|
Lines 39-49
|
| 39 |
network connections and either allows the traffic through or |
39 |
network connections and either allows the traffic through or |
| 40 |
blocks it. The rules of the firewall can inspect one or more |
40 |
blocks it. The rules of the firewall can inspect one or more |
| 41 |
characteristics of the packets, including but not limited to the |
41 |
characteristics of the packets, including but not limited to the |
| 42 |
protocol type, the source or destination host address and the |
42 |
protocol type, the source or destination host address, and the |
| 43 |
source or destination port.</para> |
43 |
source or destination port.</para> |
| 44 |
|
44 |
|
| 45 |
<para>Firewalls greatly enhance the security of your network, your |
45 |
<para>Firewalls greatly enhance the security of your network, your |
| 46 |
applications and services. They can be used to do one of more of |
46 |
applications and services. They can be used to do one or more of |
| 47 |
the following things:</para> |
47 |
the following things:</para> |
| 48 |
|
48 |
|
| 49 |
<itemizedlist> |
49 |
<itemizedlist> |
|
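Review bot: the serial comma added at line 42 ("host address, and the") is not carried through to line 45, where "your network, your applications and services" keeps the old style; pick one convention for the chapter and apply it to both sentences. The "one of more" to "one or more" fix at line 46 is correct.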
Lines 197-203
|
| 197 |
<para>The author prefers IPFILTER because its stateful rules are |
197 |
<para>The author prefers IPFILTER because its stateful rules are |
| 198 |
much less complicated to use in a <acronym>NAT</acronym> |
198 |
much less complicated to use in a <acronym>NAT</acronym> |
| 199 |
environment and it has a built in ftp proxy that simplifies the |
199 |
environment and it has a built in ftp proxy that simplifies the |
| 200 |
rules to allow secure outbound FTP usage. If is also more |
200 |
rules to allow secure outbound FTP usage. It is also more |
| 201 |
appropriate to the knowledge level of the inexperienced firewall |
201 |
appropriate to the knowledge level of the inexperienced firewall |
| 202 |
user.</para> |
202 |
user.</para> |
| 203 |
|
203 |
|
|
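Review bot: the "If is" to "It is" fix at line 200 is right, but the same sentence still reads "built in ftp proxy" at line 199: "built in" is an adjective here and should be hyphenated, and "ftp" is lower-case while line 200 writes "FTP" and line 198 wraps NAT in <acronym>. Suggest "built-in <acronym>FTP</acronym> proxy" so the markup matches the rest of the paragraph.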
Lines 566-572
|
| 566 |
log and adds the log keyword to those rules. Normally only |
566 |
log and adds the log keyword to those rules. Normally only |
| 567 |
deny rules are logged.</para> |
567 |
deny rules are logged.</para> |
| 568 |
|
568 |
|
| 569 |
<para>Its very customary to include a default deny everything |
569 |
<para>It is very customary to include a default deny everything |
| 570 |
rule with the log keyword included as your last rule in the |
570 |
rule with the log keyword included as your last rule in the |
| 571 |
rule set. This way you get to see all the packets that did not |
571 |
rule set. This way you get to see all the packets that did not |
| 572 |
match any of the rules in the rule set.</para> |
572 |
match any of the rules in the rule set.</para> |
|
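Review bot: "It is very customary" at line 569 is grammatical now but still reads awkwardly; "It is customary" or "It is common practice" is enough. In the same sentence, "default deny everything rule" at lines 569-570 would be clearer as "default deny-everything rule", so that "deny everything" reads as the rule's action rather than as a verb phrase.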
Lines 749-756
|
| 749 |
<para>That is all there is to it. The rules are not important in |
749 |
<para>That is all there is to it. The rules are not important in |
| 750 |
this example, how the Symbolic substitution field are populated |
750 |
this example, how the Symbolic substitution field are populated |
| 751 |
and used are. If the above example was in /etc/ipf.rules.script |
751 |
and used are. If the above example was in /etc/ipf.rules.script |
| 752 |
file, you could reload these rules by entering on the command |
752 |
file, you could reload these rules by entering this on the command |
| 753 |
line.</para> |
753 |
line:</para> |
| 754 |
|
754 |
|
| 755 |
<programlisting><command>sh /etc/ipf.rules.script</command> |
755 |
<programlisting><command>sh /etc/ipf.rules.script</command> |
| 756 |
</programlisting> |
756 |
</programlisting> |
|
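Review bot: lines 750-751 are still ungrammatical after this change: "how the Symbolic substitution field are populated and used are" mixes singular and plural and has no clear subject; suggest "what matters is how the symbolic substitution fields are populated and used". At line 751, "in /etc/ipf.rules.script file" is missing "the", and the path should be wrapped in <filename> as /etc/ipfw.rules is at line 2278 of this same patch. The colon added at line 753 is correct, since a <programlisting> follows.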
Lines 948-954
|
| 948 |
<title>SELECTION</title> |
948 |
<title>SELECTION</title> |
| 949 |
<para>The keywords described in this section are used to |
949 |
<para>The keywords described in this section are used to |
| 950 |
describe attributes of the packet to be interrogated when |
950 |
describe attributes of the packet to be interrogated when |
| 951 |
determining whether rules match or don't match. There is a |
951 |
determining whether rules match or not. There is a |
| 952 |
keyword subject, and it has sub-option keywords, one of |
952 |
keyword subject, and it has sub-option keywords, one of |
| 953 |
which has to be selected. The following general-purpose |
953 |
which has to be selected. The following general-purpose |
| 954 |
attributes are provided for matching, and must be used in |
954 |
attributes are provided for matching, and must be used in |
|
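Review bot: line 951 here becomes "match or not", but the equivalent sentence at line 2069 in this same patch becomes "match the packet or not"; the two sections are otherwise word-for-word parallel, so use the same wording in both.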
Lines 1842-1848
|
| 1842 |
options IPV6FIREWALL_DEFAULT_TO_ACCEPT</programlisting> |
1842 |
options IPV6FIREWALL_DEFAULT_TO_ACCEPT</programlisting> |
| 1843 |
|
1843 |
|
| 1844 |
<para>These options are exactly the same as the IPv4 options but |
1844 |
<para>These options are exactly the same as the IPv4 options but |
| 1845 |
they are for IPv6. If you don't use IPv6 you might want to use |
1845 |
they are for IPv6. If you do not use IPv6 you might want to use |
| 1846 |
IPV6FIREWALL without any rules to block all IPv6</para> |
1846 |
IPV6FIREWALL without any rules to block all IPv6</para> |
| 1847 |
|
1847 |
|
| 1848 |
<programlisting>options IPDIVERT</programlisting> |
1848 |
<programlisting>options IPDIVERT</programlisting> |
|
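Review bot: the advice at lines 1845-1846 to "use IPV6FIREWALL without any rules to block all IPv6" only holds if IPV6FIREWALL_DEFAULT_TO_ACCEPT (line 1842) is not also set; with that option an empty rule set accepts everything, as the IPv4 note at lines 1854-1856 says for IPFIREWALL_DEFAULT_TO_ACCEPT. The sentence should state this, e.g. "use IPV6FIREWALL, without IPV6FIREWALL_DEFAULT_TO_ACCEPT and with no rules, to block all IPv6". Line 1846 also still ends without a period before </para>.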
Lines 1851-1857
|
| 1851 |
functionality.</para> |
1851 |
functionality.</para> |
| 1852 |
|
1852 |
|
| 1853 |
<note> |
1853 |
<note> |
| 1854 |
<para>If you don't include IPFIREWALL_DEFAULT_TO_ACCEPT or set |
1854 |
<para>If you do not include IPFIREWALL_DEFAULT_TO_ACCEPT or set |
| 1855 |
your rules to allow incoming packets you will block all |
1855 |
your rules to allow incoming packets you will block all |
| 1856 |
packets going to and from this machine.</para> |
1856 |
packets going to and from this machine.</para> |
| 1857 |
</note> |
1857 |
</note> |
|
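Review bot: the conditional at lines 1854-1855 is ambiguous after the "do not" expansion: "If you do not include IPFIREWALL_DEFAULT_TO_ACCEPT or set your rules to allow incoming packets" can be read as "(do not include the option) or (set your rules to allow)", the opposite of what is meant. Suggest "If you do not include IPFIREWALL_DEFAULT_TO_ACCEPT and your rules do not allow incoming packets, you will block all packets going to and from this machine." (adding the comma before "you will" as well). This is a lockout warning, so it should not leave room for misreading.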
Lines 2066-2072
|
| 2066 |
|
2066 |
|
| 2067 |
<para>The keywords described in this section are used to |
2067 |
<para>The keywords described in this section are used to |
| 2068 |
describe attributes of the packet to be interrogated when |
2068 |
describe attributes of the packet to be interrogated when |
| 2069 |
determining whether rules match or don't match the packet. |
2069 |
determining whether rules match the packet or not. |
| 2070 |
The following general-purpose attributes are provided for |
2070 |
The following general-purpose attributes are provided for |
| 2071 |
matching, and must be used in this order:</para> |
2071 |
matching, and must be used in this order:</para> |
| 2072 |
|
2072 |
|
|
Lines 2276-2282
|
| 2276 |
</programlisting> |
2276 |
</programlisting> |
| 2277 |
|
2277 |
|
| 2278 |
<para>The <filename>/etc/ipfw.rules</filename> file could be |
2278 |
<para>The <filename>/etc/ipfw.rules</filename> file could be |
| 2279 |
located any where you want and the file could be named any |
2279 |
located anywhere you want and the file could be named any |
| 2280 |
thing you would like.</para> |
2280 |
thing you would like.</para> |
| 2281 |
|
2281 |
|
| 2282 |
<para>The same thing could also be accomplished by running |
2282 |
<para>The same thing could also be accomplished by running |
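Review bot: "any where" to "anywhere" at line 2279 is correct, but the same sentence continues with "any thing" at line 2280, which should become "anything" in the same change.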