FTP proxy program (called &man.ftp-proxy.8;) included in the base system on &os; and - other systems which offer PF. + other systems which offer PF. The FTP protocol being what it is, the proxy needs to dynamically insert rules in your rule 
@@ -1127,7 +1163,8 @@ pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 kee Under any circumstances, this solution was lifted from an openbsd-misc post. I have found that list, and the searchable list archives (accessible among other - places from http://marc.theaimsgroup.com/), + places from http://marc.theaimsgroup.com/), to be a very valuable resource whenever you need OpenBSD or PF related information. @@ -1345,8 +1382,9 @@ Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from These rules will not block slow - bruteforcers, sometimes referred to as the Hail - Mary Cloud. + bruteforcers, sometimes referred to as the + Hail Mary Cloud. Once again, please keep in mind that this example rule @@ -1444,7 +1482,8 @@ Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from /usr/local/sbin/expiretable -v -d -t 24h bruteforce expiretable is in the - Ports Collection on &os; as security/expiretable. + Ports Collection on &os; as + security/expiretable. @@ -1462,11 +1501,10 @@ Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from makes it possible to keep an eye on what passes into and out of the network. pftop is available through the ports system as - sysutils/pftop. The - name is a strong hint at what it does - - pftop shows a running snapshot - of traffic in a format which is strongly inspired by - &man.top.1;. + sysutils/pftop. The name is a strong + hint at what it does - pftop + shows a running snapshot of traffic in a format which is + strongly inspired by &man.top.1;. 
@@ -1516,11 +1554,12 @@ Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from - Install the mail/spamd/ port. In - particular, be sure to read the package message and - act upon what it says. Specifically, to use + Install the mail/spamd/ port. + In particular, be sure to read the package message + and act upon what it says. Specifically, to use spamd's greylisting - features, a file descriptor file system (see fdescfs(5)) + features, a file descriptor file system (see fdescfs(5)) must be mounted at /dev/fd/. Do this by adding the following line to /etc/fstab: @@ -1670,7 +1709,8 @@ rdr pass on $ext_if inet proto tcp from !<spamd-white> to \ paper by Evan Harris The original Harris paper and a number of other useful articles - and resources can be found at the greylisting.org + and resources can be found at the greylisting.org web site., and a number of implementations followed over the next few months. OpenBSD's spamd acquired its @@ -1893,7 +1933,8 @@ block drop out quick on $ext_if from any to $martians This completes our simple NATing firewall for a small local network. A more thorough tutorial is - available at http://home.nuug.no/~peter/pf/, + available at http://home.nuug.no/~peter/pf/, where you will also find slides from related presentations. 
@@ -1940,13 +1981,17 @@ block drop out quick on $ext_if from any to $martians for configuring an inclusive firewall ruleset. For a detailed explanation of the legacy rules processing - method, refer to http://www.munk.me.uk/ipf/ipf-howto.html - and http://coombs.anu.edu.au/~avalon/ip-filter.html. + method, refer to http://www.munk.me.uk/ipf/ipf-howto.html + and http://coombs.anu.edu.au/~avalon/ip-filter.html. - The IPF FAQ is at http://www.phildev.net/ipf/index.html. + The IPF FAQ is at http://www.phildev.net/ipf/index.html. A searchable archive of the IPFilter mailing list is - available at http://marc.theaimsgroup.com/?l=ipfilter. + available at http://marc.theaimsgroup.com/?l=ipfilter. Enabling IPF @@ -2424,8 +2469,9 @@ EOF adding ipfilter_enable="NO"to /etc/rc.conf. - Then, add a script like the following to /usr/local/etc/rc.d/. - The script should have an obvious name like + Then, add a script like the following to + /usr/local/etc/rc.d/. The script + should have an obvious name like ipf.loadrules.sh, where the .sh extension is mandatory. @@ -2433,7 +2479,8 @@ EOF sh /etc/ipf.rules.script The permissions on this script file must be read, - write, execute for owner root: + write, execute for owner + root: &prompt.root; chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh @@ -2658,9 +2705,11 @@ sh /etc/ipf.rules.script There is no way to match ranges of IP addresses which do not express themselves easily using the dotted numeric - form / mask-length notation. The net-mgmt/ipcalc port may be - used to ease the calculation. Additional information - is available at the utility's web page: http://jodies.de/ipcalc. + form / mask-length notation. The + net-mgmt/ipcalc port may be used to ease + the calculation. Additional information is available at the + utility's web page: http://jodies.de/ipcalc. 
@@ -2675,8 +2724,8 @@ sh /etc/ipf.rules.script from object, it matches the source port number. When it appears as part of the to object, it matches the destination - port number. An example usage is from any to any - port = 80 + port number. An example usage is + from any to any port = 80 Single port comparisons may be done in a number of ways, using a number of different comparison operators. Instead @@ -2793,10 +2842,10 @@ sh /etc/ipf.rules.script network. &os; uses interface lo0 and IP - address 127.0.0.1 for internal - communication within the operating system. The firewall rules - must contain rules to allow free movement of these internally - used packets. + address 127.0.0.1 + for internal communication within the operating system. The + firewall rules must contain rules to allow free movement of + these internally used packets. The interface which faces the public Internet is the one specified in the rules that authorize and control access of @@ -2857,13 +2906,13 @@ sh /etc/ipf.rules.script being flooded or is under attack. To lookup unknown port numbers, refer to - /etc/services. Alternatively, visit - http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers + /etc/services. Alternatively, visit http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers and do a port number lookup to find the purpose of a particular port number. - Check out this link for port numbers used by Trojans - http://www.sans.org/security-resources/idfaq/oddports.php. + Check out this link for port numbers used by Trojans http://www.sans.org/security-resources/idfaq/oddports.php. The following ruleset creates an inclusive firewall ruleset which can be @@ -3166,7 +3215,8 @@ block in log first quick on dc0 all The LAN_IP_RANGE is used by the internal clients use for IP Addressing. Usually, this is - something like 192.168.1.0/24. + something like 192.168.1.0/24. The PUBLIC_ADDRESS can either be the static external IP address or the special keyword 
@@ -3290,8 +3340,9 @@ block in log first quick on dc0 all servers still has to undergo NAT, but there has to be some way to direct the inbound traffic to the correct server. For example, a web server operating on LAN - address 10.0.10.25 and using a single public - IP address of 20.20.20.5, would + address 10.0.10.25 + and using a single public IP address of + 20.20.20.5, would use this rule: rdr dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80 @@ -3300,8 +3351,9 @@ block in log first quick on dc0 all rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.25 port 80 - For a LAN DNS server on a private address of 10.0.10.33 that needs to receive - public DNS requests: + For a LAN DNS server on a private address of + 10.0.10.33 that + needs to receive public DNS requests: rdr dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 udp @@ -3313,7 +3365,8 @@ block in log first quick on dc0 all difference is in how the data channel is acquired. Passive mode is more secure as the data channel is acquired by the ordinal ftp session requester. For a good explanation of FTP - and the different modes, see http://www.slacksite.com/other/ftp.html. + and the different modes, see http://www.slacksite.com/other/ftp.html. IP<acronym>NAT</acronym> Rules 
@@ -3821,23 +3874,24 @@ ipfw add deny out any IP address configured on an interface in the &os; system to represent the PC the firewall is running on. Example usage includes from me to any, - from any to me, from 0.0.0.0/0 - to any, from any to - 0.0.0.0/0, from 0.0.0.0 to - any. from any to 0.0.0.0, + from any to me, + from 0.0.0.0/0 to any, + from any to 0.0.0.0/0, + from 0.0.0.0 to any. + from any to 0.0.0.0, and from me to 0.0.0.0. IP addresses are specified in dotted IP address format followed by the mask in CIDR notation, or as a single host in dotted IP address format. This keyword is a mandatory requirement. - The net-mgmt/ipcalc - port may be used to assist the mask calculation. + The net-mgmt/ipcalc port may be used to + assist the mask calculation. port number For protocols which support port numbers, such as TCP and UDP, it is mandatory to include the port number of the service - that will be matched. Service names from + that will be matched. Service names from /etc/services may be used instead of numeric port values.
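Review bot: In hunk @@ -248,30 +273,28 @@ the reflowed sentence still reads "More information on CARP can be found in of the Handbook.", which suggests the cross-reference to the CARP section renders empty; verify that the xref target in that sentence resolves, since the reflow touches these lines anyway.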
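Review bot: In hunk @@ -323,24 +346,27 @@ the version mapping ("&os; 8.X is using the same version of PF as OpenBSD 4.1", "&os; 9.X and later ... OpenBSD 4.5") is only reflowed, but since readers use it to pick the matching PF FAQ it is worth confirming against the current sources while these lines are being edited.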
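Review bot: In hunk @@ -506,7 +541,8 @@ the context line "and it is well written too.." ends with a doubled period; if the first one closes a footnote and the second closes the outer sentence, consider dropping one so the rendered text does not show "too..".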
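Review bot: In hunk @@ -1516,11 +1554,12 @@ the port name "mail/spamd/" carries a trailing slash that port origins do not use; it should read "mail/spamd". In the same hunk, "(see fdescfs(5))" is a plain manual page reference while the rest of the chapter uses the manual page entities (for example "&man.pfsync.4;"), so "&man.fdescfs.5;" would match the file's convention.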
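Review bot: In hunk @@ -2424,8 +2469,9 @@ the unchanged context line "adding ipfilter_enable="NO"to /etc/rc.conf." is missing the space before "to"; since the paragraph directly below it is being reflowed, that line could be fixed in the same change.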
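Review bot: In hunk @@ -2675,8 +2724,8 @@ the example "from any to any port = 80" ends the paragraph without a closing period; add one after the example so the sentence is complete.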
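Review bot: In hunk @@ -2793,10 +2842,10 @@ the reflowed text "The firewall rules must contain rules to allow free movement of these internally used packets" repeats "rules"; a wording such as "The ruleset must allow free movement of these internally used packets" says the same thing without the repetition.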
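Review bot: In hunk @@ -3290,8 +3340,9 @@ the public address used in the example, 20.20.20.5, is a routable address belonging to someone else; since the hunk already rewraps these lines, an address from the RFC 5737 documentation range (for example 203.0.113.5) would avoid readers copying a rule that points at a real host. The LAN address 10.0.10.25 is fine as it is private space.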
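Review bot: In hunk @@ -3300,8 +3351,9 @@ the DNS example has the same 20.20.20.5/32 address as the web server example and would benefit from the same change to an RFC 5737 documentation address. Note also that the context line "rdr dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 udp" redirects UDP only, so TCP queries to port 53 (large responses, zone transfers) will not reach the server; if that is intended, a sentence saying so would help readers.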
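Review bot: In hunk @@ -3313,7 +3365,8 @@ the context line "the data channel is acquired by the ordinal ftp session requester" looks like a typo for "original"; consider fixing it while the paragraph is being touched.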
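Review bot: In hunk @@ -3821,23 +3874,24 @@ the example list still has a period where a comma belongs: "from 0.0.0.0 to any." is followed by "from any to 0.0.0.0," so the list of example usages is split into two sentences. Since both the removed and added lines carry the period, the reflow is a good moment to replace it with a comma. The sentence "This keyword is a mandatory requirement." is also redundant; "This keyword is mandatory." reads better.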