Start editorial review. To be continued tomorrow.

Sponsored by: iXsystems

en_US.ISO8859-1/books/handbook/firewalls/chapter.xml

@@ -1585,7 +1585,7 @@ block drop out quick on $ext_if from any to $martians</programlisting>
   </sect1>
 
   <sect1 xml:id="firewalls-ipfw">
-    <title>IPFW</title>
+    <title><application>IPFW</application></title>
 
     <indexterm>
       <primary>firewall</primary>
@@ -1593,52 +1593,39 @@ block drop out quick on $ext_if from any to $martians</programlisting>
       <secondary>IPFW</secondary>
     </indexterm>
 
-    <para><acronym>IPFW</acronym> is a stateful firewall written for
+    <para><application>IPFW</application> is a stateful firewall written for
-      &os; which also provides a traffic shaper, packet scheduler,
+      &os; which supports both <acronym>IPv4</acronym>
-      and in-kernel NAT.</para>
+      and <acronym>IPv6</acronym>.  It is comprised of several components:  the kernel firewall
+      filter rule processor and its integrated packet accounting
+      facility, the logging facility,
+      <acronym>NAT</acronym>, the &man.dummynet.4; traffic shaper,
+      a forward facility, a bridge
+      facility, and an ipstealth facility.</para>
 
     <para>&os; provides a sample ruleset in
-      <filename>/etc/rc.firewall</filename>.  The sample ruleset
+      <filename>/etc/rc.firewall</filename> which
-      define several firewall types for common scenarios to assist
+      defines several firewall types for common scenarios to assist
       novice users in generating an appropriate ruleset.
-      &man.ipfw.8; provides a powerful syntax which advanced users can
+      <application>IPFW</application> provides a powerful syntax which advanced users can
       use to craft customized rulesets that meet the security
       requirements of a given environment.</para>
-
+      
-    <para>IPFW is composed of several components:  the kernel firewall
+    <para>This section describes how to enable
-      filter rule processor and its integrated packet accounting
+      <application>IPFW</application>, provides an overview of its
-      facility, the logging facility, the
+      rule syntax, and demonstrates several rulesets for common
-      <literal>divert</literal> rule which triggers
+      configuration scenarios.</para>
-      <acronym>NAT</acronym>, the dummynet traffic shaper facilities,
-      the <literal>fwd rule</literal> forward facility, the bridge
-      facility, and the ipstealth facility.  IPFW supports both IPv4
-      and IPv6.</para>
 
     <sect2 xml:id="firewalls-ipfw-enable">
-      <title>Enabling IPFW</title>
+      <title>Enabling <application>IPFW</application></title>
 
       <indexterm>
-	<primary>IPFW</primary>
+	<primary><application>IPFW</application></primary>
 
 	<secondary>enabling</secondary>
       </indexterm>
 
-      <para>IPFW is included in the basic &os; install as a run time
+      <para><application>IPFW</application> is included in the basic &os; install as a kernel
-	loadable module.  The system will dynamically load the kernel
+	loadable module, meaning that a custom kernel is not needed in order to enable <application>IPFW</application>.</para> 
-	module when <filename>rc.conf</filename> contains the
-	statement <literal>firewall_enable="YES"</literal>.  After
-	rebooting the system, the following white highlighted message
-	is displayed on the screen as part of the boot process:</para>
-
-      <screen>ipfw2 initialized, divert disabled, rule-based forwarding disabled, default to deny, logging disabled</screen>
-
-      <para>The loadable module includes logging ability.  To enable
-	logging and set the verbose logging limit, add these
-	statements to
-	<filename>/etc/sysctl.conf</filename> before rebooting:</para>
-
-      <programlisting>net.inet.ip.fw.verbose=1
-net.inet.ip.fw.verbose_limit=5</programlisting>
 
       <indexterm>
 	<primary>kernel options</primary>
@@ -1659,76 +1646,35 @@ net.inet.ip.fw.verbose_limit=5</programlisting>
       </indexterm>
 
       <indexterm>
-	<primary>IPFW</primary>
+	<primary><application>IPFW</application></primary>
 
 	<secondary>kernel options</secondary>
       </indexterm>
 
-      <para>For those users who wish to statically compile kernel
+      <para>For those users who wish to statically compile
-	IPFW support, the following options are available for the
+	<application>IPFW</application> support into a custom kernel,
+	refer to the instructions in <xref linkend="kernelconfig"/>.
+	The following options are available for the
 	custom kernel configuration file:</para>
 
-      <programlisting>options    IPFIREWALL</programlisting>
+      <programlisting>options    IPFIREWALL			# enables IPFW
+options    IPFIREWALL_VERBOSE		# enables logging for rules with log keyword
+options    IPFIREWALL_VERBOSE_LIMIT=5	# limits number of logged packets per-entry
+options    IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
+options    IPDIVERT			# enables NAT</programlisting>
 
