1.\" 2.\" $FreeBSD$ 3.\" 4.Dd June 16, 2007 5.Dt IPFW 8 6.Os 7.Sh NAME 8.Nm ipfw 9.Nd IP firewall and traffic shaper control program 10.Sh SYNOPSIS 11.Nm 12.Op Fl cq 13.Cm add 14.Ar rule 15.Nm 16.Op Fl acdefnNStT 17.Op Cm set Ar N 18.Brq Cm list | show 19.Op Ar rule | first-last ... 20.Nm 21.Op Fl f | q 22.Op Cm set Ar N 23.Cm flush 24.Nm 25.Op Fl q 26.Op Cm set Ar N 27.Brq Cm delete | zero | resetlog 28.Op Ar number ... 29.Nm 30.Cm enable 31.Brq Cm firewall | altq | one_pass | debug | verbose | dyn_keepalive 32.Nm 33.Cm disable 34.Brq Cm firewall | altq | one_pass | debug | verbose | dyn_keepalive 35.Pp 36.Nm 37.Cm set Oo Cm disable Ar number ... Oc Op Cm enable Ar number ... 38.Nm 39.Cm set move 40.Op Cm rule 41.Ar number Cm to Ar number 42.Nm 43.Cm set swap Ar number number 44.Nm 45.Cm set show 46.Pp 47.Nm 48.Cm table Ar number Cm add Ar addr Ns Oo / Ns Ar masklen Oc Op Ar value 49.Nm 50.Cm table Ar number Cm delete Ar addr Ns Op / Ns Ar masklen 51.Nm 52.Cm table Ar number Cm flush 53.Nm 54.Cm table Ar number Cm list 55.Pp 56.Nm 57.Brq Cm pipe | queue 58.Ar number 59.Cm config 60.Ar config-options 61.Nm 62.Op Fl s Op Ar field 63.Brq Cm pipe | queue 64.Brq Cm delete | list | show 65.Op Ar number ... 66.Pp 67.Nm 68.Cm nat 69.Ar number 70.Cm config 71.Ar config-options 72.Pp 73.Nm 74.Op Fl cfnNqS 75.Oo 76.Fl p Ar preproc 77.Oo 78.Ar preproc-flags 79.Oc 80.Oc 81.Ar pathname 82.Sh DESCRIPTION 83The 84.Nm 85utility is the user interface for controlling the 86.Xr ipfw 4 87firewall and the 88.Xr dummynet 4 89traffic shaper in 90.Fx . 91.Pp 92An 93.Nm 94configuration, or 95.Em ruleset , 96is made of a list of 97.Em rules 98numbered from 1 to 65535. 99Packets are passed to 100.Nm 101from a number of different places in the protocol stack 102(depending on the source and destination of the packet, 103it is possible that 104.Nm 105is invoked multiple times on the same packet). 106The packet passed to the firewall is compared 107against each of the rules in the firewall 108.Em ruleset . 109When a match is found, the action corresponding to the 110matching rule is performed. 111.Pp 112Depending on the action and certain system settings, packets 113can be reinjected into the firewall at some rule after the 114matching one for further processing. 115.Pp 116An 117.Nm 118ruleset always includes a 119.Em default 120rule (numbered 65535) which cannot be modified or deleted, 121and matches all packets. 122The action associated with the 123.Em default 124rule can be either 125.Cm deny 126or 127.Cm allow 128depending on how the kernel is configured. 129.Pp 130If the ruleset includes one or more rules with the 131.Cm keep-state 132or 133.Cm limit 134option, then 135.Nm 136assumes a 137.Em stateful 138behaviour, i.e., upon a match it will create dynamic rules matching 139the exact parameters (addresses and ports) of the matching packet. 140.Pp 141These dynamic rules, which have a limited lifetime, are checked 142at the first occurrence of a 143.Cm check-state , 144.Cm keep-state 145or 146.Cm limit 147rule, and are typically used to open the firewall on-demand to 148legitimate traffic only. 149See the 150.Sx STATEFUL FIREWALL 151and 152.Sx EXAMPLES 153Sections below for more information on the stateful behaviour of 154.Nm . 155.Pp 156All rules (including dynamic ones) have a few associated counters: 157a packet count, a byte count, a log count and a timestamp 158indicating the time of the last match. 159Counters can be displayed or reset with 160.Nm 161commands. 162.Pp 163Rules can be added with the 164.Cm add 165command; deleted individually or in groups with the 166.Cm delete 167command, and globally (except those in set 31) with the 168.Cm flush 169command; displayed, optionally with the content of the 170counters, using the 171.Cm show 172and 173.Cm list 174commands. 175Finally, counters can be reset with the 176.Cm zero 177and 178.Cm resetlog 179commands. 180.Pp 181Also, each rule belongs to one of 32 different 182.Em sets 183, and there are 184.Nm 185commands to atomically manipulate sets, such as enable, 186disable, swap sets, move all rules in a set to another 187one, delete all rules in a set. 188These can be useful to 189install temporary configurations, or to test them. 190See Section 191.Sx SETS OF RULES 192for more information on 193.Em sets . 194.Pp 195The following options are available: 196.Bl -tag -width indent 197.It Fl a 198While listing, show counter values. 199The 200.Cm show 201command just implies this option. 202.It Fl b 203Only show the action and the comment, not the body of a rule. 204Implies 205.Fl c . 206.It Fl c 207When entering or showing rules, print them in compact form, 208i.e., without the optional "ip from any to any" string 209when this does not carry any additional information. 210.It Fl d 211While listing, show dynamic rules in addition to static ones. 212.It Fl e 213While listing, if the 214.Fl d 215option was specified, also show expired dynamic rules. 216.It Fl f 217Do not ask for confirmation for commands that can cause problems 218if misused, 219.No i.e. Cm flush . 220If there is no tty associated with the process, this is implied. 221.It Fl n 222Only check syntax of the command strings, without actually passing 223them to the kernel. 224.It Fl N 225Try to resolve addresses and service names in output. 226.It Fl q 227While 228.Cm add Ns ing , 229.Cm zero Ns ing , 230.Cm resetlog Ns ging 231or 232.Cm flush Ns ing , 233be quiet about actions 234(implies 235.Fl f ) . 236This is useful for adjusting rules by executing multiple 237.Nm 238commands in a script 239(e.g., 240.Ql sh\ /etc/rc.firewall ) , 241or by processing a file of many 242.Nm 243rules across a remote login session. 244It also stops a table add or delete 245from failing if the entry already exists or is not present. 246If a 247.Cm flush 248is performed in normal (verbose) mode (with the default kernel 249configuration), it prints a message. 250Because all rules are flushed, the message might not be delivered 251to the login session, causing the remote login session to be closed 252and the remainder of the ruleset to not be processed. 253Access to the console would then be required to recover. 254.It Fl S 255While listing rules, show the 256.Em set 257each rule belongs to. 258If this flag is not specified, disabled rules will not be 259listed. 260.It Fl s Op Ar field 261While listing pipes, sort according to one of the four 262counters (total or current packets or bytes). 263.It Fl t 264While listing, show last match timestamp (converted with ctime()). 265.It Fl T 266While listing, show last match timestamp (as seconds from the epoch). 267This form can be more convenient for postprocessing by scripts. 268.El 269.Pp 270To ease configuration, rules can be put into a file which is 271processed using 272.Nm 273as shown in the last synopsis line. 274An absolute 275.Ar pathname 276must be used. 277The file will be read line by line and applied as arguments to the 278.Nm 279utility. 280.Pp 281Optionally, a preprocessor can be specified using 282.Fl p Ar preproc 283where 284.Ar pathname 285is to be piped through. 286Useful preprocessors include 287.Xr cpp 1 288and 289.Xr m4 1 . 290If 291.Ar preproc 292does not start with a slash 293.Pq Ql / 294as its first character, the usual 295.Ev PATH 296name search is performed. 297Care should be taken with this in environments where not all 298file systems are mounted (yet) by the time 299.Nm 300is being run (e.g.\& when they are mounted over NFS). 301Once 302.Fl p 303has been specified, any additional arguments as passed on to the preprocessor 304for interpretation. 305This allows for flexible configuration files (like conditionalizing 306them on the local hostname) and the use of macros to centralize 307frequently required arguments like IP addresses. 308.Pp 309The 310.Nm 311.Cm pipe 312and 313.Cm queue 314commands are used to configure the traffic shaper, as shown in the 315.Sx TRAFFIC SHAPER (DUMMYNET) CONFIGURATION 316Section below. 317.Pp 318If the world and the kernel get out of sync the 319.Nm 320ABI may break, preventing you from being able to add any rules. 321This can 322adversely effect the booting process. 323You can use 324.Nm 325.Cm disable 326.Cm firewall 327to temporarily disable the firewall to regain access to the network, 328allowing you to fix the problem. 329.Sh PACKET FLOW 330A packet is checked against the active ruleset in multiple places 331in the protocol stack, under control of several sysctl variables. 332These places and variables are shown below, and it is important to 333have this picture in mind in order to design a correct ruleset. 334.Bd -literal -offset indent 335 ^ to upper layers V 336 | | 337 +----------->-----------+ 338 ^ V 339 [ip(6)_input] [ip(6)_output] net.inet(6).ip(6).fw.enable=1 340 | | 341 ^ V 342 [ether_demux] [ether_output_frame] net.link.ether.ipfw=1 343 | | 344 +-->--[bdg_forward]-->--+ net.link.bridge.ipfw=1 345 ^ V 346 | to devices | 347.Ed 348.Pp 349As can be noted from the above picture, the number of 350times the same packet goes through the firewall can 351vary between 0 and 4 depending on packet source and 352destination, and system configuration. 353.Pp 354Note that as packets flow through the stack, headers can be 355stripped or added to it, and so they may or may not be available 356for inspection. 357E.g., incoming packets will include the MAC header when 358.Nm 359is invoked from 360.Cm ether_demux() , 361but the same packets will have the MAC header stripped off when 362.Nm 363is invoked from 364.Cm ip_input() 365or 366.Cm ip6_input() . 367.Pp 368Also note that each packet is always checked against the complete ruleset, 369irrespective of the place where the check occurs, or the source of the packet. 370If a rule contains some match patterns or actions which are not valid 371for the place of invocation (e.g.\& trying to match a MAC header within 372.Cm ip_input 373or 374.Cm ip6_input ), 375the match pattern will not match, but a 376.Cm not 377operator in front of such patterns 378.Em will 379cause the pattern to 380.Em always 381match on those packets. 382It is thus the responsibility of 383the programmer, if necessary, to write a suitable ruleset to 384differentiate among the possible places. 