White space fix only. Translators can ignore.
Sponsored by: iXsystems
This commit is contained in:
Dru Lavigne
parent
dd0a14165c
commit
ec7e896314
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=43998
1 changed files with 278 additions and 260 deletions
|
|
@ -1508,26 +1508,28 @@ block drop out quick on $ext_if from any to $martians</programlisting>
|
||||||
</indexterm>
|
</indexterm>
|
||||||
|
|
||||||
<para><application>IPFILTER</application>, also known as
|
<para><application>IPFILTER</application>, also known as
|
||||||
<application>IPF</application>, is a cross-platform, open source firewall which
|
<application>IPF</application>, is a cross-platform, open source
|
||||||
has been ported to several operating systems, including &os;, NetBSD, OpenBSD, and
|
firewall which has been ported to several operating systems,
|
||||||
&solaris;.</para>
|
including &os;, NetBSD, OpenBSD, and &solaris;.</para>
|
||||||
|
|
||||||
<para><application>IPFILTER</application> is a kernel-side firewall and
|
<para><application>IPFILTER</application> is a kernel-side
|
||||||
<acronym>NAT</acronym> mechanism that can be controlled and
|
firewall and <acronym>NAT</acronym> mechanism that can be
|
||||||
monitored by userland programs. Firewall rules
|
controlled and monitored by userland programs. Firewall rules
|
||||||
can be set or deleted using <application>ipf</application>,
|
can be set or deleted using <application>ipf</application>,
|
||||||
<acronym>NAT</acronym> rules can be set or deleted using
|
<acronym>NAT</acronym> rules can be set or deleted using
|
||||||
<application>ipnat</application>, run-time statistics for the kernel parts of
|
<application>ipnat</application>, run-time statistics for the
|
||||||
<application>IPFILTER</application> can be printed using
|
kernel parts of <application>IPFILTER</application> can be
|
||||||
<application>ipfstat</application>, and
|
printed using <application>ipfstat</application>, and
|
||||||
<application>ipmon</application> can be used to log <application>IPFILTER</application>
|
<application>ipmon</application> can be used to log
|
||||||
actions to the system log files.</para>
|
<application>IPFILTER</application> actions to the system log
|
||||||
|
files.</para>
|
||||||
|
|
||||||
<para><application>IPF</application> was originally written using a rule processing logic
|
<para><application>IPF</application> was originally written using
|
||||||
of <quote>the last matching rule wins</quote> and only used
|
a rule processing logic of <quote>the last matching rule
|
||||||
stateless rules. Since then, <application>IPF</application> has been enhanced to include
|
wins</quote> and only used stateless rules. Since then,
|
||||||
the <literal>quick</literal> and
|
<application>IPF</application> has been enhanced to include the
|
||||||
<literal>keep state</literal> options.</para>
|
<literal>quick</literal> and <literal>keep state</literal>
|
||||||
|
options.</para>
|
||||||
|
|
||||||
<para>For a detailed explanation of the legacy rules processing
|
<para>For a detailed explanation of the legacy rules processing
|
||||||
method, refer to <uri
|
method, refer to <uri
|
||||||
|
|
@ -1535,15 +1537,16 @@ block drop out quick on $ext_if from any to $martians</programlisting>
|
||||||
|
|
||||||
<para>The <application>IPF</application> FAQ is at <uri
|
<para>The <application>IPF</application> FAQ is at <uri
|
||||||
xlink:href="http://www.phildev.net/ipf/index.html">http://www.phildev.net/ipf/index.html</uri>.
|
xlink:href="http://www.phildev.net/ipf/index.html">http://www.phildev.net/ipf/index.html</uri>.
|
||||||
A searchable archive of the IPFilter mailing list is
|
A searchable archive of the IPFilter mailing list is available
|
||||||
available at <uri
|
at <uri
|
||||||
xlink:href="http://marc.info/?l=ipfilter">http://marc.info/?l=ipfilter</uri>.</para>
|
xlink:href="http://marc.info/?l=ipfilter">http://marc.info/?l=ipfilter</uri>.</para>
|
||||||
|
|
||||||
<para>This section of the Handbook focuses on
|
<para>This section of the Handbook focuses on
|
||||||
<application>IPF</application> as it pertains to FreeBSD.
