--- jonen/notes/notes_2003-02.twingle 2003/03/09 16:36:37 1.1
+++ jonen/notes/notes_2003-02.twingle 2003/03/09 16:43:24 1.2
@@ -41,23 +41,25 @@
x use packet fiters (firewall):
x read http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
x some options at the kernel have to be enabled:
-
- options IPFIREWALL #Compiles into the kernel the code for packet filtering.
- options IPFIREWALL_VERBOSE #Enables code to allow logging of packets through syslogd.
- # Without this option, even if you specify that packets should be logged in the filter rules,
- # nothing will happen.
- options IPFIREWALL_VERBOSE_LIMIT=10 #Limits the number of packets logged through syslogd on a per entry basis.
- # You may wish to use this option in hostile environments in which you want to log firewall activity,
- # but do not want to be open to a denial of service attack via syslog flooding.
- # When a chain entry reaches the packet limit specified, logging is turned off for that particular entry.
- # To resume logging, you will need to reset the associated counter using the ipfw(8) utility:
- # ipfw zero 4500
- # Where 4500 is the chain entry you wish to continue logging.
- options IPFIREWALL_DEFAULT_TO_ACCEPT #This changes the default rule action from ``deny'' to ``allow''.
- # This avoids the possibility of locking yourself out if you happen to boot a kernel with IPFIREWALL support but have not configured your firewall yet.
- # It is also very useful if you often use ipfw(8) as a filter for specific problems as they arise.
- # Use with care though, as this opens up the firewall and changes the way it works.
-
+ - options IPFIREWALL
+ Compiles into the kernel the code for packet filtering.
+ - options IPFIREWALL_VERBOSE
+ Enables code to allow logging of packets through syslogd.
+ Without this option, even if you specify that packets should be logged in the filter rules,
+ nothing will happen.
+ - options IPFIREWALL_VERBOSE_LIMIT=10
+ Limits the number of packets logged through syslogd on a per entry basis.
+ You may wish to use this option in hostile environments in which you want to log firewall activity,
+ but do not want to be open to a denial of service attack via syslog flooding.
+ When a chain entry reaches the packet limit specified, logging is turned off for that particular entry.
+ To resume logging, you will need to reset the associated counter using the ipfw(8) utility:
+ :# ipfw zero 4500
+ Where 4500 is the chain entry you wish to continue logging.
+ - options IPFIREWALL_DEFAULT_TO_ACCEPT
+ This changes the default rule action from ``deny'' to ``allow''.
+ This avoids the possibility of locking yourself out if you happen to boot a kernel with IPFIREWALL support but have not configured your firewall yet.
+ It is also very useful if you often use ipfw(8) as a filter for specific problems as they arise.
+ Use with care though, as this opens up the firewall and changes the way it works.
x firewall is enabled at /etc/rc.conf (or /etc/rc.conf.local)
firewall_enabled = "YES"
firewall_type = ""
@@ -170,5 +172,5 @@
o build 'black box' to trace for 'spys' at a isdn/internet connection ;)
-$Id: notes_2003-02.twingle,v 1.1 2003/03/09 16:36:37 jonen Exp $
+$Id: notes_2003-02.twingle,v 1.2 2003/03/09 16:43:24 jonen Exp $
\ No newline at end of file