<application>IPF</application> has a built in <acronym>FTP</acronym> proxy which can be used with <acronym>NAT</acronym>. It monitors all outbound traffic for active or passive <acronym>FTP</acronym> connection requests and dynamically creates temporary filter rules containing the port number used by the <acronym>FTP</acronym> data channel. This eliminates the need to open large ranges of high order ports for <acronym>FTP</acronym> connections.
In this example, the first rule calls the proxy for outbound <acronym>FTP</acronym> traffic from the internal <acronym>LAN</acronym>. The second rule passes the <acronym>FTP</acronym> traffic from the firewall to the Internet, and the third rule handles all non-<acronym>FTP</acronym> traffic from the internal <acronym>LAN</acronym>:
# FTP control connections from the internal LAN go to the proxy
# (10.0.10.0/29 is the example LAN prefix; substitute your own)
map dc0 10.0.10.0/29 -&gt; 0/32 proxy port 21 ftp/tcp
# FTP originated by the firewall itself
map dc0 0.0.0.0/0 -&gt; 0/32 proxy port 21 ftp/tcp
# Everything else from the LAN: plain NAT, no proxy
map dc0 10.0.10.0/29 -&gt; 0/32
The <acronym>FTP</acronym> <literal>map</literal> rules go before the <acronym>NAT</acronym> rule so that when a packet matches an <acronym>FTP</acronym> rule, the <acronym>FTP</acronym> proxy creates temporary filter rules to let the <acronym>FTP</acronym> session packets pass and undergo <acronym>NAT</acronym>. All LAN packets that are not <acronym>FTP</acronym> will not match the <acronym>FTP</acronym> rules but will undergo <acronym>NAT</acronym> if they match the third rule.
Without the <acronym>FTP</acronym> proxy, the following firewall rules would instead be needed. Note that without the proxy, outbound connections to every port above <literal>1024</literal> must be allowed, and inbound connections from port <literal>20</literal> must be accepted for active mode:
# Allow out LAN PC client FTP to public Internet
# Active and passive modes
pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state

# Allow out passive mode data channel high order port numbers
pass out quick on rl0 proto tcp from any to any port &gt; 1024 flags S keep state

# Active mode let data channel in from FTP server
pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state
Whenever the file containing the <acronym>NAT</acronym> rules is edited, run <command>ipnat</command> with <option>-CF</option> to delete the current <acronym>NAT</acronym> rules and flush the contents of the dynamic translation table. Include <option>-f</option> and specify the name of the <acronym>NAT</acronym> ruleset to load:
<prompt>#</prompt> <userinput>ipnat -CF -f /etc/ipnat.rules</userinput>
To display the <acronym>NAT</acronym> statistics:
<prompt>#</prompt> <userinput>ipnat -s</userinput>
To list the <acronym>NAT</acronym> table's current mappings:
<prompt>#</prompt> <userinput>ipnat -l</userinput>
To turn verbose mode on and display information relating to rule processing and active rules and table entries:
<prompt>#</prompt> <userinput>ipnat -v</userinput>
Viewing <application>IPF</application> Statistics
<primary><application>IPFILTER</application></primary> <secondary>statistics</secondary>
<application>IPF</application> includes <citerefentry><refentrytitle>ipfstat</refentrytitle><manvolnum>8</manvolnum></citerefentry> which can be used to retrieve and display statistics which are gathered as packets match rules as they go through the firewall. Statistics are accumulated since the firewall was last started or since the last time they were reset to zero using <command>ipf -Z</command>.
The default <command>ipfstat</command> output looks like this:
input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0
output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0
input packets logged: blocked 99286 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 3898 output 0
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 169364 lost 0
packet state(out): kept 431395 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Result cache hits(in): 1215208 (out): 1098963
IN Pullups succeeded: 2 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
Packet log flags set: (0)
Several options are available. When supplied with either <option>-i</option> for inbound or <option>-o</option> for outbound, the command will retrieve and display the appropriate list of filter rules currently installed and in use by the kernel. To also see the rule numbers, include <option>-n</option>. For example, <command>ipfstat -on</command> displays the outbound rules table with rule numbers:
@1 pass out on xl0 from any to any
@2 block out on dc0 from any to any
@3 pass out quick on dc0 proto tcp/udp from any to any keep state
Include <option>-h</option> to prefix each rule with a count of how many times the rule was matched. For example, <command>ipfstat -oh</command> displays the outbound internal rules table, prefixing each rule with its usage count:
2451423 pass out on xl0 from any to any
354727 block out on dc0 from any to any
430918 pass out quick on dc0 proto tcp/udp from any to any keep state
To display the state table in a format similar to <citerefentry><refentrytitle>top</refentrytitle><manvolnum>1</manvolnum></citerefentry>, use <command>ipfstat -t</command>. When the firewall is under attack, this option makes it possible to identify the attacking packets as they arrive. The optional sub-flags select the destination or source <acronym>IP</acronym>, port, or protocol to be monitored in real time. Refer to <citerefentry><refentrytitle>ipfstat</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.
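The counters above are worth more than a glance: a non-zero <literal>log failures</literal> value means packets that a rule asked to log were never recorded (typically <command>ipmon</command> was not running or the kernel log buffer overflowed), a non-zero <literal>lost</literal> state count means tracked sessions were dropped, and <literal>nomatch</literal> counts packets that fell through to the default policy. The script below is an added example, not part of the FreeBSD Handbook or of IPFilter; it turns <command>ipfstat</command> output into alerts and lists rules from <command>ipfstat -oh</command> that have never matched. The sample counters are the Handbook's own listing embedded inline so the script runs offline; the zero-hit <literal>port = 21</literal> rule in the <option>-oh</option> sample is constructed.

```shell
#!/bin/sh
# Added example, not part of the FreeBSD Handbook: turn ipfstat output into
# alerts. The counters below are the Handbook's own sample output, embedded so
# the script runs offline; on a firewall feed it live output instead, e.g.
#   ipfstat | ipf_health ; ipfstat -oh | ipf_unused_rules
# The "port = 21" rule in the -oh sample is constructed to show a zero-hit rule.

# Read default `ipfstat` output on stdin. Print WARN for conditions that mean
# the audit trail or state tracking is degraded, INFO for packets that fell
# through to the default policy. Exit 1 if any WARN was raised.
ipf_health() {
    awk '
        BEGIN { bad = 0 }
        $1 == "input"  && $2 == "packets:" { in_nomatch  = $8 + 0 }
        $1 == "output" && $2 == "packets:" { out_nomatch = $8 + 0 }
        # Failed log writes: ipmon was not running or the log buffer overflowed,
        # so blocked packets went unrecorded.
        $1 == "log" && $2 == "failures:" && ($4 + 0 > 0 || $6 + 0 > 0) {
            printf "WARN log failures: input %d output %d (ipmon down or log buffer full)\n", $4, $6
            bad = 1
        }
        # Lost state entries: keep-state sessions were dropped from the table.
        $1 == "packet" && ($2 == "state(in):" || $2 == "state(out):") && $6 + 0 > 0 {
            printf "WARN state entries lost %s %d\n", $2, $6
            bad = 1
        }
        END {
            if (in_nomatch + out_nomatch > 0)
                printf "INFO %d in / %d out packets matched no rule (default policy applied)\n", in_nomatch, out_nomatch
            exit bad
        }
    '
}

# Read `ipfstat -ih` / `ipfstat -oh` output on stdin and print the rules that
# have never matched: candidates for removal, or a hint that an earlier rule
# shadows them.
ipf_unused_rules() {
    awk '$1 == 0 { sub(/^[0-9]+[ \t]+/, ""); print }'
}

# Constructed input: the Handbook's ipfstat listing (statistics lines only).
SAMPLE_STATS='input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0
output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0
input packets logged: blocked 99286 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 3898 output 0
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 169364 lost 0
packet state(out): kept 431395 lost 0'

# Constructed input: the Handbook's `ipfstat -oh` listing plus one zero-hit rule.
SAMPLE_OUT_RULES='2451423 pass out on xl0 from any to any
354727 block out on dc0 from any to any
430918 pass out quick on dc0 proto tcp/udp from any to any keep state
0 pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state'

printf '%s\n' "$SAMPLE_STATS" | ipf_health || echo "ipf_health: alerts raised"
echo "rules with zero hits:"
printf '%s\n' "$SAMPLE_OUT_RULES" | ipf_unused_rules
```

Run from <command>cron</command> or a monitoring agent, the exit status of <command>ipf_health</command> is the signal to act on; the 3898 input log failures in the Handbook's own sample would already be an alert.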
<application>IPF</application> Logging
<primary><application>IPFILTER</application></primary> <secondary>logging</secondary>
<application>IPF</application> provides <command>ipmon</command>, which can be used to write the firewall's logging information in a human readable format. It requires that <literal>options IPFILTER_LOG</literal> be first added to a custom kernel using the instructions in <xref linkend="kernelconfig"/>.
This command is typically run in daemon mode in order to provide a continuous system log file so that logging of past events may be reviewed. Since FreeBSD already collects messages with <citerefentry><refentrytitle>syslogd</refentrytitle><manvolnum>8</manvolnum></citerefentry> and rotates the resulting log files with <citerefentry><refentrytitle>newsyslog</refentrytitle><manvolnum>8</manvolnum></citerefentry>, the default <filename>rc.conf</filename> <literal>ipmon_flags</literal> statement uses <option>-Ds</option>:
ipmon_flags="-Ds"   # D = start as daemon
                    # s = log to syslog
                    # v = log tcp window, ack, seq
                    # n = map IP &amp; port to names