freebsd-nq/share/man/man4/ipfirewall.4

.\"
.\" $FreeBSD$
.\"
.Dd August 19, 2020
.Dt IPFW 4
.Os
.Sh NAME
.Nm ipfw
.Nd IP packet filter and traffic accounting
.Sh SYNOPSIS
To compile
the driver
into the kernel, place the following option in the kernel configuration
file:
.Bd -ragged -offset indent
.Cd "options IPFIREWALL"
.Ed
.Pp
Other related kernel options
which may also be useful are:
.Bd -ragged -offset indent
.Cd "options IPFIREWALL_DEFAULT_TO_ACCEPT"
.Cd "options IPDIVERT"
.Cd "options IPFIREWALL_NAT"
.Cd "options IPFIREWALL_NAT64"
.Cd "options IPFIREWALL_NPTV6"
.Cd "options IPFIREWALL_PMOD"
.Cd "options IPFIREWALL_VERBOSE"
.Cd "options IPFIREWALL_VERBOSE_LIMIT=100"
.Cd "options LIBALIAS"
.Ed
.Pp
To load
the driver
as a module at boot time, add the following line into the
.Xr loader.conf 5
file:
.Bd -literal -offset indent
ipfw_load="YES"
.Ed
.Sh DESCRIPTION
The
.Nm
system facility allows filtering,
redirecting, and other operations on
.Tn IP
packets travelling through
network interfaces.
.Pp
The default behavior of
.Nm
is to block all incoming and outgoing traffic.
This behavior can be modified, to allow all traffic through the
.Nm
firewall by default, by enabling the
.Dv IPFIREWALL_DEFAULT_TO_ACCEPT
kernel option.
This option may be useful when configuring
.Nm
for the first time.
If the default
.Nm
behavior is to allow everything, it is easier to cope with
firewall-tuning mistakes which may accidentally block all traffic.
.Pp
When using
.Xr natd 8
in conjunction with
.Nm
as
.Tn NAT
facility, the kernel option
.Dv IPDIVERT
enables diverting packets to
.Xr natd 8
for translation.
.Pp
When using the in-kernel
.Tn NAT
facility of
.Nm ,
the kernel option
.Dv IPFIREWALL_NAT
enables basic
.Xr libalias 3
functionality in the kernel.
.Pp
When using any of the
.Tn IPv4
to
.Tn IPv6
transition mechanisms in
.Nm ,
the kernel option
.Dv IPFIREWALL_NAT64
enables all of these
.Tn NAT64
methods in the kernel.
.Pp
When using the
.Tn IPv6
network prefix translation facility of
.Nm ,
the kernel option
.Dv IPFIREWALL_NPTV6
enables this functionality in the kernel.
.Pp
When using the packet modification facility of
.Nm ,
the kernel option
.Dv IPFIREWALL_PMOD
enables this functionality in the kernel.
.Pp
To enable logging of packets passing through
.Nm ,
enable the
.Dv IPFIREWALL_VERBOSE
kernel option.
The
.Dv IPFIREWALL_VERBOSE_LIMIT
option will prevent
.Xr syslogd 8
from flooding system logs or causing local Denial of Service.
This option may be set to the number of packets which will be logged on
a per-entry basis before the entry is rate-limited.
.Pp
When using the in-kernel
.Tn NAT
facility of
.Nm ,
the kernel option
.Dv LIBALIAS
enables full
.Xr libalias 3
functionality in the kernel.
Full functionality refers to included support for ftp, bbt,
skinny, irc, pptp and smedia packets, which are missing in the basic
.Xr libalias 3
functionality accomplished with the
.Dv IPFIREWALL_NAT
kernel option.
.Pp
The user interface for
.Nm
is implemented by the
.Xr ipfw 8
utility, so please refer to the
.Xr ipfw 8
man page for a complete description of the
.Nm
capabilities and how to use it.
