FreeBSD Bugzilla – Attachment 198938 Details for Bug 232956
Bug 232956: Update the ipfw section in the Handbook: kernel options, ipfw0, configuration
[patch] Patch
ipfw.diff (text/plain), 3.77 KB, created by f.toscan on 2018-11-04 11:59:03 UTC

Description: Patch
Filename: ipfw.diff
MIME Type: text/plain
Creator: f.toscan
Created: 2018-11-04 11:59:03 UTC
Size: 3.77 KB
patch, obsolete
>Index: chapter.xml >=================================================================== >--- chapter.xml (revision 52415) >+++ chapter.xml (working copy) >@@ -1654,21 +1654,25 @@ > custom kernel configuration file:</para> > > <programlisting>options IPFIREWALL # enables IPFW >-options IPFIREWALL_VERBOSE # enables logging for rules with log keyword >+options IPFIREWALL_VERBOSE # enables logging for rules with log keyword to syslogd(8) > options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry > options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied >-options IPDIVERT # enables NAT</programlisting> >+options IPFIREWALL_NAT # enables in-kernel NAT support >+options IPFIREWALL_NAT64 # enables in-kernel NAT64 support >+options IPFIREWALL_NPTV6 # enables in-kernel IPv6 NPT support >+options IPFIREWALL_PMOD # enables protocols modification module support >+options IPDIVERT # enables NAT through natd(8)</programlisting> > > <para>To configure the system to enable >- <application>IPFW</application> at boot time, add the >- following entry to <filename>/etc/rc.conf</filename>:</para> >+ <application>IPFW</application> at boot time, add <literal>firewall_enable="YES"</literal> >+ to <filename>/etc/rc.conf</filename>:</para> > >- <programlisting>firewall_enable="YES"</programlisting> >+ <screen>&prompt.root; <userinput>sysrc firewall_enable="YES"</userinput></screen> > > <para>To use one of the default firewall types provided by &os;, > add another line which specifies the type:</para> > >- <programlisting>firewall_type="open"</programlisting> >+ <screen>&prompt.root; <userinput>sysrc firewall_type="open"</userinput></screen> > > <para>The available types are:</para> 
> >@@ -1720,11 +1724,11 @@ > <literal>firewall_script</literal> is set to > <filename>/etc/ipfw.rules</filename>:</para> > >- <programlisting>firewall_script="/etc/ipfw.rules"</programlisting> >+ <screen>&prompt.root; <userinput>sysrc firewall_script="/etc/ipfw.rules"</userinput></screen> > >- <para>To enable logging, include this line:</para> >+ <para>To enable logging through &man.syslogd.8;, include this line:</para> > >- <programlisting>firewall_logging="YES"</programlisting> >+ <screen>&prompt.root; <userinput>sysrc firewall_logging="YES"</userinput></screen> > > <para>There is no <filename>/etc/rc.conf</filename> variable to > set logging limits. To limit the number of times a rule is >@@ -1731,10 +1735,24 @@ > logged per connection attempt, specify the number using this > line in <filename>/etc/sysctl.conf</filename>:</para> > >- <programlisting>net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></programlisting> >+ <screen>&prompt.root; <userinput>sysrc -f /etc/sysctl.conf net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></userinput></screen> > >- <para>After saving the needed edits, start the firewall. To >- enable logging limits now, also set the >+ <para>To enable logging through a dedicated interface named <literal>ipfw0</literal>, add this line >+ to <filename>/etc/rc.conf</filename> instead:</para> >+ >+ <screen>&prompt.root; <userinput>sysrc firewall_logif="YES"</userinput></screen> >+ >+ <para>Then use <application>tcpdump</application> to see what is being logged:</para> >+ >+ <screen>&prompt.root; <userinput>tcpdump -t -n -i ipfw0</userinput></screen> >+ >+ <tip> >+ <para>There's no overhead due to logging unless <application>tcpdump</application> is >+ attached.</para> >+ </tip> >+ >+ <para>After saving the needed edits, start the firewall. To >+ enable &man.syslogd.8; logging limits now, also set the > <command>sysctl</command> value specified above:</para> > > <screen>&prompt.root; <userinput>service ipfw start</userinput>
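Review bot: in the first hunk (@@ -1654), the comment on the new IPFIREWALL_PMOD line reads "enables protocols modification module support"; "enables protocol modification module support" is the grammatical form. The same hunk swaps the rc.conf programlisting for sysrc invocations in <screen>, but the unchanged paragraph "add another line which specifies the type:" still announces a line to add rather than a command to run; reword it along the lines of "run sysrc again to set the type:" so the prose matches the new <screen> form.

Review bot: in the second hunk (@@ -1720), "To enable logging through &man.syslogd.8;, include this line:" now introduces `sysrc firewall_logging="YES"`, a command rather than an rc.conf line; change "include this line" to "run" (or "set it with sysrc") for consistency with the firewall_script change just above it, which has the same wording mismatch.

Review bot: in the third hunk (@@ -1731), "add this line to /etc/rc.conf instead:" is followed by a sysrc command, and "instead" leaves unstated whether firewall_logging is to be left unset when firewall_logif is used; spell out the relationship between the two variables so a reader does not set both expecting both syslogd and ipfw0 output. The <tip> uses the contraction "There's", which the Handbook's writing style avoids; use "There is". The sysctl line now uses `sysrc -f /etc/sysctl.conf`, which is fine, but the unchanged lead-in "specify the number using this line in /etc/sysctl.conf" has the same line-versus-command mismatch as the other hunks.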