385.Cm skipto 386rules can be useful here, as an example: 387.Bd -literal -offset indent 388# packets from ether_demux or bdg_forward 389ipfw add 10 skipto 1000 all from any to any layer2 in 390# packets from ip_input 391ipfw add 10 skipto 2000 all from any to any not layer2 in 392# packets from ip_output 393ipfw add 10 skipto 3000 all from any to any not layer2 out 394# packets from ether_output_frame 395ipfw add 10 skipto 4000 all from any to any layer2 out 396.Ed 397.Pp 398(yes, at the moment there is no way to differentiate between 399ether_demux and bdg_forward). 400.Sh SYNTAX 401In general, each keyword or argument must be provided as 402a separate command line argument, with no leading or trailing 403spaces. 404Keywords are case-sensitive, whereas arguments may 405or may not be case-sensitive depending on their nature 406(e.g.\& uid's are, hostnames are not). 407.Pp 408In 409.Nm ipfw2 410you can introduce spaces after commas ',' to make 411the line more readable. 412You can also put the entire 413command (including flags) into a single argument. 414E.g., the following forms are equivalent: 415.Bd -literal -offset indent 416ipfw -q add deny src-ip 10.0.0.0/24,127.0.0.1/8 417ipfw -q add deny src-ip 10.0.0.0/24, 127.0.0.1/8 418ipfw "-q add deny src-ip 10.0.0.0/24, 127.0.0.1/8" 419.Ed 420.Sh RULE FORMAT 421The format of 422.Nm 423rules is the following: 424.Bd -ragged -offset indent 425.Bk -words 426.Op Ar rule_number 427.Op Cm set Ar set_number 428.Op Cm prob Ar match_probability 429.Ar action 430.Op Cm log Op Cm logamount Ar number 431.Op Cm altq Ar queue 432.Oo 433.Bro Cm tag | untag 434.Brc Ar number 435.Oc 436.Ar body 437.Ek 438.Ed 439.Pp 440where the body of the rule specifies which information is used 441for filtering packets, among the following: 442.Pp 443.Bl -tag -width "Source and dest. addresses and ports" -offset XXX -compact 444.It Layer-2 header fields 445When available 446.It IPv4 and IPv6 Protocol 447TCP, UDP, ICMP, etc. 448.It Source and dest. addresses and ports 449.It Direction 450See Section 451.Sx PACKET FLOW 452.It Transmit and receive interface 453By name or address 454.It Misc. IP header fields 455Version, type of service, datagram length, identification, 456fragment flag (non-zero IP offset), 457Time To Live 458.It IP options 459.It IPv6 Extension headers 460Fragmentation, Hop-by-Hop options, 461Routing Headers, Source routing rthdr0, Mobile IPv6 rthdr2, IPSec options. 462.It IPv6 Flow-ID 463.It Misc. TCP header fields 464TCP flags (SYN, FIN, ACK, RST, etc.), 465sequence number, acknowledgment number, 466window 467.It TCP options 468.It ICMP types 469for ICMP packets 470.It ICMP6 types 471for ICMP6 packets 472.It User/group ID 473When the packet can be associated with a local socket. 474.It Divert status 475Whether a packet came from a divert socket (e.g., 476.Xr natd 8 ) . 477.El 478.Pp 479Note that some of the above information, e.g.\& source MAC or IP addresses and 480TCP/UDP ports, could easily be spoofed, so filtering on those fields 481alone might not guarantee the desired results. 482.Bl -tag -width indent 483.It Ar rule_number 484Each rule is associated with a 485.Ar rule_number 486in the range 1..65535, with the latter reserved for the 487.Em default 488rule. 489Rules are checked sequentially by rule number. 490Multiple rules can have the same number, in which case they are 491checked (and listed) according to the order in which they have 492been added. 493If a rule is entered without specifying a number, the kernel will 494assign one in such a way that the rule becomes the last one 495before the 496.Em default 497rule. 498Automatic rule numbers are assigned by incrementing the last 499non-default rule number by the value of the sysctl variable 500.Ar net.inet.ip.fw.autoinc_step 501which defaults to 100. 502If this is not possible (e.g.\& because we would go beyond the 503maximum allowed rule number), the number of the last 504non-default value is used instead. 505.It Cm set Ar set_number 506Each rule is associated with a 507.Ar set_number 508in the range 0..31. 509Sets can be individually disabled and enabled, so this parameter 510is of fundamental importance for atomic ruleset manipulation. 511It can be also used to simplify deletion of groups of rules. 512If a rule is entered without specifying a set number, 513set 0 will be used. 514.br 515Set 31 is special in that it cannot be disabled, 516and rules in set 31 are not deleted by the 517.Nm ipfw flush 518command (but you can delete them with the 519.Nm ipfw delete set 31 520command). 521Set 31 is also used for the 522.Em default 523rule. 524.It Cm prob Ar match_probability 525A match is only declared with the specified probability 526(floating point number between 0 and 1). 527This can be useful for a number of applications such as 528random packet drop or 529(in conjunction with 530.Xr dummynet 4 ) 531to simulate the effect of multiple paths leading to out-of-order 532packet delivery. 533.Pp 534Note: this condition is checked before any other condition, including 535ones such as keep-state or check-state which might have side effects. 536.It Cm log Op Cm logamount Ar number 537When a packet matches a rule with the 538.Cm log 539keyword, a message will be 540logged to 541.Xr syslogd 8 542with a 543.Dv LOG_SECURITY 544facility. 545The logging only occurs if the sysctl variable 546.Em net.inet.ip.fw.verbose 547is set to 1 548(which is the default when the kernel is compiled with 549.Dv IPFIREWALL_VERBOSE ) 550and the number of packets logged so far for that 551particular rule does not exceed the 552.Cm logamount 553parameter. 554If no 555.Cm logamount 556is specified, the limit is taken from the sysctl variable 557.Em net.inet.ip.fw.verbose_limit . 558In both cases, a value of 0 removes the logging limit. 559.Pp 560Once the limit is reached, logging can be re-enabled by 561clearing the logging counter or the packet counter for that entry, see the 562.Cm resetlog 563command. 564.Pp 565Note: logging is done after all other packet matching conditions 566have been successfully verified, and before performing the final 567action (accept, deny, etc.) on the packet. 568.It Cm tag Ar number 569When a packet matches a rule with the 570.Cm tag 571keyword, the numeric tag for the given 572.Ar number 573in the range 1..65534 will be attached to the packet. 574The tag acts as an internal marker (it is not sent out over 575the wire) that can be used to identify these packets later on. 576This can be used, for example, to provide trust between interfaces 577and to start doing policy-based filtering. 578A packet can have mutiple tags at the same time. 579Tags are "sticky", meaning once a tag is applied to a packet by a 580matching rule it exists until explicit removal. 581Tags are kept with the packet everywhere within the kernel, but are 582lost when packet leaves the kernel, for example, on transmitting 583packet out to the network or sending packet to a 584.Xr divert 4 585socket. 586.Pp 587To check for previously applied tags, use the 588.Cm tagged 589rule option. 590To delete previously applied tag, use the 591.Cm untag 592keyword. 593.Pp 594Note: since tags are kept with the packet everywhere in kernelspace, 595they can be set and unset anywhere in kernel network subsystem 596(using 597.Xr mbuf_tags 9 598facility), not only by means of 599.Xr ipfw 4 600.Cm tag 601and 602.Cm untag 603keywords. 604For example, there can be a specialized 605.Xr netgraph 4 606node doing traffic analyzing and tagging for later inspecting 607in firewall. 608.It Cm untag Ar number 609When a packet matches a rule with the 610.Cm untag 611keyword, the tag with the number 612.Ar number 613is searched among the tags attached to this packet and, 614if found, removed from it. 615Other tags bound to packet, if present, are left untouched. 616.It Cm altq Ar queue 617When a packet matches a rule with the 618.Cm altq 619keyword, the ALTQ identifier for the given 620.Ar queue 621(see 622.Xr altq 4 ) 623will be attached. 624Note that this ALTQ tag is only meaningful for packets going "out" of IPFW, 625and not being rejected or going to divert sockets. 626Note that if there is insufficient memory at the time the packet is 627processed, it will not be tagged, so it is wise to make your ALTQ 628"default" queue policy account for this. 629If multiple 630.Cm altq 631rules match a single packet, only the first one adds the ALTQ classification 632tag. 633In doing so, traffic may be shaped by using 634.Cm count Cm altq Ar queue 635rules for classification early in the ruleset, then later applying 636the filtering decision. 637For example, 638.Cm check-state 639and 640.Cm keep-state 641rules may come later and provide the actual filtering decisions in 642addition to the fallback ALTQ tag. 643.Pp 644You must run 645.Xr pfctl 8 646to set up the queues before IPFW will be able to look them up by name, 647and if the ALTQ disciplines are rearranged, the rules in containing the 648queue identifiers in the kernel will likely have gone stale and need 649to be reloaded. 650Stale queue identifiers will probably result in misclassification. 651.Pp 652All system ALTQ processing can be turned on or off via 653.Nm 654.Cm enable Ar altq 655and 656.Nm 657.Cm disable Ar altq . 658The usage of 659.Em net.inet.ip.fw.one_pass 660is irrelevant to ALTQ traffic shaping, as the actual rule action is followed 661always after adding an ALTQ tag. 662.El 663.Ss RULE ACTIONS 664A rule can be associated with one of the following actions, which 665will be executed when the packet matches the body of the rule. 666.Bl -tag -width indent 667.It Cm allow | accept | pass | permit 668Allow packets that match rule. 669The search terminates. 670.It Cm check-state 671Checks the packet against the dynamic ruleset. 672If a match is found, execute the action associated with 673the rule which generated this dynamic rule, otherwise 674move to the next rule. 675.br 676.Cm Check-state 677rules do not have a body. 678If no 679.Cm check-state 680rule is found, the dynamic ruleset is checked at the first 681.Cm keep-state 682or 683.Cm limit 684rule. 685.It Cm count 686Update counters for all packets that match rule. 687The search continues with the next rule. 688.It Cm deny | drop 689Discard packets that match this rule. 690The search terminates. 