910201d9b8
from within rc.conf. - Remove IPDIVERT kernel option - Add notes about IPFIREWALL_DEFAULT_TO_ACCEPT and IPFIREWALL_FORWARD Reviewed by: ru Approved by: keramida (mentor), trhodes (mentor) MFC after: 1 week
98 lines
2.0 KiB
Groff
.\"
.\" $FreeBSD$
.\"
.Dd September 1, 2006
.Dt IPFW 4
.Os
.Sh NAME
.Nm ipfw
.Nd IP packet filter and traffic accounting
.Sh SYNOPSIS
To compile
.Nm
into the kernel, place the following option in the kernel configuration
file:
.Bd -ragged -offset indent
.Cd "options IPFIREWALL"
.Ed
.Pp
Other kernel options related to
.Nm
which may also be useful are:
.Bd -ragged -offset indent
.Cd "options IPFIREWALL_DEFAULT_TO_ACCEPT"
.Cd "options IPFIREWALL_FORWARD"
.Cd "options IPFIREWALL_VERBOSE"
.Cd "options IPFIREWALL_VERBOSE_LIMIT=100"
.Ed
.Pp
To load
.Nm
as a module at boot time, add the following line to the
.Xr rc.conf 5
file:
.Bd -literal -offset indent
firewall_enable="YES"
.Ed
.Pp
The
.Nm
rc script loads the module when it was not compiled into the kernel and
then installs the rule set selected by the other
.Va firewall_*
variables described in
.Xr rc.conf 5 .
Enabling the firewall without selecting a rule set leaves only the
default rule in place, which, unless
.Dv IPFIREWALL_DEFAULT_TO_ACCEPT
was used, blocks all traffic, including the remote session that
started it.
.Sh DESCRIPTION
The
.Nm
system facility allows filtering,
redirecting, and other operations on
.Tn IP
packets travelling through
network interfaces.
.Pp
The default behavior of
.Nm
is to block all incoming and outgoing traffic:
the last rule of the rule set, which cannot be deleted, is a
.Dq deny ip from any to any
rule, so a packet that matches no earlier rule is dropped.
This behavior can be modified, to allow all traffic through the
.Nm
firewall by default, by enabling the
.Dv IPFIREWALL_DEFAULT_TO_ACCEPT
kernel option, which turns the default rule into
.Dq allow ip from any to any .
This option may be useful when configuring
.Nm
for the first time, or on a host that is administered over the network:
if the default
.Nm
behavior is to allow everything, a firewall-tuning mistake which would
otherwise block all traffic, including the administrator's own session,
is easier to recover from.
The price is that the firewall fails open: a rule set that does not
load, or one that omits a final explicit deny rule, leaves the host
unfiltered.
Production rule sets should therefore end with an explicit deny rule,
so that the policy does not depend on this option.
.Pp
To enable logging of packets matching rules that carry the
.Cm log
keyword, enable the
.Dv IPFIREWALL_VERBOSE
kernel option.
The
.Dv IPFIREWALL_VERBOSE_LIMIT
option will prevent
.Xr syslogd 8
from flooding system logs or causing a local Denial of Service.
This option may be set to the number of packets which will be logged on
a per-entry basis before logging for that entry is suspended; logging
resumes when the counters are cleared with the
.Cm resetlog
command of
.Xr ipfw 8 .
Both settings can also be changed at run time through the
.Va net.inet.ip.fw.verbose
and
.Va net.inet.ip.fw.verbose_limit
variables, see
.Xr sysctl 8 .
.Pp
Policy routing and transparent forwarding features of
.Nm
(the
.Cm fwd
action of
.Xr ipfw 8 )
can be enabled by the
.Dv IPFIREWALL_FORWARD
kernel option.
.Pp
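The kernel options above set the fail-safe policy and the logging
budget; the rule set itself is installed by
.Xr ipfw 8 .
The following script is an added example, not part of this manual page
nor of the FreeBSD rc scripts, of a rule set written so that the policy
does not depend on whether
.Dv IPFIREWALL_DEFAULT_TO_ACCEPT
was compiled in: it refuses to load unless it ends with its own deny
rule, and that rule uses
.Cm log logamount
to apply per rule the same logging limit the
.Dv IPFIREWALL_VERBOSE_LIMIT
option applies globally.
The interface name, the management network and the path of
.Xr ipfw 8
are assumptions for illustration only.

```shell
#!/bin/sh
# Added example: a fail-closed ipfw(8) rule set in the style of a
# firewall_script for rc.conf(5).  Not taken from the ipfw(4) manual
# page or from FreeBSD's own /etc/rc.firewall.
#
# Assumptions (placeholders for illustration): the external interface
# is em0, the management network is 192.0.2.0/24 (TEST-NET-1), and
# ipfw(8) lives at /sbin/ipfw.
#
# To use it at boot, point rc.conf(5) at this file:
#     firewall_enable="YES"
#     firewall_script="/usr/local/etc/ipfw.sh"

ext_if="${EXT_IF:-em0}"
admin_net="${ADMIN_NET:-192.0.2.0/24}"

# Print the rules in installation order, one ipfw(8) command per line.
# Keeping them in a function makes the policy reviewable and testable
# without touching the kernel.  The final rule is an explicit deny with
# its own logging budget, so the compile-time default rule is never
# reached and the policy is identical with or without
# IPFIREWALL_DEFAULT_TO_ACCEPT.
emit_rules() {
	cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny log ip from any to 127.0.0.0/8
add 300 deny log ip from 127.0.0.0/8 to any
add 1000 check-state
add 1100 allow tcp from ${admin_net} to me 22 in via ${ext_if} setup keep-state
add 1200 allow ip from me to any out via ${ext_if} keep-state
add 1300 allow icmp from any to me icmptypes 0,3,8,11 in via ${ext_if}
add 65000 deny log logamount 100 ip from any to any
EOF
}

# Return 0 when the last rule is an explicit catch-all deny, so a rule
# set that silently relies on the default rule is rejected.
ends_with_deny() {
	last=$(emit_rules | tail -n 1)
	case "$last" in
	"add "*" deny "*" ip from any to any") return 0 ;;
	*) return 1 ;;
	esac
}

# Install the rules.  The optional argument replaces the ipfw(8) path
# (for example a shell function that prints its arguments, to dry-run
# and inspect what would be executed).  -q implies -f, so flush does
# not prompt for confirmation.
load_rules() {
	fwcmd="${1:-/sbin/ipfw}"
	ends_with_deny || { echo "refusing to load: no final deny rule" >&2; return 1; }
	"$fwcmd" -q flush
	emit_rules | while IFS= read -r rule; do
		# Word-splitting the rule is intended: each word is one argument.
		# shellcheck disable=SC2086
		"$fwcmd" -q $rule
	done
}
```

Run it once by hand as root with
.Cm load_rules
from a console session before enabling it in
.Xr rc.conf 5 ,
so that a typo in a rule cannot lock out the network session used to
test it.
.Pp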
The user interface for
.Nm
is implemented by the
.Xr ipfw 8
utility, so please refer to the
.Xr ipfw 8
manual page for a complete description of the
.Nm
capabilities and how to use it.
.Sh SEE ALSO
.Xr setsockopt 2 ,
.Xr divert 4 ,
.Xr ip 4 ,
.Xr rc.conf 5 ,
.Xr ipfw 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8 ,
.Xr pfil 9