View | Details | Raw Unified | Return to bug 232956

(-)chapter.xml (-12 / +30 lines)
Lines 1654-1674 Link Here
1654
	custom kernel configuration file:</para>
1654
	custom kernel configuration file:</para>
1655
1655
1656
      <programlisting>options    IPFIREWALL			# enables IPFW
1656
      <programlisting>options    IPFIREWALL			# enables IPFW
1657
options    IPFIREWALL_VERBOSE		# enables logging for rules with log keyword
1657
options    IPFIREWALL_VERBOSE		# enables logging for rules with log keyword to syslogd(8)
1658
options    IPFIREWALL_VERBOSE_LIMIT=5	# limits number of logged packets per-entry
1658
options    IPFIREWALL_VERBOSE_LIMIT=5	# limits number of logged packets per-entry
1659
options    IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
1659
options    IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
1660
options    IPDIVERT			# enables NAT</programlisting>
1660
options    IPFIREWALL_NAT		# enables in-kernel NAT support
1661
options    IPFIREWALL_NAT64		# enables in-kernel NAT64 support
1662
options    IPFIREWALL_NPTV6		# enables in-kernel IPv6 NPT support
1663
options    IPFIREWALL_PMOD		# enables protocols modification module support
1664
options    IPDIVERT			# enables NAT through natd(8)</programlisting>
1661
1665
1662
      <para>To configure the system to enable
1666
      <para>To configure the system to enable
1663
	<application>IPFW</application> at boot time, add the
1667
	<application>IPFW</application> at boot time, add <literal>firewall_enable="YES"</literal>
1664
	following entry to <filename>/etc/rc.conf</filename>:</para>
1668
	 to <filename>/etc/rc.conf</filename>:</para>
1665
1669
1666
      <programlisting>firewall_enable="YES"</programlisting>
1670
      <screen>&prompt.root; <userinput>sysrc firewall_enable="YES"</userinput></screen>
1667
1671
1668
      <para>To use one of the default firewall types provided by &os;,
1672
      <para>To use one of the default firewall types provided by &os;,
1669
	add another line which specifies the type:</para>
1673
	add another line which specifies the type:</para>
1670
1674
1671
      <programlisting>firewall_type="open"</programlisting>
1675
      <screen>&prompt.root; <userinput>sysrc firewall_type="open"</userinput></screen>
1672
1676
1673
      <para>The available types are:</para>
1677
      <para>The available types are:</para>
1674
1678
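Review bot: The rewritten paragraph at new lines 1666-1668 now states the value twice, once as `<literal>firewall_enable="YES"</literal>` in the prose and again in the `sysrc firewall_enable="YES"` screen at 1670, while the firewall_type paragraph at 1671-1675 in the same hunk keeps its original "add another line which specifies the type" wording; pick one pattern for both (for example keep "add the following entry to /etc/rc.conf" and let the `<screen>` carry the value), and drop the stray leading space in ` to <filename>/etc/rc.conf</filename>` at 1668 left over from moving the literal. In the kernel options listing, the IPFIREWALL_PMOD comment at 1663 reads "enables protocols modification module support"; "protocol modification" reads better and matches the style of the neighbouring comments.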
Lines 1720-1730 Link Here
1720
	<literal>firewall_script</literal> is set to
1724
	<literal>firewall_script</literal> is set to
1721
	<filename>/etc/ipfw.rules</filename>:</para>
1725
	<filename>/etc/ipfw.rules</filename>:</para>
1722
1726
1723
      <programlisting>firewall_script="/etc/ipfw.rules"</programlisting>
1727
      <screen>&prompt.root; <userinput>sysrc firewall_script="/etc/ipfw.rules"</userinput></screen>		
1724
1728
1725
      <para>To enable logging, include this line:</para>
1729
      <para>To enable logging through &man.syslogd.8;, include this line:</para>
1726
1730
1727
      <programlisting>firewall_logging="YES"</programlisting>
1731
      <screen>&prompt.root; <userinput>sysrc firewall_logging="YES"</userinput></screen>
1728
1732
1729
      <para>There is no <filename>/etc/rc.conf</filename> variable to
1733
      <para>There is no <filename>/etc/rc.conf</filename> variable to
1730
	set logging limits.  To limit the number of times a rule is
1734
	set logging limits.  To limit the number of times a rule is
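Review bot: The prose at 1729 still says "include this line:" but the block that follows at 1731 is now a `sysrc firewall_logging="YES"` command rather than a line to paste into the file; reword to something like "enable it with:" so the instruction matches what is shown, or keep the `<programlisting>` form. The new line 1727 also carries trailing tabs after `</screen>`, which should be stripped.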
Lines 1731-1740 Link Here
1731
	logged per connection attempt, specify the number using this
1735
	logged per connection attempt, specify the number using this
1732
	line in <filename>/etc/sysctl.conf</filename>:</para>
1736
	line in <filename>/etc/sysctl.conf</filename>:</para>
1733
1737
1734
      <programlisting>net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></programlisting>
1738
      <screen>&prompt.root; <userinput>sysrc -f /etc/sysctl.conf net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></userinput></screen>
1735
1739
1736
      <para>After saving the needed edits, start the firewall.  To
1740
			<para>To enable logging through a dedicated interface named <literal>ipfw0</literal>, add this line
1737
	enable logging limits now, also set the
1741
			to <filename>/etc/rc.conf</filename> instead:</para>
1742
1743
			<screen>&prompt.root; <userinput>sysrc firewall_logif="YES"</userinput></screen>
1744
1745
			<para>Then use <application>tcpdump</application> to see what is being logged:</para>
1746
1747
			<screen>&prompt.root; <userinput>tcpdump -t -n -i ipfw0</userinput></screen>
1748
1749
			<tip>
1750
				<para>There's no overhead due to logging unless <application>tcpdump</application> is
1751
				attached.</para>
1752
			</tip>
1753
			
1754
      <para>After saving the needed edits, start the firewall. To
1755
	enable &man.syslogd.8; logging limits now, also set the
1738
	<command>sysctl</command> value specified above:</para>
1756
	<command>sysctl</command> value specified above:</para>
1739
1757
1740
      <screen>&prompt.root; <userinput>service ipfw start</userinput>
1758
      <screen>&prompt.root; <userinput>service ipfw start</userinput>
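Review bot: The new block at 1740-1753 is indented with three tabs while the surrounding paragraphs keep the file's existing six-space/tab indentation (compare 1754 `      <para>After saving the needed edits`); reindent to match. The wording "add this line to /etc/rc.conf instead" at 1740-1741 precedes a `sysrc firewall_logif="YES"` command at 1743 rather than a line, and the sysctl.conf instruction at 1735-1736 has the same mismatch ("specify the number using this line in /etc/sysctl.conf" followed by `sysrc -f /etc/sysctl.conf net.inet.ip.fw.verbose_limit=5` at 1738); align the prose with the commands. The `<tip>` at 1749-1752 says there is no overhead due to logging unless tcpdump is attached; state that this applies to the ipfw0 interface so readers do not take it to cover the syslogd logging configured just above, whose volume is what verbose_limit is there to bound.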