.Sh SEE ALSO
.Xr setsockopt 2 ,
.Xr divert 4 ,
.Xr ip 4 ,
.Xr ip6 4 ,
.Xr ipfw 8 ,
.Xr libalias 3 ,
.Xr natd 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8 ,
.Xr pfil 9
add missing cvs Id lines. 1997-03-07 02:50:01 +00:00			`.\"`
$Id$ -> $FreeBSD$ 1999-08-28 00:22:10 +00:00			`.\" $FreeBSD$`
add missing cvs Id lines. 1997-03-07 02:50:01 +00:00			`.\"`
ipfirewall(4): remove Cuseeme from supported list Submitted by: Dries Michiels MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D26075 2020-08-19 17:52:06 +00:00			`.Dd August 19, 2020`
Remove stale information from these two manpage, and point the readers to the one up-to-date page which is ipfw(8). MFC after: 3 days 2002-10-28 07:24:58 +00:00			`.Dt IPFW 4`
Move ipfirewall.4 & snp.4 facility manpage to share/man/man4 1995-02-17 18:48:36 +00:00			`.Os`
			`.Sh NAME`
Remove stale information from these two manpage, and point the readers to the one up-to-date page which is ipfw(8). MFC after: 3 days 2002-10-28 07:24:58 +00:00			`.Nm ipfw`
Make this file bare a small resemblance to reality again Requested from: Archie Cobbs (archie@whistle.com) 1997-06-23 02:12:21 +00:00			`.Nd IP packet filter and traffic accounting`
- Move available kernel options to SYNOPSIS, describe how to enable ipfw from within rc.conf. - Remove IPDIVERT kernel option - Add notes about IPFIREWALL_DEFAULT_TO_ACCEPT and IPFIREWALL_FORWARD Reviewed by: ru Approved by: keramida (mentor), trhodes (mentor) MFC after: 1 week 2006-09-01 08:50:05 +00:00			`.Sh SYNOPSIS`
			`To compile`
mdoc: Avoid playing tricks with Ns: If Nm is present in the SYNOPSIS section, it will be output on its own line. Ns cancels this effect however. This change is also consistent with the rest of our manual pages. 2012-05-14 16:25:17 +00:00			`the driver`
- Move available kernel options to SYNOPSIS, describe how to enable ipfw from within rc.conf. - Remove IPDIVERT kernel option - Add notes about IPFIREWALL_DEFAULT_TO_ACCEPT and IPFIREWALL_FORWARD Reviewed by: ru Approved by: keramida (mentor), trhodes (mentor) MFC after: 1 week 2006-09-01 08:50:05 +00:00			`into the kernel, place the following option in the kernel configuration`
			`file:`
			`.Bd -ragged -offset indent`
			`.Cd "options IPFIREWALL"`
			`.Ed`
			`.Pp`
mdoc: Avoid playing tricks with Ns: If Nm is present in the SYNOPSIS section, it will be output on its own line. Ns cancels this effect however. This change is also consistent with the rest of our manual pages. 2012-05-14 16:25:17 +00:00			`Other related kernel options`
- Move available kernel options to SYNOPSIS, describe how to enable ipfw from within rc.conf. - Remove IPDIVERT kernel option - Add notes about IPFIREWALL_DEFAULT_TO_ACCEPT and IPFIREWALL_FORWARD Reviewed by: ru Approved by: keramida (mentor), trhodes (mentor) MFC after: 1 week 2006-09-01 08:50:05 +00:00			`which may also be useful are:`
			`.Bd -ragged -offset indent`
			`.Cd "options IPFIREWALL_DEFAULT_TO_ACCEPT"`
Include all currently present kernel options for IPFW Also fix igor complaint about manpage/s/man page Reported by: rgrimes@freebsd.org PR: 219075 Submitted by: Dries Michiels driesm.michiels_gmail.com Reported by: rgrimes Reviewed by: bcr (manpages), 0mp MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D24541 2020-05-22 03:13:29 +00:00			`.Cd "options IPDIVERT"`
			`.Cd "options IPFIREWALL_NAT"`
			`.Cd "options IPFIREWALL_NAT64"`
			`.Cd "options IPFIREWALL_NPTV6"`
			`.Cd "options IPFIREWALL_PMOD"`