|
<application>IPF</application> as it pertains to FreeBSD. It
|
||||||
It provides examples which uses
|
provides examples which uses rules that contain the
|
||||||
rules that contain the <literal>quick</literal> and
|
<literal>quick</literal> and <literal>keep state</literal>
|
||||||
<literal>keep state</literal> options.</para>
|
options.</para>
|
||||||
|
|
||||||
<sect2>
|
<sect2>
|
||||||
<title>Enabling <application>IPF</application></title>
|
<title>Enabling <application>IPF</application></title>
|
||||||
|
|
||||||
|
|
@ -1553,9 +1556,10 @@ block drop out quick on $ext_if from any to $martians</programlisting>
|
||||||
<secondary>enabling</secondary>
|
<secondary>enabling</secondary>
|
||||||
</indexterm>
|
</indexterm>
|
||||||
|
|
||||||
<para><application>IPF</application> is included in the basic &os; install as a kernel
|
<para><application>IPF</application> is included in the basic
|
||||||
loadable module, meaning that a custom kernel is not needed in
|
&os; install as a kernel loadable module, meaning that a
|
||||||
order to enable <application>IPF</application>.</para>
|
custom kernel is not needed in order to enable
|
||||||
|
<application>IPF</application>.</para>
|
||||||
|
|
||||||
<indexterm>
|
<indexterm>
|
||||||
<primary>kernel options</primary>
|
<primary>kernel options</primary>
|
||||||
|
|
@ -1581,35 +1585,37 @@ block drop out quick on $ext_if from any to $martians</programlisting>
|
||||||
<secondary>kernel options</secondary>
|
<secondary>kernel options</secondary>
|
||||||
</indexterm>
|
</indexterm>
|
||||||
|
|
||||||
<para>For users who prefer to statically compile <application>IPF</application> support
|
<para>For users who prefer to statically compile
|
||||||
into a custom kernel, refer to the instructions in <xref
|
<application>IPF</application> support into a custom kernel,
|
||||||
linkend="kernelconfig"/>. The following kernel options are
|
refer to the instructions in <xref linkend="kernelconfig"/>.
|
||||||
available:</para>
|
The following kernel options are available:</para>
|
||||||
|
|
||||||
<programlisting>options IPFILTER
|
<programlisting>options IPFILTER
|
||||||
options IPFILTER_LOG
|
options IPFILTER_LOG
|
||||||
options IPFILTER_LOOKUP
|
options IPFILTER_LOOKUP
|
||||||
options IPFILTER_DEFAULT_BLOCK</programlisting>
|
options IPFILTER_DEFAULT_BLOCK</programlisting>
|
||||||
|
|
||||||
<para>where <literal>options IPFILTER</literal> enables support for
|
<para>where <literal>options IPFILTER</literal> enables support
|
||||||
<application>IPFILTER</application>, <literal>options IPFILTER_LOG</literal> enables <application>IPF</application>
|
for <application>IPFILTER</application>,
|
||||||
logging using the <filename>ipl</filename> packet logging
|
<literal>options IPFILTER_LOG</literal> enables
|
||||||
pseudo device for every rule that has the
|
<application>IPF</application> logging using the
|
||||||
<literal>log</literal> keyword,
|
<filename>ipl</filename> packet logging pseudo device for
|
||||||
<literal>IPFILTER_LOOKUP</literal> enables <acronym>IP</acronym> pools in
|
every rule that has the <literal>log</literal> keyword,
|
||||||
order to speed up <acronym>IP</acronym> lookups, and <literal>options IPFILTER_DEFAULT_BLOCK</literal> changes
|
<literal>IPFILTER_LOOKUP</literal> enables
|
||||||
the default behavior so that any packet not matching a
|
<acronym>IP</acronym> pools in order to speed up
|
||||||
firewall <literal>pass</literal> rule gets blocked.</para>
|
<acronym>IP</acronym> lookups, and <literal>options
|
||||||
|
IPFILTER_DEFAULT_BLOCK</literal> changes the default
|
||||||
|
behavior so that any packet not matching a firewall
|
||||||
|
<literal>pass</literal> rule gets blocked.</para>
|
||||||
|
|
||||||
<para>To configure the system to enable <application>IPF</application>
|
<para>To configure the system to enable
|
||||||
at boot time, add
|
<application>IPF</application> at boot time, add the following
|
||||||
the following entries to
|
entries to <filename>/etc/rc.conf</filename>. These entries
|
||||||
<filename>/etc/rc.conf</filename>. These entries will also enable logging and
|
will also enable logging and <literal>default pass
|
||||||
<literal>default pass all</literal>. To change the
|
all</literal>. To change the default policy to
|
||||||
default policy to <literal>block all</literal> without
|
<literal>block all</literal> without compiling a custom
|
||||||
compiling a custom kernel, remember to add a
|
kernel, remember to add a <literal>block all</literal> rule at
|
||||||
<literal>block all</literal> rule at the end of the
|
the end of the ruleset.</para>
|
||||||
ruleset.</para>
|
|
||||||
|
|
||||||
<programlisting>ipfilter_enable="YES" # Start ipf firewall
|
<programlisting>ipfilter_enable="YES" # Start ipf firewall
|
||||||
