Diffstat (limited to 'en_US.ISO8859-1/books/handbook/firewalls/chapter.xml')
-rw-r--r-- en_US.ISO8859-1/books/handbook/firewalls/chapter.xml | 280
1 files changed, 116 insertions, 164 deletions
diff --git a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
index 1105738cec..cfae0f3553 100644
--- a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
@@ -4,26 +4,17 @@
$FreeBSD$
-->
-
-<chapter id="firewalls">
- <chapterinfo>
+<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="firewalls">
+ <info><title>Firewalls</title>
<authorgroup>
- <author>
- <firstname>Joseph J.</firstname>
- <surname>Barbish</surname>
- <contrib>Contributed by </contrib>
- </author>
+ <author><personname><firstname>Joseph J.</firstname><surname>Barbish</surname></personname><contrib>Contributed by </contrib></author>
</authorgroup>
<authorgroup>
- <author>
- <firstname>Brad</firstname>
- <surname>Davis</surname>
- <contrib>Converted to SGML and updated by </contrib>
- </author>
+ <author><personname><firstname>Brad</firstname><surname>Davis</surname></personname><contrib>Converted to SGML and updated by </contrib></author>
</authorgroup>
- </chapterinfo>
+ </info>
- <title>Firewalls</title>
+
<indexterm><primary>firewall</primary></indexterm>
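Review bot: the author metadata at `+ <author><personname><firstname>Joseph J.</firstname>...` is collapsed onto a single long line, while the removed lines and the surrounding `<authorgroup>` keep one element per line; the same applies to `+ <info><title>Firewalls</title>`. Reindent these as one element per line so the DocBook 5 block keeps the file's existing layout and stays readable in future diffs.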
@@ -33,7 +24,7 @@
<secondary>firewalls</secondary>
</indexterm>
- <sect1 id="firewalls-intro">
+ <sect1 xml:id="firewalls-intro">
<title>Introduction</title>
<para>Firewalls make it possible to filter the incoming and
@@ -107,7 +98,7 @@
</itemizedlist>
</sect1>
- <sect1 id="firewalls-concepts">
+ <sect1 xml:id="firewalls-concepts">
<title>Firewall Concepts</title>
<indexterm>
@@ -149,7 +140,7 @@
combination of stateful and non-stateful behavior.</para>
</sect1>
- <sect1 id="firewalls-apps">
+ <sect1 xml:id="firewalls-apps">
<title>Firewall Packages</title>
<para>&os; has three firewalls built into the base system:
@@ -175,24 +166,18 @@
<acronym>TCP/IP</acronym> works, what the different values in
the packet control fields are, and how these values are used in
a normal session conversation. For a good introduction, refer
- to <ulink
- url="http://www.ipprimer.com/overview.cfm">Daryl's TCP/IP
- Primer</ulink>.</para>
+ to <link xlink:href="http://www.ipprimer.com/overview.cfm">Daryl's TCP/IP
+ Primer</link>.</para>
</sect1>
- <sect1 id="firewalls-pf">
- <sect1info>
+ <sect1 xml:id="firewalls-pf">
+ <info><title>PF and <acronym>ALTQ</acronym></title>
<authorgroup>
- <author>
- <firstname>John</firstname>
- <surname>Ferrell</surname>
- <contrib>Revised and updated by </contrib>
- <!-- 24 March 2008 -->
- </author>
+ <author><personname><firstname>John</firstname><surname>Ferrell</surname></personname><contrib>Revised and updated by </contrib></author>
</authorgroup>
- </sect1info>
+ </info>
- <title>PF and <acronym>ALTQ</acronym></title>
+
<indexterm>
<primary>firewall</primary>
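Review bot: the `<!-- 24 March 2008 -->` revision-date comment inside the John Ferrell `<author>` block is dropped and nothing in the hunk replaces it. Either keep the comment next to the new `<contrib>Revised and updated by </contrib>` element or say in the commit message that the date is intentionally removed.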
@@ -208,15 +193,13 @@
Quality of Service (<acronym>QoS</acronym>).</para>
<para>Since the OpenBSD Project maintains the definitive
- reference for <acronym>PF</acronym> in the<ulink
- url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>, this
+ reference for <acronym>PF</acronym> in the<link xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>, this
section of the Handbook focuses on <acronym>PF</acronym> as it
pertains to &os;, while providing some general usage
information.</para>
<para>More information about porting <acronym>PF</acronym> to &os;
- can be found at <ulink
- url="http://pf4freebsd.love2party.net/"></ulink>.</para>
+ can be found at <uri xlink:href="http://pf4freebsd.love2party.net/">http://pf4freebsd.love2party.net/</uri>.</para>
<sect2>
<title>Using the PF Loadable Kernel Modules</title>
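Review bot: the missing space in `in the<link xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>` is carried over from `in the<ulink`, so the rendered sentence still reads "in thePF FAQ". Since the line is rewritten anyway, insert the space: `reference for <acronym>PF</acronym> in the <link xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>`.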
@@ -241,8 +224,7 @@
<programlisting>pf_rules="<replaceable>/path/to/pf.conf</replaceable>"</programlisting>
<para>The sample <filename>pf.conf</filename>
- can be found in <filename
- class="directory">/usr/share/examples/pf/</filename>.</para>
+ can be found in <filename>/usr/share/examples/pf/</filename>.</para>
<para>The <acronym>PF</acronym> module can also be loaded
manually from the command line:</para>
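Review bot: `class="directory"` is dropped from `<filename>/usr/share/examples/pf/</filename>`, but `filename` keeps its `class` attribute in DocBook 5, so the directory semantics are lost for no gain. Suggest `<filename class="directory">/usr/share/examples/pf/</filename>`.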
@@ -289,8 +271,7 @@
exposes certain changes to the state table used by
<acronym>PF</acronym>. It can be paired with &man.carp.4; to
create failover firewalls using <acronym>PF</acronym>. More
- information on <acronym>CARP</acronym> can be found in <link
- linkend="carp">of the Handbook</link>.</para>
+ information on <acronym>CARP</acronym> can be found in <link linkend="carp">of the Handbook</link>.</para>
<para>The following <acronym>PF</acronym> kernel options can be
found in <filename>/usr/src/sys/conf/NOTES</filename>:</para>
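Review bot: the link text in `<link linkend="carp">of the Handbook</link>` makes the sentence read "can be found in of the Handbook". The wording predates this change, but the line is rewritten here, so fix it in the same touch: `can be found in <link linkend="carp">the CARP section</link> of the Handbook` or `can be found in <xref linkend="carp"/>`.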
@@ -342,12 +323,11 @@ pflog_flags="" # additional flags for pflogd startup</programli
specified in this file. The &os; installation includes
several sample files located in
<filename>/usr/share/examples/pf/</filename>. Refer to the
- <ulink url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink> for
+ <link xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link> for
complete coverage of <acronym>PF</acronym> rulesets.</para>
<warning>
- <para>When reading the <ulink
- url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>,
+ <para>When reading the <link xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>,
keep in mind that different versions of &os; contain
different versions of PF. Currently,
&os;&nbsp;8.<replaceable>X</replaceable> is using the
@@ -378,33 +358,33 @@ pflog_flags="" # additional flags for pflogd startup</programli
<tbody>
<row>
<entry><command>pfctl
- <option>-e</option></command></entry>
+ -e</command></entry>
<entry>Enable PF.</entry>
</row>
<row>
<entry><command>pfctl
- <option>-d</option></command></entry>
+ -d</command></entry>
<entry>Disable PF.</entry>
</row>
<row>
- <entry><command>pfctl <option>-F</option> all
- <option>-f</option> /etc/pf.conf</command></entry>
+ <entry><command>pfctl -F all
+ -f /etc/pf.conf</command></entry>
<entry>Flush all NAT, filter, state, and table
rules and reload
<filename>/etc/pf.conf</filename>.</entry>
</row>
<row>
- <entry><command>pfctl <option>-s</option> [ rules | nat
+ <entry><command>pfctl -s [ rules | nat
state ]</command></entry>
<entry>Report on the filter rules, NAT rules, or state
table.</entry>
</row>
<row>
- <entry><command>pfctl <option>-vnf</option>
+ <entry><command>pfctl -vnf
/etc/pf.conf</command></entry>
<entry>Check <filename>/etc/pf.conf</filename> for
errors, but do not load ruleset.</entry>
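Review bot: every `<option>` inside `<command>pfctl ...</command>` is replaced by plain text (`-e`, `-d`, `-F all -f`, `-s`, `-vnf`), which throws away the option markup. `option` is still a valid child of `command` in DocBook 5, so keep the original form, e.g. `<command>pfctl <option>-e</option></command>` and `<command>pfctl <option>-vnf</option> /etc/pf.conf</command>`.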
@@ -460,8 +440,7 @@ options ALTQ_NOPCC # Required for SMP build</programlisting>
<para><literal>options ALTQ_HFSC</literal> enables the
<emphasis>Hierarchical Fair Service Curve Packet
Scheduler</emphasis> <acronym>HFSC</acronym>. For more
- information, refer to <ulink
- url="http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html"></ulink>.</para>
+ information, refer to <uri xlink:href="http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html">http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html</uri>.</para>
<para><literal>options ALTQ_PRIQ</literal> enables
<emphasis>Priority Queuing</emphasis>
@@ -474,34 +453,28 @@ options ALTQ_NOPCC # Required for SMP build</programlisting>
systems.</para>
</sect2>
- <sect2 id="pf-tutorial">
- <sect2info>
+ <sect2 xml:id="pf-tutorial">
+ <info><title><acronym>PF</acronym> Rule Sets and Tools</title>
<authorgroup>
- <author>
- <firstname>Peter</firstname>
- <surname>Hansteen</surname>
- <othername>N. M.</othername>
- <contrib>Contributed by </contrib>
- </author>
+ <author><personname><firstname>Peter</firstname><surname>Hansteen</surname><othername>N. M.</othername></personname><contrib>Contributed by </contrib></author>
</authorgroup>
- </sect2info>
+ </info>
- <title><acronym>PF</acronym> Rule Sets and Tools</title>
+
<para>This section demonstrates some useful
<acronym>PF</acronym> features and <acronym>PF</acronym>
related tools in a series of examples. A more thorough
- tutorial is available at <ulink
- url="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</ulink>.</para>
+ tutorial is available at <link xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>.</para>
<tip>
- <para><filename role="package">security/sudo</filename> is
+ <para><package>security/sudo</package> is
useful for running commands like <command>pfctl</command>
that require elevated privileges. It can be installed from
the Ports Collection.</para>
</tip>
- <sect3 id="pftut-simplest">
+ <sect3 xml:id="pftut-simplest">
<title>The Simplest Rule Set Ever</title>
<para>The simplest possible setup is for a single machine
@@ -533,9 +506,8 @@ pass out all keep state</programlisting>
of some thinking. The point of packet filtering is to
take control, not to run catch-up with what the bad guys
do. Marcus Ranum has written a very entertaining and
- informative article about this, <ulink
- url="http://www.ranum.com/security/computer_security/editorials/dumb/index.html">The
- Six Dumbest Ideas in Computer Security</ulink>, and
+ informative article about this, <link xlink:href="http://www.ranum.com/security/computer_security/editorials/dumb/index.html">The
+ Six Dumbest Ideas in Computer Security</link>, and
it is well written too.</para></footnote>. This gives
us the opportunity to introduce two of the features which
make <acronym>PF</acronym> such a wonderful tool:
@@ -609,7 +581,7 @@ pass proto udp to any port $udp_services keep state</programlisting>
</tip>
</sect3>
- <sect3 id="pftut-gateway">
+ <sect3 xml:id="pftut-gateway">
<title>A Simple Gateway with NAT</title>
<para>To most users, a single machine setup will be of limited
@@ -618,7 +590,7 @@ pass proto udp to any port $udp_services keep state</programlisting>
which is running <acronym>PF</acronym> and also acts as a
gateway for at least one other machine.</para>
- <sect4 id="pftut-gwpitfalls">
+ <sect4 xml:id="pftut-gwpitfalls">
<title>Gateways and the Pitfalls of <literal>in</literal>,
<literal>out</literal> and <literal>on</literal></title>
@@ -636,8 +608,8 @@ pass proto udp to any port $udp_services keep state</programlisting>
<para>It is very reasonable to think that for traffic to
pass from the network connected to
- <devicename>xl1</devicename> to hosts on the network
- connected to <devicename>xl0</devicename>, a rule like
+ <filename>xl1</filename> to hosts on the network
+ connected to <filename>xl0</filename>, a rule like
this is needed:</para>
<programlisting>pass in on xl1 from xl1:network to xl0:network port $ports keep state</programlisting>
@@ -680,7 +652,7 @@ pass proto udp to any port $udp_services keep state</programlisting>
for readability.</para>
</sect4>
- <sect4 id="pftut-whatsthelocalnet">
+ <sect4 xml:id="pftut-whatsthelocalnet">
<title>What is the Local Network, Anyway?</title>
<para>Above, we introduced the
@@ -711,7 +683,7 @@ pass proto udp to any port $udp_services keep state</programlisting>
stick to that convention from here on.</para>
</sect4>
- <sect4 id="pftut-gwsimplesetup">
+ <sect4 xml:id="pftut-gwsimplesetup">
<title>Setting Up</title>
<para>We assume that the machine has acquired another
@@ -749,7 +721,7 @@ ipv6_gateway_enable="YES" #for ipv6</programlisting>
<para>Use <command>ifconfig -a</command>, or
<command>ifconfig
- <replaceable>interface_name</replaceable></command> to
+ interface_name</command> to
find out if both of the interfaces to be used are up and
running.</para>
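Review bot: `<replaceable>interface_name</replaceable>` becomes bare `interface_name` inside `<command>ifconfig ...</command>`, so the reader can no longer tell that it is a placeholder rather than a literal argument. `replaceable` exists in DocBook 5; restore `<command>ifconfig <replaceable>interface_name</replaceable></command>`.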
@@ -862,7 +834,7 @@ pass from { lo0, $localnet } to any keep state</programlisting>
</sect4>
</sect3>
- <sect3 id="pftut-ftp">
+ <sect3 xml:id="pftut-ftp">
<title>That Sad Old <acronym>FTP</acronym> Thing</title>
<para>The short list of real life <acronym>TCP</acronym> ports
@@ -912,7 +884,7 @@ pass from { lo0, $localnet } to any keep state</programlisting>
program which is written specifically for this
purpose.</para>
- <sect4 id="pftut-ftp-proxy">
+ <sect4 xml:id="pftut-ftp-proxy">
<title><acronym>FTP</acronym> Via Redirect:
<application>ftp-proxy</application></title>
@@ -963,7 +935,7 @@ rdr-anchor "ftp-proxy/*"</programlisting>
after the <literal>nat</literal> rule in
<filename>/etc/pf.conf</filename></para>
- <programlisting>rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021</programlisting>
+ <programlisting>rdr pass on $int_if proto tcp from any to any port ftp -&gt; 127.0.0.1 port 8021</programlisting>
<para>In addition, the redirected traffic must be allowed to
pass. We achieve this with</para>
@@ -1005,7 +977,7 @@ rdr-anchor "ftp-proxy/*"</programlisting>
</sect4>
</sect3>
- <sect3 id="pftut-icmp">
+ <sect3 xml:id="pftut-icmp">
<title>Easing Troubleshooting</title>
<para>Making network troubleshooting friendly is a potentially
@@ -1056,7 +1028,7 @@ rdr-anchor "ftp-proxy/*"</programlisting>
these rule sets have been around for roughly fifteen years,
and the people who put them there are still scared.</para>
- <sect4 id="pftut-dowepass">
+ <sect4 xml:id="pftut-dowepass">
<title>Then, Do We Let it All Through?</title>
<para>The obvious question then becomes, if
@@ -1079,7 +1051,7 @@ rdr-anchor "ftp-proxy/*"</programlisting>
<literal>keep state</literal> rules.</para>
</sect4>
- <sect4 id="pftut-icmpstopatgw">
+ <sect4 xml:id="pftut-icmpstopatgw">
<title>The Easy Way Out: the Buck Stops Here</title>
<para>The easiest solution could very well be to let all
@@ -1095,7 +1067,7 @@ pass inet proto icmp from any to $ext_if keep state</programlisting>
flexibility.</para>
</sect4>
- <sect4 id="pftut-letpingthru">
+ <sect4 xml:id="pftut-letpingthru">
<title>Letting <command>ping</command> Through</title>
<para>The rule set we have developed so far has one clear
@@ -1124,7 +1096,7 @@ pass inet proto icmp from any to $ext_if keep state</programlisting>
allowed.</para>
</sect4>
- <sect4 id="pftut-helptraceroute">
+ <sect4 xml:id="pftut-helptraceroute">
<title>Helping &man.traceroute.8;</title>
<para>&man.traceroute.8; is another command which is quite
@@ -1155,13 +1127,12 @@ pass out on $ext_if inet proto udp from any to any port 33433 &gt;&lt; 33626 kee
<para>Under any circumstances, this solution was lifted
from an openbsd-misc post. I've found that list, and
the searchable list archives (accessible among other
- places from <ulink
- url="http://marc.theaimsgroup.com/">http://marc.theaimsgroup.com/</ulink>),
+ places from <link xlink:href="http://marc.theaimsgroup.com/">http://marc.theaimsgroup.com/</link>),
to be a very valuable resource whenever you need OpenBSD
or <acronym>PF</acronym> related information.</para>
</sect4>
- <sect4 id="pftut-pathmtudisc">
+ <sect4 xml:id="pftut-pathmtudisc">
<title>Path <acronym>MTU</acronym> Discovery</title>
<para>Internet protocols are designed to be device
@@ -1213,14 +1184,14 @@ pass out on $ext_if inet proto udp from any to any port 33433 &gt;&lt; 33626 kee
ICMP for IPv6 are found in RFC1885, RFC2463, RFC2466.
These documents are available in a number of places on
the net, such as the
- <ulink url="http://www.ietf.org">ietf.org</ulink>
+ <link xlink:href="http://www.ietf.org">ietf.org</link>
and
- <ulink url="http://www.faqs.org">faqs.org</ulink>
+ <link xlink:href="http://www.faqs.org">faqs.org</link>
web sites.</para></footnote>.</para>
</sect4>
</sect3>
- <sect3 id="pftut-tables">
+ <sect3 xml:id="pftut-tables">
<title>Tables Make Life Easier</title>
<para>By this time it may appear that this gets awfully static
@@ -1285,7 +1256,7 @@ pass out on $ext_if inet proto udp from any to any port 33433 &gt;&lt; 33626 kee
and creativity.</para>
</sect3>
- <sect3 id="pftut-overload">
+ <sect3 xml:id="pftut-overload">
<title>Overload Tables</title>
<para>Those who run a Secure Shell login service which is
@@ -1374,9 +1345,8 @@ Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from
<note>
<para>These rules will <emphasis>not</emphasis> block slow
- bruteforcers, sometimes referred to as <ulink
- url="http://home.nuug.no/~peter/hailmary2013/">the Hail
- Mary Cloud</ulink>.</para>
+ bruteforcers, sometimes referred to as <link xlink:href="http://home.nuug.no/~peter/hailmary2013/">the Hail
+ Mary Cloud</link>.</para>
</note>
<para>Once again, please keep in mind that this example rule
@@ -1399,8 +1369,8 @@ Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from
<para>It should be possible to find the set of parameters
which is just right for individual situations by reading the
relevant man pages and the
- <ulink url="http://www.openbsd.org/faq/pf/">PF User
- Guide</ulink>, and perhaps a bit of
+ <link xlink:href="http://www.openbsd.org/faq/pf/">PF User
+ Guide</link>, and perhaps a bit of
experimentation.</para>
<note>
@@ -1421,7 +1391,7 @@ Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from
case, to redirect to a specific web page.</para>
</note>
- <sect4 id="pftut-expire">
+ <sect4 xml:id="pftut-expire">
<title>Expiring Table Entries with
<application>pfctl</application></title>
@@ -1450,7 +1420,7 @@ Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from
seconds.</para>
</sect4>
- <sect4 id="pftut-expiretable">
+ <sect4 xml:id="pftut-expiretable">
<title>The <application>expiretable</application>
Tool</title>
@@ -1474,18 +1444,17 @@ Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from
<programlisting>/usr/local/sbin/expiretable -v -d -t 24h bruteforce</programlisting>
<para><application>expiretable</application> is in the
- Ports&nbsp;Collection on &os; as <filename
- role="package">security/expiretable</filename>.</para>
+ Ports&nbsp;Collection on &os; as <package>security/expiretable</package>.</para>
</sect4>
</sect3>
- <sect3 id="pftut-tools">
+ <sect3 xml:id="pftut-tools">
<title>Other <acronym>PF</acronym> Tools</title>
<para>Over time, a number of tools have been developed which
interact with <acronym>PF</acronym> in various ways.</para>
- <sect4 id="pftut-pftop">
+ <sect4 xml:id="pftut-pftop">
<title>The <application>pftop</application> Traffic
Viewer</title>
@@ -1493,14 +1462,14 @@ Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from
makes it possible to keep an eye on what passes into and
out of the network. <application>pftop</application> is
available through the ports system as
- <filename role="package">sysutils/pftop</filename>. The
+ <package>sysutils/pftop</package>. The
name is a strong hint at what it does -
<application>pftop</application> shows a running snapshot
of traffic in a format which is strongly inspired by
&man.top.1;.</para>
</sect4>
- <sect4 id="pftut-spamd">
+ <sect4 xml:id="pftut-spamd">
<title>The <application>spamd</application> Spam Deferral
Daemon</title>
@@ -1537,7 +1506,7 @@ Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from
implementation with one byte SMTP replies is often
referred to as <firstterm>stuttering</firstterm>.</para>
- <sect5 id="pftut-spamd-allblack">
+ <sect5 xml:id="pftut-spamd-allblack">
<title>A Basic Blacklisting
<application>spamd</application></title>
@@ -1547,13 +1516,11 @@ Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from
<procedure>
<step>
- <para>Install the <filename
- role="package">mail/spamd/</filename> port. In
+ <para>Install the <package>mail/spamd/</package> port. In
particular, be sure to read the package message and
act upon what it says. Specifically, to use
<application>spamd</application>'s greylisting
- features, a file descriptor file system (see <ulink
- url="http://www.freebsd.org/cgi/man.cgi?query=fdescfs&amp;sektion=5">fdescfs(5)</ulink>)
+ features, a file descriptor file system (see <link xlink:href="http://www.freebsd.org/cgi/man.cgi?query=fdescfs&amp;sektion=5">fdescfs(5)</link>)
must be mounted at <filename>/dev/fd/</filename>.
Do this by adding the following line to
<filename>/etc/fstab</filename>:</para>
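Review bot: `<package>mail/spamd/</package>` keeps a trailing slash that the other package origins converted in this diff (`security/sudo`, `sysutils/pftop`, `security/expiretable`) do not have; drop it. The fdescfs(5) reference could also use a man-page entity, as `&man.carp.4;` and `&man.traceroute.8;` are used elsewhere in this file, instead of hard-coding the `man.cgi` URL, if a `&man.fdescfs.5;` entity is defined.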
@@ -1683,7 +1650,7 @@ rdr pass on $ext_if inet proto tcp from !&lt;spamd-white&gt; to \
several minutes.</para>
</sect5>
- <sect5 id="pftut-spamd-greylist">
+ <sect5 xml:id="pftut-spamd-greylist">
<title>Adding Greylisting to the
<application>spamd</application> Setup</title>
@@ -1703,8 +1670,7 @@ rdr pass on $ext_if inet proto tcp from !&lt;spamd-white&gt; to \
paper by Evan Harris
<footnote><para>The original
Harris paper and a number of other useful articles
- and resources can be found at the <ulink
- url="http://www.greylisting.org/">greylisting.org</ulink>
+ and resources can be found at the <link xlink:href="http://www.greylisting.org/">greylisting.org</link>
web site.</para></footnote>, and a number of
implementations followed over the next few months.
OpenBSD's <application>spamd</application> acquired its
@@ -1797,7 +1763,7 @@ rdr pass on $ext_if inet proto tcp from !&lt;spamd-white&gt; to \
</sect5>
</sect4>
- <sect4 id="pftut-hygiene">
+ <sect4 xml:id="pftut-hygiene">
<title>Network Hygiene: Blocking, Scrubbing and so
On</title>
@@ -1806,7 +1772,7 @@ rdr pass on $ext_if inet proto tcp from !&lt;spamd-white&gt; to \
a bit more sanely towards hosts on the wide net and our
local network.</para>
- <sect5 id="pftut-blockpolicy">
+ <sect5 xml:id="pftut-blockpolicy">
<title><literal>block-policy</literal></title>
<para><literal>block-policy</literal> is an option which
@@ -1829,7 +1795,7 @@ rdr pass on $ext_if inet proto tcp from !&lt;spamd-white&gt; to \
<programlisting>set block-policy return</programlisting>
</sect5>
- <sect5 id="pftut-scrub">
+ <sect5 xml:id="pftut-scrub">
<title><literal>scrub</literal></title>
<para>In <acronym>PF</acronym> versions up to OpenBSD 4.5
@@ -1863,7 +1829,7 @@ rdr pass on $ext_if inet proto tcp from !&lt;spamd-white&gt; to \
experimentation.</para>
</sect5>
- <sect5 id="pftut-antispoof">
+ <sect5 xml:id="pftut-antispoof">
<title><literal>antispoof</literal></title>
<para><literal>antispoof</literal> is a common special
@@ -1881,7 +1847,7 @@ rdr pass on $ext_if inet proto tcp from !&lt;spamd-white&gt; to \
antispoof for $int_if</programlisting>
</sect5>
- <sect5 id="pftut-unrouteables">
+ <sect5 xml:id="pftut-unrouteables">
<title>Handling Non-Routable Addresses from
Elsewhere</title>
@@ -1927,8 +1893,7 @@ block drop out quick on $ext_if from any to $martians</programlisting>
<para>This completes our simple NATing firewall for a
small local network. A more thorough tutorial is
- available at <ulink
- url="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</ulink>,
+ available at <link xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>,
where you will also find slides from related
presentations.</para>
</sect5>
@@ -1937,7 +1902,7 @@ block drop out quick on $ext_if from any to $martians</programlisting>
</sect2>
</sect1>
- <sect1 id="firewalls-ipf">
+ <sect1 xml:id="firewalls-ipf">
<title>The IPFILTER (IPF) Firewall</title>
<indexterm>
@@ -1975,17 +1940,13 @@ block drop out quick on $ext_if from any to $martians</programlisting>
for configuring an inclusive firewall ruleset.</para>
<para>For a detailed explanation of the legacy rules processing
- method, refer to <ulink
- url="http://www.munk.me.uk/ipf/ipf-howto.html"></ulink>
- and <ulink
- url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>.</para>
+ method, refer to <uri xlink:href="http://www.munk.me.uk/ipf/ipf-howto.html">http://www.munk.me.uk/ipf/ipf-howto.html</uri>
+ and <uri xlink:href="http://coombs.anu.edu.au/~avalon/ip-filter.html">http://coombs.anu.edu.au/~avalon/ip-filter.html</uri>.</para>
- <para>The IPF FAQ is at <ulink
- url="http://www.phildev.net/ipf/index.html"></ulink>.</para>
+ <para>The IPF FAQ is at <uri xlink:href="http://www.phildev.net/ipf/index.html">http://www.phildev.net/ipf/index.html</uri>.</para>
<para>A searchable archive of the IPFilter mailing list is
- available at <ulink
- url="http://marc.theaimsgroup.com/?l=ipfilter"></ulink>.</para>
+ available at <uri xlink:href="http://marc.theaimsgroup.com/?l=ipfilter">http://marc.theaimsgroup.com/?l=ipfilter</uri>.</para>
<sect2>
<title>Enabling IPF</title>
@@ -2047,7 +2008,7 @@ options IPFILTER_DEFAULT_BLOCK</programlisting>
the <quote>IPFILTER</quote> firewall.</para>
<para><literal>options IPFILTER_LOG</literal> enables IPF
- logging using the <devicename>ipl</devicename> packet logging
+ logging using the <filename>ipl</filename> packet logging
pseudo&mdash;device for every rule that has the
<literal>log</literal> keyword.</para>
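Review bot: `<devicename>ipl</devicename>` becomes a bare `<filename>ipl</filename>`; since `ipl` is described as a packet-logging pseudo-device, `<filename class="devicefile">ipl</filename>` would preserve that meaning. The context line's `pseudo&mdash;device` renders an em dash where a hyphen is intended (`pseudo-device`) and is worth fixing in the same touch.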
@@ -2374,7 +2335,7 @@ LOG_ERR - packets which have been logged and which can be considered short</scre
unreachable message.</para>
</sect2>
- <sect2 id="firewalls-ipf-rules-script">
+ <sect2 xml:id="firewalls-ipf-rules-script">
<title>Building the Rule Script with Symbolic
Substitution</title>
@@ -2463,8 +2424,7 @@ EOF
adding <literal>ipfilter_enable="NO"</literal>to
<filename>/etc/rc.conf</filename>.</para>
- <para>Then, add a script like the following to <filename
- class="directory">/usr/local/etc/rc.d/</filename>.
+ <para>Then, add a script like the following to <filename>/usr/local/etc/rc.d/</filename>.
The script should have an obvious name like
<filename>ipf.loadrules.sh</filename>, where the
<filename>.sh</filename> extension is mandatory.</para>
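Review bot: `class="directory"` is dropped from `<filename>/usr/local/etc/rc.d/</filename>` although the attribute remains valid on `filename` in DocBook 5; keep `<filename class="directory">/usr/local/etc/rc.d/</filename>` so the directory is still distinguished from the script file names that follow.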
@@ -2473,7 +2433,7 @@ EOF
sh /etc/ipf.rules.script</programlisting>
<para>The permissions on this script file must be read,
- write, execute for owner <username>root</username>:</para>
+ write, execute for owner <systemitem class="username">root</systemitem>:</para>
<screen>&prompt.root; <userinput>chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh</userinput></screen>
</listitem>
@@ -2698,11 +2658,9 @@ sh /etc/ipf.rules.script</programlisting>
<para>There is no way to match ranges of IP addresses which
do not express themselves easily using the dotted numeric
- form / mask-length notation. The <filename
- role="package">net-mgmt/ipcalc</filename> port may be
+ form / mask-length notation. The <package>net-mgmt/ipcalc</package> port may be
used to ease the calculation. Additional information
- is available at the utility's web page: <ulink
- url="http://jodies.de/ipcalc"></ulink>.</para>
+ is available at the utility's web page: <uri xlink:href="http://jodies.de/ipcalc">http://jodies.de/ipcalc</uri>.</para>
</sect3>
<sect3>
@@ -2834,8 +2792,8 @@ sh /etc/ipf.rules.script</programlisting>
network or a desktop system not protected by firewall on the
network.</para>
- <para>&os; uses interface <devicename>lo0</devicename> and IP
- address <hostid role="ipaddr">127.0.0.1</hostid> for internal
+ <para>&os; uses interface <filename>lo0</filename> and IP
+ address <systemitem class="ipaddress">127.0.0.1</systemitem> for internal
communication within the operating system. The firewall rules
must contain rules to allow free movement of these internally
used packets.</para>
@@ -2887,7 +2845,7 @@ sh /etc/ipf.rules.script</programlisting>
<literal>log first</literal> option, will only log the event
the first time they are triggered. This option is included in
the sample <literal>nmap OS fingerprint</literal> rule. The
- <filename role="package">security/nmap</filename> utility is
+ <package>security/nmap</package> utility is
commonly used by attackers who attempt to identify the
operating system of the server.</para>
@@ -2900,14 +2858,12 @@ sh /etc/ipf.rules.script</programlisting>
<para>To lookup unknown port numbers, refer to
<filename>/etc/services</filename>. Alternatively, visit
- <ulink
- url="http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers"></ulink>
+ <uri xlink:href="http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers">http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers</uri>
and do a port number lookup to find the purpose of a
particular port number.</para>
<para>Check out this link for port numbers used by Trojans
- <ulink
- url="http://www.sans.org/security-resources/idfaq/oddports.php"></ulink>.</para>
+ <uri xlink:href="http://www.sans.org/security-resources/idfaq/oddports.php">http://www.sans.org/security-resources/idfaq/oddports.php</uri>.</para>
<para>The following ruleset creates an
<literal>inclusive</literal> firewall ruleset which can be
@@ -2918,7 +2874,7 @@ sh /etc/ipf.rules.script</programlisting>
<para>To avoid logging unwanted messages, add a
<literal>block</literal> rule in the inbound section.</para>
- <para>Change the <devicename>dc0</devicename> interface name in
+ <para>Change the <filename>dc0</filename> interface name in
every rule to the interface name that connects the system to
the public Internet.</para>
@@ -3210,8 +3166,7 @@ block in log first quick on dc0 all
<para>The <replaceable>LAN_IP_RANGE</replaceable> is used by the
internal clients use for IP Addressing. Usually, this is
- something like <hostid
- role="ipaddr">192.168.1.0/24</hostid>.</para>
+ something like <systemitem class="ipaddress">192.168.1.0/24</systemitem>.</para>
<para>The <replaceable>PUBLIC_ADDRESS</replaceable> can either
be the static external IP address or the special keyword
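Review bot: the context sentence "is used by the internal clients use for IP Addressing" has a duplicated verb; since this paragraph is being rewritten, change it to "is used by the internal clients for IP addressing".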
@@ -3335,9 +3290,8 @@ block in log first quick on dc0 all
servers still has to undergo <acronym>NAT</acronym>, but there
has to be some way to direct the inbound traffic to the
correct server. For example, a web server operating on LAN
- address <hostid
- role="ipaddr">10.0.10.25</hostid> and using a single public
- IP address of <hostid role="ipaddr">20.20.20.5</hostid>, would
+ address <systemitem class="ipaddress">10.0.10.25</systemitem> and using a single public
+ IP address of <systemitem class="ipaddress">20.20.20.5</systemitem>, would
use this rule:</para>
<programlisting>rdr dc0 20.20.20.5/32 port 80 -&gt; 10.0.10.25 port 80</programlisting>
@@ -3346,8 +3300,7 @@ block in log first quick on dc0 all
<programlisting>rdr dc0 0.0.0.0/0 port 80 -&gt; 10.0.10.25 port 80</programlisting>
- <para>For a LAN DNS server on a private address of <hostid
- role="ipaddr">10.0.10.33</hostid> that needs to receive
+ <para>For a LAN DNS server on a private address of <systemitem class="ipaddress">10.0.10.33</systemitem> that needs to receive
public DNS requests:</para>
<programlisting>rdr dc0 20.20.20.5/32 port 53 -&gt; 10.0.10.33 port 53 udp</programlisting>
@@ -3360,8 +3313,7 @@ block in log first quick on dc0 all
difference is in how the data channel is acquired. Passive
mode is more secure as the data channel is acquired by the
ordinal ftp session requester. For a good explanation of FTP
- and the different modes, see <ulink
- url="http://www.slacksite.com/other/ftp.html"></ulink>.</para>
+ and the different modes, see <uri xlink:href="http://www.slacksite.com/other/ftp.html">http://www.slacksite.com/other/ftp.html</uri>.</para>
<sect3>
<title>IP<acronym>NAT</acronym> Rules</title>
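Review bot: "the ordinal ftp session requester" in the context line reads like a typo for "original" (the data channel in passive mode is opened by the client that started the session); worth correcting while this paragraph is touched.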
@@ -3422,7 +3374,7 @@ pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state</pro
</sect2>
</sect1>
- <sect1 id="firewalls-ipfw">
+ <sect1 xml:id="firewalls-ipfw">
<title>IPFW</title>
<indexterm>
@@ -3452,7 +3404,7 @@ pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state</pro
facility, and the ipstealth facility. IPFW supports both IPv4
and IPv6.</para>
- <sect2 id="firewalls-ipfw-enable">
+ <sect2 xml:id="firewalls-ipfw-enable">
<title>Enabling IPFW</title>
<indexterm>
@@ -3479,7 +3431,7 @@ pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state</pro
net.inet.ip.fw.verbose_limit=5</programlisting>
</sect2>
- <sect2 id="firewalls-ipfw-kernel">
+ <sect2 xml:id="firewalls-ipfw-kernel">
<title>Kernel Options</title>
<indexterm>
@@ -3560,7 +3512,7 @@ net.inet.ip.fw.verbose_limit=5</programlisting>
</note>
</sect2>
- <sect2 id="firewalls-ipfw-rc">
+ <sect2 xml:id="firewalls-ipfw-rc">
<title><filename>/etc/rc.conf</filename> Options</title>
<para>Enables the firewall:</para>
@@ -3597,7 +3549,7 @@ net.inet.ip.fw.verbose_limit=5</programlisting>
firewall rules.</para>
</listitem>
<listitem>
- <para><filename><replaceable>filename</replaceable></filename>:
+ <para><filename>filename</filename>:
absolute path of the file containing the firewall
rules.</para>
</listitem>
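Review bot: `<filename><replaceable>filename</replaceable></filename>` loses its `replaceable`, so the list item now appears to describe a literal file named `filename` even though the following text, "absolute path of the file containing the firewall rules", shows it is a user-supplied value. Keep `<filename><replaceable>filename</replaceable></filename>`.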
@@ -3656,7 +3608,7 @@ ipfw add deny out</programlisting>
options.</para>
</sect2>
- <sect2 id="firewalls-ipfw-cmd">
+ <sect2 xml:id="firewalls-ipfw-cmd">
<title>The IPFW Command</title>
<indexterm><primary><command>ipfw</command></primary></indexterm>
@@ -3710,10 +3662,10 @@ ipfw add deny out</programlisting>
<para>To zero the counters for just the rule with number
<replaceable>NUM</replaceable>:</para>
- <screen>&prompt.root; <userinput>ipfw zero <replaceable>NUM</replaceable></userinput></screen>
+ <screen>&prompt.root; <userinput>ipfw zero NUM</userinput></screen>
</sect2>
- <sect2 id="firewalls-ipfw-rules">
+ <sect2 xml:id="firewalls-ipfw-rules">
<title>IPFW Rulesets</title>
<indexterm>
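Review bot: `<userinput>ipfw zero NUM</userinput>` drops the `<replaceable>` around `NUM`, yet the preceding paragraph still uses `<replaceable>NUM</replaceable>`, so prose and screen are now inconsistent. Keep `<userinput>ipfw zero <replaceable>NUM</replaceable></userinput>`.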
@@ -3750,7 +3702,7 @@ ipfw add deny out</programlisting>
easy to lock out even the administrator.</para>
</warning>
- <sect3 id="firewalls-ipfw-rules-syntax">
+ <sect3 xml:id="firewalls-ipfw-rules-syntax">
<title>Rule Syntax</title>
<indexterm>
@@ -3877,7 +3829,7 @@ ipfw add deny out</programlisting>
are specified in dotted IP address format followed by the
mask in CIDR notation, or as a single host in dotted IP
address format. This keyword is a mandatory requirement.
- The <filename role="package">net-mgmt/ipcalc</filename>
+ The <package>net-mgmt/ipcalc</package>
port may be used to assist the mask calculation.</para>
<para><parameter>port number</parameter></para>
@@ -4005,7 +3957,7 @@ ipfw add deny out</programlisting>
defined in <filename>/etc/syslog.conf</filename>.</para>
</sect3>
- <sect3 id="firewalls-ipfw-rules-script">
+ <sect3 xml:id="firewalls-ipfw-rules-script">
<title>Building a Rule Script</title>
<para>Most experienced IPFW users create a file containing
@@ -4076,7 +4028,7 @@ ks="keep-state" # just too lazy to key this each time
<literal>pass</literal> rules for services that are not
required. To avoid logging undesired messages, add a
<literal>deny</literal> rule in the inbound section.
- Change the <devicename>dc0</devicename> in every rule to the
+ Change the <filename>dc0</filename> in every rule to the
device name of the interface that connects the system to the
Internet.</para>