cvs commit: de-docproj/books/handbook/firewalls chapter.sgml

From: Johann Kois <jkois(at)doc.bsdgroup.de>
Date: Thu, 10 Mar 2011 15:05:02 GMT

jkois 2011-03-10 15:05:02 UTC

  FreeBSD German Documentation Repository

  Modified files:
    books/handbook/firewalls chapter.sgml
  Log:
  Add the IPF section to the Handbook to make the translation easier.
  
  Translation status: 1 %
  
  Revision Changes Path
  1.28 +1581 -6 de-docproj/books/handbook/firewalls/chapter.sgml
  
  Index: chapter.sgml
  ===================================================================
  RCS file: /home/cvs/de-docproj/books/handbook/firewalls/chapter.sgml,v
  retrieving revision 1.27
  retrieving revision 1.28
  diff -u -I$FreeBSDde.*$ -r1.27 -r1.28
  --- chapter.sgml 18 Dec 2010 09:32:47 -0000 1.27
  +++ chapter.sgml 10 Mar 2011 15:05:02 -0000 1.28
  @@ -541,12 +541,1587 @@
     <sect1 id="firewalls-ipf">
       <title>Die IPFILTER-Firewall (IPF)</title>
   
  - <para>Dieses Kapitel ist noch nicht &uuml;bersetzt.
  - Lesen Sie bitte <ulink
  - url="&url.books.handbook.en;/firewalls-ipf.html">
  - das Original in englischer Sprache</ulink>. Wenn Sie helfen
  - wollen, dieses Kapitel zu &uuml;bersetzen, senden Sie bitte
  - eine E-Mail an die Mailingliste &a.de.translators;.</para>
  + <indexterm>
  + <primary>Firewall</primary>
  +
  + <secondary>IPFILTER</secondary>
  + </indexterm>
  +
  + <para>IPFILTER wird von Darren Reed entwickelt. IPFILTER ist
  + betriebssystemunabh&auml;ngig. Es handelt sich um ein
  + Open Source-Programm, dass unter anderem nach &os; NetBSD,
  + OpenBSD, &sunos;, HP/UX sowie nach &solaris; portiert wurde.
  + IPFILTER wird aktiv unterst&uuml;tzt und gewartet und es
  + werden regelm&auml;&zslig;ig neue Versionen
  + ver&ouml;ffentlicht.</para>
  +
  + <para>IPFILTER kombiniert eine kernelseitige Firewall mit dem
  + <acronym>NAT</acronym>-Mechanismus und kann von
  + Userland-Programmen gesteuert und &uuml;berwacht werden.
  + Firewallregeln werden mit &man.ipf.8; angelegt oder auch wieder
  + gel&ouml;scht. <acronym>NAT</acronym>-Regeln werden hingegen
  + mit &man.ipnat.1; angelegt oder gel&ouml;scht. &man.ipfstat.8;
  + erlaubt es dem Benutzer, Laufzeitstatistiken f&uuml;r die
  + Kernelbereiche von IPFILTER auszugeben. Zur Protokollierung
  + der IPFILTER-Aktivit&auml;ten wird &man.ipmon.8; eingesetzt.</para>
  +
  + <para>IPF was originally written using a rule processing logic of
  + <quote>the last matching rule wins</quote> and used only
  + stateless type of rules. Over time IPF has been enhanced to
  + include a <quote>quick</quote> option and a stateful <quote>keep
  + state</quote> option which drastically modernized the rules
  + processing logic. IPF's official documentation covers only the legacy
  + rule coding parameters and rule file processing
  + logic. The modernized functions are only included as additional
  + options, completely understating their benefits in producing a
  + far superior and more secure firewall.</para>
  +
  + <para>The instructions contained in this section are based on
  + using rules that contain the <quote>quick</quote> option and the
  + stateful <quote>keep state</quote> option. This is the basic
  + framework for coding an inclusive firewall ruleset.</para>
  +
  + <para>For detailed explanation of the legacy rules processing
  + method see: <ulink
  + url="http://www.obfuscation.org/ipf/ipf-howto.html#TOC_1"></ulink>
  + and <ulink
  + url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>.</para>
  +
  + <para>The IPF FAQ is at <ulink
  + url="http://www.phildev.net/ipf/index.html"></ulink>.</para>
  +
  + <para>A searchable archive of the open-source IPFilter mailing list is
  + available at <ulink
  + url="http://marc.theaimsgroup.com/?l=ipfilter"></ulink>.</para>
  +
  + <sect2>
  + <title>IPF aktivieren</title>
  +
  + <indexterm>
  + <primary>IPFILTER</primary>
  +
  + <secondary>enabling</secondary>
  + </indexterm>
  +
  + <para>IPF is included in the basic &os; install as a separate run
  + time loadable module. The system will dynamically load the IPF
  + kernel loadable module when the <filename>rc.conf</filename> statement
  + <literal>ipfilter_enable="YES"</literal> is used. The loadable
  + module was created with logging enabled and the
  + <literal>default pass all</literal> options. There is no need
  + to compile IPF into the &os; kernel just to change the default
  + to <literal>block all</literal>. This can be done just by adding
  + a <literal>block all</literal> rule at the end of your ruleset.</para>
  + </sect2>
  +
  + <sect2>
  + <title>Kernel options</title>
  +
  + <indexterm>
  + <primary>kernel options</primary>
  +
  + <secondary>IPFILTER</secondary>
  + </indexterm>
  +
  + <indexterm>
  + <primary>kernel options</primary>
  +
  + <secondary>IPFILTER_LOG</secondary>
  + </indexterm>
  +
  + <indexterm>
  + <primary>kernel options</primary>
  +
  + <secondary>IPFILTER_DEFAULT_BLOCK</secondary>
  + </indexterm>
  +
  + <indexterm>
  + <primary>IPFILTER</primary>
  +
  + <secondary>kernel options</secondary>
  + </indexterm>
  +
  + <para>It is not a mandatory requirement to enable IPF by
  + compiling the following options into the &os; kernel. It is
  + only presented here as background information. Compiling IPF
  + into the kernel causes the loadable module to never be
  + used.</para>
  +
  + <para>Sample kernel config IPF option statements are in the
  + <filename>/usr/src/sys/conf/NOTES</filename> kernel source
  + and are reproduced here:</para>
  +
  + <programlisting>options IPFILTER
  +options IPFILTER_LOG
  +options IPFILTER_DEFAULT_BLOCK</programlisting>
  +
  + <para><literal>options IPFILTER</literal> enables support for the
  + <quote>IPFILTER</quote> firewall.</para>
  +
  + <para><literal>options IPFILTER_LOG</literal> enables the option
  + to have IPF log traffic by writing to the
  + <devicename>ipl</devicename> packet logging pseudo&mdash;device
  + for every rule that has the <literal>log</literal>
  + keyword.</para>
  +
  + <para><literal>options IPFILTER_DEFAULT_BLOCK</literal> changes
  + the default behavior so any packet not matching a firewall
  + <literal>pass</literal> rule gets blocked.</para>
  +
  + <para>These settings will take effect only after installing a kernel
  + that has been built with the above options set.</para>
  + </sect2>
  +
  + <sect2>
  + <title>Available rc.conf Options</title>
  +
  + <para>To activate IPF at boot time, the following statements need to
  + be added to <filename>/etc/rc.conf</filename>:</para>
  +
  + <programlisting>ipfilter_enable="YES" # Start ipf firewall
  +ipfilter_rules="/etc/ipf.rules" # loads rules definition text file
  +ipmon_enable="YES" # Start IP monitor log
  +ipmon_flags="-Ds" # D = start as daemon
  + # s = log to syslog
  + # v = log tcp window, ack, seq
  + # n = map IP &amp; port to names</programlisting>
  +
  + <para>If there is a LAN behind this firewall that uses the
  + reserved private IP address ranges, the following lines will have to
  + be added to enable <acronym>NAT</acronym>
  + functionality:</para>
  +
  + <programlisting>gateway_enable="YES" # Enable as LAN gateway
  +ipnat_enable="YES" # Start ipnat function
  +ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlisting>
  + </sect2>
  +
  + <sect2>
  + <title>IPF</title>
  +
  + <indexterm><primary><command>ipf</command></primary></indexterm>
  +
  + <para>The &man.ipf.8; command is used to load your ruleset file.
  + Your custom rules would normally be placed in a file, and the
  + following command could then be used to replace in mass the
  + currently running firewall rules:</para>
  +
  + <screen>&prompt.root; <userinput>ipf -Fa -f /etc/ipf.rules</userinput></screen>
  +
  + <para><option>-Fa</option> means flush all internal rules
  + tables.</para>
  +
  + <para><option>-f</option> means this is the file to read for the
  + rules to load.</para>
  +
  + <para>This gives you the ability to make changes to your custom
  + rules file, run the above IPF command, and thus update the
  + running firewall with a fresh copy of all the rules without
  + having to reboot the system. This method is very convenient
  + for testing new rules as the procedure can be executed as many
  + times as needed.</para>
  +
  + <para>See the &man.ipf.8; manual page for details on the other
  + flags available with this command.</para>
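Review bot: the entity `&zslig;` in `werden regelm&auml;&zslig;ig neue Versionen` is not a defined SGML entity and will break the documentation build; it should be `&szlig;` (regelmäßig). In the same paragraph, `ein Open Source-Programm, dass unter anderem nach &os; NetBSD` needs the relative pronoun `das`, not the conjunction `dass`. The paragraphs from `IPF was originally written using a rule processing logic` onward are still English, consistent with the 1 % status in the log, but the hunk also removes the `Dieses Kapitel ist noch nicht &uuml;bersetzt` notice with the `&url.books.handbook.en;/firewalls-ipf.html` link; until the translation is further along, consider keeping that notice at the top of the section so readers of the German build are still pointed to the complete English original.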

----------------------------------------------
Diff block truncated. (Max lines = 200)
----------------------------------------------

Received on Thu 10 Mar 2011 - 16:05:21 CET