-      <para>This option enables IPFW as part of the kernel.</para>
+      <para>To configure the system to enable
-
+	<application>IPFW</application> at boot time, add the
-      <programlisting>options    IPFIREWALL_VERBOSE</programlisting>
+	following entry to <filename>/etc/rc.conf</filename>:</para>
-
-      <para>This option enables logging of packets that pass through
-	IPFW and have the <literal>log</literal> keyword specified in
-	the ruleset.</para>
-
-      <programlisting>options    IPFIREWALL_VERBOSE_LIMIT=5</programlisting>
-
-      <para>This option limits the number of packets logged through
-	&man.syslogd.8;, on a per-entry basis.  This option may be
-	used in hostile environments, when firewall activity logging
-	is desired.  This will close a possible denial of service
-	attack via syslog flooding.</para>
-
-      <indexterm>
-	<primary>kernel options</primary>
-
-	<secondary>IPFIREWALL_DEFAULT_TO_ACCEPT</secondary>
-      </indexterm>
-
-      <programlisting>options    IPFIREWALL_DEFAULT_TO_ACCEPT</programlisting>
-
-      <para>This option allows everything to pass through the firewall
-	by default, which is a good idea when the firewall is being
-	set up for the first time.</para>
-
-      <indexterm>
-	<primary>kernel options</primary>
-
-	<secondary>IPDIVERT</secondary>
-      </indexterm>
-
-      <programlisting>options    IPDIVERT</programlisting>
-
-      <para>This option enables the use of <acronym>NAT</acronym>
-	functionality.</para>
-
-      <note>
-	<para>The firewall will block all incoming and outgoing
-	  packets if either the
-	  <literal>IPFIREWALL_DEFAULT_TO_ACCEPT</literal> kernel
-	  option or a rule to explicitly allow these connections is
-	  missing.</para>
-      </note>
-
-      <para>The following <filename>/etc/rc.conf</filename> option enables the firewall:</para>
 
       <programlisting>firewall_enable="YES"</programlisting>
 
-      <para>To select one of the default firewall types provided by
+      <para>To use one of the default firewall types provided by
-	&os;, select one by reading
+	&os;, add another line which specifies the type:</para>
-	<filename>/etc/rc.firewall</filename> and specify it in
-	the following:</para>
 
       <programlisting>firewall_type="open"</programlisting>
 
-      <para>Available values for this setting are:</para>
+      <para>The available values for this setting are:</para>
 
       <itemizedlist>
 	<listitem>
@@ -1746,28 +1692,28 @@ net.inet.ip.fw.verbose_limit=5</programlisting>
 	  <para><literal>closed</literal>: entirely disables IP
 	    traffic except for the loopback interface.</para>
 	</listitem>
+	<listitem>
+	  <para><literal>workstation</literal>: protects only this
+	    machine using stateful rules.</para>
+	</listitem>
 	<listitem>
 	  <para><literal>UNKNOWN</literal>: disables the loading of
 	    firewall rules.</para>
 	</listitem>
 	<listitem>
 	  <para><filename>filename</filename>:
-	    absolute path of the file containing the firewall
+	    full path of the file containing the firewall
 	    rules.</para>
 	</listitem>
       </itemizedlist>
 
-      <para>Two methods are available for loading custom
+      <para>To instead load a custom ruleset, either
-	<application>ipfw</application> rules.  One is to set the
+	set the <filename>filename</filename> value of
-	<literal>firewall_type</literal> variable to the absolute
+	<literal>firewall_type</literal> or set the
-	path of the file which contains the firewall rules.</para>
-
-      <para>The other method is to set the
 	<literal>firewall_script</literal> variable to the absolute
 	path of an executable script that includes
-	<command>ipfw</command> commands.  A ruleset script that
+	<command>IPFW</command> commands.  This example script
-	blocks all incoming and outgoing traffic would look like
+	blocks all incoming and outgoing traffic:</para>
-	this:</para>
 
       <programlisting>#!/bin/sh
 
@@ -1811,7 +1757,7 @@ ipfw add deny out</programlisting>
     </sect2>
 
     <sect2 xml:id="firewalls-ipfw-cmd">
-      <title>The IPFW Command</title>
+      <title>The <application>IPFW</application> Command</title>
 
       <indexterm><primary><command>ipfw</command></primary></indexterm>
 
@@ -1825,7 +1771,7 @@ ipfw add deny out</programlisting>
 	changes.</para>
 
       <para><command>ipfw</command> is a useful way to display the
-	running firewall rules to the console screen.  The IPFW
+	running firewall rules to the console screen.  The <application>IPFW</application>
 	accounting facility dynamically creates a counter for each
 	rule that counts each packet that matches the rule.  During
 	the process of testing a rule, listing the rule with its
@@ -1868,10 +1814,10 @@ ipfw add deny out</programlisting>
     </sect2>
 
