Start editorial review. To be continued tomorrow.
Sponsored by: iXsystems
This commit is contained in:
parent
6f7189bc9e
commit
ee993cf4cd
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44055
1 changed files with 62 additions and 116 deletions
|
@ -1585,7 +1585,7 @@ block drop out quick on $ext_if from any to $martians</programlisting>
|
|||
</sect1>
|
||||
|
||||
<sect1 xml:id="firewalls-ipfw">
|
||||
<title>IPFW</title>
|
||||
<title><application>IPFW</application></title>
|
||||
|
||||
<indexterm>
|
||||
<primary>firewall</primary>
|
||||
|
@ -1593,52 +1593,39 @@ block drop out quick on $ext_if from any to $martians</programlisting>
|
|||
<secondary>IPFW</secondary>
|
||||
</indexterm>
|
||||
|
||||
<para><acronym>IPFW</acronym> is a stateful firewall written for
|
||||
&os; which also provides a traffic shaper, packet scheduler,
|
||||
and in-kernel NAT.</para>
|
||||
<para><application>IPFW</application> is a stateful firewall written for
|
||||
&os; which supports both <acronym>IPv4</acronym>
|
||||
and <acronym>IPv6</acronym>. It is comprised of several components: the kernel firewall
|
||||
filter rule processor and its integrated packet accounting
|
||||
facility, the logging facility,
|
||||
<acronym>NAT</acronym>, the &man.dummynet.4; traffic shaper,
|
||||
a forward facility, a bridge
|
||||
facility, and an ipstealth facility.</para>
|
||||
|
||||
<para>&os; provides a sample ruleset in
|
||||
<filename>/etc/rc.firewall</filename>. The sample ruleset
|
||||
define several firewall types for common scenarios to assist
|
||||
<filename>/etc/rc.firewall</filename> which
|
||||
defines several firewall types for common scenarios to assist
|
||||
novice users in generating an appropriate ruleset.
|
||||
&man.ipfw.8; provides a powerful syntax which advanced users can
|
||||
<application>IPFW</application> provides a powerful syntax which advanced users can
|
||||
use to craft customized rulesets that meet the security
|
||||
requirements of a given environment.</para>
|
||||
|
||||
<para>IPFW is composed of several components: the kernel firewall
|
||||
filter rule processor and its integrated packet accounting
|
||||
facility, the logging facility, the
|
||||
<literal>divert</literal> rule which triggers
|
||||
<acronym>NAT</acronym>, the dummynet traffic shaper facilities,
|
||||
the <literal>fwd rule</literal> forward facility, the bridge
|
||||
facility, and the ipstealth facility. IPFW supports both IPv4
|
||||
and IPv6.</para>
|
||||
<para>This section describes how to enable
|
||||
<application>IPFW</application>, provides an overview of its
|
||||
rule syntax, and demonstrates several rulesets for common
|
||||
configuration scenarios.</para>
|
||||
|
||||
<sect2 xml:id="firewalls-ipfw-enable">
|
||||
<title>Enabling IPFW</title>
|
||||
<title>Enabling <application>IPFW</application></title>
|
||||
|
||||
<indexterm>
|
||||
<primary>IPFW</primary>
|
||||
<primary><application>IPFW</application></primary>
|
||||
|
||||
<secondary>enabling</secondary>
|
||||
</indexterm>
|
||||
|
||||
<para>IPFW is included in the basic &os; install as a run time
|
||||
loadable module. The system will dynamically load the kernel
|
||||
module when <filename>rc.conf</filename> contains the
|
||||
statement <literal>firewall_enable="YES"</literal>. After
|
||||
rebooting the system, the following white highlighted message
|
||||
is displayed on the screen as part of the boot process:</para>
|
||||
|
||||
<screen>ipfw2 initialized, divert disabled, rule-based forwarding disabled, default to deny, logging disabled</screen>
|
||||
|
||||
<para>The loadable module includes logging ability. To enable
|
||||
logging and set the verbose logging limit, add these
|
||||
statements to
|
||||
<filename>/etc/sysctl.conf</filename> before rebooting:</para>
|
||||
|
||||
<programlisting>net.inet.ip.fw.verbose=1
|
||||
net.inet.ip.fw.verbose_limit=5</programlisting>
|
||||
<para><application>IPFW</application> is included in the basic &os; install as a kernel
|
||||
loadable module, meaning that a custom kernel is not needed in order to enable <application>IPFW</application>.</para>
|
||||
|
||||
<indexterm>
|
||||
<primary>kernel options</primary>
|
||||
|
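Review bot: the rewrite drops the `/etc/sysctl.conf` instructions (`net.inet.ip.fw.verbose=1`, `net.inet.ip.fw.verbose_limit=5`) and the boot-time line `ipfw2 initialized, divert disabled, rule-based forwarding disabled, default to deny, logging disabled` without replacing them anywhere in this hunk. For users who load the module rather than build a custom kernel, those sysctls are the only documented way to turn on logging (the `IPFIREWALL_VERBOSE` kernel options only apply to a custom kernel), and the boot message is the documented way to confirm the module loaded and what its default policy is; either keep them here or make sure equivalent text lands in the logging section. Minor wording: `It is comprised of several components` reads better as `It is composed of` or `It comprises`.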
@ -1659,76 +1646,35 @@ net.inet.ip.fw.verbose_limit=5</programlisting>
|
|||
</indexterm>
|
||||
|
||||
<indexterm>
|
||||
<primary>IPFW</primary>
|
||||
<primary><application>IPFW</application></primary>
|
||||
|
||||
<secondary>kernel options</secondary>
|
||||
</indexterm>
|
||||
|
||||
<para>For those users who wish to statically compile kernel
|
||||
IPFW support, the following options are available for the
|
||||
<para>For those users who wish to statically compile
|
||||
<application>IPFW</application> support into a custom kernel,
|
||||
refer to the instructions in <xref linkend="kernelconfig"/>.
|
||||
The following options are available for the
|
||||
custom kernel configuration file:</para>
|
||||
|
||||
<programlisting>options IPFIREWALL</programlisting>
|
||||
<programlisting>options IPFIREWALL # enables IPFW
|
||||
options IPFIREWALL_VERBOSE # enables logging for rules with log keyword
|
||||
options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry
|
||||
options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
|
||||
options IPDIVERT # enables NAT</programlisting>
|
||||
|
||||
<para>This option enables IPFW as part of the kernel.</para>
|
||||
|
||||
<programlisting>options IPFIREWALL_VERBOSE</programlisting>
|
||||
|
||||
<para>This option enables logging of packets that pass through
|
||||
IPFW and have the <literal>log</literal> keyword specified in
|
||||
the ruleset.</para>
|
||||
|
||||
<programlisting>options IPFIREWALL_VERBOSE_LIMIT=5</programlisting>
|
||||
|
||||
<para>This option limits the number of packets logged through
|
||||
&man.syslogd.8;, on a per-entry basis. This option may be
|
||||
used in hostile environments, when firewall activity logging
|
||||
is desired. This will close a possible denial of service
|
||||
attack via syslog flooding.</para>
|
||||
|
||||
<indexterm>
|
||||
<primary>kernel options</primary>
|
||||
|
||||
<secondary>IPFIREWALL_DEFAULT_TO_ACCEPT</secondary>
|
||||
</indexterm>
|
||||
|
||||
<programlisting>options IPFIREWALL_DEFAULT_TO_ACCEPT</programlisting>
|
||||
|
||||
<para>This option allows everything to pass through the firewall
|
||||
by default, which is a good idea when the firewall is being
|
||||
set up for the first time.</para>
|
||||
|
||||
<indexterm>
|
||||
<primary>kernel options</primary>
|
||||
|
||||
<secondary>IPDIVERT</secondary>
|
||||
</indexterm>
|
||||
|
||||
<programlisting>options IPDIVERT</programlisting>
|
||||
|
||||
<para>This option enables the use of <acronym>NAT</acronym>
|
||||
functionality.</para>
|
||||
|
||||
<note>
|
||||
<para>The firewall will block all incoming and outgoing
|
||||
packets if either the
|
||||
<literal>IPFIREWALL_DEFAULT_TO_ACCEPT</literal> kernel
|
||||
option or a rule to explicitly allow these connections is
|
||||
missing.</para>
|
||||
</note>
|
||||
|
||||
<para>The following <filename>/etc/rc.conf</filename> option enables the firewall:</para>
|
||||
<para>To configure the system to enable
|
||||
<application>IPFW</application> at boot time, add the
|
||||
following entry to <filename>/etc/rc.conf</filename>:</para>
|
||||
|
||||
<programlisting>firewall_enable="YES"</programlisting>
|
||||
|
||||
<para>To select one of the default firewall types provided by
|
||||
&os;, select one by reading
|
||||
<filename>/etc/rc.firewall</filename> and specify it in
|
||||
the following:</para>
|
||||
<para>To use one of the default firewall types provided by
|
||||
&os;, add another line which specifies the type:</para>
|
||||
|
||||
<programlisting>firewall_type="open"</programlisting>
|
||||
|
||||
<para>Available values for this setting are:</para>
|
||||
<para>The available values for this setting are:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
|
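Review bot: the consolidated `options` listing removes the `<note>` stating that the firewall blocks all incoming and outgoing packets unless `IPFIREWALL_DEFAULT_TO_ACCEPT` is set or explicit allow rules exist, and it removes the rationale for `IPFIREWALL_VERBOSE_LIMIT` (syslog flooding as a denial of service). The lock-out warning in particular is worth keeping as prose beside the listing, since a default-deny kernel on a remote host cuts off the administrator's own session, and the one-line comment `# sets default policy to pass what is not explicitly denied` does not convey that. Also check whether the longer comment lines in the listing exceed the line width used by the rest of the file.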
@ -1746,28 +1692,28 @@ net.inet.ip.fw.verbose_limit=5</programlisting>
|
|||
<para><literal>closed</literal>: entirely disables IP
|
||||
traffic except for the loopback interface.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><literal>workstation</literal>: protects only this
|
||||
machine using stateful rules.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><literal>UNKNOWN</literal>: disables the loading of
|
||||
firewall rules.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para><filename>filename</filename>:
|
||||
absolute path of the file containing the firewall
|
||||
full path of the file containing the firewall
|
||||
rules.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Two methods are available for loading custom
|
||||
<application>ipfw</application> rules. One is to set the
|
||||
<literal>firewall_type</literal> variable to the absolute
|
||||
path of the file which contains the firewall rules.</para>
|
||||
|
||||
<para>The other method is to set the
|
||||
<para>To instead load a custom ruleset, either
|
||||
set the <filename>filename</filename> value of
|
||||
<literal>firewall_type</literal> or set the
|
||||
<literal>firewall_script</literal> variable to the absolute
|
||||
path of an executable script that includes
|
||||
<command>ipfw</command> commands. A ruleset script that
|
||||
blocks all incoming and outgoing traffic would look like
|
||||
this:</para>
|
||||
<command>IPFW</command> commands. This example script
|
||||
blocks all incoming and outgoing traffic:</para>
|
||||
|
||||
<programlisting>#!/bin/sh
|
||||
|
||||
|
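Review bot: `<command>IPFW</command>` in the merged paragraph should stay `<command>ipfw</command>`: the utility name is lowercase (the removed line had it right, and the script that follows invokes `ipfw add`), and `<command>` is the element for the utility rather than for the application name. Wording: `either set the <filename>filename</filename> value of <literal>firewall_type</literal> or set the <literal>firewall_script</literal> variable` is clearer as `set firewall_type to the full path of the rules file, or set firewall_script to the full path of an executable script`; `<replaceable>` is also the usual element for the placeholder `filename`.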
@ -1811,7 +1757,7 @@ ipfw add deny out</programlisting>
|
|||
</sect2>
|
||||
|
||||
<sect2 xml:id="firewalls-ipfw-cmd">
|
||||
<title>The IPFW Command</title>
|
||||
<title>The <application>IPFW</application> Command</title>
|
||||
|
||||
<indexterm><primary><command>ipfw</command></primary></indexterm>
|
||||
|
||||
|
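Review bot: the section describes the `ipfw` utility (the indexterm two lines below uses `<command>ipfw</command>`), so `<title>The <command>ipfw</command> Command</title>` would be more accurate than `<application>IPFW</application>` in this title.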
@ -1825,7 +1771,7 @@ ipfw add deny out</programlisting>
|
|||
changes.</para>
|
||||
|
||||
<para><command>ipfw</command> is a useful way to display the
|
||||
running firewall rules to the console screen. The IPFW
|
||||
running firewall rules to the console screen. The <application>IPFW</application>
|
||||
accounting facility dynamically creates a counter for each
|
||||
rule that counts each packet that matches the rule. During
|
||||
the process of testing a rule, listing the rule with its
|
||||
|
@ -1868,10 +1814,10 @@ ipfw add deny out</programlisting>
|
|||
</sect2>
|
||||
|
||||
<sect2 xml:id="firewalls-ipfw-rules">
|
||||
<title>IPFW Rule Syntax</title>
|
||||
<title><application>IPFW</application> Rule Syntax</title>
|
||||
|
||||
<indexterm>
|
||||
<primary>IPFW</primary>
|
||||
<primary><application>IPFW</application></primary>
|
||||
|
||||
<secondary>rule processing order</secondary>
|
||||
</indexterm>
|
||||
|
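Review bot: the index primaries are now `<primary><application>IPFW</application></primary>` while the `<secondary>IPFW</secondary>` entry left unchanged at the top of the second hunk stays plain text; pick one form for index terms so the generated index collates the entries together.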
@ -1884,7 +1830,7 @@ ipfw add deny out</programlisting>
|
|||
action field value is executed and the search of the ruleset
|
||||
terminates for that packet. This is referred to as
|
||||
<quote>first match wins</quote>. If the packet does not match
|
||||
any of the rules, it gets caught by the mandatory IPFW default
|
||||
any of the rules, it gets caught by the mandatory <application>IPFW</application> default
|
||||
rule, number 65535, which denies all packets and silently
|
||||
discards them. However, if the packet matches a rule that
|
||||
contains the <literal>count</literal>,
|
||||
|
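Review bot: `which denies all packets and silently discards them` is only true for the default build; with `options IPFIREWALL_DEFAULT_TO_ACCEPT`, listed earlier in this commit, rule 65535 passes everything instead. Consider qualifying the sentence, e.g. `which, unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT, denies all packets and silently discards them`.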
@ -1900,13 +1846,13 @@ ipfw add deny out</programlisting>
|
|||
description, refer to &man.ipfw.8;.</para>
|
||||
|
||||
<indexterm>
|
||||
<primary>IPFW</primary>
|
||||
<primary><application>IPFW</application></primary>
|
||||
|
||||
<secondary>rule syntax</secondary>
|
||||
</indexterm>
|
||||
|
||||
<para>This section describes the keywords which comprise an
|
||||
<acronym>IPFW</acronym> rule. Keywords must be written in
|
||||
<application>IPFW</application> rule. Keywords must be written in
|
||||
the following order. <literal>#</literal> is used to mark
|
||||
the start of a comment and may appear at the end of a rule
|
||||
line or on its own line. Blank lines are ignored.</para>
|
||||
|
@ -2083,7 +2029,7 @@ ipfw add deny out</programlisting>
|
|||
<term>Stateful Rule Option</term>
|
||||
<listitem>
|
||||
<para>The <literal>check-state</literal> option is used to
|
||||
identify where in the IPFW ruleset the packet is to be
|
||||
identify where in the <application>IPFW</application> ruleset the packet is to be
|
||||
tested against the dynamic rules facility. On a match, the
|
||||
packet exits the firewall to continue on its way and a new
|
||||
rule is dynamically created for the next anticipated packet
|
||||
|
@ -2094,7 +2040,7 @@ ipfw add deny out</programlisting>
|
|||
<para>The dynamic rules facility is vulnerable to resource
|
||||
depletion from a SYN-flood attack which would open a huge
|
||||
number of dynamic rules. To counter this type of attack
|
||||
with <acronym>IPFW</acronym>, use <literal>limit</literal>.
|
||||
with <application>IPFW</application>, use <literal>limit</literal>.
|
||||
This keyword limits the number of simultaneous sessions by
|
||||
checking that rule's source or destinations fields and using
|
||||
the packet's IP address in a search of the open dynamic
|
||||
|
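Review bot: `checking that rule's source or destinations fields` in the unchanged context has a grammar slip (`destination fields`); since this paragraph is being touched anyway, fix it in the same pass.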
@ -2110,12 +2056,12 @@ ipfw add deny out</programlisting>
|
|||
<title>Logging Firewall Messages</title>
|
||||
|
||||
<indexterm>
|
||||
<primary>IPFW</primary>
|
||||
<primary><application>IPFW</application></primary>
|
||||
|
||||
<secondary>logging</secondary>
|
||||
</indexterm>
|
||||
|
||||
<para>Even with the logging facility enabled, IPFW will not
|
||||
<para>Even with the logging facility enabled, <application>IPFW</application> will not
|
||||
generate any rule logging on its own. The firewall
|
||||
administrator decides which rules in the ruleset will be
|
||||
logged, and adds the <literal>log</literal> keyword to those
|
||||
|
@ -2156,7 +2102,7 @@ ipfw add deny out</programlisting>
|
|||
<sect3 xml:id="firewalls-ipfw-rules-script">
|
||||
<title>Building a Rule Script</title>
|
||||
|
||||
<para>Most experienced IPFW users create a file containing
|
||||
<para>Most experienced <application>IPFW</application> users create a file containing
|
||||
the rules and code them in a manner compatible with running
|
||||
them as a script. The major benefit of doing this is the
|
||||
firewall rules can be refreshed in mass without the need
|
||||
|
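Review bot: `refreshed in mass` in the unchanged context should be `refreshed en masse`; worth fixing while this paragraph is being edited.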
@ -2416,17 +2362,17 @@ pif="dc0" # public interface name of NIC
|
|||
<indexterm>
|
||||
<primary>NAT</primary>
|
||||
|
||||
<secondary>and IPFW</secondary>
|
||||
<secondary>and <application>IPFW</application></secondary>
|
||||
</indexterm>
|
||||
|
||||
<para>There are some additional configuration statements that
|
||||
need to be enabled to activate the <acronym>NAT</acronym>
|
||||
function of IPFW. For a customized kernel, the kernel
|
||||
function of <application>IPFW</application>. For a customized kernel, the kernel
|
||||
configuration file needs
|
||||
<literal>option IPDIVERT</literal> added to the other
|
||||
<literal>IPFIREWALL</literal> options.</para>
|
||||
|
||||
<para>In addition to the normal IPFW options in
|
||||
<para>In addition to the normal <application>IPFW</application> options in
|
||||
<filename>/etc/rc.conf</filename>, the following are
|
||||
needed:</para>
|
||||
|
||||
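Review bot: `<literal>option IPDIVERT</literal>` should read `options IPDIVERT` to match the kernel configuration keyword used in the earlier listing in this commit (`options IPDIVERT # enables NAT`); as written it is not a valid kernel configuration line.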