From c4916f07f4ca20e9d3bba8daa8f4fb64926ad503 Mon Sep 17 00:00:00 2001
From: Chris Rees <crees@FreeBSD.org>
Date: Tue, 26 Feb 2019 21:17:43 +0000
Subject: [PATCH] Document kernel compile options for ipfw

Introduce a dedicated interface

Use sysrc

Submitted by:		f.toscan@hotmail.it
Reviewed by:		bcr
Differential Revision:	https://reviews.freebsd.org/D18484
---
 .../books/handbook/firewalls/chapter.xml      | 121 +++++++++++-------
 1 file changed, 78 insertions(+), 43 deletions(-)

diff --git a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
index 47ec23678e..c9d2356cb6 100644
--- a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
@@ -1329,7 +1329,7 @@ rdr pass on $ext_if inet proto tcp from !&lt;spamd-white&gt; to \
 	    <para>The two tables <literal>&lt;spamd&gt;</literal> and
 	      <literal>&lt;spamd-white&gt;</literal> are essential.
 	      <acronym>SMTP</acronym> traffic from an address listed
-	      in<literal> &lt;spamd&gt;</literal> but not in
+	      in <literal>&lt;spamd&gt;</literal> but not in
 	      <literal>&lt;spamd-white&gt;</literal> is redirected to
 	      the <application>spamd</application> daemon listening at
 	      port 8025.</para>
@@ -1623,52 +1623,21 @@ block drop out quick on $ext_if from any to $martians</programlisting>
 	custom kernel is not needed in order to enable
 	<application>IPFW</application>.</para>
 
-      <indexterm>
-	<primary>kernel options</primary>
-
-	<secondary>IPFIREWALL</secondary>
-      </indexterm>
-
-      <indexterm>
-	<primary>kernel options</primary>
-
-	<secondary>IPFIREWALL_VERBOSE</secondary>
-      </indexterm>
-
-      <indexterm>
-	<primary>kernel options</primary>
-
-	<secondary>IPFIREWALL_VERBOSE_LIMIT</secondary>
-      </indexterm>
-
-      <indexterm>
-	<primary><application>IPFW</application></primary>
-
-	<secondary>kernel options</secondary>
-      </indexterm>
-
       <para>For those users who wish to statically compile
 	<application>IPFW</application> support into a custom kernel,
-	refer to the instructions in <xref linkend="kernelconfig"/>.
-	The following options are available for the
-	custom kernel configuration file:</para>
-
-      <programlisting>options    IPFIREWALL			# enables IPFW
-options    IPFIREWALL_VERBOSE		# enables logging for rules with log keyword
-options    IPFIREWALL_VERBOSE_LIMIT=5	# limits number of logged packets per-entry
-options    IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
-options    IPDIVERT			# enables NAT</programlisting>
+	see <xref linkend="firewalls-ipfw-kernelconfig"/>.</para>
 
       <para>To configure the system to enable
-	<application>IPFW</application> at boot time, add the
-	following entry to <filename>/etc/rc.conf</filename>:</para>
+	<application>IPFW</application> at boot time, add
+	<literal>firewall_enable="YES"</literal> to
+	<filename>/etc/rc.conf</filename>:</para>
 
-      <programlisting>firewall_enable="YES"</programlisting>
+      <screen>&prompt.root; <userinput>sysrc firewall_enable="YES"</userinput></screen>
 
       <para>To use one of the default firewall types provided by &os;,
 	add another line which specifies the type:</para>
 
-      <programlisting>firewall_type="open"</programlisting>
+      <screen>&prompt.root; <userinput>sysrc firewall_type="open"</userinput></screen>
 
       <para>The available types are:</para>
 
@@ -1720,18 +1689,35 @@ options    IPDIVERT			# enables NAT</programlisting>
 	<literal>firewall_script</literal> is set to
 	<filename>/etc/ipfw.rules</filename>:</para>
 
-      <programlisting>firewall_script="/etc/ipfw.rules"</programlisting>
+      <screen>&prompt.root; <userinput>sysrc firewall_script="/etc/ipfw.rules"</userinput></screen>
 
