|
Lines 365-371
|
| 365 |
<para>Sample kernel config IPF option statements are in the |
365 |
<para>Sample kernel config IPF option statements are in the |
| 366 |
<filename>/usr/src/sys/conf/NOTES</filename> kernel source |
366 |
<filename>/usr/src/sys/conf/NOTES</filename> kernel source |
| 367 |
(<filename>/usr/src/sys/<replaceable>arch</replaceable>/conf/LINT</filename> |
367 |
(<filename>/usr/src/sys/<replaceable>arch</replaceable>/conf/LINT</filename> |
| 368 |
for &os; 4.X) and are reproduced here.</para> |
368 |
for &os; 4.X) and are reproduced here:</para> |
| 369 |
|
369 |
|
| 370 |
<programlisting>options IPFILTER |
370 |
<programlisting>options IPFILTER |
| 371 |
options IPFILTER_LOG |
371 |
options IPFILTER_LOG |
|
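Review bot: the period-to-colon change on line 368 is consistent with the lead-in style used before every other `<programlisting>` in this chapter, so nothing to object to here; one small thing while the line is open, the parenthetical on lines 367-368 reads more naturally as "(or <filename>/usr/src/sys/<replaceable>arch</replaceable>/conf/LINT</filename> on &os; 4.X)" since it names an alternative location rather than a sub-part of NOTES.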
Lines 401-407
|
| 401 |
# n = map IP & port to names</programlisting> |
401 |
# n = map IP & port to names</programlisting> |
| 402 |
<para>If you have a LAN behind this firewall that uses the |
402 |
<para>If you have a LAN behind this firewall that uses the |
| 403 |
reserved private IP address ranges, then you need to add the |
403 |
reserved private IP address ranges, then you need to add the |
| 404 |
following to enable <acronym>NAT</acronym> functionality.</para> |
404 |
following to enable <acronym>NAT</acronym> functionality:</para> |
| 405 |
|
405 |
|
| 406 |
<programlisting>gateway_enable="YES" # Enable as Lan gateway |
406 |
<programlisting>gateway_enable="YES" # Enable as Lan gateway |
| 407 |
ipnat_enable="YES" # Start ipnat function |
407 |
ipnat_enable="YES" # Start ipnat function |
|
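Review bot: the comment on line 406, `# Enable as Lan gateway`, should read `LAN` to match the capitalisation used in the prose on line 402; since this hunk already rewrites the paragraph above it for the colon, fix the comment in the same commit rather than leaving the mixed-case form in the rc.conf sample.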
Lines 414-420
|
| 414 |
<para>The ipf command is used to load your rules file. Normally |
414 |
<para>The ipf command is used to load your rules file. Normally |
| 415 |
you create a file containing your custom rules and use this |
415 |
you create a file containing your custom rules and use this |
| 416 |
command to replace in mass the currently running firewall |
416 |
command to replace in mass the currently running firewall |
| 417 |
internal rules.</para> |
417 |
internal rules:</para> |
| 418 |
|
418 |
|
| 419 |
<programlisting><command>ipf -Fa -f /etc/ipf.rules</command></programlisting> |
419 |
<programlisting><command>ipf -Fa -f /etc/ipf.rules</command></programlisting> |
| 420 |
|
420 |
|
|
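Review bot: "replace in mass" on line 416 is a malapropism for "en masse"; as the hunk already edits line 417 for the colon, extend it one line up and change the phrase to "replace en masse" (or simply "replace"). It would also help the reader to say what the flags on line 419 do, since the sentence only calls it "the ipf command": `-Fa` flushes every currently loaded rule and `-f /etc/ipf.rules` then loads the file, which is exactly the wholesale replacement the paragraph describes.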
Lines 531-537
|
| 531 |
rotate system logs. That is why outputting the log information to |
531 |
rotate system logs. That is why outputting the log information to |
| 532 |
syslogd is better than the default of outputting to a regular |
532 |
syslogd is better than the default of outputting to a regular |
| 533 |
file. In the default <filename>rc.conf</filename> file you see the |
533 |
file. In the default <filename>rc.conf</filename> file you see the |
| 534 |
ipmon_flags statement uses the <option>-Ds</option> flags</para> |
534 |
ipmon_flags statement uses the <option>-Ds</option> flags:</para> |
| 535 |
|
535 |
|
| 536 |
<programlisting>ipmon_flags="-Ds" # D = start as daemon |
536 |
<programlisting>ipmon_flags="-Ds" # D = start as daemon |
| 537 |
# s = log to syslog |
537 |
# s = log to syslog |
|
Lines 564-570
|
| 564 |
and <quote>level.</quote> IPMON in <option>-Ds</option> mode uses |
564 |
and <quote>level.</quote> IPMON in <option>-Ds</option> mode uses |
| 565 |
<quote>facility</quote> name. All IPMON logged data goes to |
565 |
<quote>facility</quote> name. All IPMON logged data goes to |
| 566 |
<literal>local0</literal>. The following levels can be used to further |
566 |
<literal>local0</literal>. The following levels can be used to further |
| 567 |
the logged data if desired.</para> |
567 |
the logged data if desired:</para> |
| 568 |
|
568 |
|
| 569 |
<screen>LOG_INFO - packets logged using the "log" keyword as the action rather |
569 |
<screen>LOG_INFO - packets logged using the "log" keyword as the action rather |
| 570 |
LOG_NOTICE - packets logged which are also passed |
570 |
LOG_NOTICE - packets logged which are also passed |
|
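Review bot: line 567, "The following levels can be used to further the logged data if desired", is missing its verb; "further" needs something to act on, e.g. "to further separate the logged data" or "to further segregate the logged data". The colon added on 567 is fine, but the sentence should be completed in the same edit, otherwise the new text still reads as a fragment.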
Lines 583-590
|
| 583 |
considerable flexibility in how syslog will deal with system |
583 |
considerable flexibility in how syslog will deal with system |
| 584 |
messages issued by software applications like IPF.</para> |
584 |
messages issued by software applications like IPF.</para> |
| 585 |
|
585 |
|
| 586 |
<para>Add the following statement to <filename>/etc/syslog.conf |
586 |
<para>Add the following statement to |
| 587 |
</filename>:</para> |
|
|
| 588 |
|
587 |
|
| 589 |
<programlisting>local0.* /var/log/ipfilter.log</programlisting> |
588 |
<programlisting>local0.* /var/log/ipfilter.log</programlisting> |
| 590 |
|
589 |
|
|
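Review bot: as rendered, new line 586 ends at "Add the following statement to" and the deleted line 587 carried `</filename>:</para>`, but nothing on the new side shows `<filename>/etc/syslog.conf</filename>` or the closing `</para>` before the `<programlisting>` on 588. Please verify that the committed line is the joined form, `<para>Add the following statement to <filename>/etc/syslog.conf</filename>:</para>`, and not truncated; if it is truncated the paragraph is left unclosed and the file name the reader needs is lost.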
Lines 751-758
|
| 751 |
|
750 |
|
| 752 |
<para>Add a script like the following to your <filename> |
751 |
<para>Add a script like the following to your <filename> |
| 753 |
/usr/local/etc/rc.d/</filename> startup directory. The script |
752 |
/usr/local/etc/rc.d/</filename> startup directory. The script |
| 754 |
should have an obvious name like <filename>loadipfrules.sh |
753 |
should have an obvious name like <filename>loadipfrules.sh</filename>. |
| 755 |
</filename>. The <filename>.sh</filename> extension is mandatory.</para> |
754 |
The <filename>.sh</filename> extension is mandatory.</para> |
| 756 |
|
755 |
|
| 757 |
<programlisting>#!/bin/sh |
756 |
<programlisting>#!/bin/sh |
| 758 |
sh /etc/ipf.rules.script</programlisting> |
757 |
sh /etc/ipf.rules.script</programlisting> |
|
Lines 982-988
|
| 982 |
<para>There is no way to match ranges of IP addresses which |
981 |
<para>There is no way to match ranges of IP addresses which |
| 983 |
do not express themselves easily as mask-length. See this |
982 |
do not express themselves easily as mask-length. See this |
| 984 |
web page for help on writing mask-length: |
983 |
web page for help on writing mask-length: |
| 985 |
<ulink url="http://jodies.de/ipcalc"></ulink></para> |
984 |
<ulink url="http://jodies.de/ipcalc"></ulink>.</para> |
| 986 |
</sect3> |
985 |
</sect3> |
| 987 |
|
986 |
|
| 988 |
<sect3> |
987 |
<sect3> |
|
Lines 1174-1181
|
| 1174 |
|
1173 |
|
| 1175 |
<para>Check out this link for port numbers used by Trojans |
1174 |
<para>Check out this link for port numbers used by Trojans |
| 1176 |
<ulink |
1175 |
<ulink |
| 1177 |
url="http://www.simovits.com/trojans/trojans.html"></ulink> |
1176 |
url="http://www.simovits.com/trojans/trojans.html"></ulink>.</para> |
| 1178 |
</para> |
|
|
| 1179 |
|
1177 |
|
| 1180 |
<para>The following rule set is a complete very secure |
1178 |
<para>The following rule set is a complete very secure |
| 1181 |
'inclusive' type of firewall rule set that I have used on my |
1179 |
'inclusive' type of firewall rule set that I have used on my |
|
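Review bot: line 1178/1179, "a complete very secure 'inclusive' type of firewall rule set", needs a comma ("a complete, very secure") and the ASCII single quotes around inclusive should be `<quote>inclusive</quote>`, which is the markup this chapter already uses (see `<quote>facility</quote>` and `<quote>level.</quote>` on lines 564-565). Both fixes fit the same paragraph this hunk is already touching.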
Lines 1404-1410
|
| 1404 |
<acronym>NAT</acronym>ed private LAN IP address. According to |
1402 |
<acronym>NAT</acronym>ed private LAN IP address. According to |
| 1405 |
RFC 1918, you can use the following IP ranges for private nets |
1403 |
RFC 1918, you can use the following IP ranges for private nets |
| 1406 |
which will never be routed directly to the public |
1404 |
which will never be routed directly to the public |
| 1407 |
Internet.</para> |
1405 |
Internet:</para> |
| 1408 |
|
1406 |
|
| 1409 |
<informaltable frame="none" pgwide="1"> |
1407 |
<informaltable frame="none" pgwide="1"> |
| 1410 |
<tgroup cols="2"> |
1408 |
<tgroup cols="2"> |
|
Lines 1579-1585
|
| 1579 |
IP<acronym>NAT</acronym> to only use source ports in a |
1577 |
IP<acronym>NAT</acronym> to only use source ports in a |
| 1580 |
range. For example the following rule will tell |
1578 |
range. For example the following rule will tell |
| 1581 |
IP<acronym>NAT</acronym> to modify the source port to be |
1579 |
IP<acronym>NAT</acronym> to modify the source port to be |
| 1582 |
within that range.</para> |
1580 |
within that range:</para> |
| 1583 |
|
1581 |
|
| 1584 |
<programlisting>map dc0 192.168.1.0/24 -> 0.32 portmap tcp/udp |
1582 |
<programlisting>map dc0 192.168.1.0/24 -> 0.32 portmap tcp/udp |
| 1585 |
|
1583 |
|
|
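Review bot: the `0.32` on line 1584/1582 (`map dc0 192.168.1.0/24 -> 0.32 portmap tcp/udp`) is a typo for `0/32`, the form used on line 1631 (`map dc0 0/32 port 80`), which tells ipnat to substitute the interface's own address; `0.32` is not a valid address/mask pair and the rule will be rejected when the file is loaded. Since this hunk already edits the sentence introducing the rule, correct the rule in the same commit.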
Lines 1628-1640
|
| 1628 |
|
1626 |
|
| 1629 |
<programlisting>map dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port |
1627 |
<programlisting>map dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port |
| 1630 |
|
1628 |
|
| 1631 |
<para>or</para> |
1629 |
<para>Or:</para> |
| 1632 |
|
1630 |
|
| 1633 |
<programlisting>map dc0 0/32 port 80 -> 10.0.10.25 port 80</programlisting> |
1631 |
<programlisting>map dc0 0/32 port 80 -> 10.0.10.25 port 80</programlisting> |
| 1634 |
|
1632 |
|
| 1635 |
<para>or for a LAN DNS Server on LAN address of <hostid |
1633 |
<para>Or for a LAN DNS Server on LAN address of <hostid |
| 1636 |
role="ipaddr">10.0.10.33</hostid> that needs to receive |
1634 |
role="ipaddr">10.0.10.33</hostid> that needs to receive |
| 1637 |
public DNS requests</para> |
1635 |
public DNS requests:</para> |
| 1638 |
|
1636 |
|
| 1639 |
<programlisting>map dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 |
1637 |
<programlisting>map dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 |
| 1640 |
</sect2> |
1638 |
</sect2> |
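Review bot: the rules on lines 1627, 1631 and 1637 use `map`, but the surrounding text describes inbound redirection of public port 80 and port 53 traffic to hosts on the LAN; in ipnat that is the `rdr` keyword (for example `rdr dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80 tcp`), whereas `map` rewrites the source address of outbound traffic and would not deliver inbound connections to 10.0.10.25 or 10.0.10.33. Separately, line 1627 ends in a bare `port` with no number as rendered, and line 1637 shows no closing `</programlisting>`; confirm the remainder of both lines survived. The hunk itself only changes "or" to "Or:", so the `rdr` fix can be a follow-up, but it is a correctness error in the examples rather than a style nit.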