From f1941b2b828e2e3f652e3702c729e83db60850f3 Mon Sep 17 00:00:00 2001
From: Christian Mauderer
Date: Tue, 12 Jul 2016 13:41:39 +0200
Subject: libbsd.txt: Add section describing PF.

---
 libbsd.txt | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/libbsd.txt b/libbsd.txt
index 1278ebc0..60a1b554 100644
--- a/libbsd.txt
+++ b/libbsd.txt
@@ -1326,6 +1326,50 @@ enabled from the shell with: or with an ioctl call to the network interface driver with SIOCSIFCAP and the mask IFCAP_TXCSUM and IFCAP_RXCSUM set. +== PF (Firewall) == + +It is possible to use PF as a firewall. See +[https://www.freebsd.org/doc/handbook/firewalls-pf.html] for details on the +range of functions and for how to configure the firewall. + +The following is necessary to use PF on RTEMS: + +- You have to provide a +/etc/pf.os+ file. The firewall can use it for passive + OS fingerprinting. If you don't want to use this feature, the file may contain + nothing except a line of comment (for example "# empty"). + +- If some filters use protocol names (like tcp or udp) you have to provide a + +/etc/protocols+ file. + +- If some filters use service names (like ssh or http) you have to provide a + +/etc/services+ file. + +- Create a rule file (normally +/etc/pf.conf+). See the FreeBSD manual for the + syntax. + +- Load the rule file using the pfctl command and enable pf. An example + initialisation can look like follows: + +---- + int exit_code; + char *params[] = { + "pfctl", + "-f", + "/etc/pf.conf", + "-e", + NULL + }; + + exit_code = rtems_bsd_command_pfctl(ARGC(params), params); + assert(exit_code == EXIT_SUCCSESS); +---- + +=== Known restrictions === + +- Currently PF on RTEMS always uses the configuration for memory restricted + systems (on FreeBSD that means systems with less than 100 MB RAM). This is + fixed in +pfctl_init_options()+. + == Problems to report to FreeBSD == The MMAP_NOT_AVAILABLE define is inverted on its usage. When it is -- cgit v1.2.3
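Review bot: "EXIT_SUCCSESS" in the example line "assert(exit_code == EXIT_SUCCSESS);" is a typo for "EXIT_SUCCESS", so the snippet will not compile if copied as documented; please fix the spelling. In the same example, "ARGC(params)" is used without being defined or referenced anywhere in the section, so a reader has nothing to build against; either show the macro, pass an explicit argument count derived from the array, or say where it comes from. Because the check is an assert(), it disappears under NDEBUG, and a silently failed "pfctl -f /etc/pf.conf -e" leaves the system with no filtering in place; a sentence recommending an explicit check of the return value in production code would be worthwhile. Finally, in the "Known restrictions" item, "This is fixed in +pfctl_init_options()+" reads as if the limitation had already been corrected; "hard-coded in" conveys the intended meaning.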