Source string Read only

(itstool) path: sect2/programlisting
504/5040
Context English State
<application>IPFILTER</application> is a kernel-side firewall and <acronym>NAT</acronym> mechanism that can be controlled and monitored by userland programs. Firewall rules can be set or deleted using <application>ipf</application>, <acronym>NAT</acronym> rules can be set or deleted using <application>ipnat</application>, run-time statistics for the kernel parts of <application>IPFILTER</application> can be printed using <application>ipfstat</application>, and <application>ipmon</application> can be used to log <application>IPFILTER</application> actions to the system log files.
<application>IPF</application> was originally written using a rule processing logic of <quote>the last matching rule wins</quote> and only used stateless rules. Since then, <application>IPF</application> has been enhanced to include the <literal>quick</literal> and <literal>keep state</literal> options.
The <application>IPF</application> FAQ is at <uri xlink:href="http://www.phildev.net/ipf/index.html">http://www.phildev.net/ipf/index.html</uri>. A searchable archive of the IPFilter mailing list is available at <uri xlink:href="http://marc.info/?l=ipfilter">http://marc.info/?l=ipfilter</uri>.
This section of the Handbook focuses on <application>IPF</application> as it pertains to FreeBSD. It provides examples of rules that contain the <literal>quick</literal> and <literal>keep state</literal> options.
Enabling <application>IPF</application>
<primary><application>IPFILTER</application></primary> <secondary>enabling</secondary>
<application>IPF</application> is included in the basic FreeBSD install as a kernel loadable module, meaning that a custom kernel is not needed in order to enable <application>IPF</application>.
<primary>kernel options</primary> <secondary><application>IPFILTER</application></secondary>
<primary>kernel options</primary> <secondary>IPFILTER_LOG</secondary>
<primary>kernel options</primary> <secondary>IPFILTER_DEFAULT_BLOCK</secondary>
<primary><application>IPFILTER</application></primary> <secondary>kernel options</secondary>
For users who prefer to statically compile <application>IPF</application> support into a custom kernel, refer to the instructions in <xref linkend="kernelconfig"/>. The following kernel options are available:
options IPFILTER
options IPFILTER_LOG
options IPFILTER_LOOKUP
options IPFILTER_DEFAULT_BLOCK
where <literal>options IPFILTER</literal> enables support for <application>IPFILTER</application>, <literal>options IPFILTER_LOG</literal> enables <application>IPF</application> logging using the <filename>ipl</filename> packet logging pseudo-device for every rule that has the <literal>log</literal> keyword, <literal>IPFILTER_LOOKUP</literal> enables <acronym>IP</acronym> pools in order to speed up <acronym>IP</acronym> lookups, and <literal>options IPFILTER_DEFAULT_BLOCK</literal> changes the default behavior so that any packet not matching a firewall <literal>pass</literal> rule gets blocked.
To configure the system to enable <application>IPF</application> at boot time, add the following entries to <filename>/etc/rc.conf</filename>. These entries will also enable logging and <literal>default pass all</literal>. To change the default policy to <literal>block all</literal> without compiling a custom kernel, remember to add a <literal>block all</literal> rule at the end of the ruleset.
ipfilter_enable="YES" # Start ipf firewall
ipfilter_rules="/etc/ipf.rules" # loads rules definition text file
ipv6_ipfilter_rules="/etc/ipf6.rules" # loads rules definition text file for IPv6
ipmon_enable="YES" # Start IP monitor log
ipmon_flags="-Ds" # D = start as daemon
# s = log to syslog
# v = log tcp window, ack, seq
# n = map IP &amp; port to names
If <acronym>NAT</acronym> functionality is needed, also add these lines:
gateway_enable="YES" # Enable as LAN gateway
ipnat_enable="YES" # Start ipnat function
ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat
Then, to start <application>IPF</application> now:
<prompt>#</prompt> <userinput>service ipfilter start</userinput>
To load the firewall rules, specify the name of the ruleset file using <command>ipf</command>. The following command can be used to replace the currently running firewall rules:
<prompt>#</prompt> <userinput>ipf -Fa -f /etc/ipf.rules</userinput>
where <option>-Fa</option> flushes all the internal rules tables and <option>-f</option> specifies the file containing the rules to load.
This provides the ability to make changes to a custom ruleset and update the running firewall with a fresh copy of the rules without having to reboot the system. This method is convenient for testing new rules as the procedure can be executed as many times as needed.
Refer to <citerefentry><refentrytitle>ipf</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details on the other flags available with this command.
<application>IPF</application> Rule Syntax
<primary><application>IPFILTER</application></primary> <secondary>rule syntax</secondary>
This section describes the <application>IPF</application> rule syntax used to create stateful rules. When creating rules, keep in mind that unless the <literal>quick</literal> keyword appears in a rule, every rule is read in order, with the <emphasis>last matching rule</emphasis> being the one that is applied. This means that even if the first rule to match a packet is a <literal>pass</literal>, if there is a later matching rule that is a <literal>block</literal>, the packet will be dropped. Sample rulesets can be found in <filename>/usr/share/examples/ipfilter</filename>.
When creating rules, a <literal>#</literal> character is used to mark the start of a comment and may appear at the end of a rule, to explain that rule's function, or on its own line. Any blank lines are ignored.
The keywords which are used in rules must be written in a specific order, from left to right. Some keywords are mandatory while others are optional. Some keywords have sub-options which may be keywords themselves and also include more sub-options. The keyword order is as follows, where the words shown in uppercase represent a variable and the words shown in lowercase must precede the variable that follows it:
<replaceable>ACTION DIRECTION OPTIONS proto PROTO_TYPE from SRC_ADDR SRC_PORT to DST_ADDR DST_PORT TCP_FLAG|ICMP_TYPE keep state STATE</replaceable>

Loading…

User avatar None

New source string

FreeBSD Doc / books_handbookEnglish

New source string 4 months ago
Browse all component changes

Things to check

Multiple failing checks

The translations in several languages have failing checks

Reset

Glossary

English English
No related strings found in the glossary.

Source information

Source string comment
(itstool) path: sect2/programlisting
Flags
no-wrap, read-only
Source string location
book.translate.xml:60786
String age
4 months ago
Source string age
4 months ago
Translation file
books/handbook.pot, string 9976