691.It Cm divert Ar port 692Divert packets that match this rule to the 693.Xr divert 4 694socket bound to port 695.Ar port . 696The search terminates. 697.It Cm fwd | forward Ar ipaddr | tablearg Ns Op , Ns Ar port 698Change the next-hop on matching packets to 699.Ar ipaddr , 700which can be an IP address or a host name. 701The next hop can also be supplied by the last table 702looked up for the packet by using the 703.Cm tablearg 704keyword instead of an explicit address. 705The search terminates if this rule matches. 706.Pp 707If 708.Ar ipaddr 709is a local address, then matching packets will be forwarded to 710.Ar port 711(or the port number in the packet if one is not specified in the rule) 712on the local machine. 713.br 714If 715.Ar ipaddr 716is not a local address, then the port number 717(if specified) is ignored, and the packet will be 718forwarded to the remote address, using the route as found in 719the local routing table for that IP. 720.br 721A 722.Ar fwd 723rule will not match layer-2 packets (those received 724on ether_input, ether_output, or bridged). 725.br 726The 727.Cm fwd 728action does not change the contents of the packet at all. 729In particular, the destination address remains unmodified, so 730packets forwarded to another system will usually be rejected by that system 731unless there is a matching rule on that system to capture them. 732For packets forwarded locally, 733the local address of the socket will be 734set to the original destination address of the packet. 735This makes the 736.Xr netstat 1 737entry look rather weird but is intended for 738use with transparent proxy servers. 739.Pp 740To enable 741.Cm fwd 742a custom kernel needs to be compiled with the option 743.Cd "options IPFIREWALL_FORWARD" . 744.It Cm nat Ar nat_nr 745Pass packet to a 746nat instance 747(for network address translation, address redirect, etc.): 748see the 749.Sx NETWORK ADDRESS TRANSLATION (NAT) 750Section for further information. 751.It Cm pipe Ar pipe_nr 752Pass packet to a 753.Xr dummynet 4 754.Dq pipe 755(for bandwidth limitation, delay, etc.). 756See the 757.Sx TRAFFIC SHAPER (DUMMYNET) CONFIGURATION 758Section for further information. 759The search terminates; however, on exit from the pipe and if 760the 761.Xr sysctl 8 762variable 763.Em net.inet.ip.fw.one_pass 764is not set, the packet is passed again to the firewall code 765starting from the next rule. 766.It Cm queue Ar queue_nr 767Pass packet to a 768.Xr dummynet 4 769.Dq queue 770(for bandwidth limitation using WF2Q+). 771.It Cm reject 772(Deprecated). 773Synonym for 774.Cm unreach host . 775.It Cm reset 776Discard packets that match this rule, and if the 777packet is a TCP packet, try to send a TCP reset (RST) notice. 778The search terminates. 779.It Cm reset6 780Discard packets that match this rule, and if the 781packet is a TCP packet, try to send a TCP reset (RST) notice. 782The search terminates. 783.It Cm skipto Ar number 784Skip all subsequent rules numbered less than 785.Ar number . 786The search continues with the first rule numbered 787.Ar number 788or higher. 789.It Cm tee Ar port 790Send a copy of packets matching this rule to the 791.Xr divert 4 792socket bound to port 793.Ar port . 794The search continues with the next rule. 795.It Cm unreach Ar code 796Discard packets that match this rule, and try to send an ICMP 797unreachable notice with code 798.Ar code , 799where 800.Ar code 801is a number from 0 to 255, or one of these aliases: 802.Cm net , host , protocol , port , 803.Cm needfrag , srcfail , net-unknown , host-unknown , 804.Cm isolated , net-prohib , host-prohib , tosnet , 805.Cm toshost , filter-prohib , host-precedence 806or 807.Cm precedence-cutoff . 808The search terminates. 809.It Cm unreach6 Ar code 810Discard packets that match this rule, and try to send an ICMPv6 811unreachable notice with code 812.Ar code , 813where 814.Ar code 815is a number from 0, 1, 3 or 4, or one of these aliases: 816.Cm no-route, admin-prohib, address 817or 818.Cm port . 819The search terminates. 820.It Cm netgraph Ar cookie 821Divert packet into netgraph with given 822.Ar cookie . 823The search terminates. 824If packet is later returned from netgraph it is either 825accepted or continues with the next rule, depending on 826.Em net.inet.ip.fw.one_pass 827sysctl variable. 828.It Cm ngtee Ar cookie 829A copy of packet is diverted into netgraph, original 830packet is either accepted or continues with the next rule, depending on 831.Em net.inet.ip.fw.one_pass 832sysctl variable. 833See 834.Xr ng_ipfw 4 835for more information on 836.Cm netgraph 837and 838.Cm ngtee 839actions. 840.El 841.Ss RULE BODY 842The body of a rule contains zero or more patterns (such as 843specific source and destination addresses or ports, 844protocol options, incoming or outgoing interfaces, etc.) 845that the packet must match in order to be recognised. 846In general, the patterns are connected by (implicit) 847.Cm and 848operators -- i.e., all must match in order for the 849rule to match. 850Individual patterns can be prefixed by the 851.Cm not 852operator to reverse the result of the match, as in 853.Pp 854.Dl "ipfw add 100 allow ip from not 1.2.3.4 to any" 855.Pp 856Additionally, sets of alternative match patterns 857.Pq Em or-blocks 858can be constructed by putting the patterns in 859lists enclosed between parentheses ( ) or braces { }, and 860using the 861.Cm or 862operator as follows: 863.Pp 864.Dl "ipfw add 100 allow ip from { x or not y or z } to any" 865.Pp 866Only one level of parentheses is allowed. 867Beware that most shells have special meanings for parentheses 868or braces, so it is advisable to put a backslash \\ in front of them 869to prevent such interpretations. 870.Pp 871The body of a rule must in general include a source and destination 872address specifier. 873The keyword 874.Ar any 875can be used in various places to specify that the content of 876a required field is irrelevant. 877.Pp 878The rule body has the following format: 879.Bd -ragged -offset indent 880.Op Ar proto Cm from Ar src Cm to Ar dst 881.Op Ar options 882.Ed 883.Pp 884The first part (proto from src to dst) is for backward 885compatibility with earlier versions of 886.Fx . 887In modern 888.Fx 889any match pattern (including MAC headers, IP protocols, 890addresses and ports) can be specified in the 891.Ar options 892section. 893.Pp 894Rule fields have the following meaning: 895.Bl -tag -width indent 896.It Ar proto : protocol | Cm { Ar protocol Cm or ... } 897.It Ar protocol : Oo Cm not Oc Ar protocol-name | protocol-number 898An IP protocol specified by number or name 899(for a complete list see 900.Pa /etc/protocols ) , 901or one of the following keywords: 902.Bl -tag -width indent 903.It Cm ip4 | ipv4 904Matches IPv4 packets. 905.It Cm ip6 | ipv6 906Matches IPv6 packets. 907.It Cm ip | all 908Matches any packet. 909.El 910.Pp 911The 912.Cm ipv6 913in 914.Cm proto 915option will be treated as inner protocol. 916And, the 917.Cm ipv4 918is not available in 919.Cm proto 920option. 921.Pp 922The 923.Cm { Ar protocol Cm or ... } 924format (an 925.Em or-block ) 926is provided for convenience only but its use is deprecated. 927.It Ar src No and Ar dst : Bro Cm addr | Cm { Ar addr Cm or ... } Brc Op Oo Cm not Oc Ar ports 928An address (or a list, see below) 929optionally followed by 930.Ar ports 931specifiers. 932.Pp 933The second format 934.Em ( or-block 935with multiple addresses) is provided for convenience only and 936its use is discouraged. 937.It Ar addr : Oo Cm not Oc Bro 938.Cm any | me | me6 | 939.Cm table Ns Pq Ar number Ns Op , Ns Ar value 940.Ar | addr-list | addr-set 941.Brc 942.It Cm any 943matches any IP address. 944.It Cm me 945matches any IP address configured on an interface in the system. 946.It Cm me6 947matches any IPv6 address configured on an interface in the system. 948The address list is evaluated at the time the packet is 949analysed. 950.It Cm table Ns Pq Ar number Ns Op , Ns Ar value 951Matches any IPv4 address for which an entry exists in the lookup table 952.Ar number . 953If an optional 32-bit unsigned 954.Ar value 955is also specified, an entry will match only if it has this value. 956See the 957.Sx LOOKUP TABLES 958section below for more information on lookup tables. 959.It Ar addr-list : ip-addr Ns Op Ns , Ns Ar addr-list 960.It Ar ip-addr : 961A host or subnet address specified in one of the following ways: 962.Bl -tag -width indent 963.It Ar numeric-ip | hostname 964Matches a single IPv4 address, specified as dotted-quad or a hostname. 965Hostnames are resolved at the time the rule is added to the firewall list. 966.It Ar addr Ns / Ns Ar masklen 967Matches all addresses with base 968.Ar addr 969(specified as an IP address, a network number, or a hostname) 970and mask width of 971.Cm masklen 972bits. 973As an example, 1.2.3.4/25 or 1.2.3.0/25 will match 974all IP numbers from 1.2.3.0 to 1.2.3.127 . 975.It Ar addr Ns : Ns Ar mask 976Matches all addresses with base 977.Ar addr 978(specified as an IP address, a network number, or a hostname) 979and the mask of 980.Ar mask , 981specified as a dotted quad. 982As an example, 1.2.3.4:255.0.255.0 or 1.0.3.0:255.0.255.0 will match 9831.*.3.*. 984This form is advised only for non-contiguous 985masks. 986It is better to resort to the 987.Ar addr Ns / Ns Ar masklen 988format for contiguous masks, which is more compact and less 989error-prone. 990.El 991.It Ar addr-set : addr Ns Oo Ns / Ns Ar masklen Oc Ns Cm { Ns Ar list Ns Cm } 992.It Ar list : Bro Ar num | num-num Brc Ns Op Ns , Ns Ar list 993Matches all addresses with base address 994.Ar addr 995(specified as an IP address, a network number, or a hostname) 996and whose last byte is in the list between braces { } . 997Note that there must be no spaces between braces and 998numbers (spaces after commas are allowed). 999Elements of the list can be specified as single entries 1000or ranges. 1001The 1002.Ar masklen 1003field is used to limit the size of the set of addresses, 1004and can have any value between 24 and 32. 1005If not specified, 1006it will be assumed as 24. 1007.br 1008This format is particularly useful to handle sparse address sets 1009within a single rule. 1010Because the matching occurs using a 1011bitmask, it takes constant time and dramatically reduces 1012the complexity of rulesets. 