ipfilter_rules="/etc/ipf.rules" # loads rules definition text file
|
ipfilter_rules="/etc/ipf.rules" # loads rules definition text file
|
||||||
|
|
@ -1619,17 +1625,16 @@ ipmon_flags="-Ds" # D = start as daemon
|
||||||
# v = log tcp window, ack, seq
|
# v = log tcp window, ack, seq
|
||||||
# n = map IP & port to names</programlisting>
|
# n = map IP & port to names</programlisting>
|
||||||
|
|
||||||
<para>If <acronym>NAT</acronym>
|
<para>If <acronym>NAT</acronym> functionality is needed, also
|
||||||
functionality is needed, also add these lines:</para>
|
add these lines:</para>
|
||||||
|
|
||||||
<programlisting>gateway_enable="YES" # Enable as LAN gateway
|
<programlisting>gateway_enable="YES" # Enable as LAN gateway
|
||||||
ipnat_enable="YES" # Start ipnat function
|
ipnat_enable="YES" # Start ipnat function
|
||||||
ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlisting>
|
ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlisting>
|
||||||
|
|
||||||
<para>Then, to start <application>IPF</application> now:</para>
|
<para>Then, to start <application>IPF</application> now:</para>
|
||||||
|
|
||||||
<programlisting>&prompt.root; <command>service ipfilter start</command></programlisting>
|
<programlisting>&prompt.root; <command>service ipfilter start</command></programlisting>
|
||||||
|
|
||||||
</sect2>
|
</sect2>
|
||||||
|
|
||||||
<sect2>
|
<sect2>
|
||||||
|
|
@ -1640,8 +1645,8 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
|
||||||
The bi-directional exchange of packets between hosts comprises
|
The bi-directional exchange of packets between hosts comprises
|
||||||
a session conversation. The firewall ruleset processes both
|
a session conversation. The firewall ruleset processes both
|
||||||
the packets arriving from the public Internet, as well as the
|
the packets arriving from the public Internet, as well as the
|
||||||
packets produced by the system as a response to them.
|
packets produced by the system as a response to them. Each
|
||||||
Each <acronym>TCP/IP</acronym> service is predefined by its
|
<acronym>TCP/IP</acronym> service is predefined by its
|
||||||
protocol and listening port. Packets destined for a specific
|
protocol and listening port. Packets destined for a specific
|
||||||
service originate from the source address using an
|
service originate from the source address using an
|
||||||
unprivileged port and target the specific service port on the
|
unprivileged port and target the specific service port on the
|
||||||
|
|
@ -1693,7 +1698,7 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
|
||||||
|
|
||||||
<para>There is a way to build IPF rules that utilize the power
|
<para>There is a way to build IPF rules that utilize the power
|
||||||
of script symbolic substitution. For more information, see
|
of script symbolic substitution. For more information, see
|
||||||
<xref linkend="firewalls-ipf-rules-script"/>.</para>
|
<xref linkend="firewalls-ipf-rules-script"/>.</para>
|
||||||
|
|
||||||
<indexterm>
|
<indexterm>
|
||||||
<primary><application>IPFILTER</application></primary>
|
<primary><application>IPFILTER</application></primary>
|
||||||
|
|
@ -1728,196 +1733,205 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>ACTION</term>
|
<term>ACTION</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The action keyword indicates what to do with the packet
|
<para>The action keyword indicates what to do with the
|
||||||
if it matches the rest of the filter rule. Each rule
|
packet if it matches the rest of the filter rule. Each
|
||||||
<emphasis>must</emphasis> have an action. The following
|
rule <emphasis>must</emphasis> have an action. The
|
||||||
actions are recognized:</para>
|
following actions are recognized:</para>
|
||||||
|
|
||||||
<para><literal>block</literal> indicates that the packet
|
<para><literal>block</literal> indicates that the packet
|
||||||
should be dropped if the selection parameters match the
|
should be dropped if the selection parameters match the
|
||||||
packet.</para>
|
packet.</para>
|
||||||
|
|
||||||
<para><literal>pass</literal> indicates that the packet should
|
<para><literal>pass</literal> indicates that the packet
|
||||||
exit the firewall if the selection parameters match the
|
should exit the firewall if the selection parameters
|
||||||
packet.</para>
|
match the packet.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>IN-OUT</term>
|
<term>IN-OUT</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>A mandatory requirement is that each filter rule
|
<para>A mandatory requirement is that each filter rule
|
||||||
explicitly state which side of the I/O it is to be used
|
explicitly state which side of the I/O it is to be used
|
||||||
on. The next keyword must be either <literal>in</literal>
|
on. The next keyword must be either
