os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Shuffle the first part of this chapter to improve its readability.

Browse source 
Many more commits to come.

Sponsored by: iXsystems
This commit is contained in:
Dru Lavigne 2014-02-13 23:55:24 +00:00
parent fcb53eaa02
commit cab236e410
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=43914
1 changed files with 37 additions and 46 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

83
en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
View file

@ -215,7 +215,7 @@
integrated part of the base system. integrated part of the base system.
<application>PF</application> is a complete, full-featured <application>PF</application> is a complete, full-featured
firewall that has optional support for firewall that has optional support for
<acronym>ALTQ</acronym> (Alternate Queuing), which provides <application>ALTQ</application> (Alternate Queuing), which provides
Quality of Service (<acronym>QoS</acronym>).</para> Quality of Service (<acronym>QoS</acronym>).</para>
<para>Since the OpenBSD Project maintains the definitive <para>Since the OpenBSD Project maintains the definitive
@ -230,21 +230,25 @@
xlink:href="http://pf4freebsd.love2party.net/">http://pf4freebsd.love2party.net/</uri>.</para> xlink:href="http://pf4freebsd.love2party.net/">http://pf4freebsd.love2party.net/</uri>.</para>
<sect2> <sect2>
<title>Using the PF Loadable Kernel Modules</title> <title>Enabling <application>PF</application></title>
<para>In order to use PF, the PF kernel module must be first <para>In order to use <application>PF</application>, its module must be first
loaded. Add the following line to loaded. Add the following line to
<filename>/etc/rc.conf</filename>:</para> <filename>/etc/rc.conf</filename>:</para>
<programlisting>pf_enable="YES"</programlisting> <programlisting>pf_enable="YES"</programlisting>
<para>Then, run the startup script to load the module:</para> <para>Additional options can be passed to
<application>PF</application> when it is started. Refer to
&man.pfctl.8; for the available options and specify any
required flags by
adding another entry to <filename>/etc/rc.conf</filename>:</para>
<programlisting>pf_flags="" # additional flags for pfctl startup</programlisting>
<screen>&prompt.root; <userinput>service pf start</userinput></screen> <para>The module will not load if it cannot find the
ruleset configuration file. A default ruleset is located
<para>The PF module will not load if it cannot find the <filename>/etc/pf.conf</filename>. If a custom ruleset is
ruleset configuration file. The default location is
<filename>/etc/pf.conf</filename>. If the PF ruleset is
located somewhere else, add a line to located somewhere else, add a line to
<filename>/etc/rc.conf</filename> which specifies the full <filename>/etc/rc.conf</filename> which specifies the full
path to the file:</para> path to the file:</para>
@ -253,26 +257,34 @@
<para>The sample <filename>pf.conf</filename> <para>The sample <filename>pf.conf</filename>
can be found in can be found in
<filename>/usr/share/examples/pf/</filename>.</para> <filename>/usr/share/examples/pf/</filename>. The rest of
this chapter demonstrates how to create a custom ruleset.</para>
<para>Then, run the startup script to load the module:</para>
<para>The <application>PF</application> module can also be <screen>&prompt.root; <userinput>service pf start</userinput></screen>
loaded manually from the command line:</para> <para>Logging support for <application>PF</application> is provided by
&man.pflog.4; which can be loaded by adding the
<screen>&prompt.root; <userinput>kldload pf.ko</userinput></screen>
<para>Logging support for PF is provided by
<varname>pflog.ko</varname> which can be loaded by adding the
following line to <filename>/etc/rc.conf</filename>:</para> following line to <filename>/etc/rc.conf</filename>:</para>
<programlisting>pflog_enable="YES"</programlisting> <programlisting>pflog_enable="YES"</programlisting>
<para>Then, run the startup script to load the module:</para> <para>The following &man.rc.conf.5; statements can also be used to
change the default location of the log file or to specify any
additional flags:</para>
<programlisting>pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startup</programlisting>
<para>Save the edits, then run the startup script to load the logging module:</para>
<screen>&prompt.root; <userinput>service pflog start</userinput></screen> <screen>&prompt.root; <userinput>service pflog start</userinput></screen>
</sect2>
<sect2> <para>If there is a <acronym>LAN</acronym> behind the firewall and packets need to
<title>PF Kernel Options</title> be forwarded for the computers on the <acronym>LAN</acronym>, or <acronym>NAT</acronym> is required,
add the following option:</para>
<programlisting>gateway_enable="YES" # Enable as LAN gateway</programlisting>
<indexterm> <indexterm>
<primary>kernel options</primary> <primary>kernel options</primary>
@ -289,6 +301,7 @@
<secondary>device pfsync</secondary> <secondary>device pfsync</secondary>
</indexterm> </indexterm>
<note>
<para>While it is not necessary to compile <para>While it is not necessary to compile
<application>PF</application> support into the &os; kernel, <application>PF</application> support into the &os; kernel,
some of PF's advanced features are not included in the some of PF's advanced features are not included in the
@ -297,12 +310,10 @@
used by <application>PF</application>. It can be paired with used by <application>PF</application>. It can be paired with
&man.carp.4; to create failover firewalls using &man.carp.4; to create failover firewalls using
<application>PF</application>. More information on <application>PF</application>. More information on
<acronym>CARP</acronym> can be found in <link <acronym>CARP</acronym> can be found in <xref linkend="carp"/>.</para>
linkend="carp">of the Handbook</link>.</para>
<para>The following <application>PF</application> kernel options <para>The following <application>PF</application> kernel options
can be found in are available:</para>
<filename>/usr/src/sys/conf/NOTES</filename>:</para>
<programlisting>device pf <programlisting>device pf
device pflog device pflog
@ -319,27 +330,7 @@ device pfsync</programlisting>
<para><literal>device pfsync</literal> enables the optional <para><literal>device pfsync</literal> enables the optional
&man.pfsync.4; pseudo-network device that is used to monitor &man.pfsync.4; pseudo-network device that is used to monitor
<quote>state changes</quote>.</para> <quote>state changes</quote>.</para>
</sect2> </note>
<sect2>
<title>Available <filename>rc.conf</filename> Options</title>
<para>The following &man.rc.conf.5; statements can be used to
configure <application>PF</application> and &man.pflog.4; at
boot:</para>
<programlisting>pf_enable="YES" # Enable PF (load module if required)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_flags="" # additional flags for pfctl startup
pflog_enable="YES" # start pflogd(8)
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startup</programlisting>
<para>If there is a LAN behind the firewall and packets need to
be forwarded for the computers on the LAN, or NAT is required,
add the following option:</para>
<programlisting>gateway_enable="YES" # Enable as LAN gateway</programlisting>
</sect2> </sect2>
<sect2> <sect2>