- Move available kernel options to SYNOPSIS, describe how to enable ipfw from within rc.conf. - Remove IPDIVERT kernel option - Add notes about IPFIREWALL_DEFAULT_TO_ACCEPT and IPFIREWALL_FORWARD Reviewed by: ru Approved by: keramida (mentor), trhodes (mentor) MFC after: 1 week 2006-09-01 08:50:05 +00:00			`.Cd "options IPFIREWALL_VERBOSE"`
			`.Cd "options IPFIREWALL_VERBOSE_LIMIT=100"`
Include all currently present kernel options for IPFW Also fix igor complaint about manpage/s/man page Reported by: rgrimes@freebsd.org PR: 219075 Submitted by: Dries Michiels driesm.michiels_gmail.com Reported by: rgrimes Reviewed by: bcr (manpages), 0mp MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D24541 2020-05-22 03:13:29 +00:00			`.Cd "options LIBALIAS"`
- Move available kernel options to SYNOPSIS, describe how to enable ipfw from within rc.conf. - Remove IPDIVERT kernel option - Add notes about IPFIREWALL_DEFAULT_TO_ACCEPT and IPFIREWALL_FORWARD Reviewed by: ru Approved by: keramida (mentor), trhodes (mentor) MFC after: 1 week 2006-09-01 08:50:05 +00:00			`.Ed`
			`.Pp`
			`To load`
mdoc: Avoid playing tricks with Ns: If Nm is present in the SYNOPSIS section, it will be output on its own line. Ns cancels this effect however. This change is also consistent with the rest of our manual pages. 2012-05-14 16:25:17 +00:00			`the driver`
- Move available kernel options to SYNOPSIS, describe how to enable ipfw from within rc.conf. - Remove IPDIVERT kernel option - Add notes about IPFIREWALL_DEFAULT_TO_ACCEPT and IPFIREWALL_FORWARD Reviewed by: ru Approved by: keramida (mentor), trhodes (mentor) MFC after: 1 week 2006-09-01 08:50:05 +00:00			`as a module at boot time, add the following line into the`
Use the loader.conf example. Approved by: trhodes (mentor), keramida (mentor) MFC after: 3 days 2006-10-16 07:56:36 +00:00			`.Xr loader.conf 5`
- Move available kernel options to SYNOPSIS, describe how to enable ipfw from within rc.conf. - Remove IPDIVERT kernel option - Add notes about IPFIREWALL_DEFAULT_TO_ACCEPT and IPFIREWALL_FORWARD Reviewed by: ru Approved by: keramida (mentor), trhodes (mentor) MFC after: 1 week 2006-09-01 08:50:05 +00:00			`file:`
			`.Bd -literal -offset indent`
Use the loader.conf example. Approved by: trhodes (mentor), keramida (mentor) MFC after: 3 days 2006-10-16 07:56:36 +00:00			`ipfw_load="YES"`
- Move available kernel options to SYNOPSIS, describe how to enable ipfw from within rc.conf. - Remove IPDIVERT kernel option - Add notes about IPFIREWALL_DEFAULT_TO_ACCEPT and IPFIREWALL_FORWARD Reviewed by: ru Approved by: keramida (mentor), trhodes (mentor) MFC after: 1 week 2006-09-01 08:50:05 +00:00			`.Ed`
Move ipfirewall.4 & snp.4 facility manpage to share/man/man4 1995-02-17 18:48:36 +00:00			`.Sh DESCRIPTION`
mdoc(7) police: scheduled sweep. Approved by: re 2002-11-29 11:39:20 +00:00			`The`
			`.Nm`
			`system facility allows filtering,`
			`redirecting, and other operations on`
			`.Tn IP`
			`packets travelling through`
			`network interfaces.`
A QUICK pass through this man page to make it conform to mdoc standards and to clean up some of the English. The job is nowhere complete. This man page would be a good project for someone who knows something about the firewall software, and would like to contribute to the documentation effort. Many of the things in this man page are out of date and do not reflect reality. 1996-07-11 02:37:59 +00:00			`.Pp`
- Move available kernel options to SYNOPSIS, describe how to enable ipfw from within rc.conf. - Remove IPDIVERT kernel option - Add notes about IPFIREWALL_DEFAULT_TO_ACCEPT and IPFIREWALL_FORWARD Reviewed by: ru Approved by: keramida (mentor), trhodes (mentor) MFC after: 1 week 2006-09-01 08:50:05 +00:00			`The default behavior of`