|
||||||
or <literal>out</literal> and one or the other has to be
|
<literal>in</literal> or <literal>out</literal> and one
|
||||||
included or the rule will not pass syntax checks.</para>
|
or the other has to be included or the rule will not
|
||||||
|
pass syntax checks.</para>
|
||||||
|
|
||||||
<para><literal>in</literal> means this rule is being applied
|
<para><literal>in</literal> means this rule is being
|
||||||
against an inbound packet which has just been received on
|
applied against an inbound packet which has just been
|
||||||
the interface facing the public Internet.</para>
|
received on the interface facing the public
|
||||||
|
Internet.</para>
|
||||||
|
|
||||||
<para><literal>out</literal> means this rule is being applied
|
<para><literal>out</literal> means this rule is being
|
||||||
against an outbound packet destined for the interface facing
|
applied against an outbound packet destined for the
|
||||||
the public Internet.</para>
|
interface facing the public Internet.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>OPTIONS</term>
|
<term>OPTIONS</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<note>
|
<note>
|
||||||
<para>These options must be used in the order shown
|
<para>These options must be used in the order shown
|
||||||
here.</para>
|
here.</para>
|
||||||
</note>
|
</note>
|
||||||
|
|
||||||
<para><literal>log</literal> indicates that the packet header
|
<para><literal>log</literal> indicates that the packet
|
||||||
will be written to the &man.ipl.4; packet log pseudo-device
|
header will be written to the &man.ipl.4; packet log
|
||||||
if the selection parameters match the packet.</para>
|
pseudo-device if the selection parameters match the
|
||||||
|
packet.</para>
|
||||||
|
|
||||||
<para><literal>quick</literal> indicates that if the selection
|
<para><literal>quick</literal> indicates that if the
|
||||||
parameters match the packet, this rule will be the last
|
selection parameters match the packet, this rule will be
|
||||||
rule checked, and no further processing of any following
|
the last rule checked, and no further processing of any
|
||||||
rules will occur for this packet.</para>
|
following rules will occur for this packet.</para>
|
||||||
|
|
||||||
<para><literal>on</literal> indicates the interface name to
|
<para><literal>on</literal> indicates the interface name
|
||||||
be incorporated into the selection parameters. Interface
|
to be incorporated into the selection parameters.
|
||||||
names are as displayed by &man.ifconfig.8;. Using this
|
Interface names are as displayed by &man.ifconfig.8;.
|
||||||
option, the rule will only match if the packet is going
|
Using this option, the rule will only match if the
|
||||||
through that interface in the specified direction.</para>
|
packet is going through that interface in the specified
|
||||||
|
direction.</para>
|
||||||
|
|
||||||
<para>When a packet is logged, the headers of the packet are
|
<para>When a packet is logged, the headers of the packet
|
||||||
written to the &man.ipl.4; packet logging pseudo-device.
|
are written to the &man.ipl.4; packet logging
|
||||||
Immediately following the <literal>log</literal> keyword,
|
pseudo-device. Immediately following the
|
||||||
the following qualifiers may be used in this order:</para>
|
<literal>log</literal> keyword, the following qualifiers
|
||||||
|
may be used in this order:</para>
|
||||||
|
|
||||||
<para><literal>body</literal> indicates that the first 128
|
<para><literal>body</literal> indicates that the first 128
|
||||||
bytes of the packet contents will be logged after the
|
bytes of the packet contents will be logged after the
|
||||||
headers.</para>
|
headers.</para>
|
||||||
|
|
||||||
<para><literal>first</literal>. If the <literal>log</literal>
|
<para><literal>first</literal>. If the
|
||||||
keyword is being used in conjunction with a <literal>keep
|
<literal>log</literal> keyword is being used in
|
||||||
state</literal> option, this option is recommended so that
|
conjunction with a <literal>keep state</literal> option,
|
||||||
only the triggering packet is logged and not every packet
|
this option is recommended so that only the triggering
|
||||||
which matches the stateful connection.</para>
|
packet is logged and not every packet which matches the
|
||||||
</listitem>
|
stateful connection.</para>
|
||||||
</varlistentry>
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>SELECTION</term>
|
<term>SELECTION</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The keywords described in this section are used to
|
<para>The keywords described in this section are used to
|
||||||
describe attributes of the packet to be checked when
|
describe attributes of the packet to be checked when
|
||||||
determining whether or not rules match. There is a
