author: Alexander Langer <alex@FreeBSD.org> 1996-06-30 02:59:16 +0000
committer: Alexander Langer <alex@FreeBSD.org> 1996-06-30 02:59:16 +0000
commit: 60f73e050b078eec7e05a57a6091feaccd8dbf1b (patch)
parent: f9f4cdbff7c8260a1b25d63168a3c7f500ed37f2 (diff)
Merge fixes from HEAD (rev 1.6).
Notes: svn path=/branches/RELENG_2_1_0/; revision=386
1 files changed, 23 insertions, 10 deletions
diff --git a/handbook/firewalls.sgml b/handbook/firewalls.sgml
index 2028d8822a..a90a5412d2 100644
--- a/handbook/firewalls.sgml
+++ b/handbook/firewalls.sgml
@@ -1,4 +1,4 @@
-<!-- $Id: firewalls.sgml,v 1996-06-25 03:16:27 alex Exp $ -->
+<!-- $Id: firewalls.sgml,v 1996-06-30 02:59:16 alex Exp $ -->
<!-- The FreeBSD Documentation Project -->
<sect><heading>Firewalls<label id="firewalls"></heading>
@@ -180,8 +180,9 @@ entries.
<p>The syntax for this form of the command is:
-ipfw &lsqb;-N&rsqb; <em>command</em> &lsqb;index&rsqb; <em>action</em>
-<em>protocol</em> <em>addresses</em> &lsqb;options&rsqb;
+ipfw &lsqb;-N&rsqb; <em>command</em> &lsqb;<em>index</em>&rsqb;
+<em>action</em> &lsqb;log&rsqb; <em>protocol</em> <em>addresses</em>
<p>There is one valid flag when using this form of the command:
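Review bot: the rewritten syntax line drops the trailing `&lsqb;options&rsqb;` that the old line had, while the later heading `<p>The <em>options</em> available are:` and the `established`/`setup` entries in this same file still document options that follow the addresses, and the command examples further down end in `setup`. Suggest keeping the full form so the summary matches the rest of the section: `ipfw &lsqb;-N&rsqb; <em>command</em> &lsqb;<em>index</em>&rsqb; <em>action</em> &lsqb;log&rsqb; <em>protocol</em> <em>addresses</em> &lsqb;options&rsqb;`.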
@@ -210,7 +211,10 @@ at a specific point in the chain. Otherwise, the entry is placed at
the end of the chain at an index 100 greater than the last chain
entry (this does not include the default policy, rule 65535, deny).
-Valid <em>actions</em> are:
+<p>The <bf>log</bf> option causes matching rules to be output to the
+system console if the kernel was compiled with <bf>IPFIREWALL_VERBOSE</bf>.
+<p>Valid <em>actions</em> are:
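Review bot: "causes matching rules to be output to the system console" describes the wrong object; it is the packets that match the rule which get logged, not the rule itself. Suggest `<p>The <bf>log</bf> option causes packets matching the rule to be logged to the system console if the kernel was compiled with <bf>IPFIREWALL_VERBOSE</bf>.` and an explicit follow-on that without that kernel option the keyword produces no output, so a reader who adds `log` and sees nothing on the console knows where to look first.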
@@ -292,9 +296,10 @@ port&lsqb;,port&lsqb;,port&lsqb;...&rsqb;&rsqb;&rsqb;
to specify either a single port or a list of ports, or
-to specify a range of ports.
+to specify a range of ports. You may also combine a single range with a
+list, but the range must always be specified first.
<p>The <em>options</em> available are:
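Review bot: the new sentence states an ordering constraint ("the range must always be specified first") without showing what the combined form looks like; one concrete example after the sentence, a range followed by the comma-separated list of the `port&lsqb;,port&lsqb;,port&lsqb;...&rsqb;&rsqb;&rsqb;` form shown just above, would remove the ambiguity. "a single range" should also say whether a second range in the same list is rejected, since the list form above suggests arbitrary combinations are allowed.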
@@ -314,7 +319,9 @@ and <bf>ts</bf> (timestamp). The absence of a particular option may
be denoted with a leading '!'.
<tag/established/Matches if the packet is part of an already established
-TCP connection (i.e. it has the RST or ACK bits set).
+TCP connection (i.e. it has the RST or ACK bits set). You can optimize
+the performance of the firewall by placing <em>established</em> rules
+early in the chain.
<tag/setup/Matches if the packet is an attempt to establish a TCP connection
(the SYN bit set is set but the ACK bit is not).
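Review bot: the performance advice should be tied to the definition on the preceding line: <em>established</em> matches on the RST or ACK flag bits alone, not on any tracked connection state, so an early <em>established</em> rule short-circuits chain evaluation for every packet carrying those bits, whatever its origin. Suggest saying explicitly that the gain comes from skipping the rest of the chain for the bulk of packets, and that an <em>established</em> accept rule placed first therefore admits any packet with those flags set; readers should know that is a flag check, not a connection check, before moving it to the top. The unchanged context line "the SYN bit set is set but the ACK bit is not" also has a duplicated "set"; worth fixing while touching this paragraph.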
@@ -329,7 +336,9 @@ by a leading '!'.
the list <em>types</em>. The list may be specified as any combination
of ranges and/or individual types separated by commas. Commonly used
ICMP types are: <bf>0</bf> echo reply (ping reply), <bf>5</bf>
-redirect, and <bf>8</bf> echo request (ping request).
+redirect, <bf>8</bf> echo request (ping request), and <bf>11</bf>
+time exceeded (used to indicate TTL expiration as with
@@ -402,14 +411,14 @@ If you do not want people sending X sessions to your internal network
-ipfw add deny setup from any to my.org/28 6000
+ipfw add deny from any to my.org/28 6000 setup
To allow access to the SUP server on <bf>sup.FreeBSD.ORG</bf>, use the
following command:
-ipfw addf accept syn to sup.FreeBSD.ORG 871
+ipfw add accept from any to sup.FreeBSD.ORG 871
To see the accounting records:
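Review bot: both rewritten examples omit the <em>protocol</em> field that the syntax summary earlier in this diff places between the action and the addresses, and <em>setup</em> is documented above as a TCP-only match; the first example should therefore read `ipfw add deny tcp from any to my.org/28 6000 setup`. In the second example the `syn` qualifier was dropped entirely rather than converted to `setup`, so `ipfw add accept from any to sup.FreeBSD.ORG 871` now accepts every packet to port 871 instead of only connection attempts; if that broadening is not intended, append `setup` (and add `tcp`) as in the first example.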
@@ -517,6 +526,10 @@ normally fall outside the 1-1024 range specified above.
+<p>Another checklist for firewall configuration is available from CERT
+at <htmlurl url="ftp://ftp.cert.org/pub/tech_tips/packet_filtering"
<p>As I said above, these are only <em>guidelines</em>. You will have
to decide what filter rules you want to use on your firewall
yourself. I cannot accept ANY responsibility if someone breaks into
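Review bot: the `<htmlurl url="ftp://ftp.cert.org/pub/tech_tips/packet_filtering"` element opened on the second added line is not closed within the lines shown here; confirm that the closing `>` (with the `name=` attribute the other `htmlurl` tags in the handbook carry) follows on the next added line, otherwise the SGML will not parse. The sentence should also end with a full stop after the tag, as the surrounding paragraphs do.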