			`.Nm`
			`is to block all incoming and outgoing traffic.`
			`This behavior can be modified, to allow all traffic through the`
			`.Nm`
			`firewall by default, by enabling the`
			`.Dv IPFIREWALL_DEFAULT_TO_ACCEPT`
			`kernel option.`
			`This option may be useful when configuring`
			`.Nm`
			`for the first time.`
			`If the default`
			`.Nm`
			`behavior is to allow everything, it is easier to cope with`
			`firewall-tuning mistakes which may accidentally block all traffic.`
			`.Pp`
Include all currently present kernel options for IPFW Also fix igor complaint about manpage/s/man page Reported by: rgrimes@freebsd.org PR: 219075 Submitted by: Dries Michiels driesm.michiels_gmail.com Reported by: rgrimes Reviewed by: bcr (manpages), 0mp MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D24541 2020-05-22 03:13:29 +00:00			`When using`
			`.Xr natd 8`
			`in conjunction with`
			`.Nm`
			`as`
			`.Tn NAT`
			`facility, the kernel option`
			`.Dv IPDIVERT`
			`enables diverting packets to`
			`.Xr natd 8`
			`for translation.`
			`.Pp`
			`When using the in-kernel`
			`.Tn NAT`
			`facility of`
			`.Nm ,`
			`the kernel option`
			`.Dv IPFIREWALL_NAT`
			`enables basic`
			`.Xr libalias 3`
			`functionality in the kernel.`
			`.Pp`
			`When using any of the`
			`.Tn IPv4`
			`to`
			`.Tn IPv6`
			`transition mechanisms in`
			`.Nm ,`
			`the kernel option`
			`.Dv IPFIREWALL_NAT64`
			`enables all of these`
			`.Tn NAT64`
			`methods in the kernel.`
			`.Pp`
			`When using the`
			`.Tn IPv6`
			`network prefix translation facility of`
			`.Nm ,`
			`the kernel option`
			`.Dv IPFIREWALL_NPTV6`
			`enables this functionality in the kernel.`
			`.Pp`
			`When using the packet modification facility of`
			`.Nm ,`
			`the kernel option`
			`.Dv IPFIREWALL_PMOD`
			`enables this functionality in the kernel.`
			`.Pp`
- Move available kernel options to SYNOPSIS, describe how to enable ipfw from within rc.conf. - Remove IPDIVERT kernel option - Add notes about IPFIREWALL_DEFAULT_TO_ACCEPT and IPFIREWALL_FORWARD Reviewed by: ru Approved by: keramida (mentor), trhodes (mentor) MFC after: 1 week 2006-09-01 08:50:05 +00:00			`To enable logging of packets passing through`
			`.Nm ,`
			`enable the`
			`.Dv IPFIREWALL_VERBOSE`
			`kernel option.`
			`The`
			`.Dv IPFIREWALL_VERBOSE_LIMIT`
			`option will prevent`
			`.Xr syslogd 8`
			`from flooding system logs or causing local Denial of Service.`
			`This option may be set to the number of packets which will be logged on`
			`a per-entry basis before the entry is rate-limited.`
			`.Pp`
Include all currently present kernel options for IPFW Also fix igor complaint about manpage/s/man page Reported by: rgrimes@freebsd.org PR: 219075 Submitted by: Dries Michiels driesm.michiels_gmail.com Reported by: rgrimes Reviewed by: bcr (manpages), 0mp MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D24541 2020-05-22 03:13:29 +00:00			`When using the in-kernel`
			`.Tn NAT`
			`facility of`
			`.Nm ,`
			`the kernel option`
			`.Dv LIBALIAS`
			`enables full`
			`.Xr libalias 3`
			`functionality in the kernel.`
ipfirewall(4): remove Cuseeme from supported list Submitted by: Dries Michiels MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D26075 2020-08-19 17:52:06 +00:00			`Full functionality refers to included support for ftp, bbt,`