|
determining whether or not rules match. There is a
|
||||||
keyword subject, and it has sub-option keywords, one of
|
keyword subject, and it has sub-option keywords, one of
|
||||||
which has to be selected. The following general-purpose
|
which has to be selected. The following general-purpose
|
||||||
attributes are provided for matching, and must be used in
|
attributes are provided for matching, and must be used
|
||||||
this order:</para>
|
in this order:</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>PROTO</term>
|
<term>PROTO</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><literal>proto</literal> is the subject keyword which
|
<para><literal>proto</literal> is the subject keyword
|
||||||
must include one of its corresponding keyword sub-option
|
which must include one of its corresponding keyword
|
||||||
values. The sub-option indicates a specific protocol to be
|
sub-option values. The sub-option indicates a specific
|
||||||
matched against.</para>
|
protocol to be matched against.</para>
|
||||||
|
|
||||||
<para><literal>tcp/udp | udp | tcp | icmp</literal> or any
|
<para><literal>tcp/udp | udp | tcp | icmp</literal> or any
|
||||||
protocol names found in <filename>/etc/protocols</filename>
|
protocol names found in
|
||||||
are recognized and may be used. The special protocol
|
<filename>/etc/protocols</filename> are recognized and
|
||||||
keyword <literal>tcp/udp</literal> may be used to match
|
may be used. The special protocol keyword
|
||||||
either a <acronym>TCP</acronym> or a <acronym>UDP</acronym>
|
<literal>tcp/udp</literal> may be used to match either a
|
||||||
packet, and has been added as a convenience to save
|
<acronym>TCP</acronym> or a <acronym>UDP</acronym>
|
||||||
duplication of otherwise identical rules.</para>
|
packet, and has been added as a convenience to save
|
||||||
</listitem>
|
duplication of otherwise identical rules.</para>
|
||||||
</varlistentry>
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>SRC_ADDR/DST_ADDR</term>
|
<term>SRC_ADDR/DST_ADDR</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The <literal>all</literal> keyword is equivalent to
|
<para>The <literal>all</literal> keyword is equivalent to
|
||||||
<quote>from any to any</quote> with no other match
|
<quote>from any to any</quote> with no other match
|
||||||
parameters.</para>
|
parameters.</para>
|
||||||
|
|
||||||
<para><literal>from | to src to dst</literal>: the
|
<para><literal>from | to src to dst</literal>: the
|
||||||
<literal>from</literal> and <literal>to</literal>
|
<literal>from</literal> and <literal>to</literal>
|
||||||
keywords are used to match against IP addresses. Rules
|
keywords are used to match against IP addresses. Rules
|
||||||
must specify <emphasis>both</emphasis> the source and
|
must specify <emphasis>both</emphasis> the source and
|
||||||
destination parameters. <literal>any</literal> is a special
|
destination parameters. <literal>any</literal> is a
|
||||||
keyword that matches any IP address. Examples include:
|
special keyword that matches any IP address. Examples
|
||||||
<literal>from any to any</literal>, <literal>from 0.0.0.0/0
|
include: <literal>from any to any</literal>,
|
||||||
to any</literal>, <literal>from any to
|
<literal>from 0.0.0.0/0 to any</literal>, <literal>from
|
||||||
0.0.0.0/0</literal>, <literal>from 0.0.0.0 to
|
any to 0.0.0.0/0</literal>, <literal>from 0.0.0.0 to
|
||||||
any</literal>, and <literal>from any to
|
any</literal>, and <literal>from any to
|
||||||
0.0.0.0</literal>.</para>
|
0.0.0.0</literal>.</para>
|
||||||
|
|
||||||
<para>There is no way to match ranges of IP addresses which
|
<para>There is no way to match ranges of IP addresses
|
||||||
do not express themselves easily using the dotted numeric
|
which do not express themselves easily using the dotted
|
||||||
form / mask-length notation. The
|
numeric form / mask-length notation. The
|
||||||
<package>net-mgmt/ipcalc</package> port may be used to ease
|
<package>net-mgmt/ipcalc</package> port may be used to
|
||||||
the calculation. Additional information is available at the
|
ease the calculation. Additional information is
|
||||||
utility's web page: <uri
|
available at the utility's web page: <uri
|
||||||
xlink:href="http://jodies.de/ipcalc">http://jodies.de/ipcalc</uri>.</para>
|
xlink:href="http://jodies.de/ipcalc">http://jodies.de/ipcalc</uri>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>PORT</term>
|
<term>PORT</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>If a port match is included, for either or both of
|
<para>If a port match is included, for either or both of
|
||||||
source and destination, it is only applied to
|
source and destination, it is only applied to
|
||||||
<acronym>TCP</acronym> and <acronym>UDP</acronym> packets.
