View | Details | Raw Unified | Return to bug 116588

(-)en_US.ISO8859-1/books/handbook/firewalls/chapter.xml (-19 / +199 lines)
Lines 398-404 Link Here
398
398
399
<!--
399
<!--
400
This is no longer true as of 9.x. It also references the CARP section
400
This is no longer true as of 9.x. It also references the CARP section
401
which doesn't explain how to use it...At some point it should.
401
which does not explain how to use it...At some point it should.
402
     <indexterm>
402
     <indexterm>
403
	<primary>kernel options</primary>
403
	<primary>kernel options</primary>
404
	<secondary>device pf</secondary>
404
	<secondary>device pf</secondary>
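Review bot: the only change in this hunk is "doesn't" to "does not" (line 401) inside a block that the surrounding lines already mark as commented out and stale ("This is no longer true as of 9.x"). Rewording dead text is churn that makes the patch harder to read; leave the comment alone here, and handle the stale block (the `<!--` at 399 through the `-->` at 448) and the missing CARP cross-reference it complains about in a separate change.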
Lines 447-464 Link Here
447
    </note>
447
    </note>
448
    -->
448
    -->
449
449
450
      <para>By default, <application>PF</application> reads its
450
<para>By default, <application>PF</application> reads its
451
	configuration rules from <filename>/etc/pf.conf</filename> and
451
  configuration rules from <filename>/etc/pf.conf</filename> and
452
	modifies, drops, or passes packets according to the rules or
452
  modifies, drops, or passes packets according to the rules or
453
	definitions specified in this file.  The &os; installation
453
  definitions specified in this file.  The &os; installation includes
454
	includes several sample files located in
454
  several sample files located in
455
	<filename>/usr/share/examples/pf/</filename>.  Refer to the
455
  <filename>/usr/share/examples/pf/</filename>.  Refer to the <link
456
	<link xlink:href="http://www.openbsd.org/faq/pf/">PF
456
    xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link> for
457
	  FAQ</link> for complete coverage
457
  complete coverage of <application>PF</application> rulesets.</para>
458
	of <application>PF</application> rulesets.</para>
459
458
460
      <para>To control <application>PF</application>, use
459
<para>To control <application>PF</application>, use
461
	<command>pfctl</command>.  <xref linkend="pfctl"/> summarizes
460
  <command>pfctl</command>.  <xref linkend="pfctl"/> summarizes
462
	some useful options to this command.  Refer to &man.pfctl.8;
461
	some useful options to this command.  Refer to &man.pfctl.8;
463
	for a description of all available options:</para>
462
	for a description of all available options:</para>
464
463
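Review bot: this hunk is whitespace-only and makes the indentation worse, not better. On the right-hand side the `<para>` elements at 450 and 459 drop the six-space indent that places them under their parent section, the continuation lines switch from a tab to two spaces, the `<link` start tag is split from its `xlink:href` attribute across lines 455-456, and the last two lines of the second paragraph ("some useful options to this command.  Refer to &man.pfctl.8;" and "for a description of all available options:") keep the original tab indent, so a single paragraph now mixes both styles. Since no wording changes, drop this hunk, or redo it with the same tab-based indentation as the rest of the file and `<link xlink:href="...">` kept on one line.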
Lines 1702-1709 Link Here
1702
	    firewall rules.</para>
1701
	    firewall rules.</para>
1703
	</listitem>
1702
	</listitem>
1704
	<listitem>
1703
	<listitem>
1705
	  <para><filename><replaceable>filename</replaceable></filename>: full path of the file
1704
	  <para><filename><replaceable>filename</replaceable></filename>:
1706
	    containing the firewall ruleset.</para>
1705
	    full path of the file containing the firewall
1706
	    ruleset.</para>
1707
	</listitem>
1707
	</listitem>
1708
      </itemizedlist>
1708
      </itemizedlist>
1709
1709
Lines 2312-2318 Link Here
2312
      <para>On the inbound side, the ruleset has to deny bad packets
2312
      <para>On the inbound side, the ruleset has to deny bad packets
2313
	and allow only authorized services.  A packet which matches an
2313
	and allow only authorized services.  A packet which matches an
2314
	inbound rule is posted to the dynamic state table and the
2314
	inbound rule is posted to the dynamic state table and the
2315
	packet is released to the <acronym>LAN</acronym>. The packet
2315
	packet is released to the <acronym>LAN</acronym>.  The packet
2316
	generated as a response is recognized by the
2316
	generated as a response is recognized by the
2317
	<literal>check-state</literal> rule as belonging to an
2317
	<literal>check-state</literal> rule as belonging to an
2318
	existing session.  It is then sent to rule
2318
	existing session.  It is then sent to rule
Lines 2614-2625 Link Here
2614
&prompt.root; <userinput>ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state</userinput></screen>
2614
&prompt.root; <userinput>ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state</userinput></screen>
2615
      </sect3>
2615
      </sect3>
2616
    </sect2>
2616
    </sect2>
2617
  </sect1>
2618
2617
2619
  <sect1 xml:id="firewalls-ipf">
2618
    <sect2 xml:id="firewalls-ipfw-dummynet">
2620
    <title>IPFILTER (IPF)</title>
2619
      <title>Using Dummynet</title>
2621
2620
2622
    <indexterm>
2621
      <para>&man.dummynet.4; is a traffic shaper, bandwidth manager
2622
	and delay emulator which may be used to simulate different
2623
	types of physical links.  It can also be &quot;misused&quot;
2624
	as a traffic shaper.</para>
2625
2626
      <para>&man.dummynet.4; offers two objects.  Pipes are an
2627
	abstraction of a given link, having a certain bandwidth, delay
2628
	and loss.  Queues are an abstraction used to implement
2629
	weighted fair queuing.  In practice, pipes can be used to set
2630
	hard limits to the bandwidth that a flow can use, wheres
2631
	queues can be used to determine how different flows share that
2632
	bandwidth.</para>
2633
2634
      <para>To ensure that &man.dummynet.4; is loaded at boot time add
2635
	the following line to
2636
	<filename>/boot/loader.conf</filename>:</para>
2637
2638
      <programlisting>dummynet_load="YES"</programlisting>
2639
2640
      <para>Please note that in order for &man.dummynet.4; to work
2641
	correctly, it is highly recommended to increase the system
2642
	clock tick rate.  This can be accomplished by adding the
2643
	following option to kernel configuration files.</para>
2644
2645
      <programlisting>options HZ=1000</programlisting>
2646
2647
      <para>Use the following command to configure a pipe which has
2648
	4Kbps and a 100ms delay:</para>
2649
2650
      <screen>&prompt.root; <userinput>ipfw pipe 10 config bw 4Kbit/s delay 100</userinput></screen>
2651
2652
      <para>To use this pipe, i.e have some traffic go through it,
2653
	use the following command:</para>
2654
2655
      <screen>&prompt.root; <userinput>ipfw -q add pipe 10 all from 10.0.0.0/24 to any</userinput></screen>
2656
2657
      <para>Please note that to properly limit users, one should
2658
	create separate pipes for upload and download.</para>
2659
2660
      <para>Using the above pipe configuration, all LAN users compete
2661
	for the same bandwidth.  If you would like to assign each of
2662
	them 4Kbps upload and download, you may create dynamic pipes
2663
	based on the source IP (for uplink) or destination IP (for
2664
	downlink):</para>
2665
2666
      <screen>&prompt.root; <userinput>ipfw pipe 10 config bw 4Kbit/s src-ip 0xffffffff</userinput>
2667
&prompt.root; <userinput>ipfw pipe 11 config bw 4Kbit/s dst-ip 0xffffffff</userinput>
2668
&prompt.root; <userinput>ipfw -q add pipe 10 all from any to any recv $if_lan</userinput>
2669
&prompt.root; <userinput>ipfw -q add pipe 11 all from any to any xmit $if_lan</userinput></screen>
2670
    </sect2>
2671
2672
    <sect2 xml:id="firewalls-ipfw-tables">
2673
      <title>Using Tables</title>
2674
2675
      <para>Tables are a way of referring to multiple IP addresses
2676
	using a single identifier.  They are useful in the following
2677
	situations:</para>
2678
2679
      <itemizedlist>
2680
	<listitem>
2681
	  <para>you must apply the same rule to a lot of IP
2682
	    addresses (table lookups are fast)</para>
2683
	</listitem>
2684
	<listitem>
2685
	  <para>you must apply a lot of rules to some IP addresses
2686
	    (use tables to add / remove IP addresses from a single
2687
	    location in the ruleset)</para>
2688
	</listitem>
2689
      </itemizedlist>
2690
2691
      <para>IP addresses stored in a table may also have an optional
2692
	32-bit unsigned value assigned to them.  A rule may be written
2693
	in such a way that it will only match if the IP found in
2694
	a table has been assigned a specific value.</para>
2695
2696
      <para>These are the commands used to manipulate tables from the
2697
	shell:</para>
2698
2699
      <para>Clear all IP addresses from a table:</para>
2700
2701
      <screen>&prompt.root; <userinput>ipfw table 10 flush</userinput></screen>
2702
2703
      <para>Add a single IP address to a table:</para>
2704
2705
      <screen>&prompt.root; <userinput>ipfw table 10 add 172.27.0.1</userinput></screen>
2706
2707
      <para>Add a CIDR network to a table:</para>
2708
2709
      <screen>&prompt.root; <userinput>ipfw table 10 add 192.168.0.0/24</userinput></screen>
2710
2711
      <para>Add a CIDR network to a table and also assign a value to
2712
	it:</para>
2713
2714
      <screen>&prompt.root; <userinput>ipfw table 10 add 192.168.0.0/24 100</userinput></screen>
2715
2716
      <para>List the contents of a table:</para>
2717
2718
      <screen>&prompt.root; <userinput>ipfw table 10 list</userinput></screen>
2719
2720
      <para>To use the table in a firewall rule:</para>
2721
2722
      <screen>&prompt.root; <userinput>ipfw -q add allow tcp from &quot;table(10)&quot; to any</userinput></screen>
2723
2724
      <para>Or, to use the table and the value in a firewall
2725
	rule:</para>
2726
2727
      <screen>&prompt.root; <userinput>ipfw -q add allow tcp from &quot;table(10,100)&quot; to any</userinput></screen>
2728
2729
      <para>The following listing is an example of how one could use
2730
	tables in a ruleset:</para>
2731
2732
      <programlisting>#!/bin/sh
2733
# Flush out the list before we begin.
2734
ipfw -q -f flush
2735
2736
# Set rules command prefix
2737
cmd="ipfw -q add"
2738
table="ipfw -q table"
2739
2740
# Create a table with all IPs allowed to connect to SSH
2741
$table 1 flush		# required
2742
$table 1 add 172.27.0.1	    # single IP address
2743
$table 1 add 192.168.0.0/24   # CIDR network
2744
2745
# Actual rule which allows SSH
2746
$cmd allow from "table(1)" to me 22 keep-state
2747
2748
# Deny everything else
2749
$cmd deny from any to any</programlisting>
2750
2751
      <para>Here is another example, in which tables and values are
2752
	used to group clients into multiple bandwidth limitations
2753
	depending on their subscription:</para>
2754
2755
      <programlisting>#!/bin/sh
2756
# Flush out the list before we begin.
2757
ipfw -q -f flush
2758
2759
# Set rules command prefix
2760
cmd="ipfw -q add"
2761
table="ipfw -q table"
2762
pipe="ipfw -q pipe"
2763
if_net="em0"
2764
2765
#
2766
# Pipes
2767
#
2768
2769
# Please note that dynamic pipes will be created for each client.
2770
# In other words, clients DO NOT compete for the bandwidth.
2771
2772
# First subscription rate.
2773
$pipe 10 config queue 10 bw 512Kbit/s mask src-ip 0xffffffff  # uplink
2774
$pipe 11 config queue 10 bw 512Kbit/s mask dst-ip 0xffffffff  # downlink
2775
2776
# Second subscription rate.
2777
$pipe 20 config queue 10 bw 768Kbit/s mask src-ip 0xffffffff  # uplink
2778
$pipe 21 config queue 10 bw 768Kbit/s mask dst-ip 0xffffffff  # downlink
2779
2780
# Create a table with all IPs allowed to have Internet connection.
2781
# Note that although it is not required, values are the same
2782
# as the bandwidth which will be given to the client.
2783
$table 1 flush	    # required
2784
$table 1 add 172.27.0.2 512	  # 512Kbps client
2785
$table 1 add 172.27.0.3 768	  # 768Kbps client
2786
$table 1 add 172.27.0.4 512	  # 512Kbps client
2787
2788
# Actual rules which classify the traffic
2789
$cmd pipe 10 all from "table(1,512)" to any xmit $if_net
2790
$cmd pipe 11 all from any to "table(1,512)" recv $if_net
2791
$cmd pipe 20 all from "table(1,768)" to any xmit $if_net
2792
$cmd pipe 21 all from any to "table(1,768)" recv $if_net
2793
2794
# Deny everything else
2795
$cmd deny all from any to any</programlisting>
2796
	</sect2>
2797
      </sect1>
2798
2799
      <sect1 xml:id="firewalls-ipf">
2800
	<title>IPFILTER (IPF)</title>
2801
2802
	<indexterm>
2623
      <primary>firewall</primary>
2803
      <primary>firewall</primary>
2624
2804
2625
      <secondary><application>IPFILTER</application></secondary>
2805
      <secondary><application>IPFILTER</application></secondary>
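Review bot: the two dynamic-pipe commands at lines 2666-2667 are missing the `mask` keyword: `ipfw pipe 10 config bw 4Kbit/s src-ip 0xffffffff` should read `ipfw pipe 10 config bw 4Kbit/s mask src-ip 0xffffffff`, and likewise `mask dst-ip 0xffffffff` for pipe 11, as the subscription-rate script later in this hunk (lines 2773-2778) correctly writes it. Without `mask` the pipe is one shared queue, so the per-client 4Kbps limit the preceding paragraph promises is not what these commands configure. Other points in the same hunk: the SSH rule `$cmd allow from "table(1)" to me 22 keep-state` (line 2746) omits the protocol, whereas ipfw's rule body is `proto from src to dst` and every other rule in the hunk names one; make it `allow tcp from "table(1)" to me 22 keep-state`, and make the first script's closing `deny from any to any` match the second script's `deny all from any to any`. The `<screen>` examples at 2668-2669 use a shell variable `$if_lan` that is never defined, unlike `if_net="em0"` in the script; use a concrete interface name or a `<replaceable>`. In the prose, "wheres" (2630) should be "whereas", "i.e have" (2652) should be "i.e., have", "4Kbps" would read better as the "4Kbit/s" the commands use, and the opening paragraph (2621-2624) first calls dummynet a traffic shaper and then says it can be "misused" as one; say instead that it is a link emulator (bandwidth, delay, loss) that also serves as a traffic shaper. Finally, the moved `</sect1>`, `<sect1 xml:id="firewalls-ipf">`, `<title>` and `<indexterm>` at 2797-2802 are re-indented with six spaces and tabs as if nested one level deeper than before, while the unchanged `<primary>firewall</primary>` that follows keeps its old indent; restore the two-space indent for the sect1 tags and four spaces for `<indexterm>` so the IPF section lines up with the rest of the chapter.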