1013.br 1014As an example, an address specified as 1.2.3.4/24{128,35-55,89} 1015or 1.2.3.0/24{128,35-55,89} 1016will match the following IP addresses: 1017.br 10181.2.3.128, 1.2.3.35 to 1.2.3.55, 1.2.3.89 . 1019.It Ar addr6-list : ip6-addr Ns Op Ns , Ns Ar addr6-list 1020.It Ar ip6-addr : 1021A host or subnet specified one of the following ways: 1022.Pp 1023.Bl -tag -width indent 1024.It Ar numeric-ip | hostname 1025Matches a single IPv6 address as allowed by 1026.Xr inet_pton 3 1027or a hostname. 1028Hostnames are resolved at the time the rule is added to the firewall 1029list. 1030.It Ar addr Ns / Ns Ar masklen 1031Matches all IPv6 addresses with base 1032.Ar addr 1033(specified as allowed by 1034.Xr inet_pton 1035or a hostname) 1036and mask width of 1037.Cm masklen 1038bits. 1039.El 1040.Pp 1041No support for sets of IPv6 addresses is provided because IPv6 addresses 1042are typically random past the initial prefix. 1043.It Ar ports : Bro Ar port | port Ns \&- Ns Ar port Ns Brc Ns Op , Ns Ar ports 1044For protocols which support port numbers (such as TCP and UDP), optional 1045.Cm ports 1046may be specified as one or more ports or port ranges, separated 1047by commas but no spaces, and an optional 1048.Cm not 1049operator. 1050The 1051.Ql \&- 1052notation specifies a range of ports (including boundaries). 1053.Pp 1054Service names (from 1055.Pa /etc/services ) 1056may be used instead of numeric port values. 1057The length of the port list is limited to 30 ports or ranges, 1058though one can specify larger ranges by using an 1059.Em or-block 1060in the 1061.Cm options 1062section of the rule. 1063.Pp 1064A backslash 1065.Pq Ql \e 1066can be used to escape the dash 1067.Pq Ql - 1068character in a service name (from a shell, the backslash must be 1069typed twice to avoid the shell itself interpreting it as an escape 1070character). 1071.Pp 1072.Dl "ipfw add count tcp from any ftp\e\e-data-ftp to any" 1073.Pp 1074Fragmented packets which have a non-zero offset (i.e., not the first 1075fragment) will never match a rule which has one or more port 1076specifications. 1077See the 1078.Cm frag 1079option for details on matching fragmented packets. 1080.El 1081.Ss RULE OPTIONS (MATCH PATTERNS) 1082Additional match patterns can be used within 1083rules. 1084Zero or more of these so-called 1085.Em options 1086can be present in a rule, optionally prefixed by the 1087.Cm not 1088operand, and possibly grouped into 1089.Em or-blocks . 1090.Pp 1091The following match patterns can be used (listed in alphabetical order): 1092.Bl -tag -width indent 1093.It Cm // this is a comment. 1094Inserts the specified text as a comment in the rule. 1095Everything following // is considered as a comment and stored in the rule. 1096You can have comment-only rules, which are listed as having a 1097.Cm count 1098action followed by the comment. 1099.It Cm bridged 1100Alias for 1101.Cm layer2 . 1102.It Cm diverted 1103Matches only packets generated by a divert socket. 1104.It Cm diverted-loopback 1105Matches only packets coming from a divert socket back into the IP stack 1106input for delivery. 1107.It Cm diverted-output 1108Matches only packets going from a divert socket back outward to the IP 1109stack output for delivery. 1110.It Cm dst-ip Ar ip-address 1111Matches IPv4 packets whose destination IP is one of the address(es) 1112specified as argument. 1113.It Bro Cm dst-ip6 | dst-ipv6 Brc Ar ip6-address 1114Matches IPv6 packets whose destination IP is one of the address(es) 1115specified as argument. 1116.It Cm dst-port Ar ports 1117Matches IP packets whose destination port is one of the port(s) 1118specified as argument. 1119.It Cm established 1120Matches TCP packets that have the RST or ACK bits set. 1121.It Cm ext6hdr Ar header 1122Matches IPv6 packets containing the extended header given by 1123.Ar header . 1124Supported headers are: 1125.Pp 1126Fragment, 1127.Pq Cm frag , 1128Hop-to-hop options 1129.Pq Cm hopopt , 1130any type of Routing Header 1131.Pq Cm route , 1132Source routing Routing Header Type 0 1133.Pq Cm rthdr0 , 1134Mobile IPv6 Routing Header Type 2 1135.Pq Cm rthdr2 , 1136Destination options 1137.Pq Cm dstopt , 1138IPSec authentication headers 1139.Pq Cm ah , 1140and IPSec encapsulated security payload headers 1141.Pq Cm esp . 1142.It Cm flow-id Ar labels 1143Matches IPv6 packets containing any of the flow labels given in 1144.Ar labels . 1145.Ar labels 1146is a comma seperate list of numeric flow labels. 1147.It Cm frag 1148Matches packets that are fragments and not the first 1149fragment of an IP datagram. 1150Note that these packets will not have 1151the next protocol header (e.g.\& TCP, UDP) so options that look into 1152these headers cannot match. 1153.It Cm gid Ar group 1154Matches all TCP or UDP packets sent by or received for a 1155.Ar group . 1156A 1157.Ar group 1158may be specified by name or number. 1159This option should be used only if debug.mpsafenet=0 to avoid possible 1160deadlocks due to layering violations in its implementation. 1161.It Cm jail Ar prisonID 1162Matches all TCP or UDP packets sent by or received for the 1163jail whos prison ID is 1164.Ar prisonID . 1165This option should be used only if debug.mpsafenet=0 to avoid possible 1166deadlocks due to layering violations in its implementation. 1167.It Cm icmptypes Ar types 1168Matches ICMP packets whose ICMP type is in the list 1169.Ar types . 1170The list may be specified as any combination of 1171individual types (numeric) separated by commas. 1172.Em Ranges are not allowed. 1173The supported ICMP types are: 1174.Pp 1175echo reply 1176.Pq Cm 0 , 1177destination unreachable 1178.Pq Cm 3 , 1179source quench 1180.Pq Cm 4 , 1181redirect 1182.Pq Cm 5 , 1183echo request 1184.Pq Cm 8 , 1185router advertisement 1186.Pq Cm 9 , 1187router solicitation 1188.Pq Cm 10 , 1189time-to-live exceeded 1190.Pq Cm 11 , 1191IP header bad 1192.Pq Cm 12 , 1193timestamp request 1194.Pq Cm 13 , 1195timestamp reply 1196.Pq Cm 14 , 1197information request 1198.Pq Cm 15 , 1199information reply 1200.Pq Cm 16 , 1201address mask request 1202.Pq Cm 17 1203and address mask reply 1204.Pq Cm 18 . 1205.It Cm icmp6types Ar types 1206Matches ICMP6 packets whose ICMP6 type is in the list of 1207.Ar types . 1208The list may be specified as any combination of 1209individual types (numeric) separated by commas. 1210.Em Ranges are not allowed. 1211.It Cm in | out 1212Matches incoming or outgoing packets, respectively. 1213.Cm in 1214and 1215.Cm out 1216are mutually exclusive (in fact, 1217.Cm out 1218is implemented as 1219.Cm not in Ns No ). 1220.It Cm ipid Ar id-list 1221Matches IPv4 packets whose 1222.Cm ip_id 1223field has value included in 1224.Ar id-list , 1225which is either a single value or a list of values or ranges 1226specified in the same way as 1227.Ar ports . 1228.It Cm iplen Ar len-list 1229Matches IP packets whose total length, including header and data, is 1230in the set 1231.Ar len-list , 1232which is either a single value or a list of values or ranges 1233specified in the same way as 1234.Ar ports . 1235.It Cm ipoptions Ar spec 1236Matches packets whose IPv4 header contains the comma separated list of 1237options specified in 1238.Ar spec . 1239The supported IP options are: 1240.Pp 1241.Cm ssrr 1242(strict source route), 1243.Cm lsrr 1244(loose source route), 1245.Cm rr 1246(record packet route) and 1247.Cm ts 1248(timestamp). 1249The absence of a particular option may be denoted 1250with a 1251.Ql \&! . 1252.It Cm ipprecedence Ar precedence 1253Matches IPv4 packets whose precedence field is equal to 1254.Ar precedence . 1255.It Cm ipsec 1256Matches packets that have IPSEC history associated with them 1257(i.e., the packet comes encapsulated in IPSEC, the kernel 1258has IPSEC support and IPSEC_FILTERGIF option, and can correctly 1259decapsulate it). 1260.Pp 1261Note that specifying 1262.Cm ipsec 1263is different from specifying 1264.Cm proto Ar ipsec 1265as the latter will only look at the specific IP protocol field, 1266irrespective of IPSEC kernel support and the validity of the IPSEC data. 1267.Pp 1268Further note that this flag is silently ignored in kernels without 1269IPSEC support. 1270It does not affect rule processing when given and the 1271rules are handled as if with no 1272.Cm ipsec 1273flag. 1274.It Cm iptos Ar spec 1275Matches IPv4 packets whose 1276.Cm tos 1277field contains the comma separated list of 1278service types specified in 1279.Ar spec . 1280The supported IP types of service are: 1281.Pp 1282.Cm lowdelay 1283.Pq Dv IPTOS_LOWDELAY , 1284.Cm throughput 1285.Pq Dv IPTOS_THROUGHPUT , 1286.Cm reliability 1287.Pq Dv IPTOS_RELIABILITY , 1288.Cm mincost 1289.Pq Dv IPTOS_MINCOST , 1290.Cm congestion 1291.Pq Dv IPTOS_CE . 1292The absence of a particular type may be denoted 1293with a 1294.Ql \&! . 1295.It Cm ipttl Ar ttl-list 1296Matches IPv4 packets whose time to live is included in 1297.Ar ttl-list , 1298which is either a single value or a list of values or ranges 1299specified in the same way as 1300.Ar ports . 1301.It Cm ipversion Ar ver 1302Matches IP packets whose IP version field is 1303.Ar ver . 1304.It Cm keep-state 1305Upon a match, the firewall will create a dynamic rule, whose 1306default behaviour is to match bidirectional traffic between 1307source and destination IP/port using the same protocol. 1308The rule has a limited lifetime (controlled by a set of 1309.Xr sysctl 8 1310variables), and the lifetime is refreshed every time a matching 1311packet is found. 1312.It Cm layer2 1313Matches only layer2 packets, i.e., those passed to 1314.Nm 1315from ether_demux() and ether_output_frame(). 1316.It Cm limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N 1317The firewall will only allow 1318.Ar N 1319connections with the same 1320set of parameters as specified in the rule. 1321One or more 1322of source and destination addresses and ports can be 1323specified. 1324Currently, 1325only IPv4 flows are supported. 