firewall.7 (141846) firewall.7 (141851)
1.\" Copyright (C) 2001 Matthew Dillon. All rights reserved.
2.\"
3.\" Redistribution and use in source and binary forms, with or without
4.\" modification, are permitted provided that the following conditions
5.\" are met:
6.\" 1. Redistributions of source code must retain the above copyright
7.\" notice, this list of conditions and the following disclaimer.
8.\" 2. Redistributions in binary form must reproduce the above copyright

--- 7 unchanged lines hidden (view full) ---

16.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
17.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
18.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
19.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
20.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
21.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
22.\" SUCH DAMAGE.
23.\"
1.\" Copyright (C) 2001 Matthew Dillon. All rights reserved.
2.\"
3.\" Redistribution and use in source and binary forms, with or without
4.\" modification, are permitted provided that the following conditions
5.\" are met:
6.\" 1. Redistributions of source code must retain the above copyright
7.\" notice, this list of conditions and the following disclaimer.
8.\" 2. Redistributions in binary form must reproduce the above copyright

--- 7 unchanged lines hidden (view full) ---

16.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
17.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
18.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
19.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
20.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
21.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
22.\" SUCH DAMAGE.
23.\"
24.\" $FreeBSD: head/share/man/man7/firewall.7 141846 2005-02-13 22:25:33Z ru $
24.\" $FreeBSD: head/share/man/man7/firewall.7 141851 2005-02-13 23:45:54Z ru $
25.\"
26.Dd May 26, 2001
27.Dt FIREWALL 7
28.Os
29.Sh NAME
30.Nm firewall
31.Nd simple firewalls under FreeBSD
32.Sh FIREWALL BASICS
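Review bot: the only difference on line 24 is the $FreeBSD$ revision and timestamp (141846 → 141851), which is the version-control keyword being re-expanded on commit rather than a hand edit; nothing to change here, just keep that line out of any manual editing so the keyword expansion stays intact.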

--- 84 unchanged lines hidden (view full) ---

117boot sequence, also resulting in an inaccessible machine.
118Because of these problems the
119.Sy IPFIREWALL_DEFAULT_TO_ACCEPT
120kernel option is also available which changes the default firewall
121to pass through all packets.
122Note, however, that using this option
123may open a small window of opportunity during booting where your
124firewall passes all packets.
25.\"
26.Dd May 26, 2001
27.Dt FIREWALL 7
28.Os
29.Sh NAME
30.Nm firewall
31.Nd simple firewalls under FreeBSD
32.Sh FIREWALL BASICS

--- 84 unchanged lines hidden (view full) ---

117boot sequence, also resulting in an inaccessible machine.
118Because of these problems the
119.Sy IPFIREWALL_DEFAULT_TO_ACCEPT
120kernel option is also available which changes the default firewall
121to pass through all packets.
122Note, however, that using this option
123may open a small window of opportunity during booting where your
124firewall passes all packets.
125Still, it's a good option to use
125Still, it is a good option to use
126while getting up to speed with
127.Fx
128firewalling.
129Get rid of it once you understand how it all works
130to close the loophole, though.
131There is a third option called
132.Sy IPDIVERT
133which allows you to use the firewall to divert packets to a user program
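Review bot: line 125 only expands the contraction "it's" to "it is", a style change that matches the formal register of the rest of the page, and the sentence still starts on its own line as mdoc expects; since the 245 hidden lines are not shown here, consider grepping the whole file for remaining contractions so the style change is applied consistently in one commit.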

--- 245 unchanged lines hidden (view full) ---

379# otherwise do not bother. Have a final deny rule as a safety to
380# guarantee that your firewall is inclusive no matter how the kernel
381# is configured.
382#
383add 05000 deny log ip from any to any frag
384add 06000 deny all from any to any
385.Ed
386.Sh PORT BINDING INTERNAL AND EXTERNAL SERVICES
126while getting up to speed with
127.Fx
128firewalling.
129Get rid of it once you understand how it all works
130to close the loophole, though.
131There is a third option called
132.Sy IPDIVERT
133which allows you to use the firewall to divert packets to a user program

--- 245 unchanged lines hidden (view full) ---

379# otherwise do not bother. Have a final deny rule as a safety to
380# guarantee that your firewall is inclusive no matter how the kernel
381# is configured.
382#
383add 05000 deny log ip from any to any frag
384add 06000 deny all from any to any
385.Ed
386.Sh PORT BINDING INTERNAL AND EXTERNAL SERVICES
387We've mentioned multi-homing hosts and binding services to internal or
387We have mentioned multi-homing hosts and binding services to internal or
388external addresses but we have not really explained it.
389When you have a
390host with multiple IP addresses assigned to it, you can bind services run
391on that host to specific IPs or interfaces rather than all IPs.
392Take
393the firewall machine for example: with three interfaces
394and two exposed IP addresses
395on one of those interfaces, the firewall machine is known by 5 different
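Review bot: line 387 expands "We've" to "We have", consistent with the line-125 change and with the uncontracted "we have not really explained it" already on line 388, so the wording of this paragraph is now uniform; no functional or technical content changes in this hunk.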

--- 48 unchanged lines hidden ---
388external addresses but we have not really explained it.
389When you have a
390host with multiple IP addresses assigned to it, you can bind services run
391on that host to specific IPs or interfaces rather than all IPs.
392Take
393the firewall machine for example: with three interfaces
394and two exposed IP addresses
395on one of those interfaces, the firewall machine is known by 5 different

--- 48 unchanged lines hidden ---