|
<acronym>TCP</acronym> and <acronym>UDP</acronym>
|
||||||
When composing port comparisons, either the service name
|
packets. When composing port comparisons, either the
|
||||||
from <filename>/etc/services</filename> or an integer port
|
service name from <filename>/etc/services</filename> or
|
||||||
number may be used. When the port appears as part of the
|
an integer port number may be used. When the port
|
||||||
<literal>from</literal> object, it matches the source port
|
appears as part of the <literal>from</literal> object,
|
||||||
number. When it appears as part of the
|
it matches the source port number. When it appears as
|
||||||
<literal>to</literal> object, it matches the destination
|
part of the <literal>to</literal> object, it matches the
|
||||||
port number. An example usage is
|
destination port number. An example usage is
|
||||||
<literal>from any to any port = 80</literal></para>
|
<literal>from any to any port = 80</literal></para>
|
||||||
|
|
||||||
<para>Single port comparisons may be done in a number of ways,
|
<para>Single port comparisons may be done in a number of
|
||||||
using a number of different comparison operators. Instead
|
ways, using a number of different comparison operators.
|
||||||
of the <literal>=</literal> shown in the example above,
|
Instead of the <literal>=</literal> shown in the example
|
||||||
the following operators may be used: <literal>!=</literal>,
|
above, the following operators may be used:
|
||||||
<literal><</literal>, <literal>></literal>,
|
<literal>!=</literal>, <literal><</literal>,
|
||||||
<literal><=</literal>, <literal>>=</literal>,
|
<literal>></literal>, <literal><=</literal>,
|
||||||
<literal>eq</literal>, <literal>ne</literal>,
|
<literal>>=</literal>, <literal>eq</literal>,
|
||||||
<literal>lt</literal>, <literal>gt</literal>,
|
<literal>ne</literal>, <literal>lt</literal>,
|
||||||
<literal>le</literal>, and <literal>ge</literal>.</para>
|
<literal>gt</literal>, <literal>le</literal>, and
|
||||||
|
<literal>ge</literal>.</para>
|
||||||
|
|
||||||
<para>To specify port ranges, place the two port numbers
|
<para>To specify port ranges, place the two port numbers
|
||||||
between <literal><></literal> or
|
between <literal><></literal> or
|
||||||
<literal>><</literal></para>
|
<literal>><</literal></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><acronym>TCP</acronym>_FLAG</term>
|
<term><acronym>TCP</acronym>_FLAG</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Flags are only effective for <acronym>TCP</acronym>
|
<para>Flags are only effective for <acronym>TCP</acronym>
|
||||||
filtering. The letters represent one of the possible flags
|
filtering. The letters represent one of the possible
|
||||||
that can be matched against the <acronym>TCP</acronym>
|
flags that can be matched against the
|
||||||
packet header.</para>
|
<acronym>TCP</acronym> packet header.</para>
|
||||||
|
|
||||||
<para>The modernized rules processing logic uses the
|
<para>The modernized rules processing logic uses the
|
||||||
<literal>flags S</literal> parameter to identify the TCP
|
<literal>flags S</literal> parameter to identify the TCP
|
||||||
session start request.</para>
|
session start request.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>STATEFUL</term>
|
<term>STATEFUL</term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><literal>keep state</literal> indicates that on a pass
|
<para><literal>keep state</literal> indicates that on a
|
||||||
rule, any packets that match the rules selection parameters
|
pass rule, any packets that match the rules selection
|
||||||
should activate the stateful filtering facility.</para>
|
parameters should activate the stateful filtering
|
||||||
</listitem>
|
facility.</para>
|
||||||
</varlistentry>
|
</listitem>
|
||||||
</variablelist>
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
</sect2>
|
</sect2>
|
||||||
|
|
||||||
<sect2>
|
<sect2>
|
||||||
|
|
@ -2332,8 +2346,9 @@ EOF
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Disable <application>IPFILTER</application> in the system startup scripts by
|
<para>Disable <application>IPFILTER</application> in the
