-rw-r--r-- | en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml | 63 |
1 files changed, 60 insertions, 3 deletions
diff --git a/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml b/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml index 9b9e69fb6d..53be6460ee 100644 --- a/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml 
@@ -2241,10 +2241,67 @@ options IPV6FIREWALL_DEFAULT_TO_ACCEPT</programlisting> <programlisting>firewall_type="open"</programlisting> - <para>Or load custom rules by setting the following variable to the - file containing them:</para> + <para>Available values for this setting are:</para> - <programlisting>firewall_script="/etc/ipfw.rules"</programlisting> + <itemizedlist> + <listitem> + <para><literal>open</literal> — pass all traffic.</para> + </listitem> + <listitem> + <para><literal>client</literal> — will protect only this + machine.</para> + </listitem> + <listitem> + <para><literal>simple</literal> — protect the whole + network.</para> + </listitem> + <listitem> + <para><literal>closed</literal> — entirely disables IP + traffic except for the loopback interface.</para> + </listitem> + <listitem> + <para><literal>UNKNOWN</literal> — disables the loading + of firewall rules.</para> + </listitem> + <listitem> + <para><filename>filename</filename> — absolute path of + file containing firewall rules.</para> + </listitem> + </itemizedlist> + + <para>It is possible to use two different ways to load custom + rules for <application>ipfw</application> firewall. One is + by setting <literal>firewall_type</literal> variable to absolute + path of file, which contains <emphasis>firewall rules</emphasis> + without any command-line options for &man.ipfw.8; itself. A + simple examble of ruleset file can be following:</para> + + <programlisting>add block in all +add block out all</programlisting> + + <para>On the other hand, it is possible to set + <literal>firewall_script</literal> variable to absolute path of + executable script that includes <command>ipfw</command> commands + being executed at system boot time. 
A valid ruleset script that + would be equivalent to the ruleset file shown above would + be following:</para> + + <programlisting>#!/bin/sh + +ipfw -q flush + +ipfw add block in all +ipfw add block out all</programlisting> + + <note> + <para>If <literal>firewall_type</literal> is set to either + <literal>client</literal> or <literal>simple</literal>, the + default rules found in <filename>/etc/rc.firewall</filename> + should be reviewed to fit to the configuration of the given + machine. Also note that the examples used in this chapter + expect that the <literal>firewall_script</literal> is set to + <filename>/etc/ipfw.rules</filename>.</para> + </note> <para>Enable logging:</para> |
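Review bot: both new examples use `block`, which is not an ipfw action (`block` is pf syntax); ipfw(8) rejects `add block in all` as an invalid action, so a reader copying either listing gets a parse error instead of a working ruleset. The ruleset file should read `add deny in all` / `add deny out all` and the script `ipfw add deny in all` / `ipfw add deny out all`. Also, since the hunk removes the `firewall_script="/etc/ipfw.rules"` programlisting while the new note still says the chapter's examples expect `firewall_script` set to `/etc/ipfw.rules`, keep one example assignment next to the paragraph that introduces `firewall_script`. Minor wording: "examble" should be "example", "load custom rules for ipfw firewall" reads better as "for the ipfw firewall", and "would be following" as "would be the following".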