-      <para>To enable logging, include this line:</para>
+      <para>To enable logging through &man.syslogd.8;, include this
+	line:</para>
 
-      <programlisting>firewall_logging="YES"</programlisting>
+      <screen>&prompt.root; <userinput>sysrc firewall_logging="YES"</userinput></screen>
 
       <para>There is no <filename>/etc/rc.conf</filename> variable to
 	set logging limits.  To limit the number of times a rule is
 	logged per connection attempt, specify the number using this
 	line in <filename>/etc/sysctl.conf</filename>:</para>
 
-      <programlisting>net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></programlisting>
+      <screen>&prompt.root; <userinput>sysrc -f /etc/sysctl.conf net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></userinput></screen>
+
+      <para>To enable logging through a dedicated interface named
+	<literal>ipfw0</literal>, add this line to
+	<filename>/etc/rc.conf</filename> instead:</para>
+
+      <screen>&prompt.root; <userinput>sysrc firewall_logif="YES"</userinput></screen>
+
+      <para>Then use <application>tcpdump</application> to see what is
+	being logged:</para>
+
+      <screen>&prompt.root; <userinput>tcpdump -t -n -i ipfw0</userinput></screen>
+
+      <tip>
+	<para>There is no overhead due to logging unless
+	  <application>tcpdump</application> is attached.</para>
+      </tip>
 
       <para>After saving the needed edits, start the firewall.  To
 	enable logging limits now, also set the
@@ -2257,7 +2243,7 @@ good_tcpo="22,25,37,53,80,443,110"</programlisting>
 &dollar;cmd 130 &dollar;skip icmp from any to any out via &dollar;pif &dollar;ks</programlisting>
 
       <para>The inbound rules remain the same, except for the very
-	last rule which removes the <literal> via $pif</literal> in
+	last rule which removes the <literal>via $pif</literal> in
 	order to catch both inbound and outbound rules.  The
 	<acronym>NAT</acronym> rule must follow this last outbound
 	rule, must have a higher number than that last rule, and the
@@ -2610,6 +2596,55 @@ ks="keep-state"        # just too lazy to key this each time
 &prompt.root; <userinput>ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state</userinput></screen>
       </sect3>
     </sect2>
+
+    <sect2 xml:id="firewalls-ipfw-kernelconfig">
+      <title><application>IPFW</application> Kernel Options</title>
+
+      <indexterm>
+	<primary>kernel options</primary>
+
+	<secondary>IPFIREWALL</secondary>
+      </indexterm>
+
+      <indexterm>
+	<primary>kernel options</primary>
+
+	<secondary>IPFIREWALL_VERBOSE</secondary>
+      </indexterm>
+
+      <indexterm>
+	<primary>kernel options</primary>
+
+	<secondary>IPFIREWALL_VERBOSE_LIMIT</secondary>
+      </indexterm>
+
+      <indexterm>
+	<primary><application>IPFW</application></primary>
+
+	<secondary>kernel options</secondary>
+      </indexterm>
+      <para>In order to statically compile
+	<application>IPFW</application> support into a custom kernel,
+	refer to the instructions in <xref linkend="kernelconfig"/>.
+	The following options are available for the
+	custom kernel configuration file:</para>
+
+      <programlisting>options    IPFIREWALL			# enables IPFW
+options    IPFIREWALL_VERBOSE		# enables logging for rules with log keyword to syslogd(8)
+options    IPFIREWALL_VERBOSE_LIMIT=5	# limits number of logged packets per-entry
+options    IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
+options    IPFIREWALL_NAT		# enables in-kernel NAT support
+options    IPFIREWALL_NAT64		# enables in-kernel NAT64 support
+options    IPFIREWALL_NPTV6		# enables in-kernel IPv6 NPT support
+options    IPFIREWALL_PMOD		# enables protocols modification module support
+options    IPDIVERT			# enables NAT through natd(8)</programlisting>
+
+      <note>
+	<para><application>IPFW</application> can be loaded as
+	  a kernel module: options above are built by default
+	  as modules or can be set at runtime using tunables.</para>
+      </note>
+    </sect2>
   </sect1>
 
   <sect1 xml:id="firewalls-ipf">