     <sect2 xml:id="firewalls-ipfw-rules">
-      <title>IPFW Rule Syntax</title>
+      <title><application>IPFW</application> Rule Syntax</title>
 
       <indexterm>
-	<primary>IPFW</primary>
+	<primary><application>IPFW</application></primary>
 
 	<secondary>rule processing order</secondary>
       </indexterm>
@@ -1884,7 +1830,7 @@ ipfw add deny out</programlisting>
 	action field value is executed and the search of the ruleset
 	terminates for that packet.  This is referred to as
 	<quote>first match wins</quote>.  If the packet does not match
-	any of the rules, it gets caught by the mandatory IPFW default
+	any of the rules, it gets caught by the mandatory <application>IPFW</application> default
 	rule, number 65535, which denies all packets and silently
 	discards them.  However, if the packet matches a rule that
 	contains the <literal>count</literal>,
@@ -1900,13 +1846,13 @@ ipfw add deny out</programlisting>
 	description, refer to &man.ipfw.8;.</para>
 
 	<indexterm>
-	  <primary>IPFW</primary>
+	  <primary><application>IPFW</application></primary>
 
 	  <secondary>rule syntax</secondary>
 	</indexterm>
 
 	<para>This section describes the keywords which comprise an
-	  <acronym>IPFW</acronym> rule.  Keywords must be written in
+	  <application>IPFW</application> rule.  Keywords must be written in
 	  the following order.  <literal>#</literal> is used to mark
 	  the start of a comment and may appear at the end of a rule
 	  line or on its own line.  Blank lines are ignored.</para>
@@ -2083,7 +2029,7 @@ ipfw add deny out</programlisting>
 	<term>Stateful Rule Option</term>
 	<listitem>
 	<para>The <literal>check-state</literal> option is used to
-	  identify where in the IPFW ruleset the packet is to be
+	  identify where in the <application>IPFW</application> ruleset the packet is to be
 	  tested against the dynamic rules facility.  On a match, the
 	  packet exits the firewall to continue on its way and a new
 	  rule is dynamically created for the next anticipated packet
@@ -2094,7 +2040,7 @@ ipfw add deny out</programlisting>
 	<para>The dynamic rules facility is vulnerable to resource
 	  depletion from a SYN-flood attack which would open a huge
 	  number of dynamic rules.  To counter this type of attack
-	  with  <acronym>IPFW</acronym>, use <literal>limit</literal>.
+	  with  <application>IPFW</application>, use <literal>limit</literal>.
 	  This keyword limits the number of simultaneous sessions by
 	  checking that rule's source or destinations fields and using
 	  the packet's IP address in a search of the open dynamic
@@ -2110,12 +2056,12 @@ ipfw add deny out</programlisting>
 	<title>Logging Firewall Messages</title>
 
 	<indexterm>
-	  <primary>IPFW</primary>
+	  <primary><application>IPFW</application></primary>
 
 	  <secondary>logging</secondary>
 	</indexterm>
 
-	<para>Even with the logging facility enabled, IPFW will not
+	<para>Even with the logging facility enabled, <application>IPFW</application> will not
 	  generate any rule logging on its own.  The firewall
 	  administrator decides which rules in the ruleset will be
 	  logged, and adds the <literal>log</literal> keyword to those
@@ -2156,7 +2102,7 @@ ipfw add deny out</programlisting>
       <sect3 xml:id="firewalls-ipfw-rules-script">
 	<title>Building a Rule Script</title>
 
-	<para>Most experienced IPFW users create a file containing
+	<para>Most experienced <application>IPFW</application> users create a file containing
 	  the rules and code them in a manner compatible with running
 	  them as a script.  The major benefit of doing this is the
 	  firewall rules can be refreshed in mass without the need
@@ -2416,17 +2362,17 @@ pif="dc0"     # public interface name of NIC
 	<indexterm>
 	  <primary>NAT</primary>
 
-	  <secondary>and IPFW</secondary>
+	  <secondary>and <application>IPFW</application></secondary>
 	</indexterm>
 
 	<para>There are some additional configuration statements that
 	  need to be enabled to activate the <acronym>NAT</acronym>
-	  function of IPFW.  For a customized kernel, the kernel
+	  function of <application>IPFW</application>.  For a customized kernel, the kernel
 	  configuration file needs
 	  <literal>option IPDIVERT</literal> added to the other
 	  <literal>IPFIREWALL</literal> options.</para>
 
-	<para>In addition to the normal IPFW options in
+	<para>In addition to the normal <application>IPFW</application> options in
 	  <filename>/etc/rc.conf</filename>, the following are
 	  needed:</para>