.\"
.\" $FreeBSD$
.\"
.Dd September 1, 2006
.Dt IPFW 4
.Os
.Sh NAME
.Nm ipfw
.Nd IP packet filter and traffic accounting
.Sh SYNOPSIS
To compile
.Nm
into the kernel, place the following option in the kernel configuration
file:
.Bd -ragged -offset indent
.Cd "options IPFIREWALL"
.Ed
.Pp
Other kernel options related to
.Nm
which may also be useful are:
.Bd -ragged -offset indent
.Cd "options IPFIREWALL_DEFAULT_TO_ACCEPT"
.Cd "options IPFIREWALL_FORWARD"
.Cd "options IPFIREWALL_VERBOSE"
.Cd "options IPFIREWALL_VERBOSE_LIMIT=100"
.Ed
.Pp
To load
.Nm
as a module at boot time, add the following line into the
.Xr rc.conf 5
file:
.Bd -literal -offset indent
ipfirewall_enable="YES"
.Ed
.Sh DESCRIPTION
The
.Nm
system facility allows filtering,
redirecting, and other operations on
.Tn IP
packets travelling through
network interfaces.
.Pp
The default behavior of
.Nm
is to block all incoming and outgoing traffic.
This behavior can be modified, to allow all traffic through the
.Nm
firewall by default, by enabling the
.Dv IPFIREWALL_DEFAULT_TO_ACCEPT
kernel option.
This option may be useful when configuring
.Nm
for the first time.
If the default
.Nm
behavior is to allow everything, it is easier to cope with
firewall-tuning mistakes which may accidentally block all traffic.
.Pp
To enable logging of packets passing through
.Nm ,
enable the
.Dv IPFIREWALL_VERBOSE
kernel option.
The
.Dv IPFIREWALL_VERBOSE_LIMIT
option will prevent
.Xr syslogd 8
from flooding system logs or causing a local denial of service.
This option may be set to the number of packets which will be logged on
a per-entry basis before the entry is rate-limited.
.Pp
Policy routing and transparent forwarding features of
.Nm
can be enabled by the
.Dv IPFIREWALL_FORWARD
kernel option.
.Pp
The user interface for
.Nm
is implemented by the
.Xr ipfw 8
utility, so please refer to the
.Xr ipfw 8
manpage for a complete description of the
.Nm
capabilities and how to use it.
.Sh SEE ALSO
.Xr setsockopt 2 ,
.Xr divert 4 ,
.Xr ip 4 ,
.Xr ipfw 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8 ,
.Xr pfil 9
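The kernel options listed in SYNOPSIS and explained in DESCRIPTION (default-to-deny versus default-to-accept, logging, and the per-rule log limit that protects syslogd) can be audited straight from a kernel configuration file. The script below is an added example, not part of the ipfw.4 manual page or of the FreeBSD sources; it assumes the standard `options NAME[=VALUE]` syntax and uses only POSIX sh and awk, so it runs on any host given a copy of the config file.

```shell
#!/bin/sh
# Added audit helper, not part of ipfw.4: read a FreeBSD kernel config and
# report what the IPFIREWALL options described above imply for the host.

# Print the value of "options NAME" (or "options NAME=VALUE") from a kernel
# config file: "set" when present without a value, nothing when absent.
kconf_option() {
    awk -v name="$2" '
        /^[[:space:]]*#/ { next }                    # skip comment lines
        $1 == "options" {
            opt = $2
            sub(/^"/, "", opt); sub(/"$/, "", opt)   # drop optional quotes
            n = split(opt, kv, "=")
            if (kv[1] == name) { print (n > 1 ? kv[2] : "set"); exit }
        }' "$1"
}

# Report the ipfw posture of config file $1.  Returns 0 when nothing needs
# review, 1 when a finding a defender would want to look at was printed.
ipfw_posture() {
    cfg=$1; rc=0
    if [ -z "$(kconf_option "$cfg" IPFIREWALL)" ]; then
        echo "ipfw is not compiled into this kernel (no IPFIREWALL)"
        return 0
    fi
    if [ -n "$(kconf_option "$cfg" IPFIREWALL_DEFAULT_TO_ACCEPT)" ]; then
        echo "FINDING: default policy is accept; unmatched traffic passes"
        rc=1
    else
        echo "default policy is deny, as ipfw.4 describes"
    fi
    if [ -n "$(kconf_option "$cfg" IPFIREWALL_VERBOSE)" ]; then
        limit=$(kconf_option "$cfg" IPFIREWALL_VERBOSE_LIMIT)
        case $limit in
            ""|set) echo "FINDING: logging without IPFIREWALL_VERBOSE_LIMIT; syslogd can be flooded"; rc=1 ;;
            *)      echo "logging is rate-limited after $limit packets per rule" ;;
        esac
    fi
    return $rc
}

# Constructed sample configuration (not taken from any real system).
sample=$(mktemp)
printf 'options\tIPFIREWALL\noptions\tIPFIREWALL_VERBOSE\noptions\tIPFIREWALL_VERBOSE_LIMIT=100\n' > "$sample"
ipfw_posture "$sample"
rm -f "$sample"
```

Point `ipfw_posture` at a real kernel configuration file (for example one under `/usr/src/sys/<arch>/conf/`) to check a build before it ships.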