doc-el commit 1021:c7fcededf6cd - Replaced english text of 'fire...
freebsd-doc-el at lists.hellug.gr
Sun Nov 9 06:50:07 EET 2008
changeset: 1021:c7fcededf6cd
user: Manolis Kiagias <sonicy at otenet.gr>
date: 2008-11-06 17:10 +0200
details: http://hg.hellug.gr/freebsd/doc-el/?cmd=changeset;node=c7fcededf6cd
description:
Replaced English text of 'firewalls' chapter with rev. 1.85 (no changes in synopsis)
diffstat:
1 file changed, 188 insertions(+), 127 deletions(-)
el_GR.ISO8859-7/books/handbook/firewalls/chapter.sgml | 315 ++++++++++-------
diffs (truncated from 432 to 300 lines):
diff -r 2cdb806b2e9f -r c7fcededf6cd el_GR.ISO8859-7/books/handbook/firewalls/chapter.sgml
--- a/el_GR.ISO8859-7/books/handbook/firewalls/chapter.sgml Thu Nov 06 17:01:33 2008 +0200
+++ b/el_GR.ISO8859-7/books/handbook/firewalls/chapter.sgml Thu Nov 06 17:10:43 2008 +0200
@@ -7,7 +7,7 @@
$FreeBSD: doc/el_GR.ISO8859-7/books/handbook/firewalls/chapter.sgml,v 1.2 2008/01/14 14:19:45 keramida Exp $
%SOURCE% en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml
- %SRCID% 1.1
+ %SRCID% 1.85
-->
@@ -160,7 +160,11 @@
&man.altq.4; and &man.dummynet.4;. Dummynet has traditionally been
closely tied with <acronym>IPFW</acronym>, and
<acronym>ALTQ</acronym> with
- <acronym>IPF</acronym>/<acronym>PF</acronym>. IPF,
+ <acronym>PF</acronym>. Traffic shaping for <acronym>IPFILTER</acronym> can currently
+ be done with <acronym>IPFILTER</acronym> for NAT and filtering and
+ <acronym>IPFW</acronym> with &man.dummynet.4;
+ <emphasis>or</emphasis> by using <acronym>PF</acronym> with
+ <acronym>ALTQ</acronym>.
IPFW, and PF all use rules to control the access of packets to and
from your system, although they go about it different ways and
have different rule syntaxes.</para>
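Review bot: the removed line carried the leading "IPF," of the sentence that continues on the unchanged context line "IPFW, and PF all use rules ...", so the rendered paragraph now reads "... PF with ALTQ. IPFW, and PF all use rules", a sentence that has lost its first list item. Carry the subject into the added text, for example end the new block with "<acronym>ALTQ</acronym>. IPFILTER," so that the context line completes to "IPFILTER, IPFW, and PF all use rules". The new first sentence is also hard to parse ("shaping for IPFILTER can currently be done with IPFILTER for NAT and filtering and IPFW with dummynet"); "by combining IPFILTER for NAT and filtering with IPFW and dummynet, or by using PF with ALTQ" says the same thing more clearly.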
@@ -185,6 +189,17 @@
</sect1>
<sect1 id="firewalls-pf">
+ <sect1info>
+ <authorgroup>
+ <author>
+ <firstname>John</firstname>
+ <surname>Ferrell</surname>
+ <contrib>Revised and updated by </contrib>
+ <!-- 24 March 2008 -->
+ </author>
+ </authorgroup>
+ </sect1info>
+
<title>The OpenBSD Packet Filter (PF) and
<acronym>ALTQ</acronym></title>
@@ -195,60 +210,66 @@
</indexterm>
<para>As of July 2003 the OpenBSD firewall software application
- known as <acronym>PF</acronym> was ported to &os; and was made
- available in the &os; Ports Collection; the first release that
- contained <acronym>PF</acronym> as an integrated part of the
- base system was &os; 5.3 in November 2004.
- <acronym>PF</acronym> is a complete, fully featured firewall
+ known as <acronym>PF</acronym> was ported to &os; and
+ made available in the &os; Ports Collection. Released in 2004,
+ &os; 5.3 was the first release that contained
+ <acronym>PF</acronym> as an integrated part of the base system.
+ <acronym>PF</acronym> is a complete, full-featured firewall
that has optional support for <acronym>ALTQ</acronym> (Alternate
Queuing). <acronym>ALTQ</acronym> provides Quality of Service
- (<acronym>QoS</acronym>) bandwidth shaping that allows
- guaranteeing bandwidth to different services based on filtering
- rules. The OpenBSD Project does an outstanding job of
- maintaining the PF User's Guide that it will not be made part of
- this handbook firewall section as that would just be duplicated
- effort.</para>
+ (<acronym>QoS</acronym>) functionality.</para>
- <para>More info can be found at the PF for &os; web site: <ulink
+ <para>The OpenBSD Project does an outstanding job of
+ maintaining the <ulink
+ url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>.
+ As such, this section of the Handbook will focus on
+ <acronym>PF</acronym> as it pertains to &os; while providing
+ some general information regarding usage. For detailed usage
+ information please refer to the <ulink
+ url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>.</para>
+
+ <para>More information about <acronym>PF</acronym> for &os;
+ can be found at <ulink
url="http://pf4freebsd.love2party.net/"></ulink>.</para>
<sect2>
- <title>Enabling PF</title>
+ <title>Using the PF loadable kernel module</title>
- <para>PF is included in the basic &os; install for versions newer
- than 5.3 as a separate run time loadable module. The system
- will dynamically load the PF kernel loadable module when the
- rc.conf statement <literal>pf_enable="YES"</literal> is used.
- The loadable module was created with &man.pflog.4; logging
- enabled.</para>
+ <para>Since the release of &os; 5.3, PF has been included in the
+ basic install as a separate run time loadable module. The
+ system will dynamically load the PF kernel module when the
+ &man.rc.conf.5; statement <literal>pf_enable="YES"</literal>
+ is present. However, the <acronym>PF</acronym> module will
+ not load if the system cannot find a <acronym>PF</acronym>
+ ruleset configuration file. The default location is
+ <filename>/etc/pf.conf</filename>. If your
+ <acronym>PF</acronym> ruleset is located somewhere else put
+ <literal>pf_rules="<replaceable>/path/pf.rules</replaceable>"</literal>
+ to your <filename>/etc/rc.conf</filename> configuration file to
+ specify the location.</para>
- <note>
- <para>The module assumes the presence of <literal>options
- INET</literal> and <literal>device bpf</literal>. Unless
- <literal>NOINET6</literal> for &os; prior to 6.0-RELEASE and
- <literal>NO_INET6</literal> for later releases (for example in
- &man.make.conf.5;) was defined during the build, it also
- requires<literal>options INET6</literal>.</para>
- </note>
+ <note>
+ <para>As of &os; 7.0 the sample <filename>pf.conf</filename>
+ that was in <filename class="directory">/etc/</filename> has been
+ moved to <filename
+ class="directory">/usr/share/examples/pf/</filename>. For &os;
+ versions prior to 7.0 there is an <filename>/etc/pf.conf</filename>
+ by default.</para>
+ </note>
- <para>Once the kernel module is loaded or the kernel is statically
- built with PF support, it is possible to enable or disable
- <application>pf</application> with the <command>pfctl</command>
- command.</para>
+ <para>The <acronym>PF</acronym> module can also be loaded manually
+ from the command line:</para>
- <para>This example demonstrates how to enable
- <application>pf</application>:</para>
+ <screen>&prompt.root; <userinput>kldload pf.ko</userinput></screen>
- <screen>&prompt.root; <userinput>pfctl -e</userinput></screen>
-
- <para>The <command>pfctl</command> command provides a way to work
- with the <application>pf</application> firewall. It is a good
- idea to check the &man.pfctl.8; manual page to find out more
- information about using it.</para>
+ <para>The loadable module was created with &man.pflog.4; enabled
+ which provides support for logging. If you need other
+ <acronym>PF</acronym> features you will need to compile
+ <acronym>PF</acronym> support into the kernel.</para>
</sect2>
<sect2>
- <title>Kernel options</title>
+ <title>PF kernel options</title>
<indexterm>
<primary>kernel options</primary>
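Review bot: the new paragraph states that the PF module "will not load" when no ruleset file is found, and the note right after it says that as of 7.0 the sample pf.conf no longer lives in /etc/; taken together this means a 7.0 system with pf_enable="YES" and no /etc/pf.conf boots with no firewall active, but the text never draws that conclusion for the reader. Suggest one sentence after the kldload example telling the reader to verify that the module is loaded and PF is enabled (for example with kldstat and pfctl -s info) before relying on it. Grammar: "put pf_rules=... to your /etc/rc.conf" should read "add ... to". The removed note about options INET, device bpf and the INET6 build requirement has no replacement; if it still applies to the module on current releases it should be kept, and if it was dropped as obsolete the commit message should say so.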
@@ -268,44 +289,43 @@
<secondary>device pfsync</secondary>
</indexterm>
- <para>It is not a mandatory requirement that you enable PF by
- compiling the following options into the &os; kernel. It is
- only presented here as background information. Compiling PF
- into the kernel causes the loadable module to never be
- used.</para>
+ <para>While it is not necessary that you compile
+ <acronym>PF</acronym> support into the &os; kernel, you may want
+ to do so to take advantage of one of PF's advanced features that
+ is not included in the loadable module, namely &man.pfsync.4;, which
+ is a pseudo-device that exposes certain changes to
+ the state table used by <acronym>PF</acronym>. It can be
+ paired with &man.carp.4; to create failover firewalls using
+ <acronym>PF</acronym>. More information on
+ <acronym>CARP</acronym> can be found in
+ <link linkend="carp">chapter 29</link> of the handbook.</para>
- <para>Sample kernel config PF option statements are in the
- <filename>/usr/src/sys/conf/NOTES</filename> kernel source and
- are reproduced here:</para>
+ <para>The <acronym>PF</acronym> kernel options can be found in
+ <filename>/usr/src/sys/conf/NOTES</filename> and are reproduced
+ below:</para>
<programlisting>device pf
device pflog
device pfsync</programlisting>
- <para><literal>device pf</literal> enables support for the
- <quote>Packet Filter</quote> firewall.</para>
+ <para>The <literal>device pf</literal> option enables support for the
+ <quote>Packet Filter</quote> firewall (&man.pf.4;).</para>
- <para><literal>device pflog</literal> enables the optional
+ <para>The <literal>device pflog</literal> option enables the optional
&man.pflog.4; pseudo network device which can be used to log
traffic to a &man.bpf.4; descriptor. The &man.pflogd.8; daemon
can be used to store the logging information to disk.</para>
- <para><literal>device pfsync</literal> enables the optional
- &man.pfsync.4; pseudo network device that is used to monitor
- <quote>state changes</quote>. As this is not part of the
- loadable module one has to build a custom kernel to use
- it.</para>
-
- <para>These settings will take effect only after you have built
- and installed a kernel with them set.</para>
+ <para>The <literal>device pfsync</literal> option enables the optional
+ &man.pfsync.4; pseudo-network device that is used to monitor
+ <quote>state changes</quote>.</para>
</sect2>
<sect2>
<title>Available rc.conf Options</title>
- <para>You need the following statements in
- <filename>/etc/rc.conf</filename> to activate PF at boot
- time:</para>
+ <para>The following &man.rc.conf.5; statements configure
+ <acronym>PF</acronym> and &man.pflog.4; at boot:</para>
<programlisting>pf_enable="YES" # Enable PF (load module if required)
pf_rules="/etc/pf.conf" # rules definition file for pf
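Review bot: the link text in <link linkend="carp">chapter 29</link> hard-codes a chapter number that will drift as the Handbook is reorganised; the linkend already resolves to the right target, so use <xref linkend="carp"> and let the stylesheet generate the reference, or neutral text such as "the CARP section". The removed sentence "These settings will take effect only after you have built and installed a kernel with them set" has no counterpart in the new text; since the paragraph above still says pfsync is only available by compiling PF into the kernel, a short pointer to the kernel configuration chapter after the programlisting would stop readers adding "device pfsync" and expecting it to work without a rebuild.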
@@ -315,22 +335,114 @@
pflog_flags="" # additional flags for pflogd startup</programlisting>
<para>If you have a LAN behind this firewall and have to forward
- packets for the computers in the LAN or want to do NAT, you
- have to enable the following option as well:</para>
+ packets for the computers on the LAN or want to do NAT, you
+ will need the following option as well:</para>
<programlisting>gateway_enable="YES" # Enable as LAN gateway</programlisting>
</sect2>
<sect2>
+ <title>Creating Filtering Rules</title>
+
+ <para><acronym>PF</acronym> reads its configuration rules from
+ &man.pf.conf.5; (<filename>/etc/pf.conf</filename> by
+ default) and it modifies, drops, or passes packets according to
+ the rules or definitions specified there. The &os;
+ installation includes several sample files located in
+ <filename>/usr/share/examples/pf/</filename>. Please refer to
+ the <ulink url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>
+ for complete coverage of <acronym>PF</acronym> rulesets.</para>
+
+ <warning>
+ <para>When browsing the <ulink
+ url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>,
+ please keep in mind that different versions of &os; contain
+ different versions of PF:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para>&os; 5.<replaceable>X</replaceable> —
+ <acronym>PF</acronym> is at OpenBSD 3.5</para>
+ </listitem>
+
+ <listitem>
+ <para>&os; 6.<replaceable>X</replaceable> —
+ <acronym>PF</acronym> is at OpenBSD 3.7</para>
+ </listitem>
+
+ <listitem>
+ <para>&os; 7.<replaceable>X</replaceable> —
+ <acronym>PF</acronym> is at OpenBSD 4.1</para>
+ </listitem>
+ </itemizedlist>
+ </warning>
+
+ <para>The &a.pf; is a good place to ask questions about
+ configuring and running the <acronym>PF</acronym>
+ firewall. Do not forget to check the mailing list archives
+ before asking questions!</para>
+ </sect2>
+
+ <sect2>
+ <title>Working with PF</title>
+
+ <para>Use &man.pfctl.8; to control <acronym>PF</acronym>. Below
+ are some useful commands (be sure to review the &man.pfctl.8;
+ man page for all available options):</para>
+
+ <informaltable frame="none" pgwide="1">
+ <tgroup cols="2">
+ <thead>
+ <row>
+ <entry>Command</entry>
+ <entry>Purpose</entry>
+ </row>
+ </thead>
+
+ <tbody>
+ <row>
+ <entry><command>pfctl <option>-e</option></command></entry>
+ <entry>Enable PF</entry>
+ </row>
+
+ <row>
+ <entry><command>pfctl <option>-d</option></command></entry>
+ <entry>Disable PF</entry>
+ </row>
+
+ <row>
+ <entry><command>pfctl <option>-F</option> all <option>-f</option> /etc/pf.conf</command></entry>
+ <entry>Flush all rules (nat, filter, state, table, etc.) and
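Review bot: the diff is cut off inside the table entry for pfctl -F all -f /etc/pf.conf, so the remaining rows and the end of this sect2 cannot be reviewed here; for the row that is visible, the Purpose column should say plainly that -F all flushes the state table along with the rules, so every established connection through the firewall is dropped when this is run on a live system, whereas pfctl -f /etc/pf.conf on its own replaces the ruleset without flushing state. In the version warning, the three listitems all repeat "PF is at OpenBSD x.y"; a two-column informaltable like the one used for the pfctl commands would read better and make the FreeBSD-to-OpenBSD mapping explicit.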