Whitespace-only cleanup, translators please ignore.

Warren Block 2014-01-27 13:12:05 +00:00
parent 215429e011
commit be1c56d976
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=43662


@ -4,18 +4,34 @@
$FreeBSD$ $FreeBSD$
--> -->
<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="firewalls"> <chapter xmlns="http://docbook.org/ns/docbook"
<info><title>Firewalls</title> xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="firewalls">
<info>
<title>Firewalls</title>
<authorgroup> <authorgroup>
<author><personname><firstname>Joseph J.</firstname><surname>Barbish</surname></personname><contrib>Contributed by </contrib></author> <author>
<personname>
<firstname>Joseph J.</firstname>
<surname>Barbish</surname>
</personname>
<contrib>Contributed by </contrib>
</author>
</authorgroup> </authorgroup>
<authorgroup> <authorgroup>
<author><personname><firstname>Brad</firstname><surname>Davis</surname></personname><contrib>Converted to SGML and updated by </contrib></author> <author>
<personname>
<firstname>Brad</firstname>
<surname>Davis</surname>
</personname>
<contrib>Converted to SGML and updated by </contrib>
</author>
</authorgroup> </authorgroup>
</info> </info>
<indexterm><primary>firewall</primary></indexterm> <indexterm><primary>firewall</primary></indexterm>
<indexterm> <indexterm>
@ -166,19 +182,26 @@
<acronym>TCP/IP</acronym> works, what the different values in <acronym>TCP/IP</acronym> works, what the different values in
the packet control fields are, and how these values are used in the packet control fields are, and how these values are used in
a normal session conversation. For a good introduction, refer a normal session conversation. For a good introduction, refer
to <link xlink:href="http://www.ipprimer.com/overview.cfm">Daryl's TCP/IP to
Primer</link>.</para> <link xlink:href="http://www.ipprimer.com/overview.cfm">Daryl's
TCP/IP Primer</link>.</para>
</sect1> </sect1>
<sect1 xml:id="firewalls-pf"> <sect1 xml:id="firewalls-pf">
<info><title>PF and <acronym>ALTQ</acronym></title> <info>
<title>PF and <acronym>ALTQ</acronym></title>
<authorgroup> <authorgroup>
<author><personname><firstname>John</firstname><surname>Ferrell</surname></personname><contrib>Revised and updated by </contrib></author> <author>
<personname>
<firstname>John</firstname>
<surname>Ferrell</surname>
</personname>
<contrib>Revised and updated by </contrib>
</author>
</authorgroup> </authorgroup>
</info> </info>
<indexterm> <indexterm>
<primary>firewall</primary> <primary>firewall</primary>
@ -193,13 +216,15 @@
Quality of Service (<acronym>QoS</acronym>).</para> Quality of Service (<acronym>QoS</acronym>).</para>
<para>Since the OpenBSD Project maintains the definitive <para>Since the OpenBSD Project maintains the definitive
reference for <acronym>PF</acronym> in the <link xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>, this reference for <acronym>PF</acronym> in the
section of the Handbook focuses on <acronym>PF</acronym> as it <link xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>,
pertains to &os;, while providing some general usage this section of the Handbook focuses on <acronym>PF</acronym> as
it pertains to &os;, while providing some general usage
information.</para> information.</para>
<para>More information about porting <acronym>PF</acronym> to &os; <para>More information about porting <acronym>PF</acronym> to &os;
can be found at <uri xlink:href="http://pf4freebsd.love2party.net/">http://pf4freebsd.love2party.net/</uri>.</para> can be found at <uri
xlink:href="http://pf4freebsd.love2party.net/">http://pf4freebsd.love2party.net/</uri>.</para>
<sect2> <sect2>
<title>Using the PF Loadable Kernel Modules</title> <title>Using the PF Loadable Kernel Modules</title>
@ -208,26 +233,27 @@
loaded. Add the following line to loaded. Add the following line to
<filename>/etc/rc.conf</filename>:</para> <filename>/etc/rc.conf</filename>:</para>
<programlisting>pf_enable="YES"</programlisting> <programlisting>pf_enable="YES"</programlisting>
<para>Then, run the startup script to load the module:</para> <para>Then, run the startup script to load the module:</para>
<screen>&prompt.root; <userinput>service pf start</userinput></screen> <screen>&prompt.root; <userinput>service pf start</userinput></screen>
<para>The PF module will not load if it cannot find the <para>The PF module will not load if it cannot find the
ruleset configuration file. The default location is ruleset configuration file. The default location is
<filename>/etc/pf.conf</filename>. If the PF ruleset is <filename>/etc/pf.conf</filename>. If the PF ruleset is
located somewhere else, add a line to located somewhere else, add a line to
<filename>/etc/rc.conf</filename> which specifies the full <filename>/etc/rc.conf</filename> which specifies the full
path to the file:</para> path to the file:</para>
<programlisting>pf_rules="<replaceable>/path/to/pf.conf</replaceable>"</programlisting> <programlisting>pf_rules="<replaceable>/path/to/pf.conf</replaceable>"</programlisting>
<para>The sample <filename>pf.conf</filename> <para>The sample <filename>pf.conf</filename>
can be found in <filename>/usr/share/examples/pf/</filename>.</para> can be found in
<filename>/usr/share/examples/pf/</filename>.</para>
<para>The <acronym>PF</acronym> module can also be loaded <para>The <acronym>PF</acronym> module can also be loaded
manually from the command line:</para> manually from the command line:</para>
<screen>&prompt.root; <userinput>kldload pf.ko</userinput></screen> <screen>&prompt.root; <userinput>kldload pf.ko</userinput></screen>
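Review bot: the sentence "The PF module will not load if it cannot find the ruleset configuration file" in this hunk is inaccurate and contradicts the kldload step a few lines later; <command>kldload pf.ko</command> loads the module whether or not <filename>/etc/pf.conf</filename> exists. It is the <command>service pf start</command> script that refuses to start (and to load the rules) when the file named by <literal>pf_rules</literal> is missing. Suggest rewording to "The <command>service pf start</command> script will not start PF if it cannot find the ruleset configuration file" so the reflowed text does not carry the error forward.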
@ -240,7 +266,6 @@
<para>Then, run the startup script to load the module:</para> <para>Then, run the startup script to load the module:</para>
<screen>&prompt.root; <userinput>service pflog start</userinput></screen> <screen>&prompt.root; <userinput>service pflog start</userinput></screen>
</sect2> </sect2>
<sect2> <sect2>
@ -248,30 +273,28 @@
<indexterm> <indexterm>
<primary>kernel options</primary> <primary>kernel options</primary>
<secondary>device pf</secondary> <secondary>device pf</secondary>
</indexterm> </indexterm>
<indexterm> <indexterm>
<primary>kernel options</primary> <primary>kernel options</primary>
<secondary>device pflog</secondary> <secondary>device pflog</secondary>
</indexterm> </indexterm>
<indexterm> <indexterm>
<primary>kernel options</primary> <primary>kernel options</primary>
<secondary>device pfsync</secondary> <secondary>device pfsync</secondary>
</indexterm> </indexterm>
<para>While it is not necessary to compile <para>While it is not necessary to compile <acronym>PF</acronym>
<acronym>PF</acronym> support into the &os; kernel, some of support into the &os; kernel, some of PF's advanced features
PF's advanced features are not included in the loadable are not included in the loadable module, namely
module, namely &man.pfsync.4;, which is a pseudo-device that &man.pfsync.4;, which is a pseudo-device that exposes certain
exposes certain changes to the state table used by changes to the state table used by <acronym>PF</acronym>. It
<acronym>PF</acronym>. It can be paired with &man.carp.4; to can be paired with &man.carp.4; to create failover firewalls
create failover firewalls using <acronym>PF</acronym>. More using <acronym>PF</acronym>. More information on
information on <acronym>CARP</acronym> can be found in <link linkend="carp">of the Handbook</link>.</para> <acronym>CARP</acronym> can be found in
<link linkend="carp">of the Handbook</link>.</para>
<para>The following <acronym>PF</acronym> kernel options can be <para>The following <acronym>PF</acronym> kernel options can be
found in <filename>/usr/src/sys/conf/NOTES</filename>:</para> found in <filename>/usr/src/sys/conf/NOTES</filename>:</para>
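Review bot: the reflowed sentence ending "More information on <acronym>CARP</acronym> can be found in <link linkend="carp">of the Handbook</link>" still reads as "found in of the Handbook"; the link text is missing the section name. Suggest link text such as "the CARP section of the Handbook" or simply "<link linkend="carp">Common Address Redundancy Protocol (CARP)</link>", either in this cleanup or a follow-up commit.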
@ -323,24 +346,27 @@ pflog_flags="" # additional flags for pflogd startup</programli
specified in this file. The &os; installation includes specified in this file. The &os; installation includes
several sample files located in several sample files located in
<filename>/usr/share/examples/pf/</filename>. Refer to the <filename>/usr/share/examples/pf/</filename>. Refer to the
<link xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link> for <link xlink:href="http://www.openbsd.org/faq/pf/">PF
complete coverage of <acronym>PF</acronym> rulesets.</para> FAQ</link> for complete coverage of <acronym>PF</acronym>
rulesets.</para>
<warning> <warning>
<para>When reading the <link xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>, <para>When reading the <link
xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>,
keep in mind that different versions of &os; contain keep in mind that different versions of &os; contain
different versions of PF. Currently, different versions of PF. Currently,
&os;&nbsp;8.<replaceable>X</replaceable> is using the &os;&nbsp;8.<replaceable>X</replaceable> is using the same
same version of <acronym>PF</acronym> as version of <acronym>PF</acronym> as OpenBSD&nbsp;4.1.
OpenBSD&nbsp;4.1. &os;&nbsp;9.<replaceable>X</replaceable> &os;&nbsp;9.<replaceable>X</replaceable> and later is using
and later is using the same version of <acronym>PF</acronym> the same version of <acronym>PF</acronym> as
as OpenBSD&nbsp;4.5.</para> OpenBSD&nbsp;4.5.</para>
</warning> </warning>
<para>The &a.pf; is a good place to ask questions about <para>The &a.pf; is a good place to ask questions about
configuring and running the <acronym>PF</acronym> firewall. configuring and running the <acronym>PF</acronym> firewall.
Do not forget to check the mailing list archives before asking Do not forget to check the mailing list archives before asking
questions.</para> questions.</para>
<para>To control <acronym>PF</acronym>, use &man.pfctl.8;. <para>To control <acronym>PF</acronym>, use &man.pfctl.8;.
Below are some useful options to this command. Review Below are some useful options to this command. Review
&man.pfctl.8; for a description of all available &man.pfctl.8; for a description of all available
@ -440,7 +466,8 @@ options ALTQ_NOPCC # Required for SMP build</programlisting>
<para><literal>options ALTQ_HFSC</literal> enables the <para><literal>options ALTQ_HFSC</literal> enables the
<emphasis>Hierarchical Fair Service Curve Packet <emphasis>Hierarchical Fair Service Curve Packet
Scheduler</emphasis> <acronym>HFSC</acronym>. For more Scheduler</emphasis> <acronym>HFSC</acronym>. For more
information, refer to <uri xlink:href="http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html">http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html</uri>.</para> information, refer to <uri
xlink:href="http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html">http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html</uri>.</para>
<para><literal>options ALTQ_PRIQ</literal> enables <para><literal>options ALTQ_PRIQ</literal> enables
<emphasis>Priority Queuing</emphasis> <emphasis>Priority Queuing</emphasis>
@ -454,24 +481,32 @@ options ALTQ_NOPCC # Required for SMP build</programlisting>
</sect2> </sect2>
<sect2 xml:id="pf-tutorial"> <sect2 xml:id="pf-tutorial">
<info><title><acronym>PF</acronym> Rule Sets and Tools</title> <info>
<title><acronym>PF</acronym> Rule Sets and Tools</title>
<authorgroup> <authorgroup>
<author><personname><firstname>Peter</firstname><surname>Hansteen</surname><othername>N. M.</othername></personname><contrib>Contributed by </contrib></author> <author>
<personname>
<firstname>Peter</firstname>
<surname>Hansteen</surname>
<othername>N. M.</othername>
</personname>
<contrib>Contributed by </contrib>
</author>
</authorgroup> </authorgroup>
</info> </info>
<para>This section demonstrates some useful <para>This section demonstrates some useful
<acronym>PF</acronym> features and <acronym>PF</acronym> <acronym>PF</acronym> features and <acronym>PF</acronym>
related tools in a series of examples. A more thorough related tools in a series of examples. A more thorough
tutorial is available at <link xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>.</para> tutorial is available at <link
xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>.</para>
<tip> <tip>
<para><package>security/sudo</package> is <para><package>security/sudo</package> is useful for running
useful for running commands like <command>pfctl</command> commands like <command>pfctl</command> that require elevated
that require elevated privileges. It can be installed from privileges. It can be installed from the Ports
the Ports Collection.</para> Collection.</para>
</tip> </tip>
<sect3 xml:id="pftut-simplest"> <sect3 xml:id="pftut-simplest">
@ -506,7 +541,8 @@ pass out all keep state</programlisting>
of some thinking. The point of packet filtering is to of some thinking. The point of packet filtering is to
take control, not to run catch-up with what the bad guys take control, not to run catch-up with what the bad guys
do. Marcus Ranum has written a very entertaining and do. Marcus Ranum has written a very entertaining and
informative article about this, <link xlink:href="http://www.ranum.com/security/computer_security/editorials/dumb/index.html">The informative article about this, <link
xlink:href="http://www.ranum.com/security/computer_security/editorials/dumb/index.html">The
Six Dumbest Ideas in Computer Security</link>, and Six Dumbest Ideas in Computer Security</link>, and
it is well written too.</para></footnote>. This gives it is well written too.</para></footnote>. This gives
us the opportunity to introduce two of the features which us the opportunity to introduce two of the features which
@ -892,7 +928,7 @@ pass from { lo0, $localnet } to any keep state</programlisting>
gateway is amazingly simple, thanks to the gateway is amazingly simple, thanks to the
<acronym>FTP</acronym> proxy program (called <acronym>FTP</acronym> proxy program (called
&man.ftp-proxy.8;) included in the base system on &os; and &man.ftp-proxy.8;) included in the base system on &os; and
other systems which offer <acronym>PF</acronym>. </para> other systems which offer <acronym>PF</acronym>.</para>
<para>The <acronym>FTP</acronym> protocol being what it is, <para>The <acronym>FTP</acronym> protocol being what it is,
the proxy needs to dynamically insert rules in your rule the proxy needs to dynamically insert rules in your rule
@ -1127,7 +1163,8 @@ pass out on $ext_if inet proto udp from any to any port 33433 &gt;&lt; 33626 kee
<para>Under any circumstances, this solution was lifted <para>Under any circumstances, this solution was lifted
from an openbsd-misc post. I have found that list, and from an openbsd-misc post. I have found that list, and
the searchable list archives (accessible among other the searchable list archives (accessible among other
places from <link xlink:href="http://marc.theaimsgroup.com/">http://marc.theaimsgroup.com/</link>), places from <link
xlink:href="http://marc.theaimsgroup.com/">http://marc.theaimsgroup.com/</link>),
to be a very valuable resource whenever you need OpenBSD to be a very valuable resource whenever you need OpenBSD
or <acronym>PF</acronym> related information.</para> or <acronym>PF</acronym> related information.</para>
</sect4> </sect4>
@ -1345,8 +1382,9 @@ Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from
<note> <note>
<para>These rules will <emphasis>not</emphasis> block slow <para>These rules will <emphasis>not</emphasis> block slow
bruteforcers, sometimes referred to as <link xlink:href="http://home.nuug.no/~peter/hailmary2013/">the Hail bruteforcers, sometimes referred to as <link
Mary Cloud</link>.</para> xlink:href="http://home.nuug.no/~peter/hailmary2013/">the
Hail Mary Cloud</link>.</para>
</note> </note>
<para>Once again, please keep in mind that this example rule <para>Once again, please keep in mind that this example rule
@ -1444,7 +1482,8 @@ Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from
<programlisting>/usr/local/sbin/expiretable -v -d -t 24h bruteforce</programlisting> <programlisting>/usr/local/sbin/expiretable -v -d -t 24h bruteforce</programlisting>
<para><application>expiretable</application> is in the <para><application>expiretable</application> is in the
Ports&nbsp;Collection on &os; as <package>security/expiretable</package>.</para> Ports&nbsp;Collection on &os; as
<package>security/expiretable</package>.</para>
</sect4> </sect4>
</sect3> </sect3>
@ -1462,11 +1501,10 @@ Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from
makes it possible to keep an eye on what passes into and makes it possible to keep an eye on what passes into and
out of the network. <application>pftop</application> is out of the network. <application>pftop</application> is
available through the ports system as available through the ports system as
<package>sysutils/pftop</package>. The <package>sysutils/pftop</package>. The name is a strong
name is a strong hint at what it does - hint at what it does - <application>pftop</application>
<application>pftop</application> shows a running snapshot shows a running snapshot of traffic in a format which is
of traffic in a format which is strongly inspired by strongly inspired by &man.top.1;.</para>
&man.top.1;.</para>
</sect4> </sect4>
<sect4 xml:id="pftut-spamd"> <sect4 xml:id="pftut-spamd">
@ -1516,11 +1554,12 @@ Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from
<procedure> <procedure>
<step> <step>
<para>Install the <package>mail/spamd/</package> port. In <para>Install the <package>mail/spamd/</package> port.
particular, be sure to read the package message and In particular, be sure to read the package message
act upon what it says. Specifically, to use and act upon what it says. Specifically, to use
<application>spamd</application>'s greylisting <application>spamd</application>'s greylisting
features, a file descriptor file system (see <link xlink:href="http://www.freebsd.org/cgi/man.cgi?query=fdescfs&amp;sektion=5">fdescfs(5)</link>) features, a file descriptor file system (see <link
xlink:href="http://www.freebsd.org/cgi/man.cgi?query=fdescfs&amp;sektion=5">fdescfs(5)</link>)
must be mounted at <filename>/dev/fd/</filename>. must be mounted at <filename>/dev/fd/</filename>.
Do this by adding the following line to Do this by adding the following line to
<filename>/etc/fstab</filename>:</para> <filename>/etc/fstab</filename>:</para>
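Review bot: two consistency points in this hunk worth a follow-up. <package>mail/spamd/</package> carries a trailing slash that the other package references on the page (<package>security/sudo</package>, <package>sysutils/pftop</package>, <package>security/expiretable</package>) do not; it should be <package>mail/spamd</package>. The fdescfs reference is a raw man.cgi URL, while the rest of the chapter uses man page entities (&man.pfsync.4;, &man.carp.4;, &man.pfctl.8;); &man.fdescfs.5; would render the same link without hardcoding the URL.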
@ -1670,7 +1709,8 @@ rdr pass on $ext_if inet proto tcp from !&lt;spamd-white&gt; to \
paper by Evan Harris paper by Evan Harris
<footnote><para>The original <footnote><para>The original
Harris paper and a number of other useful articles Harris paper and a number of other useful articles
and resources can be found at the <link xlink:href="http://www.greylisting.org/">greylisting.org</link> and resources can be found at the <link
xlink:href="http://www.greylisting.org/">greylisting.org</link>
web site.</para></footnote>, and a number of web site.</para></footnote>, and a number of
implementations followed over the next few months. implementations followed over the next few months.
OpenBSD's <application>spamd</application> acquired its OpenBSD's <application>spamd</application> acquired its
@ -1893,7 +1933,8 @@ block drop out quick on $ext_if from any to $martians</programlisting>
<para>This completes our simple NATing firewall for a <para>This completes our simple NATing firewall for a
small local network. A more thorough tutorial is small local network. A more thorough tutorial is
available at <link xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>, available at <link
xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>,
where you will also find slides from related where you will also find slides from related
presentations.</para> presentations.</para>
</sect5> </sect5>
@ -1940,13 +1981,17 @@ block drop out quick on $ext_if from any to $martians</programlisting>
for configuring an inclusive firewall ruleset.</para> for configuring an inclusive firewall ruleset.</para>
<para>For a detailed explanation of the legacy rules processing <para>For a detailed explanation of the legacy rules processing
method, refer to <uri xlink:href="http://www.munk.me.uk/ipf/ipf-howto.html">http://www.munk.me.uk/ipf/ipf-howto.html</uri> method, refer to <uri
and <uri xlink:href="http://coombs.anu.edu.au/~avalon/ip-filter.html">http://coombs.anu.edu.au/~avalon/ip-filter.html</uri>.</para> xlink:href="http://www.munk.me.uk/ipf/ipf-howto.html">http://www.munk.me.uk/ipf/ipf-howto.html</uri>
and <uri
xlink:href="http://coombs.anu.edu.au/~avalon/ip-filter.html">http://coombs.anu.edu.au/~avalon/ip-filter.html</uri>.</para>
<para>The IPF FAQ is at <uri xlink:href="http://www.phildev.net/ipf/index.html">http://www.phildev.net/ipf/index.html</uri>.</para> <para>The IPF FAQ is at <uri
xlink:href="http://www.phildev.net/ipf/index.html">http://www.phildev.net/ipf/index.html</uri>.</para>
<para>A searchable archive of the IPFilter mailing list is <para>A searchable archive of the IPFilter mailing list is
available at <uri xlink:href="http://marc.theaimsgroup.com/?l=ipfilter">http://marc.theaimsgroup.com/?l=ipfilter</uri>.</para> available at <uri
xlink:href="http://marc.theaimsgroup.com/?l=ipfilter">http://marc.theaimsgroup.com/?l=ipfilter</uri>.</para>
<sect2> <sect2>
<title>Enabling IPF</title> <title>Enabling IPF</title>
@ -2424,8 +2469,9 @@ EOF
adding <literal>ipfilter_enable="NO"</literal>to adding <literal>ipfilter_enable="NO"</literal>to
<filename>/etc/rc.conf</filename>.</para> <filename>/etc/rc.conf</filename>.</para>
<para>Then, add a script like the following to <filename>/usr/local/etc/rc.d/</filename>. <para>Then, add a script like the following to
The script should have an obvious name like <filename>/usr/local/etc/rc.d/</filename>. The script
should have an obvious name like
<filename>ipf.loadrules.sh</filename>, where the <filename>ipf.loadrules.sh</filename>, where the
<filename>.sh</filename> extension is mandatory.</para> <filename>.sh</filename> extension is mandatory.</para>
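Review bot: the line "adding <literal>ipfilter_enable="NO"</literal>to" is missing the space between <literal>...</literal> and "to", so the rendered text reads as "NO"to. Since this commit is reflowing the surrounding lines anyway, inserting that space here would be in keeping with a whitespace-only cleanup.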
@ -2433,7 +2479,8 @@ EOF
sh /etc/ipf.rules.script</programlisting> sh /etc/ipf.rules.script</programlisting>
<para>The permissions on this script file must be read, <para>The permissions on this script file must be read,
write, execute for owner <systemitem class="username">root</systemitem>:</para> write, execute for owner
<systemitem class="username">root</systemitem>:</para>
<screen>&prompt.root; <userinput>chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh</userinput></screen> <screen>&prompt.root; <userinput>chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh</userinput></screen>
</listitem> </listitem>
@ -2658,9 +2705,11 @@ sh /etc/ipf.rules.script</programlisting>
<para>There is no way to match ranges of IP addresses which <para>There is no way to match ranges of IP addresses which
do not express themselves easily using the dotted numeric do not express themselves easily using the dotted numeric
form / mask-length notation. The <package>net-mgmt/ipcalc</package> port may be form / mask-length notation. The
used to ease the calculation. Additional information <package>net-mgmt/ipcalc</package> port may be used to ease
is available at the utility's web page: <uri xlink:href="http://jodies.de/ipcalc">http://jodies.de/ipcalc</uri>.</para> the calculation. Additional information is available at the
utility's web page: <uri
xlink:href="http://jodies.de/ipcalc">http://jodies.de/ipcalc</uri>.</para>
</sect3> </sect3>
<sect3> <sect3>
@ -2675,8 +2724,8 @@ sh /etc/ipf.rules.script</programlisting>
<literal>from</literal> object, it matches the source port <literal>from</literal> object, it matches the source port
number. When it appears as part of the number. When it appears as part of the
<literal>to</literal> object, it matches the destination <literal>to</literal> object, it matches the destination
port number. An example usage is <literal>from any to any port number. An example usage is
port = 80</literal></para> <literal>from any to any port = 80</literal></para>
<para>Single port comparisons may be done in a number of ways, <para>Single port comparisons may be done in a number of ways,
using a number of different comparison operators. Instead using a number of different comparison operators. Instead
@ -2793,10 +2842,10 @@ sh /etc/ipf.rules.script</programlisting>
network.</para> network.</para>
<para>&os; uses interface <filename>lo0</filename> and IP <para>&os; uses interface <filename>lo0</filename> and IP
address <systemitem class="ipaddress">127.0.0.1</systemitem> for internal address <systemitem class="ipaddress">127.0.0.1</systemitem>
communication within the operating system. The firewall rules for internal communication within the operating system. The
must contain rules to allow free movement of these internally firewall rules must contain rules to allow free movement of
used packets.</para> these internally used packets.</para>
<para>The interface which faces the public Internet is the one <para>The interface which faces the public Internet is the one
specified in the rules that authorize and control access of specified in the rules that authorize and control access of
@ -2857,13 +2906,13 @@ sh /etc/ipf.rules.script</programlisting>
being flooded or is under attack.</para> being flooded or is under attack.</para>
<para>To lookup unknown port numbers, refer to <para>To lookup unknown port numbers, refer to
<filename>/etc/services</filename>. Alternatively, visit <filename>/etc/services</filename>. Alternatively, visit <uri
<uri xlink:href="http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers">http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers</uri> xlink:href="http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers">http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers</uri>
and do a port number lookup to find the purpose of a and do a port number lookup to find the purpose of a
particular port number.</para> particular port number.</para>
<para>Check out this link for port numbers used by Trojans <para>Check out this link for port numbers used by Trojans <uri
<uri xlink:href="http://www.sans.org/security-resources/idfaq/oddports.php">http://www.sans.org/security-resources/idfaq/oddports.php</uri>.</para> xlink:href="http://www.sans.org/security-resources/idfaq/oddports.php">http://www.sans.org/security-resources/idfaq/oddports.php</uri>.</para>
<para>The following ruleset creates an <para>The following ruleset creates an
<literal>inclusive</literal> firewall ruleset which can be <literal>inclusive</literal> firewall ruleset which can be
@ -3166,7 +3215,8 @@ block in log first quick on dc0 all
<para>The <replaceable>LAN_IP_RANGE</replaceable> is used by the <para>The <replaceable>LAN_IP_RANGE</replaceable> is used by the
internal clients use for IP Addressing. Usually, this is internal clients use for IP Addressing. Usually, this is
something like <systemitem class="ipaddress">192.168.1.0/24</systemitem>.</para> something like <systemitem
class="ipaddress">192.168.1.0/24</systemitem>.</para>
<para>The <replaceable>PUBLIC_ADDRESS</replaceable> can either <para>The <replaceable>PUBLIC_ADDRESS</replaceable> can either
be the static external IP address or the special keyword be the static external IP address or the special keyword
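Review bot: "The <replaceable>LAN_IP_RANGE</replaceable> is used by the internal clients use for IP Addressing" has a doubled verb and survives the reflow unchanged. Suggest "is the address range the internal clients use for IP addressing" (and lowercase "addressing") in a follow-up content commit.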
@ -3290,8 +3340,9 @@ block in log first quick on dc0 all
servers still has to undergo <acronym>NAT</acronym>, but there servers still has to undergo <acronym>NAT</acronym>, but there
has to be some way to direct the inbound traffic to the has to be some way to direct the inbound traffic to the
correct server. For example, a web server operating on LAN correct server. For example, a web server operating on LAN
address <systemitem class="ipaddress">10.0.10.25</systemitem> and using a single public address <systemitem class="ipaddress">10.0.10.25</systemitem>
IP address of <systemitem class="ipaddress">20.20.20.5</systemitem>, would and using a single public IP address of
<systemitem class="ipaddress">20.20.20.5</systemitem>, would
use this rule:</para> use this rule:</para>
<programlisting>rdr dc0 20.20.20.5/32 port 80 -&gt; 10.0.10.25 port 80</programlisting> <programlisting>rdr dc0 20.20.20.5/32 port 80 -&gt; 10.0.10.25 port 80</programlisting>
@ -3300,8 +3351,9 @@ block in log first quick on dc0 all
<programlisting>rdr dc0 0.0.0.0/0 port 80 -&gt; 10.0.10.25 port 80</programlisting> <programlisting>rdr dc0 0.0.0.0/0 port 80 -&gt; 10.0.10.25 port 80</programlisting>
<para>For a LAN DNS server on a private address of <systemitem class="ipaddress">10.0.10.33</systemitem> that needs to receive <para>For a LAN DNS server on a private address of
public DNS requests:</para> <systemitem class="ipaddress">10.0.10.33</systemitem> that
needs to receive public DNS requests:</para>
<programlisting>rdr dc0 20.20.20.5/32 port 53 -&gt; 10.0.10.33 port 53 udp</programlisting> <programlisting>rdr dc0 20.20.20.5/32 port 53 -&gt; 10.0.10.33 port 53 udp</programlisting>
</sect2> </sect2>
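Review bot: not a whitespace issue, but a reader following this hunk's DNS example will get a firewall that only redirects UDP. The rule <literal>rdr dc0 20.20.20.5/32 port 53 -&gt; 10.0.10.33 port 53 udp</literal> is correct for ordinary queries, yet DNS also uses TCP/53 for zone transfers and for responses too large for UDP, so a server that "needs to receive public DNS requests" usually wants a second rdr line ending in <literal>tcp</literal> as well. Worth a sentence in a later content revision.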
@ -3313,7 +3365,8 @@ block in log first quick on dc0 all
difference is in how the data channel is acquired. Passive difference is in how the data channel is acquired. Passive
mode is more secure as the data channel is acquired by the mode is more secure as the data channel is acquired by the
ordinal ftp session requester. For a good explanation of FTP ordinal ftp session requester. For a good explanation of FTP
and the different modes, see <uri xlink:href="http://www.slacksite.com/other/ftp.html">http://www.slacksite.com/other/ftp.html</uri>.</para> and the different modes, see <uri
xlink:href="http://www.slacksite.com/other/ftp.html">http://www.slacksite.com/other/ftp.html</uri>.</para>
<sect3> <sect3>
<title>IP<acronym>NAT</acronym> Rules</title> <title>IP<acronym>NAT</acronym> Rules</title>
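Review bot: "the data channel is acquired by the ordinal ftp session requester" should read "original", not "ordinal"; the typo sits on the reflowed line and is easy to fix alongside it or in a follow-up.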
@ -3821,23 +3874,24 @@ ipfw add deny out</programlisting>
any IP address configured on an interface in the &os; any IP address configured on an interface in the &os;
system to represent the PC the firewall is running on. system to represent the PC the firewall is running on.
Example usage includes <literal>from me to any</literal>, Example usage includes <literal>from me to any</literal>,
<literal>from any to me</literal>, <literal>from 0.0.0.0/0 <literal>from any to me</literal>,
to any</literal>, <literal>from any to <literal>from 0.0.0.0/0 to any</literal>,
0.0.0.0/0</literal>, <literal>from 0.0.0.0 to <literal>from any to 0.0.0.0/0</literal>,
any</literal>. <literal>from any to 0.0.0.0</literal>, <literal>from 0.0.0.0 to any</literal>.
<literal>from any to 0.0.0.0</literal>,
and <literal>from me to 0.0.0.0</literal>. IP addresses and <literal>from me to 0.0.0.0</literal>. IP addresses
are specified in dotted IP address format followed by the are specified in dotted IP address format followed by the
mask in CIDR notation, or as a single host in dotted IP mask in CIDR notation, or as a single host in dotted IP
address format. This keyword is a mandatory requirement. address format. This keyword is a mandatory requirement.
The <package>net-mgmt/ipcalc</package> The <package>net-mgmt/ipcalc</package> port may be used to
port may be used to assist the mask calculation.</para> assist the mask calculation.</para>
<para><parameter>port number</parameter></para> <para><parameter>port number</parameter></para>
<para>For protocols which support port numbers, such as <para>For protocols which support port numbers, such as
<acronym>TCP</acronym> and <acronym>UDP</acronym>, it <acronym>TCP</acronym> and <acronym>UDP</acronym>, it
is mandatory to include the port number of the service is mandatory to include the port number of the service
that will be matched. Service names from that will be matched. Service names from
<filename>/etc/services</filename> may be used instead <filename>/etc/services</filename> may be used instead
of numeric port values.</para> of numeric port values.</para>