Complete list of differences between ipfw1 and ipfw2.
parent
f050add5c1
commit
654399a477
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=101989
103
sbin/ipfw/ipfw.8
103
sbin/ipfw/ipfw.8
@ -81,11 +81,33 @@ The commands listed here are a superset of the old
|
|||||||
firewall, which we will call
|
firewall, which we will call
|
||||||
.Nm ipfw1
|
.Nm ipfw1
|
||||||
when it is necessary to distinguish between the two.
|
when it is necessary to distinguish between the two.
|
||||||
|
.Pp
|
||||||
|
.Nm ipfw2
|
||||||
|
is standard in
|
||||||
|
.Fx
|
||||||
|
CURRENT, whereas
|
||||||
|
.Fx
|
||||||
|
STABLE still uses
|
||||||
|
.Nm ipfw1
|
||||||
|
unless the kernel is compiled with
|
||||||
|
.Cm options IPFW2 ,
|
||||||
|
and
|
||||||
|
.Nm /sbin/ipfw
|
||||||
|
and
|
||||||
|
.Nm /usr/lib/libalias
|
||||||
|
are recompiled with
|
||||||
|
.Cm -DIPFW2
|
||||||
|
and reinstalled (the same effect can be achieved by adding
|
||||||
|
.Cm IPFW2=TRUE
|
||||||
|
to
|
||||||
|
.Nm /etc/make.conf
|
||||||
|
before a buildworld).
|
||||||
|
.Pp
|
||||||
See the
|
See the
|
||||||
.Sx IPFW2 ENHANCEMENTS
|
.Sx IPFW2 ENHANCEMENTS
|
||||||
Section for a list of features which are not present in
|
Section for a list of features which are not present in
|
||||||
.Nm ipfw1 .
|
.Nm ipfw1 .
|
||||||
This list can also be useful to revise your ruleset and
|
This list can also be useful to revise your rules and
|
||||||
write them more efficiently.
|
write them more efficiently.
|
||||||
.Pp
|
.Pp
|
||||||
An
|
An
|
||||||
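Review bot: the new paragraph marks file paths with `.Nm` (`.Nm /sbin/ipfw`, `.Nm /usr/lib/libalias`, `.Nm /etc/make.conf`); in mdoc `.Nm` is reserved for the program name and pathnames take `.Pa`, so these should read `.Pa /sbin/ipfw` and so on. Likewise `.Cm -DIPFW2` is a compiler flag rather than a command modifier and reads more naturally as `.Fl DIPFW2`. While here, the unchanged context line `Section for a list of features which are not present in` starts mid-sentence with a capital S.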
@ -1466,12 +1488,36 @@ dropped.
|
|||||||
.Sh SYSCTL VARIABLES
|
.Sh SYSCTL VARIABLES
|
||||||
A set of
|
A set of
|
||||||
.Xr sysctl 8
|
.Xr sysctl 8
|
||||||
variables controls the behaviour of the firewall.
|
variables controls the behaviour of the firewall and
|
||||||
|
associated modules (
|
||||||
|
.Nm dummynet, bridge
|
||||||
|
).
|
||||||
These are shown below together with their default value
|
These are shown below together with their default value
|
||||||
(but always check with the
|
(but always check with the
|
||||||
.Xr sysctl 8
|
.Xr sysctl 8
|
||||||
command what value is actually in use) and meaning:
|
command what value is actually in use) and meaning:
|
||||||
.Bl -tag -width indent
|
.Bl -tag -width indent
|
||||||
|
.It Em net.inet.ip.dummynet.expire : No 1
|
||||||
|
Lazily delete dynamic pipes/queue once they have no pending traffic.
|
||||||
|
You can disable this by setting the variable to 0, in which case
|
||||||
|
the pipes/queues will only be deleted when the threshold is reached.
|
||||||
|
.It Em net.inet.ip.dummynet.hash_size : No 64
|
||||||
|
Default size of the hash table used for dynamic pipes/queues.
|
||||||
|
This value is used when no
|
||||||
|
.Cm buckets
|
||||||
|
option is specified when configuring a pipe/queue.
|
||||||
|
.It Em net.inet.ip.dummynet.max_chain_len : No 16
|
||||||
|
Target value for the maximum number of pipes/queues in a hash bucket.
|
||||||
|
The product
|
||||||
|
.Cm max_chain_len*hash_size
|
||||||
|
is used to determine the threshold over which empty pipes/queues
|
||||||
|
will be expired even when
|
||||||
|
.Cm net.inet.ip.dummynet.expire=0 .
|
||||||
|
.It net.inet.ip.dummynet.red_lookup_depth : No 256
|
||||||
|
.It net.inet.ip.dummynet.red_avg_pkt_size : No 512
|
||||||
|
.It net.inet.ip.dummynet.red_max_pkt_size : No 1500
|
||||||
|
Parameters used in the computations of the drop probability
|
||||||
|
for the RED algorithm.
|
||||||
.It Em net.inet.ip.fw.autoinc_step : No 100
|
.It Em net.inet.ip.fw.autoinc_step : No 100
|
||||||
Delta beween rule numbers when auto-generating them.
|
Delta beween rule numbers when auto-generating them.
|
||||||
The value must be in the range 1..1000.
|
The value must be in the range 1..1000.
|
||||||
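Review bot: the three RED entries (`.It net.inet.ip.dummynet.red_lookup_depth : No 256` and the two lines that follow it) omit the `Em` that every other `.It` in this list carries (`.It Em net.inet.ip.dummynet.expire : No 1`), so those variable names will not be emphasised like their neighbours; add `Em` to all three. Also the parenthesised module list is split over three source lines (`associated modules (` / `.Nm dummynet, bridge` / `).`), which roff joins with spaces to produce `( dummynet, bridge )`; `.Pq Nm dummynet , bridge` keeps the parentheses tight. The pre-existing `Delta beween` typo in the context lines could be fixed in the same pass.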
@ -1483,7 +1529,7 @@ Controls debugging messages produced by
|
|||||||
.Nm .
|
.Nm .
|
||||||
.It Em net.inet.ip.fw.dyn_buckets : No 256
|
.It Em net.inet.ip.fw.dyn_buckets : No 256
|
||||||
The number of buckets in the hash table for dynamic rules.
|
The number of buckets in the hash table for dynamic rules.
|
||||||
Must be a power of 2, up to 1^^20.
|
Must be a power of 2, up to 65536.
|
||||||
It only takes effect when all dynamic rules have expired, so you
|
It only takes effect when all dynamic rules have expired, so you
|
||||||
are advised to use a
|
are advised to use a
|
||||||
.Cm flush
|
.Cm flush
|
||||||
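Review bot: the bound on `net.inet.ip.fw.dyn_buckets` changes from `1^^20` to `65536`; the old text looks like a garbled `2^20`, and 65536 is 2^16, so this is a change in the documented limit rather than a spelling fix, and the commit message does not mention it. Worth confirming that 65536 is the value the kernel actually enforces, since `dyn_buckets` sizes the dynamic-rule hash table and an understated cap would mislead anyone tuning it for heavy stateful traffic.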
@ -1559,7 +1605,19 @@ write your rulesets in a more efficient way.
|
|||||||
.Nm ipfw1
|
.Nm ipfw1
|
||||||
does not supports address sets (those in the form
|
does not supports address sets (those in the form
|
||||||
.Ar addr/masklen{num,num,...}
|
.Ar addr/masklen{num,num,...}
|
||||||
)
|
).
|
||||||
|
.Pp
|
||||||
|
A minor difference between
|
||||||
|
.Nm ipfw1
|
||||||
|
and
|
||||||
|
.Nm ipfw2
|
||||||
|
is that the former allows addresses to be specified as
|
||||||
|
.Ar ipno:mask
|
||||||
|
where the mask can be an arbitrary bitmask instead of
|
||||||
|
a countiguous set of bits.
|
||||||
|
.Nm ipfw2
|
||||||
|
no longer supports this syntax though it would be trivial
|
||||||
|
to reintroduce it as it is supported on the kernel side.
|
||||||
.It Port specifications
|
.It Port specifications
|
||||||
.Nm ipfw1
|
.Nm ipfw1
|
||||||
only allows one port range when specifying TCP and UDP ports, and
|
only allows one port range when specifying TCP and UDP ports, and
|
||||||
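Review bot: typo in the added line `a countiguous set of bits.` (should be `contiguous`), and the unchanged context `does not supports address sets` should be `does not support`. The closing remark `it would be trivial to reintroduce it as it is supported on the kernel side` is a note to developers rather than documentation; either drop it or state plainly that the `ipno:mask` form is accepted by the kernel but rejected by the `ipfw2` parser.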
@ -1576,12 +1634,20 @@ packets. With
|
|||||||
you can put port specifications in rules matching all packets,
|
you can put port specifications in rules matching all packets,
|
||||||
and the match will be attempted only on those packets carrying
|
and the match will be attempted only on those packets carrying
|
||||||
protocols which include port identifiers.
|
protocols which include port identifiers.
|
||||||
|
.Pp
|
||||||
|
Finally,
|
||||||
|
.Nm ipfw1
|
||||||
|
allowed the first port entry to be specified as
|
||||||
|
.Ar port:mask
|
||||||
|
where
|
||||||
|
.Ar mask
|
||||||
|
can be an arbitrary 16-bit mask.
|
||||||
|
This syntax is of questionable usefulness and it is not
|
||||||
|
supported anymore in
|
||||||
|
.Nm ipfw2 .
|
||||||
.It Or-blocks
|
.It Or-blocks
|
||||||
.Nm ipfw1
|
.Nm ipfw1
|
||||||
does not support Or-blocks. All match operators are implicitly
|
does not support Or-blocks.
|
||||||
connected by
|
|
||||||
.Cm and
|
|
||||||
operators.
|
|
||||||
.It keepalives
|
.It keepalives
|
||||||
.Nm ipfw1
|
.Nm ipfw1
|
||||||
does not generate keepalives for stateful sessions.
|
does not generate keepalives for stateful sessions.
|
||||||
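Review bot: the Or-blocks entry drops the sentence `All match operators are implicitly connected by .Cm and operators.`; that is the one line telling an `ipfw1` user how their existing rules are evaluated, which is exactly what someone rewriting a ruleset for `ipfw2` needs, so keep it. In the new port paragraph, `allowed the first port entry to be specified as` uses the past tense while the rest of the section describes `ipfw1` in the present (`only allows one port range`); pick one. `This syntax is of questionable usefulness` is an opinion rather than a statement of behaviour and can go.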
@ -1600,6 +1666,19 @@ and
|
|||||||
The sysctl variable
|
The sysctl variable
|
||||||
.Em net.link.ether.ipfw
|
.Em net.link.ether.ipfw
|
||||||
has no effect there.
|
has no effect there.
|
||||||
|
.It Options
|
||||||
|
The following options are not supported in
|
||||||
|
.Nm ipfw1
|
||||||
|
(RELENG_4)
|
||||||
|
rules:
|
||||||
|
.Pp
|
||||||
|
.Cm layer2, ipid, iplen, ipprecedence, iptos, ipttl,
|
||||||
|
.Cm ipversion, tcpack, tcpseq, tcpwin .
|
||||||
|
.It Dummynet options
|
||||||
|
The following option for
|
||||||
|
.Nm dummynet
|
||||||
|
pipes/queues is not supported:
|
||||||
|
.Cm noerror .
|
||||||
.El
|
.El
|
||||||
.Sh EXAMPLES
|
.Sh EXAMPLES
|
||||||
There are far too many possible uses of
|
There are far too many possible uses of
|
||||||
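Review bot: in `.Cm layer2, ipid, iplen, ipprecedence, iptos, ipttl,` the commas are glued to the keywords, so mdoc sets them in the `.Cm` font along with the names; write them as separate arguments (`.Cm layer2 , ipid , iplen , ...`) so the punctuation renders in roman like the surrounding text. The `(RELENG_4)` qualifier on the `ipfw1` line is useful; consider adding the same qualifier to the Dummynet options entry so readers know which branch lacks `noerror`.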
@ -1870,9 +1949,11 @@ the sleep terminates thus restoring the previous situation.
|
|||||||
.%O "RFC 2309"
|
.%O "RFC 2309"
|
||||||
.Re
|
.Re
|
||||||
.Sh BUGS
|
.Sh BUGS
|
||||||
The syntax has grown over the years and it is not very clean.
|
The syntax has grown over the years and sometimes it might be confusing.
|
||||||
|
Unfortunately, backward compatibility prevents cleaning up mistakes
|
||||||
|
done in the definition of the syntax.
|
||||||
.Pp
|
.Pp
|
||||||
.Em WARNING
|
.Em !!! WARNING !!!
|
||||||
.Pp
|
.Pp
|
||||||
Misconfiguring the firewall can put your computer in an unusable state,
|
Misconfiguring the firewall can put your computer in an unusable state,
|
||||||
possibly shutting down network services and requiring console access to
|
possibly shutting down network services and requiring console access to
|
||||||
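Review bot: `mistakes done in the definition of the syntax` should be `mistakes made in`. The change from `.Em WARNING` to `.Em !!! WARNING !!!` is decoration only; if the intent is to make the warning stand out, an `.Ss`-level heading is the mdoc way, while the exclamation marks add nothing the text does not already say.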
@ -1925,3 +2006,5 @@ was introduced in
|
|||||||
.Fx 2.2.8 .
|
.Fx 2.2.8 .
|
||||||
Stateful extensions were introduced in
|
Stateful extensions were introduced in
|
||||||
.Fx 4.0 .
|
.Fx 4.0 .
|
||||||
|
.Nm ipfw2
|
||||||
|
was introduced in Summer 2002.
|
||||||
|
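Review bot: `was introduced in Summer 2002.` breaks the pattern of the surrounding HISTORY entries, which cite a release (`.Fx 2.2.8 .`, `.Fx 4.0 .`); give the FreeBSD branch or version in which `ipfw2` first appeared, or at least the month and year, so the entry can be checked against the release notes like the others.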