author: Murray Stokely <murray@FreeBSD.org> 2001-09-02 10:37:26 +0000
committer: Murray Stokely <murray@FreeBSD.org> 2001-09-02 10:37:26 +0000
commit: 93216fe45a7409eb98a0518d8b9e5a80b981c58a (patch)
tree: b2c8d7711bbe0e7b5c167ba01a95c3f117ad87b2
parent: 504bff39b88bbeb3019daadcdf9f2b3ff304af25 (diff)
download: doc-93216fe45a7409eb98a0518d8b9e5a80b981c58a.tar.gz, doc-93216fe45a7409eb98a0518d8b9e5a80b981c58a.zip
Whitespace only commit.
Let Emacs rewrap the paragraphs after adding tags in the previous commit.
Notes
Notes: svn path=/head/; revision=10536
-rw-r--r-- en_US.ISO8859-1/articles/dialup-firewall/article.sgml 99
1 files changed, 54 insertions, 45 deletions
diff --git a/en_US.ISO8859-1/articles/dialup-firewall/article.sgml b/en_US.ISO8859-1/articles/dialup-firewall/article.sgml
index d809d58ee8..35346c7870 100644
--- a/en_US.ISO8859-1/articles/dialup-firewall/article.sgml
+++ b/en_US.ISO8859-1/articles/dialup-firewall/article.sgml
@@ -22,7 +22,7 @@
</author>
</authorgroup>
- <pubdate>$FreeBSD: doc/en_US.ISO8859-1/articles/dialup-firewall/article.sgml,v 1.13 2001/08/31 18:06:40 dd Exp $</pubdate>
+ <pubdate>$FreeBSD: doc/en_US.ISO8859-1/articles/dialup-firewall/article.sgml,v 1.14 2001/09/02 10:21:15 murray Exp $</pubdate>
<abstract>
<para>This article documents how to setup a firewall using a PPP
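Review bot: the only non-whitespace change in this hunk is the `$FreeBSD$` keyword inside `<pubdate>` moving from rev 1.13 to 1.14, which is automatic CVS keyword expansion rather than a hand edit, so it is consistent with the "whitespace only" description and needs no action.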
@@ -161,23 +161,26 @@ ppp_profile="<replaceable>profile</replaceable>"</programlisting>
<sect1 id="rules">
<title>The ruleset for the firewall</title>
- <para>We're nearly done now. All that remains now is to define the
- firewall rules and then we can reboot and the firewall should be up and
- running. I realize that everyone will want something slightly different
- when it comes to their rulebase. What I've tried to do is write a
- rulebase that suits most dialup users. You can obviously modify it to
- your needs by using the following rules as the foundation for
- your own rulebase. First, let's start with the basics of closed
- firewalling. What you want to do is deny everything by default and then
- only open up for the things you really need. Rules should be in the
- order of allow first and then deny. The premise is that you add the
- rules for your allows, and then everything else is denied. :)</para>
-
- <para>Now, let's make the dir <filename class="directory">/etc/firewall</filename>. Change into the directory and
- edit the file <filename>fwrules</filename> as we specified in
- <filename>rc.conf</filename>. Please note that you can change this
- filename to anything you wish. This guide just gives an example of a
- filename. </para>
+ <para>We're nearly done now. All that remains now is to define
+ the firewall rules and then we can reboot and the firewall
+ should be up and running. I realize that everyone will want
+ something slightly different when it comes to their rulebase.
+ What I've tried to do is write a rulebase that suits most dialup
+ users. You can obviously modify it to your needs by using the
+ following rules as the foundation for your own rulebase. First,
+ let's start with the basics of closed firewalling. What you
+ want to do is deny everything by default and then only open up
+ for the things you really need. Rules should be in the order of
+ allow first and then deny. The premise is that you add the
+ rules for your allows, and then everything else is
+ denied. :)</para>
+
+ <para>Now, let's make the dir <filename
+ class="directory">/etc/firewall</filename>. Change into the
+ directory and edit the file <filename>fwrules</filename> as we
+ specified in <filename>rc.conf</filename>. Please note that you
+ can change this filename to anything you wish. This guide just
+ gives an example of a filename. </para>
<para>Now, let's look at a sample firewall file, that is commented
nicely.</para>
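Review bot: the trailing space before `</para>` in `gives an example of a filename. </para>` survived the rewrap; since this commit is declared whitespace-only, it is the right place to drop it. Also, the rewrap split the start tag `<filename` from its `class="directory">` attribute across two lines; that is valid SGML but defeats line-oriented searches for the element, so consider keeping `<filename class="directory">/etc/firewall</filename>` on one line even if it runs slightly long.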
@@ -251,13 +254,16 @@ $fwcmd add 65435 deny log ip from any to any</programlisting>
</question>
<answer>
- <para>I'll have to be honest and say there's no definitive reason
- why I use <command>ipfw</command> and <command>natd</command> instead of the built in <command>ppp</command> filters. From
- the discussions I've had with people the consensus seems to be
- that while <command>ipfw</command> is certainly more powerful and more configurable
- than the <command>ppp</command> filters, what it makes up for in functionality it
- loses in being easy to customize. One of the reasons I use it is
- because I prefer firewalling to be done at a kernel level rather
+ <para>I'll have to be honest and say there's no definitive
+ reason why I use <command>ipfw</command> and
+ <command>natd</command> instead of the built in
+ <command>ppp</command> filters. From the discussions I've
+ had with people the consensus seems to be that while
+ <command>ipfw</command> is certainly more powerful and
+ more configurable than the <command>ppp</command> filters,
+ what it makes up for in functionality it loses in being
+ easy to customize. One of the reasons I use it is because
+ I prefer firewalling to be done at a kernel level rather
than by a userland program.</para>
</answer>
</qandaentry>
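Review bot: `instead of the built in <command>ppp</command> filters` should read `built-in`, but that is a wording change and does not belong in a whitespace-only commit; flag it for a separate content commit.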
@@ -288,15 +294,16 @@ $fwcmd add 65435 deny log ip from any to any</programlisting>
</question>
<answer>
- <para>The simple answer is no. The reason for this is that <command>natd</command> is
- doing address translation for <emphasis>anything</emphasis> being
- diverted through the <devicename>tun0</devicename> device. As far as it's concerned
- incoming packets will speak only to the dynamically assigned IP
- address and NOT to the internal network. Note though that you can
- add a rule like <literal>$fwcmd add deny all from
- 192.168.0.4:255.255.0.0 to any via tun0</literal> which would
- limit a host on your internal network from going out via the
- firewall.</para>
+ <para>The simple answer is no. The reason for this is that
+ <command>natd</command> is doing address translation for
+ <emphasis>anything</emphasis> being diverted through the
+ <devicename>tun0</devicename> device. As far as it's
+ concerned incoming packets will speak only to the
+ dynamically assigned IP address and NOT to the internal
+ network. Note though that you can add a rule like
+ <literal>$fwcmd add deny all from 192.168.0.4:255.255.0.0
+ to any via tun0</literal> which would limit a host on your
+ internal network from going out via the firewall.</para>
</answer>
</qandaentry>
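Review bot: the rewrap is fine (the line break inside `<literal>` falls on an existing space, so it renders identically), but the example it carries does not do what the sentence says: `192.168.0.4:255.255.0.0` uses an ipfw address:mask with a 16-bit mask, so it matches the whole 192.168.0.0/16 network rather than "a host on your internal network". Limiting a single host needs a full mask (`192.168.0.4:255.255.255.255`) or just the bare address. Not a change for this commit, but worth a follow-up so readers do not copy a rule that blocks their entire LAN.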
@@ -316,11 +323,12 @@ $fwcmd add 65435 deny log ip from any to any</programlisting>
on.</para>
<para>You should also note that &man.pppd.8; uses the
- <devicename>ppp0</devicename> interface instead, so if you start the
- connection with &man.pppd.8; you must substitute
- <devicename>tun0</devicename> for <devicename>ppp0</devicename>. A
- quick way to edit the firewall rules to reflect this change is shown
- below. The original ruleset is backed up as
+ <devicename>ppp0</devicename> interface instead, so if you
+ start the connection with &man.pppd.8; you must substitute
+ <devicename>tun0</devicename> for
+ <devicename>ppp0</devicename>. A quick way to edit the
+ firewall rules to reflect this change is shown below. The
+ original ruleset is backed up as
<filename>fwrules_tun0</filename>.</para>
<screen> &prompt.user; <userinput>cd /etc/firewall</userinput>
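Review bot: `you must substitute <devicename>tun0</devicename> for <devicename>ppp0</devicename>` reads backwards; the idiom "substitute X for Y" means use X in place of Y, while the surrounding text (pppd uses `ppp0`, and the original ruleset is backed up as `fwrules_tun0`) shows the intent is to replace `tun0` with `ppp0`. Suggest `replace tun0 with ppp0` in a separate content commit, since this one is whitespace-only.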
@@ -331,9 +339,10 @@ $fwcmd add 65435 deny log ip from any to any</programlisting>
</screen>
<para>To know whether you are currently using &man.ppp.8; or
- &man.pppd.8; you can examine the output of &man.ifconfig.8; once the
- connection is up. E.g., for a connection made with &man.pppd.8; you
- would see something like this (showing only the relevant lines):</para>
+ &man.pppd.8; you can examine the output of
+ &man.ifconfig.8; once the connection is up. E.g., for a
+ connection made with &man.pppd.8; you would see something
+ like this (showing only the relevant lines):</para>
<screen> &prompt.user; <userinput>ifconfig</userinput>
<emphasis>(skipped...)</emphasis>
@@ -342,9 +351,9 @@ $fwcmd add 65435 deny log ip from any to any</programlisting>
<emphasis>(skipped...)</emphasis>
</screen>
- <para>On the other hand, for a connection made with &man.ppp.8;
- (<emphasis>user-ppp</emphasis>) you should see something similar to
- this:</para>
+ <para>On the other hand, for a connection made with
+ &man.ppp.8; (<emphasis>user-ppp</emphasis>) you should see
+ something similar to this:</para>
<screen> &prompt.user; <userinput>ifconfig</userinput>
<emphasis>(skipped...)</emphasis>