GitHub Repository: freebsd/freebsd-doc
Path: blob/main/documentation/content/en/books/handbook/firewalls/_index.po
# SOME DESCRIPTIVE TITLE
# Copyright (C) YEAR The FreeBSD Project
# This file is distributed under the same license as the FreeBSD Documentation package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: FreeBSD Documentation VERSION\n"
"POT-Creation-Date: 2026-05-09 23:29+0100\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <[email protected]>\n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. type: YAML Front Matter: description
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1
#, no-wrap
msgid "FreeBSD has three firewalls built into the base system: PF, IPFW, and IPFILTER. This chapter covers how to define packet filtering rules, the differences between the firewalls built into FreeBSD and how to use them"
msgstr ""

#. type: YAML Front Matter: part
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1
#, no-wrap
msgid "IV. Network Communication"
msgstr ""

#. type: YAML Front Matter: title
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1
#, no-wrap
msgid "Chapter 33. Firewalls"
msgstr ""

#. type: Title =
#: documentation/content/en/books/handbook/firewalls/_index.adoc:15
#, no-wrap
msgid "Firewalls"
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/firewalls/_index.adoc:53
#, no-wrap
msgid "Synopsis"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:58
msgid ""
"Firewalls make it possible to filter the incoming and outgoing traffic that "
"flows through a system.  A firewall can use one or more sets of \"rules\" to "
"inspect network packets as they come in or go out of network connections and "
"either allow the traffic through or block it.  The rules of a firewall can "
"inspect one or more characteristics of the packets such as the protocol "
"type, source or destination host address, and source or destination port."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:61
msgid ""
"Firewalls can enhance the security of a host or a network.  They can be used "
"to do one or more of the following:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:63
msgid ""
"Protect and insulate the applications, services, and machines of an internal "
"network from unwanted traffic from the public Internet."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:64
msgid ""
"Limit or disable access from hosts of the internal network to services of "
"the public Internet."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:65
msgid ""
"Support network address translation (NAT), which allows an internal network "
"to use private IP addresses and share a single connection to the public "
"Internet using either a single IP address or a shared pool of automatically "
"assigned public addresses."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:70
msgid ""
"FreeBSD has three firewalls built into the base system: PF, IPFW, and "
"IPFILTER, also known as IPF.  FreeBSD also provides two traffic shapers for "
"controlling bandwidth usage: man:altq[4] and man:dummynet[4].  ALTQ has "
"traditionally been closely tied with PF and dummynet with IPFW.  Each "
"firewall uses rules to control the access of packets to and from a FreeBSD "
"system, although they go about it in different ways and each has a different "
"rule syntax."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:73
msgid ""
"FreeBSD provides multiple firewalls in order to meet the different "
"requirements and preferences for a wide variety of users.  Each user should "
"evaluate which firewall best meets their needs."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:75
msgid "Read this chapter to learn:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:77
msgid "How to define packet filtering rules."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:78
msgid "The differences between the firewalls built into FreeBSD."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:79
msgid "How to use and configure the PF firewall."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:80
msgid "How to use and configure the IPFW firewall."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:81
msgid "How to use and configure the IPFILTER firewall."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:83
msgid "Before reading this chapter:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:85
msgid "Understand basic FreeBSD and Internet concepts."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:90
msgid ""
"Since all firewalls are based on inspecting the values of selected packet "
"control fields, the creator of the firewall ruleset must have an "
"understanding of how TCP/IP works, what the different values in the packet "
"control fields are, and how these values are used in a normal session "
"conversation.  For a good introduction, refer to http://"
"www.ipprimer.com[Daryl's TCP/IP Primer]."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/firewalls/_index.adoc:93
#, no-wrap
msgid "Firewall Concepts"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:101
msgid ""
"A ruleset contains a group of rules which pass or block packets based on the "
"values contained in the packet.  The bi-directional exchange of packets "
"between hosts comprises a session conversation.  The firewall ruleset "
"processes both the packets arriving from the public Internet, as well as the "
"packets produced by the system as a response to them.  Each TCP/IP service "
"is predefined by its protocol and listening port.  Packets destined for a "
"specific service originate from the source address using an unprivileged "
"port and target the specific service port on the destination address.  All "
"the above parameters can be used as selection criteria to create rules which "
"will pass or block services."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:104
msgid ""
"To look up unknown port numbers, refer to [.filename]#/etc/services#.  "
"Alternatively, visit https://en.wikipedia.org/wiki/"
"List_of_TCP_and_UDP_port_numbers[https://en.wikipedia.org/wiki/"
"List_of_TCP_and_UDP_port_numbers] and do a port number lookup to find the "
"purpose of a particular port number."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:106
msgid ""
"Check out this link for http://web.archive.org/web/20150803024617/http://"
"www.sans.org/security-resources/idfaq/oddports.php[port numbers used by "
"Trojans]."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:111
msgid ""
"FTP has two modes: active mode and passive mode.  The difference is in how "
"the data channel is acquired.  Passive mode is more secure as the data "
"channel is acquired by the original ftp session requester.  For a good "
"explanation of FTP and the different modes, see http://www.slacksite.com/"
"other/ftp.html[http://www.slacksite.com/other/ftp.html]."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:115
msgid ""
"A firewall ruleset can be either \"exclusive\" or \"inclusive\".  An "
"exclusive firewall allows all traffic through except for the traffic "
"matching the ruleset.  An inclusive firewall does the reverse as it only "
"allows traffic matching the rules through and blocks everything else."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:120
msgid ""
"An inclusive firewall offers better control of the outgoing traffic, making "
"it a better choice for systems that offer services to the public Internet.  "
"It also controls the type of traffic originating from the public Internet "
"that can gain access to a private network.  All traffic that does not match "
"the rules is blocked and logged.  Inclusive firewalls are generally safer "
"than exclusive firewalls because they significantly reduce the risk of "
"allowing unwanted traffic."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:124
msgid ""
"Unless noted otherwise, all configuration and example rulesets in this "
"chapter create inclusive firewall rulesets."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:128
msgid ""
"Security can be tightened further using a \"stateful firewall\".  This type "
"of firewall keeps track of open connections and only allows traffic which "
"either matches an existing connection or opens a new, allowed connection."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:133
msgid ""
"Stateful filtering treats traffic as a bi-directional exchange of packets "
"comprising a session.  When state is specified on a matching rule the "
"firewall dynamically generates internal rules for each anticipated packet "
"being exchanged during the session.  It has sufficient matching capabilities "
"to determine if a packet is valid for a session.  Any packets that do not "
"properly fit the session template are automatically rejected."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:135
msgid "When the session completes, it is removed from the dynamic state table."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:140
msgid ""
"Stateful filtering allows one to focus on blocking/passing new sessions.  If "
"the new session is passed, all its subsequent packets are allowed "
"automatically and any impostor packets are automatically rejected.  If a new "
"session is blocked, none of its subsequent packets are allowed.  Stateful "
"filtering provides advanced matching abilities capable of defending against "
"the flood of different attack methods employed by attackers."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:144
msgid ""
"NAT stands for _Network Address Translation_.  The NAT function enables the "
"private LAN behind the firewall to share a single ISP-assigned IP address, "
"even if that address is dynamically assigned.  NAT allows each computer in "
"the LAN to have Internet access, without having to pay the ISP for multiple "
"Internet accounts or IP addresses."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:147
msgid ""
"NAT will automatically translate the private LAN IP address for each system "
"on the LAN to the single public IP address as packets exit the firewall "
"bound for the public Internet.  It also performs the reverse translation for "
"returning packets."
msgstr ""
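
The stateful filtering and NAT behaviour described in the preceding entries, modelled as an added Python example; it is not part of the Handbook and not FreeBSD project code. It simulates a gateway applying a `nat` rule for `$localnet` together with `block all` and a `keep state` pass rule: the LAN 192.168.100.0/24, the external address 203.0.113.10 and the peer addresses are constructed for the example, the state-table layout and port allocation are deliberate simplifications, and nothing here talks to a real PF.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed address plan for the example: a private LAN behind the gateway and
# a gateway external address taken from the 203.0.113.0/24 documentation range.
LOCALNET = ip_network("192.168.100.0/24")
EXT_ADDR = "203.0.113.10"

# The three RFC 1918 private ranges named in the text.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulNatGateway:
    """Toy model of 'nat on $ext_if from $localnet to any -> ($ext_if)' combined
    with 'block all' and 'pass from $localnet to any keep state'."""

    def __init__(self, first_port: int = 50000):
        self.next_port = first_port
        # state table: (proto, translated source port) -> (lan src, lan sport, peer, peer port)
        self.state: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> Internet: only $localnet may open a session.  Record state and
        rewrite the source to the external address and a fresh port."""
        if ip_address(pkt.src) not in LOCALNET:
            return None                       # block all: not from $localnet
        ext_port = self.next_port
        self.next_port += 1
        self.state[(pkt.proto, ext_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(pkt.proto, EXT_ADDR, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> gateway: pass only packets that fit an existing session
        template, and reverse-translate them to the LAN host."""
        if pkt.dst != EXT_ADDR:
            return None
        entry = self.state.get((pkt.proto, pkt.dport))
        if entry is None:
            return None                       # no state: unsolicited, blocked
        lan_src, lan_sport, peer, peer_port = entry
        if (pkt.src, pkt.sport) != (peer, peer_port):
            return None                       # right port, wrong peer: rejected
        return Packet(pkt.proto, pkt.src, pkt.sport, lan_src, lan_sport)

    def close(self, proto: str, ext_port: int) -> None:
        """Session finished: remove it from the dynamic state table."""
        self.state.pop((proto, ext_port), None)


def walkthrough() -> dict:
    """Run one DNS exchange through the gateway and return the observed results."""
    gw = StatefulNatGateway()
    # 1. A LAN host (constructed) queries a resolver at 198.51.100.53 (documentation range).
    query = Packet("udp", "192.168.100.20", 40123, "198.51.100.53", 53)
    translated = gw.outbound(query)
    # 2. The resolver answers the gateway's external address on the translated port.
    reply = Packet("udp", "198.51.100.53", 53, EXT_ADDR, translated.sport)
    delivered = gw.inbound(reply)
    # 3. Another host sending to the same port has no matching state: blocked.
    probe = Packet("udp", "192.0.2.99", 53, EXT_ADDR, translated.sport)
    blocked = gw.inbound(probe)
    # 4. A source outside $localnet cannot open a session through the gateway.
    stranger = gw.outbound(Packet("udp", "192.0.2.7", 4444, "198.51.100.53", 53))
    # 5. Once the session is closed, even the real peer's packets are dropped.
    gw.close("udp", translated.sport)
    late = gw.inbound(reply)
    return {"translated": translated, "delivered": delivered, "blocked": blocked,
            "stranger": stranger, "late": late}


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name:>10}: {value}")
```

The model keeps one entry per outbound session and makes the reply path depend on that entry only, which is the property the text relies on: a packet that does not fit a recorded session, or arrives after the session has been removed, never reaches the LAN host.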

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:149
msgid ""
"According to RFC 1918, the following IP address ranges are reserved for "
"private networks which will never be routed directly to the public Internet, "
"and therefore are available for use with NAT:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:151
msgid "`10.0.0.0/8`."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:152
msgid "`172.16.0.0/12`."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:153
msgid "`192.168.0.0/16`."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:159
msgid ""
"When working with the firewall rules, be _very careful_.  Some "
"configurations _can lock the administrator out_ of the server.  To be on the "
"safe side, consider performing the initial firewall configuration from the "
"local console rather than doing it remotely over ssh."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/firewalls/_index.adoc:162
#, no-wrap
msgid "PF"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:166
msgid ""
"Since FreeBSD 5.3, a ported version of OpenBSD's PF firewall has been "
"included as an integrated part of the base system.  PF is a complete, full-"
"featured firewall that has optional support for ALTQ (Alternate Queuing), "
"which provides Quality of Service (QoS)."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:169
msgid ""
"The OpenBSD Project maintains the definitive reference for PF in the http://"
"www.openbsd.org/faq/pf/[PF FAQ].  Peter Hansteen maintains a thorough PF "
"tutorial at http://home.nuug.no/\\~peter/pf/[http://home.nuug.no/~peter/pf/]."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:174
msgid ""
"When reading the http://www.openbsd.org/faq/pf/[PF FAQ], keep in mind that "
"FreeBSD's version of PF has diverged substantially from the upstream OpenBSD "
"version over the years.  Not all features work the same way on FreeBSD as "
"they do in OpenBSD and vice versa."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:178
msgid ""
"The {freebsd-pf} is a good place to ask questions about configuring and "
"running the PF firewall.  Check the mailing list archives before asking a "
"question as it may have already been answered."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:182
msgid ""
"This section of the Handbook focuses on PF as it pertains to FreeBSD.  It "
"demonstrates how to enable PF and ALTQ.  It also provides several examples "
"for creating rulesets on a FreeBSD system."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/firewalls/_index.adoc:183
#, no-wrap
msgid "Enabling PF"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:187
msgid ""
"To use PF, its kernel module must be first loaded.  This section describes "
"the entries that can be added to [.filename]#/etc/rc.conf# to enable PF."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:189
msgid "Start by adding `pf_enable=yes` to [.filename]#/etc/rc.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:193
#, no-wrap
msgid "# sysrc pf_enable=yes\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:197
msgid ""
"Additional options, described in man:pfctl[8], can be passed to PF when it "
"is started.  Add or change this entry in [.filename]#/etc/rc.conf# and "
"specify any required flags between the two quotes (`\"\"`):"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:201
#, no-wrap
msgid "pf_flags=\"\"                     # additional flags for pfctl startup\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:207
msgid ""
"PF will not start if it cannot find its ruleset configuration file.  By "
"default, FreeBSD does not ship with a ruleset and there is no [.filename]#/"
"etc/pf.conf#.  Example rulesets can be found in [.filename]#/usr/share/"
"examples/pf/#.  If a custom ruleset has been saved somewhere else, add a "
"line to [.filename]#/etc/rc.conf# which specifies the full path to the file:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:211
#, no-wrap
msgid "pf_rules=\"/path/to/pf.conf\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:215
msgid ""
"Logging support for PF is provided by man:pflog[4].  To enable logging "
"support, add `pflog_enable=yes` to [.filename]#/etc/rc.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:219
#, no-wrap
msgid "# sysrc pflog_enable=yes\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:222
msgid ""
"The following lines can also be added to change the default location of the "
"log file or to specify any additional flags to pass to man:pflog[4] when it "
"is started:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:227
#, no-wrap
msgid ""
"pflog_logfile=\"/var/log/pflog\"  # where pflogd should store the logfile\n"
"pflog_flags=\"\"                  # additional flags for pflogd startup\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:230
msgid ""
"Finally, if there is a LAN behind the firewall and packets need to be "
"forwarded for the computers on the LAN, or NAT is required, enable the "
"following option:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:234
#, no-wrap
msgid "gateway_enable=\"YES\"            # Enable as LAN gateway\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:237
msgid ""
"After saving the needed edits, PF can be started with logging support by "
"typing:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:242
#, no-wrap
msgid ""
"# service pf start\n"
"# service pflog start\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:247
msgid ""
"By default, PF reads its configuration rules from [.filename]#/etc/pf.conf# "
"and modifies, drops, or passes packets according to the rules or definitions "
"specified in this file.  The FreeBSD installation includes several sample "
"files located in [.filename]#/usr/share/examples/pf/#.  Refer to the http://"
"www.openbsd.org/faq/pf/[PF FAQ] for complete coverage of PF rulesets."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:251
msgid ""
"To control PF, use `pfctl`.  crossref:firewalls[pfctl,Useful `pfctl` "
"Options] summarizes some useful options to this command.  Refer to "
"man:pfctl[8] for a description of all available options:"
msgstr ""

#. type: Block title
#: documentation/content/en/books/handbook/firewalls/_index.adoc:252
#, no-wrap
msgid "Useful `pfctl` Options"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/firewalls/_index.adoc:256
#, no-wrap
msgid "Command"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/firewalls/_index.adoc:258
#, no-wrap
msgid "Purpose"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/firewalls/_index.adoc:259
#, no-wrap
msgid "`pfctl -e`"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/firewalls/_index.adoc:261
#, no-wrap
msgid "Enable PF."
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/firewalls/_index.adoc:262
#, no-wrap
msgid "`pfctl -d`"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/firewalls/_index.adoc:264
#, no-wrap
msgid "Disable PF."
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/firewalls/_index.adoc:265
#, no-wrap
msgid "`pfctl -F all -f /etc/pf.conf`"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/firewalls/_index.adoc:267
#, no-wrap
msgid "Flush all NAT, filter, state, and table rules and reload [.filename]#/etc/pf.conf#."
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/firewalls/_index.adoc:267
#, no-wrap
msgid "`pfctl -s [ rules \\| nat \\| states ]`"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/firewalls/_index.adoc:270
#, no-wrap
msgid "Report on the filter rules, NAT rules, or state table."
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/firewalls/_index.adoc:271
#, no-wrap
msgid "`pfctl -vnf /etc/pf.conf`"
msgstr ""

#. type: Table
#: documentation/content/en/books/handbook/firewalls/_index.adoc:272
#, no-wrap
msgid "Check [.filename]#/etc/pf.conf# for errors, but do not load ruleset."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:278
msgid ""
"package:security/sudo[] is useful for running commands like `pfctl` that "
"require elevated privileges.  It can be installed from the Ports Collection."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:282
msgid ""
"To keep an eye on the traffic that passes through the PF firewall, consider "
"installing the package:sysutils/pftop[] package or port.  Once installed, "
"pftop can be run to view a running snapshot of traffic in a format which is "
"similar to man:top[1]."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/firewalls/_index.adoc:284
#, no-wrap
msgid "PF Rulesets"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:288
msgid ""
"This section demonstrates how to create a customized ruleset.  It starts "
"with the simplest of rulesets and builds upon its concepts using several "
"examples to demonstrate real-world usage of PF's many features."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:291
msgid ""
"The simplest possible ruleset is for a single machine that does not run any "
"services and which needs access to one network, which may be the Internet.  "
"To create this minimal ruleset, edit [.filename]#/etc/pf.conf# so it looks "
"like this:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:296
#, no-wrap
msgid ""
"block in all\n"
"pass out all keep state\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:302
msgid ""
"The first rule denies all incoming traffic by default.  The second rule "
"allows connections created by this system to pass out, while retaining state "
"information on those connections.  This state information allows return "
"traffic for those connections to pass back and should only be used on "
"machines that can be trusted.  The ruleset can be loaded with:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:306
#, no-wrap
msgid "# pfctl -e ; pfctl -f /etc/pf.conf\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:311
msgid ""
"In addition to keeping state, PF provides _lists_ and _macros_ which can be "
"defined for use when creating rules.  Macros can include lists and need to "
"be defined before use.  As an example, insert these lines at the very top of "
"the ruleset:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:316
#, no-wrap
msgid ""
"tcp_services = \"{ ssh, smtp, domain, www, pop3, auth, pop3s }\"\n"
"udp_services = \"{ domain }\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:323
msgid ""
"PF understands port names as well as port numbers, as long as the names are "
"listed in [.filename]#/etc/services#.  This example creates two macros.  The "
"first is a list of seven TCP port names and the second is one UDP port "
"name.  Once defined, macros can be used in rules.  In this example, all "
"traffic is blocked except for the connections initiated by this system for "
"the seven specified TCP services and the one specified UDP service:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:331
#, no-wrap
msgid ""
"tcp_services = \"{ ssh, smtp, domain, www, pop3, auth, pop3s }\"\n"
"udp_services = \"{ domain }\"\n"
"block all\n"
"pass out proto tcp to any port $tcp_services keep state\n"
"pass out proto udp to any port $udp_services keep state\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:335
msgid ""
"Even though UDP is considered to be a stateless protocol, PF is able to "
"track some state information.  For example, when a UDP request is passed "
"which asks a name server about a domain name, PF will watch for the response "
"to pass it back."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:337
msgid ""
"Whenever an edit is made to a ruleset, the new rules must be loaded so they "
"can be used:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:341
#: documentation/content/en/books/handbook/firewalls/_index.adoc:559
#, no-wrap
msgid "# pfctl -f /etc/pf.conf\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:345
msgid ""
"If there are no syntax errors, `pfctl` will not output any messages during "
"the rule load.  Rules can also be tested before attempting to load them:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:349
#, no-wrap
msgid "# pfctl -nf /etc/pf.conf\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:354
msgid ""
"Including `-n` causes the rules to be interpreted only, but not loaded.  "
"This provides an opportunity to correct any errors.  At all times, the last "
"valid ruleset loaded will be enforced until either PF is disabled or a new "
"ruleset is loaded."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:359
msgid ""
"Adding `-v` to a `pfctl` ruleset verify or load will display the fully "
"parsed rules exactly the way they will be loaded.  This is extremely useful "
"when debugging rules."
msgstr ""
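
How PF macros and `{ }` lists expand into individual rules (the "PF understands port names" entries above), and what a parse-only check in the spirit of `pfctl -nf` reports (the `-n` and `-v` entries just above), as an added Python example. This is not PF's parser and not FreeBSD project code: the services table is a constructed excerpt standing in for [.filename]#/etc/services#, and the expanded rule text is this example's own format rather than `pfctl -v` output.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of /etc/services (name -> port) so the example runs offline.
SERVICES: Dict[str, int] = {"ssh": 22, "smtp": 25, "domain": 53, "www": 80,
                            "pop3": 110, "auth": 113, "pop3s": 995}

# The macro-based ruleset from the text.
RULESET = """\
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
udp_services = "{ domain }"
block all
pass out proto tcp to any port $tcp_services keep state
pass out proto udp to any port $udp_services keep state
"""

MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"(.*)"$')
MACRO_REF = re.compile(r"\$(\w+)")
LIST = re.compile(r"\{([^}]*)\}")
PORT = re.compile(r"\bport (\S+)")


def resolve_ports(rule: str) -> str:
    """Turn 'port name' into 'port number' via the services table; numbers pass through."""
    def sub(m):
        name = m.group(1)
        if name.isdigit():
            return f"port {name}"
        if name not in SERVICES:
            raise ValueError(f"unknown service name '{name}'")
        return f"port {SERVICES[name]}"
    return PORT.sub(sub, rule)


def expand_lists(rule: str) -> List[str]:
    """Expand each { a, b, ... } into one rule per element; nested lists give the product."""
    m = LIST.search(rule)
    if m is None:
        return [resolve_ports(rule)]
    items = [i for i in re.split(r"[\s,]+", m.group(1).strip()) if i]
    expanded: List[str] = []
    for item in items:
        expanded.extend(expand_lists(rule[:m.start()] + item + rule[m.end():]))
    return expanded


def expand_ruleset(text: str) -> List[str]:
    """Record macro definitions in order, substitute $macro references, then expand lists."""
    macros: Dict[str, str] = {}
    rules: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)   # a macro must be defined before it is used
            continue

        def sub(ref):
            name = ref.group(1)
            if name not in macros:
                raise ValueError(f"macro '{name}' not defined")
            return macros[name]

        rules.extend(expand_lists(MACRO_REF.sub(sub, line)))
    return rules


def check_ruleset(text: str) -> Tuple[bool, str]:
    """Parse-only check in the spirit of 'pfctl -nf': (ok, message); nothing is loaded."""
    try:
        rules = expand_ruleset(text)
    except ValueError as err:
        return False, str(err)
    return True, f"{len(rules)} rules after expansion"


if __name__ == "__main__":
    for rule in expand_ruleset(RULESET):
        print(rule)
```

Running it prints nine rules: the single `block all`, one TCP rule per name in `$tcp_services`, and one UDP rule for `domain`, which is the shape `pfctl -vnf` lets you confirm before a ruleset is loaded. A reference to an undefined macro is reported as an error instead of silently matching nothing.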

#. type: Title ====
#: documentation/content/en/books/handbook/firewalls/_index.adoc:362
#, no-wrap
msgid "A Simple Gateway with NAT"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:367
msgid ""
"This section demonstrates how to configure a FreeBSD system running PF to "
"act as a gateway for at least one other machine.  The gateway needs at least "
"two network interfaces, each connected to a separate network.  In this "
"example, [.filename]#xl0# is connected to the Internet and [.filename]#xl1# "
"is connected to the internal network."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:370
msgid ""
"First, enable the gateway to let the machine forward the network traffic it "
"receives on one interface to another interface.  This sysctl setting will "
"forward IPv4 packets:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:374
#, no-wrap
msgid "# sysctl net.inet.ip.forwarding=1\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:377
msgid "To forward IPv6 traffic, use:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:381
#, no-wrap
msgid "# sysctl net.inet6.ip6.forwarding=1\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:384
msgid ""
"To enable these settings at system boot, use man:sysrc[8] to add them to "
"[.filename]#/etc/rc.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:389
#, no-wrap
msgid ""
"# sysrc gateway_enable=yes\n"
"# sysrc ipv6_gateway_enable=yes\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:392
msgid "Verify with `ifconfig` that both of the interfaces are up and running."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:395
msgid ""
"Next, create the PF rules to allow the gateway to pass traffic.  While the "
"following rule allows stateful traffic from hosts of the internal network to "
"pass to the gateway, the `to` keyword does not guarantee passage all the way "
"from source to destination:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:399
#, no-wrap
msgid "pass in on xl1 from xl1:network to xl0:network port $ports keep state\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:403
msgid ""
"That rule only lets the traffic pass in to the gateway on the internal "
"interface.  To let the packets go further, a matching rule is needed:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:407
#, no-wrap
msgid "pass out on xl0 from xl1:network to xl0:network port $ports keep state\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:413
msgid ""
"While these two rules will work, rules this specific are rarely needed.  For "
"a busy network admin, a readable ruleset is a safer ruleset.  The remainder "
"of this section demonstrates how to keep the rules as simple as possible for "
"readability.  For example, those two rules could be replaced with one rule:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:417
#, no-wrap
msgid "pass from xl1:network to any port $ports keep state\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:422
msgid ""
"The `interface:network` notation can be replaced with a macro to make the "
"ruleset even more readable.  For example, a `$localnet` macro could be "
"defined as the network directly attached to the internal interface "
"(`$xl1:network`).  Alternatively, the definition of `$localnet` could be "
"changed to an _IP address/netmask_ notation to denote a network, such as "
"`192.168.100.1/24` for a subnet of private addresses."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:425
msgid ""
"If required, `$localnet` could even be defined as a list of networks.  "
"Whatever the specific needs, a sensible `$localnet` definition could be used "
"in a typical pass rule as follows:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:429
#, no-wrap
msgid "pass from $localnet to any port $ports keep state\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:433
msgid ""
"The following sample ruleset allows all traffic initiated by machines on the "
"internal network.  It first defines two macros to represent the external and "
"internal 3COM interfaces of the gateway."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:438
msgid ""
"For dialup users, the external interface will use [.filename]#tun0#.  For an "
"ADSL connection, specifically those using PPP over Ethernet (PPPoE), the "
"correct external interface is [.filename]#tun0#, not the physical Ethernet "
"interface."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:449
#, no-wrap
msgid ""
"ext_if = \"xl0\"\t# macro for external interface - use tun0 for PPPoE\n"
"int_if = \"xl1\"\t# macro for internal interface\n"
"localnet = $int_if:network\n"
"# ext_if IP address could be dynamic, hence ($ext_if)\n"
"nat on $ext_if from $localnet to any -> ($ext_if)\n"
"block all\n"
"pass from { lo0, $localnet } to any keep state\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:454
msgid ""
"This ruleset introduces the `nat` rule which is used to handle the network "
"address translation from the non-routable addresses inside the internal "
"network to the IP address assigned to the external interface.  The "
"parentheses around the last part of the nat rule, `($ext_if)`, are "
"included when the IP address of the external interface is dynamically "
"assigned.  This ensures that network traffic runs without serious "
"interruptions even if the external IP address changes."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:457
msgid ""
"Note that this ruleset probably allows more traffic to pass out of the "
"network than is needed.  One reasonable setup could create this macro:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:462
#, no-wrap
msgid ""
"client_out = \"{ ftp-data, ftp, ssh, domain, pop3, auth, nntp, http, \\\n"
"    https, cvspserver, 2628, 5999, 8000, 8080 }\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:465
msgid "to use in the main pass rule:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:470
#, no-wrap
msgid ""
"pass inet proto tcp from $localnet to any port $client_out \\\n"
"    flags S/SA keep state\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:474
msgid ""
"A few other pass rules may be needed.  This one enables SSH on the external "
"interface:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:478
#, no-wrap
msgid "pass in inet proto tcp to $ext_if port ssh\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:481
msgid "This macro definition and rule allow DNS and NTP for internal clients:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:486
#, no-wrap
msgid ""
"udp_services = \"{ domain, ntp }\"\n"
"pass quick inet proto { tcp, udp } to any port $udp_services keep state\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:494
msgid ""
"Note the `quick` keyword in this rule.  Since the ruleset consists of "
"several rules, it is important to understand the relationships between the "
"rules in a ruleset.  Rules are evaluated from top to bottom, in the sequence "
"they are written.  For each packet or connection evaluated by PF, _the last "
"matching rule_ in the ruleset is the one which is applied.  However, when a "
"packet matches a rule which contains the `quick` keyword, the rule "
"processing stops and the packet is treated according to that rule.  This is "
"very useful when an exception to the general rules is needed."
msgstr ""

#. type: Title ====
#: documentation/content/en/books/handbook/firewalls/_index.adoc:496
#, no-wrap
msgid "Creating an FTP Proxy"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:501
msgid ""
"Configuring working FTP rules can be problematic due to the nature of the "
"FTP protocol.  FTP pre-dates firewalls by several decades and is insecure in "
"its design.  The most common points against using FTP include:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:503
msgid "Passwords are transferred in the clear."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:504
msgid ""
"The protocol demands the use of at least two TCP connections (control and "
"data) on separate ports."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:505
msgid ""
"When a session is established, data is communicated using randomly selected "
"ports."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:508
msgid ""
"All of these points present security challenges, even before considering any "
"potential security weaknesses in client or server software.  More secure "
"alternatives for file transfer exist, such as man:sftp[1] or man:scp[1], "
"which both feature authentication and data transfer over encrypted "
"connections."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:511
msgid ""
"For those situations when FTP is required, PF provides redirection of FTP "
"traffic to a small proxy program called man:ftp-proxy[8], which is included "
"in the base system of FreeBSD.  The role of the proxy is to dynamically "
"insert and delete rules in the ruleset, using a set of anchors, to correctly "
"handle FTP traffic."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:513
msgid "To enable the FTP proxy, add this line to [.filename]#/etc/rc.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:517
#, no-wrap
msgid "ftpproxy_enable=\"YES\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:520
msgid "Then start the proxy by running:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:524
#, no-wrap
msgid "# service ftp-proxy start\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:528
msgid ""
"For a basic configuration, three elements need to be added to [.filename]#/"
"etc/pf.conf#.  First, the anchors which the proxy will use to insert the "
"rules it generates for the FTP sessions:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:533
#, no-wrap
msgid ""
"nat-anchor \"ftp-proxy/*\"\n"
"rdr-anchor \"ftp-proxy/*\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:536
msgid "Second, a pass rule is needed to allow FTP traffic in to the proxy."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:539
msgid ""
"Third, redirection and NAT rules need to be defined before the filtering "
"rules.  Insert this `rdr` rule immediately after the `nat` rule:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:543
#, no-wrap
msgid "rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:546
msgid "Finally, allow the redirected traffic to pass:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:550
#, no-wrap
msgid "pass out proto tcp from $proxy to any port ftp\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:553
msgid "where `$proxy` expands to the address the proxy daemon is bound to."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:555
msgid ""
"Save [.filename]#/etc/pf.conf#, load the new rules, and verify from a client "
"that FTP connections are working:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:565
msgid ""
"This example covers a basic setup where the clients in the local network "
"need to contact FTP servers elsewhere.  This basic configuration should work "
"well with most combinations of FTP clients and servers.  As shown in man:ftp-"
"proxy[8], the proxy's behavior can be changed in various ways by adding "
"options to the `ftpproxy_flags=` line.  Some clients or servers may have "
"specific quirks that must be compensated for in the configuration, or there "
"may be a need to integrate the proxy in specific ways such as assigning FTP "
"traffic to a specific queue."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:567
msgid ""
"For ways to run an FTP server protected by PF and man:ftp-proxy[8], "
"configure a separate `ftp-proxy` in reverse mode, using `-R`, on a separate "
"port with its own redirecting pass rule."
msgstr ""

#. type: Title ====
#: documentation/content/en/books/handbook/firewalls/_index.adoc:569
#, no-wrap
msgid "Managing ICMP"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:572
msgid ""
"Many of the tools used for debugging or troubleshooting a TCP/IP network "
"rely on the Internet Control Message Protocol (ICMP), which was designed "
"specifically with debugging in mind."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:575
msgid ""
"The ICMP protocol sends and receives _control messages_ between hosts and "
"gateways, mainly to provide feedback to a sender about any unusual or "
"difficult conditions en route to the target host.  Routers use ICMP to "
"negotiate packet sizes and other transmission parameters in a process often "
"referred to as _path MTU discovery_."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:579
msgid ""
"From a firewall perspective, some ICMP control messages are vulnerable to "
"known attack vectors.  Also, letting all diagnostic traffic pass "
"unconditionally makes debugging easier, but it also makes it easier for "
"others to extract information about the network.  For these reasons, the "
"following rule may not be optimal:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:583
#, no-wrap
msgid "pass inet proto icmp from any to any\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:586
msgid ""
"One solution is to let all ICMP traffic from the local network through while "
"stopping all probes from outside the network:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:591
#, no-wrap
msgid ""
"pass inet proto icmp from $localnet to any keep state\n"
"pass inet proto icmp from any to $ext_if keep state\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:596
msgid ""
"Additional options are available which demonstrate some of PF's "
"flexibility.  For example, rather than allowing all ICMP messages, one can "
"specify the messages used by man:ping[8] and man:traceroute[8].  Start by "
"defining a macro for that type of message:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:600
#, no-wrap
msgid "icmp_types = \"echoreq\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:603
msgid "and a rule which uses the macro:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:607
#: documentation/content/en/books/handbook/firewalls/_index.adoc:647
#, no-wrap
msgid "pass inet proto icmp all icmp-type $icmp_types keep state\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:612
msgid ""
"If other types of ICMP packets are needed, expand `icmp_types` to a list of "
"those packet types.  Type `more /usr/src/sbin/pfctl/pfctl_parser.c` to see "
"the list of ICMP message types supported by PF.  Refer to http://"
"www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml[http://"
"www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml] for an "
"explanation of each message type."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:614
msgid ""
"Since Unix `traceroute` uses UDP by default, another rule is needed to allow "
"Unix `traceroute`:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:619
#, no-wrap
msgid ""
"# allow out the default range for traceroute(8):\n"
"pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:624
msgid ""
"Since `TRACERT.EXE` on Microsoft Windows systems uses ICMP echo request "
"messages, only the first rule is needed to allow network traces from those "
"systems.  Unix `traceroute` can be instructed to use other protocols as "
"well, and will use ICMP echo request messages if `-I` is used.  Check the "
"man:traceroute[8] man page for details."
msgstr ""

#. type: Title =====
#: documentation/content/en/books/handbook/firewalls/_index.adoc:626
#, no-wrap
msgid "Path MTU Discovery"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:631
msgid ""
"Internet protocols are designed to be device independent, and one "
"consequence of device independence is that the optimal packet size for a "
"given connection cannot always be predicted reliably.  The main constraint "
"on packet size is the _Maximum Transmission Unit_ (MTU) which sets the upper "
"limit on the packet size for an interface.  Type `ifconfig` to view the MTUs "
"for a system's network interfaces."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:636
msgid ""
"TCP/IP uses a process known as path MTU discovery to determine the right "
"packet size for a connection.  This process sends packets of varying sizes "
"with the \"Do not fragment\" flag set, expecting an ICMP return packet of "
"\"type 3, code 4\" when the upper limit has been reached.  Type 3 means "
"\"destination unreachable\", and code 4 is short for \"fragmentation needed, "
"but the do-not-fragment flag is set\".  To allow path MTU discovery in order "
"to support connections to other MTUs, add the `destination unreachable` type "
"to the `icmp_types` macro:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:640
#, no-wrap
msgid "icmp_types = \"{ echoreq, unreach }\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:643
msgid ""
"Since the pass rule already uses that macro, it does not need to be modified "
"to support the new ICMP type:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:651
msgid ""
"PF allows filtering on all variations of ICMP types and codes.  The list of "
"possible types and codes is documented in man:icmp[4] and man:icmp6[4]."
msgstr ""

#. type: Title ====
#: documentation/content/en/books/handbook/firewalls/_index.adoc:653
#, no-wrap
msgid "Using Tables"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:658
msgid ""
"Some types of data are relevant to filtering and redirection at a given "
"time, but their definition is too long to be included in the ruleset file.  "
"PF supports the use of tables, which are defined lists that can be "
"manipulated without needing to reload the entire ruleset, and which can "
"provide fast lookups.  Table names are always enclosed within `< >`, like "
"this:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:662
#, no-wrap
msgid "table <clients> { 192.168.2.0/24, !192.168.2.5 }\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:666
msgid ""
"In this example, the `192.168.2.0/24` network is part of the table, except "
"for the address `192.168.2.5`, which is excluded using the `!` operator.  It "
"is also possible to load tables from files where each item is on a separate "
"line, as seen in this example [.filename]#/etc/clients#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:671
#, no-wrap
msgid ""
"192.168.2.0/24\n"
"!192.168.2.5\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:674
msgid "To refer to the file, define the table like this:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:678
#, no-wrap
msgid "table <clients> persist file \"/etc/clients\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:681
msgid "Once the table is defined, it can be referenced by a rule:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:685
#, no-wrap
msgid "pass inet proto tcp from <clients> to any port $client_out flags S/SA keep state\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:689
msgid ""
"A table's contents can be manipulated live, using `pfctl`.  This example "
"adds another network to the table:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:693
#, no-wrap
msgid "# pfctl -t clients -T add 192.168.1.0/16\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:699
msgid ""
"Note that any changes made this way take effect immediately, making them "
"ideal for testing, but they will not survive a power failure or reboot.  To "
"make the changes permanent, modify the definition of the table in the "
"ruleset or edit the file that the table refers to.  One can maintain the "
"on-disk copy of the table using a man:cron[8] job which dumps the table's "
"contents to disk at regular intervals, using a command such as `pfctl -t "
"clients -T show >/etc/clients`.  Alternatively, [.filename]#/etc/clients# "
"can be updated with the in-memory table contents:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:703
#, no-wrap
msgid "# pfctl -t clients -T replace -f /etc/clients\n"
msgstr ""

#. type: Title ====
#: documentation/content/en/books/handbook/firewalls/_index.adoc:706
#, no-wrap
msgid "Using Overload Tables to Protect SSH"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:709
msgid ""
"Those who run SSH on an external interface have probably seen something like "
"this in the authentication logs:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:718
#, no-wrap
msgid ""
"Sep 26 03:12:34 skapet sshd[25771]: Failed password for root from 200.72.41.31 port 40992 ssh2\n"
"Sep 26 03:12:34 skapet sshd[5279]: Failed password for root from 200.72.41.31 port 40992 ssh2\n"
"Sep 26 03:12:35 skapet sshd[5279]: Received disconnect from 200.72.41.31: 11: Bye Bye\n"
"Sep 26 03:12:44 skapet sshd[29635]: Invalid user admin from 200.72.41.31\n"
"Sep 26 03:12:44 skapet sshd[24703]: input_userauth_request: invalid user admin\n"
"Sep 26 03:12:44 skapet sshd[24703]: Failed password for invalid user admin from 200.72.41.31 port 41484 ssh2\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:721
msgid ""
"This is indicative of a brute force attack where somebody or some program is "
"trying to discover the user name and password which will let them into the "
"system."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:726
msgid ""
"If external SSH access is needed for legitimate users, changing the default "
"port used by SSH can offer some protection.  However, PF provides a more "
"elegant solution.  Pass rules can contain limits on what connecting hosts "
"can do and violators can be banished to a table of addresses which are "
"denied some or all access.  It is even possible to drop all existing "
"connections from machines which overreach the limits."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:728
msgid ""
"To configure this, create this table in the tables section of the ruleset:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:732
#, no-wrap
msgid "table <bruteforce> persist\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:735
msgid ""
"Then, somewhere early in the ruleset, add rules to block brute-force access "
"while allowing legitimate access:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:743
#, no-wrap
msgid ""
"block quick from <bruteforce>\n"
"pass inet proto tcp from any to $localnet port $tcp_services \\\n"
"    flags S/SA keep state \\\n"
"    (max-src-conn 100, max-src-conn-rate 15/5, \\\n"
"    overload <bruteforce> flush global)\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:747
msgid ""
"The part in parentheses defines the limits, and the numbers should be "
"changed to meet local requirements.  It can be read as follows:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:749
msgid ""
"`max-src-conn` is the number of simultaneous connections allowed from one "
"host."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:751
msgid ""
"`max-src-conn-rate` is the rate of new connections allowed from any single "
"host (_15_) per number of seconds (_5_)."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:754
msgid ""
"`overload <bruteforce>` means that any host which exceeds these limits gets "
"its address added to the `bruteforce` table.  The ruleset blocks all traffic "
"from addresses in the `bruteforce` table."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:756
msgid ""
"Finally, `flush global` says that when a host reaches the limit, all "
"(`global`) of that host's connections will be terminated (`flush`)."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:760
msgid ""
"These rules will _not_ block slow bruteforcers, as described in http://"
"home.nuug.no/\\~peter/hailmary2013/[http://home.nuug.no/~peter/"
"hailmary2013/]."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:764
msgid ""
"This example ruleset is intended mainly as an illustration.  For example, if "
"a generous number of connections in general are wanted, but the desire is to "
"be more restrictive when it comes to ssh, supplement the rule above with "
"something like the one below, early on in the ruleset:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:771
#, no-wrap
msgid ""
"pass quick proto { tcp, udp } from any to any port ssh \\\n"
"    flags S/SA keep state \\\n"
"    (max-src-conn 15, max-src-conn-rate 5/3, \\\n"
"    overload <bruteforce> flush global)\n"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:776
#, no-wrap
msgid "*It May Not be Necessary to Block All Overloaders:* +\n"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:778
msgid ""
"It is worth noting that the overload mechanism is a general technique which "
"does not apply exclusively to SSH, and it is not always optimal to entirely "
"block all traffic from offenders."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:780
msgid ""
"For example, an overload rule could be used to protect a mail service or a "
"web service, and the overload table could be used in a rule to assign "
"offenders to a queue with a minimal bandwidth allocation or to redirect to a "
"specific web page."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:784
msgid ""
"Over time, tables will be filled by overload rules and their size will grow "
"incrementally, taking up more memory.  Sometimes an IP address that is "
"blocked is a dynamically assigned one, which has since been assigned to a "
"host that has a legitimate reason to communicate with hosts in the local "
"network."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:787
msgid ""
"For situations like these, pfctl provides the ability to expire table "
"entries.  For example, this command will remove `<bruteforce>` table entries "
"which have not been referenced for `86400` seconds:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:791
#, no-wrap
msgid "# pfctl -t bruteforce -T expire 86400\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:794
msgid ""
"Similar functionality is provided by package:security/expiretable[], which "
"removes table entries which have not been accessed for a specified period of "
"time."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:797
msgid ""
"Once installed, expiretable can be run to remove `<bruteforce>` table "
"entries older than a specified age.  This example removes all entries older "
"than 24 hours:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:801
#, no-wrap
msgid "/usr/local/sbin/expiretable -v -d -t 24h bruteforce\n"
msgstr ""

#. type: Title ====
#: documentation/content/en/books/handbook/firewalls/_index.adoc:804
#, no-wrap
msgid "Protecting Against SPAM"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:808
msgid ""
"Not to be confused with the spamd daemon which comes bundled with "
"spamassassin, package:mail/spamd[] can be configured with PF to provide an "
"outer defense against SPAM.  This spamd hooks into the PF configuration "
"using a set of redirections."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:810
msgid ""
"Spammers tend to send a large number of messages, and SPAM is mainly sent "
"from a few spammer-friendly networks and a large number of hijacked "
"machines, both of which are reported to _blocklists_ fairly quickly."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:814
msgid ""
"When an SMTP connection from an address in a blocklist is received, spamd "
"presents its banner and immediately switches to a mode where it answers SMTP "
"traffic one byte at a time.  This technique, which is intended to waste as "
"much time as possible on the spammer's end, is called _tarpitting_.  The "
"specific implementation which uses one byte SMTP replies is often referred "
"to as _stuttering_."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:817
msgid ""
"This example demonstrates the basic procedure for setting up spamd with "
"automatically updated blocklists.  Refer to the man pages which are "
"installed with package:mail/spamd[] for more information."
msgstr ""

#. type: Block title
#: documentation/content/en/books/handbook/firewalls/_index.adoc:820
#, no-wrap
msgid "Procedure: Configuring spamd"
msgstr ""

#. type: delimited block * 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:822
msgid ""
"Install the package:mail/spamd[] package or port. To use spamd's greylisting "
"features, man:fdescfs[5] must be mounted at [.filename]#/dev/fd#. Add the "
"following line to [.filename]#/etc/fstab#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:826
#, no-wrap
msgid " fdescfs /dev/fd fdescfs rw 0 0\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:829
msgid "Then, mount the filesystem:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:833
#, no-wrap
msgid "#  mount fdescfs\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:836
msgid "Next, edit the PF ruleset to include:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:845
#, no-wrap
msgid ""
"table <spamd> persist\n"
"table <spamd-white> persist\n"
"rdr pass on $ext_if inet proto tcp from <spamd> to \\\n"
"    { $ext_if, $localnet } port smtp -> 127.0.0.1 port 8025\n"
"rdr pass on $ext_if inet proto tcp from !<spamd-white> to \\\n"
"    { $ext_if, $localnet } port smtp -> 127.0.0.1 port 8025\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:849
msgid ""
"The two tables `<spamd>` and `<spamd-white>` are essential.  SMTP traffic "
"from an address listed in `<spamd>` but not in `<spamd-white>` is redirected "
"to the spamd daemon listening at port 8025."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:850
msgid ""
"The next step is to configure spamd in [.filename]#/usr/local/etc/"
"spamd.conf# and to add some [.filename]#rc.conf# parameters."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:853
msgid ""
"The installation of package:mail/spamd[] includes a sample configuration "
"file ([.filename]#/usr/local/etc/spamd.conf.sample#) and a man page for "
"[.filename]#spamd.conf#.  Refer to these for additional configuration "
"options beyond those shown in this example."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:855
msgid ""
"One of the first lines in the configuration file that does not begin with a "
"`+#+` comment sign contains the block which defines the `all` list, which "
"specifies the lists to use:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:860
#, no-wrap
msgid ""
"all:\\\n"
"    :traplist:allowlist:\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:863
msgid ""
"This entry adds the desired blocklists, separated by colons (`:`).  To use "
"an allowlist to subtract addresses from a blocklist, add the name of the "
"allowlist _immediately_ after the name of that blocklist. For example: "
"`:blocklist:allowlist:`."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:865
msgid "This is followed by the specified blocklist's definition:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:873
#, no-wrap
msgid ""
"traplist:\\\n"
"    :black:\\\n"
"    :msg=\"SPAM. Your address %A has sent spam within the last 24 hours\":\\\n"
"    :method=http:\\\n"
"    :file=www.openbsd.org/spamd/traplist.gz\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:879
msgid ""
"where the first line is the name of the blocklist and the second line "
"specifies the list type.  The `msg` field contains the message to display to "
"blocklisted senders during the SMTP dialogue.  The `method` field specifies "
"how spamd-setup fetches the list data; supported methods are `http`, `ftp`, "
"from a `file` in a mounted file system, and via `exec` of an external "
"program.  Finally, the `file` field specifies the name of the file spamd "
"expects to receive."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:881
msgid ""
"The definition of the specified allowlist is similar, but omits the `msg` "
"field since a message is not needed:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:888
#, no-wrap
msgid ""
"allowlist:\\\n"
"    :white:\\\n"
"    :method=file:\\\n"
"    :file=/var/mail/allowlist.txt\n"
msgstr ""
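The `all` entry semantics described above (a `white` list subtracts only from the `black` list it immediately follows) and the termcap-style list definitions, as an added Python example that is not the Handbook's or spamd's own code: it parses this format and resolves the effective blocklists. The sample configuration and address data are constructed, and network fetching is replaced by an in-memory dict so it runs offline.

```python
"""Parse the termcap-style spamd.conf format shown above and resolve its `all`
entry: a `white` list named immediately after a `black` list is subtracted from
that blocklist.  Added example, not FreeBSD Handbook or spamd code; fetching is
replaced by an in-memory dict (SAMPLE_SOURCES) so it runs offline."""

# Constructed sample configuration in the format shown in the Handbook.
SAMPLE_CONF = r'''
# lines starting with '#' and blank lines are ignored
all:\
    :traplist:allowlist:

traplist:\
    :black:\
    :msg="SPAM. Your address %A has sent spam within the last 24 hours":\
    :method=http:\
    :file=www.openbsd.org/spamd/traplist.gz

allowlist:\
    :white:\
    :method=file:\
    :file=/var/mail/allowlist.txt
'''

# Constructed stand-in for what spamd-setup would fetch via http/ftp/file/exec.
SAMPLE_SOURCES = {
    "www.openbsd.org/spamd/traplist.gz": "198.51.100.7\n203.0.113.0/24\n192.0.2.44\n",
    "/var/mail/allowlist.txt": "192.0.2.44\n",
}


def _logical_lines(text):
    """Join backslash-continued lines; skip blank lines and '#' comments."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _split_fields(body):
    """Split on ':' outside double quotes, dropping empty fields."""
    fields, cur, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        elif ch == ":" and not quoted:
            fields.append(cur)
            cur = ""
            continue
        cur += ch
    fields.append(cur)
    return [f for f in fields if f]


def parse_spamd_conf(text):
    """Return {"all": [names...], name: {"type": black|white, "msg": ..., "method": ..., "file": ...}}."""
    entries = {}
    for line in _logical_lines(text):
        name, _, body = line.partition(":")
        fields = _split_fields(body)
        if name == "all":
            entries["all"] = fields
            continue
        entry = {"type": None}
        for field in fields:
            if field in ("black", "white"):
                entry["type"] = field
            elif "=" in field:
                key, _, value = field.partition("=")
                entry[key] = value.strip('"')
        entries[name] = entry
    return entries


def resolve_all(entries, sources):
    """Walk the `all` list in order.  Each black list contributes its addresses
    minus those of a white list that *immediately* follows it; a white list
    elsewhere in `all` subtracts nothing.  Returns {blocklist: set(addresses)}."""
    order = entries["all"]
    blocked = {}
    for i, name in enumerate(order):
        if entries[name]["type"] != "black":
            continue
        addrs = set(sources.get(entries[name]["file"], "").split())
        if i + 1 < len(order) and entries[order[i + 1]]["type"] == "white":
            addrs -= set(sources.get(entries[order[i + 1]]["file"], "").split())
        blocked[name] = addrs
    return blocked


def smtp_message(entry, sender_ip):
    """Expand the %A placeholder of a blocklist's `msg` for one sender."""
    return entry["msg"].replace("%A", sender_ip)
```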

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:893
#, no-wrap
msgid "*Choose Data Sources with Care:* +\n"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:896
msgid ""
"Using all the blocklists in the sample [.filename]#spamd.conf# will block "
"large blocks of the Internet.  Administrators need to edit the file to "
"create an optimal configuration which uses applicable data sources and, when "
"necessary, uses custom lists."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:900
msgid ""
"Next, add this entry to [.filename]#/etc/rc.conf#.  Additional flags are "
"described in the man page specified by the comment:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:904
#, no-wrap
msgid "spamd_flags=\"-v\" # use \"\" and see spamd-setup(8) for flags\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:908
msgid ""
"When finished, reload the ruleset, start spamd by typing `service obspamd "
"start`, and complete the configuration using `spamd-setup`.  Finally, create "
"a man:cron[8] job which calls `spamd-setup` to update the tables at "
"reasonable intervals."
msgstr ""

#. type: delimited block * 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:911
msgid ""
"On a typical gateway in front of a mail server, hosts will start getting "
"trapped within a few seconds to several minutes."
msgstr ""

#. type: delimited block * 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:915
msgid ""
"PF also supports _greylisting_, which temporarily rejects messages from "
"unknown hosts with _45n_ codes.  Messages from greylisted hosts which try "
"again within a reasonable time are let through.  Traffic from senders which "
"are set up to behave within the limits set by RFC 1123 and RFC 2821 are "
"immediately let through."
msgstr ""

#. type: delimited block * 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:919
msgid ""
"More information about greylisting as a technique can be found at the http://"
"www.greylisting.org/[greylisting.org] web site.  The most amazing thing "
"about greylisting, apart from its simplicity, is that it still works.  "
"Spammers and malware writers have been very slow to adapt to bypass this "
"technique."
msgstr ""

#. type: delimited block * 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:921
msgid "The basic procedure for configuring greylisting is as follows:"
msgstr ""

#. type: Block title
#: documentation/content/en/books/handbook/firewalls/_index.adoc:923
#, no-wrap
msgid "Procedure: Configuring Greylisting"
msgstr ""

#. type: delimited block * 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:925
msgid ""
"Make sure that man:fdescfs[5] is mounted as described in Step 1 of the "
"previous Procedure."
msgstr ""

#. type: delimited block * 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:926
msgid ""
"To run spamd in greylisting mode, add this line to [.filename]#/etc/rc.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:930
#, no-wrap
msgid "spamd_grey=\"YES\"  # use spamd greylisting if YES\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:933
msgid ""
"Refer to the spamd man page for descriptions of additional related "
"parameters."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:934
msgid "To complete the greylisting setup:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:939
#, no-wrap
msgid ""
"#  service obspamd restart\n"
"#  service obspamlogd start\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:943
msgid ""
"Behind the scenes, the spamdb database tool and the spamlogd whitelist "
"updater perform essential functions for the greylisting feature.  spamdb is "
"the administrator's main interface to managing the block, grey, and allow "
"lists via the contents of the [.filename]#/var/db/spamdb# database."
msgstr ""

#. type: Title ====
#: documentation/content/en/books/handbook/firewalls/_index.adoc:945
#, no-wrap
msgid "Network Hygiene"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:948
msgid ""
"This section describes how `block-policy`, `scrub`, and `antispoof` can be "
"used to make the ruleset behave sanely."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:952
msgid ""
"The `block-policy` is an option which can be set in the `options` part of "
"the ruleset, which precedes the redirection and filtering rules.  This "
"option determines which feedback, if any, PF sends to hosts that are blocked "
"by a rule.  The option has two possible values: `drop` drops blocked packets "
"with no feedback, and `return` returns a status code such as `Connection "
"refused`."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:955
msgid ""
"If not set, the default policy is `drop`.  To change the `block-policy`, "
"specify the desired value:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:959
#, no-wrap
msgid "set block-policy return\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:965
msgid ""
"In PF, `scrub` is a keyword which enables network packet normalization.  "
"This process reassembles fragmented packets and drops TCP packets that have "
"invalid flag combinations.  Enabling `scrub` provides a measure of "
"protection against certain kinds of attacks based on incorrect handling of "
"packet fragments.  A number of options are available, but the simplest form "
"is suitable for most configurations:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:969
#, no-wrap
msgid "scrub in all\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:973
msgid ""
"Some services, such as NFS, require specific fragment handling options.  "
"Refer to https://home.nuug.no/\\~peter/pf/en/scrub.html[https://home.nuug.no/"
"~peter/pf/en/scrub.html] for more information."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:975
msgid ""
"This example reassembles fragments, clears the \"do not fragment\" bit, and "
"sets the maximum segment size to 1440 bytes:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:979
#, no-wrap
msgid "scrub in all fragment reassemble no-df max-mss 1440\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:982
msgid ""
"The `antispoof` mechanism protects against activity from spoofed or forged "
"IP addresses, mainly by blocking packets appearing on interfaces and in "
"directions which are logically not possible."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:984
msgid ""
"These rules weed out spoofed traffic coming in from the rest of the world as "
"well as any spoofed packets which originate in the local network:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:989
#, no-wrap
msgid ""
"antispoof for $ext_if\n"
"antispoof for $int_if\n"
msgstr ""

#. type: Title ====
#: documentation/content/en/books/handbook/firewalls/_index.adoc:992
#, no-wrap
msgid "Handling Non-Routable Addresses"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:997
msgid ""
"Even with a properly configured gateway to handle network address "
"translation, one may have to compensate for other people's "
"misconfigurations.  A common misconfiguration is to let traffic with non-"
"routable addresses out to the Internet.  Since traffic from non-routable "
"addresses can play a part in several DoS attack techniques, consider "
"explicitly blocking traffic from non-routable addresses from entering the "
"network through the external interface."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1000
msgid ""
"In this example, a macro containing non-routable addresses is defined, then "
"used in blocking rules.  Traffic to and from these addresses is quietly "
"dropped on the gateway's external interface."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1006
#, no-wrap
msgid ""
"martians = \"{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \\\n"
"\t      10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \\\n"
"\t      0.0.0.0/8, 240.0.0.0/4 }\"\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1009
#, no-wrap
msgid ""
"block drop in quick on $ext_if from $martians to any\n"
"block drop out quick on $ext_if from any to $martians\n"
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1011
#, no-wrap
msgid "Enabling ALTQ"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1015
msgid ""
"On FreeBSD, ALTQ can be used with PF to provide Quality of Service (QOS).  "
"Once ALTQ is enabled, queues can be defined in the ruleset which determine "
"the processing priority of outbound packets."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1017
msgid ""
"Before enabling ALTQ, refer to man:altq[4] to determine if the drivers for "
"the network cards installed on the system support it."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1023
msgid ""
"ALTQ is not available as a loadable kernel module.  If the system's "
"interfaces support ALTQ, create a custom kernel using the instructions in "
"crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel].  The "
"following kernel options are available.  The first is needed to enable "
"ALTQ.  At least one of the other options is necessary to specify the "
"queueing scheduler algorithm:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1032
#, no-wrap
msgid ""
"options         ALTQ\n"
"options         ALTQ_CBQ        # Class Based Queuing (CBQ)\n"
"options         ALTQ_RED        # Random Early Detection (RED)\n"
"options         ALTQ_RIO        # RED In/Out\n"
"options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)\n"
"options         ALTQ_PRIQ       # Priority Queuing (PRIQ)\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1035
msgid "The following scheduler algorithms are available:"
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1036
#, no-wrap
msgid "CBQ"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1038
msgid ""
"Class Based Queuing (CBQ) is used to divide a connection's bandwidth into "
"different classes or queues to prioritize traffic based on filter rules."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1039
#, no-wrap
msgid "RED"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1042
msgid ""
"Random Early Detection (RED) is used to avoid network congestion by "
"measuring the length of the queue and comparing it to the minimum and "
"maximum thresholds for the queue.  When the queue is over the maximum, all "
"new packets are randomly dropped."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1043
#, no-wrap
msgid "RIO"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1045
msgid ""
"In Random Early Detection In and Out (RIO) mode, RED maintains multiple "
"average queue lengths and multiple threshold values, one for each QOS level."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1046
#, no-wrap
msgid "HFSC"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1048
msgid ""
"Hierarchical Fair Service Curve Packet Scheduler (HFSC) is described in "
"http://www-2.cs.cmu.edu/\\~hzhang/HFSC/main.html[http://www-2.cs.cmu.edu/"
"~hzhang/HFSC/main.html]."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1049
#, no-wrap
msgid "PRIQ"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1051
msgid ""
"Priority Queuing (PRIQ) always passes traffic that is in a higher queue "
"first."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1053
msgid ""
"More information about the scheduling algorithms and example rulesets are "
"available at the https://web.archive.org/web/20151109213426/http://"
"www.openbsd.org/faq/pf/queueing.html[OpenBSD's web archive]."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1055
#, no-wrap
msgid "IPFW"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1059
msgid ""
"IPFW is a stateful firewall written for FreeBSD which supports both IPv4 and "
"IPv6.  It consists of several components: the kernel firewall filter "
"rule processor and its integrated packet accounting facility, the logging "
"facility, NAT, the man:dummynet[4] traffic shaper, a forward facility, a "
"bridge facility, and an ipstealth facility."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1062
msgid ""
"FreeBSD provides a sample ruleset in [.filename]#/etc/rc.firewall# which "
"defines several firewall types for common scenarios to assist novice users "
"in generating an appropriate ruleset.  IPFW provides a powerful syntax which "
"advanced users can use to craft customized rulesets that meet the security "
"requirements of a given environment."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1064
msgid ""
"This section describes how to enable IPFW, provides an overview of its rule "
"syntax, and demonstrates several rulesets for common configuration scenarios."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1066
#, no-wrap
msgid "Enabling IPFW"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1069
msgid ""
"IPFW is included in the basic FreeBSD install as a kernel loadable module, "
"meaning that a custom kernel is not needed in order to enable IPFW."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1072
msgid ""
"For those users who wish to statically compile IPFW support into a custom "
"kernel, see crossref:firewalls[firewalls-ipfw-kernelconfig, IPFW Kernel "
"Options]."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1074
msgid ""
"To configure the system to enable IPFW at boot time, add "
"`firewall_enable=\"YES\"` to [.filename]#/etc/rc.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1078
#, no-wrap
msgid "# sysrc firewall_enable=\"YES\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1081
msgid ""
"To use one of the default firewall types provided by FreeBSD, add another "
"line which specifies the type:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1085
#, no-wrap
msgid "# sysrc firewall_type=\"open\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1088
msgid "The available types are:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1090
msgid "`open`: passes all traffic."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1091
msgid "`client`: protects only this machine."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1092
msgid "`simple`: protects the whole network."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1093
msgid ""
"`closed`: entirely disables IP traffic except for the loopback interface."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1094
msgid "`workstation`: protects only this machine using stateful rules."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1095
msgid "`UNKNOWN`: disables the loading of firewall rules."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1096
msgid ""
"[.filename]#filename#: full path of the file containing the firewall ruleset."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1098
msgid ""
"If `firewall_type` is set to either `client` or `simple`, modify the default "
"rules found in [.filename]#/etc/rc.firewall# to fit the configuration of the "
"system."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1100
msgid "Note that the `filename` type is used to load a custom ruleset."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1103
msgid ""
"An alternate way to load a custom ruleset is to set the `firewall_script` "
"variable to the absolute path of an _executable script_ that includes IPFW "
"commands.  The examples used in this section assume that the "
"`firewall_script` is set to [.filename]#/etc/ipfw.rules#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1107
#, no-wrap
msgid "# sysrc firewall_script=\"/etc/ipfw.rules\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1110
msgid "To enable logging through man:syslogd[8], include this line:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1114
#, no-wrap
msgid "# sysrc firewall_logging=\"YES\"\n"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1122
msgid ""
"Only firewall rules with the `log` option will be logged.  The default rules "
"do not include this option and it must be manually added.  Therefore it is "
"advisable that the default ruleset is edited for logging.  In addition, log "
"rotation may be desired if the logs are stored in a separate file."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1126
msgid ""
"There is no [.filename]#/etc/rc.conf# variable to set logging limits.  To "
"limit the number of times a rule is logged per connection attempt, specify "
"the number using this line in [.filename]#/etc/sysctl.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1130
#, no-wrap
msgid "# echo \"net.inet.ip.fw.verbose_limit=5\" >> /etc/sysctl.conf\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1133
msgid ""
"To enable logging through a dedicated interface named `ipfw0`, add this line "
"to [.filename]#/etc/rc.conf# instead:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1137
#, no-wrap
msgid "# sysrc firewall_logif=\"YES\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1140
msgid "Then use tcpdump to see what is being logged:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1144
#, no-wrap
msgid "# tcpdump -t -n -i ipfw0\n"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1150
msgid "There is no overhead due to logging unless tcpdump is attached."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1154
msgid ""
"After saving the needed edits, start the firewall.  To enable logging limits "
"now, also set the `sysctl` value specified above:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1159
#, no-wrap
msgid ""
"# service ipfw start\n"
"# sysctl net.inet.ip.fw.verbose_limit=5\n"
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1162
#, no-wrap
msgid "IPFW Rule Syntax"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1170
msgid ""
"When a packet enters the IPFW firewall, it is compared against the first "
"rule in the ruleset and progresses one rule at a time, moving from top to "
"bottom in sequence.  When the packet matches the selection parameters of a "
"rule, the rule's action is executed and the search of the ruleset terminates "
"for that packet.  This is referred to as \"first match wins\".  If the "
"packet does not match any of the rules, it gets caught by the mandatory IPFW "
"default rule number 65535, which denies all packets and silently discards "
"them.  However, if the packet matches a rule that contains the `count`, "
"`skipto`, or `tee` keywords, the search continues.  Refer to man:ipfw[8] for "
"details on how these keywords affect rule processing."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1176
msgid ""
"When creating an IPFW rule, keywords must be written in the following "
"order.  Some keywords are mandatory while other keywords are optional.  The "
"words shown in uppercase represent a variable and the words shown in "
"lowercase must precede the variable that follows them.  The `+#+` symbol is "
"used to mark the start of a comment and may appear at the end of a rule or "
"on its own line.  Blank lines are ignored."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1178
msgid ""
"`_CMD RULE_NUMBER set SET_NUMBER ACTION log LOG_AMOUNT PROTO from SRC "
"SRC_PORT to DST DST_PORT OPTIONS_`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1182
msgid ""
"This section provides an overview of these keywords and their options.  It "
"is not an exhaustive list of every possible option.  Refer to man:ipfw[8] "
"for a complete description of the rule syntax that can be used when creating "
"IPFW rules."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1183
#, no-wrap
msgid "CMD"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1185
msgid "Every rule must start with `ipfw add`."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1186
#, no-wrap
msgid "RULE_NUMBER"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1190
msgid ""
"Each rule is associated with a number from `1` to `65534`.  The number is "
"used to indicate the order of rule processing.  Multiple rules can have the "
"same number, in which case they are applied according to the order in which "
"they have been added."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1191
#, no-wrap
msgid "SET_NUMBER"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1195
msgid ""
"Each rule is associated with a set number from `0` to `31`.  Sets can be "
"individually disabled or enabled, making it possible to quickly add or "
"delete a set of rules.  If a SET_NUMBER is not specified, the rule will be "
"added to set `0`."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1196
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1942
#, no-wrap
msgid "ACTION"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1199
msgid ""
"A rule can be associated with one of the following actions.  The specified "
"action will be executed when the packet matches the selection criteria of "
"the rule."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1201
msgid ""
"`allow | accept | pass | permit`: these keywords are equivalent and allow "
"packets that match the rule."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1206
msgid ""
"`check-state`: checks the packet against the dynamic state table.  If a "
"match is found, the action associated with the rule which generated this "
"dynamic rule is executed; otherwise the search moves to the next rule.  A "
"`check-state` rule does not have selection criteria.  If no `check-state` "
"rule is present in the ruleset, the dynamic rules table is checked at the "
"first `keep-state` or `limit` rule."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1209
msgid ""
"`count`: updates counters for all packets that match the rule.  The search "
"continues with the next rule."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1211
msgid ""
"`deny | drop`: either word silently discards packets that match this rule."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1214
msgid "Additional actions are available.  Refer to man:ipfw[8] for details."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1215
#, no-wrap
msgid "LOG_AMOUNT"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1221
msgid ""
"When a packet matches a rule with the `log` keyword, a message will be "
"logged to man:syslogd[8] with a facility name of `SECURITY`.  Logging only "
"occurs if the number of packets logged for that particular rule does not "
"exceed a specified LOG_AMOUNT.  If no LOG_AMOUNT is specified, the limit is "
"taken from the value of `net.inet.ip.fw.verbose_limit`.  A value of zero "
"removes the logging limit.  Once the limit is reached, logging can be re-"
"enabled by clearing the logging counter or the packet counter for that rule, "
"using `ipfw resetlog`."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1226
msgid ""
"Logging is done after all other packet matching conditions have been met, "
"and before performing the final action on the packet.  The administrator "
"decides which rules to enable logging on."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1228
#, no-wrap
msgid "PROTO"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1230
msgid ""
"This optional value can be used to specify any protocol name or number found "
"in [.filename]#/etc/protocols#."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1231
#, no-wrap
msgid "SRC"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1236
msgid ""
"The `from` keyword must be followed by the source address or a keyword that "
"represents the source address.  An address can be represented by `any`, `me` "
"(any address configured on an interface on this system), `me6` (any IPv6 "
"address configured on an interface on this system), or `table` followed by "
"the number of a lookup table which contains a list of addresses.  When "
"specifying an IP address, it can be optionally followed by its CIDR mask or "
"subnet mask.  For example, `1.2.3.4/25` or `1.2.3.4:255.255.255.128`."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1237
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2008
#, no-wrap
msgid "SRC_PORT"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1239
msgid ""
"An optional source port can be specified using the port number or name from "
"[.filename]#/etc/services#."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1240
#, no-wrap
msgid "DST"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1243
msgid ""
"The `to` keyword must be followed by the destination address or a keyword "
"that represents the destination address.  The same keywords and addresses "
"described in the SRC section can be used to describe the destination."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1244
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2021
#, no-wrap
msgid "DST_PORT"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1246
msgid ""
"An optional destination port can be specified using the port number or name "
"from [.filename]#/etc/services#."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1247
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1972
#, no-wrap
msgid "OPTIONS"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1251
msgid ""
"Several keywords can follow the source and destination.  As the name "
"suggests, OPTIONS are optional.  Commonly used options include `in` or "
"`out`, which specify the direction of packet flow, `icmptypes` followed by "
"the type of ICMP message, and `keep-state`."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1253
msgid ""
"When a `keep-state` rule is matched, the firewall will create a dynamic rule "
"which matches bidirectional traffic between the source and destination "
"addresses and ports using the same protocol."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1258
msgid ""
"The dynamic rules facility is vulnerable to resource depletion from a SYN-"
"flood attack which would open a huge number of dynamic rules.  To counter "
"this type of attack with IPFW, use `limit`.  This option limits the number "
"of simultaneous sessions by checking the open dynamic rules, counting the "
"number of times this rule and IP address combination occurred.  If this "
"count is greater than the value specified by `limit`, the packet is "
"discarded."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1261
msgid ""
"Dozens of OPTIONS are available.  Refer to man:ipfw[8] for a description of "
"each available option."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1262
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2049
#, no-wrap
msgid "Example Ruleset"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1267
msgid ""
"This section demonstrates how to create an example stateful firewall ruleset "
"script named [.filename]#/etc/ipfw.rules#.  In this example, all connection "
"rules use `in` or `out` to clarify the direction.  They also use `via` "
"_interface-name_ to specify the interface the packet is traveling over."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1271
msgid ""
"When first creating or testing a firewall ruleset, consider temporarily "
"setting this tunable:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1275
#, no-wrap
msgid "net.inet.ip.fw.default_to_accept=\"1\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1278
msgid ""
"This sets the default policy of man:ipfw[8] to be more permissive than the "
"default `deny ip from any to any`, making it slightly more difficult to get "
"locked out of the system right after a reboot.  It is a loader tunable, so "
"it is set in [.filename]#/boot/loader.conf# and takes effect at the next "
"boot.  Remove it again once the ruleset has been verified: while it is set, "
"anything the explicit rules do not deny is accepted by the implicit final "
"rule."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1283
msgid ""
"The firewall script begins by indicating that it is a POSIX(R) shell script "
"and flushes any existing rules.  It then creates the `cmd` variable so that "
"`ipfw add` does not have to be typed at the beginning of every rule.  It "
"also defines the `pif` variable which represents the name of the interface "
"that is attached to the Internet."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1289
#, no-wrap
msgid ""
"#!/bin/sh\n"
"# Flush out the list before we begin.\n"
"ipfw -q -f flush\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1293
#, no-wrap
msgid ""
"# Set rules command prefix\n"
"cmd=\"ipfw -q add\"\n"
"pif=\"dc0\"     # interface name of NIC attached to Internet\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1296
msgid ""
"The first two rules allow all traffic on the trusted internal interface and "
"on the loopback interface:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1301
#, no-wrap
msgid ""
"# Change xl0 to LAN NIC interface name\n"
"$cmd 00005 allow all from any to any via xl0\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1304
#, no-wrap
msgid ""
"# No restrictions on Loopback Interface\n"
"$cmd 00010 allow all from any to any via lo0\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1307
msgid ""
"The next rule allows the packet through if it matches an existing entry in "
"the dynamic rules table:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1311
#, no-wrap
msgid "$cmd 00101 check-state\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1314
msgid ""
"The next set of rules defines which stateful connections internal systems "
"can create to hosts on the Internet:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1322
#, no-wrap
msgid ""
"# Allow access to public DNS\n"
"# Replace x.x.x.x with the IP address of a public DNS server\n"
"# and repeat for each DNS server in /etc/resolv.conf\n"
"$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state\n"
"$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1328
#, no-wrap
msgid ""
"# Allow access to ISP's DHCP server for cable/DSL configurations.\n"
"# Use the first rule and check log for IP address.\n"
"# Then, uncomment the second rule, input the IP address, and delete the first rule\n"
"$cmd 00120 allow log udp from any to any 67 out via $pif keep-state\n"
"#$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1332
#, no-wrap
msgid ""
"# Allow outbound HTTP and HTTPS connections\n"
"$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state\n"
"$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1336
#, no-wrap
msgid ""
"# Allow outbound email connections\n"
"$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state\n"
"$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1339
#, no-wrap
msgid ""
"# Allow outbound ping\n"
"$cmd 00250 allow icmp from any to any out via $pif keep-state\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1342
#, no-wrap
msgid ""
"# Allow outbound NTP\n"
"$cmd 00260 allow udp from any to any 123 out via $pif keep-state\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1345
#, no-wrap
msgid ""
"# Allow outbound SSH\n"
"$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1348
#, no-wrap
msgid ""
"# deny and log all other outbound connections\n"
"$cmd 00299 deny log all from any to any out via $pif\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1353
msgid ""
"The next set of rules controls connections from Internet hosts to the "
"internal network.  It starts by denying packets typically associated with "
"attacks and then explicitly allows specific types of connections.  All the "
"authorized services that originate from the Internet use `limit` to prevent "
"flooding."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1366
#, no-wrap
msgid ""
"# Deny all inbound traffic from non-routable reserved address spaces\n"
"$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif     #RFC 1918 private IP\n"
"$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif      #RFC 1918 private IP\n"
"$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif         #RFC 1918 private IP\n"
"$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif        #loopback\n"
"$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif          #RFC 1122 this-network block\n"
"$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif     #link-local (RFC 3927)\n"
"$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif       #TEST-NET-1, reserved for docs\n"
"$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif    #Sun cluster interconnect\n"
"$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif        #Class D multicast & Class E reserved\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1369
#, no-wrap
msgid ""
"# Deny public pings\n"
"$cmd 00310 deny icmp from any to any in via $pif\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1372
#, no-wrap
msgid ""
"# Deny ident\n"
"$cmd 00315 deny tcp from any to any 113 in via $pif\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1378
#, no-wrap
msgid ""
"# Deny all NetBIOS services (137 and 138 are UDP, 139 is TCP) and port 81.\n"
"$cmd 00320 deny udp from any to any 137 in via $pif\n"
"$cmd 00321 deny udp from any to any 138 in via $pif\n"
"$cmd 00322 deny tcp from any to any 139 in via $pif\n"
"$cmd 00323 deny tcp from any to any 81 in via $pif\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1381
#, no-wrap
msgid ""
"# Deny fragments\n"
"$cmd 00330 deny all from any to any frag in via $pif\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1384
#, no-wrap
msgid ""
"# Deny ACK packets that did not match the dynamic rule table\n"
"$cmd 00332 deny tcp from any to any established in via $pif\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1388
#, no-wrap
msgid ""
"# Allow traffic from ISP's DHCP server.\n"
"# Replace x.x.x.x with the same IP address used in rule 00120.\n"
"#$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1391
#, no-wrap
msgid ""
"# Allow HTTP connections to internal web server\n"
"$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1394
#, no-wrap
msgid ""
"# Allow inbound SSH connections\n"
"$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1397
#, no-wrap
msgid ""
"# Reject and log all other incoming connections\n"
"$cmd 00499 deny log all from any to any in via $pif\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1400
msgid ""
"The last rule logs all packets that do not match any of the rules in the "
"ruleset:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1405
#, no-wrap
msgid ""
"# Everything else is denied and logged\n"
"$cmd 00999 deny log all from any to any\n"
msgstr ""
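
The listing above is spread over many fragments and still needs `x.x.x.x` filled in by hand for every resolver.  The following POSIX sh script is an added example, not the Handbook's own [.filename]#/etc/ipfw.rules#: it builds the same stateful ruleset (trusted interfaces, `check-state`, outbound `keep-state` rules, quiet inbound denies, published services capped with `limit src-addr 2`, logged final deny) from a few variables and reads the resolver addresses from a resolv.conf file.  The interface names `dc0` and `xl0`, the published services (HTTP and SSH) and the `DRY_RUN` switch are assumptions of this example; the DHCP and NetBIOS entries of the original are left out for brevity.

```shell
#!/bin/sh
# Added example, not the Handbook's own /etc/ipfw.rules: builds the stateful
# ruleset above from a few variables and takes the resolver addresses from a
# resolv.conf file instead of requiring x.x.x.x to be edited by hand.
# Assumptions of this example: dc0 faces the Internet, xl0 is the LAN NIC,
# and the box publishes HTTP and SSH.  The DHCP and NetBIOS entries of the
# original are left out for brevity.  With DRY_RUN=1 the ipfw commands are
# printed instead of run, which is the form to review before loading.

PIF="${PIF:-dc0}"            # NIC attached to the Internet
LIF="${LIF:-xl0}"            # trusted LAN NIC
OUT_TCP="22,25,80,110,443"   # outbound TCP ports allowed from the LAN

# fw ARGS: run ipfw, or print the command when DRY_RUN=1
fw() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'ipfw %s\n' "$*"
    else
        /sbin/ipfw "$@"
    fi
}

# add RULE: shorthand for "ipfw -q add RULE"
add() {
    fw -q add "$@"
}

# nameservers FILE: print the IPv4 resolvers listed in FILE; IPv6 entries
# are skipped because this ruleset only filters IPv4
nameservers() {
    while read -r key val _; do
        case "$key:$val" in
            nameserver:*.*.*.*) printf '%s\n' "$val" ;;
        esac
    done < "$1"
}

# gen_rules [RESOLV_CONF]: flush the table and install the whole ruleset
gen_rules() {
    resolv="${1:-/etc/resolv.conf}"

    fw -q -f flush
    add 00005 allow all from any to any via "$LIF"   # trusted LAN
    add 00010 allow all from any to any via lo0      # loopback
    add 00101 check-state                            # established sessions

    # Outbound from the LAN.  Several rules may share a number; ipfw keeps
    # them in insertion order, so every resolver gets a 00110/00111 pair.
    for ns in $(nameservers "$resolv"); do
        add 00110 allow tcp from any to "$ns" 53 out via "$PIF" setup keep-state
        add 00111 allow udp from any to "$ns" 53 out via "$PIF" keep-state
    done
    add 00125 allow tcp from any to any "$OUT_TCP" out via "$PIF" setup keep-state
    add 00250 allow icmp from any to any out via "$PIF" keep-state
    add 00260 allow udp from any to any 123 out via "$PIF" keep-state
    add 00299 deny log all from any to any out via "$PIF"

    # Inbound from the Internet: quiet denies first, then the published
    # services, each capped at two simultaneous sessions per source address.
    for net in 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.0/8 \
               0.0.0.0/8 169.254.0.0/16 192.0.2.0/24 224.0.0.0/3; do
        add 00300 deny all from "$net" to any in via "$PIF"
    done
    add 00310 deny icmp from any to any in via "$PIF"
    add 00330 deny all from any to any frag in via "$PIF"
    add 00332 deny tcp from any to any established in via "$PIF"
    add 00400 allow tcp from any to me 80 in via "$PIF" setup limit src-addr 2
    add 00410 allow tcp from any to me 22 in via "$PIF" setup limit src-addr 2
    add 00499 deny log all from any to any in via "$PIF"

    add 00999 deny log all from any to any
}

# Install the rules when run as "sh ipfw.rules load"; when the file is only
# sourced, nothing is changed and the functions stay available.
case "${1:-}" in
    load) gen_rules "${2:-/etc/resolv.conf}" ;;
esac
```

Review the output of `DRY_RUN=1 sh ipfw.rules load` first; once it looks right, `sh ipfw.rules load` installs the rules, and `ipfw -a list` afterwards shows which of them are actually matching traffic.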

#. type: Title ===
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1408
#, no-wrap
msgid "In-kernel NAT"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1413
msgid ""
"FreeBSD's IPFW firewall has two implementations of NAT: the userland "
"implementation man:natd[8], and the more recent in-kernel NAT "
"implementation.  Both work in conjunction with IPFW to provide network "
"address translation.  This can be used to provide an Internet Connection "
"Sharing solution so that several internal computers can connect to the "
"Internet using a single public IP address."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1417
msgid ""
"To do this, the FreeBSD machine connected to the Internet must act as a "
"gateway.  This system must have two NICs, where one is connected to the "
"Internet and the other is connected to the internal LAN.  Each machine "
"connected to the LAN should be assigned an IP address in the private network "
"space, as defined by https://www.ietf.org/rfc/rfc1918.txt[RFC 1918]."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1420
msgid ""
"Some additional configuration is needed in order to enable the in-kernel NAT "
"facility of IPFW.  To enable in-kernel NAT support at boot time, the "
"following must be set in [.filename]#/etc/rc.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1426
#, no-wrap
msgid ""
"gateway_enable=\"YES\"\n"
"firewall_enable=\"YES\"\n"
"firewall_nat_enable=\"YES\"\n"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1432
msgid ""
"When `firewall_nat_enable` is set but `firewall_enable` is not, it will have "
"no effect and do nothing.  This is because the in-kernel NAT implementation "
"is only compatible with IPFW."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1439
msgid ""
"When the ruleset contains stateful rules, the positioning of the NAT rule is "
"critical and the `skipto` action is used.  The `skipto` action requires a "
"rule number so that it knows which rule to jump to.  The example below "
"builds upon the firewall ruleset shown in the previous section.  It adds "
"some additional entries and modifies some existing rules in order to "
"configure the firewall for in-kernel NAT.  It starts by adding some "
"additional variables which represent the rule number to skip to, the `keep-"
"state` option, and a list of TCP ports which will be used to reduce the "
"number of rules."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1449
#, no-wrap
msgid ""
"#!/bin/sh\n"
"ipfw -q -f flush\n"
"cmd=\"ipfw -q add\"\n"
"skip=\"skipto 1000\"\n"
"pif=dc0\n"
"ks=\"keep-state\"\n"
"good_tcpo=\"22,25,37,53,80,443,110\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1454
msgid ""
"With in-kernel NAT it is necessary to disable TCP segmentation offloading "
"(TSO) due to the architecture of man:libalias[3], a library implemented as a "
"kernel module to provide the in-kernel NAT facility of IPFW.  TSO can be "
"disabled on a per network interface basis using man:ifconfig[8] or on a "
"system wide basis using man:sysctl[8].  To disable TSO system wide, the "
"following must be set in [.filename]#/etc/sysctl.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1458
#, no-wrap
msgid "net.inet.tcp.tso=\"0\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1467
msgid ""
"A NAT instance will also be configured.  It is possible to have multiple NAT "
"instances, each with its own configuration.  For this example only one NAT "
"instance is needed, NAT instance number 1.  The configuration can take a few "
"options, such as `if`, which names the public interface, `same_ports`, which "
"tries to keep the local port number unchanged after translation, "
"`unreg_only`, which makes the instance translate only packets from "
"unregistered (private) address space, and `reset`, which keeps the NAT "
"instance working even when the public IP address of the IPFW machine "
"changes.  For all possible options that can be passed to a single NAT "
"instance configuration, consult man:ipfw[8].  When configuring a stateful "
"NATing firewall, it is necessary to allow translated packets to be "
"reinjected into the firewall for further processing.  This is achieved by "
"disabling the `one_pass` behavior at the start of the firewall script:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1472
#, no-wrap
msgid ""
"ipfw disable one_pass\n"
"ipfw -q nat 1 config if $pif same_ports unreg_only reset\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1478
msgid ""
"The inbound NAT rule is inserted _after_ the two rules which allow all "
"traffic on the trusted and loopback interfaces and after the reassemble rule "
"but _before_ the `check-state` rule.  It is important that the rule number "
"selected for this NAT rule, in this example `100`, is higher than the first "
"three rules and lower than the `check-state` rule.  Furthermore, because of "
"the behavior of in-kernel NAT it is advised to place a reassemble rule just "
"before the first NAT rule and after the rules that allow traffic on trusted "
"interface.  Normally, IP fragmentation should not happen, but when dealing "
"with IPSEC/ESP/GRE tunneling traffic it might and the reassembling of "
"fragments is necessary before handing the complete packet over to the in-"
"kernel NAT facility."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1482
msgid ""
"The reassemble rule was not needed with userland man:natd[8] because the "
"internal workings of the IPFW `divert` action already takes care of "
"reassembling packets before delivery to the socket as also stated in "
"man:ipfw[8]."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1485
msgid ""
"The NAT instance and rule number used in this example does not match with "
"the default NAT instance and rule number created by "
"[.filename]#rc.firewall#.  [.filename]#rc.firewall# is a script that sets up "
"the default firewall rules present in FreeBSD."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1495
#, no-wrap
msgid ""
"$cmd 005 allow all from any to any via xl0  # exclude LAN traffic\n"
"$cmd 010 allow all from any to any via lo0  # exclude loopback traffic\n"
"$cmd 099 reass all from any to any in       # reassemble inbound packets\n"
"$cmd 100 nat 1 ip from any to any in via $pif # NAT any inbound packets\n"
"# Allow the packet through if it has an existing entry in the dynamic rules table\n"
"$cmd 101 check-state\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1499
msgid ""
"The outbound rules are modified to replace the `allow` action with the "
"`$skip` variable, indicating that rule processing will continue at rule "
"`1000`.  The seven `tcp` rules have been replaced by rule `125` as the "
"`$good_tcpo` variable contains the seven allowed outbound ports."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1503
msgid ""
"Remember that IPFW's performance is largely determined by the number of "
"rules present in the ruleset."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1512
#, no-wrap
msgid ""
"# Authorized outbound packets\n"
"$cmd 120 $skip udp from any to x.x.x.x 53 out via $pif $ks\n"
"$cmd 121 $skip udp from any to x.x.x.x 67 out via $pif $ks\n"
"$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks\n"
"$cmd 130 $skip icmp from any to any out via $pif $ks\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1518
msgid ""
"The inbound rules remain the same, except for the very last rule, which "
"drops the `via $pif` in order to catch both inbound and outbound packets.  "
"The outbound NAT rule must follow this last deny rule, must have a higher "
"number than it, and its number must be the one referenced by the `skipto` "
"action.  In this ruleset, rule number `1000` hands all packets that reach "
"it to the configured NAT instance for translation.  The next rule allows "
"any packet which has undergone NAT processing to pass."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1524
#, no-wrap
msgid ""
"$cmd 999 deny log all from any to any\n"
"$cmd 1000 nat 1 ip from any to any out via $pif # skipto location for outbound stateful rules\n"
"$cmd 1001 allow ip from any to any\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1527
msgid ""
"In this example, rules `100`, `101`, `125`, `1000`, and `1001` control the "
"address translation of the outbound and inbound packets so that the entries "
"in the dynamic state table always register the private LAN IP address."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1539
msgid ""
"Consider an internal web browser which initiates a new outbound HTTP "
"session over port 80.  When the first outbound packet enters the firewall, "
"it does not match rule `100` because it is headed out rather than in.  Rule "
"`101`, the `check-state` rule, does not match it either, because this is the "
"first packet of the session and no entry exists for it in the dynamic state "
"table yet.  The packet finally matches rule `125`, as it is outbound on an "
"allowed port and has a source IP address from the internal LAN.  On "
"matching this rule, two things happen.  First, `keep-state` adds an entry "
"for the session, keyed on the private LAN address, to the dynamic state "
"table; then the rule's action, `skipto 1000`, is executed.  Rule `1000` "
"translates the source address and, because `one_pass` is disabled, the "
"packet continues to rule `1001`, which allows it out to the Internet.  This "
"packet makes its way to the destination web server, where a response packet "
"is generated and sent back.  This new packet enters the top of the "
"ruleset.  It matches rule `100` and has its destination IP address mapped "
"back to the original internal address.  It is then processed by the "
"`check-state` rule, found in the table as an existing session, and released "
"to the LAN."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1544
msgid ""
"On the inbound side, the ruleset has to deny bad packets and allow only "
"authorized services.  A packet which matches an inbound rule is posted to "
"the dynamic state table and the packet is released to the LAN.  The packet "
"generated as a response is recognized by the `check-state` rule as belonging "
"to an existing session.  It is then sent to rule `1000` to undergo NAT "
"before being released to the outbound interface."
msgstr ""
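
The ordering constraints described above (the `reass` rule before the inbound `nat` rule, the inbound `nat` rule before `check-state`, the outbound `nat` rule numbered above the last `deny`, and every `skipto` target existing and lying further down the ruleset) are easy to break when a ruleset is edited over time.  The following POSIX sh checker is an added example, not part of the Handbook or of FreeBSD: it reads either the firewall script, with `$skip` written out as `skipto 1000`, or the output of `ipfw list`, and reports every violated constraint before the rules are loaded.  The interface name `dc0` used in the sample input is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Handbook: checks the ordering constraints
# the text above places on an in-kernel NAT ruleset before it is loaded.
# Input is the firewall script (lines like "$cmd 100 nat 1 ip ...", with the
# $skip variable written out as "skipto 1000") or the output of "ipfw list"
# (lines like "00100 nat 1 ip from any to any in via dc0").  Only the rule
# number and the action keywords are looked at.

# fail MSG: report one violated constraint and remember that the check failed
fail() {
    printf 'FAIL: %s\n' "$1"
    rc=1
}

# check_ruleset FILE: return 0 when every constraint holds, 1 otherwise
check_ruleset() {
    file=$1
    rc=0 one_pass= reass= nat_in= nat_out= check_state= max_deny=0 nums= skips=

    while read -r line; do
        line=${line%%#*}                      # drop trailing comments
        set -- $line                          # split the rule into words
        [ $# -ge 2 ] || continue
        case "$1 $2 ${3:-}" in
            'ipfw disable one_pass') one_pass=1; continue ;;
            'ipfw -q add')           shift 3 ;;
            '$cmd '*)                shift ;;
        esac
        # rule number without leading zeros, so that 00101 is not read as octal
        num=${1#${1%%[!0]*}}; num=${num:-0}
        case $num in *[!0-9]*) continue ;; esac   # not a rule line
        nums="$nums $num"
        rest=" $* "
        case $2 in
            reass)       [ -n "$reass" ] || reass=$num ;;
            check-state) [ -n "$check_state" ] || check_state=$num ;;
            skipto)      skips="$skips $num:${3:-}" ;;
            deny)        if [ "$num" -gt "$max_deny" ]; then max_deny=$num; fi ;;
            nat)         case $rest in
                             *' in '*)  [ -n "$nat_in" ] || nat_in=$num ;;
                             *' out '*) [ -n "$nat_out" ] || nat_out=$num ;;
                         esac ;;
        esac
    done < "$file"

    [ -n "$one_pass" ]    || fail 'one_pass is not disabled: translated packets would not re-enter the ruleset'
    [ -n "$reass" ]       || fail 'no reass rule'
    [ -n "$nat_in" ]      || fail 'no inbound nat rule'
    [ -n "$check_state" ] || fail 'no check-state rule'
    if [ -n "$reass" ] && [ -n "$nat_in" ] && [ "$reass" -ge "$nat_in" ]; then
        fail "reass rule $reass must come before inbound nat rule $nat_in"
    fi
    if [ -n "$nat_in" ] && [ -n "$check_state" ] && [ "$nat_in" -ge "$check_state" ]; then
        fail "inbound nat rule $nat_in must come before check-state rule $check_state"
    fi
    if [ -n "$nat_out" ] && [ "$nat_out" -le "$max_deny" ]; then
        fail "outbound nat rule $nat_out must be numbered above the last deny rule $max_deny"
    fi
    for pair in $skips; do
        src=${pair%%:*}; dst=${pair#*:}
        case $dst in
            ''|*[!0-9]*) fail "rule $src: skipto target '$dst' is not a rule number"; continue ;;
        esac
        [ "$dst" -gt "$src" ] || fail "rule $src: skipto $dst does not jump forward"
        case " $nums " in
            *" $dst "*) ;;
            *) fail "rule $src: skipto target $dst does not exist" ;;
        esac
    done
    return $rc
}

# Usage: sh check_ipfw_nat.sh /etc/ipfw.rules && sh /etc/ipfw.rules
case "${1:-}" in
    '') ;;
    *)  check_ruleset "$1" ;;
esac
```

Running it against `ipfw list` output after loading is the more reliable check, since that reflects the rules the kernel actually holds rather than the script that was meant to install them.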

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1552
msgid ""
"Transitioning from userland man:natd[8] to in-kernel NAT might appear "
"seamless at first, but there is a small catch.  When using the GENERIC "
"kernel, IPFW will load the [.filename]#libalias.ko# kernel module when "
"`firewall_nat_enable` is enabled in [.filename]#/etc/rc.conf#.  The "
"[.filename]#libalias.ko# kernel module only provides basic NAT "
"functionality, whereas the userland implementation man:natd[8] has all NAT "
"functionality available in its userland library without any extra "
"configuration.  The protocol helpers live in separate kernel modules that "
"can be loaded in addition to [.filename]#libalias.ko# when needed: "
"[.filename]#alias_ftp.ko#, [.filename]#alias_nbt.ko#, "
"[.filename]#alias_skinny.ko#, [.filename]#alias_irc.ko#, "
"[.filename]#alias_pptp.ko# and [.filename]#alias_smedia.ko#, listed in the "
"`kld_list` directive in [.filename]#/etc/rc.conf#.  If a custom kernel is "
"used, the full functionality of the userland library can be compiled into "
"the kernel with `options LIBALIAS`."
msgstr ""

#. type: Title ====
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1554
#, no-wrap
msgid "Port Redirection"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1560
msgid ""
"The drawback with NAT in general is that the LAN clients are not accessible "
"from the Internet.  Clients on the LAN can make outgoing connections to the "
"world but cannot receive incoming ones.  This presents a problem if trying "
"to run Internet services on one of the LAN client machines.  A simple way "
"around this is to redirect selected Internet ports on the NAT providing "
"machine to a LAN client."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1563
msgid ""
"For example, an IRC server runs on client `A` and a web server runs on "
"client `B`.  For this to work properly, connections received on ports 6667 "
"(IRC) and 80 (HTTP) must be redirected to the respective machines."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1567
msgid ""
"With in-kernel NAT, all redirection is configured in the NAT instance "
"configuration.  For a full list of options that an in-kernel NAT instance "
"can use, consult man:ipfw[8].  The IPFW syntax follows that of "
"man:natd[8].  The syntax for `redirect_port` is as follows:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1573
#, no-wrap
msgid ""
"redirect_port proto targetIP:targetPORT[-targetPORT]\n"
"  [aliasIP:]aliasPORT[-aliasPORT]\n"
"  [remoteIP[:remotePORT[-remotePORT]]]\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1576
msgid "To configure the above example setup, the arguments should be:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1581
#, no-wrap
msgid ""
"redirect_port tcp 192.168.0.2:6667 6667\n"
"redirect_port tcp 192.168.0.3:80 80\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1584
msgid ""
"After adding these arguments to the configuration of NAT instance 1 in the "
"above ruleset, the TCP ports will be port forwarded to the LAN client "
"machines running the IRC and HTTP services."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1590
#, no-wrap
msgid ""
"ipfw -q nat 1 config if $pif same_ports unreg_only reset \\\n"
"  redirect_port tcp 192.168.0.2:6667 6667 \\\n"
"  redirect_port tcp 192.168.0.3:80 80\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1594
msgid ""
"Port ranges, rather than individual ports, can also be given to "
"`redirect_port`.  For example, _tcp 192.168.0.2:2000-3000 2000-3000_ would "
"redirect all connections received on ports 2000 to 3000 to ports 2000 to "
"3000 on client `A`."
msgstr ""

#. type: Title ====
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1595
#, no-wrap
msgid "Address Redirection"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1601
msgid ""
"Address redirection is useful if more than one IP address is available.  "
"Each LAN client can be assigned its own external IP address by man:ipfw[8], "
"which will then rewrite outgoing packets from the LAN clients with the "
"proper external IP address and redirects all traffic incoming on that "
"particular IP address back to the specific LAN client.  This is also known "
"as static NAT.  For example, if IP addresses `128.1.1.1`, `128.1.1.2`, and "
"`128.1.1.3` are available, `128.1.1.1` can be used as the man:ipfw[8] "
"machine's external IP address, while `128.1.1.2` and `128.1.1.3` are "
"forwarded back to LAN clients `A` and `B`."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1603
msgid ""
"The `redirect_addr` syntax is as below, where `localIP` is the internal IP "
"address of the LAN client, and `publicIP` the external IP address "
"corresponding to the LAN client."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1607
#, no-wrap
msgid "redirect_addr localIP publicIP\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1610
msgid "In the example, the arguments would read:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1615
#, no-wrap
msgid ""
"redirect_addr 192.168.0.2 128.1.1.2\n"
"redirect_addr 192.168.0.3 128.1.1.3\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1619
msgid ""
"Like `redirect_port`, these arguments are placed in a NAT instance "
"configuration.  With address redirection, there is no need for port "
"redirection, as all data received on a particular IP address is redirected."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1622
msgid ""
"The external IP addresses on the man:ipfw[8] machine must be active and "
"aliased to the external interface.  Refer to man:rc.conf[5] for details."
msgstr ""

#. type: Title ====
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1623
#, no-wrap
msgid "Userspace NAT"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1627
msgid ""
"The userspace NAT implementation, man:natd[8], has more overhead than in-"
"kernel NAT.  For man:natd[8] to translate packets, each packet has to be "
"copied from the kernel to userspace and back through a man:divert[4] "
"socket, which brings in extra overhead that is not present with in-kernel "
"NAT."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1631
msgid ""
"To enable the userspace NAT daemon man:natd[8] at boot time, the following "
"is a minimum configuration in [.filename]#/etc/rc.conf#, where "
"`natd_interface` is set to the name of the NIC attached to the Internet.  "
"The man:rc[8] script of man:natd[8] automatically checks whether a dynamic "
"IP address is used and configures itself to handle that."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1637
#, no-wrap
msgid ""
"gateway_enable=\"YES\"\n"
"natd_enable=\"YES\"\n"
"natd_interface=\"rl0\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1642
msgid ""
"In general, the ruleset explained above for in-kernel NAT can also be used "
"together with man:natd[8].  The exceptions are the NAT instance "
"configuration (`ipfw -q nat 1 config ...`), which is not needed, and "
"reassemble rule `99`, which can be dropped because the `divert` action "
"already reassembles fragments.  Rules `100` and `1000` change slightly, as "
"shown below."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1647
#, no-wrap
msgid ""
"$cmd 100 divert natd ip from any to any in via $pif\n"
"$cmd 1000 divert natd ip from any to any out via $pif\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1652
msgid ""
"To configure port or address redirection, the same syntax as with in-kernel "
"NAT is used.  Instead of putting the configuration in the ruleset script, "
"however, man:natd[8] is best configured through a configuration file.  To "
"do this, an extra flag must be passed via [.filename]#/etc/rc.conf# which "
"specifies the path of the configuration file:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1656
#, no-wrap
msgid "natd_flags=\"-f /etc/natd.conf\"\n"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1663
msgid ""
"The specified file must contain a list of configuration options, one per "
"line.  For more information about the configuration file and possible "
"variables, consult man:natd[8].  Below are two example entries, one per line:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1668
#, no-wrap
msgid ""
"redirect_port tcp 192.168.0.2:6667 6667\n"
"redirect_addr 192.168.0.3 128.1.1.3\n"
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1673
#, no-wrap
msgid "The IPFW Command"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1678
msgid ""
"`ipfw` can be used to make manual, single rule additions or deletions to the "
"active firewall while it is running.  The problem with using this method is "
"that all the changes are lost when the system reboots.  It is recommended to "
"instead write all the rules in a file and to use that file to load the rules "
"at boot time and to replace the currently running firewall rules whenever "
"that file changes."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1682
msgid ""
"`ipfw` is a useful way to display the running firewall rules to the console "
"screen.  The IPFW accounting facility dynamically creates a counter for each "
"rule that counts each packet that matches the rule.  During the process of "
"testing a rule, listing the rule with its counter is one way to determine if "
"the rule is functioning as expected."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1684
msgid "To list all the running rules in sequence:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1688
#, no-wrap
msgid "# ipfw list\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1691
msgid ""
"To list all the running rules with a time stamp of the last time each rule "
"was matched:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1695
#, no-wrap
msgid "# ipfw -t list\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1699
msgid ""
"The next example lists accounting information and the packet count for "
"matched rules along with the rules themselves.  The first column is the rule "
"number, followed by the number of matched packets and bytes, followed by the "
"rule itself."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1703
#, no-wrap
msgid "# ipfw -a list\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1706
msgid "To list dynamic rules in addition to static rules:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1710
#, no-wrap
msgid "# ipfw -d list\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1713
msgid "To also show the expired dynamic rules:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1717
#, no-wrap
msgid "# ipfw -d -e list\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1720
msgid "To zero the counters:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1724
#, no-wrap
msgid "# ipfw zero\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1727
msgid "To zero the counters for just the rule with number _NUM_:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1731
#, no-wrap
msgid "# ipfw zero NUM\n"
msgstr ""

#. type: Title ====
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1733
#, no-wrap
msgid "Logging Firewall Messages"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1740
msgid ""
"Even with the logging facility enabled, IPFW will not generate any rule "
"logging on its own.  The firewall administrator decides which rules in the "
"ruleset will be logged, and adds the `log` keyword to those rules.  Normally "
"only deny rules are logged.  It is customary to duplicate the \"ipfw default "
"deny everything\" rule with the `log` keyword included as the last rule in "
"the ruleset.  This way, it is possible to see all the packets that did not "
"match any of the rules in the ruleset."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1744
msgid ""
"Logging is a double-edged sword.  If one is not careful, an overabundance of "
"log data or a DoS attack can fill the disk with log files.  Log messages are "
"not only written to syslogd, but are also displayed on the root console "
"screen, where they soon become annoying."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1749
msgid ""
"The `IPFIREWALL_VERBOSE_LIMIT=5` kernel option limits the number of "
"consecutive messages sent to man:syslogd[8] about packets matching a given "
"rule.  When this option is enabled in the kernel, the number of consecutive "
"messages concerning a particular rule is capped at the number specified.  "
"There is nothing to be gained from 200 identical log messages.  With this "
"option set to five, five consecutive messages concerning a particular rule "
"would be logged to syslogd, and the remaining identical consecutive messages "
"would be counted and posted to syslogd with a phrase like the following:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1753
#, no-wrap
msgid "last message repeated 45 times\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1756
msgid ""
"All logged packet messages are written by default to [.filename]#/var/log/"
"security#, which is defined in [.filename]#/etc/syslog.conf#."
msgstr ""

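As an added example that is not part of the Handbook, the following Python script parses ipfw `Deny` messages from a constructed sample of [.filename]#/var/log/security# and credits each `last message repeated N times` line from syslogd to the message immediately before it, so that per-rule and per-source deny counts stay accurate. The line layout follows the ipfw(8) log format; the hostname, rule numbers and addresses are made up for the example.

```python
import re
from collections import Counter

# Constructed sample of /var/log/security. Host, rule numbers and addresses
# are made up for this example; only the line layout follows the ipfw(8)
# log format and syslogd(8)'s repeat-suppression message.
SAMPLE_LOG = """\
Mar  3 09:12:01 gw kernel: ipfw: 65534 Deny TCP 203.0.113.7:51022 198.51.100.2:22 in via em0
Mar  3 09:12:02 gw syslogd: last message repeated 45 times
Mar  3 09:12:05 gw kernel: ipfw: 502 Deny UDP 192.0.2.9:53 198.51.100.2:33012 in via em0
Mar  3 09:12:09 gw kernel: ipfw: 65534 Deny ICMP:8.0 203.0.113.7 198.51.100.2 in via em0
Mar  3 09:12:10 gw syslogd: last message repeated 3 times
Mar  3 09:12:11 gw kernel: ipfw: 600 Accept TCP 198.51.100.2:4412 192.0.2.11:80 out via em0
"""

IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w:.]+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")


def host_of(endpoint):
    """Strip the :port suffix that ipfw appends to TCP and UDP endpoints."""
    host, sep, port = endpoint.rpartition(":")
    return host if sep and port.isdigit() else endpoint


def parse_ipfw_log(text):
    """Return one dict per ipfw log line, each with an accurate hit count.

    syslogd collapses identical consecutive messages into a single
    'last message repeated N times' line; those N hits belong to the
    ipfw message immediately before it, so they are added to its count.
    """
    events = []
    last = None
    for line in text.splitlines():
        m = IPFW_RE.search(line)
        if m:
            last = {"rule": m["rule"], "action": m["action"], "proto": m["proto"],
                    "src": host_of(m["src"]), "dst": host_of(m["dst"]),
                    "dir": m["dir"], "iface": m["iface"], "count": 1}
            events.append(last)
            continue
        r = REPEAT_RE.search(line)
        if r and last is not None:
            last["count"] += int(r["n"])
    return events


def summarize_denies(events):
    """Deny hits per rule number and per source host, repeats included."""
    by_rule, by_src = Counter(), Counter()
    for ev in events:
        if ev["action"] == "Deny":
            by_rule[ev["rule"]] += ev["count"]
            by_src[ev["src"]] += ev["count"]
    return by_rule, by_src


if __name__ == "__main__":
    by_rule, by_src = summarize_denies(parse_ipfw_log(SAMPLE_LOG))
    for rule, n in by_rule.most_common():
        print(f"rule {rule}: {n} denied packets")
    for src, n in by_src.most_common():
        print(f"{src}: {n} denied packets")
```

On the sample above the default-deny rule 65534 accounts for 50 dropped packets, 49 of which are only visible through the two repeat lines.
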
#. type: Title ====
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1758
#, no-wrap
msgid "Building a Rule Script"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1764
msgid ""
"Most experienced IPFW users create a file containing the rules and code them "
"in a manner compatible with running them as a script.  The major benefit of "
"doing this is that the firewall rules can be refreshed en masse without "
"rebooting the system to activate them.  This method is convenient for "
"testing new rules, as the procedure can be executed as many times as "
"needed.  Being a script, symbolic substitution can be used for frequently "
"used values to be substituted into multiple rules."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1769
msgid ""
"This example script is compatible with the syntax used by the man:sh[1], "
"man:csh[1], and man:tcsh[1] shells.  References to symbolic substitution "
"fields are prefixed with a dollar sign ($).  The field definitions "
"themselves do not have the $ prefix.  The value to populate the symbolic "
"field must be enclosed in double quotes (\"\")."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1771
msgid "Start the rules file like this:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1789
#, no-wrap
msgid ""
"############### start of example ipfw rules script #############\n"
"#\n"
"ipfw -q -f flush       # Delete all rules\n"
"# Set defaults\n"
"oif=\"tun0\"             # out interface\n"
"odns=\"192.0.2.11\"      # ISP's DNS server IP address\n"
"cmd=\"ipfw -q add \"     # build rule prefix\n"
"ks=\"keep-state\"        # just too lazy to key this each time\n"
"$cmd 00500 check-state\n"
"$cmd 00502 deny all from any to any frag\n"
"$cmd 00501 deny tcp from any to any established\n"
"$cmd 00600 allow tcp from any to any 80 out via $oif setup $ks\n"
"$cmd 00610 allow tcp from any to $odns 53 out via $oif setup $ks\n"
"$cmd 00611 allow udp from any to $odns 53 out via $oif $ks\n"
"################### End of example ipfw rules script ############\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1792
msgid ""
"The rules are not important as the focus of this example is how the symbolic "
"substitution fields are populated."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1794
msgid ""
"If the above example was in [.filename]#/etc/ipfw.rules#, the rules could be "
"reloaded by the following command:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1798
#, no-wrap
msgid "# sh /etc/ipfw.rules\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1801
msgid ""
"[.filename]#/etc/ipfw.rules# can be located anywhere and the file can have "
"any name."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1803
msgid "The same thing could be accomplished by running these commands by hand:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1813
#, no-wrap
msgid ""
"# ipfw -q -f flush\n"
"# ipfw -q add check-state\n"
"# ipfw -q add deny all from any to any frag\n"
"# ipfw -q add deny tcp from any to any established\n"
"# ipfw -q add allow tcp from any to any 80 out via tun0 setup keep-state\n"
"# ipfw -q add allow tcp from any to 192.0.2.11 53 out via tun0 setup keep-state\n"
"# ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state\n"
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1816
#, no-wrap
msgid "IPFW Kernel Options"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1820
msgid ""
"In order to statically compile IPFW support into a custom kernel, refer to "
"the instructions in crossref:kernelconfig[kernelconfig,Configuring the "
"FreeBSD Kernel].  The following options are available for the custom kernel "
"configuration file:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1833
#, no-wrap
msgid ""
"options    IPFIREWALL\t\t\t# enables IPFW\n"
"options    IPFIREWALL_VERBOSE\t\t# enables logging for rules with log keyword to syslogd(8)\n"
"options    IPFIREWALL_VERBOSE_LIMIT=5\t# limits number of logged packets per-entry\n"
"options    IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied\n"
"options    IPFIREWALL_NAT\t\t# enables basic in-kernel NAT support\n"
"options    LIBALIAS\t\t\t# enables full in-kernel NAT support\n"
"options    IPFIREWALL_NAT64\t\t# enables in-kernel NAT64 support\n"
"options    IPFIREWALL_NPTV6\t\t# enables in-kernel IPv6 NPT support\n"
"options    IPFIREWALL_PMOD\t\t# enables protocols modification module support\n"
"options    IPDIVERT\t\t\t# enables NAT through natd(8)\n"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1838
msgid ""
"IPFW can also be loaded as a kernel module: the options above are built as "
"modules by default or can be set at runtime using tunables."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1841
#, no-wrap
msgid "IPFILTER (IPF)"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1844
msgid ""
"IPFILTER, also known as IPF, is a cross-platform, open source firewall which "
"has been ported to several operating systems, including FreeBSD, NetBSD, "
"OpenBSD, and Solaris(TM)."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1847
msgid ""
"IPFILTER is a kernel-side firewall and NAT mechanism that can be controlled "
"and monitored by userland programs.  Firewall rules can be set or deleted "
"using ipf, NAT rules can be set or deleted using ipnat, run-time statistics "
"for the kernel parts of IPFILTER can be printed using ipfstat, and ipmon can "
"be used to log IPFILTER actions to the system log files."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1850
msgid ""
"IPF was originally written using a rule processing logic of \"the last "
"matching rule wins\" and only used stateless rules.  Since then, IPF has "
"been enhanced to include the `quick` and `keep state` options."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1853
msgid ""
"The IPF FAQ is at http://www.phildev.net/ipf/index.html[http://"
"www.phildev.net/ipf/index.html].  A searchable archive of the IPFilter "
"mailing list is available at http://marc.info/?l=ipfilter[http://marc.info/?"
"l=ipfilter]."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1856
msgid ""
"This section of the Handbook focuses on IPF as it pertains to FreeBSD.  It "
"provides examples of rules that contain the `quick` and `keep state` options."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1857
#, no-wrap
msgid "Enabling IPF"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1860
msgid ""
"IPF is included in the basic FreeBSD install as a kernel loadable module, "
"meaning that a custom kernel is not needed in order to enable IPF."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1863
msgid ""
"For users who prefer to statically compile IPF support into a custom kernel, "
"refer to the instructions in crossref:kernelconfig[kernelconfig,Configuring "
"the FreeBSD Kernel].  The following kernel options are available:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1870
#, no-wrap
msgid ""
"options IPFILTER\n"
"options IPFILTER_LOG\n"
"options IPFILTER_LOOKUP\n"
"options IPFILTER_DEFAULT_BLOCK\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1873
msgid ""
"where `options IPFILTER` enables support for IPFILTER, `options "
"IPFILTER_LOG` enables IPF logging using the [.filename]#ipl# packet logging "
"pseudo-device for every rule that has the `log` keyword, `options "
"IPFILTER_LOOKUP` enables IP pools in order to speed up IP lookups, and "
"`options IPFILTER_DEFAULT_BLOCK` changes the default behavior so that any "
"packet not matching a firewall `pass` rule gets blocked."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1877
msgid ""
"To configure the system to enable IPF at boot time, add the following "
"entries to [.filename]#/etc/rc.conf#.  These entries will also enable "
"logging and `default pass all`.  To change the default policy to `block all` "
"without compiling a custom kernel, remember to add a `block all` rule at the "
"end of the ruleset."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1888
#, no-wrap
msgid ""
"ipfilter_enable=\"YES\"             # Start ipf firewall\n"
"ipfilter_rules=\"/etc/ipf.rules\"   # loads rules definition text file\n"
"ipv6_ipfilter_rules=\"/etc/ipf6.rules\" # loads rules definition text file for IPv6\n"
"ipmon_enable=\"YES\"                # Start IP monitor log\n"
"ipmon_flags=\"-Ds\"                 # D = start as daemon\n"
"                                  # s = log to syslog\n"
"                                  # v = log tcp window, ack, seq\n"
"                                  # n = map IP & port to names\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1891
msgid "If NAT functionality is needed, also add these lines:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1897
#, no-wrap
msgid ""
"gateway_enable=\"YES\"              # Enable as LAN gateway\n"
"ipnat_enable=\"YES\"                # Start ipnat function\n"
"ipnat_rules=\"/etc/ipnat.rules\"    # rules definition file for ipnat\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1900
msgid "Then, to start IPF now:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1904
#, no-wrap
msgid "# service ipfilter start\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1908
msgid ""
"To load the firewall rules, specify the name of the ruleset file using "
"`ipf`.  The following command can be used to replace the currently running "
"firewall rules:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1912
#, no-wrap
msgid "# ipf -Fa -f /etc/ipf.rules\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1915
msgid ""
"where `-Fa` flushes all the internal rules tables and `-f` specifies the "
"file containing the rules to load."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1918
msgid ""
"This provides the ability to make changes to a custom ruleset and update the "
"running firewall with a fresh copy of the rules without having to reboot the "
"system.  This method is convenient for testing new rules as the procedure "
"can be executed as many times as needed."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1920
msgid ""
"Refer to man:ipf[8] for details on the other flags available with this "
"command."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1921
#, no-wrap
msgid "IPF Rule Syntax"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1927
msgid ""
"This section describes the IPF rule syntax used to create stateful rules.  "
"When creating rules, keep in mind that unless the `quick` keyword appears in "
"a rule, every rule is read in order, with the _last matching rule_ being the "
"one that is applied.  This means that even if the first rule to match a "
"packet is a `pass`, if there is a later matching rule that is a `block`, the "
"packet will be dropped.  Sample rulesets can be found in [.filename]#/usr/"
"share/examples/ipfilter#."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1930
msgid ""
"When creating rules, a `+#+` character is used to mark the start of a "
"comment and may appear at the end of a rule, to explain that rule's "
"function, or on its own line.  Any blank lines are ignored."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1935
msgid ""
"The keywords which are used in rules must be written in a specific order, "
"from left to right.  Some keywords are mandatory while others are optional.  "
"Some keywords have sub-options which may be keywords themselves and also "
"include more sub-options.  The keyword order is as follows, where the words "
"shown in uppercase represent a variable and the words shown in lowercase "
"must precede the variable that follows it:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1937
msgid ""
"`_ACTION DIRECTION OPTIONS proto PROTO_TYPE from SRC_ADDR SRC_PORT to "
"DST_ADDR DST_PORT TCP_FLAG|ICMP_TYPE keep state STATE_`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1941
msgid ""
"This section describes each of these keywords and their options.  It is not "
"an exhaustive list of every possible option.  Refer to man:ipf[5] for a "
"complete description of the rule syntax that can be used when creating IPF "
"rules and examples for using each keyword."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1946
msgid ""
"The action keyword indicates what to do with the packet if it matches that "
"rule.  Every rule _must_ have an action.  The following actions are "
"recognized:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1948
msgid "`block`: drops the packet."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1950
msgid "`pass`: allows the packet."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1952
msgid "`log`: generates a log record."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1954
msgid ""
"`count`: counts the matching packets and bytes, which gives an indication "
"of how often a rule is used."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1956
msgid "`auth`: queues the packet for further processing by another program."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1958
msgid ""
"`call`: provides access to functions built into IPF that allow more complex "
"actions."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1960
msgid ""
"`decapsulate`: removes any headers in order to process the contents of the "
"packet."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1961
#, no-wrap
msgid "DIRECTION"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1963
msgid ""
"Next, each rule must explicitly state the direction of traffic using one of "
"these keywords:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1965
msgid "`in`: the rule is applied against an inbound packet."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1967
msgid "`out`: the rule is applied against an outbound packet."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1969
msgid "`all`: the rule applies to either direction."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1971
msgid ""
"If the system has multiple interfaces, the interface can be specified along "
"with the direction. An example would be `in on fxp0`."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1975
msgid ""
"The options are optional.  However, if more than one is specified, they "
"must appear in the order shown here."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1977
msgid ""
"`log`: when performing the specified ACTION, the contents of the packet's "
"headers will be written to the man:ipl[4] packet log pseudo-device."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1979
msgid ""
"`quick`: if a packet matches this rule, the ACTION specified by the rule "
"occurs and no further processing of any following rules will occur for this "
"packet."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1982
msgid ""
"`on`: must be followed by the interface name as displayed by "
"man:ifconfig[8].  The rule will only match if the packet is going through "
"the specified interface in the specified direction."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1984
msgid ""
"When using the `log` keyword, the following qualifiers may be used in this "
"order:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1986
msgid ""
"`body`: indicates that the first 128 bytes of the packet contents will be "
"logged after the headers."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1988
msgid ""
"`first`: if the `log` keyword is being used in conjunction with a `keep "
"state` option, this option is recommended so that only the triggering packet "
"is logged and not every packet which matches the stateful connection."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1991
msgid ""
"Additional options are available to specify error return messages.  Refer to "
"man:ipf[5] for more details."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1992
#, no-wrap
msgid "PROTO_TYPE"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1998
msgid ""
"The protocol type is optional.  However, it is mandatory if the rule needs "
"to specify a SRC_PORT or a DST_PORT as it defines the type of protocol.  "
"When specifying the type of protocol, use the `proto` keyword followed by "
"either a protocol number or name from [.filename]#/etc/protocols#.  Example "
"protocol names include `tcp`, `udp`, or `icmp`.  If PROTO_TYPE is specified "
"but no SRC_PORT or DST_PORT is specified, all port numbers for that protocol "
"will match that rule."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/firewalls/_index.adoc:1999
#, no-wrap
msgid "SRC_ADDR"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2003
msgid ""
"The `from` keyword is mandatory and is followed by a keyword which "
"represents the source of the packet.  The source can be a hostname, an IP "
"address followed by the CIDR mask, an address pool, or the keyword `all`.  "
"Refer to man:ipf[5] for examples."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2007
msgid ""
"There is no way to match ranges of IP addresses which cannot be expressed "
"easily in dotted numeric form / mask-length notation.  The "
"package:net-mgmt/ipcalc[] package or port may be used to ease the "
"calculation of the CIDR mask.  Additional information is available at the "
"utility's web page: http://jodies.de/ipcalc[http://jodies.de/ipcalc]."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2012
msgid ""
"The port number of the source is optional.  However, if it is used, it "
"requires PROTO_TYPE to be defined earlier in the rule with the `proto` "
"keyword."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2014
msgid ""
"A number of different comparison operators are supported: `=` (equal to), `!"
"=` (not equal to), `<` (less than), `>` (greater than), `<=` (less than or "
"equal to), and `>=` (greater than or equal to)."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2016
msgid ""
"To specify port ranges, place the two port numbers between `<>` (less than "
"and greater than), `><` (greater than and less than), or `:` (greater than "
"or equal to and less than or equal to)."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2017
#, no-wrap
msgid "DST_ADDR"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2020
msgid ""
"The `to` keyword is mandatory and is followed by a keyword which represents "
"the destination of the packet.  Similar to SRC_ADDR, it can be a hostname, "
"an IP address followed by the CIDR mask, an address pool, or the keyword "
"`all`."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2025
msgid ""
"Similar to SRC_PORT, the port number of the destination is optional.  "
"However, if it is used, it requires PROTO_TYPE to be defined earlier in the "
"rule with the `proto` keyword."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2026
#, no-wrap
msgid "TCP_FLAG|ICMP_TYPE"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2029
msgid ""
"If `tcp` is specified as the PROTO_TYPE, flags can be specified as letters, "
"where each letter represents one of the possible TCP flags used to determine "
"the state of a connection.  Possible values are: `S` (SYN), `A` (ACK), `P` "
"(PSH), `F` (FIN), `U` (URG), `R` (RST), `C` (CWN), and `E` (ECN)."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2032
msgid ""
"If `icmp` is specified as the PROTO_TYPE, the ICMP type to match can be "
"specified.  Refer to man:ipf[5] for the allowable types."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2033
#, no-wrap
msgid "STATE"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2037
msgid ""
"If a `pass` rule contains `keep state`, IPF will add an entry to its dynamic "
"state table and allow subsequent packets that match the connection.  IPF can "
"track state for TCP, UDP, and ICMP sessions.  Any packet that IPF can be "
"certain is part of an active session, even if it is a different protocol, "
"will be allowed."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2044
msgid ""
"In IPF, packets destined to go out through the interface connected to the "
"public Internet are first checked against the dynamic state table.  If the "
"packet matches the next expected packet comprising an active session "
"conversation, it exits the firewall and the state of the session "
"conversation flow is updated in the dynamic state table.  Packets that do "
"not belong to an already active session are checked against the outbound "
"ruleset.  Packets coming in from the interface connected to the public "
"Internet are first checked against the dynamic state table.  If the packet "
"matches the next expected packet comprising an active session, it exits the "
"firewall and the state of the session conversation flow is updated in the "
"dynamic state table.  Packets that do not belong to an already active "
"session are checked against the inbound ruleset."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2048
msgid ""
"Several keywords can be added after `keep state`.  If used, these keywords "
"set various options that control stateful filtering, such as setting "
"connection limits or connection age.  Refer to man:ipf[5] for the list of "
"available options and their descriptions."
msgstr ""

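As an added example, written for this section and not taken from the Handbook or from IPFILTER itself, the following Python code parses a small subset of the rule syntax described above (`ACTION DIRECTION [log] [quick] [on IFACE] [proto P] from SRC to DST [port = N] [flags F] [keep state]`, or `all` in place of the address part) and evaluates a ruleset against a packet the way IPF does: every rule is consulted and the last match wins, unless the matching rule carries `quick`. The interface names, addresses and packets are constructed; port ranges, ICMP types and the `flags` mask form are outside this subset.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Supported subset of the keyword order given above:
#   ACTION DIRECTION [log] [quick] [on IFACE] [proto P]
#   (all | from SRC to DST [port = N]) [flags F] [keep state]
# Anything else is rejected, so a typo cannot pass as a looser rule.

@dataclass
class Rule:
    action: str
    direction: str
    log: bool = False
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None   # None matches any address
    dst: Optional[ipaddress.IPv4Network] = None
    dst_port: Optional[int] = None
    flags: Optional[str] = None                   # e.g. "S"; mask form not handled
    keep_state: bool = False

def _net(tok):
    return None if tok in ("any", "all") else ipaddress.ip_network(tok, strict=False)

def parse_rule(line):
    """Parse one IPF rule line; comment and blank lines yield None."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    t = line.split()
    if (len(t) < 3 or t[0] not in ("block", "pass", "log", "count")
            or t[1] not in ("in", "out", "all")):
        raise ValueError(f"bad action/direction: {line}")
    r, i = Rule(action=t[0], direction=t[1]), 2
    # options are only recognised in this fixed order
    for kw, attr, width in (("log", "log", 1), ("quick", "quick", 1),
                            ("on", "iface", 2), ("proto", "proto", 2)):
        if t[i:i + 1] == [kw] and i + width <= len(t):
            setattr(r, attr, True if width == 1 else t[i + 1])
            i += width
    if t[i:i + 1] == ["all"]:                     # shorthand for "from any to any"
        i += 1
    elif t[i:i + 1] == ["from"] and t[i + 2:i + 3] == ["to"] and len(t) > i + 3:
        r.src, r.dst, i = _net(t[i + 1]), _net(t[i + 3]), i + 4
        if t[i:i + 1] == ["port"]:
            if r.proto is None or t[i + 1:i + 2] != ["="] or len(t) <= i + 2:
                raise ValueError(f"port needs proto and the form 'port = N': {line}")
            r.dst_port, i = int(t[i + 2]), i + 3
    else:
        raise ValueError(f"expected 'from SRC to DST' or 'all': {line}")
    if t[i:i + 1] == ["flags"] and i + 1 < len(t):
        r.flags, i = t[i + 1], i + 2
    if t[i:i + 2] == ["keep", "state"]:
        r.keep_state, i = True, i + 2
    if i != len(t):
        raise ValueError(f"unexpected tokens {t[i:]}: {line}")
    return r

def matches(rule, pkt):
    """True when every qualifier the rule carries agrees with the packet."""
    def in_net(net, ip):
        return net is None or ipaddress.ip_address(ip) in net
    # "flags S" means SYN set and the other basic flags (FSRPAU) clear.
    return (rule.direction in ("all", pkt["dir"]) and rule.iface in (None, pkt["iface"])
            and rule.proto in (None, pkt["proto"])
            and in_net(rule.src, pkt["src"]) and in_net(rule.dst, pkt["dst"])
            and rule.dst_port in (None, pkt.get("dport"))
            and (rule.flags is None
                 or set(rule.flags) == set(pkt.get("flags", "")) & set("FSRPAU")))

def evaluate(rules, pkt):
    """Every rule is consulted and the last match wins, unless it says quick."""
    winner = None
    for rule in rules:
        if rule.action in ("pass", "block") and matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner

def verdict(ruleset_text, pkt):
    """'pass' or 'block'; no match falls back to IPF's default pass policy
    (the rc.conf setup above; IPFILTER_DEFAULT_BLOCK would make it block)."""
    hit = evaluate([r for r in map(parse_rule, ruleset_text.splitlines()) if r], pkt)
    return hit.action if hit else "pass"

# Constructed rulesets. The first shows why quick matters: the later
# "block in on dc0 all" is the last match and overrides the earlier pass.
LAST_MATCH_WINS = """
pass in on dc0 proto tcp from any to 198.51.100.2 port = 22 flags S keep state
block in on dc0 all
"""
WITH_QUICK = LAST_MATCH_WINS.replace("pass in on", "pass in quick on")

# Constructed packet: a TCP SYN arriving on dc0 for the ssh port.
SSH_SYN = {"dir": "in", "iface": "dc0", "proto": "tcp", "src": "203.0.113.7",
           "dst": "198.51.100.2", "dport": 22, "flags": "S"}
```

`verdict(LAST_MATCH_WINS, SSH_SYN)` returns `block` because the trailing block rule is the last match, while `verdict(WITH_QUICK, SSH_SYN)` returns `pass`.
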
#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2052
msgid ""
"This section demonstrates how to create an example ruleset which only allows "
"services matching `pass` rules and blocks all others."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2055
msgid ""
"FreeBSD uses the loopback interface ([.filename]#lo0#) and the IP address "
"`127.0.0.1` for internal communication.  The firewall ruleset must contain "
"rules to allow free movement of these internally used packets:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2061
#, no-wrap
msgid ""
"# no restrictions on loopback interface\n"
"pass in quick on lo0 all\n"
"pass out quick on lo0 all\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2066
msgid ""
"The public interface connected to the Internet is used to authorize and "
"control access of all outbound and inbound connections.  If one or more "
"interfaces are cabled to private networks, those internal interfaces may "
"require rules to allow packets originating from the LAN to flow between the "
"internal networks or to the interface attached to the Internet.  The ruleset "
"should be organized into three major sections: any trusted internal "
"interfaces, outbound connections through the public interface, and inbound "
"connections through the public interface."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2068
msgid ""
"These two rules allow all traffic to pass through a trusted LAN interface "
"named [.filename]#xl0#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2074
#, no-wrap
msgid ""
"# no restrictions on inside LAN interface for private network\n"
"pass out quick on xl0 all\n"
"pass in quick on xl0 all\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2077
msgid ""
"The rules for the public interface's outbound and inbound sections should "
"have the most frequently matched rules placed before less commonly matched "
"rules, with the last rule in the section blocking and logging all packets "
"for that interface and direction."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2081
msgid ""
"This set of rules defines the outbound section of the public interface named "
"[.filename]#dc0#.  These rules keep state and identify the specific services "
"that internal systems are authorized for public Internet access.  All the "
"rules use `quick` and specify the appropriate port numbers and, where "
"applicable, destination addresses."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2087
#, no-wrap
msgid ""
"# interface facing Internet (outbound)\n"
"# Matches session start requests originating from or behind the\n"
"# firewall, destined for the Internet.\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2093
#, no-wrap
msgid ""
"# Allow outbound access to public DNS servers.\n"
"# Replace x.x.x.x with address listed in /etc/resolv.conf.\n"
"# Repeat for each DNS server.\n"
"pass out quick on dc0 proto tcp from any to x.x.x.x port = 53 flags S keep state\n"
"pass out quick on dc0 proto udp from any to x.x.x.x port = 53 keep state\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2100
#, no-wrap
msgid ""
"# Allow access to ISP's specified DHCP server for cable or DSL networks.\n"
"# Use the first rule, then check log for the IP address of DHCP server.\n"
"# Then, uncomment the second rule, replace z.z.z.z with the IP address,\n"
"# and comment out the first rule\n"
"pass out log quick on dc0 proto udp from any to any port = 67 keep state\n"
"#pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep state\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2104
#, no-wrap
msgid ""
"# Allow HTTP and HTTPS\n"
"pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state\n"
"pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2108
#, no-wrap
msgid ""
"# Allow email\n"
"pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state\n"
"pass out quick on dc0 proto tcp from any to any port = 25 flags S keep state\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2111
#, no-wrap
msgid ""
"# Allow NTP (UDP port 123; TCP port 37 is the unrelated TIME service)\n"
"pass out quick on dc0 proto udp from any to any port = 123 keep state\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2114
#, no-wrap
msgid ""
"# Allow FTP\n"
"pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2117
#, no-wrap
msgid ""
"# Allow SSH\n"
"pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2120
#, no-wrap
msgid ""
"# Allow ping\n"
"pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2123
#, no-wrap
msgid ""
"# Block and log everything else\n"
"block out log first quick on dc0 all\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2127
msgid ""
"This example of the rules in the inbound section of the public interface "
"blocks all undesirable packets first.  This reduces the number of packets "
"that are logged by the last rule."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2141
#, no-wrap
msgid ""
"# interface facing Internet (inbound)\n"
"# Block all inbound traffic from non-routable or reserved address spaces\n"
"block in quick on dc0 from 192.168.0.0/16 to any    #RFC 1918 private IP\n"
"block in quick on dc0 from 172.16.0.0/12 to any     #RFC 1918 private IP\n"
"block in quick on dc0 from 10.0.0.0/8 to any        #RFC 1918 private IP\n"
"block in quick on dc0 from 127.0.0.0/8 to any       #loopback\n"
"block in quick on dc0 from 0.0.0.0/8 to any         #this network (RFC 1122)\n"
"block in quick on dc0 from 169.254.0.0/16 to any    #DHCP auto-config\n"
"block in quick on dc0 from 192.0.2.0/24 to any      #reserved for docs\n"
"block in quick on dc0 from 204.152.64.0/23 to any   #Sun cluster interconnect\n"
"block in quick on dc0 from 224.0.0.0/3 to any       #Class D & E multicast\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2145
#, no-wrap
msgid ""
"# Block fragments and too short tcp packets\n"
"block in quick on dc0 all with frags\n"
"block in quick on dc0 proto tcp all with short\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2149
#, no-wrap
msgid ""
"# block source routed packets\n"
"block in quick on dc0 all with opt lsrr\n"
"block in quick on dc0 all with opt ssrr\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2152
#, no-wrap
msgid ""
"# Block OS fingerprint attempts and log first occurrence\n"
"block in log first quick on dc0 proto tcp from any to any flags FUP\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2155
#, no-wrap
msgid ""
"# Block anything with special options\n"
"block in quick on dc0 all with ipopts\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2159
#, no-wrap
msgid ""
"# Block public pings and ident\n"
"block in quick on dc0 proto icmp all icmp-type 8\n"
"block in quick on dc0 proto tcp from any to any port = 113\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2165
#, no-wrap
msgid ""
"# Block incoming Netbios services\n"
"block in log first quick on dc0 proto tcp/udp from any to any port = 137\n"
"block in log first quick on dc0 proto tcp/udp from any to any port = 138\n"
"block in log first quick on dc0 proto tcp/udp from any to any port = 139\n"
"block in log first quick on dc0 proto tcp/udp from any to any port = 81\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2169
msgid ""
"Any time there are logged messages on a rule with the `log first` option, "
"run `ipfstat -hio` to evaluate how many times the rule has been matched.  A "
"large number of matches may indicate that the system is under attack."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2172
msgid ""
"The rest of the rules in the inbound section define which connections are "
"allowed to be initiated from the Internet.  The last rule denies all "
"connections which were not explicitly allowed by previous rules in this "
"section."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2178
#, no-wrap
msgid ""
"# Allow traffic in from ISP's DHCP server. Replace z.z.z.z with\n"
"# the same IP address used in the outbound section.\n"
"pass in quick on dc0 proto udp from z.z.z.z to any port = 68 keep state\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2181
#, no-wrap
msgid ""
"# Allow public connections to specified internal web server\n"
"pass in quick on dc0 proto tcp from any to x.x.x.x port = 80 flags S keep state\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2184
#, no-wrap
msgid ""
"# Block and log only first occurrence of all remaining traffic.\n"
"block in log first quick on dc0 all\n"
msgstr ""
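
The ordering this section relies on (address-space blocks first, `quick` to stop processing, a logging catch-all last) can be checked offline with a small evaluator. The following is an added example and is not code from the Handbook or from IPFilter: it models part of the inbound section above, replaces `x.x.x.x` with the constructed placeholder address 198.51.100.10, and handles only the rule keywords used on this page. The `Packet` and `Rule` types and the `evaluate` function are names chosen for the example.

```python
"""Simplified evaluator for the ipf rule syntax used in the ruleset above.
Added example, not code from the Handbook or from IPFilter: it handles only
the keywords that ruleset uses, treats 'log first' as plain 'log', and never
matches rules carrying a 'with ...' qualifier (frags, short, opt, ipopts)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Inbound rules from above; x.x.x.x replaced by the constructed 198.51.100.10.
RULES_TEXT = """
block in quick on dc0 from 192.168.0.0/16 to any    #RFC 1918 private IP
block in quick on dc0 from 10.0.0.0/8 to any        #RFC 1918 private IP
block in quick on dc0 all with frags
block in log first quick on dc0 proto tcp from any to any flags FUP
block in quick on dc0 proto icmp all icmp-type 8
block in log first quick on dc0 proto tcp/udp from any to any port = 137
pass in quick on dc0 proto tcp from any to 198.51.100.10 port = 80 flags S keep state
block in log first quick on dc0 all
"""

@dataclass
class Packet:
    iface: str
    direction: str                  # "in" or "out"
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    flags: str = ""                 # TCP flags that are set, e.g. "S", "SA", "FUP"
    icmp_type: Optional[int] = None

@dataclass
class Rule:
    action: str                     # "pass" or "block"
    direction: str
    iface: str = ""
    quick: bool = False
    log: bool = False
    proto: Optional[str] = None     # "tcp", "udp", "icmp" or "tcp/udp"
    src: Optional[object] = None    # ip_network, or None for "any"
    dst: Optional[object] = None
    dport: Optional[int] = None
    flags: Optional[str] = None
    icmp_type: Optional[int] = None
    with_qualifier: bool = False    # "with frags" etc.: not modelled, never matches

def _net(tok):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_rule(line):
    toks = line.split("#", 1)[0].split()
    rule, i = Rule(action=toks[0], direction=toks[1]), 2
    while i < len(toks):
        t = toks[i]
        if t in ("first", "all"):               i += 1
        elif t == "log":       rule.log = True; i += 1
        elif t == "quick":     rule.quick = True; i += 1
        elif t == "on":        rule.iface = toks[i + 1]; i += 2
        elif t == "proto":     rule.proto = toks[i + 1]; i += 2
        elif t == "from":      rule.src = _net(toks[i + 1]); i += 2
        elif t == "to":        rule.dst = _net(toks[i + 1]); i += 2
        elif t == "port":      rule.dport = int(toks[i + 2]); i += 3      # port = N
        elif t == "flags":     rule.flags = toks[i + 1]; i += 2
        elif t == "icmp-type": rule.icmp_type = int(toks[i + 1]); i += 2
        elif t == "keep":      i += 2                                      # keep state
        elif t == "with":      rule.with_qualifier = True; i = len(toks)
        else: raise ValueError(f"unsupported token {t!r} in rule: {line}")
    return rule

def matches(rule, pkt):
    if rule.with_qualifier or (rule.direction, rule.iface) != (pkt.direction, pkt.iface):
        return False
    if rule.proto and pkt.proto not in rule.proto.split("/"):
        return False
    for net, addr in ((rule.src, pkt.src), (rule.dst, pkt.dst)):
        if net is not None and ipaddress.ip_address(addr) not in net:
            return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    # "flags S" is short for "flags S/FSRPAU": SYN set and the other five clear.
    if rule.flags is not None and set(pkt.flags) & set("FSRPAU") != set(rule.flags):
        return False
    return rule.icmp_type is None or rule.icmp_type == pkt.icmp_type

def evaluate(rules, pkt):
    """Return (action, index of the deciding rule, logged?). The *last* matching
    rule decides, except a matching 'quick' rule decides at once; no match = pass."""
    verdict = ("pass", None, False)
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            verdict = (rule.action, idx, rule.log)
            if rule.quick:
                break
    return verdict

RULES = [parse_rule(line) for line in RULES_TEXT.strip().splitlines()]

if __name__ == "__main__":
    print(evaluate(RULES, Packet("dc0", "in", "tcp", "203.0.113.7", "198.51.100.10", 22, "S")))
```

Two details worth noticing when running it: a packet in the outbound direction matches none of these rules and is passed, which is why the outbound section needs its own closing block rule, and with `quick` removed the evaluator switches to last-match-wins, the default ipf behaviour that makes rule order matter in the opposite way.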

#. type: Title ===
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2186
#, no-wrap
msgid "Configuring NAT"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2189
msgid ""
"To enable NAT, add these statements to [.filename]#/etc/rc.conf# and specify "
"the name of the file containing the NAT rules:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2195
#, no-wrap
msgid ""
"gateway_enable=\"YES\"\n"
"ipnat_enable=\"YES\"\n"
"ipnat_rules=\"/etc/ipnat.rules\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2200
msgid ""
"NAT rules are flexible and can accomplish many different things to fit the "
"needs of both commercial and home users.  The rule syntax presented here has "
"been simplified to demonstrate common usage.  For a complete rule syntax "
"description, refer to man:ipnat[5]."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2202
msgid ""
"The basic syntax for a NAT rule is as follows, where `map` starts the rule "
"and _IF_ should be replaced with the name of the external interface:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2206
#, no-wrap
msgid "map IF LAN_IP_RANGE -> PUBLIC_ADDRESS\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2211
msgid ""
"The _LAN_IP_RANGE_ is the range of IP addresses used by internal clients.  "
"Usually, it is a private address range such as `192.168.1.0/24`.  The "
"_PUBLIC_ADDRESS_ can either be the static external IP address or the keyword "
"`0/32` which represents the IP address assigned to _IF_."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2218
msgid ""
"In IPF, when a packet arrives at the firewall from the LAN with a public "
"destination, it first passes through the outbound rules of the firewall "
"ruleset.  Then, the packet is passed to the NAT ruleset which is read from "
"the top down, where the first matching rule wins.  IPF tests each NAT rule "
"against the packet's interface name and source IP address.  When a packet's "
"interface name matches a NAT rule, the packet's source IP address in the "
"private LAN is checked to see if it falls within the IP address range "
"specified in _LAN_IP_RANGE_.  On a match, the packet has its source IP "
"address rewritten with the public IP address specified by _PUBLIC_ADDRESS_.  "
"IPF posts an entry in its internal NAT table so that when the packet returns "
"from the Internet, it can be mapped back to its original private IP address "
"before being passed to the firewall rules for further processing."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2221
msgid ""
"For networks that have large numbers of internal systems or multiple "
"subnets, the process of funneling every private IP address into a single "
"public IP address becomes a resource problem.  Two methods are available to "
"relieve this issue."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2224
msgid ""
"The first method is to assign a range of ports to use as source ports.  By "
"adding the `portmap` keyword, NAT can be directed to only use source ports "
"in the specified range:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2228
#, no-wrap
msgid "map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2231
msgid ""
"Alternately, use the `auto` keyword which tells NAT to determine the ports "
"that are available for use:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2235
#, no-wrap
msgid "map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto\n"
msgstr ""
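
To make the `map` processing described above and the `portmap` source-port range concrete, here is an added toy model of the rule `map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000`. It is not code from the Handbook or from IPFilter: it rewrites the source of matching LAN packets, keeps the translation table, and reverses the mapping on replies, for one rule and TCP/UDP only. The public address 203.0.113.5 that `0/32` resolves to and the `MapRule`/`Packet` names are assumptions of the example, and the port range it uses for `auto` is the model's own choice, not what ipnat selects.

```python
"""Toy model of an ipnat 'map ... portmap' rule, showing the outbound
source rewrite, the translation table entry and the reverse lookup on the
reply, as described above. Added example, not code from the Handbook or
from IPFilter: one rule, TCP/UDP only, and 203.0.113.5 stands in for the
address that '0/32' resolves to on the interface (constructed value)."""
import ipaddress
import re
from dataclasses import dataclass

MAP_RE = re.compile(
    r"^map\s+(?P<iface>\S+)\s+(?P<lan>\S+)\s+->\s+(?P<pub>\S+)"
    r"(?:\s+portmap\s+(?P<protos>\S+)\s+(?P<ports>\S+))?$")

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

class MapRule:
    def __init__(self, line, iface_addr):
        m = MAP_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported map rule: {line!r}")
        self.iface = m["iface"]
        self.lan = ipaddress.ip_network(m["lan"], strict=False)
        # 0/32 means "the address currently assigned to the interface"
        self.public = iface_addr if m["pub"] == "0/32" else m["pub"].split("/")[0]
        self.protos = m["protos"].split("/") if m["protos"] else ["tcp", "udp"]
        if m["ports"] and m["ports"] != "auto":
            lo, hi = map(int, m["ports"].split(":"))
        else:
            lo, hi = 1024, 65535           # model's choice for 'auto' / no portmap
        self.ports = range(lo, hi + 1)
        self.next_port = lo
        # translation table: (proto, public port) -> (private address, private port)
        self.table = {}

    def applies(self, pkt):
        return (pkt.iface == self.iface and pkt.proto in self.protos
                and ipaddress.ip_address(pkt.src) in self.lan)

    def _alloc_port(self, proto):
        # Walk the portmap range once; every LAN host gets a distinct public
        # port, so two hosts reusing the same private port cannot collide.
        for _ in self.ports:
            p = self.next_port
            self.next_port = p + 1 if p + 1 in self.ports else self.ports.start
            if (proto, p) not in self.table:
                return p
        raise RuntimeError("portmap range exhausted")   # the resource problem above

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source and record the mapping."""
        if not self.applies(pkt):
            return pkt                     # interface or source did not match
        for (proto, pub_port), priv in self.table.items():
            if proto == pkt.proto and priv == (pkt.src, pkt.sport):
                break                      # existing entry for this source
        else:
            pub_port = self._alloc_port(pkt.proto)
            self.table[(pkt.proto, pub_port)] = (pkt.src, pkt.sport)
        return Packet(pkt.iface, pkt.proto, self.public, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> LAN: undo the mapping, or None when no entry exists
        (an unsolicited packet, which is then left to the inbound filter rules)."""
        if pkt.iface != self.iface or pkt.dst != self.public:
            return None
        priv = self.table.get((pkt.proto, pkt.dport))
        if priv is None:
            return None
        return Packet(pkt.iface, pkt.proto, pkt.src, pkt.sport, priv[0], priv[1])

if __name__ == "__main__":
    nat = MapRule("map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:60000", "203.0.113.5")
    out = nat.outbound(Packet("dc0", "tcp", "192.168.1.10", 1234, "198.51.100.80", 80))
    print("outbound rewritten to", out.src, out.sport)
    back = nat.inbound(Packet("dc0", "tcp", "198.51.100.80", 80, "203.0.113.5", out.sport))
    print("reply delivered to", back.dst, back.dport)
```

The `inbound` method returning `None` is the case that matters for the firewall: a packet arriving for the public address with no table entry is not translated and therefore meets the inbound filter rules as-is, where the closing block rule drops it. Exhausting a narrow `portmap` range raises an error in the model, which is the resource problem the text describes and the reason for `auto` or an address pool.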

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2240
msgid ""
"The second method is to use a pool of public addresses.  This is useful when "
"there are too many LAN addresses to fit into a single public address and a "
"block of public IP addresses is available.  These public addresses can be "
"used as a pool from which NAT selects an IP address as a packet's address is "
"mapped on its way out."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2243
msgid ""
"The range of public IP addresses can be specified using a netmask or CIDR "
"notation.  These two rules are equivalent:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2248
#, no-wrap
msgid ""
"map dc0 192.168.1.0/24 -> 204.134.75.0/255.255.255.0\n"
"map dc0 192.168.1.0/24 -> 204.134.75.0/24\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2253
msgid ""
"A common practice is to have a publicly accessible web server or mail server "
"segregated to an internal network segment.  The traffic from these servers "
"still has to undergo NAT, but port redirection is needed to direct inbound "
"traffic to the correct server.  For example, to map a web server using the "
"internal address `10.0.10.25` to its public IP address of `20.20.20.5`, use "
"this rule:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2257
#, no-wrap
msgid "rdr dc0 20.20.20.5/32 port 80 -> 10.0.10.25 port 80\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2260
msgid ""
"If it is the only web server, this rule would also work as it redirects all "
"external HTTP requests to `10.0.10.25`:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2264
#, no-wrap
msgid "rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.25 port 80\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2269
msgid ""
"IPF has a built-in FTP proxy which can be used with NAT.  It monitors all "
"outbound traffic for active or passive FTP connection requests and "
"dynamically creates temporary filter rules containing the port number used "
"by the FTP data channel.  This eliminates the need to open large ranges of "
"high order ports for FTP connections."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2272
msgid ""
"In this example, the first rule calls the proxy for outbound FTP traffic "
"from the internal LAN.  The second rule passes the FTP traffic from the "
"firewall to the Internet, and the third rule handles all non-FTP traffic "
"from the internal LAN:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2278
#, no-wrap
msgid ""
"map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp\n"
"map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp\n"
"map dc0 10.0.10.0/29 -> 0/32\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2282
msgid ""
"The FTP `map` rules go before the NAT rule so that when a packet matches an "
"FTP rule, the FTP proxy creates temporary filter rules to let the FTP "
"session packets pass and undergo NAT.  All LAN packets that are not FTP will "
"not match the FTP rules but will undergo NAT if they match the third rule."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2285
msgid ""
"Without the FTP proxy, the following firewall rules would instead be "
"needed.  Note that without the proxy, all ports above `1024` need to be "
"allowed:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2291
#, no-wrap
msgid ""
"# Allow out LAN PC client FTP to public Internet\n"
"# Active and passive modes\n"
"pass out quick on rl0 proto tcp from any to any port = 21 flags S keep state\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2294
#, no-wrap
msgid ""
"# Allow out passive mode data channel high order port numbers\n"
"pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep state\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2297
#, no-wrap
msgid ""
"# Active mode let data channel in from FTP server\n"
"pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2301
msgid ""
"Whenever the file containing the NAT rules is edited, run `ipnat` with `-CF` "
"to delete the current NAT rules and flush the contents of the dynamic "
"translation table.  Include `-f` and specify the name of the NAT ruleset to "
"load:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2305
#, no-wrap
msgid "# ipnat -CF -f /etc/ipnat.rules\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2308
msgid "To display the NAT statistics:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2312
#, no-wrap
msgid "# ipnat -s\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2315
msgid "To list the NAT table's current mappings:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2319
#, no-wrap
msgid "# ipnat -l\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2322
msgid ""
"To turn verbose mode on and display information relating to rule processing "
"and active rules and table entries:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2326
#, no-wrap
msgid "# ipnat -v\n"
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2328
#, no-wrap
msgid "Viewing IPF Statistics"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2332
msgid ""
"IPF includes man:ipfstat[8] which can be used to retrieve and display "
"statistics which are gathered as packets match rules as they go through the "
"firewall.  Statistics are accumulated since the firewall was last started or "
"since the last time they were reset to zero using `ipf -Z`."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2334
msgid "The default `ipfstat` output looks like this:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2354
#, no-wrap
msgid ""
"input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0\n"
" output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0\n"
" input packets logged: blocked 99286 passed 0\n"
" output packets logged: blocked 0 passed 0\n"
" packets logged: input 0 output 0\n"
" log failures: input 3898 output 0\n"
" fragment state(in): kept 0 lost 0\n"
" fragment state(out): kept 0 lost 0\n"
" packet state(in): kept 169364 lost 0\n"
" packet state(out): kept 431395 lost 0\n"
" ICMP replies: 0 TCP RSTs sent: 0\n"
" Result cache hits(in): 1215208 (out): 1098963\n"
" IN Pullups succeeded: 2 failed: 0\n"
" OUT Pullups succeeded: 0 failed: 0\n"
" Fastroute successes: 0 failures: 0\n"
" TCP cksum fails(in): 0 (out): 0\n"
" Packet log flags set: (0)\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2360
msgid ""
"Several options are available.  When supplied with either `-i` for inbound "
"or `-o` for outbound, the command will retrieve and display the appropriate "
"list of filter rules currently installed and in use by the kernel.  To also "
"see the rule numbers, include `-n`.  For example, `ipfstat -on` displays the "
"outbound rules table with rule numbers:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2366
#, no-wrap
msgid ""
"@1 pass out on xl0 from any to any\n"
"@2 block out on dc0 from any to any\n"
"@3 pass out quick on dc0 proto tcp/udp from any to any keep state\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2370
msgid ""
"Include `-h` to prefix each rule with a count of how many times the rule was "
"matched.  For example, `ipfstat -oh` displays the outbound internal rules "
"table, prefixing each rule with its usage count:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2376
#, no-wrap
msgid ""
"2451423 pass out on xl0 from any to any\n"
"354727 block out on dc0 from any to any\n"
"430918 pass out quick on dc0 proto tcp/udp from any to any keep state\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2382
msgid ""
"To display the state table in a format similar to man:top[1], use `ipfstat "
"-t`.  When the firewall is under attack, this option provides the ability to "
"identify and see the attacking packets.  The optional sub-flags give the "
"ability to select the destination or source IP, port, or protocol to be "
"monitored in real time.  Refer to man:ipfstat[8] for details."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2383
#, no-wrap
msgid "IPF Logging"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2387
msgid ""
"IPF provides `ipmon`, which can be used to write the firewall's logging "
"information in a human-readable format.  It requires that `options "
"IPFILTER_LOG` first be added to a custom kernel using the instructions in "
"crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2390
msgid ""
"This command is typically run in daemon mode in order to provide a "
"continuous system log file so that past events may be reviewed.  Since "
"FreeBSD has a built-in man:syslogd[8] facility to automatically rotate "
"system logs, the default [.filename]#rc.conf# `ipmon_flags` statement uses `-"
"Ds`:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2397
#, no-wrap
msgid ""
"ipmon_flags=\"-Ds\" # D = start as daemon\n"
"                  # s = log to syslog\n"
"                  # v = log tcp window, ack, seq\n"
"                  # n = map IP & port to names\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2401
msgid ""
"Logging provides the ability to review, after the fact, information such as "
"which packets were dropped, what addresses they came from, and where they "
"were going.  This information is useful in tracking down attackers."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2406
msgid ""
"Once the logging facility is enabled in [.filename]#rc.conf# and started "
"with `service ipmon start`, IPF will only log packets that match rules "
"containing the `log` keyword.  The firewall administrator decides which "
"rules in the ruleset should be logged, and normally only deny rules are "
"logged.  It is customary to include the `log` keyword in the last rule in "
"the ruleset.  This makes it possible to see all the packets that did not "
"match any of the rules in the ruleset."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2409
msgid ""
"By default, `ipmon -Ds` mode uses `local0` as the logging facility.  The "
"following logging levels can be used to further segregate the logged data:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2416
#, no-wrap
msgid ""
"LOG_INFO - packets logged using the \"log\" keyword as the action rather than pass or block.\n"
"LOG_NOTICE - packets logged which are also passed\n"
"LOG_WARNING - packets logged which are also blocked\n"
"LOG_ERR - packets which have been logged and which can be considered short due to an incomplete header\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2419
msgid ""
"In order to set up IPF to log all data to [.filename]#/var/log/ipfilter."
"log#, first create the empty file:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2423
#, no-wrap
msgid "# touch /var/log/ipfilter.log\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2426
msgid ""
"Then, to write all logged messages to the specified file, add the following "
"statement to [.filename]#/etc/syslog.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2430
#, no-wrap
msgid "local0.* /var/log/ipfilter.log\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2433
msgid ""
"To activate the changes and instruct man:syslogd[8] to read the modified "
"[.filename]#/etc/syslog.conf#, run `service syslogd reload`."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2435
msgid ""
"Do not forget to edit [.filename]#/etc/newsyslog.conf# to rotate the new log "
"file."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2438
msgid ""
"Messages generated by `ipmon` consist of data fields separated by white "
"space.  Fields common to all messages are:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2440
msgid "The date of packet receipt."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2441
msgid ""
"The time of packet receipt. This is in the form HH:MM:SS.F, for hours, "
"minutes, seconds, and fractions of a second."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2442
msgid "The name of the interface that processed the packet."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2443
msgid "The group and rule number of the rule in the format `@0:17`."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2444
msgid ""
"The action: `p` for passed, `b` for blocked, `S` for a short packet, `n` for "
"a packet that did not match any rule, and `L` for a log rule."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2445
msgid ""
"The addresses written as three fields: the source address and port separated "
"by a comma, the -> symbol, and the destination address and port. For "
"example: `209.53.17.22,80 -> 198.73.220.17,1722`."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2446
msgid "`PR` followed by the protocol name or number: for example, `PR tcp`."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2447
msgid ""
"`len` followed by the header length and total length of the packet: for "
"example, `len 20 40`."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2450
msgid ""
"If the packet is a TCP packet, there will be an additional field starting "
"with a hyphen followed by letters corresponding to any flags that were set.  "
"Refer to man:ipf[5] for a list of letters and their flags."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2453
msgid ""
"If the packet is an ICMP packet, there will be two fields at the end: the "
"first always being \"icmp\" and the next being the ICMP message and sub-"
"message type, separated by a slash.  For example: `icmp 3/3` for a port "
"unreachable message."
msgstr ""
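
A parser for the message layout just described, as an added example that is not code from the Handbook or from IPFilter. The sample lines are constructed to follow the field list above (they are not captured `ipmon` output) with made-up addresses and rule numbers; `IpmonMessage`, `parse_line`, `describe` and `blocked_by_source` are names chosen for the example, and any trailing tokens beyond the fields listed above are ignored.

```python
"""Parser for the ipmon(8) message layout listed above. Added example, not
code from the Handbook or from IPFilter; the sample lines below are
constructed to follow that field list (they are not captured output), and
the addresses and rule numbers in them are made up."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample messages, as syslogd writes them to /var/log/ipfilter.log
# after the syslog timestamp/host prefix has been stripped.
SAMPLE_LOG = """\
12/03/2024 09:15:42.123456 dc0 @0:17 b 203.0.113.9,51432 -> 198.51.100.10,22 PR tcp len 20 60 -S
12/03/2024 09:15:43.000221 dc0 @0:17 b 203.0.113.9,51433 -> 198.51.100.10,22 PR tcp len 20 60 -S
12/03/2024 09:16:01.654321 dc0 @0:4 b 203.0.113.77,40001 -> 198.51.100.10,80 PR tcp len 20 40 -FUP
12/03/2024 09:16:05.000000 dc0 @0:9 b 203.0.113.9 -> 198.51.100.10 PR icmp len 20 84 icmp 8/0
12/03/2024 09:16:07.111111 dc0 @0:15 p 203.0.113.50,33000 -> 198.51.100.10,80 PR tcp len 20 60 -S
"""

ACTIONS = {"p": "passed", "b": "blocked", "S": "short", "n": "nomatch", "L": "log"}

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[pbSnL]) "
    r"(?P<src>[^\s,]+)(?:,(?P<sport>\d+))? -> (?P<dst>[^\s,]+)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<tlen>\d+)(?P<rest>.*)$")

@dataclass
class IpmonMessage:
    date: str
    time: str
    iface: str
    group: int
    rule: int
    action: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    hlen: int
    tlen: int
    tcp_flags: str = ""                 # letters after the hyphen, TCP only
    icmp_type: Optional[int] = None     # "icmp T/C" trailer, ICMP only
    icmp_code: Optional[int] = None

def parse_line(line):
    """Return an IpmonMessage, or None for a line that is not an ipmon message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    port = lambda v: int(v) if v else None      # ICMP messages carry no ports
    msg = IpmonMessage(m["date"], m["time"], m["iface"], int(m["group"]),
                       int(m["rule"]), m["action"], m["src"], port(m["sport"]),
                       m["dst"], port(m["dport"]), m["proto"],
                       int(m["hlen"]), int(m["tlen"]))
    rest = m["rest"].split()
    for i, tok in enumerate(rest):
        if tok.startswith("-") and msg.proto == "tcp":
            msg.tcp_flags = tok[1:]
        elif tok == "icmp" and i + 1 < len(rest) and "/" in rest[i + 1]:
            t, c = rest[i + 1].split("/", 1)
            msg.icmp_type, msg.icmp_code = int(t), int(c)
    return msg

def parse_log(text):
    return [m for m in map(parse_line, text.splitlines()) if m is not None]

def describe(msg):
    """One-line summary, e.g. for a daily review of what was dropped and why."""
    src = msg.src if msg.sport is None else f"{msg.src}:{msg.sport}"
    dst = msg.dst if msg.dport is None else f"{msg.dst}:{msg.dport}"
    detail = f" flags {msg.tcp_flags}" if msg.tcp_flags else ""
    if msg.icmp_type is not None:
        detail = f" icmp {msg.icmp_type}/{msg.icmp_code}"
    return f"{ACTIONS[msg.action]} {msg.proto} {src} -> {dst} by @{msg.group}:{msg.rule}{detail}"

def blocked_by_source(messages):
    """Blocked packets per source address, busiest first: the after-the-fact
    view of 'what was dropped and where it came from' that the text describes."""
    counts = {}
    for m in messages:
        if m.action == "b":
            counts[m.src] = counts.get(m.src, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))

if __name__ == "__main__":
    for m in parse_log(SAMPLE_LOG):
        print(describe(m))
    print(blocked_by_source(parse_log(SAMPLE_LOG)))
```

Lines that do not fit the layout (for example other syslog messages that landed in the same file) are skipped rather than raising, so the parser can be pointed at a whole `/var/log/ipfilter.log`; the source tally it produces is the per-address counterpart of the per-rule counts that `ipfstat -hio` reports.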

#. type: Title ==
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2455
#, no-wrap
msgid "Blocklistd"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2462
msgid ""
"Blocklistd is a daemon that listens on a socket for notifications from "
"other daemons about connection attempts that failed or succeeded.  It is "
"most widely used to block excessive connection attempts on open ports.  A "
"prime example is SSH exposed to the Internet, which receives many requests "
"from bots or scripts trying to guess passwords and gain access.  Using "
"blocklistd, the daemon can notify the firewall to create a filter rule that "
"blocks further connection attempts from a single source after a set number "
"of tries.  Blocklistd was first developed on NetBSD, where it appeared in "
"version 7 under its original name, blacklistd.  FreeBSD 11 imported "
"blocklistd from NetBSD."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2467
msgid ""
"This section describes how to set up and configure blocklistd and provides "
"examples of its use.  Readers should be familiar with basic firewall "
"concepts like rules.  For details, refer to the firewall chapter.  PF is "
"used in the examples, but other firewalls available on FreeBSD should be "
"able to work with blocklistd, too."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2468
#, no-wrap
msgid "Enabling Blocklistd"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2474
msgid ""
"The main configuration for blocklistd is stored in man:blocklistd.conf[5].  "
"Various command line options are also available to change blocklistd's run-"
"time behavior.  Persistent configuration across reboots should be stored in "
"[.filename]#/etc/blocklistd.conf#.  To enable the daemon during system boot, "
"add a `blocklistd_enable` line to [.filename]#/etc/rc.conf# like this:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2478
#, no-wrap
msgid "# sysrc blocklistd_enable=yes\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2481
msgid "To start the service manually, run this command:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2485
#, no-wrap
msgid "# service blocklistd start\n"
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2487
#, no-wrap
msgid "Creating a Blocklistd Ruleset"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2492
msgid ""
"Rules for blocklistd are configured in man:blocklistd.conf[5] with one entry "
"per line.  Each rule is a tuple of fields separated by spaces or tabs.  "
"Rules belong either to the `local` section, which applies to the machine "
"where blocklistd is running, or to the `remote` section, which applies to "
"outside sources."
msgstr ""

#. type: Title ====
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2493
#, no-wrap
msgid "Local Rules"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2496
msgid "An example blocklistd.conf entry for a local rule looks like this:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2501
#, no-wrap
msgid ""
"[local]\n"
"ssh             stream  *       *               *       3       24h\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2505
msgid ""
"All rules that follow the `[local]` section are treated as local rules "
"(which is the default), applying to the local machine.  When a `[remote]` "
"section is encountered, all rules that follow it are handled as remote "
"machine rules."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2513
msgid ""
"Seven fields separated by either tabs or spaces define a rule.  The first "
"four fields identify the traffic that should be blocklisted.  The three "
"fields that follow define blocklistd's behavior.  Wildcards are denoted as "
"asterisks (`*`), matching anything in this field.  The first field defines "
"the location.  In local rules, these are the network ports.  The syntax for "
"the location field is as follows:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2517
#, no-wrap
msgid "[address|interface][/mask][:port]\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2521
msgid ""
"Addresses can be specified as IPv4 in numeric format or IPv6 in square "
"brackets.  An interface name like `_em0_` can also be used."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2525
msgid ""
"The socket type is defined by the second field.  TCP sockets are of type "
"`stream`, whereas UDP is denoted as `dgram`.  The example above uses TCP, "
"since SSH uses that protocol."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2529
msgid ""
"A protocol can be used in the third field of a blocklistd rule.  The "
"following protocols can be used: `tcp`, `udp`, `tcp6`, `udp6`, or numeric.  "
"A wildcard, like in the example, is typically used to match all protocols "
"unless there is a reason to distinguish traffic by a certain protocol."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2532
msgid ""
"In the fourth field, the effective user or owner of the daemon process that "
"is reporting the event is defined.  The username or UID can be used here, as "
"well as a wildcard (see example rule above)."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2535
msgid ""
"The packet filter rule name is declared by the fifth field, which starts the "
"behavior part of the rule.  By default, blocklistd puts all blocks under a "
"pf anchor called `blocklistd` in [.filename]#pf.conf# like this:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2541
#, no-wrap
msgid ""
"anchor \"blocklistd/*\" in on $ext_if\n"
"block in\n"
"pass out\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2547
msgid ""
"For separate blocklists, an anchor name can be used in this field.  In other "
"cases, the wildcard will suffice.  When a name starts with a hyphen (`-`) it "
"means that an anchor with the default rule name prepended should be used.  A "
"modified example from the above using the hyphen would look like this:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2551
#, no-wrap
msgid "ssh             stream  *       *               -ssh       3       24h\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2554
msgid ""
"With such a rule, any new blocklist rules are added to an anchor called "
"`blocklistd-ssh`."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2558
msgid ""
"To block whole subnets for a single rule violation, a `/` in the rule name "
"can be used.  This causes the remaining portion of the name to be "
"interpreted as the mask to be applied to the address specified in the rule.  "
"For example, this rule would block the entire `/24` network that contains "
"the offending address."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2562
#, no-wrap
msgid "22              stream  tcp       *               */24    3       24h\n"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2568
msgid ""
"It is important to specify the proper protocol here.  IPv4 and IPv6 treat "
"/24 differently, which is why `*` cannot be used in the third field for this "
"rule."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2571
msgid ""
"This rule defines that if any one host in that network is misbehaving, "
"everything else on that network will be blocked, too."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2575
msgid ""
"The sixth field, called `nfail`, sets the number of login failures required "
"to blocklist the remote IP in question.  When a wildcard is used at this "
"position, it means that blocks will never happen.  In the example rule "
"above, a limit of three is defined, meaning that after three failed attempts "
"to log into SSH on one connection, the IP is blocked."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2578
msgid ""
"The last field in a blocklistd rule definition specifies how long a host is "
"blocklisted.  The default unit is seconds, but suffixes like `m`, `h`, and "
"`d` can also be specified for minutes, hours, and days, respectively."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2582
msgid ""
"Taken as a whole, the example rule means that three failed SSH "
"authentication attempts from a host result in a new PF block rule for that "
"host.  Rule matches are performed by first checking local rules one after "
"another, from most specific to least specific.  When a match occurs, the "
"`remote` rules are applied and the `name`, `nfail`, and `duration` fields "
"are changed by the `remote` rule that matched."
msgstr ""

#. type: Title ====
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2583
#, no-wrap
msgid "Remote Rules"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2589
msgid ""
"Remote rules are used to specify how blocklistd changes its behavior "
"depending on the remote host currently being evaluated.  Each field in a "
"remote rule is the same as in a local rule.  The only difference is in the "
"way blocklistd uses them.  The following example rule illustrates this:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2594
#, no-wrap
msgid ""
"[remote]\n"
"203.0.113.128/25 *      *       *               =/25    =       48h\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2599
msgid ""
"The address field can be an IP address (either v4 or v6), a port, or both.  "
"This allows setting special rules for a specific remote address range like "
"in this example.  The fields for socket type, protocol and owner are "
"interpreted identically to the local rule."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2605
msgid ""
"The name field is different, though: the equal sign (`=`) in a remote rule "
"tells blocklistd to use the value from the matching local rule.  Here this "
"means that the firewall rule name is taken from the local rule and the `/25` "
"prefix (a netmask of `255.255.255.128`) is added.  When a connection from "
"that address range is blocklisted, the entire subnet is affected.  A PF "
"anchor name can also be used here, in which case blocklistd will add rules "
"for this address block to the anchor of that name.  The default table is "
"used when a wildcard is specified."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2609
msgid ""
"A custom number of failures in the `nfail` column can be defined for an "
"address.  This is useful for exceptions to a specific rule, for example to "
"apply the rules less strictly to certain hosts or to allow them a few more "
"login attempts.  Blocking is disabled when an asterisk is used in this sixth "
"field."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2611
msgid ""
"Remote rules allow limits on login attempts to be enforced more strictly "
"than for attempts coming from a local network such as an office."
msgstr ""
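The local and remote rule formats described in the two subsections above, worked through in code. This is an added example written for this page, not part of FreeBSD or blocklistd: a small parser that reads `[local]` and `[remote]` sections, splits each rule into its seven fields, applies the name-field conventions (`*`, `-name`, `name/mask`, `=`), the `nfail` wildcard, the duration suffixes, the caveat that a subnet-blocking local rule must name a protocol, and the override of `name`, `nfail` and `duration` by a matching remote rule. The sample configuration, the `Rule` class and all function names are constructed for the example; the choice that a remote `=` rule keeps the local rule's mask when it supplies none is an assumption, not documented behavior.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

DEFAULT_ANCHOR = "blocklistd"  # pf anchor used when the name field is "*"
INHERIT = "="                  # in a remote rule: keep the local rule's value
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # duration suffixes


@dataclass
class Rule:
    kind: str                        # "local" or "remote"
    location: str                    # [address|interface][/mask][:port]
    socktype: str                    # stream (TCP), dgram (UDP) or *
    proto: str                       # tcp, udp, tcp6, udp6, a number or *
    owner: str                       # user name, UID or *
    anchor: str                      # pf anchor name, or INHERIT in a remote rule
    mask: Optional[int]              # prefix length from a "name/mask" field
    nfail: Union[int, None, str]     # failures before a block; None = never block
    duration: Union[int, None, str]  # block time in seconds, or INHERIT

def parse_duration(text: str) -> int:
    """Bare numbers are seconds; the m/h/d suffixes scale them."""
    if text[-1] in UNITS:
        return int(text[:-1]) * UNITS[text[-1]]
    return int(text)

def parse_name(field: str, kind: str):
    """Name field -> (anchor, mask); a leading '-' prepends the default name."""
    name, sep, mask_text = field.partition("/")
    mask = int(mask_text) if sep else None
    if name == "*":
        return DEFAULT_ANCHOR, mask
    if name == INHERIT:
        if kind != "remote":
            raise ValueError("'=' is only meaningful in a remote rule")
        return INHERIT, mask
    if name.startswith("-"):
        return DEFAULT_ANCHOR + name, mask  # "-ssh" -> "blocklistd-ssh"
    return name, mask

def parse_value(text: str, kind: str, convert):
    """'*' disables blocking (None); '=' in a remote rule inherits."""
    if text == "*":
        return None
    if text == INHERIT and kind == "remote":
        return INHERIT
    return convert(text)

def parse_rule(line: str, kind: str) -> Rule:
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    location, socktype, proto, owner, name, nfail, duration = fields
    anchor, mask = parse_name(name, kind)
    if kind == "local" and mask is not None and proto == "*":
        # IPv4 and IPv6 treat a /24 differently, so a local rule that blocks
        # a subnet must name the protocol instead of using the wildcard.
        raise ValueError(f"a local rule with /{mask} needs an explicit protocol")
    return Rule(kind, location, socktype, proto, owner, anchor, mask,
                parse_value(nfail, kind, int),
                parse_value(duration, kind, parse_duration))

def parse_config(text: str) -> List[Rule]:
    """Rules before any section header are local; headers switch the kind."""
    kind, rules = "local", []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line in ("[local]", "[remote]"):
            kind = line[1:-1]
        elif line:
            rules.append(parse_rule(line, kind))
    return rules

def effective(local: Rule, remote: Rule) -> Rule:
    """A matching remote rule replaces name, nfail and duration unless '='."""
    inherit_name = remote.anchor == INHERIT
    if inherit_name:  # assumption: '=' without a mask keeps the local mask
        mask = remote.mask if remote.mask is not None else local.mask
    else:
        mask = remote.mask
    return Rule("local", local.location, local.socktype, local.proto, local.owner,
                local.anchor if inherit_name else remote.anchor, mask,
                local.nfail if remote.nfail == INHERIT else remote.nfail,
                local.duration if remote.duration == INHERIT else remote.duration)

def blocked_network(rule: Rule, address: str) -> str:
    """Network a block for `address` covers once the rule's mask is applied."""
    if rule.mask is None:
        return address
    return str(ipaddress.ip_network(f"{address}/{rule.mask}", strict=False))

# Constructed sample, modelled on the handbook's example rules.
SAMPLE_CONF = """\
[local]
ssh             stream  *       *               *       3       24h
22              stream  tcp     *               */24    3       24h
[remote]
203.0.113.128/25 *      *       *               =/25    =       48h
"""
```

Calling `parse_config(SAMPLE_CONF)` yields three `Rule` objects; `effective(rules[1], rules[2])` shows how the remote rule widens the block from a `/24` to a `/25` and doubles the duration while keeping the local `nfail` of 3, and `blocked_network` turns an offending address into the network that a block under that rule would cover.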

#. type: Title ===
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2612
#, no-wrap
msgid "Blocklistd Client Configuration"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2617
msgid ""
"There are a few software packages in FreeBSD that can utilize blocklistd's "
"functionality.  The two most prominent ones are package:ftp/freebsd-ftpd[] "
"and man:sshd[8] to block excessive connection attempts.  To activate "
"blocklistd in the SSH daemon, add the following line to [.filename]#/etc/ssh/"
"sshd_config#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2621
#, no-wrap
msgid "UseBlocklist yes\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2624
msgid "Restart sshd afterwards to make these changes take effect."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2626
msgid ""
"Blocklisting for package:ftp/freebsd-ftpd[] is enabled using `-B`, either in "
"[.filename]#/etc/inetd.conf# or as a flag in [.filename]#/etc/rc.conf# like "
"this:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2630
#, no-wrap
msgid "ftpd_flags=\"-B\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2633
msgid "That is all that is needed to make these programs talk to blocklistd."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2634
#, no-wrap
msgid "Blocklistd Management"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2639
msgid ""
"Blocklistd provides the user with a management utility called "
"man:blocklistctl[8].  It displays blocked addresses and networks that are "
"blocklisted by the rules defined in man:blocklistd.conf[5].  To see the list "
"of currently blocked hosts, use `dump` combined with `-b` like this:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2645
#, no-wrap
msgid ""
"# blocklistctl dump -b\n"
"rulename                address/ma:port id      nfail   last access\n"
"blocklistd        213.0.123.128/25:22   OK      6/3     2019/06/08 14:30:19\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2651
msgid ""
"This example shows that there were 6 attempts, against a limit of 3, on "
"port 22 coming from the address range `213.0.123.128/25`.  There are more "
"attempts listed than are allowed because SSH allows a client to try multiple "
"logins on a single TCP connection.  A connection that is already in progress "
"is not stopped by blocklistd.  The last connection attempt is listed in the "
"`last access` column of the output."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2653
msgid ""
"To see the remaining time that this host will be on the blocklist, add `-r` "
"to the previous command."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2659
#, no-wrap
msgid ""
"# blocklistctl dump -br\n"
"rulename                address/ma:port id      nfail   remaining time\n"
"blocklistd        213.0.123.128/25:22   OK      6/3     36s\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2662
msgid ""
"In this example, there are 36 seconds left until this host will no longer "
"be blocked."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2663
#, no-wrap
msgid "Removing Hosts from the Block List"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2674
msgid ""
"Sometimes it is necessary to remove a host from the block list before the "
"remaining time expires.  Unfortunately, there is no functionality in "
"blocklistd to do that.  However, it is possible to remove the address from "
"the PF table using pfctl.  For each blocked port, there is a child anchor "
"inside the blocklistd anchor defined in [.filename]#/etc/pf.conf#.  For "
"example, if there is a child anchor for blocking port 22 it is called "
"`blocklistd/22`.  There is a table inside that child anchor that contains "
"the blocked addresses.  This table is called `port` followed by the port "
"number.  In this example, it would be called `port22`.  With that "
"information at hand, it is now possible to use man:pfctl[8] to display all "
"addresses listed like this:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2681
#, no-wrap
msgid ""
"# pfctl -a blocklistd/22 -t port22 -T show\n"
"...\n"
"213.0.123.128/25\n"
"...\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2684
msgid ""
"After identifying the address to be unblocked from the list, the following "
"command removes it from the list:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2688
#, no-wrap
msgid "# pfctl -a blocklistd/22 -t port22 -T delete 213.0.123.128/25\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/firewalls/_index.adoc:2692
msgid ""
"The address is now removed from PF, but will still show up in the "
"blocklistctl list, since blocklistd does not know about changes made in PF.  "
"The entry in blocklistd's database will eventually expire and be removed "
"from its output.  The entry will be added again if the host matches one of "
"the block rules in blocklistd again."
msgstr ""
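As an added example (written for this page, not FreeBSD's own code), the following Python parses the `blocklistctl dump` layout shown in the management section and assembles the two `pfctl` invocations given above for inspecting and clearing an entry. It only builds the command strings and does not run `pfctl`. The dump text is constructed, and the assumption that the `rulename` column names the parent anchor (`blocklistd` here, giving the `blocklistd/22` child anchor and the `port22` table) is the example's, not the manual's.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed `blocklistctl dump -br` output in the layout shown above.
DUMP_OUTPUT = """\
rulename                address/ma:port id      nfail   remaining time
blocklistd        213.0.123.128/25:22   OK      6/3     36s
blocklistd        198.51.100.23/32:21   OK      4/4     12m
"""

# rulename, address/mask:port, id, nfail as seen/limit, then whatever the
# last column holds ("last access" or "remaining time").
LINE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)/(\d+)\s+(.+?)\s*$")


@dataclass
class Entry:
    rulename: str   # anchor the block lives under (assumed from the column)
    address: str    # address with prefix length, e.g. 213.0.123.128/25
    port: int       # blocked port
    state: str      # the id column
    failures: int   # attempts seen
    limit: int      # nfail from the matching rule
    tail: str       # last access or remaining time, as printed


def parse_dump(text: str) -> List[Entry]:
    """Parse every data line of a blocklistctl dump; the first line is a header."""
    entries = []
    for line in text.splitlines()[1:]:
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised blocklistctl line: {line!r}")
        rulename, addr, port, state, seen, limit, tail = m.groups()
        entries.append(Entry(rulename, addr, int(port), state,
                             int(seen), int(limit), tail))
    return entries


def child_anchor(entry: Entry) -> str:
    """Per-port child anchor, e.g. blocklistd/22 (rulename assumed to be
    the parent anchor, as it is for the default rule)."""
    return f"{entry.rulename}/{entry.port}"


def unblock_commands(entry: Entry) -> List[str]:
    """The two pfctl invocations from the text: show the port<N> table in
    the child anchor, then delete the address from it."""
    anchor, table = child_anchor(entry), f"port{entry.port}"
    return [
        f"pfctl -a {anchor} -t {table} -T show",
        f"pfctl -a {anchor} -t {table} -T delete {entry.address}",
    ]


def over_limit(entries: List[Entry]) -> List[Entry]:
    """Entries whose seen count reached nfail; the count can exceed the
    limit because SSH retries logins on a single connection."""
    return [e for e in entries if e.failures >= e.limit]
```

Running `unblock_commands` on the first parsed entry reproduces the `pfctl -a blocklistd/22 -t port22 -T delete 213.0.123.128/25` command from the text; the address is deleted from PF only, so the entry remains in `blocklistctl dump` output until it expires, as described above.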