1326.It Cm { MAC | mac } Ar dst-mac src-mac 1327Match packets with a given 1328.Ar dst-mac 1329and 1330.Ar src-mac 1331addresses, specified as the 1332.Cm any 1333keyword (matching any MAC address), or six groups of hex digits 1334separated by colons, 1335and optionally followed by a mask indicating the significant bits. 1336The mask may be specified using either of the following methods: 1337.Bl -enum -width indent 1338.It 1339A slash 1340.Pq / 1341followed by the number of significant bits. 1342For example, an address with 33 significant bits could be specified as: 1343.Pp 1344.Dl "MAC 10:20:30:40:50:60/33 any" 1345.Pp 1346.It 1347An ampersand 1348.Pq & 1349followed by a bitmask specified as six groups of hex digits separated 1350by colons. 1351For example, an address in which the last 16 bits are significant could 1352be specified as: 1353.Pp 1354.Dl "MAC 10:20:30:40:50:60&00:00:00:00:ff:ff any" 1355.Pp 1356Note that the ampersand character has a special meaning in many shells 1357and should generally be escaped. 1358.Pp 1359.El 1360Note that the order of MAC addresses (destination first, 1361source second) is 1362the same as on the wire, but the opposite of the one used for 1363IP addresses. 1364.It Cm mac-type Ar mac-type 1365Matches packets whose Ethernet Type field 1366corresponds to one of those specified as argument. 1367.Ar mac-type 1368is specified in the same way as 1369.Cm port numbers 1370(i.e., one or more comma-separated single values or ranges). 1371You can use symbolic names for known values such as 1372.Em vlan , ipv4, ipv6 . 1373Values can be entered as decimal or hexadecimal (if prefixed by 0x), 1374and they are always printed as hexadecimal (unless the 1375.Cm -N 1376option is used, in which case symbolic resolution will be attempted). 1377.It Cm proto Ar protocol 1378Matches packets with the corresponding IP protocol. 1379.It Cm recv | xmit | via Brq Ar ifX | Ar if Ns Cm * | Ar ipno | Ar any 1380Matches packets received, transmitted or going through, 1381respectively, the interface specified by exact name 1382.Ns No ( Ar ifX Ns No ), 1383by device name 1384.Ns No ( Ar if Ns Ar * Ns No ), 1385by IP address, or through some interface. 1386.Pp 1387The 1388.Cm via 1389keyword causes the interface to always be checked. 1390If 1391.Cm recv 1392or 1393.Cm xmit 1394is used instead of 1395.Cm via , 1396then only the receive or transmit interface (respectively) 1397is checked. 1398By specifying both, it is possible to match packets based on 1399both receive and transmit interface, e.g.: 1400.Pp 1401.Dl "ipfw add deny ip from any to any out recv ed0 xmit ed1" 1402.Pp 1403The 1404.Cm recv 1405interface can be tested on either incoming or outgoing packets, 1406while the 1407.Cm xmit 1408interface can only be tested on outgoing packets. 1409So 1410.Cm out 1411is required (and 1412.Cm in 1413is invalid) whenever 1414.Cm xmit 1415is used. 1416.Pp 1417A packet may not have a receive or transmit interface: packets 1418originating from the local host have no receive interface, 1419while packets destined for the local host have no transmit 1420interface. 1421.It Cm setup 1422Matches TCP packets that have the SYN bit set but no ACK bit. 1423This is the short form of 1424.Dq Li tcpflags\ syn,!ack . 1425.It Cm src-ip Ar ip-address 1426Matches IPv4 packets whose source IP is one of the address(es) 1427specified as an argument. 1428.It Cm src-ip6 Ar ip6-address 1429Matches IPv6 packets whose source IP is one of the address(es) 1430specified as an argument. 1431.It Cm src-port Ar ports 1432Matches IP packets whose source port is one of the port(s) 1433specified as argument. 1434.It Cm tagged Ar tag-list 1435Matches packets whose tags are included in 1436.Ar tag-list , 1437which is either a single value or a list of values or ranges 1438specified in the same way as 1439.Ar ports . 1440Tags can be applied to the packet using 1441.Cm tag 1442rule action parameter (see it's description for details on tags). 1443.It Cm tcpack Ar ack 1444TCP packets only. 1445Match if the TCP header acknowledgment number field is set to 1446.Ar ack . 1447.It Cm tcpdatalen Ar tcpdatalen-list 1448Matches TCP packets whose length of TCP data is 1449.Ar tcpdatalen-list , 1450which is either a single value or a list of values or ranges 1451specified in the same way as 1452.Ar ports . 1453.It Cm tcpflags Ar spec 1454TCP packets only. 1455Match if the TCP header contains the comma separated list of 1456flags specified in 1457.Ar spec . 1458The supported TCP flags are: 1459.Pp 1460.Cm fin , 1461.Cm syn , 1462.Cm rst , 1463.Cm psh , 1464.Cm ack 1465and 1466.Cm urg . 1467The absence of a particular flag may be denoted 1468with a 1469.Ql \&! . 1470A rule which contains a 1471.Cm tcpflags 1472specification can never match a fragmented packet which has 1473a non-zero offset. 1474See the 1475.Cm frag 1476option for details on matching fragmented packets. 1477.It Cm tcpseq Ar seq 1478TCP packets only. 1479Match if the TCP header sequence number field is set to 1480.Ar seq . 1481.It Cm tcpwin Ar win 1482TCP packets only. 1483Match if the TCP header window field is set to 1484.Ar win . 1485.It Cm tcpoptions Ar spec 1486TCP packets only. 1487Match if the TCP header contains the comma separated list of 1488options specified in 1489.Ar spec . 1490The supported TCP options are: 1491.Pp 1492.Cm mss 1493(maximum segment size), 1494.Cm window 1495(tcp window advertisement), 1496.Cm sack 1497(selective ack), 1498.Cm ts 1499(rfc1323 timestamp) and 1500.Cm cc 1501(rfc1644 t/tcp connection count). 1502The absence of a particular option may be denoted 1503with a 1504.Ql \&! . 1505.It Cm uid Ar user 1506Match all TCP or UDP packets sent by or received for a 1507.Ar user . 1508A 1509.Ar user 1510may be matched by name or identification number. 1511This option should be used only if debug.mpsafenet=0 to avoid possible 1512deadlocks due to layering violations in its implementation. 1513.It Cm verrevpath 1514For incoming packets, 1515a routing table lookup is done on the packet's source address. 1516If the interface on which the packet entered the system matches the 1517outgoing interface for the route, 1518the packet matches. 1519If the interfaces do not match up, 1520the packet does not match. 1521All outgoing packets or packets with no incoming interface match. 1522.Pp 1523The name and functionality of the option is intentionally similar to 1524the Cisco IOS command: 1525.Pp 1526.Dl ip verify unicast reverse-path 1527.Pp 1528This option can be used to make anti-spoofing rules to reject all 1529packets with source addresses not from this interface. 1530See also the option 1531.Cm antispoof . 1532.It Cm versrcreach 1533For incoming packets, 1534a routing table lookup is done on the packet's source address. 1535If a route to the source address exists, but not the default route 1536or a blackhole/reject route, the packet matches. 1537Otherwise, the packet does not match. 1538All outgoing packets match. 1539.Pp 1540The name and functionality of the option is intentionally similar to 1541the Cisco IOS command: 1542.Pp 1543.Dl ip verify unicast source reachable-via any 1544.Pp 1545This option can be used to make anti-spoofing rules to reject all 1546packets whose source address is unreachable. 1547.It Cm antispoof 1548For incoming packets, the packet's source address is checked if it 1549belongs to a directly connected network. 1550If the network is directly connected, then the interface the packet 1551came on in is compared to the interface the network is connected to. 1552When incoming interface and directly connected interface are not the 1553same, the packet does not match. 1554Otherwise, the packet does match. 1555All outgoing packets match. 1556.Pp 1557This option can be used to make anti-spoofing rules to reject all 1558packets that pretend to be from a directly connected network but do 1559not come in through that interface. 1560This option is similar to but more restricted than 1561.Cm verrevpath 1562because it engages only on packets with source addresses of directly 1563connected networks instead of all source addresses. 1564.El 1565.Sh LOOKUP TABLES 1566Lookup tables are useful to handle large sparse address sets, 1567typically from a hundred to several thousands of entries. 1568There may be up to 128 different lookup tables, numbered 0 to 127. 1569.Pp 1570Each entry is represented by an 1571.Ar addr Ns Op / Ns Ar masklen 1572and will match all addresses with base 1573.Ar addr 1574(specified as an IP address or a hostname) 1575and mask width of 1576.Ar masklen 1577bits. 1578If 1579.Ar masklen 1580is not specified, it defaults to 32. 1581When looking up an IP address in a table, the most specific 1582entry will match. 1583Associated with each entry is a 32-bit unsigned 1584.Ar value , 1585which can optionally be checked by a rule matching code. 1586When adding an entry, if 1587.Ar value 1588is not specified, it defaults to 0. 1589.Pp 1590An entry can be added to a table 1591.Pq Cm add , 1592removed from a table 1593.Pq Cm delete , 1594a table can be examined 1595.Pq Cm list 1596or flushed 1597.Pq Cm flush . 1598.Pp 1599Internally, each table is stored in a Radix tree, the same way as 1600the routing table (see 1601.Xr route 4 ) . 1602.Pp 1603Lookup tables currently support IPv4 addresses only. 1604.Pp 1605The 1606.Cm tablearg 1607feature provides the ability to use a value, looked up in the table, as 1608the argument for a rule action, action parameter or rule option. 1609This can significantly reduce number of rules in some configurations. 1610The 1611.Cm tablearg 1612argument can be used with the following actions: 1613.Cm pipe , queue, divert, tee, netgraph, ngtee, fwd 1614action parameters: 1615.Cm tag, untag, 1616rule options: 1617.Cm limit, tagged. 1618.Pp 1619When used with 1620.Cm fwd 1621it is possible to supply table entries with values 1622that are in the form of IP addresses or hostnames. 1623See the 1624.Sx EXAMPLES 1625Section for example usage of tables and the tablearg keyword. 1626.Sh SETS OF RULES 1627Each rule belongs to one of 32 different 1628.Em sets 1629, numbered 0 to 31. 1630Set 31 is reserved for the default rule. 1631.Pp 1632By default, rules are put in set 0, unless you use the 1633.Cm set N 1634attribute when entering a new rule. 1635Sets can be individually and atomically enabled or disabled, 1636so this mechanism permits an easy way to store multiple configurations 1637of the firewall and quickly (and atomically) switch between them. 1638The command to enable/disable sets is 1639.Bd -ragged -offset indent 1640.Nm 1641.Cm set Oo Cm disable Ar number ... Oc Op Cm enable Ar number ... 