-
# Security
***Much of this chapter has been taken from the security(7) manual page by Matthew Dillon. ***
-At this point you need to generate your one-time password to answer this login prompt. This must be done on a trusted system that you can run `key` or `opiekey` on. (There are versions of these for DOS, Windows® and Mac OS® as well.) They need both the iteration count and the seed as command line options. You can cut-and-paste these right from the login prompt on the machine that you are logging in to.
+At this point you need to generate your one-time password to answer this login prompt. This must be done on a trusted system that you can run `key` or `opiekey` on. (There are versions of these for DOS, Windows® and Mac OS® as well.) They need both the iteration count and the seed as command line options. You can cut-and-paste these right from the login prompt on the machine that you are logging in to.
Proxy servers often have ways of restricting access further, so that only certain hosts can gain access to the servers. Most will also allow the administrator to specify which users can talk to which destination machines. Again, what facilities are available depends largely on what proxy software you choose.
+### Firewall options in DragonFlyBSD
+
+DragonFlyBSD inherited the IPFW firewall (versions 1 and 2) when it forked from FreeBSD. Pretty soon after though, we imported the new pf packet filter that the OpenBSD developers created from scratch. It is a cleaner code base and is now the recommended solution for firewalling DragonFly. Keep in mind that the PF version in DragonFly is not in sync with OpenBSD's PF code. We have not yet incorporated the improvements made in PF over the last few years, but we have some improvements of our own. IPFW is still and will remain supported for the forseeable future; it has some features not yet available in PF.
+
+A copy of the OpenBSD PF user's guide corresponding to the version of PF in DragonFly can be found in [[PFUsersGuide]].
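Review bot: the new paragraph under "Firewall options in DragonFlyBSD" says the bundled PF "is not in sync with OpenBSD's PF code" but never states which OpenBSD release it corresponds to. Readers need that to know which pf.conf syntax and which upstream documentation apply, so name the release here or say that [[PFUsersGuide]] states it. The sentence "it has some features not yet available in PF" should name at least one such feature, otherwise an administrator has no basis for choosing IPFW over the recommended filter. Two wording fixes in the same paragraph: "forseeable" should be "foreseeable", and "IPFW is still and will remain supported" reads better as "IPFW is still supported and will remain so".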
-### What Does IPFW Allow Me to Do?
+#### What Does IPFW Allow Me to Do?
-### Enabling IPFW on DragonFly
+#### Enabling IPFW on DragonFly
-### Configuring IPFW
+#### Configuring IPFW
-#### Altering the IPFW Rules
+##### Altering the IPFW Rules
-#### Listing the IPFW Rules
+##### Listing the IPFW Rules
-#### Flushing the IPFW Rules
+##### Flushing the IPFW Rules
-#### Clearing the IPFW Packet Counters
+##### Clearing the IPFW Packet Counters
-### Example Commands for **ipfw**
+#### Example Commands for **ipfw**
-### Building a Packet Filtering Firewall
-
-<!-- XXX: AFAIK pf is vastly superior to ipfw, so this should be focused on pf, not ipfw -->
-
+#### Building a Packet Filtering Firewall
**Note:** The following suggestions are just that: suggestions. The requirements of each firewall are different and we cannot tell you how to build a firewall to meet your particular requirements.
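Review bot: the XXX comment removed above "Building a Packet Filtering Firewall" ("this should be focused on pf, not ipfw") is dropped without the concern being addressed. The new introduction recommends pf, yet every subsection demoted in this change, this one included, still documents IPFW only. Either keep the marker until a pf walkthrough exists, or add a sentence under this heading that points readers to [[PFUsersGuide]] for the recommended filter. After the demotion it would also help to name IPFW in the heading, since a generic "Building a Packet Filtering Firewall" under a section that recommends pf suggests the steps apply to pf.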
-### IPFW Overhead and Optimization
+#### IPFW Overhead and Optimization
-The per-packet processing overhead in the former case was approximately 2.703 ms/packet, or roughly 2.7 microseconds per rule. Thus the theoretical packet processing limit with these rules is around 370 packets per second. Assuming 10 Mbps Ethernet and a ~1500 byte packet size, we would only be able to achieve 55.5% bandwidth utilization.
+The per-packet processing overhead in the former case was approximately 2.703 ms/packet, or roughly 2.7 microseconds per rule. Thus the theoretical packet processing limit with these rules is around 370 packets per second. Assuming 10 Mbps Ethernet and a ~1500 byte packet size, we would only be able to achieve 55.5% bandwidth utilization.
-For the latter case each packet was processed in approximately 1.172 ms, or roughly 1.2 microseconds per rule. The theoretical packet processing limit here would be about 853 packets per second, which could consume 10 Mbps Ethernet bandwidth.
+For the latter case each packet was processed in approximately 1.172 ms, or roughly 1.2 microseconds per rule. The theoretical packet processing limit here would be about 853 packets per second, which could consume 10 Mbps Ethernet bandwidth.
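Review bot: the removed and added versions of both overhead paragraphs are identical as shown, so this appears to be a whitespace-only change, but since the lines are being touched, the figure in the first paragraph deserves a check. 370 packets per second at ~1500 bytes is about 4.4 Mbps, which is roughly 44% of 10 Mbps rather than "55.5% bandwidth utilization"; 55.5% looks like the unused share. The second paragraph is consistent (853 packets per second at ~1500 bytes is about 10.2 Mbps). "The former case" and "the latter case" also have no visible antecedent here, so confirm that the text describing the two rule sets still precedes these paragraphs after the restructuring.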
-This section will guide you through the process of setting up IPsec, and to use it in an environment which consists of DragonFly and **Microsoft® Windows® 2000/XP** machines, to make them communicate securely. In order to set up IPsec, it is necessary that you are familiar with the concepts of building a custom kernel (see [kernelconfig.html Chapter 9]).
+This section will guide you through the process of setting up IPsec, and to use it in an environment which consists of DragonFly and **Microsoft® Windows® 2000/XP** machines, to make them communicate securely. In order to set up IPsec, it is necessary that you are familiar with the concepts of building a custom kernel (see [kernelconfig.html Chapter 9]).
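Review bot: the cross-reference "[kernelconfig.html Chapter 9]" in the IPsec paragraph uses a different link form from the "[[PFUsersGuide]]" wiki link added earlier in this change. If the page is now rendered by the wiki, confirm that this reference still resolves, or convert it to the same link style while this line is being rewritten. The removed and added lines are otherwise identical as shown, so if the change is whitespace-only, say so in the commit message.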