# SOME DESCRIPTIVE TITLE # Copyright (C) YEAR The FreeBSD Project # This file is distributed under the same license as the FreeBSD Documentation package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: FreeBSD Documentation VERSION\n" "POT-Creation-Date: 2026-02-22 15:58+0000\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. type: YAML Front Matter: description #: documentation/content/en/books/handbook/firewalls/_index.adoc:1 #, no-wrap msgid "FreeBSD has three firewalls built into the base system: PF, IPFW, and IPFILTER. This chapter covers how to define packet filtering rules, the differences between the firewalls built into FreeBSD and how to use them" msgstr "" #. type: YAML Front Matter: part #: documentation/content/en/books/handbook/firewalls/_index.adoc:1 #, no-wrap msgid "IV. Network Communication" msgstr "" #. type: YAML Front Matter: title #: documentation/content/en/books/handbook/firewalls/_index.adoc:1 #, no-wrap msgid "Chapter 33. Firewalls" msgstr "" #. type: Title = #: documentation/content/en/books/handbook/firewalls/_index.adoc:15 #, no-wrap msgid "Firewalls" msgstr "" #. type: Title == #: documentation/content/en/books/handbook/firewalls/_index.adoc:53 #, no-wrap msgid "Synopsis" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:58 msgid "" "Firewalls make it possible to filter the incoming and outgoing traffic that " "flows through a system. A firewall can use one or more sets of \"rules\" to " "inspect network packets as they come in or go out of network connections and " "either allows the traffic through or blocks it. The rules of a firewall can " "inspect one or more characteristics of the packets such as the protocol " "type, source or destination host address, and source or destination port." 
msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:61 msgid "" "Firewalls can enhance the security of a host or a network. They can be used " "to do one or more of the following:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:63 msgid "" "Protect and insulate the applications, services, and machines of an internal " "network from unwanted traffic from the public Internet." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:64 msgid "" "Limit or disable access from hosts of the internal network to services of " "the public Internet." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:65 msgid "" "Support network address translation (NAT), which allows an internal network " "to use private IP addresses and share a single connection to the public " "Internet using either a single IP address or a shared pool of automatically " "assigned public addresses." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:70 msgid "" "FreeBSD has three firewalls built into the base system: PF, IPFW, and " "IPFILTER, also known as IPF. FreeBSD also provides two traffic shapers for " "controlling bandwidth usage: man:altq[4] and man:dummynet[4]. ALTQ has " "traditionally been closely tied with PF and dummynet with IPFW. Each " "firewall uses rules to control the access of packets to and from a FreeBSD " "system, although they go about it in different ways and each has a different " "rule syntax." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:73 msgid "" "FreeBSD provides multiple firewalls in order to meet the different " "requirements and preferences for a wide variety of users. Each user should " "evaluate which firewall best meets their needs." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:75 msgid "Read this chapter to learn:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:77 msgid "How to define packet filtering rules." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:78 msgid "The differences between the firewalls built into FreeBSD." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:79 msgid "How to use and configure the PF firewall." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:80 msgid "How to use and configure the IPFW firewall." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:81 msgid "How to use and configure the IPFILTER firewall." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:83 msgid "Before reading this chapter:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:85 msgid "Understand basic FreeBSD and Internet concepts." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:90 msgid "" "Since all firewalls are based on inspecting the values of selected packet " "control fields, the creator of the firewall ruleset must have an " "understanding of how TCP/IP works, what the different values in the packet " "control fields are, and how these values are used in a normal session " "conversation. For a good introduction, refer to http://" "www.ipprimer.com[Daryl's TCP/IP Primer]." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/firewalls/_index.adoc:93 #, no-wrap msgid "Firewall Concepts" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:101 msgid "" "A ruleset contains a group of rules which pass or block packets based on the " "values contained in the packet. The bi-directional exchange of packets " "between hosts comprises a session conversation. The firewall ruleset " "processes both the packets arriving from the public Internet, as well as the " "packets produced by the system as a response to them. Each TCP/IP service " "is predefined by its protocol and listening port. Packets destined for a " "specific service originate from the source address using an unprivileged " "port and target the specific service port on the destination address. All " "the above parameters can be used as selection criteria to create rules which " "will pass or block services." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:104 msgid "" "To lookup unknown port numbers, refer to [.filename]#/etc/services#. " "Alternatively, visit https://en.wikipedia.org/wiki/" "List_of_TCP_and_UDP_port_numbers[https://en.wikipedia.org/wiki/" "List_of_TCP_and_UDP_port_numbers] and do a port number lookup to find the " "purpose of a particular port number." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:106 msgid "" "Check out this link for http://web.archive.org/web/20150803024617/http://" "www.sans.org/security-resources/idfaq/oddports.php[port numbers used by " "Trojans]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:111 msgid "" "FTP has two modes: active mode and passive mode. The difference is in how " "the data channel is acquired. Passive mode is more secure as the data " "channel is acquired by the ordinal ftp session requester. For a good " "explanation of FTP and the different modes, see http://www.slacksite.com/" "other/ftp.html[http://www.slacksite.com/other/ftp.html]." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:115 msgid "" "A firewall ruleset can be either \"exclusive\" or \"inclusive\". An " "exclusive firewall allows all traffic through except for the traffic " "matching the ruleset. An inclusive firewall does the reverse as it only " "allows traffic matching the rules through and blocks everything else." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:120 msgid "" "An inclusive firewall offers better control of the outgoing traffic, making " "it a better choice for systems that offer services to the public Internet. " "It also controls the type of traffic originating from the public Internet " "that can gain access to a private network. All traffic that does not match " "the rules is blocked and logged. Inclusive firewalls are generally safer " "than exclusive firewalls because they significantly reduce the risk of " "allowing unwanted traffic." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:124 msgid "" "Unless noted otherwise, all configuration and example rulesets in this " "chapter create inclusive firewall rulesets." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:128 msgid "" "Security can be tightened further using a \"stateful firewall\". This type " "of firewall keeps track of open connections and only allows traffic which " "either matches an existing connection or opens a new, allowed connection." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:133 msgid "" "Stateful filtering treats traffic as a bi-directional exchange of packets " "comprising a session. When state is specified on a matching rule the " "firewall dynamically generates internal rules for each anticipated packet " "being exchanged during the session. 
It has sufficient matching capabilities " "to determine if a packet is valid for a session. Any packets that do not " "properly fit the session template are automatically rejected." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:135 msgid "When the session completes, it is removed from the dynamic state table." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:140 msgid "" "Stateful filtering allows one to focus on blocking/passing new sessions. If " "the new session is passed, all its subsequent packets are allowed " "automatically and any impostor packets are automatically rejected. If a new " "session is blocked, none of its subsequent packets are allowed. Stateful " "filtering provides advanced matching abilities capable of defending against " "the flood of different attack methods employed by attackers." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:144 msgid "" "NAT stands for _Network Address Translation_. NAT function enables the " "private LAN behind the firewall to share a single ISP-assigned IP address, " "even if that address is dynamically assigned. NAT allows each computer in " "the LAN to have Internet access, without having to pay the ISP for multiple " "Internet accounts or IP addresses." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:147 msgid "" "NAT will automatically translate the private LAN IP address for each system " "on the LAN to the single public IP address as packets exit the firewall " "bound for the public Internet. It also performs the reverse translation for " "returning packets." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:149 msgid "" "According to RFC 1918, the following IP address ranges are reserved for " "private networks which will never be routed directly to the public Internet, " "and therefore are available for use with NAT:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:151 msgid "`10.0.0.0/8`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:152 msgid "`172.16.0.0/12`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:153 msgid "`192.168.0.0/16`." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:159 msgid "" "When working with the firewall rules, be _very careful_. Some " "configurations _can lock the administrator out_ of the server. To be on the " "safe side, consider performing the initial firewall configuration from the " "local console rather than doing it remotely over ssh." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/firewalls/_index.adoc:162 #, no-wrap msgid "PF" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:166 msgid "" "Since FreeBSD 5.3, a ported version of OpenBSD's PF firewall has been " "included as an integrated part of the base system. PF is a complete, full-" "featured firewall that has optional support for ALTQ (Alternate Queuing), " "which provides Quality of Service (QoS)." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:169 msgid "" "The OpenBSD Project maintains the definitive reference for PF in the http://" "www.openbsd.org/faq/pf/[PF FAQ]. Peter Hansteen maintains a thorough PF " "tutorial at http://home.nuug.no/\\~peter/pf/[http://home.nuug.no/~peter/pf/]." msgstr "" #. 
type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:174 msgid "" "When reading the http://www.openbsd.org/faq/pf/[PF FAQ], keep in mind that " "FreeBSD's version of PF has diverged substantially from the upstream OpenBSD " "version over the years. Not all features work the same way on FreeBSD as " "they do in OpenBSD and vice versa." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:178 msgid "" "The {freebsd-pf} is a good place to ask questions about configuring and " "running the PF firewall. Check the mailing list archives before asking a " "question as it may have already been answered." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:182 msgid "" "This section of the Handbook focuses on PF as it pertains to FreeBSD. It " "demonstrates how to enable PF and ALTQ. It also provides several examples " "for creating rulesets on a FreeBSD system." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:183 #, no-wrap msgid "Enabling PF" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:187 msgid "" "To use PF, its kernel module must be first loaded. This section describes " "the entries that can be added to [.filename]#/etc/rc.conf# to enable PF." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:189 msgid "Start by adding `pf_enable=yes` to [.filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:193 #, no-wrap msgid "# sysrc pf_enable=yes\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:197 msgid "" "Additional options, described in man:pfctl[8], can be passed to PF when it " "is started. 
Add or change this entry in [.filename]#/etc/rc.conf# and " "specify any required flags between the two quotes (`\"\"`):" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:201 #, no-wrap msgid "pf_flags=\"\" # additional flags for pfctl startup\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:207 msgid "" "PF will not start if it cannot find its ruleset configuration file. By " "default, FreeBSD does not ship with a ruleset and there is no [.filename]#/" "etc/pf.conf#. Example rulesets can be found in [.filename]#/usr/share/" "examples/pf/#. If a custom ruleset has been saved somewhere else, add a " "line to [.filename]#/etc/rc.conf# which specifies the full path to the file:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:211 #, no-wrap msgid "pf_rules=\"/path/to/pf.conf\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:215 msgid "" "Logging support for PF is provided by man:pflog[4]. To enable logging " "support, add `pflog_enable=yes` to [.filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:219 #, no-wrap msgid "# sysrc pflog_enable=yes\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:222 msgid "" "The following lines can also be added to change the default location of the " "log file or to specify any additional flags to pass to man:pflog[4] when it " "is started:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:227 #, no-wrap msgid "" "pflog_logfile=\"/var/log/pflog\" # where pflogd should store the logfile\n" "pflog_flags=\"\" # additional flags for pflogd startup\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:230 msgid "" "Finally, if there is a LAN behind the firewall and packets need to be " "forwarded for the computers on the LAN, or NAT is required, enable the " "following option:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:234 #, no-wrap msgid "gateway_enable=\"YES\" # Enable as LAN gateway\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:237 msgid "" "After saving the needed edits, PF can be started with logging support by " "typing:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:242 #, no-wrap msgid "" "# service pf start\n" "# service pflog start\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:247 msgid "" "By default, PF reads its configuration rules from [.filename]#/etc/pf.conf# " "and modifies, drops, or passes packets according to the rules or definitions " "specified in this file. The FreeBSD installation includes several sample " "files located in [.filename]#/usr/share/examples/pf/#. Refer to the http://" "www.openbsd.org/faq/pf/[PF FAQ] for complete coverage of PF rulesets." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:251 msgid "" "To control PF, use `pfctl`. crossref:firewalls[pfctl,Useful `pfctl` " "Options] summarizes some useful options to this command. Refer to " "man:pfctl[8] for a description of all available options:" msgstr "" #. type: Block title #: documentation/content/en/books/handbook/firewalls/_index.adoc:252 #, no-wrap msgid "Useful `pfctl` Options" msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:256 #, no-wrap msgid "Command" msgstr "" #. 
type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:258 #, no-wrap msgid "Purpose" msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:259 #, no-wrap msgid "`pfctl -e`" msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:261 #, no-wrap msgid "Enable PF." msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:262 #, no-wrap msgid "`pfctl -d`" msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:264 #, no-wrap msgid "Disable PF." msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:265 #, no-wrap msgid "`pfctl -F all -f /etc/pf.conf`" msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:267 #, no-wrap msgid "Flush all NAT, filter, state, and table rules and reload [.filename]#/etc/pf.conf#." msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:267 #, no-wrap msgid "`pfctl -s [ rules \\" msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:267 #, no-wrap msgid "nat \\" msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:268 #, no-wrap msgid "states ]`" msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:270 #, no-wrap msgid "Report on the filter rules, NAT rules, or state table." msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:271 #, no-wrap msgid "`pfctl -vnf /etc/pf.conf`" msgstr "" #. type: Table #: documentation/content/en/books/handbook/firewalls/_index.adoc:272 #, no-wrap msgid "Check [.filename]#/etc/pf.conf# for errors, but do not load ruleset." msgstr "" #. 
type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:278 msgid "" "package:security/sudo[] is useful for running commands like `pfctl` that " "require elevated privileges. It can be installed from the Ports Collection." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:282 msgid "" "To keep an eye on the traffic that passes through the PF firewall, consider " "installing the package:sysutils/pftop[] package or port. Once installed, " "pftop can be run to view a running snapshot of traffic in a format which is " "similar to man:top[1]." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:284 #, no-wrap msgid "PF Rulesets" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:288 msgid "" "This section demonstrates how to create a customized ruleset. It starts " "with the simplest of rulesets and builds upon its concepts using several " "examples to demonstrate real-world usage of PF's many features." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:291 msgid "" "The simplest possible ruleset is for a single machine that does not run any " "services and which needs access to one network, which may be the Internet. " "To create this minimal ruleset, edit [.filename]#/etc/pf.conf# so it looks " "like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:296 #, no-wrap msgid "" "block in all\n" "pass out all keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:302 msgid "" "The first rule denies all incoming traffic by default. The second rule " "allows connections created by this system to pass out, while retaining state " "information on those connections. 
This state information allows return " "traffic for those connections to pass back and should only be used on " "machines that can be trusted. The ruleset can be loaded with:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:306 #, no-wrap msgid "# pfctl -e ; pfctl -f /etc/pf.conf\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:311 msgid "" "In addition to keeping state, PF provides _lists_ and _macros_ which can be " "defined for use when creating rules. Macros can include lists and need to " "be defined before use. As an example, insert these lines at the very top of " "the ruleset:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:316 #, no-wrap msgid "" "tcp_services = \"{ ssh, smtp, domain, www, pop3, auth, pop3s }\"\n" "udp_services = \"{ domain }\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:323 msgid "" "PF understands port names as well as port numbers, as long as the names are " "listed in [.filename]#/etc/services#. This example creates two macros. The " "first is a list of seven TCP port names and the second is one UDP port " "name. Once defined, macros can be used in rules. In this example, all " "traffic is blocked except for the connections initiated by this system for " "the seven specified TCP services and the one specified UDP service:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:331 #, no-wrap msgid "" "tcp_services = \"{ ssh, smtp, domain, www, pop3, auth, pop3s }\"\n" "udp_services = \"{ domain }\"\n" "block all\n" "pass out proto tcp to any port $tcp_services keep state\n" "pass proto udp to any port $udp_services keep state\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:335 msgid "" "Even though UDP is considered to be a stateless protocol, PF is able to " "track some state information. For example, when a UDP request is passed " "which asks a name server about a domain name, PF will watch for the response " "to pass it back." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:337 msgid "" "Whenever an edit is made to a ruleset, the new rules must be loaded so they " "can be used:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:341 #: documentation/content/en/books/handbook/firewalls/_index.adoc:559 #, no-wrap msgid "# pfctl -f /etc/pf.conf\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:345 msgid "" "If there are no syntax errors, `pfctl` will not output any messages during " "the rule load. Rules can also be tested before attempting to load them:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:349 #, no-wrap msgid "# pfctl -nf /etc/pf.conf\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:354 msgid "" "Including `-n` causes the rules to be interpreted only, but not loaded. " "This provides an opportunity to correct any errors. At all times, the last " "valid ruleset loaded will be enforced until either PF is disabled or a new " "ruleset is loaded." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:359 msgid "" "Adding `-v` to a `pfctl` ruleset verify or load will display the fully " "parsed rules exactly the way they will be loaded. This is extremely useful " "when debugging rules." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:362 #, no-wrap msgid "A Simple Gateway with NAT" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:367 msgid "" "This section demonstrates how to configure a FreeBSD system running PF to " "act as a gateway for at least one other machine. The gateway needs at least " "two network interfaces, each connected to a separate network. In this " "example, [.filename]#xl0# is connected to the Internet and [.filename]#xl1# " "is connected to the internal network." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:370 msgid "" "First, enable the gateway to let the machine forward the network traffic it " "receives on one interface to another interface. This sysctl setting will " "forward IPv4 packets:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:374 #, no-wrap msgid "# sysctl net.inet.ip.forwarding=1\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:377 msgid "To forward IPv6 traffic, use:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:381 #, no-wrap msgid "# sysctl net.inet6.ip6.forwarding=1\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:384 msgid "" "To enable these settings at system boot, use man:sysrc[8] to add them to " "[.filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:389 #, no-wrap msgid "" "# sysrc gateway_enable=yes\n" "# sysrc ipv6_gateway_enable=yes\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:392 msgid "Verify with `ifconfig` that both of the interfaces are up and running." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:395 msgid "" "Next, create the PF rules to allow the gateway to pass traffic. 
While the " "following rule allows stateful traffic from hosts of the internal network to " "pass to the gateway, the `to` keyword does not guarantee passage all the way " "from source to destination:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:399 #, no-wrap msgid "pass in on xl1 from xl1:network to xl0:network port $ports keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:403 msgid "" "That rule only lets the traffic pass in to the gateway on the internal " "interface. To let the packets go further, a matching rule is needed:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:407 #, no-wrap msgid "pass out on xl0 from xl1:network to xl0:network port $ports keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:413 msgid "" "While these two rules will work, rules this specific are rarely needed. For " "a busy network admin, a readable ruleset is a safer ruleset. The remainder " "of this section demonstrates how to keep the rules as simple as possible for " "readability. For example, those two rules could be replaced with one rule:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:417 #, no-wrap msgid "pass from xl1:network to any port $ports keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:422 msgid "" "The `interface:network` notation can be replaced with a macro to make the " "ruleset even more readable. For example, a `$localnet` macro could be " "defined as the network directly attached to the internal interface " "(`$xl1:network`). Alternatively, the definition of `$localnet` could be " "changed to an _IP address/netmask_ notation to denote a network, such as " "`192.168.100.1/24` for a subnet of private addresses." 
msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:425 msgid "" "If required, `$localnet` could even be defined as a list of networks. " "Whatever the specific needs, a sensible `$localnet` definition could be used " "in a typical pass rule as follows:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:429 #, no-wrap msgid "pass from $localnet to any port $ports keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:433 msgid "" "The following sample ruleset allows all traffic initiated by machines on the " "internal network. It first defines two macros to represent the external and " "internal 3COM interfaces of the gateway." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:438 msgid "" "For dialup users, the external interface will use [.filename]#tun0#. For an " "ADSL connection, specifically those using PPP over Ethernet (PPPoE), the " "correct external interface is [.filename]#tun0#, not the physical Ethernet " "interface." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:449 #, no-wrap msgid "" "ext_if = \"xl0\"\t# macro for external interface - use tun0 for PPPoE\n" "int_if = \"xl1\"\t# macro for internal interface\n" "localnet = $int_if:network\n" "# ext_if IP address could be dynamic, hence ($ext_if)\n" "nat on $ext_if from $localnet to any -> ($ext_if)\n" "block all\n" "pass from { lo0, $localnet } to any keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:454 msgid "" "This ruleset introduces the `nat` rule which is used to handle the network " "address translation from the non-routable addresses inside the internal " "network to the IP address assigned to the external interface. 
The " "parentheses surrounding the last part of the nat rule `($ext_if)` are " "included when the IP address of the external interface is dynamically " "assigned. They make PF look up the interface's current address each time " "the rule is evaluated instead of fixing it when the ruleset is loaded, so " "NAT keeps working without a ruleset reload even if the external IP address " "changes." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:457 msgid "" "Note that this ruleset probably allows more traffic to pass out of the " "network than is needed. One reasonable setup could create this macro:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:462 #, no-wrap msgid "" "client_out = \"{ ftp-data, ftp, ssh, domain, pop3, auth, nntp, http, \\\n" " https, cvspserver, 2628, 5999, 8000, 8080 }\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:465 msgid "to use in the main pass rule:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:470 #, no-wrap msgid "" "pass inet proto tcp from $localnet to any port $client_out \\\n" " flags S/SA keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:474 msgid "" "A few other pass rules may be needed. This one enables SSH on the external " "interface from any source address:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:478 #, no-wrap msgid "pass in inet proto tcp to $ext_if port ssh\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:481 msgid "This macro definition and rule allow DNS and NTP for internal clients:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:486 #, no-wrap msgid "" "udp_services = \"{ domain, ntp }\"\n" "pass quick inet proto { tcp, udp } to any port $udp_services keep state\n" msgstr "" #. 
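The `quick` rule above only makes sense once PF's evaluation order is understood: rules are walked top to bottom, the last match decides, and a matching `quick` rule ends the walk. The following Python model is an added illustration, not PF code and not part of the Handbook. It evaluates a simplified rule syntax (no interfaces, state table or NAT) against packet tuples; the addresses chosen for `$localnet`, `$ext_if` and the remote peers are assumptions taken from documentation ranges.

```python
"""Model of PF's rule-evaluation order: the last matching rule decides,
unless a matching rule carries ``quick``, which ends evaluation at once.

Added illustration, not PF code.  The rule syntax is simplified (no
interfaces, state table or NAT), and the addresses for $localnet, $ext_if
and the peers are assumptions chosen from documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

LOCALNET = ip_network("192.168.100.0/24")      # assumed $localnet
EXT_IF = ip_network("203.0.113.10/32")         # assumed address of $ext_if
UDP_SERVICES = frozenset({53, 123})            # $udp_services = { domain, ntp }


@dataclass(frozen=True)
class Rule:
    action: str                                # "pass" or "block"
    direction: str = "any"                     # "in", "out" or "any"
    proto: Optional[FrozenSet[str]] = None     # None means any protocol
    src: Optional[object] = None               # ip_network, None means any
    dst: Optional[object] = None
    ports: Optional[FrozenSet[int]] = None     # destination ports, None means any
    quick: bool = False

    def matches(self, pkt) -> bool:
        direction, proto, src, dst, dport = pkt
        return (
            self.direction in ("any", direction)
            and (self.proto is None or proto in self.proto)
            and (self.src is None or ip_address(src) in self.src)
            and (self.dst is None or ip_address(dst) in self.dst)
            and (self.ports is None or dport in self.ports)
        )


def evaluate(rules, pkt):
    """Return (verdict, index of the deciding rule).

    Walks the rules top to bottom, remembering the most recent match; a
    matching ``quick`` rule stops the walk.  A packet no rule matches is
    passed, which is PF's default and the reason ``block all`` comes first.
    """
    decision = ("pass", None)
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            decision = (rule.action, idx)
            if rule.quick:
                break
    return decision


# The rules from this section, in the order they appear in pf.conf.
RULESET = [
    Rule("block"),                                              # block all
    Rule("pass", src=LOCALNET),                                 # pass from $localnet to any
    Rule("pass", direction="in", proto=frozenset({"tcp"}),
         dst=EXT_IF, ports=frozenset({22})),                    # pass in ... to $ext_if port ssh
    Rule("pass", proto=frozenset({"tcp", "udp"}),
         ports=UDP_SERVICES, quick=True),                       # pass quick ... port $udp_services
]

# Constructed packets: (direction, proto, src, dst, dport).
PACKETS = {
    "lan dns":   ("in",  "udp", "192.168.100.7", "198.51.100.53", 53),
    "wan ssh":   ("in",  "tcp", "198.51.100.9",  "203.0.113.10",  22),
    "wan http":  ("in",  "tcp", "198.51.100.9",  "203.0.113.10",  80),
    "lan https": ("out", "tcp", "192.168.100.7", "198.51.100.80", 443),
}


def verdicts(rules=RULESET, packets=PACKETS):
    """Map each packet name to (verdict, deciding rule index)."""
    return {name: evaluate(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (verdict, idx) in verdicts().items():
        print(f"{name:10s} -> {verdict:5s} (rule {idx})")
    # Ordering matters: the same rules with "block all" moved to the end
    # block everything the quick rule does not catch first.
    reordered = RULESET[1:] + RULESET[:1]
    for name, (verdict, idx) in verdicts(reordered).items():
        print(f"{name:10s} -> {verdict:5s} (rule {idx}) with block all last")
```

Running the model shows the LAN DNS query decided by the `quick` rule (index 3) even though the later-listed rules would also have matched, the inbound SSH connection decided by the last matching `pass` (index 2), and the inbound HTTP attempt falling through to `block all`. Moving `block all` to the end inverts the outcome for everything except the `quick` rule, which is exactly why the Handbook's ruleset opens with it. Real PF additionally skips rule evaluation for packets that match an existing state entry, which the model leaves out.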
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:494 msgid "" "Note the `quick` keyword in this rule. Since the ruleset consists of " "several rules, it is important to understand the relationships between the " "rules in a ruleset. Rules are evaluated from top to bottom, in the sequence " "they are written. For each packet or connection evaluated by PF, _the last " "matching rule_ in the ruleset is the one which is applied; a packet that " "matches no rule at all is passed, which is why the ruleset opens with " "`block all`, a rule that matches everything and is then overridden by any " "later `pass` rule that also matches. However, when a packet matches a rule " "which contains the `quick` keyword, the rule processing stops and the packet " "is treated according to that rule. This is very useful when an exception to " "the general rules is needed." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:496 #, no-wrap msgid "Creating an FTP Proxy" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:501 msgid "" "Configuring working FTP rules can be problematic due to the nature of the " "FTP protocol. FTP pre-dates firewalls by nearly two decades and is insecure " "in its design. The most common points against using FTP include:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:503 msgid "Passwords are transferred in the clear." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:504 msgid "" "The protocol demands the use of at least two TCP connections (control and " "data) on separate ports." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:505 msgid "" "When a session is established, data is communicated using randomly selected " "ports." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:508 msgid "" "All of these points present security challenges, even before considering any " "potential security weaknesses in client or server software. 
More secure " "alternatives for file transfer exist, such as man:sftp[1] or man:scp[1], " "which both feature authentication and data transfer over encrypted " "connections." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:511 msgid "" "For those situations when FTP is required, PF provides redirection of FTP " "traffic to a small proxy program called man:ftp-proxy[8], which is included " "in the base system of FreeBSD. The role of the proxy is to dynamically " "insert and delete rules in the ruleset, using a set of anchors, to correctly " "handle FTP traffic." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:513 msgid "To enable the FTP proxy, add this line to [.filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:517 #, no-wrap msgid "ftpproxy_enable=\"YES\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:520 msgid "Then start the proxy by running:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:524 #, no-wrap msgid "# service ftp-proxy start\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:528 msgid "" "For a basic configuration, three elements need to be added to [.filename]#/" "etc/pf.conf#. First, the anchors which the proxy will use to insert the " "rules it generates for the FTP sessions:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:533 #, no-wrap msgid "" "nat-anchor \"ftp-proxy/*\"\n" "rdr-anchor \"ftp-proxy/*\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:536 msgid "Second, a pass rule is needed to allow FTP traffic in to the proxy." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:539 msgid "" "Third, redirection and NAT rules need to be defined before the filtering " "rules. Insert this `rdr` rule immediately after the `nat` rule:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:543 #, no-wrap msgid "rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:546 msgid "Finally, allow the redirected traffic to pass:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:550 #, no-wrap msgid "pass out proto tcp from $proxy to any port ftp\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:553 msgid "" "where `$proxy` is a macro, defined alongside the other macros, that expands " "to the address the proxy daemon is bound to (`127.0.0.1` in the `rdr` rule " "above)." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:555 msgid "" "Save [.filename]#/etc/pf.conf#, load the new rules with `pfctl -f /etc/" "pf.conf`, and verify from a client that FTP connections are working." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:565 msgid "" "This example covers a basic setup where the clients in the local network " "need to contact FTP servers elsewhere. This basic configuration should work " "well with most combinations of FTP clients and servers. As shown in man:ftp-" "proxy[8], the proxy's behavior can be changed in various ways by adding " "options to the `ftpproxy_flags=` line. Some clients or servers may have " "specific quirks that must be compensated for in the configuration, or there " "may be a need to integrate the proxy in specific ways such as assigning FTP " "traffic to a specific queue." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:567 msgid "" "For ways to run an FTP server protected by PF and man:ftp-proxy[8], " "configure a separate `ftp-proxy` in reverse mode, using `-R`, on a separate " "port with its own redirecting pass rule." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:569 #, no-wrap msgid "Managing ICMP" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:572 msgid "" "Many of the tools used for debugging or troubleshooting a TCP/IP network " "rely on the Internet Control Message Protocol (ICMP), which was designed " "specifically with debugging in mind." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:575 msgid "" "The ICMP protocol sends and receives _control messages_ between hosts and " "gateways, mainly to provide feedback to a sender about any unusual or " "difficult conditions enroute to the target host. Routers use ICMP to " "negotiate packet sizes and other transmission parameters in a process often " "referred to as _path MTU discovery_." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:579 msgid "" "From a firewall perspective, some ICMP control messages are vulnerable to " "known attack vectors. Also, letting all diagnostic traffic pass " "unconditionally makes debugging easier, but it also makes it easier for " "others to extract information about the network. For these reasons, the " "following rule may not be optimal:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:583 #, no-wrap msgid "pass inet proto icmp from any to any\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:586 msgid "" "One solution is to let all ICMP traffic from the local network through, and " "to accept ICMP from outside only when it is addressed to the gateway's " "external interface itself, so that the hosts behind the gateway cannot be " "probed:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:591 #, no-wrap msgid "" "pass inet proto icmp from $localnet to any keep state\n" "pass inet proto icmp from any to $ext_if keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:596 msgid "" "Additional options are available which demonstrate some of PF's " "flexibility. For example, rather than allowing all ICMP messages, one can " "specify the messages used by man:ping[8] and man:traceroute[8]. Start by " "defining a macro for that type of message:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:600 #, no-wrap msgid "icmp_types = \"echoreq\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:603 msgid "and a rule which uses the macro:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:607 #: documentation/content/en/books/handbook/firewalls/_index.adoc:647 #, no-wrap msgid "pass inet proto icmp all icmp-type $icmp_types keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:612 msgid "" "If other types of ICMP packets are needed, expand `icmp_types` to a list of " "those packet types. Type `more /usr/src/sbin/pfctl/pfctl_parser.c` to see " "the list of ICMP message type names supported by PF. Refer to http://" "www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml[http://" "www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml] for an " "explanation of each message type." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:614 msgid "" "Since Unix `traceroute` uses UDP by default, another rule is needed to allow " "Unix `traceroute`:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:619 #, no-wrap msgid "" "# allow out the default range for traceroute(8):\n" "pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:624 msgid "" "Since `TRACERT.EXE` on Microsoft Windows systems uses ICMP echo request " "messages, only the first rule is needed to allow network traces from those " "systems. Unix `traceroute` can be instructed to use other protocols as " "well, and will use ICMP echo request messages if `-I` is used. Check the " "man:traceroute[8] man page for details." msgstr "" #. type: Title ===== #: documentation/content/en/books/handbook/firewalls/_index.adoc:626 #, no-wrap msgid "Path MTU Discovery" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:631 msgid "" "Internet protocols are designed to be device independent, and one " "consequence of device independence is that the optimal packet size for a " "given connection cannot always be predicted reliably. The main constraint " "on packet size is the _Maximum Transmission Unit_ (MTU) which sets the upper " "limit on the packet size for an interface. Type `ifconfig` to view the MTUs " "for a system's network interfaces." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:636 msgid "" "TCP/IP uses a process known as path MTU discovery to determine the right " "packet size for a connection. This process sends packets of varying sizes " "with the \"Do not fragment\" flag set, expecting an ICMP return packet of " "\"type 3, code 4\" when the upper limit has been reached. 
Type 3 means " "\"destination unreachable\", and code 4 is short for \"fragmentation needed, " "but the do-not-fragment flag is set\". To allow path MTU discovery in order " "to support connections to other MTUs, add the `destination unreachable` type " "(`unreach`) to the `icmp_types` macro:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:640 #, no-wrap msgid "icmp_types = \"{ echoreq, unreach }\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:643 msgid "" "Since the pass rule already uses that macro, it does not need to be modified " "to support the new ICMP type:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:651 msgid "" "PF allows filtering on all variations of ICMP types and codes; for example, " "`icmp-type unreach code needfrag` admits only the fragmentation-needed " "message rather than every destination-unreachable message. The list of " "possible types and codes is documented in man:icmp[4] and man:icmp6[4]." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:653 #, no-wrap msgid "Using Tables" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:658 msgid "" "Some types of data are relevant to filtering and redirection at a given " "time, but their definition is too long to be included in the ruleset file. " "PF supports the use of tables, which are defined lists that can be " "manipulated without needing to reload the entire ruleset, and which can " "provide fast lookups. Table names are always enclosed within `< >`, like " "this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:662 #, no-wrap msgid "table <clients> { 192.168.2.0/24, !192.168.2.5 }\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:666 msgid "" "In this example, the `192.168.2.0/24` network is part of the table, except " "for the address `192.168.2.5`, which is excluded using the `!` operator. 
It " "is also possible to load tables from files where each item is on a separate " "line, as seen in this example [.filename]#/etc/clients#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:671 #, no-wrap msgid "" "192.168.2.0/24\n" "!192.168.2.5\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:674 msgid "To refer to the file, define the table like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:678 #, no-wrap msgid "table <clients> persist file \"/etc/clients\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:681 msgid "Once the table is defined, it can be referenced by a rule:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:685 #, no-wrap msgid "pass inet proto tcp from <clients> to any port $client_out flags S/SA keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:689 msgid "" "A table's contents can be manipulated live, using `pfctl`. This example " "adds another network to the table:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:693 #, no-wrap msgid "# pfctl -t clients -T add 192.168.1.0/24\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:699 msgid "" "Note that any changes made this way take effect immediately, making them " "ideal for testing, but they will not survive a power failure or reboot. To " "make the changes permanent, modify the definition of the table in the " "ruleset or edit the file that the table refers to. One can maintain the " "on-disk copy of the table using a man:cron[8] job which dumps the table's " "contents to disk at regular intervals, using a command such as `pfctl -t " "clients -T show >/etc/clients`. 
Alternatively, after editing [.filename]#/etc/clients# by hand, the " "in-memory table can be replaced with the file's contents:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:703 #, no-wrap msgid "# pfctl -t clients -T replace -f /etc/clients\n" msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:706 #, no-wrap msgid "Using Overload Tables to Protect SSH" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:709 msgid "" "Those who run SSH on an external interface have probably seen something like " "this in the authentication logs:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:718 #, no-wrap msgid "" "Sep 26 03:12:34 skapet sshd[25771]: Failed password for root from 200.72.41.31 port 40992 ssh2\n" "Sep 26 03:12:34 skapet sshd[5279]: Failed password for root from 200.72.41.31 port 40992 ssh2\n" "Sep 26 03:12:35 skapet sshd[5279]: Received disconnect from 200.72.41.31: 11: Bye Bye\n" "Sep 26 03:12:44 skapet sshd[29635]: Invalid user admin from 200.72.41.31\n" "Sep 26 03:12:44 skapet sshd[24703]: input_userauth_request: invalid user admin\n" "Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from 200.72.41.31 port 41484 ssh2\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:721 msgid "" "This is indicative of a brute force attack where somebody or some program is " "trying to discover the user name and password which will let them into the " "system." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:726 msgid "" "If external SSH access is needed for legitimate users, changing the default " "port used by SSH can offer some protection. However, PF provides a more " "elegant solution. 
Pass rules can contain limits on what connecting hosts " "can do and violators can be banished to a table of addresses which are " "denied some or all access. It is even possible to drop all existing " "connections from machines which overreach the limits." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:728 msgid "" "To configure this, create this table in the tables section of the ruleset:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:732 #, no-wrap msgid "table <bruteforce> persist\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:735 msgid "" "Then, somewhere early in the ruleset, add rules to block brute access while " "allowing legitimate access:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:743 #, no-wrap msgid "" "block quick from <bruteforce>\n" "pass inet proto tcp from any to $localnet port $tcp_services \\\n" " flags S/SA keep state \\\n" " (max-src-conn 100, max-src-conn-rate 15/5, \\\n" " overload <bruteforce> flush global)\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:747 msgid "" "The part in parentheses defines the limits and the numbers should be changed " "to meet local requirements. It can be read as follows:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:749 msgid "" "`max-src-conn` is the number of simultaneous connections allowed from one " "host." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:751 msgid "" "`max-src-conn-rate` is the rate of new connections allowed from any single " "host (_15_) per number of seconds (_5_)." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:754 msgid "" "`overload <bruteforce>` means that any host which exceeds these limits gets " "its address added to the `bruteforce` table. The ruleset blocks all traffic " "from addresses in the `bruteforce` table." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:756 msgid "" "Finally, `flush` terminates the states this rule created for the offending " "host, and `global` extends that to all of the host's states, whichever rule " "created them." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:760 msgid "" "These rules will _not_ block slow bruteforcers, as described in http://" "home.nuug.no/\\~peter/hailmary2013/[http://home.nuug.no/~peter/" "hailmary2013/]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:764 msgid "" "This example ruleset is intended mainly as an illustration. For example, if " "a generous number of connections in general are wanted, but the desire is to " "be more restrictive when it comes to ssh, supplement the rule above with " "something like the one below, early on in the rule set. SSH uses only TCP, " "and `flags` is meaningful only for TCP, so the rule is restricted to " "`proto tcp`:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:771 #, no-wrap msgid "" "pass quick proto tcp from any to any port ssh \\\n" " flags S/SA keep state \\\n" " (max-src-conn 15, max-src-conn-rate 5/3, \\\n" " overload <bruteforce> flush global)\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:776 #, no-wrap msgid "*It May Not be Necessary to Block All Overloaders:* +\n" msgstr "" #. 
type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:778 msgid "" "It is worth noting that the overload mechanism is a general technique which " "does not apply exclusively to SSH, and it is not always optimal to entirely " "block all traffic from offenders." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:780 msgid "" "For example, an overload rule could be used to protect a mail service or a " "web service, and the overload table could be used in a rule to assign " "offenders to a queue with a minimal bandwidth allocation or to redirect to a " "specific web page." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:784 msgid "" "Over time, tables will be filled by overload rules and their size will grow " "incrementally, taking up more memory. Sometimes an IP address that is " "blocked is a dynamically assigned one, which has since been assigned to a " "host which has a legitimate reason to communicate with hosts in the local " "network." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:787 msgid "" "For situations like these, pfctl provides the ability to expire table " "entries. For example, this command will remove `<bruteforce>` table entries " "which have not been referenced for `86400` seconds:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:791 #, no-wrap msgid "# pfctl -t bruteforce -T expire 86400\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:794 msgid "" "Similar functionality is provided by package:security/expiretable[], which " "removes table entries which have not been accessed for a specified period of " "time." msgstr "" #. 
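The overload rules earlier in this section trip only on connection rate, and, as the note above says, a slow brute-forcer that spaces its guesses out stays under `max-src-conn-rate`. Counting failed logins per source over a longer window in the sshd log catches it, and the result can be fed into the same `<bruteforce>` table. The script below is an added example, not part of the Handbook: the log lines are constructed, the five-failures-per-hour threshold, the window and the syslog year are assumptions, and it only prints the `pfctl` commands unless `apply=True` is passed on a host where the table exists.

```python
"""Find SSH brute-force sources in sshd log lines and emit the pfctl
commands that would add them to the <bruteforce> table.

Added example, not part of the Handbook.  Threshold, window and the year
assumed for syslog timestamps are assumptions; the log lines are constructed.
"""
import re
import subprocess
from collections import defaultdict
from datetime import datetime, timedelta

# Matches "Failed password for root from X" and
# "Failed password for invalid user admin from X" style lines.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: a fast guesser, a slow guesser and one legitimate typo.
SAMPLE_LOG = """\
Sep 26 03:12:34 skapet sshd[25771]: Failed password for root from 200.72.41.31 port 40992 ssh2
Sep 26 03:12:35 skapet sshd[25773]: Failed password for root from 200.72.41.31 port 40993 ssh2
Sep 26 03:12:36 skapet sshd[25775]: Failed password for invalid user admin from 200.72.41.31 port 40994 ssh2
Sep 26 03:12:37 skapet sshd[25777]: Failed password for invalid user test from 200.72.41.31 port 40995 ssh2
Sep 26 03:12:38 skapet sshd[25779]: Failed password for root from 200.72.41.31 port 40996 ssh2
Sep 26 03:20:01 skapet sshd[25801]: Failed password for root from 198.51.100.77 port 51000 ssh2
Sep 26 03:25:11 skapet sshd[25809]: Failed password for invalid user oracle from 198.51.100.77 port 51001 ssh2
Sep 26 03:31:40 skapet sshd[25822]: Failed password for root from 198.51.100.77 port 51002 ssh2
Sep 26 03:36:02 skapet sshd[25830]: Failed password for invalid user git from 198.51.100.77 port 51003 ssh2
Sep 26 03:41:55 skapet sshd[25841]: Failed password for root from 198.51.100.77 port 51004 ssh2
Sep 26 03:42:10 skapet sshd[25845]: Failed password for peter from 192.0.2.5 port 60000 ssh2
Sep 26 03:42:20 skapet sshd[25845]: Accepted publickey for peter from 192.0.2.5 port 60000 ssh2
"""


def parse_failures(lines, year=2024):
    """Return {ip: [timestamps]} of failed password attempts.
    Syslog lines carry no year, so one is assumed for sorting."""
    failures = defaultdict(list)
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            failures[m["ip"]].append(ts)
    return failures


def offenders(lines, threshold=5, window_seconds=3600):
    """Sources with at least `threshold` failures inside any window of
    `window_seconds`.  Unlike max-src-conn-rate, a one-hour window catches
    a guesser that waits minutes between attempts.  Returns {ip: total}."""
    window = timedelta(seconds=window_seconds)
    hits = {}
    for ip, stamps in parse_failures(lines).items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                hits[ip] = len(stamps)
                break
    return hits


def pfctl_commands(ips, table="bruteforce"):
    """One pfctl invocation per offender; the table is the one the
    overload rules above fill, so the existing block rule covers it."""
    return [["pfctl", "-t", table, "-T", "add", ip] for ip in sorted(ips)]


def block(lines, apply=False, **kw):
    """Print (or, with apply=True, run as root) the table additions."""
    cmds = pfctl_commands(offenders(lines, **kw))
    for cmd in cmds:
        if apply:
            subprocess.run(cmd, check=True)   # needs root and a loaded <bruteforce> table
        else:
            print(" ".join(cmd))
    return cmds


if __name__ == "__main__":
    block(SAMPLE_LOG.splitlines())
```

On the sample the fast guesser (five failures in four seconds) and the slow one (five failures spread over twenty-two minutes, which the `max-src-conn-rate 15/5` rule never notices) are both reported, while the user who mistyped once and then logged in with a key is left alone. Entries added this way age out with the same `pfctl -T expire` or expiretable run as the overload entries.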
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:797 msgid "" "Once installed, expiretable can be run to remove `<bruteforce>` table " "entries older than a specified age. This example removes all entries older " "than 24 hours:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:801 #, no-wrap msgid "/usr/local/sbin/expiretable -v -d -t 24h bruteforce\n" msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:804 #, no-wrap msgid "Protecting Against SPAM" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:808 msgid "" "Not to be confused with the spamd daemon which comes bundled with " "spamassassin, package:mail/spamd[] can be configured with PF to provide an " "outer defense against SPAM. This spamd hooks into the PF configuration " "using a set of redirections." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:810 msgid "" "Spammers tend to send a large number of messages, and SPAM is mainly sent " "from a few spammer friendly networks and a large number of hijacked " "machines, both of which are reported to _blocklists_ fairly quickly." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:814 msgid "" "When an SMTP connection from an address in a blocklist is received, spamd " "presents its banner and immediately switches to a mode where it answers SMTP " "traffic one byte at a time. This technique, which is intended to waste as " "much time as possible on the spammer's end, is called _tarpitting_. The " "specific implementation which uses one byte SMTP replies is often referred " "to as _stuttering_." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:817 msgid "" "This example demonstrates the basic procedure for setting up spamd with " "automatically updated blocklists. 
Refer to the man pages which are " "installed with package:mail/spamd[] for more information." msgstr "" #. type: Block title #: documentation/content/en/books/handbook/firewalls/_index.adoc:820 #, no-wrap msgid "Procedure: Configuring spamd" msgstr "" #. type: delimited block * 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:822 msgid "" "Install the package:mail/spamd[] package or port. To use spamd's greylisting " "features, man:fdescfs[5] must be mounted at [.filename]#/dev/fd#. Add the " "following line to [.filename]#/etc/fstab#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:826 #, no-wrap msgid " fdescfs /dev/fd fdescfs rw 0 0\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:829 msgid "Then, mount the filesystem:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:833 #, no-wrap msgid "# mount fdescfs\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:836 msgid "Next, edit the PF ruleset to include:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:845 #, no-wrap msgid "" "table persist\n" "table persist\n" "rdr pass on $ext_if inet proto tcp from to \\\n" " { $ext_if, $localnet } port smtp -> 127.0.0.1 port 8025\n" "rdr pass on $ext_if inet proto tcp from ! to \\\n" " { $ext_if, $localnet } port smtp -> 127.0.0.1 port 8025\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:849 msgid "" "The two tables `` and `` are essential. SMTP traffic " "from an address listed in `` but not in `` is redirected " "to the spamd daemon listening at port 8025." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:850 msgid "" "The next step is to configure spamd in [.filename]#/usr/local/etc/" "spamd.conf# and to add some [.filename]#rc.conf# parameters." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:853 msgid "" "The installation of package:mail/spamd[] includes a sample configuration " "file ([.filename]#/usr/local/etc/spamd.conf.sample#) and a man page for " "[.filename]#spamd.conf#. Refer to these for additional configuration " "options beyond those shown in this example." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:855 msgid "" "One of the first lines in the configuration file that does not begin with a " "`+#+` comment sign contains the block which defines the `all` list, which " "specifies the lists to use:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:860 #, no-wrap msgid "" "all:\\\n" " :traplist:allowlist:\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:863 msgid "" "This entry adds the desired blocklists, separated by colons (`:`). To use " "an allowlist to subtract addresses from a blocklist, add the name of the " "allowlist _immediately_ after the name of that blocklist. For example: " "`:blocklist:allowlist:`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:865 msgid "This is followed by the specified blocklist's definition:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:873 #, no-wrap msgid "" "traplist:\\\n" " :black:\\\n" " :msg=\"SPAM. Your address %A has sent spam within the last 24 hours\":\\\n" " :method=http:\\\n" " :file=www.openbsd.org/spamd/traplist.gz\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:879 msgid "" "where the first line is the name of the blocklist and the second line " "specifies the list type. The `msg` field contains the message to display to " "blocklisted senders during the SMTP dialogue. The `method` field specifies " "how spamd-setup fetches the list data; supported methods are `http`, `ftp`, " "from a `file` in a mounted file system, and via `exec` of an external " "program. Finally, the `file` field specifies the name of the file spamd " "expects to receive." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:881 msgid "" "The definition of the specified allowlist is similar, but omits the `msg` " "field since a message is not needed:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:888 #, no-wrap msgid "" "allowlist:\\\n" " :white:\\\n" " :method=file:\\\n" " :file=/var/mail/allowlist.txt\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:893 #, no-wrap msgid "*Choose Data Sources with Care:* +\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:896 msgid "" "Using all the blocklists in the sample [.filename]#spamd.conf# will block " "large blocks of the Internet. Administrators need to edit the file to " "create an optimal configuration which uses applicable data sources and, when " "necessary, uses custom lists." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:900 msgid "" "Next, add this entry to [.filename]#/etc/rc.conf#. Additional flags are " "described in the man page specified by the comment:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:904 #, no-wrap msgid "spamd_flags=\"-v\" # use \"\" for no flags; see spamd(8) for the available flags\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:908 msgid "" "When finished, reload the ruleset, start spamd by typing `service obspamd " "start`, and complete the configuration using `spamd-setup`. Finally, create " "a man:cron[8] job which calls `spamd-setup` to update the tables at " "reasonable intervals." msgstr "" #. type: delimited block * 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:911 msgid "" "On a typical gateway in front of a mail server, hosts will soon start " "getting trapped within a few seconds to several minutes." msgstr "" #. type: delimited block * 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:915 msgid "" "PF also supports _greylisting_, which temporarily rejects messages from " "unknown hosts with _45n_ codes. Messages from greylisted hosts which try " "again within a reasonable time are let through. Traffic from senders which " "are set up to behave within the limits set by RFC 1123 and RFC 2821 are " "immediately let through." msgstr "" #. type: delimited block * 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:919 msgid "" "More information about greylisting as a technique can be found at the http://" "www.greylisting.org/[greylisting.org] web site. The most amazing thing " "about greylisting, apart from its simplicity, is that it still works. " "Spammers and malware writers have been very slow to adapt to bypass this " "technique." msgstr "" #. type: delimited block * 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:921 msgid "The basic procedure for configuring greylisting is as follows:" msgstr "" #. type: Block title #: documentation/content/en/books/handbook/firewalls/_index.adoc:923 #, no-wrap msgid "Procedure: Configuring Greylisting" msgstr "" #. 
type: delimited block * 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:925 msgid "" "Make sure that man:fdescfs[5] is mounted as described in Step 1 of the " "previous Procedure." msgstr "" #. type: delimited block * 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:926 msgid "" "To run spamd in greylisting mode, add this line to [.filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:930 #, no-wrap msgid "spamd_grey=\"YES\" # use spamd greylisting if YES\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:933 msgid "" "Refer to the spamd man page for descriptions of additional related " "parameters." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:934 msgid "To complete the greylisting setup:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:939 #, no-wrap msgid "" "# service obspamd restart\n" "# service obspamlogd start\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:943 msgid "" "Behind the scenes, the spamdb database tool and the spamlogd whitelist " "updater perform essential functions for the greylisting feature. spamdb is " "the administrator's main interface to managing the block, grey, and allow " "lists via the contents of the [.filename]#/var/db/spamdb# database." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:945 #, no-wrap msgid "Network Hygiene" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:948 msgid "" "This section describes how `block-policy`, `scrub`, and `antispoof` can be " "used to make the ruleset behave sanely." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:952 msgid "" "The `block-policy` is an option which can be set in the `options` part of " "the ruleset, which precedes the redirection and filtering rules. This " "option determines which feedback, if any, PF sends to hosts that are blocked " "by a rule. The option has two possible values: `drop` drops blocked packets " "with no feedback, and `return` returns a status code such as `Connection " "refused`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:955 msgid "" "If not set, the default policy is `drop`. To change the `block-policy`, " "specify the desired value:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:959 #, no-wrap msgid "set block-policy return\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:965 msgid "" "In PF, `scrub` is a keyword which enables network packet normalization. " "This process reassembles fragmented packets and drops TCP packets that have " "invalid flag combinations. Enabling `scrub` provides a measure of " "protection against certain kinds of attacks based on incorrect handling of " "packet fragments. A number of options are available, but the simplest form " "is suitable for most configurations:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:969 #, no-wrap msgid "scrub in all\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:973 msgid "" "Some services, such as NFS, require specific fragment handling options. " "Refer to https://home.nuug.no/\\~peter/pf/en/scrub.html[https://home.nuug.no/" "~peter/pf/en/scrub.html] for more information." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:975 msgid "" "This example reassembles fragments, clears the \"do not fragment\" bit, and " "sets the maximum segment size to 1440 bytes:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:979 #, no-wrap msgid "scrub in all fragment reassemble no-df max-mss 1440\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:982 msgid "" "The `antispoof` mechanism protects against activity from spoofed or forged " "IP addresses, mainly by blocking packets appearing on interfaces and in " "directions which are logically not possible." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:984 msgid "" "These rules weed out spoofed traffic coming in from the rest of the world as " "well as any spoofed packets which originate in the local network:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:989 #, no-wrap msgid "" "antispoof for $ext_if\n" "antispoof for $int_if\n" msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:992 #, no-wrap msgid "Handling Non-Routable Addresses" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:997 msgid "" "Even with a properly configured gateway to handle network address " "translation, one may have to compensate for other people's " "misconfigurations. A common misconfiguration is to let traffic with non-" "routable addresses out to the Internet. Since traffic from non-routable " "addresses can play a part in several DoS attack techniques, consider " "explicitly blocking traffic from non-routable addresses from entering the " "network through the external interface." msgstr "" #. 
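As an added example, not code from the Handbook or from PF, the following Python models what the two `antispoof` lines above and the `martians` macro with its two `block drop ... quick` rules defined next do to individual packets, using the `antispoof` expansion that pf.conf(5) documents. The interface names `dc0` and `xl0`, the networks attached to them and the sample addresses are assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The $martians macro as written in the ruleset in this section.
MARTIANS_MACRO = """{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \\
\t 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \\
\t 0.0.0.0/8, 240.0.0.0/4 }"""

EXT_IF = "dc0"
# Constructed topology for the demonstration (not from the chapter):
# interface -> (attached network, the gateway's own address on it).
IFACES = {
    "dc0": ("203.0.113.0/24", "203.0.113.10"),   # $ext_if; TEST-NET-3 stands in for the ISP side
    "xl0": ("192.168.1.0/24", "192.168.1.1"),    # $int_if; the LAN
}


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str   # "in" or "out"
    src: str
    dst: str


def parse_pf_list(macro: str) -> List[ipaddress.IPv4Network]:
    """Expand a pf.conf `{ a, b, ... }` list, '\\'-continued lines included, into networks."""
    body = macro.replace("\\\n", " ").strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("expected a braced pf.conf list")
    return [ipaddress.ip_network(tok.strip()) for tok in body[1:-1].split(",") if tok.strip()]


def martian_rule(pkt: Packet, martians) -> Optional[str]:
    """block drop in  quick on $ext_if from $martians to any
       block drop out quick on $ext_if from any to $martians"""
    if pkt.iface != EXT_IF:
        return None
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.direction == "in" and any(src in net for net in martians):
        return f"martian source {src} entering on {EXT_IF}"
    if pkt.direction == "out" and any(dst in net for net in martians):
        return f"martian destination {dst} leaving on {EXT_IF}"
    return None


def antispoof_rules(pkt: Packet) -> Optional[str]:
    """pf.conf(5) documents `antispoof for $if` as expanding to rules of the form
         block drop in on ! $if inet from $if:network to any
         block drop in inet from ($if) to any
       so a source belonging to an interface's network may only arrive on that
       interface, and no incoming packet may claim the gateway's own address."""
    if pkt.direction != "in":
        return None
    src = ipaddress.ip_address(pkt.src)
    for iface, (net, addr) in IFACES.items():
        if src == ipaddress.ip_address(addr):
            return f"source {src} is {iface}'s own address"
        if src in ipaddress.ip_network(net) and pkt.iface != iface:
            return f"source {src} belongs to {iface}'s network but arrived on {pkt.iface}"
    return None


def hygiene_verdict(pkt: Packet, martians) -> Tuple[str, str]:
    """Apply the two hygiene mechanisms in ruleset order. The martian rules carry
    `quick`, so their match is final; antispoof's generated rules do not, so in a
    full ruleset a later matching `pass` rule could still override them."""
    reason = martian_rule(pkt, martians)
    if reason:
        return ("block", reason)
    reason = antispoof_rules(pkt)
    if reason:
        return ("block", reason)
    return ("pass", "no hygiene rule matched; later rules decide")


if __name__ == "__main__":
    nets = parse_pf_list(MARTIANS_MACRO)
    for pkt in (Packet("dc0", "in", "10.1.2.3", "203.0.113.10"),
                Packet("xl0", "in", "203.0.113.99", "192.168.1.50"),
                Packet("xl0", "in", "192.168.1.50", "198.51.100.7")):
        print(pkt, "->", hygiene_verdict(pkt, nets))
```

The second sample packet shows why `antispoof for $ext_if` matters even with the martians list in place: a packet carrying the external network's address but arriving on the LAN interface is not a martian, yet it cannot legitimately exist, and antispoof drops it.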
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1000 msgid "" "In this example, a macro containing non-routable addresses is defined, then " "used in blocking rules. Traffic to and from these addresses is quietly " "dropped on the gateway's external interface." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1006 #, no-wrap msgid "" "martians = \"{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \\\n" "\t 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \\\n" "\t 0.0.0.0/8, 240.0.0.0/4 }\"\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1009 #, no-wrap msgid "" "block drop in quick on $ext_if from $martians to any\n" "block drop out quick on $ext_if from any to $martians\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:1011 #, no-wrap msgid "Enabling ALTQ" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1015 msgid "" "On FreeBSD, ALTQ can be used with PF to provide Quality of Service (QOS). " "Once ALTQ is enabled, queues can be defined in the ruleset which determine " "the processing priority of outbound packets." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1017 msgid "" "Before enabling ALTQ, refer to man:altq[4] to determine if the drivers for " "the network cards installed on the system support it." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1023 msgid "" "ALTQ is not available as a loadable kernel module. If the system's " "interfaces support ALTQ, create a custom kernel using the instructions in " "crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]. The " "following kernel options are available. The first is needed to enable " "ALTQ. 
At least one of the other options is necessary to specify the " "queueing scheduler algorithm:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1032 #, no-wrap msgid "" "options ALTQ\n" "options ALTQ_CBQ # Class Based Queuing (CBQ)\n" "options ALTQ_RED # Random Early Detection (RED)\n" "options ALTQ_RIO # RED In/Out\n" "options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)\n" "options ALTQ_PRIQ # Priority Queuing (PRIQ)\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1035 msgid "The following scheduler algorithms are available:" msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1036 #, no-wrap msgid "CBQ" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1038 msgid "" "Class Based Queuing (CBQ) is used to divide a connection's bandwidth into " "different classes or queues to prioritize traffic based on filter rules." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1039 #, no-wrap msgid "RED" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1042 msgid "" "Random Early Detection (RED) is used to avoid network congestion by " "measuring the length of the queue and comparing it to the minimum and " "maximum thresholds for the queue. When the queue is over the maximum, all " "new packets are randomly dropped." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1043 #, no-wrap msgid "RIO" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1045 msgid "" "In Random Early Detection In and Out (RIO) mode, RED maintains multiple " "average queue lengths and multiple threshold values, one for each QOS level." msgstr "" #. 
type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1046 #, no-wrap msgid "HFSC" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1048 msgid "" "Hierarchical Fair Service Curve Packet Scheduler (HFSC) is described in " "http://www-2.cs.cmu.edu/\\~hzhang/HFSC/main.html[http://www-2.cs.cmu.edu/" "~hzhang/HFSC/main.html]." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1049 #, no-wrap msgid "PRIQ" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1051 msgid "" "Priority Queuing (PRIQ) always passes traffic that is in a higher queue " "first." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1053 msgid "" "More information about the scheduling algorithms and example rulesets are " "available at the https://web.archive.org/web/20151109213426/http://" "www.openbsd.org/faq/pf/queueing.html[OpenBSD's web archive]." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/firewalls/_index.adoc:1055 #, no-wrap msgid "IPFW" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1059 msgid "" "IPFW is a stateful firewall written for FreeBSD which supports both IPv4 and " "IPv6. It consists of several components: the kernel firewall filter " "rule processor and its integrated packet accounting facility, the logging " "facility, NAT, the man:dummynet[4] traffic shaper, a forward facility, a " "bridge facility, and an ipstealth facility." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1062 msgid "" "FreeBSD provides a sample ruleset in [.filename]#/etc/rc.firewall# which " "defines several firewall types for common scenarios to assist novice users " "in generating an appropriate ruleset. 
IPFW provides a powerful syntax which " "advanced users can use to craft customized rulesets that meet the security " "requirements of a given environment." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1064 msgid "" "This section describes how to enable IPFW, provides an overview of its rule " "syntax, and demonstrates several rulesets for common configuration scenarios." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:1066 #, no-wrap msgid "Enabling IPFW" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1069 msgid "" "IPFW is included in the basic FreeBSD install as a kernel loadable module, " "meaning that a custom kernel is not needed in order to enable IPFW." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1072 msgid "" "For those users who wish to statically compile IPFW support into a custom " "kernel, see crossref:firewalls[firewalls-ipfw-kernelconfig, IPFW Kernel " "Options]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1074 msgid "" "To configure the system to enable IPFW at boot time, add " "`firewall_enable=\"YES\"` to [.filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1078 #, no-wrap msgid "# sysrc firewall_enable=\"YES\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1081 msgid "" "To use one of the default firewall types provided by FreeBSD, add another " "line which specifies the type:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1085 #, no-wrap msgid "# sysrc firewall_type=\"open\"\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1088 msgid "The available types are:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1090 msgid "`open`: passes all traffic." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1091 msgid "`client`: protects only this machine." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1092 msgid "`simple`: protects the whole network." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1093 msgid "" "`closed`: entirely disables IP traffic except for the loopback interface." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1094 msgid "`workstation`: protects only this machine using stateful rules." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1095 msgid "`UNKNOWN`: disables the loading of firewall rules." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1096 msgid "" "[.filename]#filename#: full path of the file containing the firewall ruleset." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1098 msgid "" "If `firewall_type` is set to either `client` or `simple`, modify the default " "rules found in [.filename]#/etc/rc.firewall# to fit the configuration of the " "system." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1100 msgid "Note that the `filename` type is used to load a custom ruleset." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1103 msgid "" "An alternate way to load a custom ruleset is to set the `firewall_script` " "variable to the absolute path of an _executable script_ that includes IPFW " "commands. 
The examples used in this section assume that the " "`firewall_script` is set to [.filename]#/etc/ipfw.rules#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1107 #, no-wrap msgid "# sysrc firewall_script=\"/etc/ipfw.rules\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1110 msgid "To enable logging through man:syslogd[8], include this line:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1114 #, no-wrap msgid "# sysrc firewall_logging=\"YES\"\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1122 msgid "" "Only firewall rules with the `log` option will be logged. The default rules " "do not include this option and it must be manually added. Therefore it is " "advisable that the default ruleset is edited for logging. In addition, log " "rotation may be desired if the logs are stored in a separate file." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1126 msgid "" "There is no [.filename]#/etc/rc.conf# variable to set logging limits. To " "limit the number of times a rule is logged per connection attempt, specify " "the number using this line in [.filename]#/etc/sysctl.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1130 #, no-wrap msgid "# echo \"net.inet.ip.fw.verbose_limit=5\" >> /etc/sysctl.conf\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1133 msgid "" "To enable logging through a dedicated interface named `ipfw0`, add this line " "to [.filename]#/etc/rc.conf# instead:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1137 #, no-wrap msgid "# sysrc firewall_logif=\"YES\"\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1140 msgid "Then use tcpdump to see what is being logged:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1144 #, no-wrap msgid "# tcpdump -t -n -i ipfw0\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1150 msgid "There is no overhead due to logging unless tcpdump is attached." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1154 msgid "" "After saving the needed edits, start the firewall. To enable logging limits " "now, also set the `sysctl` value specified above:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1159 #, no-wrap msgid "" "# service ipfw start\n" "# sysctl net.inet.ip.fw.verbose_limit=5\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:1162 #, no-wrap msgid "IPFW Rule Syntax" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1170 msgid "" "When a packet enters the IPFW firewall, it is compared against the first " "rule in the ruleset and progresses one rule at a time, moving from top to " "bottom in sequence. When the packet matches the selection parameters of a " "rule, the rule's action is executed and the search of the ruleset terminates " "for that packet. This is referred to as \"first match wins\". If the " "packet does not match any of the rules, it gets caught by the mandatory IPFW " "default rule number 65535, which denies all packets and silently discards " "them. However, if the packet matches a rule that contains the `count`, " "`skipto`, or `tee` keywords, the search continues. Refer to man:ipfw[8] for " "details on how these keywords affect rule processing." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1176 msgid "" "When creating an IPFW rule, keywords must be written in the following " "order. Some keywords are mandatory while other keywords are optional. The " "words shown in uppercase represent a variable and the words shown in " "lowercase must precede the variable that follows it. The `+#+` symbol is " "used to mark the start of a comment and may appear at the end of a rule or " "on its own line. Blank lines are ignored." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1178 msgid "" "`_CMD RULE_NUMBER set SET_NUMBER ACTION log LOG_AMOUNT PROTO from SRC " "SRC_PORT to DST DST_PORT OPTIONS_`" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1182 msgid "" "This section provides an overview of these keywords and their options. It " "is not an exhaustive list of every possible option. Refer to man:ipfw[8] " "for a complete description of the rule syntax that can be used when creating " "IPFW rules." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1183 #, no-wrap msgid "CMD" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1185 msgid "Every rule must start with `ipfw add`." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1186 #, no-wrap msgid "RULE_NUMBER" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1190 msgid "" "Each rule is associated with a number from `1` to `65534`. The number is " "used to indicate the order of rule processing. Multiple rules can have the " "same number, in which case they are applied according to the order in which " "they have been added." msgstr "" #. 
type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1191 #, no-wrap msgid "SET_NUMBER" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1195 msgid "" "Each rule is associated with a set number from `0` to `31`. Sets can be " "individually disabled or enabled, making it possible to quickly add or " "delete a set of rules. If a SET_NUMBER is not specified, the rule will be " "added to set `0`." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1196 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1942 #, no-wrap msgid "ACTION" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1199 msgid "" "A rule can be associated with one of the following actions. The specified " "action will be executed when the packet matches the selection criterion of " "the rule." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1201 msgid "" "`allow | accept | pass | permit`: these keywords are equivalent and allow " "packets that match the rule." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1206 msgid "" "`check-state`: checks the packet against the dynamic state table. If a " "match is found, execute the action associated with the rule which generated " "this dynamic rule, otherwise move to the next rule. A `check-state` rule " "does not have selection criterion. If no `check-state` rule is present in " "the ruleset, the dynamic rules table is checked at the first `keep-state` or " "`limit` rule." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1209 msgid "" "`count`: updates counters for all packets that match the rule. The search " "continues with the next rule." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1211 msgid "" "`deny | drop`: either word silently discards packets that match this rule." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1214 msgid "Additional actions are available. Refer to man:ipfw[8] for details." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1215 #, no-wrap msgid "LOG_AMOUNT" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1221 msgid "" "When a packet matches a rule with the `log` keyword, a message will be " "logged to man:syslogd[8] with a facility name of `SECURITY`. Logging only " "occurs if the number of packets logged for that particular rule does not " "exceed a specified LOG_AMOUNT. If no LOG_AMOUNT is specified, the limit is " "taken from the value of `net.inet.ip.fw.verbose_limit`. A value of zero " "removes the logging limit. Once the limit is reached, logging can be re-" "enabled by clearing the logging counter or the packet counter for that rule, " "using `ipfw resetlog`." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1226 msgid "" "Logging is done after all other packet matching conditions have been met, " "and before performing the final action on the packet. The administrator " "decides which rules to enable logging on." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1228 #, no-wrap msgid "PROTO" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1230 msgid "" "This optional value can be used to specify any protocol name or number found " "in [.filename]#/etc/protocols#." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1231 #, no-wrap msgid "SRC" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1236 msgid "" "The `from` keyword must be followed by the source address or a keyword that " "represents the source address. An address can be represented by `any`, `me` " "(any address configured on an interface on this system), `me6` (any IPv6 " "address configured on an interface on this system), or `table` followed by " "the number of a lookup table which contains a list of addresses. When " "specifying an IP address, it can be optionally followed by its CIDR mask or " "subnet mask. For example, `1.2.3.4/25` or `1.2.3.4:255.255.255.128`." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1237 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2008 #, no-wrap msgid "SRC_PORT" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1239 msgid "" "An optional source port can be specified using the port number or name from " "[.filename]#/etc/services#." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1240 #, no-wrap msgid "DST" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1243 msgid "" "The `to` keyword must be followed by the destination address or a keyword " "that represents the destination address. The same keywords and addresses " "described in the SRC section can be used to describe the destination." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1244 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2021 #, no-wrap msgid "DST_PORT" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1246 msgid "" "An optional destination port can be specified using the port number or name " "from [.filename]#/etc/services#." msgstr "" #. 
type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1247 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1972 #, no-wrap msgid "OPTIONS" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1251 msgid "" "Several keywords can follow the source and destination. As the name " "suggests, OPTIONS are optional. Commonly used options include `in` or " "`out`, which specify the direction of packet flow, `icmptypes` followed by " "the type of ICMP message, and `keep-state`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1253 msgid "" "When a `keep-state` rule is matched, the firewall will create a dynamic rule " "which matches bidirectional traffic between the source and destination " "addresses and ports using the same protocol." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1258 msgid "" "The dynamic rules facility is vulnerable to resource depletion from a SYN-" "flood attack which would open a huge number of dynamic rules. To counter " "this type of attack with IPFW, use `limit`. This option limits the number " "of simultaneous sessions by checking the open dynamic rules, counting the " "number of times this rule and IP address combination occurred. If this " "count is greater than the value specified by `limit`, the packet is " "discarded." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1261 msgid "" "Dozens of OPTIONS are available. Refer to man:ipfw[8] for a description of " "each available option." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:1262 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2049 #, no-wrap msgid "Example Ruleset" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1267 msgid "" "This section demonstrates how to create an example stateful firewall ruleset " "script named [.filename]#/etc/ipfw.rules#. In this example, all connection " "rules use `in` or `out` to clarify the direction. They also use `via` " "_interface-name_ to specify the interface the packet is traveling over." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1271 msgid "" "When first creating or testing a firewall ruleset, consider temporarily " "setting this tunable:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1275 #, no-wrap msgid "net.inet.ip.fw.default_to_accept=\"1\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1278 msgid "" "This sets the default policy of man:ipfw[8] to be more permissive than the " "default `deny ip from any to any`, making it slightly more difficult to get " "locked out of the system right after a reboot." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1283 msgid "" "The firewall script begins by indicating that it is a Bourne shell script " "and flushes any existing rules. It then creates the `cmd` variable so that " "`ipfw add` does not have to be typed at the beginning of every rule. It " "also defines the `pif` variable which represents the name of the interface " "that is attached to the Internet." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1289 #, no-wrap msgid "" "#!/bin/sh\n" "# Flush out the list before we begin.\n" "ipfw -q -f flush\n" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1293 #, no-wrap msgid "" "# Set rules command prefix\n" "cmd=\"ipfw -q add\"\n" "pif=\"dc0\" # interface name of NIC attached to Internet\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1296 msgid "" "The first two rules allow all traffic on the trusted internal interface and " "on the loopback interface:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1301 #, no-wrap msgid "" "# Change xl0 to LAN NIC interface name\n" "$cmd 00005 allow all from any to any via xl0\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1304 #, no-wrap msgid "" "# No restrictions on Loopback Interface\n" "$cmd 00010 allow all from any to any via lo0\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1307 msgid "" "The next rule allows the packet through if it matches an existing entry in " "the dynamic rules table:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1311 #, no-wrap msgid "$cmd 00101 check-state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1314 msgid "" "The next set of rules defines which stateful connections internal systems " "can create to hosts on the Internet:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1322 #, no-wrap msgid "" "# Allow access to public DNS\n" "# Replace x.x.x.x with the IP address of a public DNS server\n" "# and repeat for each DNS server in /etc/resolv.conf\n" "$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state\n" "$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state\n" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1328 #, no-wrap msgid "" "# Allow access to ISP's DHCP server for cable/DSL configurations.\n" "# Use the first rule and check log for IP address.\n" "# Then, uncomment the second rule, input the IP address, and delete the first rule\n" "$cmd 00120 allow log udp from any to any 67 out via $pif keep-state\n" "#$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1332 #, no-wrap msgid "" "# Allow outbound HTTP and HTTPS connections\n" "$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state\n" "$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1336 #, no-wrap msgid "" "# Allow outbound email connections\n" "$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state\n" "$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1339 #, no-wrap msgid "" "# Allow outbound ping\n" "$cmd 00250 allow icmp from any to any out via $pif keep-state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1342 #, no-wrap msgid "" "# Allow outbound NTP\n" "$cmd 00260 allow udp from any to any 123 out via $pif keep-state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1345 #, no-wrap msgid "" "# Allow outbound SSH\n" "$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state\n" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1348 #, no-wrap msgid "" "# deny and log all other outbound connections\n" "$cmd 00299 deny log all from any to any out via $pif\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1353 msgid "" "The next set of rules controls connections from Internet hosts to the " "internal network. It starts by denying packets typically associated with " "attacks and then explicitly allows specific types of connections. All the " "authorized services that originate from the Internet use `limit` to prevent " "flooding." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1366 #, no-wrap msgid "" "# Deny all inbound traffic from non-routable reserved address spaces\n" "$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP\n" "$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP\n" "$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP\n" "$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif #loopback\n" "$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif #loopback\n" "$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config\n" "$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs\n" "$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect\n" "$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1369 #, no-wrap msgid "" "# Deny public pings\n" "$cmd 00310 deny icmp from any to any in via $pif\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1372 #, no-wrap msgid "" "# Deny ident\n" "$cmd 00315 deny tcp from any to any 113 in via $pif\n" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1378 #, no-wrap msgid "" "# Deny all Netbios services.\n" "$cmd 00320 deny tcp from any to any 137 in via $pif\n" "$cmd 00321 deny tcp from any to any 138 in via $pif\n" "$cmd 00322 deny tcp from any to any 139 in via $pif\n" "$cmd 00323 deny tcp from any to any 81 in via $pif\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1381 #, no-wrap msgid "" "# Deny fragments\n" "$cmd 00330 deny all from any to any frag in via $pif\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1384 #, no-wrap msgid "" "# Deny ACK packets that did not match the dynamic rule table\n" "$cmd 00332 deny tcp from any to any established in via $pif\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1388 #, no-wrap msgid "" "# Allow traffic from ISP's DHCP server.\n" "# Replace x.x.x.x with the same IP address used in rule 00120.\n" "#$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1391 #, no-wrap msgid "" "# Allow HTTP connections to internal web server\n" "$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1394 #, no-wrap msgid "" "# Allow inbound SSH connections\n" "$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1397 #, no-wrap msgid "" "# Reject and log all other incoming connections\n" "$cmd 00499 deny log all from any to any in via $pif\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1400 msgid "" "The last rule logs all packets that do not match any of the rules in the " "ruleset:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1405 #, no-wrap msgid "" "# Everything else is denied and logged\n" "$cmd 00999 deny log all from any to any\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:1408 #, no-wrap msgid "In-kernel NAT" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1413 msgid "" "FreeBSD's IPFW firewall has two implementations of NAT: the userland " "implementation man:natd[8], and the more recent in-kernel NAT " "implementation. Both work in conjunction with IPFW to provide network " "address translation. This can be used to provide an Internet Connection " "Sharing solution so that several internal computers can connect to the " "Internet using a single public IP address." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1417 msgid "" "To do this, the FreeBSD machine connected to the Internet must act as a " "gateway. This system must have two NICs, where one is connected to the " "Internet and the other is connected to the internal LAN. Each machine " "connected to the LAN should be assigned an IP address in the private network " "space, as defined by https://www.ietf.org/rfc/rfc1918.txt[RFC 1918]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1420 msgid "" "Some additional configuration is needed in order to enable the in-kernel NAT " "facility of IPFW. To enable in-kernel NAT support at boot time, the " "following must be set in [.filename]#/etc/rc.conf#:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1426 #, no-wrap msgid "" "gateway_enable=\"YES\"\n" "firewall_enable=\"YES\"\n" "firewall_nat_enable=\"YES\"\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1432 msgid "" "When `firewall_nat_enable` is set but `firewall_enable` is not, it will have " "no effect and do nothing. This is because the in-kernel NAT implementation " "is only compatible with IPFW." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1439 msgid "" "When the ruleset contains stateful rules, the positioning of the NAT rule is " "critical and the `skipto` action is used. The `skipto` action requires a " "rule number so that it knows which rule to jump to. The example below " "builds upon the firewall ruleset shown in the previous section. It adds " "some additional entries and modifies some existing rules in order to " "configure the firewall for in-kernel NAT. It starts by adding some " "additional variables which represent the rule number to skip to, the `keep-" "state` option, and a list of TCP ports which will be used to reduce the " "number of rules." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1449 #, no-wrap msgid "" "#!/bin/sh\n" "ipfw -q -f flush\n" "cmd=\"ipfw -q add\"\n" "skip=\"skipto 1000\"\n" "pif=dc0\n" "ks=\"keep-state\"\n" "good_tcpo=\"22,25,37,53,80,443,110\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1454 msgid "" "With in-kernel NAT it is necessary to disable TCP segmentation offloading " "(TSO) due to the architecture of man:libalias[3], a library implemented as a " "kernel module to provide the in-kernel NAT facility of IPFW. TSO can be " "disabled on a per network interface basis using man:ifconfig[8] or on a " "system wide basis using man:sysctl[8]. 
To disable TSO system wide, the " "following must be set it [.filename]#/etc/sysctl.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1458 #, no-wrap msgid "net.inet.tcp.tso=\"0\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1467 msgid "" "A NAT instance will also be configured. It is possible to have multiple NAT " "instances each with their own configuration. For this example only one NAT " "instance is needed, NAT instance number 1. The configuration can take a few " "options such as: `if` which indicates the public interface, `same_ports` " "which takes care that aliased ports and local port numbers are mapped the " "same, `unreg_only` will result in only unregistered (private) address spaces " "to be processed by the NAT instance, and `reset` which will help to keep a " "functioning NAT instance even when the public IP address of the IPFW machine " "changes. For all possible options that can be passed to a single NAT " "instance configuration consult man:ipfw[8]. When configuring a stateful " "NATing firewall, it is necessary to allow translated packets to be " "reinjected in the firewall for further processing. This can be achieved by " "disabling `one_pass` behavior at the start of the firewall script." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1472 #, no-wrap msgid "" "ipfw disable one_pass\n" "ipfw -q nat 1 config if $pif same_ports unreg_only reset\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1478 msgid "" "The inbound NAT rule is inserted _after_ the two rules which allow all " "traffic on the trusted and loopback interfaces and after the reassemble rule " "but _before_ the `check-state` rule. 
It is important that the rule number " "selected for this NAT rule, in this example `100`, is higher than the first " "three rules and lower than the `check-state` rule. Furthermore, because of " "the behavior of in-kernel NAT it is advised to place a reassemble rule just " "before the first NAT rule and after the rules that allow traffic on trusted " "interface. Normally, IP fragmentation should not happen, but when dealing " "with IPSEC/ESP/GRE tunneling traffic it might and the reassembling of " "fragments is necessary before handing the complete packet over to the in-" "kernel NAT facility." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1482 msgid "" "The reassemble rule was not needed with userland man:natd[8] because the " "internal workings of the IPFW `divert` action already takes care of " "reassembling packets before delivery to the socket as also stated in " "man:ipfw[8]." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1485 msgid "" "The NAT instance and rule number used in this example does not match with " "the default NAT instance and rule number created by " "[.filename]#rc.firewall#. [.filename]#rc.firewall# is a script that sets up " "the default firewall rules present in FreeBSD." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1495 #, no-wrap msgid "" "$cmd 005 allow all from any to any via xl0 # exclude LAN traffic\n" "$cmd 010 allow all from any to any via lo0 # exclude loopback traffic\n" "$cmd 099 reass all from any to any in # reassemble inbound packets\n" "$cmd 100 nat 1 ip from any to any in via $pif # NAT any inbound packets\n" "# Allow the packet through if it has an existing entry in the dynamic rules table\n" "$cmd 101 check-state\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1499 msgid "" "The outbound rules are modified to replace the `allow` action with the " "`$skip` variable, indicating that rule processing will continue at rule " "`1000`. The seven `tcp` rules have been replaced by rule `125` as the " "`$good_tcpo` variable contains the seven allowed outbound ports." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1503 msgid "" "Remember that IPFW's performance is largely determined by the number of " "rules present in the ruleset." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1512 #, no-wrap msgid "" "# Authorized outbound packets\n" "$cmd 120 $skip udp from any to x.x.x.x 53 out via $pif $ks\n" "$cmd 121 $skip udp from any to x.x.x.x 67 out via $pif $ks\n" "$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks\n" "$cmd 130 $skip icmp from any to any out via $pif $ks\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1518 msgid "" "The inbound rules remain the same, except for the very last rule which " "removes the `via $pif` in order to catch both inbound and outbound rules. " "The NAT rule must follow this last outbound rule, must have a higher number " "than that last rule, and the rule number must be referenced by the `skipto` " "action. In this ruleset, rule number `1000` handles passing all packets to " "our configured instance for NAT processing. The next rule allows any packet " "which has undergone NAT processing to pass." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1524 #, no-wrap msgid "" "$cmd 999 deny log all from any to any\n" "$cmd 1000 nat 1 ip from any to any out via $pif # skipto location for outbound stateful rules\n" "$cmd 1001 allow ip from any to any\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1527 msgid "" "In this example, rules `100`, `101`, `125`, `1000`, and `1001` control the " "address translation of the outbound and inbound packets so that the entries " "in the dynamic state table always register the private LANIP address." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1539 msgid "" "Consider an internal web browser which initializes a new outbound HTTP " "session over port 80. When the first outbound packet enters the firewall, " "it does not match rule `100` because it is headed out rather than in. It " "passes rule `101` because this is the first packet and it has not been " "posted to the dynamic state table yet. The packet finally matches rule " "`125` as it is outbound on an allowed port and has a source IP address from " "the internal LAN. On matching this rule, two actions take place. First, " "the `keep-state` action adds an entry to the dynamic state table and the " "specified action, `skipto rule 1000`, is executed. Next, the packet " "undergoes NAT and is sent out to the Internet. This packet makes its way to " "the destination web server, where a response packet is generated and sent " "back. This new packet enters the top of the ruleset. It matches rule `100` " "and has its destination IP address mapped back to the original internal " "address. It then is processed by the `check-state` rule, is found in the " "table as an existing session, and is released to the LAN." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1544 msgid "" "On the inbound side, the ruleset has to deny bad packets and allow only " "authorized services. A packet which matches an inbound rule is posted to " "the dynamic state table and the packet is released to the LAN. The packet " "generated as a response is recognized by the `check-state` rule as belonging " "to an existing session. 
It is then sent to rule `1000` to undergo NAT " "before being released to the outbound interface." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1552 msgid "" "Transitioning from userland man:natd[8] to in-kernel NAT might appear " "seamless at first but there is small catch. When using the GENERIC kernel, " "IPFW will load the [.filename]#libalias.ko# kernel module, when " "`firewall_nat_enable` is enabled in [.filename]#/etc/rc.conf#. The " "[.filename]#libalias.ko# kernel module only provides basic NAT " "functionality, whereas the userland implementation man:natd[8] has all NAT " "functionality available in its userland library without any extra " "configuration. All functionality refers to the following kernel modules " "that can additionally be loaded when needed besides the standard " "[.filename]#libalias.ko# kernel module: [.filename]#alias_ftp.ko#, " "[.filename]#alias_bbt.ko#, [.filename]#skinny.ko#, [.filename]#irc.ko#, " "[.filename]#alias_pptp.ko# and [.filename]#alias_smedia.ko# using the " "`kld_list` directive in [.filename]#/etc/rc.conf#. If a custom kernel is " "used, the full functionality of the userland library can be compiled in, in " "the kernel, using the `options LIBALIAS`." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:1554 #, no-wrap msgid "Port Redirection" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1560 msgid "" "The drawback with NAT in general is that the LAN clients are not accessible " "from the Internet. Clients on the LAN can make outgoing connections to the " "world but cannot receive incoming ones. This presents a problem if trying " "to run Internet services on one of the LAN client machines. A simple way " "around this is to redirect selected Internet ports on the NAT providing " "machine to a LAN client." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1563 msgid "" "For example, an IRC server runs on client `A` and a web server runs on " "client `B`. For this to work properly, connections received on ports 6667 " "(IRC) and 80 (HTTP) must be redirected to the respective machines." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1567 msgid "" "With in-kernel NAT all configuration is done in the NAT instance " "configuration. For a full list of options that an in-kernel NAT instance " "can use, consult man:ipfw[8]. The IPFW syntax follows the syntax of natd. " "The syntax for `redirect_port` is as follows:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1573 #, no-wrap msgid "" "redirect_port proto targetIP:targetPORT[-targetPORT]\n" " [aliasIP:]aliasPORT[-aliasPORT]\n" " [remoteIP[:remotePORT[-remotePORT]]]\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1576 msgid "To configure the above example setup, the arguments should be:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1581 #, no-wrap msgid "" "redirect_port tcp 192.168.0.2:6667 6667\n" "redirect_port tcp 192.168.0.3:80 80\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1584 msgid "" "After adding these arguments to the configuration of NAT instance 1 in the " "above ruleset, the TCP ports will be port forwarded to the LAN client " "machines running the IRC and HTTP services." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1590 #, no-wrap msgid "" "ipfw -q nat 1 config if $pif same_ports unreg_only reset \\\n" " redirect_port tcp 192.168.0.2:6667 6667 \\\n" " redirect_port tcp 192.168.0.3:80 80\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1594 msgid "" "Port ranges over individual ports can be indicated with `redirect_port`. " "For example, _tcp 192.168.0.2:2000-3000 2000-3000_ would redirect all " "connections received on ports 2000 to 3000 to ports 2000 to 3000 on client " "`A`." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:1595 #, no-wrap msgid "Address Redirection" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1601 msgid "" "Address redirection is useful if more than one IP address is available. " "Each LAN client can be assigned its own external IP address by man:ipfw[8], " "which will then rewrite outgoing packets from the LAN clients with the " "proper external IP address and redirects all traffic incoming on that " "particular IP address back to the specific LAN client. This is also known " "as static NAT. For example, if IP addresses `128.1.1.1`, `128.1.1.2`, and " "`128.1.1.3` are available, `128.1.1.1` can be used as the man:ipfw[8] " "machine's external IP address, while `128.1.1.2` and `128.1.1.3` are " "forwarded back to LAN clients `A` and `B`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1603 msgid "" "The `redirect_addr` syntax is as below, where `localIP` is the internal IP " "address of the LAN client, and `publicIP` the external IP address " "corresponding to the LAN client." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1607 #, no-wrap msgid "redirect_addr localIP publicIP\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1610 msgid "In the example, the arguments would read:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1615 #, no-wrap msgid "" "redirect_addr 192.168.0.2 128.1.1.2\n" "redirect_addr 192.168.0.3 128.1.1.3\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1619 msgid "" "Like `redirect_port`, these arguments are placed in a NAT instance " "configuration. With address redirection, there is no need for port " "redirection, as all data received on a particular IP address is redirected." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1622 msgid "" "The external IP addresses on the man:ipfw[8] machine must be active and " "aliased to the external interface. Refer to man:rc.conf[5] for details." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:1623 #, no-wrap msgid "Userspace NAT" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1627 msgid "" "Let us start with a statement: the userspace NAT implementation: " "man:natd[8], has more overhead than in-kernel NAT. For man:natd[8] to " "translate packets, the packets have to be copied from the kernel to " "userspace and back which brings in extra overhead that is not present with " "in-kernel NAT." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1631 msgid "" "To enable the userspace NAT daemon man:natd[8] at boot time, the following " "is a minimum configuration in [.filename]#/etc/rc.conf#. Where " "`natd_interface` is set to the name of the NIC attached to the Internet. " "The man:rc[8] script of man:natd[8] will automatically check if a dynamic IP " "address is used and configure itself to handle that." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1637 #, no-wrap msgid "" "gateway_enable=\"YES\"\n" "natd_enable=\"YES\"\n" "natd_interface=\"rl0\"\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1642 msgid "" "In general, the above ruleset as explained for in-kernel NAT can also be " "used together with man:natd[8]. The exceptions are the configuration of the " "in-kernel NAT instance `(ipfw -q nat 1 config ...)` which is not needed " "together with reassemble rule 99 because its functionality is included in " "the `divert` action. Rule number 100 and 1000 will have to change slightly " "as shown below." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1647 #, no-wrap msgid "" "$cmd 100 divert natd ip from any to any in via $pif\n" "$cmd 1000 divert natd ip from any to any out via $pif\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1652 msgid "" "To configure port or address redirection, a similar syntax as with in-kernel " "NAT is used. Although, now, instead of specifying the configuration in our " "ruleset script like with in-kernel NAT, configuration of man:natd[8] is best " "done in a configuration file. To do this, an extra flag must be passed via " "[.filename]#/etc/rc.conf# which specifies the path of the configuration file." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1656 #, no-wrap msgid "natd_flags=\"-f /etc/natd.conf\"\n" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1663 msgid "" "The specified file must contain a list of configuration options, one per " "line. For more information about the configuration file and possible " "variables, consult man:natd[8]. Below are two example entries, one per line:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1668 #, no-wrap msgid "" "redirect_port tcp 192.168.0.2:6667 6667\n" "redirect_addr 192.168.0.3 128.1.1.3\n" msgstr "" #. 
type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:1673 #, no-wrap msgid "The IPFW Command" msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1678 msgid "" "`ipfw` can be used to make manual, single rule additions or deletions to the " "active firewall while it is running. The problem with using this method is " "that all the changes are lost when the system reboots. It is recommended to " "instead write all the rules in a file and to use that file to load the rules " "at boot time and to replace the currently running firewall rules whenever " "that file changes." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1682 msgid "" "`ipfw` is a useful way to display the running firewall rules to the console " "screen. The IPFW accounting facility dynamically creates a counter for each " "rule that counts each packet that matches the rule. During the process of " "testing a rule, listing the rule with its counter is one way to determine if " "the rule is functioning as expected." msgstr "" #. type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1684 msgid "To list all the running rules in sequence:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1688 #, no-wrap msgid "# ipfw list\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1691 msgid "" "To list all the running rules with a time stamp of when the last time the " "rule was matched:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1695 #, no-wrap msgid "# ipfw -t list\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1699 msgid "" "The next example lists accounting information and the packet count for " "matched rules along with the rules themselves. The first column is the rule " "number, followed by the number of matched packets and bytes, followed by the " "rule itself." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1703 #, no-wrap msgid "# ipfw -a list\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1706 msgid "To list dynamic rules in addition to static rules:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1710 #, no-wrap msgid "# ipfw -d list\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1713 msgid "To also show the expired dynamic rules:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1717 #, no-wrap msgid "# ipfw -d -e list\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1720 msgid "To zero the counters:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1724 #, no-wrap msgid "# ipfw zero\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1727 msgid "To zero the counters for just the rule with number _NUM_:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1731 #, no-wrap msgid "# ipfw zero NUM\n" msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:1733 #, no-wrap msgid "Logging Firewall Messages" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1740 msgid "" "Even with the logging facility enabled, IPFW will not generate any rule " "logging on its own. The firewall administrator decides which rules in the " "ruleset will be logged, and adds the `log` keyword to those rules. Normally " "only deny rules are logged. It is customary to duplicate the \"ipfw default " "deny everything\" rule with the `log` keyword included as the last rule in " "the ruleset. This way, it is possible to see all the packets that did not " "match any of the rules in the ruleset." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1744 msgid "" "Logging is a double-edged sword. If one is not careful, an overabundance of " "log data or a DoS attack can fill the disk with log files. Log messages are " "not only written to syslogd, but also are displayed on the root console " "screen and soon become annoying." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1749 msgid "" "The `IPFIREWALL_VERBOSE_LIMIT=5` kernel option limits the number of " "messages sent to man:syslogd[8] for packets matching a given rule. When " "this option is enabled in the kernel, each logging rule produces at most " "the specified number of messages; once that cap is reached, IPFW logs a " "single notice that the limit was reached for that rule and logs nothing " "more for it until the log counters are reset with `ipfw resetlog`. The " "same cap can be changed at runtime with the `net.inet.ip.fw.verbose_limit` " "sysctl. There is nothing to be gained from 200 identical log messages. " "Independently of this limit, man:syslogd[8] itself collapses consecutive " "identical messages into a summary line like the following:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1753 #, no-wrap msgid "last message repeated 45 times\n" msgstr "" #. 
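The deny messages that `log` rules write to syslogd are only useful if someone reads them. The following script is an added example, not part of the Handbook or of IPFW: it summarizes IPFW deny messages in the form IPFW writes them to the system log (rule number, action, protocol, source, destination, direction and interface) by rule and source address, so that a port scan or a flood shows up as one line with a count instead of thousands of lines. The log lines embedded in it are constructed samples; the host name `fw`, the interfaces `em0` and `tun0` and all addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the Handbook): summarize IPFW "Deny" log messages
# by rule number and source address. Reads syslog lines such as those
# written to /var/log/security.
set -eu

# Constructed sample log lines; host name, interfaces and addresses are
# assumptions made for this example.
IPFW_SAMPLE_LOG='Mar  5 10:01:02 fw kernel: ipfw: 65534 Deny TCP 203.0.113.5:51234 198.51.100.2:22 in via em0
Mar  5 10:01:03 fw kernel: ipfw: 65534 Deny TCP 203.0.113.5:51235 198.51.100.2:23 in via em0
Mar  5 10:01:04 fw kernel: ipfw: 65534 Deny TCP 203.0.113.5:51236 198.51.100.2:3389 in via em0
Mar  5 10:01:05 fw kernel: ipfw: 600 Accept TCP 198.51.100.2:40001 198.51.100.9:80 out via tun0
Mar  5 10:01:06 fw kernel: ipfw: 65534 Deny UDP 192.0.2.99:53 198.51.100.2:1024 in via em0
Mar  5 10:01:07 fw kernel: ipfw: 65534 Deny ICMP:8.0 192.0.2.99 198.51.100.2 in via em0'

# ipfw_deny_summary [MIN]
# Prints "COUNT RULE SOURCE" for every (rule, source) pair that was denied
# at least MIN times (default 1), most frequent first.
ipfw_deny_summary() {
    min="${1:-1}"
    awk '
        {
            # Locate the "ipfw:" token; everything before it is the syslog
            # prefix, which varies between syslogd configurations.
            for (i = 1; i <= NF; i++)
                if ($i == "ipfw:") break
            if (i > NF || $(i + 2) != "Deny") next
            rule = $(i + 1)
            src = $(i + 4)
            sub(/:[0-9]+$/, "", src)   # drop the source port, if any
            print rule, src
        }' | sort | uniq -c | sort -rn |
    awk -v min="$min" '$1 >= min { print $1, $2, $3 }'
}

# Stand-alone run: summarize the constructed sample.
printf '%s\n' "$IPFW_SAMPLE_LOG" | ipfw_deny_summary
```

On a real host, `ipfw_deny_summary 50 < /var/log/security` lists only sources that hit a deny rule at least fifty times. The script keys on the `ipfw:` token rather than on a fixed column so that different syslog timestamp formats do not break it.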
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1756 msgid "" "All logged packet messages are written by default to [.filename]#/var/log/" "security#, which is defined in [.filename]#/etc/syslog.conf#." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:1758 #, no-wrap msgid "Building a Rule Script" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1764 msgid "" "Most experienced IPFW users create a file containing the rules and code them " "in a manner compatible with running them as a script. The major benefit of " "doing this is that the firewall rules can be refreshed en masse without " "rebooting the system to activate them. This method is convenient for " "testing new rules as the procedure can be executed as many times as needed. " "Being a script, symbolic substitution can be used for frequently used values " "that appear in multiple rules, so that an interface name or address is " "changed in one place." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1769 msgid "" "This example script uses man:sh[1] syntax and is always run with `sh`, so it " "works the same whether the administrator's login shell is man:sh[1], " "man:csh[1], or man:tcsh[1]. A symbolic field is defined without a dollar " "sign, with its value enclosed in double quotes (\"\"), and is referenced in " "the rules with a dollar sign ($) prefix." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1771 msgid "Start the rules file like this:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1789 #, no-wrap msgid "" "############### start of example ipfw rules script #############\n" "#\n" "ipfw -q -f flush # Delete all rules\n" "# Set defaults\n" "oif=\"tun0\" # out interface\n" "odns=\"192.0.2.11\" # ISP's DNS server IP address\n" "cmd=\"ipfw -q add \" # build rule prefix\n" "ks=\"keep-state\" # just too lazy to key this each time\n" "$cmd 00500 check-state\n" "$cmd 00502 deny all from any to any frag\n" "$cmd 00501 deny tcp from any to any established\n" "$cmd 00600 allow tcp from any to any 80 out via $oif setup $ks\n" "$cmd 00610 allow tcp from any to $odns 53 out via $oif setup $ks\n" "$cmd 00611 allow udp from any to $odns 53 out via $oif $ks\n" "################### End of example ipfw rules script ############\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1792 msgid "" "The rules are not important as the focus of this example is how the symbolic " "substitution fields are populated." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1794 msgid "" "If the above example was in [.filename]#/etc/ipfw.rules#, the rules could be " "reloaded by the following command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1798 #, no-wrap msgid "# sh /etc/ipfw.rules\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1801 msgid "" "[.filename]#/etc/ipfw.rules# can be located anywhere and the file can have " "any name." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1803 msgid "The same thing could be accomplished by running these commands by hand:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1813 #, no-wrap msgid "" "# ipfw -q -f flush\n" "# ipfw -q add check-state\n" "# ipfw -q add deny all from any to any frag\n" "# ipfw -q add deny tcp from any to any established\n" "# ipfw -q add allow tcp from any to any 80 out via tun0 setup keep-state\n" "# ipfw -q add allow tcp from any to 192.0.2.11 53 out via tun0 setup keep-state\n" "# ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:1816 #, no-wrap msgid "IPFW Kernel Options" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1820 msgid "" "In order to statically compile IPFW support into a custom kernel, refer to " "the instructions in crossref:kernelconfig[kernelconfig,Configuring the " "FreeBSD Kernel]. The following options are available for the custom kernel " "configuration file:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1833 #, no-wrap msgid "" "options IPFIREWALL\t\t\t# enables IPFW\n" "options IPFIREWALL_VERBOSE\t\t# enables logging for rules with log keyword to syslogd(8)\n" "options IPFIREWALL_VERBOSE_LIMIT=5\t# limits number of logged packets per-entry\n" "options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied\n" "options IPFIREWALL_NAT\t\t# enables basic in-kernel NAT support\n" "options LIBALIAS\t\t\t# enables full in-kernel NAT support\n" "options IPFIREWALL_NAT64\t\t# enables in-kernel NAT64 support\n" "options IPFIREWALL_NPTV6\t\t# enables in-kernel IPv6 NPT support\n" "options IPFIREWALL_PMOD\t\t# enables protocols modification module support\n" "options IPDIVERT\t\t\t# enables NAT through natd(8)\n" msgstr "" #. 
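Returning to the rule script style shown above: because the script flushes the running firewall before it adds anything, a typo in a substituted value is discovered only after the old rules are gone. The following script is an added example, not the Handbook's script or anything shipped with IPFW. It keeps the same symbolic-substitution style but routes every rule through one function with a dry-run mode, so the fully expanded commands can be reviewed, or diffed against the previous version, before the live firewall is touched. The interface `tun0` and the DNS address `192.0.2.11` are assumptions carried over from the Handbook's sample.

```shell
#!/bin/sh
# Added example (not the Handbook's script): the symbolic-substitution style
# of /etc/ipfw.rules with a dry-run mode, so the expanded rules can be
# reviewed before the running firewall is flushed and replaced.
# Interface and address values are assumptions taken from the Handbook sample.
set -eu

oif="tun0"          # outside interface
odns="192.0.2.11"   # ISP's DNS server
ks="keep-state"

# All rules go through fw(). With IPFW_DRYRUN=1 the fully expanded command is
# printed instead of executed; this needs neither root nor the ipfw module.
fw() {
    if [ "${IPFW_DRYRUN:-0}" = "1" ]; then
        printf 'ipfw %s\n' "$*"
    else
        ipfw "$@"
    fi
}

load_rules() {
    fw -q -f flush
    fw -q add 00500 check-state
    fw -q add 00501 deny tcp from any to any established
    fw -q add 00502 deny all from any to any frag
    fw -q add 00600 allow tcp from any to any 80 out via "$oif" setup "$ks"
    fw -q add 00610 allow tcp from any to "$odns" 53 out via "$oif" setup "$ks"
    fw -q add 00611 allow udp from any to "$odns" 53 out via "$oif" "$ks"
}

# Rule numbers in the order the script adds them. ipfw installs rules by
# number, not by add order, so a script whose numbers are not ascending
# runs in a different order than it reads.
rule_numbers() {
    (IPFW_DRYRUN=1; load_rules) |
        awk '$3 == "add" && $4 ~ /^[0-9]+$/ { print $4 }'
}

# Exit status 0 when every rule number is larger than the one before it.
rules_ascending() {
    rule_numbers |
        awk 'NR > 1 && $1 + 0 <= prev { bad = 1 } { prev = $1 + 0 } END { exit bad }'
}

case "${1:-}" in
    preview) IPFW_DRYRUN=1 load_rules ;;
    apply)   rules_ascending && load_rules ;;
esac
```

`sh ipfw.rules preview` prints the seven expanded commands; `sh ipfw.rules apply` refuses to flush the firewall when the rule numbers are out of order. For a syntax check on a FreeBSD host, `ipfw -n` accepts a command without submitting it to the kernel, so the preview output can be fed through `ipfw -n` one line at a time before the real run.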
type: delimited block = 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1838 msgid "" "IPFW can also be loaded as a kernel module, [.filename]#ipfw.ko#, in which " "case no custom kernel is needed: the functionality behind the options above " "is built by default as separate modules (for example [.filename]#ipfw_nat.ko# " "for `IPFIREWALL_NAT`), and the remaining settings can be changed through " "loader tunables and sysctls (for example the " "`net.inet.ip.fw.default_to_accept` loader tunable in place of " "`IPFIREWALL_DEFAULT_TO_ACCEPT`)." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/firewalls/_index.adoc:1841 #, no-wrap msgid "IPFILTER (IPF)" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1844 msgid "" "IPFILTER, also known as IPF, is a cross-platform, open source firewall which " "has been ported to several operating systems, including FreeBSD, NetBSD, " "OpenBSD, and Solaris(TM)." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1847 msgid "" "IPFILTER is a kernel-side firewall and NAT mechanism that can be controlled " "and monitored by userland programs. Firewall rules can be set or deleted " "using ipf, NAT rules can be set or deleted using ipnat, run-time statistics " "for the kernel parts of IPFILTER can be printed using ipfstat, and ipmon can " "be used to log IPFILTER actions to the system log files." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1850 msgid "" "IPF was originally written using a rule processing logic of \"the last " "matching rule wins\" and only used stateless rules. Since then, IPF has " "been enhanced to include the `quick` and `keep state` options." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1853 msgid "" "The IPF FAQ is at http://www.phildev.net/ipf/index.html[http://" "www.phildev.net/ipf/index.html]. A searchable archive of the IPFilter " "mailing list is available at http://marc.info/?l=ipfilter[http://marc.info/?" "l=ipfilter]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1856 msgid "" "This section of the Handbook focuses on IPF as it pertains to FreeBSD. 
It " "provides examples of rules that contain the `quick` and `keep state` options." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:1857 #, no-wrap msgid "Enabling IPF" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1860 msgid "" "IPF is included in the basic FreeBSD install as a kernel loadable module, " "meaning that a custom kernel is not needed in order to enable IPF." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1863 msgid "" "For users who prefer to statically compile IPF support into a custom kernel, " "refer to the instructions in crossref:kernelconfig[kernelconfig,Configuring " "the FreeBSD Kernel]. The following kernel options are available:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1870 #, no-wrap msgid "" "options IPFILTER\n" "options IPFILTER_LOG\n" "options IPFILTER_LOOKUP\n" "options IPFILTER_DEFAULT_BLOCK\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1873 msgid "" "where `options IPFILTER` enables support for IPFILTER, `options " "IPFILTER_LOG` enables IPF logging using the [.filename]#ipl# packet logging " "pseudo-device for every rule that has the `log` keyword, `IPFILTER_LOOKUP` " "enables IP pools in order to speed up IP lookups, and `options " "IPFILTER_DEFAULT_BLOCK` changes the default behavior so that any packet not " "matching a firewall `pass` rule gets blocked." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1877 msgid "" "To configure the system to enable IPF at boot time, add the following " "entries to [.filename]#/etc/rc.conf#. These entries will also enable " "logging and `default pass all`. 
To change the default policy to `block all` " "without compiling a custom kernel, remember to add a `block all` rule at the " "end of the ruleset." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1888 #, no-wrap msgid "" "ipfilter_enable=\"YES\" # Start ipf firewall\n" "ipfilter_rules=\"/etc/ipf.rules\" # loads rules definition text file\n" "ipv6_ipfilter_rules=\"/etc/ipf6.rules\" # loads rules definition text file for IPv6\n" "ipmon_enable=\"YES\" # Start IP monitor log\n" "ipmon_flags=\"-Ds\" # D = start as daemon\n" " # s = log to syslog\n" " # v = log tcp window, ack, seq\n" " # n = map IP & port to names\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1891 msgid "If NAT functionality is needed, also add these lines:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1897 #, no-wrap msgid "" "gateway_enable=\"YES\" # Enable as LAN gateway\n" "ipnat_enable=\"YES\" # Start ipnat function\n" "ipnat_rules=\"/etc/ipnat.rules\" # rules definition file for ipnat\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1900 msgid "Then, to start IPF now:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1904 #, no-wrap msgid "# service ipfilter start\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1908 msgid "" "To load the firewall rules, specify the name of the ruleset file using " "`ipf`. The following command can be used to replace the currently running " "firewall rules:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:1912 #, no-wrap msgid "# ipf -Fa -f /etc/ipf.rules\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1915 msgid "" "where `-Fa` flushes all the internal rules tables and `-f` specifies the " "file containing the rules to load." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1918 msgid "" "This provides the ability to make changes to a custom ruleset and update the " "running firewall with a fresh copy of the rules without having to reboot the " "system. This method is convenient for testing new rules as the procedure " "can be executed as many times as needed." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1920 msgid "" "Refer to man:ipf[8] for details on the other flags available with this " "command." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:1921 #, no-wrap msgid "IPF Rule Syntax" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1927 msgid "" "This section describes the IPF rule syntax used to create stateful rules. " "When creating rules, keep in mind that unless the `quick` keyword appears in " "a rule, every rule is read in order, with the _last matching rule_ being the " "one that is applied. This means that even if the first rule to match a " "packet is a `pass`, if there is a later matching rule that is a `block`, the " "packet will be dropped. Sample rulesets can be found in [.filename]#/usr/" "share/examples/ipfilter#." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1930 msgid "" "When creating rules, a `+#+` character is used to mark the start of a " "comment and may appear at the end of a rule, to explain that rule's " "function, or on its own line. Any blank lines are ignored." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1935 msgid "" "The keywords which are used in rules must be written in a specific order, " "from left to right. Some keywords are mandatory while others are optional. " "Some keywords have sub-options which may be keywords themselves and also " "include more sub-options. The keyword order is as follows, where the words " "shown in uppercase represent a variable and the words shown in lowercase " "must precede the variable that follows it:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1937 msgid "" "`_ACTION DIRECTION OPTIONS proto PROTO_TYPE from SRC_ADDR SRC_PORT to " "DST_ADDR DST_PORT TCP_FLAG|ICMP_TYPE keep state STATE_`" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1941 msgid "" "This section describes each of these keywords and their options. It is not " "an exhaustive list of every possible option. Refer to man:ipf[5] for a " "complete description of the rule syntax that can be used when creating IPF " "rules and examples for using each keyword." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1946 msgid "" "The action keyword indicates what to do with the packet if it matches that " "rule. Every rule _must_ have an action. The following actions are " "recognized:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1948 msgid "`block`: drops the packet." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1950 msgid "`pass`: allows the packet." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1952 msgid "`log`: generates a log record." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1954 msgid "" "`count`: counts the number of packets and bytes which can provide an " "indication of how often a rule is used." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1956 msgid "`auth`: queues the packet for further processing by another program." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1958 msgid "" "`call`: provides access to functions built into IPF that allow more complex " "actions." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1960 msgid "" "`decapsulate`: removes any headers in order to process the contents of the " "packet." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1961 #, no-wrap msgid "DIRECTION" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1963 msgid "" "Next, each rule must explicitly state the direction of traffic using one of " "these keywords:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1965 msgid "`in`: the rule is applied against an inbound packet." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1967 msgid "`out`: the rule is applied against an outbound packet." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1969 msgid "`all`: the rule applies to either direction." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1971 msgid "" "If the system has multiple interfaces, the interface can be specified along " "with the direction. An example would be `in on fxp0`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1975 msgid "" "Options are optional. 
However, if multiple options are specified, they must " "be used in the order shown here." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1977 msgid "" "`log`: when performing the specified ACTION, the contents of the packet's " "headers will be written to the man:ipl[4] packet log pseudo-device." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1979 msgid "" "`quick`: if a packet matches this rule, the ACTION specified by the rule " "occurs and no further processing of any following rules will occur for this " "packet." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1982 msgid "" "`on`: must be followed by the interface name as displayed by " "man:ifconfig[8]. The rule will only match if the packet is going through " "the specified interface in the specified direction." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1984 msgid "" "When using the `log` keyword, the following qualifiers may be used in this " "order:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1986 msgid "" "`body`: indicates that the first 128 bytes of the packet contents will be " "logged after the headers." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1988 msgid "" "`first`: if the `log` keyword is being used in conjunction with a `keep " "state` option, this option is recommended so that only the triggering packet " "is logged and not every packet which matches the stateful connection." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1991 msgid "" "Additional options are available to specify error return messages. Refer to " "man:ipf[5] for more details." msgstr "" #. 
type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1992 #, no-wrap msgid "PROTO_TYPE" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:1998 msgid "" "The protocol type is optional. However, it is mandatory if the rule needs " "to specify a SRC_PORT or a DST_PORT as it defines the type of protocol. " "When specifying the type of protocol, use the `proto` keyword followed by " "either a protocol number or name from [.filename]#/etc/protocols#. Example " "protocol names include `tcp`, `udp`, or `icmp`. If PROTO_TYPE is specified " "but no SRC_PORT or DST_PORT is specified, all port numbers for that protocol " "will match that rule." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:1999 #, no-wrap msgid "SRC_ADDR" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2003 msgid "" "The `from` keyword is mandatory and is followed by a keyword which " "represents the source of the packet. The source can be a hostname, an IP " "address followed by the CIDR mask, an address pool, or the keyword `all`. " "Refer to man:ipf[5] for examples." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2007 msgid "" "Address ranges that cannot be expressed as a network prefix in " "address/mask-length notation cannot be matched directly. The " "package:net-mgmt/ipcalc[] package or port may be used to ease the " "calculation of the CIDR mask. Additional information is available at the " "utility's web page: http://jodies.de/ipcalc[http://jodies.de/ipcalc]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2012 msgid "" "The port number of the source is optional. However, if it is used, it " "requires PROTO_TYPE to be first defined in the rule. The port number must " "also be introduced with the `port` keyword, as in `from any port = 1024`." 
msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2014 msgid "" "A number of different comparison operators are supported: `=` (equal to), " "`!=` (not equal to), `<` (less than), `>` (greater than), `<=` (less than or " "equal to), and `>=` (greater than or equal to)." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2016 msgid "" "To specify port ranges, place the two port numbers between `<>` (less than " "the first and greater than the second, that is, outside the range), `><` " "(greater than the first and less than the second, that is, inside the range " "with both ends excluded), or `:` (greater than or equal to the first and " "less than or equal to the second, that is, inside the range with both ends " "included)." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:2017 #, no-wrap msgid "DST_ADDR" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2020 msgid "" "The `to` keyword is mandatory and is followed by a keyword which represents " "the destination of the packet. Similar to SRC_ADDR, it can be a hostname, " "an IP address followed by the CIDR mask, an address pool, or the keyword " "`all`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2025 msgid "" "Similar to SRC_PORT, the port number of the destination is optional. " "However, if it is used, it requires PROTO_TYPE to be first defined in the " "rule. The port number must also be introduced with the `port` keyword, as in " "`to any port = 53`." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:2026 #, no-wrap msgid "TCP_FLAG|ICMP_TYPE" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2029 msgid "" "If `tcp` is specified as the PROTO_TYPE, flags can be specified as letters, " "where each letter represents one of the possible TCP flags used to determine " "the state of a connection. Possible values are: `S` (SYN), `A` (ACK), `P` " "(PSH), `F` (FIN), `U` (URG), `R` (RST), and the two ECN bits `C` (CWR) and " "`E` (ECE). For example, `flags S` matches the packets that open a new " "connection." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2032 msgid "" "If `icmp` is specified as the PROTO_TYPE, the ICMP type to match can be " "specified. Refer to man:ipf[5] for the allowable types." msgstr "" #. type: Labeled list #: documentation/content/en/books/handbook/firewalls/_index.adoc:2033 #, no-wrap msgid "STATE" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2037 msgid "" "If a `pass` rule contains `keep state`, IPF will add an entry to its dynamic " "state table and allow subsequent packets that match the connection. IPF can " "track state for TCP, UDP, and ICMP sessions. A packet that IPF can tie to an " "active session is allowed even if it uses a different protocol; for example, " "an ICMP error message that refers to a tracked TCP connection is passed." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2044 msgid "" "In IPF, packets in both directions are first checked against the dynamic " "state table. If a packet is the next expected packet of an active session, " "it passes the firewall and the session's entry in the state table is " "updated, without any rule being consulted. Only packets that do not belong " "to an active session are evaluated against the ruleset: packets leaving " "through the interface connected to the public Internet against the outbound " "rules, and packets arriving on that interface against the inbound rules." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2048 msgid "" "Several keywords can be added after `keep state`. 
If used, these keywords " "set various options that control stateful filtering, such as setting " "connection limits or connection age. Refer to man:ipf[5] for the list of " "available options and their descriptions." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2052 msgid "" "This section demonstrates how to create an example ruleset which only allows " "services matching `pass` rules and blocks all others." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2055 msgid "" "FreeBSD uses the loopback interface ([.filename]#lo0#) and the IP address " "`127.0.0.1` for internal communication. The firewall ruleset must contain " "rules to allow free movement of these internally used packets:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2061 #, no-wrap msgid "" "# no restrictions on loopback interface\n" "pass in quick on lo0 all\n" "pass out quick on lo0 all\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2066 msgid "" "The public interface connected to the Internet is used to authorize and " "control access of all outbound and inbound connections. If one or more " "interfaces are cabled to private networks, those internal interfaces may " "require rules to allow packets originating from the LAN to flow between the " "internal networks or to the interface attached to the Internet. The ruleset " "should be organized into three major sections: any trusted internal " "interfaces, outbound connections through the public interface, and inbound " "connections through the public interface." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2068 msgid "" "These two rules allow all traffic to pass through a trusted LAN interface " "named [.filename]#xl0#:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2074 #, no-wrap msgid "" "# no restrictions on inside LAN interface for private network\n" "pass out quick on xl0 all\n" "pass in quick on xl0 all\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2077 msgid "" "The rules for the public interface's outbound and inbound sections should " "have the most frequently matched rules placed before less commonly matched " "rules, with the last rule in the section blocking and logging all packets " "for that interface and direction." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2081 msgid "" "This set of rules defines the outbound section of the public interface named " "[.filename]#dc0#. These rules keep state and identify the specific services " "that internal systems are authorized for public Internet access. All the " "rules use `quick` and specify the appropriate port numbers and, where " "applicable, destination addresses." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2087 #, no-wrap msgid "" "# interface facing Internet (outbound)\n" "# Matches session start requests originating from or behind the\n" "# firewall, destined for the Internet.\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2093 #, no-wrap msgid "" "# Allow outbound access to public DNS servers.\n" "# Replace x.x.x.x with address listed in /etc/resolv.conf.\n" "# Repeat for each DNS server.\n" "pass out quick on dc0 proto tcp from any to x.x.x.x port = 53 flags S keep state\n" "pass out quick on dc0 proto udp from any to x.x.x.x port = 53 keep state\n" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2100 #, no-wrap msgid "" "# Allow access to ISP's specified DHCP server for cable or DSL networks.\n" "# Use the first rule, then check log for the IP address of DHCP server.\n" "# Then, uncomment the second rule, replace z.z.z.z with the IP address,\n" "# and comment out the first rule\n" "pass out log quick on dc0 proto udp from any to any port = 67 keep state\n" "#pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2104 #, no-wrap msgid "" "# Allow HTTP and HTTPS\n" "pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state\n" "pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2108 #, no-wrap msgid "" "# Allow email\n" "pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state\n" "pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2111 #, no-wrap msgid "" "# Allow NTP (UDP port 123; port 37 is the older TIME protocol, not NTP)\n" "pass out quick on dc0 proto udp from any to any port = 123 keep state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2114 #, no-wrap msgid "" "# Allow FTP\n" "pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2117 #, no-wrap msgid "" "# Allow SSH\n" "pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state\n" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2120 #, no-wrap msgid "" "# Allow ping\n" "pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2123 #, no-wrap msgid "" "# Block and log everything else\n" "block out log first quick on dc0 all\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2127 msgid "" "This example of the rules in the inbound section of the public interface " "blocks all undesirable packets first. This reduces the number of packets " "that are logged by the last rule." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2141 #, no-wrap msgid "" "# interface facing Internet (inbound)\n" "# Block all inbound traffic from non-routable or reserved address spaces\n" "block in quick on dc0 from 192.168.0.0/16 to any #RFC 1918 private IP\n" "block in quick on dc0 from 172.16.0.0/12 to any #RFC 1918 private IP\n" "block in quick on dc0 from 10.0.0.0/8 to any #RFC 1918 private IP\n" "block in quick on dc0 from 127.0.0.0/8 to any #loopback\n" "block in quick on dc0 from 0.0.0.0/8 to any #loopback\n" "block in quick on dc0 from 169.254.0.0/16 to any #DHCP auto-config\n" "block in quick on dc0 from 192.0.2.0/24 to any #reserved for docs\n" "block in quick on dc0 from 204.152.64.0/23 to any #Sun cluster interconnect\n" "block in quick on dc0 from 224.0.0.0/3 to any #Class D & E multicast\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2145 #, no-wrap msgid "" "# Block fragments and too short tcp packets\n" "block in quick on dc0 all with frags\n" "block in quick on dc0 proto tcp all with short\n" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2149 #, no-wrap msgid "" "# block source routed packets\n" "block in quick on dc0 all with opt lsrr\n" "block in quick on dc0 all with opt ssrr\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2152 #, no-wrap msgid "" "# Block OS fingerprint attempts and log first occurrence\n" "block in log first quick on dc0 proto tcp from any to any flags FUP\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2155 #, no-wrap msgid "" "# Block anything with special options\n" "block in quick on dc0 all with ipopts\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2159 #, no-wrap msgid "" "# Block public pings and ident\n" "block in quick on dc0 proto icmp all icmp-type 8\n" "block in quick on dc0 proto tcp from any to any port = 113\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2165 #, no-wrap msgid "" "# Block incoming Netbios services\n" "block in log first quick on dc0 proto tcp/udp from any to any port = 137\n" "block in log first quick on dc0 proto tcp/udp from any to any port = 138\n" "block in log first quick on dc0 proto tcp/udp from any to any port = 139\n" "block in log first quick on dc0 proto tcp/udp from any to any port = 81\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2169 msgid "" "Any time there are logged messages on a rule with the `log first` option, " "run `ipfstat -hio` to evaluate how many times the rule has been matched. A " "large number of matches may indicate that the system is under attack." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2172 msgid "" "The rest of the rules in the inbound section define which connections are " "allowed to be initiated from the Internet. The last rule denies all " "connections which were not explicitly allowed by previous rules in this " "section." msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2178 #, no-wrap msgid "" "# Allow traffic in from ISP's DHCP server. Replace z.z.z.z with\n" "# the same IP address used in the outbound section.\n" "pass in quick on dc0 proto udp from z.z.z.z to any port = 68 keep state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2181 #, no-wrap msgid "" "# Allow public connections to specified internal web server\n" "pass in quick on dc0 proto tcp from any to x.x.x.x port = 80 flags S keep state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2184 #, no-wrap msgid "" "# Block and log only first occurrence of all remaining traffic.\n" "block in log first quick on dc0 all\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:2186 #, no-wrap msgid "Configuring NAT" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2189 msgid "" "To enable NAT, add these statements to [.filename]#/etc/rc.conf# and specify " "the name of the file containing the NAT rules:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2195 #, no-wrap msgid "" "gateway_enable=\"YES\"\n" "ipnat_enable=\"YES\"\n" "ipnat_rules=\"/etc/ipnat.rules\"\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2200 msgid "" "NAT rules are flexible and can accomplish many different things to fit the " "needs of both commercial and home users. 
The rule syntax presented here has " "been simplified to demonstrate common usage. For a complete rule syntax " "description, refer to man:ipnat[5]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2202 msgid "" "The basic syntax for a NAT rule is as follows, where `map` starts the rule " "and _IF_ should be replaced with the name of the external interface:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2206 #, no-wrap msgid "map IF LAN_IP_RANGE -> PUBLIC_ADDRESS\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2211 msgid "" "The _LAN_IP_RANGE_ is the range of IP addresses used by internal clients. " "Usually, it is a private address range such as `192.168.1.0/24`. The " "_PUBLIC_ADDRESS_ can either be the static external IP address or the keyword " "`0/32` which represents the IP address assigned to _IF_." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2218 msgid "" "In IPF, when a packet arrives at the firewall from the LAN with a public " "destination, it first passes through the outbound rules of the firewall " "ruleset. Then, the packet is passed to the NAT ruleset which is read from " "the top down, where the first matching rule wins. IPF tests each NAT rule " "against the packet's interface name and source IP address. When a packet's " "interface name matches a NAT rule, the packet's source IP address in the " "private LAN is checked to see if it falls within the IP address range " "specified in _LAN_IP_RANGE_. On a match, the packet has its source IP " "address rewritten with the public IP address specified by _PUBLIC_ADDRESS_. " "IPF posts an entry in its internal NAT table so that when the packet returns " "from the Internet, it can be mapped back to its original private IP address " "before being passed to the firewall rules for further processing." 
msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2221 msgid "" "For networks that have large numbers of internal systems or multiple " "subnets, the process of funneling every private IP address into a single " "public IP address becomes a resource problem. Two methods are available to " "relieve this issue." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2224 msgid "" "The first method is to assign a range of ports to use as source ports. By " "adding the `portmap` keyword, NAT can be directed to only use source ports " "in the specified range:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2228 #, no-wrap msgid "map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2231 msgid "" "Alternately, use the `auto` keyword which tells NAT to determine the ports " "that are available for use:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2235 #, no-wrap msgid "map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2240 msgid "" "The second method is to use a pool of public addresses. This is useful when " "there are too many LAN addresses to fit into a single public address and a " "block of public IP addresses is available. These public addresses can be " "used as a pool from which NAT selects an IP address as a packet's address is " "mapped on its way out." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2243 msgid "" "The range of public IP addresses can be specified using a netmask or CIDR " "notation. These two rules are equivalent:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2248 #, no-wrap msgid "" "map dc0 192.168.1.0/24 -> 204.134.75.0/255.255.255.0\n" "map dc0 192.168.1.0/24 -> 204.134.75.0/24\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2253 msgid "" "A common practice is to have a publicly accessible web server or mail server " "segregated to an internal network segment. The traffic from these servers " "still has to undergo NAT, but port redirection is needed to direct inbound " "traffic to the correct server. For example, to map a web server using the " "internal address `10.0.10.25` to its public IP address of `20.20.20.5`, use " "this rule:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2257 #, no-wrap msgid "rdr dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2260 msgid "" "If it is the only web server, this rule would also work as it redirects all " "external HTTP requests to `10.0.10.25`:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2264 #, no-wrap msgid "rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.25 port 80\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2269 msgid "" "IPF has a built in FTP proxy which can be used with NAT. It monitors all " "outbound traffic for active or passive FTP connection requests and " "dynamically creates temporary filter rules containing the port number used " "by the FTP data channel. This eliminates the need to open large ranges of " "high order ports for FTP connections." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2272 msgid "" "In this example, the first rule calls the proxy for outbound FTP traffic " "from the internal LAN. 
The second rule passes the FTP traffic from the " "firewall to the Internet, and the third rule handles all non-FTP traffic " "from the internal LAN:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2278 #, no-wrap msgid "" "map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp\n" "map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp\n" "map dc0 10.0.10.0/29 -> 0/32\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2282 msgid "" "The FTP `map` rules go before the NAT rule so that when a packet matches an " "FTP rule, the FTP proxy creates temporary filter rules to let the FTP " "session packets pass and undergo NAT. All LAN packets that are not FTP will " "not match the FTP rules but will undergo NAT if they match the third rule." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2285 msgid "" "Without the FTP proxy, the following firewall rules would instead be " "needed. Note that without the proxy, all ports above `1024` need to be " "allowed:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2291 #, no-wrap msgid "" "# Allow out LAN PC client FTP to public Internet\n" "# Active and passive modes\n" "pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2294 #, no-wrap msgid "" "# Allow out passive mode data channel high order port numbers\n" "pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep state\n" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2297 #, no-wrap msgid "" "# Active mode let data channel in from FTP server\n" "pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2301 msgid "" "Whenever the file containing the NAT rules is edited, run `ipnat` with `-CF` " "to delete the current NAT rules and flush the contents of the dynamic " "translation table. Include `-f` and specify the name of the NAT ruleset to " "load:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2305 #, no-wrap msgid "# ipnat -CF -f /etc/ipnat.rules\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2308 msgid "To display the NAT statistics:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2312 #, no-wrap msgid "# ipnat -s\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2315 msgid "To list the NAT table's current mappings:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2319 #, no-wrap msgid "# ipnat -l\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2322 msgid "" "To turn verbose mode on and display information relating to rule processing " "and active rules and table entries:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2326 #, no-wrap msgid "# ipnat -v\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:2328 #, no-wrap msgid "Viewing IPF Statistics" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2332 msgid "" "IPF includes man:ipfstat[8] which can be used to retrieve and display " "statistics which are gathered as packets match rules as they go through the " "firewall. Statistics are accumulated since the firewall was last started or " "since the last time they were reset to zero using `ipf -Z`." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2334 msgid "The default `ipfstat` output looks like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2354 #, no-wrap msgid "" "input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0\n" " output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0\n" " input packets logged: blocked 99286 passed 0\n" " output packets logged: blocked 0 passed 0\n" " packets logged: input 0 output 0\n" " log failures: input 3898 output 0\n" " fragment state(in): kept 0 lost 0\n" " fragment state(out): kept 0 lost 0\n" " packet state(in): kept 169364 lost 0\n" " packet state(out): kept 431395 lost 0\n" " ICMP replies: 0 TCP RSTs sent: 0\n" " Result cache hits(in): 1215208 (out): 1098963\n" " IN Pullups succeeded: 2 failed: 0\n" " OUT Pullups succeeded: 0 failed: 0\n" " Fastroute successes: 0 failures: 0\n" " TCP cksum fails(in): 0 (out): 0\n" " Packet log flags set: (0)\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2360 msgid "" "Several options are available. When supplied with either `-i` for inbound " "or `-o` for outbound, the command will retrieve and display the appropriate " "list of filter rules currently installed and in use by the kernel. To also " "see the rule numbers, include `-n`. For example, `ipfstat -on` displays the " "outbound rules table with rule numbers:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2366 #, no-wrap msgid "" "@1 pass out on xl0 from any to any\n" "@2 block out on dc0 from any to any\n" "@3 pass out quick on dc0 proto tcp/udp from any to any keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2370 msgid "" "Include `-h` to prefix each rule with a count of how many times the rule was " "matched. 
For example, `ipfstat -oh` displays the outbound internal rules " "table, prefixing each rule with its usage count:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2376 #, no-wrap msgid "" "2451423 pass out on xl0 from any to any\n" "354727 block out on dc0 from any to any\n" "430918 pass out quick on dc0 proto tcp/udp from any to any keep state\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2382 msgid "" "To display the state table in a format similar to man:top[1], use `ipfstat " "-t`. When the firewall is under attack, this option provides the ability to " "identify and see the attacking packets. The optional sub-flags give the " "ability to select the destination or source IP, port, or protocol to be " "monitored in real time. Refer to man:ipfstat[8] for details." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:2383 #, no-wrap msgid "IPF Logging" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2387 msgid "" "IPF provides `ipmon`, which can be used to write the firewall's logging " "information in a human readable format. It requires that `options " "IPFILTER_LOG` be first added to a custom kernel using the instructions in " "crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2390 msgid "" "This command is typically run in daemon mode in order to provide a " "continuous system log file so that logging of past events may be reviewed. " "Since FreeBSD has a built in man:syslogd[8] facility to automatically rotate " "system logs, the default [.filename]#rc.conf# `ipmon_flags` statement uses `-" "Ds`:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2397 #, no-wrap msgid "" "ipmon_flags=\"-Ds\" # D = start as daemon\n" " # s = log to syslog\n" " # v = log tcp window, ack, seq\n" " # n = map IP & port to names\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2401 msgid "" "Logging provides the ability to review, after the fact, information such as " "which packets were dropped, what addresses they came from, and where they " "were going. This information is useful in tracking down attackers." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2406 msgid "" "Once the logging facility is enabled in [.filename]#rc.conf# and started " "with `service ipmon start`, IPF will only log the rules which contain the " "`log` keyword. The firewall administrator decides which rules in the " "ruleset should be logged and normally only deny rules are logged. It is " "customary to include the `log` keyword in the last rule in the ruleset. " "This makes it possible to see all the packets that did not match any of the " "rules in the ruleset." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2409 msgid "" "By default, `ipmon -Ds` mode uses `local0` as the logging facility. The " "following logging levels can be used to further segregate the logged data:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2416 #, no-wrap msgid "" "LOG_INFO - packets logged using the \"log\" keyword as the action rather than pass or block.\n" "LOG_NOTICE - packets logged which are also passed\n" "LOG_WARNING - packets logged which are also blocked\n" "LOG_ERR - packets which have been logged and which can be considered short due to an incomplete header\n" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2419 msgid "" "In order to setup IPF to log all data to [.filename]#/var/log/ipfilter.log#, " "first create the empty file:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2423 #, no-wrap msgid "# touch /var/log/ipfilter.log\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2426 msgid "" "Then, to write all logged messages to the specified file, add the following " "statement to [.filename]#/etc/syslog.conf#:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2430 #, no-wrap msgid "local0.* /var/log/ipfilter.log\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2433 msgid "" "To activate the changes and instruct man:syslogd[8] to read the modified " "[.filename]#/etc/syslog.conf#, run `service syslogd reload`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2435 msgid "" "Do not forget to edit [.filename]#/etc/newsyslog.conf# to rotate the new log " "file." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2438 msgid "" "Messages generated by `ipmon` consist of data fields separated by white " "space. Fields common to all messages are:" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2440 msgid "The date of packet receipt." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2441 msgid "" "The time of packet receipt. This is in the form HH:MM:SS.F, for hours, " "minutes, seconds, and fractions of a second." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2442 msgid "The name of the interface that processed the packet." msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2443 msgid "The group and rule number of the rule in the format `@0:17`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2444 msgid "" "The action: `p` for passed, `b` for blocked, `S` for a short packet, `n` did " "not match any rules, and `L` for a log rule." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2445 msgid "" "The addresses written as three fields: the source address and port separated " "by a comma, the -> symbol, and the destination address and port. For " "example: `209.53.17.22,80 -> 198.73.220.17,1722`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2446 msgid "`PR` followed by the protocol name or number: for example, `PR tcp`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2447 msgid "" "`len` followed by the header length and total length of the packet: for " "example, `len 20 40`." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2450 msgid "" "If the packet is a TCP packet, there will be an additional field starting " "with a hyphen followed by letters corresponding to any flags that were set. " "Refer to man:ipf[5] for a list of letters and their flags." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2453 msgid "" "If the packet is an ICMP packet, there will be two fields at the end: the " "first always being \"icmp\" and the next being the ICMP message and sub-" "message type, separated by a slash. For example: `icmp 3/3` for a port " "unreachable message." msgstr "" #. type: Title == #: documentation/content/en/books/handbook/firewalls/_index.adoc:2455 #, no-wrap msgid "Blocklistd" msgstr "" #. 
type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2462 msgid "" "Blocklistd is a daemon that listens on sockets for notifications from " "other daemons about connection attempts that failed or succeeded. It is " "most widely used to block excessive connection attempts on open ports. A " "prime example is SSH exposed to the Internet, receiving many requests from " "bots or scripts trying to guess passwords and gain access. Using " "blocklistd, the daemon can notify the firewall to create a filter rule that " "blocks excessive connection attempts from a single source after a number of " "tries. Blocklistd was first developed on NetBSD, where it appeared in " "version 7 under its original name, blacklistd. FreeBSD 11 imported " "blocklistd from NetBSD." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2467 msgid "" "This chapter describes how to set up and configure blocklistd, and provides " "examples of how to use it. Readers should be familiar with basic firewall " "concepts like rules. For details, refer to the firewall chapter. PF is " "used in the examples, but other firewalls available on FreeBSD should be " "able to work with blocklistd, too." msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:2468 #, no-wrap msgid "Enabling Blocklistd" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2474 msgid "" "The main configuration for blocklistd is stored in man:blocklistd.conf[5]. " "Various command line options are also available to change blocklistd's run-" "time behavior. Persistent configuration across reboots should be stored in " "[.filename]#/etc/blocklistd.conf#. To enable the daemon during system boot, " "add a `blocklistd_enable` line to [.filename]#/etc/rc.conf# like this:" msgstr "" #. type: delimited block . 
4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2478 #, no-wrap msgid "# sysrc blocklistd_enable=yes\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2481 msgid "To start the service manually, run this command:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2485 #, no-wrap msgid "# service blocklistd start\n" msgstr "" #. type: Title === #: documentation/content/en/books/handbook/firewalls/_index.adoc:2487 #, no-wrap msgid "Creating a Blocklistd Ruleset" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2492 msgid "" "Rules for blocklistd are configured in man:blocklistd.conf[5] with one entry " "per line. Each rule contains a tuple separated by spaces or tabs. Rules " "either belong to a `local` or a `remote`, which applies to the machine where " "blocklistd is running or an outside source, respectively." msgstr "" #. type: Title ==== #: documentation/content/en/books/handbook/firewalls/_index.adoc:2493 #, no-wrap msgid "Local Rules" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2496 msgid "An example blocklistd.conf entry for a local rule looks like this:" msgstr "" #. type: delimited block . 4 #: documentation/content/en/books/handbook/firewalls/_index.adoc:2501 #, no-wrap msgid "" "[local]\n" "ssh stream * * * 3 24h\n" msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2505 msgid "" "All rules that follow the `[local]` section are treated as local rules " "(which is the default), applying to the local machine. When a `[remote]` " "section is encountered, all rules that follow it are handled as remote " "machine rules." msgstr "" #. type: Plain text #: documentation/content/en/books/handbook/firewalls/_index.adoc:2513 msgid "" "Seven fields separated by either tabs or spaces define a rule. 
The first "
"four fields identify the traffic that should be blocklisted. The three "
"fields that follow define blocklistd's behavior. Wildcards are denoted as "
"asterisks (`*`), matching anything in this field. The first field defines "
"the location. In local rules, these are the network ports. The syntax for "
"the location field is as follows:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2517
#, no-wrap
msgid "[address|interface][/mask][:port]\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2521
msgid ""
"Addresses can be specified as IPv4 in numeric format or IPv6 in square "
"brackets. An interface name like `_em0_` can also be used."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2525
msgid ""
"The socket type is defined by the second field. TCP sockets are of type "
"`stream`, whereas UDP is denoted as `dgram`. The example above uses TCP, "
"since SSH is using that protocol."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2529
msgid ""
"A protocol can be used in the third field of a blocklistd rule. The "
"following protocols can be used: `tcp`, `udp`, `tcp6`, `udp6`, or numeric. "
"A wildcard, like in the example, is typically used to match all protocols "
"unless there is a reason to distinguish traffic by a certain protocol."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2532
msgid ""
"In the fourth field, the effective user or owner of the daemon process that "
"is reporting the event is defined. The username or UID can be used here, as "
"well as a wildcard (see example rule above)."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2535
msgid ""
"The packet filter rule name is declared by the fifth field, which starts the "
"behavior part of the rule. By default, blocklistd puts all blocks under a "
"pf anchor called `blocklistd` in [.filename]#pf.conf# like this:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2541
#, no-wrap
msgid ""
"anchor \"blocklistd/*\" in on $ext_if\n"
"block in\n"
"pass out\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2547
msgid ""
"For separate blocklists, an anchor name can be used in this field. In other "
"cases, the wildcard will suffice. When a name starts with a hyphen (`-`) it "
"means that an anchor with the default rule name prepended should be used. A "
"modified example from the above using the hyphen would look like this:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2551
#, no-wrap
msgid "ssh stream * * -ssh 3 24h\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2554
msgid ""
"With such a rule, any new blocklist rules are added to an anchor called "
"`blocklistd-ssh`."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2558
msgid ""
"To block whole subnets for a single rule violation, a `/` in the rule name "
"can be used. This causes the remaining portion of the name to be "
"interpreted as the mask to be applied to the address specified in the rule. "
"For example, this rule would block the whole `/24` network containing the "
"offending address."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2562
#, no-wrap
msgid "22 stream tcp * */24 3 24h\n"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2568
msgid ""
"It is important to specify the proper protocol here. IPv4 and IPv6 treat "
"`/24` differently, which is why `*` cannot be used in the third field for "
"this rule."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2571
msgid ""
"This rule defines that if any one host in that network is misbehaving, "
"everything else on that network will be blocked, too."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2575
msgid ""
"The sixth field, called `nfail`, sets the number of login failures required "
"to blocklist the remote IP in question. When a wildcard is used at this "
"position, it means that blocks will never happen. In the example rule "
"above, a limit of three is defined, meaning that after three failed attempts "
"to log into SSH on one connection, the IP is blocked."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2578
msgid ""
"The last field in a blocklistd rule definition specifies how long a host is "
"blocklisted. The default unit is seconds, but suffixes like `m`, `h`, and "
"`d` can also be specified for minutes, hours, and days, respectively."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2582
msgid ""
"The example rule in its entirety means that three failed authentications "
"to SSH will result in a new PF block rule for that host. Rule matches are "
"performed by first checking local rules one after another, from most "
"specific to least specific. When a match occurs, the `remote` rules are "
"applied and the `name`, `nfail`, and `duration` fields are changed by the "
"`remote` rule that matched."
msgstr ""

#. type: Title ====
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2583
#, no-wrap
msgid "Remote Rules"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2589
msgid ""
"Remote rules are used to specify how blocklistd changes its behavior "
"depending on the remote host currently being evaluated. Each field in a "
"remote rule is the same as in a local rule. The only difference is in the "
"way blocklistd uses them. To explain it, this example rule is used:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2594
#, no-wrap
msgid ""
"[remote]\n"
"203.0.113.128/25 * * * =/25 = 48h\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2599
msgid ""
"The address field can be an IP address (either v4 or v6), a port or both. "
"This allows setting special rules for a specific remote address range like "
"in this example. The fields for socket type, protocol and owner are "
"interpreted identically to the local rule."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2605
msgid ""
"The name field is different though: the equal sign (`=`) in a remote rule "
"tells blocklistd to use the value from the matching local rule. It means "
"that the firewall rule entry is taken and the `/25` prefix (a netmask of "
"`255.255.255.128`) is added. When a connection from that address range is "
"blocklisted, the entire subnet is affected. A PF anchor name can also be "
"used here, in which case blocklistd will add rules for this address block to "
"the anchor of that name. The default table is used when a wildcard is "
"specified."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2609
msgid ""
"A custom number of failures in the `nfail` column can be defined for an "
"address. This is useful for exceptions to a specific rule, for example to "
"allow a less strict application of the rules or a bit more leniency in login "
"attempts. Blocking is disabled when an asterisk is used in this sixth field."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2611
msgid ""
"Remote rules allow limits on login attempts to be enforced more strictly "
"for remote hosts than for attempts coming from a local network like an "
"office."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2612
#, no-wrap
msgid "Blocklistd Client Configuration"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2617
msgid ""
"There are a few software packages in FreeBSD that can utilize blocklistd's "
"functionality. The two most prominent ones are package:ftp/freebsd-ftpd[] "
"and man:sshd[8], which use it to block excessive connection attempts. To "
"activate blocklistd in the SSH daemon, add the following line to "
"[.filename]#/etc/ssh/sshd_config#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2621
#, no-wrap
msgid "UseBlocklist yes\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2624
msgid "Restart sshd afterwards to make these changes take effect."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2626
msgid ""
"Blocklisting for package:ftp/freebsd-ftpd[] is enabled using `-B`, either in "
"[.filename]#/etc/inetd.conf# or as a flag in [.filename]#/etc/rc.conf# like "
"this:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2630
#, no-wrap
msgid "ftpd_flags=\"-B\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2633
msgid "That is all that is needed to make these programs talk to blocklistd."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2634
#, no-wrap
msgid "Blocklistd Management"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2639
msgid ""
"Blocklistd provides the user with a management utility called "
"man:blocklistctl[8]. It displays the addresses and networks that are "
"blocklisted by the rules defined in man:blocklistd.conf[5]. To see the list "
"of currently blocked hosts, use `dump` combined with `-b` like this."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2645
#, no-wrap
msgid ""
"# blocklistctl dump -b\n"
"rulename address/ma:port id nfail last access\n"
"blocklistd 213.0.123.128/25:22 OK 6/3 2019/06/08 14:30:19\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2651
msgid ""
"This example shows that there were 6 out of 3 permitted attempts on port "
"22 coming from the address range `213.0.123.128/25`. There are more "
"attempts listed than are allowed because SSH allows a client to try multiple "
"logins on a single TCP connection. An ongoing connection is not stopped by "
"blocklistd. The last connection attempt is listed in the `last access` "
"column of the output."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2653
msgid ""
"To see the remaining time that this host will be on the blocklist, add `-r` "
"to the previous command."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2659
#, no-wrap
msgid ""
"# blocklistctl dump -br\n"
"rulename address/ma:port id nfail remaining time\n"
"blocklistd 213.0.123.128/25:22 OK 6/3 36s\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2662
msgid ""
"In this example, there are 36 seconds left until this host will no longer "
"be blocked."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2663
#, no-wrap
msgid "Removing Hosts from the Block List"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2674
msgid ""
"Sometimes it is necessary to remove a host from the block list before the "
"remaining time expires. Unfortunately, there is no functionality in "
"blocklistd to do that. However, it is possible to remove the address from "
"the PF table using pfctl. For each blocked port, there is a child anchor "
"inside the blocklistd anchor defined in [.filename]#/etc/pf.conf#. For "
"example, if there is a child anchor for blocking port 22 it is called "
"`blocklistd/22`. There is a table inside that child anchor that contains "
"the blocked addresses. This table is called `port` followed by the port "
"number. In this example, it would be called `port22`. With that "
"information at hand, it is now possible to use man:pfctl[8] to display all "
"addresses listed like this:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2681
#, no-wrap
msgid ""
"# pfctl -a blocklistd/22 -t port22 -T show\n"
"...\n"
"213.0.123.128/25\n"
"...\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2684
msgid ""
"After identifying the address to be unblocked from the list, the following "
"command removes it from the list:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2688
#, no-wrap
msgid "# pfctl -a blocklistd/22 -t port22 -T delete 213.0.123.128/25\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2692
msgid ""
"The address is now removed from PF, but will still show up in the "
"blocklistctl list, since blocklistd does not know about changes made in PF. "
"The entry in blocklistd's database will eventually expire and be removed "
"from its output. The entry will be added again if the host matches one of "
"the block rules in blocklistd again."
msgstr ""
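The following POSIX shell script is an added example and is not part of the FreeBSD Handbook, of blocklistd, or of the translation template above. It serves two of the sections: it checks blocklistd.conf rules against the seven-field syntax described under the local and remote rule sections (including the admonition that a local rule with a `/mask` name must name a protocol rather than `*`), and it derives from `blocklistctl dump -br` output the `pfctl -a <rulename>/<port> -t port<port> -T delete <address>` commands described under Removing Hosts from the Block List. The sample configuration and dump text are constructed for the example. Two points are assumptions rather than handbook facts: that `=` as a name, `nfail` or duration value is only meaningful in `[remote]` rules, and that the child anchor and table naming shown for the default `blocklistd` rule name carries over to other rule names.

```shell
#!/bin/sh
# Added example; not code from the FreeBSD Handbook or from blocklistd.
# Part 1: check_rules validates the seven-field blocklistd.conf syntax
#         described above and flags a local /mask rule that still uses "*"
#         as its protocol (the admonition's IPv4/IPv6 caveat).
# Part 2: unblock_commands turns `blocklistctl dump -br` output into the
#         pfctl(8) delete commands from "Removing Hosts from the Block List",
#         using the child anchor <rulename>/<port> and table port<port>
#         (assumed to hold for rule names other than the default).
# Both inputs are constructed samples; nothing here touches PF or blocklistd.

SAMPLE_CONF='# constructed sample, not a real /etc/blocklistd.conf
[local]
ssh stream * * * 3 24h
22 stream tcp * */24 3 24h
22 stream * * */24 3 24h
ftp stream * * -ftp 5 1h
[remote]
203.0.113.128/25 * * * =/25 = 48h
192.0.2.0/24 * * * = * *
bogus line
'

# check_rules: reads blocklistd.conf text on stdin and prints one line per
# rule ("OK <section>: ...", "WARN <reason>: ..." or "ERR <reason>: ...")
# followed by "summary: N ok, M problems".  Always exits 0.
check_rules() {
    awk '
    BEGIN { section = "local"; ok = 0; bad = 0 }   # [local] is the default
    /^[ \t]*(#|$)/ { next }                        # comments and blank lines
    /^\[local\]/  { section = "local";  next }
    /^\[remote\]/ { section = "remote"; next }
    NF != 7 { print "ERR wrong field count (" NF ", expected 7): " $0; bad++; next }
    {
        proto = $3; name = $5; nfail = $6; dur = $7
        if (section == "local" && index(name, "/") > 0 && proto == "*") {
            # IPv4 and IPv6 read the mask differently, so "*" is not allowed
            print "WARN /mask rule needs an explicit protocol: " $0; bad++; next
        }
        if (section == "local" && (name ~ /^=/ || nfail == "=" || dur == "=")) {
            # assumption: "=" (take the value from the local rule) is remote-only
            print "ERR = is only valid in [remote] rules: " $0; bad++; next
        }
        if (nfail != "*" && nfail != "=" && nfail !~ /^[0-9]+$/) {
            print "ERR nfail must be a number, * or =: " $0; bad++; next
        }
        if (dur != "*" && dur != "=" && dur !~ /^[0-9]+[mhd]?$/) {
            print "ERR duration must be seconds or N with m/h/d suffix: " $0; bad++; next
        }
        print "OK " section ": " $0; ok++
    }
    END { print "summary: " ok " ok, " bad " problems" }'
}

# Dump text in the format shown above (remaining-time column); constructed.
SAMPLE_DUMP='rulename address/ma:port id nfail remaining time
blocklistd 213.0.123.128/25:22 OK 6/3 36s
blocklistd 198.51.100.7/32:22 OK 3/3 23h59m
blocklistd 192.0.2.10/32:21 OK 5/5 12m'

# unblock_commands [PORT]: reads dump output on stdin and prints, without
# running it, one pfctl delete command per entry (optionally for one port).
# IPv4 entries only; the anchor is taken from the rulename column, which
# reproduces the handbook's blocklistd/22 example for the default rule name.
unblock_commands() {
    awk -v want="${1:-}" '
    $1 == "rulename" { next }                  # header line
    NF < 4 { next }
    {
        n = split($2, part, ":")               # the last ":" separates the port
        port = part[n]
        addr = substr($2, 1, length($2) - length(port) - 1)
        if (want != "" && port != want) next
        printf "pfctl -a %s/%s -t port%s -T delete %s\n", $1, port, port, addr
    }'
}

# Run both parts on the constructed samples.
printf '%s' "$SAMPLE_CONF" | check_rules
printf '%s\n' "$SAMPLE_DUMP" | unblock_commands 22
```

The script never invokes pfctl itself; it prints the delete commands so that they can be reviewed before being run as root, which keeps an accidental wildcard or typo in the dump parsing from touching the live tables. On a real system, pipe `blocklistctl dump -br` into `unblock_commands` instead of the sample text, and remember from the text above that blocklistctl will keep listing the entry until blocklistd's own database expires it.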