1642.Ed 1643.Pp 1644where multiple 1645.Cm enable 1646or 1647.Cm disable 1648sections can be specified. 1649Command execution is atomic on all the sets specified in the command. 1650By default, all sets are enabled. 1651.Pp 1652When you disable a set, its rules behave as if they do not exist 1653in the firewall configuration, with only one exception: 1654.Bd -ragged -offset indent 1655dynamic rules created from a rule before it had been disabled 1656will still be active until they expire. 1657In order to delete 1658dynamic rules you have to explicitly delete the parent rule 1659which generated them. 1660.Ed 1661.Pp 1662The set number of rules can be changed with the command 1663.Bd -ragged -offset indent 1664.Nm 1665.Cm set move 1666.Brq Cm rule Ar rule-number | old-set 1667.Cm to Ar new-set 1668.Ed 1669.Pp 1670Also, you can atomically swap two rulesets with the command 1671.Bd -ragged -offset indent 1672.Nm 1673.Cm set swap Ar first-set second-set 1674.Ed 1675.Pp 1676See the 1677.Sx EXAMPLES 1678Section on some possible uses of sets of rules. 1679.Sh STATEFUL FIREWALL 1680Stateful operation is a way for the firewall to dynamically 1681create rules for specific flows when packets that 1682match a given pattern are detected. 1683Support for stateful 1684operation comes through the 1685.Cm check-state , keep-state 1686and 1687.Cm limit 1688options of 1689.Nm rules . 1690.Pp 1691Dynamic rules are created when a packet matches a 1692.Cm keep-state 1693or 1694.Cm limit 1695rule, causing the creation of a 1696.Em dynamic 1697rule which will match all and only packets with 1698a given 1699.Em protocol 1700between a 1701.Em src-ip/src-port dst-ip/dst-port 1702pair of addresses 1703.Em ( src 1704and 1705.Em dst 1706are used here only to denote the initial match addresses, but they 1707are completely equivalent afterwards). 1708Dynamic rules will be checked at the first 1709.Cm check-state, keep-state 1710or 1711.Cm limit 1712occurrence, and the action performed upon a match will be the same 1713as in the parent rule. 1714.Pp 1715Note that no additional attributes other than protocol and IP addresses 1716and ports are checked on dynamic rules. 1717.Pp 1718The typical use of dynamic rules is to keep a closed firewall configuration, 1719but let the first TCP SYN packet from the inside network install a 1720dynamic rule for the flow so that packets belonging to that session 1721will be allowed through the firewall: 1722.Pp 1723.Dl "ipfw add check-state" 1724.Dl "ipfw add allow tcp from my-subnet to any setup keep-state" 1725.Dl "ipfw add deny tcp from any to any" 1726.Pp 1727A similar approach can be used for UDP, where an UDP packet coming 1728from the inside will install a dynamic rule to let the response through 1729the firewall: 1730.Pp 1731.Dl "ipfw add check-state" 1732.Dl "ipfw add allow udp from my-subnet to any keep-state" 1733.Dl "ipfw add deny udp from any to any" 1734.Pp 1735Dynamic rules expire after some time, which depends on the status 1736of the flow and the setting of some 1737.Cm sysctl 1738variables. 1739See Section 1740.Sx SYSCTL VARIABLES 1741for more details. 1742For TCP sessions, dynamic rules can be instructed to periodically 1743send keepalive packets to refresh the state of the rule when it is 1744about to expire. 1745.Pp 1746See Section 1747.Sx EXAMPLES 1748for more examples on how to use dynamic rules. 1749.Sh TRAFFIC SHAPER (DUMMYNET) CONFIGURATION 1750.Nm 1751is also the user interface for the 1752.Xr dummynet 4 1753traffic shaper. 1754.Pp 1755.Nm dummynet 1756operates by first using the firewall to classify packets and divide them into 1757.Em flows , 1758using any match pattern that can be used in 1759.Nm 1760rules. 1761Depending on local policies, a flow can contain packets for a single 1762TCP connection, or from/to a given host, or entire subnet, or a 1763protocol type, etc. 1764.Pp 1765Packets belonging to the same flow are then passed to either of two 1766different objects, which implement the traffic regulation: 1767.Bl -hang -offset XXXX 1768.It Em pipe 1769A pipe emulates a link with given bandwidth, propagation delay, 1770queue size and packet loss rate. 1771Packets are queued in front of the pipe as they come out from the classifier, 1772and then transferred to the pipe according to the pipe's parameters. 1773.Pp 1774.It Em queue 1775A queue 1776is an abstraction used to implement the WF2Q+ 1777(Worst-case Fair Weighted Fair Queueing) policy, which is 1778an efficient variant of the WFQ policy. 1779.br 1780The queue associates a 1781.Em weight 1782and a reference pipe to each flow, and then all backlogged (i.e., 1783with packets queued) flows linked to the same pipe share the pipe's 1784bandwidth proportionally to their weights. 1785Note that weights are not priorities; a flow with a lower weight 1786is still guaranteed to get its fraction of the bandwidth even if a 1787flow with a higher weight is permanently backlogged. 1788.Pp 1789.El 1790In practice, 1791.Em pipes 1792can be used to set hard limits to the bandwidth that a flow can use, whereas 1793.Em queues 1794can be used to determine how different flow share the available bandwidth. 1795.Pp 1796The 1797.Em pipe 1798and 1799.Em queue 1800configuration commands are the following: 1801.Bd -ragged -offset indent 1802.Cm pipe Ar number Cm config Ar pipe-configuration 1803.Pp 1804.Cm queue Ar number Cm config Ar queue-configuration 1805.Ed 1806.Pp 1807The following parameters can be configured for a pipe: 1808.Pp 1809.Bl -tag -width indent -compact 1810.It Cm bw Ar bandwidth | device 1811Bandwidth, measured in 1812.Sm off 1813.Op Cm K | M 1814.Brq Cm bit/s | Byte/s . 1815.Sm on 1816.Pp 1817A value of 0 (default) means unlimited bandwidth. 1818The unit must immediately follow the number, as in 1819.Pp 1820.Dl "ipfw pipe 1 config bw 300Kbit/s" 1821.Pp 1822If a device name is specified instead of a numeric value, as in 1823.Pp 1824.Dl "ipfw pipe 1 config bw tun0" 1825.Pp 1826then the transmit clock is supplied by the specified device. 1827At the moment only the 1828.Xr tun 4 1829device supports this 1830functionality, for use in conjunction with 1831.Xr ppp 8 . 1832.Pp 1833.It Cm delay Ar ms-delay 1834Propagation delay, measured in milliseconds. 1835The value is rounded to the next multiple of the clock tick 1836(typically 10ms, but it is a good practice to run kernels 1837with 1838.Dq "options HZ=1000" 1839to reduce 1840the granularity to 1ms or less). 1841Default value is 0, meaning no delay. 1842.El 1843.Pp 1844The following parameters can be configured for a queue: 1845.Pp 1846.Bl -tag -width indent -compact 1847.It Cm pipe Ar pipe_nr 1848Connects a queue to the specified pipe. 1849Multiple queues (with the same or different weights) can be connected to 1850the same pipe, which specifies the aggregate rate for the set of queues. 1851.Pp 1852.It Cm weight Ar weight 1853Specifies the weight to be used for flows matching this queue. 1854The weight must be in the range 1..100, and defaults to 1. 1855.El 1856.Pp 1857Finally, the following parameters can be configured for both 1858pipes and queues: 1859.Pp 1860.Bl -tag -width XXXX -compact 1861.Pp 1862.It Cm buckets Ar hash-table-size 1863Specifies the size of the hash table used for storing the 1864various queues. 1865Default value is 64 controlled by the 1866.Xr sysctl 8 1867variable 1868.Em net.inet.ip.dummynet.hash_size , 1869allowed range is 16 to 65536. 1870.Pp 1871.It Cm mask Ar mask-specifier 1872Packets sent to a given pipe or queue by an 1873.Nm 1874rule can be further classified into multiple flows, each of which is then 1875sent to a different 1876.Em dynamic 1877pipe or queue. 1878A flow identifier is constructed by masking the IP addresses, 1879ports and protocol types as specified with the 1880.Cm mask 1881options in the configuration of the pipe or queue. 1882For each different flow identifier, a new pipe or queue is created 1883with the same parameters as the original object, and matching packets 1884are sent to it. 1885.Pp 1886Thus, when 1887.Em dynamic pipes 1888are used, each flow will get the same bandwidth as defined by the pipe, 1889whereas when 1890.Em dynamic queues 1891are used, each flow will share the parent's pipe bandwidth evenly 1892with other flows generated by the same queue (note that other queues 1893with different weights might be connected to the same pipe). 1894.br 1895Available mask specifiers are a combination of one or more of the following: 1896.Pp 1897.Cm dst-ip Ar mask , 1898.Cm dst-ip6 Ar mask , 1899.Cm src-ip Ar mask , 1900.Cm src-ip6 Ar mask , 1901.Cm dst-port Ar mask , 1902.Cm src-port Ar mask , 1903.Cm flow-id Ar mask , 1904.Cm proto Ar mask 1905or 1906.Cm all , 1907.Pp 1908where the latter means all bits in all fields are significant. 1909.Pp 1910.It Cm noerror 1911When a packet is dropped by a dummynet queue or pipe, the error 1912is normally reported to the caller routine in the kernel, in the 1913same way as it happens when a device queue fills up. 1914Setting this 1915option reports the packet as successfully delivered, which can be 1916needed for some experimental setups where you want to simulate 1917loss or congestion at a remote router. 1918.Pp 1919.It Cm plr Ar packet-loss-rate 1920Packet loss rate. 1921Argument 1922.Ar packet-loss-rate 1923is a floating-point number between 0 and 1, with 0 meaning no 1924loss, 1 meaning 100% loss. 1925The loss rate is internally represented on 31 bits. 1926.Pp 1927.It Cm queue Brq Ar slots | size Ns Cm Kbytes 1928Queue size, in 1929.Ar slots 1930or 1931.Cm KBytes . 1932Default value is 50 slots, which 1933is the typical queue size for Ethernet devices. 1934Note that for slow speed links you should keep the queue 1935size short or your traffic might be affected by a significant 1936queueing delay. 1937E.g., 50 max-sized ethernet packets (1500 bytes) mean 600Kbit 1938or 20s of queue on a 30Kbit/s pipe. 1939Even worse effects can result if you get packets from an 1940interface with a much larger MTU, e.g.\& the loopback interface 1941with its 16KB packets. 1942.Pp 1943.It Cm red | gred Ar w_q Ns / Ns Ar min_th Ns / Ns Ar max_th Ns / Ns Ar max_p 1944Make use of the RED (Random Early Detection) queue management algorithm. 