Include all currently present kernel options for IPFW Also fix igor complaint about manpage/s/man page Reported by: rgrimes@freebsd.org PR: 219075 Submitted by: Dries Michiels driesm.michiels_gmail.com Reported by: rgrimes Reviewed by: bcr (manpages), 0mp MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D24541 2020-05-22 03:13:29 +00:00			`skinny, irc, pptp and smedia packets, which are missing in the basic`
			`.Xr libalias 3`
			`functionality accomplished with the`
			`.Dv IPFIREWALL_NAT`
			`kernel option.`
			`.Pp`
Remove stale information from these two manpage, and point the readers to the one up-to-date page which is ipfw(8). MFC after: 3 days 2002-10-28 07:24:58 +00:00			`The user interface for`
mdoc(7) police: scheduled sweep. Approved by: re 2002-11-29 11:39:20 +00:00			`.Nm`
Remove stale information from these two manpage, and point the readers to the one up-to-date page which is ipfw(8). MFC after: 3 days 2002-10-28 07:24:58 +00:00			`is implemented by the`
			`.Xr ipfw 8`
mdoc(7) police: scheduled sweep. Approved by: re 2002-11-29 11:39:20 +00:00			`utility, so please refer to the`
			`.Xr ipfw 8`
Include all currently present kernel options for IPFW Also fix igor complaint about manpage/s/man page Reported by: rgrimes@freebsd.org PR: 219075 Submitted by: Dries Michiels driesm.michiels_gmail.com Reported by: rgrimes Reviewed by: bcr (manpages), 0mp MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D24541 2020-05-22 03:13:29 +00:00			`man page for a complete description of the`
mdoc(7) police: scheduled sweep. Approved by: re 2002-11-29 11:39:20 +00:00			`.Nm`
			`capabilities and how to use it.`
Move ipfirewall.4 & snp.4 facility manpage to share/man/man4 1995-02-17 18:48:36 +00:00			`.Sh SEE ALSO`
A QUICK pass through this man page to make it conform to mdoc standards and to clean up some of the English. The job is nowhere complete. This man page would be a good project for someone who knows something about the firewall software, and would like to contribute to the documentation effort. Many of the things in this man page are out of date and do not reflect reality. 1996-07-11 02:37:59 +00:00			`.Xr setsockopt 2 ,`
Make this file bare a small resemblance to reality again Requested from: Archie Cobbs (archie@whistle.com) 1997-06-23 02:12:21 +00:00			`.Xr divert 4 ,`
Sort cross refereces in section SEE ALSO. 1997-09-29 10:11:02 +00:00			`.Xr ip 4 ,`
Include all currently present kernel options for IPFW Also fix igor complaint about manpage/s/man page Reported by: rgrimes@freebsd.org PR: 219075 Submitted by: Dries Michiels driesm.michiels_gmail.com Reported by: rgrimes Reviewed by: bcr (manpages), 0mp MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D24541 2020-05-22 03:13:29 +00:00			`.Xr ip6 4 ,`
Make this file bare a small resemblance to reality again Requested from: Archie Cobbs (archie@whistle.com) 1997-06-23 02:12:21 +00:00			`.Xr ipfw 8 ,`
Include all currently present kernel options for IPFW Also fix igor complaint about manpage/s/man page Reported by: rgrimes@freebsd.org PR: 219075 Submitted by: Dries Michiels driesm.michiels_gmail.com Reported by: rgrimes Reviewed by: bcr (manpages), 0mp MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D24541 2020-05-22 03:13:29 +00:00			`.Xr libalias 3 ,`
			`.Xr natd 8 ,`
Document that the IPFW messages are logged via syslogd(8). 2001-02-22 09:12:44 +00:00			`.Xr sysctl 8 ,`
Note that IPFIREWALL depends on PFIL_HOOKS compiled into the kernel as well. Submitted by: ceri, simon (mdoc fixes) 2004-08-19 18:04:10 +00:00			`.Xr syslogd 8 ,`
			`.Xr pfil 9`