|
||||||
adding <literal>ipfilter_enable="NO"</literal>to
|
system startup scripts by adding
|
||||||
|
<literal>ipfilter_enable="NO"</literal>to
|
||||||
<filename>/etc/rc.conf</filename>.</para>
|
<filename>/etc/rc.conf</filename>.</para>
|
||||||
|
|
||||||
<para>Then, add a script like the following to
|
<para>Then, add a script like the following to
|
||||||
|
|
@ -2383,7 +2398,7 @@ sh /etc/ipf.rules.script</programlisting>
|
||||||
having to pay the ISP for multiple Internet accounts or IP
|
having to pay the ISP for multiple Internet accounts or IP
|
||||||
addresses.</para>
|
addresses.</para>
|
||||||
|
|
||||||
<para>In IPF, when a packet arrives at the firewall from the LAN
|
<para>In IPF, when a packet arrives at the firewall from the LAN
|
||||||
with a public destination, it passes through the outbound
|
with a public destination, it passes through the outbound
|
||||||
filter rules. <acronym>NAT</acronym> gets its turn at the
|
filter rules. <acronym>NAT</acronym> gets its turn at the
|
||||||
packet and applies its rules top down, where the first
|
packet and applies its rules top down, where the first
|
||||||
|
|
@ -2402,7 +2417,7 @@ sh /etc/ipf.rules.script</programlisting>
|
||||||
private IP address and then passed to the filter rules for
|
private IP address and then passed to the filter rules for
|
||||||
processing.</para>
|
processing.</para>
|
||||||
|
|
||||||
<para><acronym>NAT</acronym> will automatically translate the
|
<para><acronym>NAT</acronym> will automatically translate the
|
||||||
private LAN IP address for each system on the LAN to the
|
private LAN IP address for each system on the LAN to the
|
||||||
single public IP address as packets exit the firewall bound
|
single public IP address as packets exit the firewall bound
|
||||||
for the public Internet. It also performs the reverse
|
for the public Internet. It also performs the reverse
|
||||||
|
|
@ -2510,18 +2525,19 @@ sh /etc/ipf.rules.script</programlisting>
|
||||||
<literal>0/32</literal> which uses the IP address assigned to
|
<literal>0/32</literal> which uses the IP address assigned to
|
||||||
<replaceable>IF</replaceable>.</para>
|
<replaceable>IF</replaceable>.</para>
|
||||||
|
|
||||||
<sect3>
|
<sect3>
|
||||||
<title><acronym>NAT</acronym> for a Large LAN</title>
|
<title><acronym>NAT</acronym> for a Large LAN</title>
|
||||||
|
|
||||||
<para>For networks that have large numbers of systems on the LAN
|
<para>For networks that have large numbers of systems on the
|
||||||
or networks with more than a single LAN, the process of
|
LAN or networks with more than a single LAN, the process of
|
||||||
funneling all those private IP addresses into a single public
|
funneling all those private IP addresses into a single
|
||||||
IP address becomes a resource problem that may cause problems
|
public IP address becomes a resource problem that may cause
|
||||||
with the same port numbers being used many times across many
|
problems with the same port numbers being used many times
|
||||||
connections, causing collisions. This section describes two ways to
|
across many connections, causing collisions. This section
|
||||||
relieve this resource problem.</para>
|
describes two ways to relieve this resource problem.</para>
|
||||||
|
|
||||||
<para>The first method is to assign ports to use. A normal NAT rule would look like:</para>
|
<para>The first method is to assign ports to use. A normal
|
||||||
|
NAT rule would look like:</para>
|
||||||
|
|
||||||
<programlisting>map dc0 192.168.1.0/24 -> 0/32</programlisting>
|
<programlisting>map dc0 192.168.1.0/24 -> 0/32</programlisting>
|
||||||
|
|
||||||
|
|
@ -2541,7 +2557,8 @@ sh /etc/ipf.rules.script</programlisting>
|
||||||
|
|
||||||
<programlisting>map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto</programlisting>
|
<programlisting>map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto</programlisting>
|
||||||
|
|
||||||
<para>The second method is to use a pool of public addresses. In very large LANs there comes a point where there are
|
<para>The second method is to use a pool of public addresses.