1945.Ar w_q 1946and 1947.Ar max_p 1948are floating 1949point numbers between 0 and 1 (0 not included), while 1950.Ar min_th 1951and 1952.Ar max_th 1953are integer numbers specifying thresholds for queue management 1954(thresholds are computed in bytes if the queue has been defined 1955in bytes, in slots otherwise). 1956The 1957.Xr dummynet 4 1958also supports the gentle RED variant (gred). 1959Three 1960.Xr sysctl 8 1961variables can be used to control the RED behaviour: 1962.Bl -tag -width indent 1963.It Em net.inet.ip.dummynet.red_lookup_depth 1964specifies the accuracy in computing the average queue 1965when the link is idle (defaults to 256, must be greater than zero) 1966.It Em net.inet.ip.dummynet.red_avg_pkt_size 1967specifies the expected average packet size (defaults to 512, must be 1968greater than zero) 1969.It Em net.inet.ip.dummynet.red_max_pkt_size 1970specifies the expected maximum packet size, only used when queue 1971thresholds are in bytes (defaults to 1500, must be greater than zero). 1972.El 1973.El 1974.Pp 1975When used with IPv6 data, dummynet currently has several limitations. 1976First, debug.mpsafenet=0 must be set. 1977Second, the information necessicary to route link-local packets to an 1978interface is not avalable after processing by dummynet so those packets 1979are dropped in the output path. 1980Care should be taken to insure that link-local packets are not passed to 1981dummynet. 1982.Sh CHECKLIST 1983Here are some important points to consider when designing your 1984rules: 1985.Bl -bullet 1986.It 1987Remember that you filter both packets going 1988.Cm in 1989and 1990.Cm out . 1991Most connections need packets going in both directions. 1992.It 1993Remember to test very carefully. 1994It is a good idea to be near the console when doing this. 1995If you cannot be near the console, 1996use an auto-recovery script such as the one in 1997.Pa /usr/share/examples/ipfw/change_rules.sh . 1998.It 1999Do not forget the loopback interface. 2000.El 2001.Sh FINE POINTS 2002.Bl -bullet 2003.It 2004There are circumstances where fragmented datagrams are unconditionally 2005dropped. 2006TCP packets are dropped if they do not contain at least 20 bytes of 2007TCP header, UDP packets are dropped if they do not contain a full 8 2008byte UDP header, and ICMP packets are dropped if they do not contain 20094 bytes of ICMP header, enough to specify the ICMP type, code, and 2010checksum. 2011These packets are simply logged as 2012.Dq pullup failed 2013since there may not be enough good data in the packet to produce a 2014meaningful log entry. 2015.It 2016Another type of packet is unconditionally dropped, a TCP packet with a 2017fragment offset of one. 2018This is a valid packet, but it only has one use, to try 2019to circumvent firewalls. 2020When logging is enabled, these packets are 2021reported as being dropped by rule -1. 2022.It 2023If you are logged in over a network, loading the 2024.Xr kld 4 2025version of 2026.Nm 2027is probably not as straightforward as you would think. 2028I recommend the following command line: 2029.Bd -literal -offset indent 2030kldload ipfw && \e 2031ipfw add 32000 allow ip from any to any 2032.Ed 2033.Pp 2034Along the same lines, doing an 2035.Bd -literal -offset indent 2036ipfw flush 2037.Ed 2038.Pp 2039in similar surroundings is also a bad idea. 2040.It 2041The 2042.Nm 2043filter list may not be modified if the system security level 2044is set to 3 or higher 2045(see 2046.Xr init 8 2047for information on system security levels). 2048.El 2049.Sh PACKET DIVERSION 2050A 2051.Xr divert 4 2052socket bound to the specified port will receive all packets 2053diverted to that port. 2054If no socket is bound to the destination port, or if the divert module is 2055not loaded, or if the kernel was not compiled with divert socket support, 2056the packets are dropped. 2057.Sh NETWORK ADDRESS TRANSLATION (NAT) 2058The nat configuration command is the following: 2059.Bd -ragged -offset indent 2060.Bk -words 2061.Cm nat 2062.Ar nat_number 2063.Cm config 2064.Ar nat-configuration 2065.Ek 2066.Ed 2067.Pp 2068. 2069The following parameters can be configured: 2070.Bl -tag -width indent 2071.It Cm ip Ar ip_address 2072Define an ip address to use for aliasing. 2073.It Cm if Ar nic 2074Use ip addres of NIC for aliasing, dynamically changing 2075it if NIC's ip address change. 2076.It Cm log 2077Enable logging on this nat instance. 2078.It Cm deny_in 2079Deny any incoming connection from outside world. 2080.It Cm same_ports 2081Try to leave the alias port numbers unchanged from 2082the actual local port numbers. 2083.It Cm unreg_only 2084Traffic on the local network not originating from an 2085unregistered address spaces will be ignored. 2086.It Cm reset 2087Reset table of the packet aliasing engine on address change. 2088.It Cm reverse 2089Reverse the way libalias handles aliasing. 2090.It Cm proxy_only 2091Obey transparent proxy rules only, packet aliasing is not performed. 2092.El 2093.Pp 2094To let the packet continue after being (de)aliased, set the sysctl variable 2095.Em net.inet.ip.fw.one_pass 2096to 0. 2097For more information about aliasing modes, refer to 2098.Xr libalias 3 2099. 2100See Section 2101.Sx EXAMPLES 2102for some examples about nat usage. 2103.Sh REDIRECT AND LSNAT SUPPORT IN IPFW 2104Redirect and LSNAT support follow closely the syntax used in 2105.Xr natd 8 2106. 2107See Section 2108.Sx EXAMPLES 2109for some examples on how to do redirect and lsnat. 2110.Sh SYSCTL VARIABLES 2111A set of 2112.Xr sysctl 8 2113variables controls the behaviour of the firewall and 2114associated modules 2115.Pq Nm dummynet , bridge . 2116These are shown below together with their default value 2117(but always check with the 2118.Xr sysctl 8 2119command what value is actually in use) and meaning: 2120.Bl -tag -width indent 2121.It Em net.inet.ip.dummynet.expire : No 1 2122Lazily delete dynamic pipes/queue once they have no pending traffic. 2123You can disable this by setting the variable to 0, in which case 2124the pipes/queues will only be deleted when the threshold is reached. 2125.It Em net.inet.ip.dummynet.hash_size : No 64 2126Default size of the hash table used for dynamic pipes/queues. 2127This value is used when no 2128.Cm buckets 2129option is specified when configuring a pipe/queue. 2130.It Em net.inet.ip.dummynet.max_chain_len : No 16 2131Target value for the maximum number of pipes/queues in a hash bucket. 2132The product 2133.Cm max_chain_len*hash_size 2134is used to determine the threshold over which empty pipes/queues 2135will be expired even when 2136.Cm net.inet.ip.dummynet.expire=0 . 2137.It Em net.inet.ip.dummynet.red_lookup_depth : No 256 2138.It Em net.inet.ip.dummynet.red_avg_pkt_size : No 512 2139.It Em net.inet.ip.dummynet.red_max_pkt_size : No 1500 2140Parameters used in the computations of the drop probability 2141for the RED algorithm. 2142.It Em net.inet.ip.fw.autoinc_step : No 100 2143Delta between rule numbers when auto-generating them. 2144The value must be in the range 1..1000. 2145.It Em net.inet.ip.fw.curr_dyn_buckets : Em net.inet.ip.fw.dyn_buckets 2146The current number of buckets in the hash table for dynamic rules 2147(readonly). 2148.It Em net.inet.ip.fw.debug : No 1 2149Controls debugging messages produced by 2150.Nm . 2151.It Em net.inet.ip.fw.dyn_buckets : No 256 2152The number of buckets in the hash table for dynamic rules. 2153Must be a power of 2, up to 65536. 2154It only takes effect when all dynamic rules have expired, so you 2155are advised to use a 2156.Cm flush 2157command to make sure that the hash table is resized. 2158.It Em net.inet.ip.fw.dyn_count : No 3 2159Current number of dynamic rules 2160(read-only). 2161.It Em net.inet.ip.fw.dyn_keepalive : No 1 2162Enables generation of keepalive packets for 2163.Cm keep-state 2164rules on TCP sessions. 2165A keepalive is generated to both 2166sides of the connection every 5 seconds for the last 20 2167seconds of the lifetime of the rule. 2168.It Em net.inet.ip.fw.dyn_max : No 8192 2169Maximum number of dynamic rules. 2170When you hit this limit, no more dynamic rules can be 2171installed until old ones expire. 2172.It Em net.inet.ip.fw.dyn_ack_lifetime : No 300 2173.It Em net.inet.ip.fw.dyn_syn_lifetime : No 20 2174.It Em net.inet.ip.fw.dyn_fin_lifetime : No 1 2175.It Em net.inet.ip.fw.dyn_rst_lifetime : No 1 2176.It Em net.inet.ip.fw.dyn_udp_lifetime : No 5 2177.It Em net.inet.ip.fw.dyn_short_lifetime : No 30 2178These variables control the lifetime, in seconds, of dynamic 2179rules. 2180Upon the initial SYN exchange the lifetime is kept short, 2181then increased after both SYN have been seen, then decreased 2182again during the final FIN exchange or when a RST is received. 2183Both 2184.Em dyn_fin_lifetime 2185and 2186.Em dyn_rst_lifetime 2187must be strictly lower than 5 seconds, the period of 2188repetition of keepalives. 2189The firewall enforces that. 2190.It Em net.inet.ip.fw.enable : No 1 2191Enables the firewall. 2192Setting this variable to 0 lets you run your machine without 2193firewall even if compiled in. 2194.It Em net.inet6.ip6.fw.enable : No 1 2195provides the same functionality as above for the IPv6 case. 2196.It Em net.inet.ip.fw.one_pass : No 1 2197When set, the packet exiting from the 2198.Xr dummynet 4 2199pipe or from 2200.Xr ng_ipfw 4 2201node is not passed though the firewall again. 2202Otherwise, after an action, the packet is 2203reinjected into the firewall at the next rule. 2204.It Em net.inet.ip.fw.verbose : No 1 2205Enables verbose messages. 2206.It Em net.inet.ip.fw.verbose_limit : No 0 2207Limits the number of messages produced by a verbose firewall. 2208.It Em net.inet6.ip6.fw.deny_unknown_exthdrs : No 1 2209If enabled packets with unknown IPv6 Extension Headers will be denied. 2210.It Em net.link.ether.ipfw : No 0 2211Controls whether layer-2 packets are passed to 2212.Nm . 2213Default is no. 2214.It Em net.link.bridge.ipfw : No 0 2215Controls whether bridged packets are passed to 2216.Nm . 2217Default is no. 2218.El 2219.Pp 2220.Sh EXAMPLES 2221There are far too many possible uses of 2222.Nm 2223so this Section will only give a small set of examples. 