697718b9b6
Submitted by: Dries Michiels MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D26075
163 lines
3.2 KiB
Groff
163 lines
3.2 KiB
Groff
.\"
|
|
.\" $FreeBSD$
|
|
.\"
|
|
.Dd August 19, 2020
|
|
.Dt IPFW 4
|
|
.Os
|
|
.Sh NAME
|
|
.Nm ipfw
|
|
.Nd IP packet filter and traffic accounting
|
|
.Sh SYNOPSIS
|
|
To compile
|
|
the driver
|
|
into the kernel, place the following option in the kernel configuration
|
|
file:
|
|
.Bd -ragged -offset indent
|
|
.Cd "options IPFIREWALL"
|
|
.Ed
|
|
.Pp
|
|
Other related kernel options
|
|
which may also be useful are:
|
|
.Bd -ragged -offset indent
|
|
.Cd "options IPFIREWALL_DEFAULT_TO_ACCEPT"
|
|
.Cd "options IPDIVERT"
|
|
.Cd "options IPFIREWALL_NAT"
|
|
.Cd "options IPFIREWALL_NAT64"
|
|
.Cd "options IPFIREWALL_NPTV6"
|
|
.Cd "options IPFIREWALL_PMOD"
|
|
.Cd "options IPFIREWALL_VERBOSE"
|
|
.Cd "options IPFIREWALL_VERBOSE_LIMIT=100"
|
|
.Cd "options LIBALIAS"
|
|
.Ed
|
|
.Pp
|
|
To load
|
|
the driver
|
|
as a module at boot time, add the following line into the
|
|
.Xr loader.conf 5
|
|
file:
|
|
.Bd -literal -offset indent
|
|
ipfw_load="YES"
|
|
.Ed
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm
|
|
system facility allows filtering,
|
|
redirecting, and other operations on
|
|
.Tn IP
|
|
packets travelling through
|
|
network interfaces.
|
|
.Pp
|
|
The default behavior of
|
|
.Nm
|
|
is to block all incoming and outgoing traffic.
|
|
This behavior can be modified, to allow all traffic through the
|
|
.Nm
|
|
firewall by default, by enabling the
|
|
.Dv IPFIREWALL_DEFAULT_TO_ACCEPT
|
|
kernel option.
|
|
This option may be useful when configuring
|
|
.Nm
|
|
for the first time.
|
|
If the default
|
|
.Nm
|
|
behavior is to allow everything, it is easier to cope with
|
|
firewall-tuning mistakes which may accidentally block all traffic.
|
|
.Pp
|
|
When using
|
|
.Xr natd 8
|
|
in conjunction with
|
|
.Nm
|
|
as
|
|
.Tn NAT
|
|
facility, the kernel option
|
|
.Dv IPDIVERT
|
|
enables diverting packets to
|
|
.Xr natd 8
|
|
for translation.
|
|
.Pp
|
|
When using the in-kernel
|
|
.Tn NAT
|
|
facility of
|
|
.Nm ,
|
|
the kernel option
|
|
.Dv IPFIREWALL_NAT
|
|
enables basic
|
|
.Xr libalias 3
|
|
functionality in the kernel.
|
|
.Pp
|
|
When using any of the
|
|
.Tn IPv4
|
|
to
|
|
.Tn IPv6
|
|
transition mechanisms in
|
|
.Nm ,
|
|
the kernel option
|
|
.Dv IPFIREWALL_NAT64
|
|
enables all of these
|
|
.Tn NAT64
|
|
methods in the kernel.
|
|
.Pp
|
|
When using the
|
|
.Tn IPv6
|
|
network prefix translation facility of
|
|
.Nm ,
|
|
the kernel option
|
|
.Dv IPFIREWALL_NPTV6
|
|
enables this functionality in the kernel.
|
|
.Pp
|
|
When using the packet modification facility of
|
|
.Nm ,
|
|
the kernel option
|
|
.Dv IPFIREWALL_PMOD
|
|
enables this functionality in the kernel.
|
|
.Pp
|
|
To enable logging of packets passing through
|
|
.Nm ,
|
|
enable the
|
|
.Dv IPFIREWALL_VERBOSE
|
|
kernel option.
|
|
The
|
|
.Dv IPFIREWALL_VERBOSE_LIMIT
|
|
option will prevent
|
|
.Xr syslogd 8
|
|
from flooding system logs or causing local Denial of Service.
|
|
This option may be set to the number of packets which will be logged on
|
|
a per-entry basis before the entry is rate-limited.
|
|
.Pp
|
|
When using the in-kernel
|
|
.Tn NAT
|
|
facility of
|
|
.Nm ,
|
|
the kernel option
|
|
.Dv LIBALIAS
|
|
enables full
|
|
.Xr libalias 3
|
|
functionality in the kernel.
|
|
Full functionality refers to included support for ftp, bbt,
|
|
skinny, irc, pptp and smedia packets, which are missing in the basic
|
|
.Xr libalias 3
|
|
functionality accomplished with the
|
|
.Dv IPFIREWALL_NAT
|
|
kernel option.
|
|
.Pp
|
|
The user interface for
|
|
.Nm
|
|
is implemented by the
|
|
.Xr ipfw 8
|
|
utility, so please refer to the
|
|
.Xr ipfw 8
|
|
man page for a complete description of the
|
|
.Nm
|
|
capabilities and how to use it.
|
|
.Sh SEE ALSO
|
|
.Xr setsockopt 2 ,
|
|
.Xr divert 4 ,
|
|
.Xr ip 4 ,
|
|
.Xr ip6 4 ,
|
|
.Xr ipfw 8 ,
|
|
.Xr libalias 3 ,
|
|
.Xr natd 8 ,
|
|
.Xr sysctl 8 ,
|
|
.Xr syslogd 8 ,
|
|
.Xr pfil 9
|