|
Lines 1654-1674
|
| 1654 |
custom kernel configuration file:</para> |
1654 |
custom kernel configuration file:</para> |
| 1655 |
|
1655 |
|
| 1656 |
<programlisting>options IPFIREWALL # enables IPFW |
1656 |
<programlisting>options IPFIREWALL # enables IPFW |
| 1657 |
options IPFIREWALL_VERBOSE # enables logging for rules with log keyword |
1657 |
options IPFIREWALL_VERBOSE # enables logging for rules with log keyword to syslogd(8) |
| 1658 |
options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry |
1658 |
options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry |
| 1659 |
options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied |
1659 |
options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied |
| 1660 |
options IPDIVERT # enables NAT</programlisting> |
1660 |
options IPFIREWALL_NAT # enables in-kernel NAT support |
|
|
1661 |
options IPFIREWALL_NAT64 # enables in-kernel NAT64 support |
| 1662 |
options IPFIREWALL_NPTV6 # enables in-kernel IPv6 NPT support |
| 1663 |
options IPFIREWALL_PMOD # enables protocols modification module support |
| 1664 |
options IPDIVERT # enables NAT through natd(8)</programlisting> |
| 1661 |
|
1665 |
|
| 1662 |
<para>To configure the system to enable |
1666 |
<para>To configure the system to enable |
| 1663 |
<application>IPFW</application> at boot time, add the |
1667 |
<application>IPFW</application> at boot time, add <literal>firewall_enable="YES"</literal> |
| 1664 |
following entry to <filename>/etc/rc.conf</filename>:</para> |
1668 |
to <filename>/etc/rc.conf</filename>:</para> |
| 1665 |
|
1669 |
|
| 1666 |
<programlisting>firewall_enable="YES"</programlisting> |
1670 |
<screen>&prompt.root; <userinput>sysrc firewall_enable="YES"</userinput></screen> |
| 1667 |
|
1671 |
|
| 1668 |
<para>To use one of the default firewall types provided by &os;, |
1672 |
<para>To use one of the default firewall types provided by &os;, |
| 1669 |
add another line which specifies the type:</para> |
1673 |
add another line which specifies the type:</para> |
| 1670 |
|
1674 |
|
| 1671 |
<programlisting>firewall_type="open"</programlisting> |
1675 |
<screen>&prompt.root; <userinput>sysrc firewall_type="open"</userinput></screen> |
| 1672 |
|
1676 |
|
| 1673 |
<para>The available types are:</para> |
1677 |
<para>The available types are:</para> |
| 1674 |
|
1678 |
|
|
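Review bot: the new `options IPFIREWALL_NAT` line (1660) is incomplete on its own; in-kernel NAT also needs `options LIBALIAS` in the kernel configuration, and the handbook's later revisions list the two together, so add `options LIBALIAS # enables in-kernel NAT support via libalias` directly after it. Separately, the prose at 1672-1673 still says "add another line which specifies the type" while the example beneath it (1675) is now a `sysrc` command rather than an `rc.conf` line; reword to "run `sysrc` with the type" so the sentence matches the `<screen>` it introduces. The retained `IPFIREWALL_DEFAULT_TO_ACCEPT` comment should say plainly that this is a fail-open default and is only appropriate while a ruleset is being developed.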
Lines 1720-1730
|
| 1720 |
<literal>firewall_script</literal> is set to |
1724 |
<literal>firewall_script</literal> is set to |
| 1721 |
<filename>/etc/ipfw.rules</filename>:</para> |
1725 |
<filename>/etc/ipfw.rules</filename>:</para> |
| 1722 |
|
1726 |
|
| 1723 |
<programlisting>firewall_script="/etc/ipfw.rules"</programlisting> |
1727 |
<screen>&prompt.root; <userinput>sysrc firewall_script="/etc/ipfw.rules"</userinput></screen> |
| 1724 |
|
1728 |
|
| 1725 |
<para>To enable logging, include this line:</para> |
1729 |
<para>To enable logging through &man.syslogd.8;, include this line:</para> |
| 1726 |
|
1730 |
|
| 1727 |
<programlisting>firewall_logging="YES"</programlisting> |
1731 |
<screen>&prompt.root; <userinput>sysrc firewall_logging="YES"</userinput></screen> |
| 1728 |
|
1732 |
|
| 1729 |
<para>There is no <filename>/etc/rc.conf</filename> variable to |
1733 |
<para>There is no <filename>/etc/rc.conf</filename> variable to |
| 1730 |
set logging limits. To limit the number of times a rule is |
1734 |
set logging limits. To limit the number of times a rule is |
|
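Review bot: "include this line" (1729) no longer matches the `<screen>` below it, which is a `sysrc firewall_logging="YES"` command rather than a line to include; use "run this command" here and in the `firewall_script` paragraph above it (1727) for consistency with the other hunks. Since `firewall_logging` works by setting `net.inet.ip.fw.verbose=1` at `service ipfw start`, the sentence would also help readers more if it named that sysctl, because the logging-limit paragraph that follows (1733-1738) refers to a sibling sysctl without saying how the two relate.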
Lines 1731-1740
|
| 1731 |
logged per connection attempt, specify the number using this |
1735 |
logged per connection attempt, specify the number using this |
| 1732 |
line in <filename>/etc/sysctl.conf</filename>:</para> |
1736 |
line in <filename>/etc/sysctl.conf</filename>:</para> |
| 1733 |
|
1737 |
|
| 1734 |
<programlisting>net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></programlisting> |
1738 |
<screen>&prompt.root; <userinput>sysrc -f /etc/sysctl.conf net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></userinput></screen> |
| 1735 |
|
1739 |
|
| 1736 |
<para>After saving the needed edits, start the firewall. To |
1740 |
<para>To enable logging through a dedicated interface named <literal>ipfw0</literal>, add this line |
| 1737 |
enable logging limits now, also set the |
1741 |
to <filename>/etc/rc.conf</filename> instead:</para> |
|
|
1742 |
|
| 1743 |
<screen>&prompt.root; <userinput>sysrc firewall_logif="YES"</userinput></screen> |
| 1744 |
|
| 1745 |
<para>Then use <application>tcpdump</application> to see what is being logged:</para> |
| 1746 |
|
| 1747 |
<screen>&prompt.root; <userinput>tcpdump -t -n -i ipfw0</userinput></screen> |
| 1748 |
|
| 1749 |
<tip> |
| 1750 |
<para>There's no overhead due to logging unless <application>tcpdump</application> is |
| 1751 |
attached.</para> |
| 1752 |
</tip> |
| 1753 |
|
| 1754 |
<para>After saving the needed edits, start the firewall. To |
| 1755 |
enable &man.syslogd.8; logging limits now, also set the |
| 1738 |
<command>sysctl</command> value specified above:</para> |
1756 |
<command>sysctl</command> value specified above:</para> |
| 1739 |
|
1757 |
|
| 1740 |
<screen>&prompt.root; <userinput>service ipfw start</userinput> |
1758 |
<screen>&prompt.root; <userinput>service ipfw start</userinput> |