Start editorial review. To be continued tomorrow.

Sponsored by: iXsystems
This commit is contained in:
Dru Lavigne 2014-02-25 18:57:40 +00:00
parent 6f7189bc9e
commit ee993cf4cd
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44055


@ -1585,7 +1585,7 @@ block drop out quick on $ext_if from any to $martians</programlisting>
</sect1>
<sect1 xml:id="firewalls-ipfw">
<title>IPFW</title>
<title><application>IPFW</application></title>
<indexterm>
<primary>firewall</primary>
@ -1593,52 +1593,39 @@ block drop out quick on $ext_if from any to $martians</programlisting>
<secondary>IPFW</secondary>
</indexterm>
<para><acronym>IPFW</acronym> is a stateful firewall written for
&os; which also provides a traffic shaper, packet scheduler,
and in-kernel NAT.</para>
<para><application>IPFW</application> is a stateful firewall written for
&os; which supports both <acronym>IPv4</acronym>
and <acronym>IPv6</acronym>. It is comprised of several components: the kernel firewall
filter rule processor and its integrated packet accounting
facility, the logging facility,
<acronym>NAT</acronym>, the &man.dummynet.4; traffic shaper,
a forward facility, a bridge
facility, and an ipstealth facility.</para>
<para>&os; provides a sample ruleset in
<filename>/etc/rc.firewall</filename>. The sample ruleset
define several firewall types for common scenarios to assist
<filename>/etc/rc.firewall</filename> which
defines several firewall types for common scenarios to assist
novice users in generating an appropriate ruleset.
&man.ipfw.8; provides a powerful syntax which advanced users can
<application>IPFW</application> provides a powerful syntax which advanced users can
use to craft customized rulesets that meet the security
requirements of a given environment.</para>
<para>IPFW is composed of several components: the kernel firewall
filter rule processor and its integrated packet accounting
facility, the logging facility, the
<literal>divert</literal> rule which triggers
<acronym>NAT</acronym>, the dummynet traffic shaper facilities,
the <literal>fwd rule</literal> forward facility, the bridge
facility, and the ipstealth facility. IPFW supports both IPv4
and IPv6.</para>
<para>This section describes how to enable
<application>IPFW</application>, provides an overview of its
rule syntax, and demonstrates several rulesets for common
configuration scenarios.</para>
<sect2 xml:id="firewalls-ipfw-enable">
<title>Enabling IPFW</title>
<title>Enabling <application>IPFW</application></title>
<indexterm>
<primary>IPFW</primary>
<primary><application>IPFW</application></primary>
<secondary>enabling</secondary>
</indexterm>
<para>IPFW is included in the basic &os; install as a run time
loadable module. The system will dynamically load the kernel
module when <filename>rc.conf</filename> contains the
statement <literal>firewall_enable="YES"</literal>. After
rebooting the system, the following white highlighted message
is displayed on the screen as part of the boot process:</para>
<screen>ipfw2 initialized, divert disabled, rule-based forwarding disabled, default to deny, logging disabled</screen>
<para>The loadable module includes logging ability. To enable
logging and set the verbose logging limit, add these
statements to
<filename>/etc/sysctl.conf</filename> before rebooting:</para>
<programlisting>net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5</programlisting>
<para><application>IPFW</application> is included in the basic &os; install as a kernel
loadable module, meaning that a custom kernel is not needed in order to enable <application>IPFW</application>.</para>
<indexterm>
<primary>kernel options</primary>
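Review bot: the rewritten component list ("the logging facility, <acronym>NAT</acronym>, the &man.dummynet.4; traffic shaper, a forward facility") drops the rule keywords the old wording attached to those components, `divert` for NAT and `fwd` for forwarding; keep them, because they are the keywords the reader meets again in the rule-syntax section. "It is comprised of" should read "It consists of". In the enabling text, the /etc/sysctl.conf statements `net.inet.ip.fw.verbose=1` and `net.inet.ip.fw.verbose_limit=5` appear only in the old wording; if they are being removed, the loadable-module path loses its only instructions for turning on logging and capping log volume, while the custom-kernel path keeps the equivalent via IPFIREWALL_VERBOSE and IPFIREWALL_VERBOSE_LIMIT.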
@ -1659,76 +1646,35 @@ net.inet.ip.fw.verbose_limit=5</programlisting>
</indexterm>
<indexterm>
<primary>IPFW</primary>
<primary><application>IPFW</application></primary>
<secondary>kernel options</secondary>
</indexterm>
<para>For those users who wish to statically compile kernel
IPFW support, the following options are available for the
<para>For those users who wish to statically compile
<application>IPFW</application> support into a custom kernel,
refer to the instructions in <xref linkend="kernelconfig"/>.
The following options are available for the
custom kernel configuration file:</para>
<programlisting>options IPFIREWALL</programlisting>
<programlisting>options IPFIREWALL # enables IPFW
options IPFIREWALL_VERBOSE # enables logging for rules with log keyword
options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry
options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
options IPDIVERT # enables NAT</programlisting>
<para>This option enables IPFW as part of the kernel.</para>
<programlisting>options IPFIREWALL_VERBOSE</programlisting>
<para>This option enables logging of packets that pass through
IPFW and have the <literal>log</literal> keyword specified in
the ruleset.</para>
<programlisting>options IPFIREWALL_VERBOSE_LIMIT=5</programlisting>
<para>This option limits the number of packets logged through
&man.syslogd.8;, on a per-entry basis. This option may be
used in hostile environments, when firewall activity logging
is desired. This will close a possible denial of service
attack via syslog flooding.</para>
<indexterm>
<primary>kernel options</primary>
<secondary>IPFIREWALL_DEFAULT_TO_ACCEPT</secondary>
</indexterm>
<programlisting>options IPFIREWALL_DEFAULT_TO_ACCEPT</programlisting>
<para>This option allows everything to pass through the firewall
by default, which is a good idea when the firewall is being
set up for the first time.</para>
<indexterm>
<primary>kernel options</primary>
<secondary>IPDIVERT</secondary>
</indexterm>
<programlisting>options IPDIVERT</programlisting>
<para>This option enables the use of <acronym>NAT</acronym>
functionality.</para>
<note>
<para>The firewall will block all incoming and outgoing
packets if either the
<literal>IPFIREWALL_DEFAULT_TO_ACCEPT</literal> kernel
option or a rule to explicitly allow these connections is
missing.</para>
</note>
<para>The following <filename>/etc/rc.conf</filename> option enables the firewall:</para>
<para>To configure the system to enable
<application>IPFW</application> at boot time, add the
following entry to <filename>/etc/rc.conf</filename>:</para>
<programlisting>firewall_enable="YES"</programlisting>
<para>To select one of the default firewall types provided by
&os;, select one by reading
<filename>/etc/rc.firewall</filename> and specify it in
the following:</para>
<para>To use one of the default firewall types provided by
&os;, add another line which specifies the type:</para>
<programlisting>firewall_type="open"</programlisting>
<para>Available values for this setting are:</para>
<para>The available values for this setting are:</para>
<itemizedlist>
<listitem>
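Review bot: the one-line comments in the consolidated options listing lose two qualifiers from the prose they replace. "limits number of logged packets per-entry" no longer says that IPFIREWALL_VERBOSE_LIMIT exists to close a denial of service through syslog flooding in hostile environments, and "sets default policy to pass what is not explicitly denied" no longer says that IPFIREWALL_DEFAULT_TO_ACCEPT is meant for first-time setup rather than as the policy to run with. Both points should survive in the text, and the <note> stating that the firewall blocks all traffic when neither that option nor an explicit allow rule is present should stay, since it is what explains to the reader why a fresh ruleset locks them out.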
@ -1746,28 +1692,28 @@ net.inet.ip.fw.verbose_limit=5</programlisting>
<para><literal>closed</literal>: entirely disables IP
traffic except for the loopback interface.</para>
</listitem>
<listitem>
<para><literal>workstation</literal>: protects only this
machine using stateful rules.</para>
</listitem>
<listitem>
<para><literal>UNKNOWN</literal>: disables the loading of
firewall rules.</para>
</listitem>
<listitem>
<para><filename>filename</filename>:
absolute path of the file containing the firewall
full path of the file containing the firewall
rules.</para>
</listitem>
</itemizedlist>
<para>Two methods are available for loading custom
<application>ipfw</application> rules. One is to set the
<literal>firewall_type</literal> variable to the absolute
path of the file which contains the firewall rules.</para>
<para>The other method is to set the
<para>To instead load a custom ruleset, either
set the <filename>filename</filename> value of
<literal>firewall_type</literal> or set the
<literal>firewall_script</literal> variable to the absolute
path of an executable script that includes
<command>ipfw</command> commands. A ruleset script that
blocks all incoming and outgoing traffic would look like
this:</para>
<command>IPFW</command> commands. This example script
blocks all incoming and outgoing traffic:</para>
<programlisting>#!/bin/sh
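Review bot: `<command>IPFW</command>` in "includes <command>IPFW</command> commands. This example script blocks all incoming and outgoing traffic" should be `<command>ipfw</command>`; the script invokes the ipfw(8) utility, and the sentence just above already tags it as `<command>ipfw</command>`. "set the <filename>filename</filename> value of <literal>firewall_type</literal>" is awkward; "set <literal>firewall_type</literal> to the full path of the rules file" matches the list item it refers to.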
@ -1811,7 +1757,7 @@ ipfw add deny out</programlisting>
</sect2>
<sect2 xml:id="firewalls-ipfw-cmd">
<title>The IPFW Command</title>
<title>The <application>IPFW</application> Command</title>
<indexterm><primary><command>ipfw</command></primary></indexterm>
@ -1825,7 +1771,7 @@ ipfw add deny out</programlisting>
changes.</para>
<para><command>ipfw</command> is a useful way to display the
running firewall rules to the console screen. The IPFW
running firewall rules to the console screen. The <application>IPFW</application>
accounting facility dynamically creates a counter for each
rule that counts each packet that matches the rule. During
the process of testing a rule, listing the rule with its
@ -1868,10 +1814,10 @@ ipfw add deny out</programlisting>
</sect2>
<sect2 xml:id="firewalls-ipfw-rules">
<title>IPFW Rule Syntax</title>
<title><application>IPFW</application> Rule Syntax</title>
<indexterm>
<primary>IPFW</primary>
<primary><application>IPFW</application></primary>
<secondary>rule processing order</secondary>
</indexterm>
@ -1884,7 +1830,7 @@ ipfw add deny out</programlisting>
action field value is executed and the search of the ruleset
terminates for that packet. This is referred to as
<quote>first match wins</quote>. If the packet does not match
any of the rules, it gets caught by the mandatory IPFW default
any of the rules, it gets caught by the mandatory <application>IPFW</application> default
rule, number 65535, which denies all packets and silently
discards them. However, if the packet matches a rule that
contains the <literal>count</literal>,
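Review bot: "the mandatory <application>IPFW</application> default rule, number 65535, which denies all packets and silently discards them" is only true for the default build; the options listing earlier in this patch documents IPFIREWALL_DEFAULT_TO_ACCEPT as "sets default policy to pass what is not explicitly denied". Qualify the sentence (for example, "denies all packets unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT") so the two sections do not contradict each other.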
@ -1900,13 +1846,13 @@ ipfw add deny out</programlisting>
description, refer to &man.ipfw.8;.</para>
<indexterm>
<primary>IPFW</primary>
<primary><application>IPFW</application></primary>
<secondary>rule syntax</secondary>
</indexterm>
<para>This section describes the keywords which comprise an
<acronym>IPFW</acronym> rule. Keywords must be written in
<application>IPFW</application> rule. Keywords must be written in
the following order. <literal>#</literal> is used to mark
the start of a comment and may appear at the end of a rule
line or on its own line. Blank lines are ignored.</para>
@ -2083,7 +2029,7 @@ ipfw add deny out</programlisting>
<term>Stateful Rule Option</term>
<listitem>
<para>The <literal>check-state</literal> option is used to
identify where in the IPFW ruleset the packet is to be
identify where in the <application>IPFW</application> ruleset the packet is to be
tested against the dynamic rules facility. On a match, the
packet exits the firewall to continue on its way and a new
rule is dynamically created for the next anticipated packet
@ -2094,7 +2040,7 @@ ipfw add deny out</programlisting>
<para>The dynamic rules facility is vulnerable to resource
depletion from a SYN-flood attack which would open a huge
number of dynamic rules. To counter this type of attack
with <acronym>IPFW</acronym>, use <literal>limit</literal>.
with <application>IPFW</application>, use <literal>limit</literal>.
This keyword limits the number of simultaneous sessions by
checking that rule's source or destinations fields and using
the packet's IP address in a search of the open dynamic
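Review bot: "checking that rule's source or destinations fields" should read "source or destination fields"; the line is unchanged context, but it sits in the paragraph this editorial pass is touching.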
@ -2110,12 +2056,12 @@ ipfw add deny out</programlisting>
<title>Logging Firewall Messages</title>
<indexterm>
<primary>IPFW</primary>
<primary><application>IPFW</application></primary>
<secondary>logging</secondary>
</indexterm>
<para>Even with the logging facility enabled, IPFW will not
<para>Even with the logging facility enabled, <application>IPFW</application> will not
generate any rule logging on its own. The firewall
administrator decides which rules in the ruleset will be
logged, and adds the <literal>log</literal> keyword to those
@ -2156,7 +2102,7 @@ ipfw add deny out</programlisting>
<sect3 xml:id="firewalls-ipfw-rules-script">
<title>Building a Rule Script</title>
<para>Most experienced IPFW users create a file containing
<para>Most experienced <application>IPFW</application> users create a file containing
the rules and code them in a manner compatible with running
them as a script. The major benefit of doing this is the
firewall rules can be refreshed in mass without the need
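Review bot: "refreshed in mass" should be "refreshed en masse"; unchanged context here, but within the scope of the editorial review.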
@ -2416,17 +2362,17 @@ pif="dc0" # public interface name of NIC
<indexterm>
<primary>NAT</primary>
<secondary>and IPFW</secondary>
<secondary>and <application>IPFW</application></secondary>
</indexterm>
<para>There are some additional configuration statements that
need to be enabled to activate the <acronym>NAT</acronym>
function of IPFW. For a customized kernel, the kernel
function of <application>IPFW</application>. For a customized kernel, the kernel
configuration file needs
<literal>option IPDIVERT</literal> added to the other
<literal>IPFIREWALL</literal> options.</para>
<para>In addition to the normal IPFW options in
<para>In addition to the normal <application>IPFW</application> options in
<filename>/etc/rc.conf</filename>, the following are
needed:</para>
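Review bot: `<literal>option IPDIVERT</literal>` should be `<literal>options IPDIVERT</literal>`; the kernel configuration keyword is `options`, as the listing earlier in this patch (`options IPDIVERT # enables NAT`) shows, so the literal as written is not what goes into the configuration file.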