|
||||||
|
In very large LANs there comes a point where there are
|
||||||
just too many LAN addresses to fit into a single public
|
just too many LAN addresses to fit into a single public
|
||||||
address. If a block of public IP addresses is available,
|
address. If a block of public IP addresses is available,
|
||||||
these addresses can be used as a <quote>pool</quote>, and
|
these addresses can be used as a <quote>pool</quote>, and
|
||||||
|
|
@ -2564,19 +2581,20 @@ sh /etc/ipf.rules.script</programlisting>
|
||||||
<programlisting>map dc0 192.168.1.0/24 -> 204.134.75.0/24</programlisting>
|
<programlisting>map dc0 192.168.1.0/24 -> 204.134.75.0/24</programlisting>
|
||||||
</sect3>
|
</sect3>
|
||||||
|
|
||||||
<sect3>
|
<sect3>
|
||||||
<title>Port Redirection</title>
|
<title>Port Redirection</title>
|
||||||
|
|
||||||
<para>A common practice is to have a web server, email server,
|
<para>A common practice is to have a web server, email server,
|
||||||
database server, and DNS server each segregated to a different
|
database server, and DNS server each segregated to a
|
||||||
system on the LAN. In this case, the traffic from these
|
different system on the LAN. In this case, the traffic from
|
||||||
servers still has to undergo <acronym>NAT</acronym>, but there
|
these servers still has to undergo <acronym>NAT</acronym>,
|
||||||
has to be some way to direct the inbound traffic to the
|
but there has to be some way to direct the inbound traffic
|
||||||
correct server. For example, a web server operating on LAN
|
to the correct server. For example, a web server operating
|
||||||
address <systemitem class="ipaddress">10.0.10.25</systemitem>
|
on LAN address <systemitem
|
||||||
and using a single public IP address of
|
class="ipaddress">10.0.10.25</systemitem> and using a
|
||||||
<systemitem class="ipaddress">20.20.20.5</systemitem>, would
|
single public IP address of <systemitem
|
||||||
use this rule:</para>
|
class="ipaddress">20.20.20.5</systemitem>, would use this
|
||||||
|
rule:</para>
|
||||||
|
|
||||||
<programlisting>rdr dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80</programlisting>
|
<programlisting>rdr dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80</programlisting>
|
||||||
|
|
||||||
|
|
@ -2589,17 +2607,17 @@ sh /etc/ipf.rules.script</programlisting>
|
||||||
needs to receive public DNS requests:</para>
|
needs to receive public DNS requests:</para>
|
||||||
|
|
||||||
<programlisting>rdr dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 udp</programlisting>
|
<programlisting>rdr dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 udp</programlisting>
|
||||||
</sect3>
|
</sect3>
|
||||||
|
|
||||||
<sect3>
|
<sect3>
|
||||||
<title>FTP and <acronym>NAT</acronym></title>
|
<title>FTP and <acronym>NAT</acronym></title>
|
||||||
|
|
||||||
<para>FTP has two modes: active mode and passive mode. The
|
<para>FTP has two modes: active mode and passive mode. The
|
||||||
difference is in how the data channel is acquired. Passive
|
difference is in how the data channel is acquired. Passive
|
||||||
mode is more secure as the data channel is acquired by the
|
mode is more secure as the data channel is acquired by the
|
||||||
ordinal ftp session requester. For a good explanation of FTP
|
ordinal ftp session requester. For a good explanation of
|
||||||
and the different modes, see <uri
|
FTP and the different modes, see <uri
|
||||||
xlink:href="http://www.slacksite.com/other/ftp.html">http://www.slacksite.com/other/ftp.html</uri>.</para>
|
xlink:href="http://www.slacksite.com/other/ftp.html">http://www.slacksite.com/other/ftp.html</uri>.</para>
|
||||||
|
|
||||||
<para>IP<acronym>NAT</acronym> has a built in FTP proxy option
|
<para>IP<acronym>NAT</acronym> has a built in FTP proxy option
|
||||||
which can be specified on the <acronym>NAT</acronym> map
|
which can be specified on the <acronym>NAT</acronym> map
|
||||||
|
|
@ -2797,9 +2815,9 @@ LOG_ERR - packets which have been logged and which can be considered short</scre
|
||||||
|
|
||||||
<!-- XXX: "can be considered short" == "with incomplete header" -->
|
<!-- XXX: "can be considered short" == "with incomplete header" -->
|
||||||
|
|
||||||
<para>In order to setup <application>IPFILTER</application> to log all data to
|
<para>In order to setup <application>IPFILTER</application> to
|
||||||
<filename>/var/log/ipfilter.log</filename>, first
|
log all data to <filename>/var/log/ipfilter.log</filename>,
|
||||||
create the empty file:</para>
|
first create the empty file:</para>
|
||||||
|
|
||||||
<screen>&prompt.root; <userinput>touch /var/log/ipfilter.log</userinput></screen>
|
<screen>&prompt.root; <userinput>touch /var/log/ipfilter.log</userinput></screen>
|
||||||
|
|
||||||
|
|
@ -2896,7 +2914,7 @@ LOG_ERR - packets which have been logged and which can be considered short</scre
|
||||||
the next being the ICMP message and sub-message type,
|
the next being the ICMP message and sub-message type,
|
||||||
separated by a slash. For example: ICMP 3/3 for a port
|
separated by a slash. For example: ICMP 3/3 for a port
|
||||||
unreachable message.</para>
|
unreachable message.</para>
|
||||||
</sect2>
|
</sect2>
|
||||||
</sect1>
|
</sect1>
|
||||||
|
|
||||||
<sect1 xml:id="firewalls-ipfw">
|
<sect1 xml:id="firewalls-ipfw">
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue