Diffstat (limited to 'pl_PL.ISO8859-2/books/handbook/firewalls/chapter.xml')
-rw-r--r--  pl_PL.ISO8859-2/books/handbook/firewalls/chapter.xml  145
1 files changed, 59 insertions, 86 deletions
diff --git a/pl_PL.ISO8859-2/books/handbook/firewalls/chapter.xml b/pl_PL.ISO8859-2/books/handbook/firewalls/chapter.xml
index 09f6ecf083..c204509750 100644
--- a/pl_PL.ISO8859-2/books/handbook/firewalls/chapter.xml
+++ b/pl_PL.ISO8859-2/books/handbook/firewalls/chapter.xml
@@ -4,26 +4,17 @@
$FreeBSD$
-->
-
-<chapter id="firewalls">
- <chapterinfo>
+<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="firewalls">
+ <info><title>Firewalls</title>
<authorgroup>
- <author>
- <firstname>Joseph J.</firstname>
- <surname>Barbish</surname>
- <contrib>Contributed by </contrib>
- </author>
+ <author><personname><firstname>Joseph J.</firstname><surname>Barbish</surname></personname><contrib>Contributed by </contrib></author>
</authorgroup>
<authorgroup>
- <author>
- <firstname>Brad</firstname>
- <surname>Davis</surname>
- <contrib>Converted to SGML and updated by </contrib>
- </author>
+ <author><personname><firstname>Brad</firstname><surname>Davis</surname></personname><contrib>Converted to SGML and updated by </contrib></author>
</authorgroup>
- </chapterinfo>
+ </info>
- <title>Firewalls</title>
+
<indexterm><primary>firewall</primary></indexterm>
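Review bot: the new `<info><title>Firewalls</title>` line and the `+` blank line left where the old `<title>` stood break the one-element-per-line indentation the rest of this hunk keeps (`<authorgroup>`, `<author>`). Put `<title>` on its own indented line inside `<info>` and drop the stray blank line so the chapter header matches the surrounding markup.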
@@ -33,7 +24,7 @@
<secondary>firewalls</secondary>
</indexterm>
- <sect1 id="firewalls-intro">
+ <sect1 xml:id="firewalls-intro">
<title>Introduction</title>
<para>Firewalls make it possible to filter
@@ -109,7 +100,7 @@
</itemizedlist>
</sect1>
- <sect1 id="firewalls-concepts">
+ <sect1 xml:id="firewalls-concepts">
<title>Firewall Concepts</title>
<indexterm>
@@ -141,7 +132,7 @@
optimal firewall for the site.</para>
</sect1>
- <sect1 id="firewalls-apps">
+ <sect1 xml:id="firewalls-apps">
<title>Firewall Packages</title>
<para>&os; has three different firewall packages built
@@ -174,11 +165,10 @@
<acronym>TCP</acronym>/IP works, what the different values in
the packet control fields are and how these values are used in a
normal session conversation. For a good explanation go to:
- <ulink
- url="http://www.ipprimer.com/overview.cfm"></ulink>.</para>
+ <uri xlink:href="http://www.ipprimer.com/overview.cfm">http://www.ipprimer.com/overview.cfm</uri>.</para>
</sect1>
- <sect1 id="firewalls-pf">
+ <sect1 xml:id="firewalls-pf">
<title>The OpenBSD Packet Filter (PF) and
<acronym>ALTQ</acronym></title>
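Review bot: the converted `<uri xlink:href="...">...</uri>` line at the start of this hunk runs far past the wrap width the surrounding paragraph keeps to, and the same holds for every `<ulink>` to `<uri>` conversion further down in this patch. Keep the prose wrapped and put the `<uri>` element on its own line so later diffs of these paragraphs stay readable.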
@@ -203,8 +193,7 @@
this handbook firewall section as that would just be duplicated
effort.</para>
- <para>More info can be found at the PF for &os; web site: <ulink
- url="http://pf4freebsd.love2party.net/"></ulink>.</para>
+ <para>More info can be found at the PF for &os; web site: <uri xlink:href="http://pf4freebsd.love2party.net/">http://pf4freebsd.love2party.net/</uri>.</para>
<sect2>
<title>Enabling PF</title>
@@ -357,8 +346,7 @@ options ALTQ_NOPCC # Required for SMP build</programlisting>
<para><literal>options ALTQ_HFSC</literal> enables the
Hierarchical Fair Service Curve Packet Scheduler. For more
- information about <acronym>HFSC</acronym> see: <ulink
- url="http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html"></ulink>.</para>
+ information about <acronym>HFSC</acronym> see: <uri xlink:href="http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html">http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html</uri>.</para>
<para><literal>options ALTQ_PRIQ</literal> enables Priority
Queuing (<acronym>PRIQ</acronym>). <acronym>PRIQ</acronym>
@@ -385,7 +373,7 @@ options ALTQ_NOPCC # Required for SMP build</programlisting>
the syntax is the same as one used in OpenBSD. A great
resource for configuring the <application>pf</application>
firewall has been written by OpenBSD team and is available at
- <ulink url="http://www.openbsd.org/faq/pf/"></ulink>.</para>
+ <uri xlink:href="http://www.openbsd.org/faq/pf/">http://www.openbsd.org/faq/pf/</uri>.</para>
<warning>
<para>When browsing the pf user's guide, please keep in mind that
@@ -402,7 +390,7 @@ options ALTQ_NOPCC # Required for SMP build</programlisting>
</sect2>
</sect1>
- <sect1 id="firewalls-ipf">
+ <sect1 xml:id="firewalls-ipf">
<title>The IPFILTER (IPF) Firewall</title>
<indexterm>
@@ -463,17 +451,13 @@ options ALTQ_NOPCC # Required for SMP build</programlisting>
the only rule set type covered herein.</para>
<para>For detailed explanation of the legacy rules processing
- method see: <ulink
- url="http://www.obfuscation.org/ipf/ipf-howto.html#TOC_1"></ulink>
- and <ulink
- url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>.</para>
+ method see: <uri xlink:href="http://www.obfuscation.org/ipf/ipf-howto.html#TOC_1">http://www.obfuscation.org/ipf/ipf-howto.html#TOC_1</uri>
+ and <uri xlink:href="http://coombs.anu.edu.au/~avalon/ip-filter.html">http://coombs.anu.edu.au/~avalon/ip-filter.html</uri>.</para>
- <para>The IPF FAQ is at <ulink
- url="http://www.phildev.net/ipf/index.html"></ulink>.</para>
+ <para>The IPF FAQ is at <uri xlink:href="http://www.phildev.net/ipf/index.html">http://www.phildev.net/ipf/index.html</uri>.</para>
<para>A searchable archive of the open-source IPFilter mailing list is
- available at <ulink
- url="http://marc.theaimsgroup.com/?l=ipfilter"></ulink>.</para>
+ available at <uri xlink:href="http://marc.theaimsgroup.com/?l=ipfilter">http://marc.theaimsgroup.com/?l=ipfilter</uri>.</para>
<sect2>
<title>Enabling IPF</title>
@@ -541,7 +525,7 @@ options IPFILTER_DEFAULT_BLOCK</programlisting>
<para><literal>options IPFILTER_LOG</literal> enables the option
to have IPF log traffic by writing to the
- <devicename>ipl</devicename> packet logging pseudo&mdash;device
+ <filename>ipl</filename> packet logging pseudo&mdash;device
for every rule that has the <literal>log</literal>
keyword.</para>
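Review bot: `pseudo&mdash;device` in the unchanged context line is an em-dash entity where a plain hyphen is meant (`pseudo-device`); since the `<filename>ipl</filename>` change already touches this line, fix the entity in the same line.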
@@ -822,7 +806,7 @@ LOG_ERR - packets which have been logged and which can be considered short</scre
<listitem>
<para>The name of the interface the packet was processed on,
- e.g. <devicename>dc0</devicename>.</para>
+ e.g. <filename>dc0</filename>.</para>
</listitem>
<listitem>
@@ -873,7 +857,7 @@ LOG_ERR - packets which have been logged and which can be considered short</scre
a slash, e.g. ICMP 3/3 for a port unreachable message.</para>
</sect2>
- <sect2 id="firewalls-ipf-rules-script">
+ <sect2 xml:id="firewalls-ipf-rules-script">
<title>Building the Rule Script with Symbolic
Substitution</title>
@@ -971,7 +955,7 @@ EOF
sh /etc/ipf.rules.script</programlisting>
<para>The permissions on this script file must be read,
- write, execute for owner <username>root</username>.</para>
+ write, execute for owner <systemitem class="username">root</systemitem>.</para>
<screen>&prompt.root; <userinput>chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh</userinput></screen>
</listitem>
@@ -1152,7 +1136,7 @@ sh /etc/ipf.rules.script</programlisting>
<!-- XXX - xref here -->
- the <devicename>ipl</devicename> log (as described in the
+ the <filename>ipl</filename> log (as described in the
LOGGING section below) if the selection parameters match the
packet.</para>
@@ -1242,8 +1226,7 @@ sh /etc/ipf.rules.script</programlisting>
<para>There is no way to match ranges of IP addresses which
do not express themselves easily as mask-length. See this
- web page for help on writing mask-length: <ulink
- url="http://jodies.de/ipcalc"></ulink>.</para>
+ web page for help on writing mask-length: <uri xlink:href="http://jodies.de/ipcalc">http://jodies.de/ipcalc</uri>.</para>
</sect3>
<sect3>
@@ -1383,8 +1366,8 @@ sh /etc/ipf.rules.script</programlisting>
function.</para>
<para>All &unix; flavored systems including &os; are designed to
- use interface <devicename>lo0</devicename> and IP address
- <hostid role="ipaddr">127.0.0.1</hostid> for internal
+ use interface <filename>lo0</filename> and IP address
+ <systemitem class="ipaddress">127.0.0.1</systemitem> for internal
communication within the operating system. The firewall rules
must contain rules to allow free unmolested movement of these
special internally used packets.</para>
@@ -1393,7 +1376,7 @@ sh /etc/ipf.rules.script</programlisting>
where you place your rules to authorize and control access out
to the public Internet and access requests arriving from the
public Internet. This can be your user PPP
- <devicename>tun0</devicename> interface or your NIC that is
+ <filename>tun0</filename> interface or your NIC that is
connected to your DSL or cable modem.</para>
<para>In cases where one or more NICs are cabled to private LANs
@@ -1453,13 +1436,11 @@ sh /etc/ipf.rules.script</programlisting>
<para>When you log packets with port numbers you do not
recognize, look it up in <filename>/etc/services</filename> or
- go to <ulink
- url="http://www.securitystats.com/tools/portsearch.php"></ulink>
+ go to <uri xlink:href="http://www.securitystats.com/tools/portsearch.php">http://www.securitystats.com/tools/portsearch.php</uri>
and do a port number lookup to find what the purpose of that
port number is.</para>
- <para>Check out this link for port numbers used by Trojans <ulink
- url="http://www.simovits.com/trojans/trojans.html"></ulink>.</para>
+ <para>Check out this link for port numbers used by Trojans <uri xlink:href="http://www.simovits.com/trojans/trojans.html">http://www.simovits.com/trojans/trojans.html</uri>.</para>
<para>The following rule set is a complete very secure
'inclusive' type of firewall rule set that I have used on my
@@ -1470,10 +1451,10 @@ sh /etc/ipf.rules.script</programlisting>
<para>If you see messages in your log that you want to stop
seeing just add a block rule in the inbound section.</para>
- <para>You have to change the <devicename>dc0</devicename>
+ <para>You have to change the <filename>dc0</filename>
interface name in every rule to the interface name of the Nic
card that connects your system to the public Internet. For
- user PPP it would be <devicename>tun0</devicename>.</para>
+ user PPP it would be <filename>tun0</filename>.</para>
<para>Add the following statements to
<filename>/etc/ipf.rules</filename>:</para>
@@ -1713,27 +1694,27 @@ block in log first quick on dc0 all
<tbody>
<row>
- <entry>Start IP <hostid role="ipaddr">10.0.0.0</hostid></entry>
+ <entry>Start IP <systemitem class="ipaddress">10.0.0.0</systemitem></entry>
<entry>-</entry>
- <entry>Ending IP <hostid role="ipaddr">10.255.255.255</hostid></entry>
+ <entry>Ending IP <systemitem class="ipaddress">10.255.255.255</systemitem></entry>
</row>
<row>
- <entry>Start IP <hostid role="ipaddr">172.16.0.0</hostid></entry>
+ <entry>Start IP <systemitem class="ipaddress">172.16.0.0</systemitem></entry>
<entry>-</entry>
- <entry>Ending IP <hostid role="ipaddr">172.31.255.255</hostid></entry>
+ <entry>Ending IP <systemitem class="ipaddress">172.31.255.255</systemitem></entry>
</row>
<row>
- <entry>Start IP <hostid role="ipaddr">192.168.0.0</hostid></entry>
+ <entry>Start IP <systemitem class="ipaddress">192.168.0.0</systemitem></entry>
<entry>-</entry>
- <entry>Ending IP <hostid role="ipaddr">192.168.255.255</hostid></entry>
+ <entry>Ending IP <systemitem class="ipaddress">192.168.255.255</systemitem></entry>
</row>
</tbody>
</tgroup>
@@ -1809,8 +1790,7 @@ block in log first quick on dc0 all
<para>The <replaceable>LAN_IP_RANGE</replaceable> is what your
internal clients use for IP Addressing, usually this is
- something like <hostid
- role="ipaddr">192.168.1.0/24</hostid>.</para>
+ something like <systemitem class="ipaddress">192.168.1.0/24</systemitem>.</para>
<para>The <replaceable>PUBLIC_ADDRESS</replaceable> can either
be the external IP address or the special keyword
@@ -1939,9 +1919,8 @@ block in log first quick on dc0 all
has to be some way to direct the inbound traffic to the
correct LAN PCs. IP<acronym>NAT</acronym> has the redirection
facilities of <acronym>NAT</acronym> to solve this problem.
- Lets say you have your web server on LAN address <hostid
- role="ipaddr">10.0.10.25</hostid> and your single public IP
- address is <hostid role="ipaddr">20.20.20.5</hostid> you would
+ Lets say you have your web server on LAN address <systemitem class="ipaddress">10.0.10.25</systemitem> and your single public IP
+ address is <systemitem class="ipaddress">20.20.20.5</systemitem> you would
code the rule like this:</para>
<programlisting>rdr dc0 20.20.20.5/32 port 80 -&gt; 10.0.10.25 port 80</programlisting>
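Review bot: the example public address `20.20.20.5` appears in both the re-marked-up `<systemitem class="ipaddress">` text and the `rdr` rule in the `<programlisting>` below it; it is a routable address allocated to someone else, and handbook rule sets tend to be copied into live configs. While this paragraph is being edited, switch both occurrences to an address from an RFC 5737 documentation range (for example `203.0.113.5`) so the example cannot collide with real traffic.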
@@ -1950,8 +1929,7 @@ block in log first quick on dc0 all
<programlisting>rdr dc0 0/32 port 80 -&gt; 10.0.10.25 port 80</programlisting>
- <para>or for a LAN DNS Server on LAN address of <hostid
- role="ipaddr">10.0.10.33</hostid> that needs to receive
+ <para>or for a LAN DNS Server on LAN address of <systemitem class="ipaddress">10.0.10.33</systemitem> that needs to receive
public DNS requests:</para>
<programlisting>rdr dc0 20.20.20.5/32 port 53 -&gt; 10.0.10.33 port 53 udp</programlisting>
@@ -1972,8 +1950,7 @@ block in log first quick on dc0 all
in how the data channel is acquired. Passive mode is more
secure as the data channel is acquired be the ordinal ftp
session requester. For a real good explanation of FTP and the
- different modes see <ulink
- url="http://www.slacksite.com/other/ftp.html"></ulink>.</para>
+ different modes see <uri xlink:href="http://www.slacksite.com/other/ftp.html">http://www.slacksite.com/other/ftp.html</uri>.</para>
<sect3>
<title>IP<acronym>NAT</acronym> Rules</title>
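Review bot: the unchanged context of this hunk carries two typos that should be fixed while the paragraph is reflowed: `acquired be the ordinal ftp session requester` should read `acquired by the original ftp session requester`.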
@@ -2058,7 +2035,7 @@ pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state</pro
</sect2>
</sect1>
- <sect1 id="firewalls-ipfw">
+ <sect1 xml:id="firewalls-ipfw">
<title>IPFW</title>
<indexterm>
@@ -2104,7 +2081,7 @@ pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state</pro
facilities, the 'fwd rule' forward facility, the bridge
facility, and the ipstealth facility.</para>
- <sect2 id="firewalls-ipfw-enable">
+ <sect2 xml:id="firewalls-ipfw-enable">
<title>Enabling IPFW</title>
<indexterm>
@@ -2138,7 +2115,7 @@ pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state</pro
net.inet.ip.fw.verbose_limit=5</programlisting>
</sect2>
- <sect2 id="firewalls-ipfw-kernel">
+ <sect2 xml:id="firewalls-ipfw-kernel">
<title>Kernel Options</title>
<indexterm>
@@ -2226,7 +2203,7 @@ options IPV6FIREWALL_DEFAULT_TO_ACCEPT</programlisting>
</note>
</sect2>
- <sect2 id="firewalls-ipfw-rc">
+ <sect2 xml:id="firewalls-ipfw-rc">
<title><filename>/etc/rc.conf</filename> Options</title>
<para>If you do not have IPFW compiled into your kernel you will
@@ -2255,8 +2232,7 @@ options IPV6FIREWALL_DEFAULT_TO_ACCEPT</programlisting>
<para>The only thing that the
<varname>firewall_logging</varname> variable will do is
setting the <varname>net.inet.ip.fw.verbose</varname> sysctl
- variable to the value of <literal>1</literal> (see <xref
- linkend="firewalls-ipfw-enable"/>). There is no
+ variable to the value of <literal>1</literal> (see <xref linkend="firewalls-ipfw-enable"/>). There is no
<filename>rc.conf</filename> variable to set log limitations,
but it can be set via sysctl variable, manually or from the
<filename>/etc/sysctl.conf</filename> file:</para>
@@ -2271,7 +2247,7 @@ options IPV6FIREWALL_DEFAULT_TO_ACCEPT</programlisting>
options.</para>
</sect2>
- <sect2 id="firewalls-ipfw-cmd">
+ <sect2 xml:id="firewalls-ipfw-cmd">
<title>The IPFW Command</title>
<indexterm><primary><command>ipfw</command></primary></indexterm>
@@ -2330,7 +2306,7 @@ options IPV6FIREWALL_DEFAULT_TO_ACCEPT</programlisting>
<screen>&prompt.root; <userinput>ipfw zero NUM</userinput></screen>
</sect2>
- <sect2 id="firewalls-ipfw-rules">
+ <sect2 xml:id="firewalls-ipfw-rules">
<title>IPFW Rule Sets</title>
<!-- XXX: looks incorrect (and duplicated 2 times in this chapter):
@@ -2401,7 +2377,7 @@ options IPV6FIREWALL_DEFAULT_TO_ACCEPT</programlisting>
end up locking your self out.</para>
</warning>
- <sect3 id="firewalls-ipfw-rules-syntax">
+ <sect3 xml:id="firewalls-ipfw-rules-syntax">
<title>Rule Syntax</title>
<indexterm>
@@ -2532,8 +2508,7 @@ options IPV6FIREWALL_DEFAULT_TO_ACCEPT</programlisting>
specified as a dotted IP address numeric form/mask-length,
or as single dotted IP address numeric form. This is a
mandatory requirement. See this link for help on writing
- mask-lengths. <ulink
- url="http://jodies.de/ipcalc"></ulink></para>
+ mask-lengths. <uri xlink:href="http://jodies.de/ipcalc">http://jodies.de/ipcalc</uri></para>
<para><parameter>port number</parameter></para>
@@ -2565,7 +2540,7 @@ options IPV6FIREWALL_DEFAULT_TO_ACCEPT</programlisting>
<para><parameter>keep-state</parameter></para>
- <para>This is a mandatory> keyword. Upon a match, the
+ <para>This is a mandatory&gt; keyword. Upon a match, the
firewall will create a dynamic rule, whose default behavior
is to match bidirectional traffic between source and
destination IP/port using the same protocol.</para>
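Review bot: escaping the stray `>` as `&gt;` makes the file well-formed but keeps a typo in the rendered text, which will read `This is a mandatory> keyword.` The character has no meaning here; drop it so the line reads `<para>This is a mandatory keyword. Upon a match, the`.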
@@ -2681,7 +2656,7 @@ options IPV6FIREWALL_DEFAULT_TO_ACCEPT</programlisting>
in the <filename>/etc/syslog.conf</filename> file.</para>
</sect3>
- <sect3 id="firewalls-ipfw-rules-script">
+ <sect3 xml:id="firewalls-ipfw-rules-script">
<title>Building a Rule Script</title>
<para>Most experienced IPFW users create a file containing the
@@ -2756,8 +2731,8 @@ ks="keep-state" # just too lazy to key this each time
to have rules to allow the firewall to function.</para>
<para>All &unix; flavored operating systems, &os; included, are
- designed to use interface <devicename>lo0</devicename> and IP
- address <hostid role="ipaddr">127.0.0.1</hostid> for internal
+ designed to use interface <filename>lo0</filename> and IP
+ address <systemitem class="ipaddress">127.0.0.1</systemitem> for internal
communication with in the operating system. The firewall
rules must contain rules to allow free unmolested movement of
these special internally used packets.</para>
@@ -2766,7 +2741,7 @@ ks="keep-state" # just too lazy to key this each time
which you code your rules to authorize and control access out
to the public Internet and access requests arriving from the
public Internet. This can be your ppp
- <devicename>tun0</devicename> interface or your NIC that is
+ <filename>tun0</filename> interface or your NIC that is
connected to your DSL or cable modem.</para>
<para>In cases where one or more than one NIC are connected to
@@ -2813,12 +2788,10 @@ ks="keep-state" # just too lazy to key this each time
The less the attackers can learn about your system the more
secure it is. When you log packets with port numbers you do
not recognize, look the numbers up in
- <filename>/etc/services/</filename> or go to <ulink
- url="http://www.securitystats.com/tools/portsearch.php"></ulink>
+ <filename>/etc/services/</filename> or go to <uri xlink:href="http://www.securitystats.com/tools/portsearch.php">http://www.securitystats.com/tools/portsearch.php</uri>
and do a port number lookup to find what the purpose of that
port number is. Check out this link for port numbers used by
- Trojans: <ulink
- url="http://www.simovits.com/trojans/trojans.html"></ulink>.</para>
+ Trojans: <uri xlink:href="http://www.simovits.com/trojans/trojans.html">http://www.simovits.com/trojans/trojans.html</uri>.</para>
</sect3>
<sect3>
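Review bot: `<filename>/etc/services/</filename>` in the changed line keeps a trailing slash, but `/etc/services` is a file, and the IPF counterpart of this paragraph earlier in the patch writes it as `<filename>/etc/services</filename>`. Drop the slash while this line is being re-marked-up so the two sections agree.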