From bdavis@house.so14k.com Sun Jan 23 09:21:08 2005
Return-Path:
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 86E1016A4CE for ; Sun, 23 Jan 2005 09:21:08 +0000 (GMT)
Received: from ender.liquidneon.com (ender.liquidneon.com [64.78.150.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0F29043D31 for ; Sun, 23 Jan 2005 09:21:08 +0000 (GMT) (envelope-from bdavis@house.so14k.com)
Received: from localhost (localhost [127.0.0.1]) by ender.liquidneon.com (Postfix) with ESMTP id 7528943DD for ; Sun, 23 Jan 2005 02:21:07 -0700 (MST)
Received: from ender.liquidneon.com ([127.0.0.1]) by localhost (ender.liquidneon.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 14815-08 for ; Sun, 23 Jan 2005 02:21:07 -0700 (MST)
Received: from mccaffrey.house.so14k.com (gw.house.so14k.com [216.87.87.128]) by ender.liquidneon.com (Postfix) with ESMTP id 9E9E34378 for ; Sun, 23 Jan 2005 02:21:05 -0700 (MST)
Received: by mccaffrey.house.so14k.com (Postfix, from userid 1001) id B5E8CEB2; Sun, 23 Jan 2005 02:21:04 -0700 (MST)
Message-Id: <20050123092104.B5E8CEB2@mccaffrey.house.so14k.com>
Date: Sun, 23 Jan 2005 02:21:04 -0700 (MST)
From: Brad Davis Reply-To: Brad Davis To: FreeBSD-gnats-submit@freebsd.org Cc: Subject: More punctuation and spacing changes for the firewall chapter. X-Send-Pr-Version: 3.113 X-GNATS-Notify: >Number: 76600 >Category: docs >Synopsis: More punctuation and spacing changes for the firewall chapter. >Confidential: no >Severity: non-critical >Priority: low >Responsible: keramida >State: closed >Quarter: >Keywords: >Date-Required: >Class: doc-bug >Submitter-Id: current-users >Arrival-Date: Sun Jan 23 09:30:25 GMT 2005 >Closed-Date: Sun Jan 23 21:14:54 GMT 2005 >Last-Modified: Sun Jan 23 21:14:54 GMT 2005 >Originator: Brad Davis >Release: FreeBSD 4.10-STABLE i386 >Organization: >Environment: System: FreeBSD mccaffrey.house.so14k.com 4.10-STABLE FreeBSD 4.10-STABLE #0: Fri May 28 08:02:41 MDT 2004 root@mccaffrey.house.so14k.com:/usr/obj/usr/src/sys/MCCAFFREY i386 >Description: More punctuation and spacing changes for the firewall chapter. Note that the spacing changes are for the website so that we don't have spaces before periods. >How-To-Repeat: >Fix: --- doc-ori/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml Fri Jan 21 11:05:20 2005 +++ doc/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml Sun Jan 23 02:14:32 2005 @@ -365,7 +365,7 @@ Sample kernel config IPF option statements are in the /usr/src/sys/conf/NOTES kernel source (/usr/src/sys/arch/conf/LINT - for &os; 4.X) and are reproduced here. + for &os; 4.X) and are reproduced here: options IPFILTER options IPFILTER_LOG @@ -401,7 +401,7 @@ # n = map IP & port to names If you have a LAN behind this firewall that uses the reserved private IP address ranges, then you need to add the - following to enable NAT functionality. + following to enable NAT functionality: gateway_enable="YES" # Enable as Lan gateway ipnat_enable="YES" # Start ipnat function 
@@ -414,7 +414,7 @@ The ipf command is used to load your rules file. Normally you create a file containing your custom rules and use this command to replace in mass the currently running firewall - internal rules. + internal rules: ipf -Fa -f /etc/ipf.rules @@ -531,7 +531,7 @@ rotate system logs. That is why outputting the log information to syslogd is better than the default of outputting to a regular file. In the default rc.conf file you see the - ipmon_flags statement uses the flags + ipmon_flags statement uses the flags: ipmon_flags="-Ds" # D = start as daemon # s = log to syslog @@ -564,7 +564,7 @@ and level. IPMON in mode uses local0 as the facility name. All IPMON logged data goes to local0. The following levels can be used to further segregate - the logged data if desired. + the logged data if desired: LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block. LOG_NOTICE - packets logged which are also passed @@ -583,8 +583,7 @@ considerable flexibility in how syslog will deal with system messages issued by software applications like IPF. - Add the following statement to /etc/syslog.conf - : + Add the following statement to /etc/syslog.conf local0.* /var/log/ipfilter.log @@ -751,8 +750,8 @@ Add a script like the following to your /usr/local/etc/rc.d/ startup directory. The script - should have an obvious name like loadipfrules.sh - . The .sh extension is mandatory. + should have an obvious name like loadipfrules.sh. + The .sh extension is mandatory. #!/bin/sh sh /etc/ipf.rules.script @@ -982,7 +981,7 @@ There is no way to match ranges of IP addresses which do not express themselves easily as mask-length. See this web page for help on writing mask-length: - + . @@ -1174,8 +1173,7 @@ Check out this link for port numbers used by Trojans - + url="http://www.simovits.com/trojans/trojans.html">. The following rule set is a complete very secure 'inclusive' type of firewall rule set that I have used on my 
@@ -1404,7 +1402,7 @@ NATed private LAN IP address. According to RFC 1918, you can use the following IP ranges for private nets which will never be routed directly to the public - Internet. + Internet: @@ -1579,7 +1577,7 @@ IPNAT to only use source ports in a range. For example the following rule will tell IPNAT to modify the source port to be - within that range. + within that range: map dc0 192.168.1.0/24 -> 0.32 portmap tcp/udp 20000:60000 @@ -1628,13 +1626,13 @@ map dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80 - or + Or: map dc0 0/32 port 80 -> 10.0.10.25 port 80 - or for a LAN DNS Server on LAN address of Or for a LAN DNS Server on LAN address of 10.0.10.33 that needs to receive - public DNS requests + public DNS requests: map dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 udp >Release-Note: >Audit-Trail: Responsible-Changed-From-To: freebsd-doc->keramida Responsible-Changed-By: keramida Responsible-Changed-When: Sun Jan 23 20:58:57 GMT 2005 Responsible-Changed-Why: Working on this. http://www.freebsd.org/cgi/query-pr.cgi?pr=76600 State-Changed-From-To: open->closed State-Changed-By: keramida State-Changed-When: Sun Jan 23 21:14:45 GMT 2005 State-Changed-Why: Committed, thanks. http://www.freebsd.org/cgi/query-pr.cgi?pr=76600 >Unformatted:
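Review bot: In the @@ -583,8 +583,7 @@ hunk the colon before the `local0.* /var/log/ipfilter.log` example is dropped altogether, while every other hunk in this patch adds a colon before its example; since the stated goal is to stop spaces appearing before punctuation on the website, the consistent fix is to keep the colon and attach it to the filename on the same line, e.g. `Add the following statement to /etc/syslog.conf:`, rather than removing it.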
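Review bot: In the @@ -1628,13 +1626,13 @@ hunk, turning the bare connective between the two `map dc0 ... port 80 -> 10.0.10.25 port 80` examples into `Or:` leaves a one-word sentence standing on its own; a lead-in such as `Or, equivalently:` reads better, and the following `Or for a LAN DNS Server on LAN address of` fragment would benefit from the same treatment so both alternatives are introduced the same way.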