Document kernel compile options for ipfw
Introduce a dedicated interface
Use sysrc

Submitted by: f.toscan@hotmail.it
Reviewed by: bcr
Differential Revision: https://reviews.freebsd.org/D18484
parent 1a0067f082
commit c4916f07f4
Notes: svn2git 2020-12-08 03:00:23 +00:00, svn path=/head/; revision=52831
1 changed file with 78 additions and 43 deletions
@ -1329,7 +1329,7 @@ rdr pass on $ext_if inet proto tcp from !<spamd-white> to \
<para>The two tables <literal><spamd></literal> and
<literal><spamd-white></literal> are essential.
<acronym>SMTP</acronym> traffic from an address listed
in<literal> <spamd></literal> but not in
in <literal><spamd></literal> but not in
<literal><spamd-white></literal> is redirected to
the <application>spamd</application> daemon listening at
port 8025.</para>
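Review bot: correct fix; the stray space inside `<literal> <spamd></literal>` renders as part of the monospaced literal and fuses `in` to the table name, so moving it outside to `in <literal><spamd></literal>` is right. The same pattern (`<literal> via $pif</literal>`) is fixed in a later hunk of this patch; a grep of the chapter for `<literal> ` with a leading space would confirm no other occurrences remain.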
@ -1623,52 +1623,21 @@ block drop out quick on $ext_if from any to $martians</programlisting>
custom kernel is not needed in order to enable
<application>IPFW</application>.</para>

<indexterm>
<primary>kernel options</primary>

<secondary>IPFIREWALL</secondary>
</indexterm>

<indexterm>
<primary>kernel options</primary>

<secondary>IPFIREWALL_VERBOSE</secondary>
</indexterm>

<indexterm>
<primary>kernel options</primary>

<secondary>IPFIREWALL_VERBOSE_LIMIT</secondary>
</indexterm>

<indexterm>
<primary><application>IPFW</application></primary>

<secondary>kernel options</secondary>
</indexterm>

<para>For those users who wish to statically compile
<application>IPFW</application> support into a custom kernel,
refer to the instructions in <xref linkend="kernelconfig"/>.
The following options are available for the
custom kernel configuration file:</para>

<programlisting>options IPFIREWALL # enables IPFW
options IPFIREWALL_VERBOSE # enables logging for rules with log keyword
options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry
options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
options IPDIVERT # enables NAT</programlisting>
see <xref linkend="firewalls-ipfw-kernelconfig"/>.</para>

<para>To configure the system to enable
<application>IPFW</application> at boot time, add the
following entry to <filename>/etc/rc.conf</filename>:</para>
<application>IPFW</application> at boot time, add
<literal>firewall_enable="YES"</literal> to
<filename>/etc/rc.conf</filename>:</para>

<programlisting>firewall_enable="YES"</programlisting>
<screen>&prompt.root; <userinput>sysrc firewall_enable="YES"</userinput></screen>

<para>To use one of the default firewall types provided by &os;,
add another line which specifies the type:</para>

<programlisting>firewall_type="open"</programlisting>
<screen>&prompt.root; <userinput>sysrc firewall_type="open"</userinput></screen>

<para>The available types are:</para>

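Review bot: the sentence `add another line which specifies the type:` is kept unchanged while its example becomes `sysrc firewall_type="open"`, so the reader is told to add a line but shown a command; suggest `set the type as well:` (the `firewall_enable` paragraph avoids this because it was reworded to `add <literal>firewall_enable="YES"</literal> to /etc/rc.conf`). The new `see <xref linkend="firewalls-ipfw-kernelconfig"/>` only resolves because the final hunk of this patch adds `<sect2 xml:id="firewalls-ipfw-kernelconfig">`, so the two hunks must land in the same commit or the build breaks. Since the example type shown is `open`, the list that follows (`The available types are:`) should state plainly what each preset permits, so that a reader does not carry the most permissive choice into production by copying the example.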
@ -1720,18 +1689,35 @@ options IPDIVERT # enables NAT</programlisting>
<literal>firewall_script</literal> is set to
<filename>/etc/ipfw.rules</filename>:</para>

<programlisting>firewall_script="/etc/ipfw.rules"</programlisting>
<screen>&prompt.root; <userinput>sysrc firewall_script="/etc/ipfw.rules"</userinput></screen>

<para>To enable logging, include this line:</para>
<para>To enable logging through &man.syslogd.8;, include this
line:</para>

<programlisting>firewall_logging="YES"</programlisting>
<screen>&prompt.root; <userinput>sysrc firewall_logging="YES"</userinput></screen>

<para>There is no <filename>/etc/rc.conf</filename> variable to
set logging limits. To limit the number of times a rule is
logged per connection attempt, specify the number using this
line in <filename>/etc/sysctl.conf</filename>:</para>

<programlisting>net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></programlisting>
<screen>&prompt.root; <userinput>sysrc -f /etc/sysctl.conf net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></userinput></screen>

<para>To enable logging through a dedicated interface named
<literal>ipfw0</literal>, add this line to
<filename>/etc/rc.conf</filename> instead:</para>

<screen>&prompt.root; <userinput>sysrc firewall_logif="YES"</userinput></screen>

<para>Then use <application>tcpdump</application> to see what is
being logged:</para>

<screen>&prompt.root; <userinput>tcpdump -t -n -i ipfw0</userinput></screen>

<tip>
<para>There is no overhead due to logging unless
<application>tcpdump</application> is attached.</para>
</tip>

<para>After saving the needed edits, start the firewall. To
enable logging limits now, also set the
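Review bot: `instead` in the new `firewall_logif` paragraph carries the whole point but does not say it: the text should state that `firewall_logif="YES"` replaces `firewall_logging="YES"` rather than adding to it, what happens when both are set, and that rules still need the `log` keyword (as the kernel-option comments say) for anything to appear on `ipfw0`. The `tcpdump -t -n -i ipfw0` step should also say that packets are only seen while a capture is attached, which is what the `<tip>` about zero overhead implies; for a defender that makes `ipfw0` a live debugging aid, not a substitute for the syslogd(8) path when an audit trail is needed. Minor: the paragraph before `sysrc -f /etc/sysctl.conf net.inet.ip.fw.verbose_limit=5` still reads `specify the number using this line in /etc/sysctl.conf`, which no longer matches a command; `set the limit in /etc/sysctl.conf with:` would read better.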
@ -2257,7 +2243,7 @@ good_tcpo="22,25,37,53,80,443,110"</programlisting>
$cmd 130 $skip icmp from any to any out via $pif $ks</programlisting>

<para>The inbound rules remain the same, except for the very
last rule which removes the <literal> via $pif</literal> in
last rule which removes the <literal>via $pif</literal> in
order to catch both inbound and outbound rules. The
<acronym>NAT</acronym> rule must follow this last outbound
rule, must have a higher number than that last rule, and the
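Review bot: the whitespace move to `<literal>via $pif</literal>` is correct and matches the `<spamd>` fix in the first hunk. While this sentence is being touched, `in order to catch both inbound and outbound rules` should read `packets`: dropping `via $pif` makes the rule match packets in both directions, not rules. It is pre-existing wording, but the line is already changing.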
@ -2610,6 +2596,55 @@ ks="keep-state" # just too lazy to key this each time
&prompt.root; <userinput>ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state</userinput></screen>
</sect3>
</sect2>

<sect2 xml:id="firewalls-ipfw-kernelconfig">
<title><application>IPFW</application> Kernel Options</title>

<indexterm>
<primary>kernel options</primary>

<secondary>IPFIREWALL</secondary>
</indexterm>

<indexterm>
<primary>kernel options</primary>

<secondary>IPFIREWALL_VERBOSE</secondary>
</indexterm>

<indexterm>
<primary>kernel options</primary>

<secondary>IPFIREWALL_VERBOSE_LIMIT</secondary>
</indexterm>

<indexterm>
<primary><application>IPFW</application></primary>

<secondary>kernel options</secondary>
</indexterm>
<para>In order to statically compile
<application>IPFW</application> support into a custom kernel,
refer to the instructions in <xref linkend="kernelconfig"/>.
The following options are available for the
custom kernel configuration file:</para>

<programlisting>options IPFIREWALL # enables IPFW
options IPFIREWALL_VERBOSE # enables logging for rules with log keyword to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry
options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
options IPFIREWALL_NAT # enables in-kernel NAT support
options IPFIREWALL_NAT64 # enables in-kernel NAT64 support
options IPFIREWALL_NPTV6 # enables in-kernel IPv6 NPT support
options IPFIREWALL_PMOD # enables protocols modification module support
options IPDIVERT # enables NAT through natd(8)</programlisting>

<note>
<para><application>IPFW</application> can be loaded as
a kernel module: options above are built by default
as modules or can be set at runtime using tunables.</para>
</note>
</sect2>
</sect1>

<sect1 xml:id="firewalls-ipf">
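Review bot: the `<note>` saying the options `are built by default as modules or can be set at runtime using tunables` does not tell the reader which option is which, and the two cases matter differently to a firewall operator. `IPFIREWALL_DEFAULT_TO_ACCEPT` is a policy choice (its own comment says it passes whatever is not explicitly denied), not a feature that can be loaded later, so its runtime counterpart is a loader tunable (`net.inet.ip.fw.default_to_accept`), whereas `IPFIREWALL_VERBOSE_LIMIT` corresponds to the `net.inet.ip.fw.verbose_limit` sysctl already used in the logging section; suggest listing the counterpart beside each option. It would also help to say that leaving `IPFIREWALL_DEFAULT_TO_ACCEPT` out keeps the default-deny policy, and to name the trade-off (default deny is the safer posture for a host reachable before its ruleset loads, but it can lock out a remote administrator until the rules are in place), since that is the decision the reader is making here. Minor: `<para>In order to statically compile` follows `</indexterm>` without the blank line used between the other elements in this block.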