2224.Pp 2225.Ss BASIC PACKET FILTERING 2226This command adds an entry which denies all tcp packets from 2227.Em cracker.evil.org 2228to the telnet port of 2229.Em wolf.tambov.su 2230from being forwarded by the host: 2231.Pp 2232.Dl "ipfw add deny tcp from cracker.evil.org to wolf.tambov.su telnet" 2233.Pp 2234This one disallows any connection from the entire cracker's 2235network to my host: 2236.Pp 2237.Dl "ipfw add deny ip from 123.45.67.0/24 to my.host.org" 2238.Pp 2239A first and efficient way to limit access (not using dynamic rules) 2240is the use of the following rules: 2241.Pp 2242.Dl "ipfw add allow tcp from any to any established" 2243.Dl "ipfw add allow tcp from net1 portlist1 to net2 portlist2 setup" 2244.Dl "ipfw add allow tcp from net3 portlist3 to net3 portlist3 setup" 2245.Dl "..." 2246.Dl "ipfw add deny tcp from any to any" 2247.Pp 2248The first rule will be a quick match for normal TCP packets, 2249but it will not match the initial SYN packet, which will be 2250matched by the 2251.Cm setup 2252rules only for selected source/destination pairs. 2253All other SYN packets will be rejected by the final 2254.Cm deny 2255rule. 2256.Pp 2257If you administer one or more subnets, you can take advantage 2258of the address sets and or-blocks and write extremely 2259compact rulesets which selectively enable services to blocks 2260of clients, as below: 2261.Pp 2262.Dl "goodguys=\*q{ 10.1.2.0/24{20,35,66,18} or 10.2.3.0/28{6,3,11} }\*q" 2263.Dl "badguys=\*q10.1.2.0/24{8,38,60}\*q" 2264.Dl "" 2265.Dl "ipfw add allow ip from ${goodguys} to any" 2266.Dl "ipfw add deny ip from ${badguys} to any" 2267.Dl "... normal policies ..." 2268.Pp 2269The 2270.Cm verrevpath 2271option could be used to do automated anti-spoofing by adding the 2272following to the top of a ruleset: 2273.Pp 2274.Dl "ipfw add deny ip from any to any not verrevpath in" 2275.Pp 2276This rule drops all incoming packets that appear to be coming to the 2277system on the wrong interface. 2278For example, a packet with a source 2279address belonging to a host on a protected internal network would be 2280dropped if it tried to enter the system from an external interface. 2281.Pp 2282The 2283.Cm antispoof 2284option could be used to do similar but more restricted anti-spoofing 2285by adding the following to the top of a ruleset: 2286.Pp 2287.Dl "ipfw add deny ip from any to any not antispoof in" 2288.Pp 2289This rule drops all incoming packets that appear to be coming from another 2290directly connected system but on the wrong interface. 2291For example, a packet with a source address of 2292.Li 192.168.0.0/24 2293, configured on 2294.Li fxp0 2295, but coming in on 2296.Li fxp1 2297would be dropped. 2298.Ss DYNAMIC RULES 2299In order to protect a site from flood attacks involving fake 2300TCP packets, it is safer to use dynamic rules: 2301.Pp 2302.Dl "ipfw add check-state" 2303.Dl "ipfw add deny tcp from any to any established" 2304.Dl "ipfw add allow tcp from my-net to any setup keep-state" 2305.Pp 2306This will let the firewall install dynamic rules only for 2307those connection which start with a regular SYN packet coming 2308from the inside of our network. 2309Dynamic rules are checked when encountering the first 2310.Cm check-state 2311or 2312.Cm keep-state 2313rule. 2314A 2315.Cm check-state 2316rule should usually be placed near the beginning of the 2317ruleset to minimize the amount of work scanning the ruleset. 2318Your mileage may vary. 2319.Pp 2320To limit the number of connections a user can open 2321you can use the following type of rules: 2322.Pp 2323.Dl "ipfw add allow tcp from my-net/24 to any setup limit src-addr 10" 2324.Dl "ipfw add allow tcp from any to me setup limit src-addr 4" 2325.Pp 2326The former (assuming it runs on a gateway) will allow each host 2327on a /24 network to open at most 10 TCP connections. 2328The latter can be placed on a server to make sure that a single 2329client does not use more than 4 simultaneous connections. 2330.Pp 2331.Em BEWARE : 2332stateful rules can be subject to denial-of-service attacks 2333by a SYN-flood which opens a huge number of dynamic rules. 2334The effects of such attacks can be partially limited by 2335acting on a set of 2336.Xr sysctl 8 2337variables which control the operation of the firewall. 2338.Pp 2339Here is a good usage of the 2340.Cm list 2341command to see accounting records and timestamp information: 2342.Pp 2343.Dl ipfw -at list 2344.Pp 2345or in short form without timestamps: 2346.Pp 2347.Dl ipfw -a list 2348.Pp 2349which is equivalent to: 2350.Pp 2351.Dl ipfw show 2352.Pp 2353Next rule diverts all incoming packets from 192.168.2.0/24 2354to divert port 5000: 2355.Pp 2356.Dl ipfw divert 5000 ip from 192.168.2.0/24 to any in 2357.Pp 2358.Ss TRAFFIC SHAPING 2359The following rules show some of the applications of 2360.Nm 2361and 2362.Xr dummynet 4 2363for simulations and the like. 2364.Pp 2365This rule drops random incoming packets with a probability 2366of 5%: 2367.Pp 2368.Dl "ipfw add prob 0.05 deny ip from any to any in" 2369.Pp 2370A similar effect can be achieved making use of dummynet pipes: 2371.Pp 2372.Dl "ipfw add pipe 10 ip from any to any" 2373.Dl "ipfw pipe 10 config plr 0.05" 2374.Pp 2375We can use pipes to artificially limit bandwidth, e.g.\& on a 2376machine acting as a router, if we want to limit traffic from 2377local clients on 192.168.2.0/24 we do: 2378.Pp 2379.Dl "ipfw add pipe 1 ip from 192.168.2.0/24 to any out" 2380.Dl "ipfw pipe 1 config bw 300Kbit/s queue 50KBytes" 2381.Pp 2382note that we use the 2383.Cm out 2384modifier so that the rule is not used twice. 2385Remember in fact that 2386.Nm 2387rules are checked both on incoming and outgoing packets. 2388.Pp 2389Should we want to simulate a bidirectional link with bandwidth 2390limitations, the correct way is the following: 2391.Pp 2392.Dl "ipfw add pipe 1 ip from any to any out" 2393.Dl "ipfw add pipe 2 ip from any to any in" 2394.Dl "ipfw pipe 1 config bw 64Kbit/s queue 10Kbytes" 2395.Dl "ipfw pipe 2 config bw 64Kbit/s queue 10Kbytes" 2396.Pp 2397The above can be very useful, e.g.\& if you want to see how 2398your fancy Web page will look for a residential user who 2399is connected only through a slow link. 2400You should not use only one pipe for both directions, unless 2401you want to simulate a half-duplex medium (e.g.\& AppleTalk, 2402Ethernet, IRDA). 2403It is not necessary that both pipes have the same configuration, 2404so we can also simulate asymmetric links. 2405.Pp 2406Should we want to verify network performance with the RED queue 2407management algorithm: 2408.Pp 2409.Dl "ipfw add pipe 1 ip from any to any" 2410.Dl "ipfw pipe 1 config bw 500Kbit/s queue 100 red 0.002/30/80/0.1" 2411.Pp 2412Another typical application of the traffic shaper is to 2413introduce some delay in the communication. 2414This can significantly affect applications which do a lot of Remote 2415Procedure Calls, and where the round-trip-time of the 2416connection often becomes a limiting factor much more than 2417bandwidth: 2418.Pp 2419.Dl "ipfw add pipe 1 ip from any to any out" 2420.Dl "ipfw add pipe 2 ip from any to any in" 2421.Dl "ipfw pipe 1 config delay 250ms bw 1Mbit/s" 2422.Dl "ipfw pipe 2 config delay 250ms bw 1Mbit/s" 2423.Pp 2424Per-flow queueing can be useful for a variety of purposes. 2425A very simple one is counting traffic: 2426.Pp 2427.Dl "ipfw add pipe 1 tcp from any to any" 2428.Dl "ipfw add pipe 1 udp from any to any" 2429.Dl "ipfw add pipe 1 ip from any to any" 2430.Dl "ipfw pipe 1 config mask all" 2431.Pp 2432The above set of rules will create queues (and collect 2433statistics) for all traffic. 2434Because the pipes have no limitations, the only effect is 2435collecting statistics. 2436Note that we need 3 rules, not just the last one, because 2437when 2438.Nm 2439tries to match IP packets it will not consider ports, so we 2440would not see connections on separate ports as different 2441ones. 2442.Pp 2443A more sophisticated example is limiting the outbound traffic 2444on a net with per-host limits, rather than per-network limits: 2445.Pp 2446.Dl "ipfw add pipe 1 ip from 192.168.2.0/24 to any out" 2447.Dl "ipfw add pipe 2 ip from any to 192.168.2.0/24 in" 2448.Dl "ipfw pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes" 2449.Dl "ipfw pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes" 2450.Ss LOOKUP TABLES 2451In the following example, we need to create several traffic bandwidth 2452classes and we need different hosts/networks to fall into different classes. 2453We create one pipe for each class and configure them accordingly. 2454Then we create a single table and fill it with IP subnets and addresses. 2455For each subnet/host we set the argument equal to the number of the pipe 2456that it should use. 2457Then we classify traffic using a single rule: 2458.Pp 2459.Dl "ipfw pipe 1 config bw 1000Kbyte/s" 2460.Dl "ipfw pipe 4 config bw 4000Kbyte/s" 2461.Dl "..." 2462.Dl "ipfw table 1 add 192.168.2.0/24 1" 2463.Dl "ipfw table 1 add 192.168.0.0/27 4" 2464.Dl "ipfw table 1 add 192.168.0.2 1" 2465.Dl "..." 2466.Dl "ipfw pipe tablearg ip from table(1) to any" 2467.Pp 2468Using the 2469.Cm fwd 2470action, the table entries may include hostnames and IP addresses. 2471.Pp 2472.Dl "ipfw table 1 add 192.168.2.0/24 10.23.2.1" 2473.Dl "ipfw table 1 add 192.168.0.0/27 router1.dmz" 2474.Dl "..." 2475.Dl "ipfw add 100 fwd tablearg ip from any to table(1)" 2476.Ss SETS OF RULES 2477To add a set of rules atomically, e.g.\& set 18: 2478.Pp 2479.Dl "ipfw set disable 18" 2480.Dl "ipfw add NN set 18 ... # repeat as needed" 2481.Dl "ipfw set enable 18" 2482.Pp 2483To delete a set of rules atomically the command is simply: 2484.Pp 2485.Dl "ipfw delete set 18" 2486.Pp 2487To test a ruleset and disable it and regain control if something goes wrong: 2488.Pp 2489.Dl "ipfw set disable 18" 2490.Dl "ipfw add NN set 18 ... # repeat as needed" 2491.Dl "ipfw set enable 18; echo done; sleep 30 && ipfw set disable 18" 2492.Pp 2493Here if everything goes well, you press control-C before the "sleep" 2494terminates, and your ruleset will be left active. 2495Otherwise, e.g.\& if 2496you cannot access your box, the ruleset will be disabled after 2497the sleep terminates thus restoring the previous situation. 2498.Pp 2499To show rules of the specific set: 2500.Pp 2501.Dl "ipfw set 18 show" 2502.Pp 2503To show rules of the disabled set: 2504.Pp 2505.Dl "ipfw -S set 18 show" 2506.Pp 2507To clear a specific rule counters of the specific set: 2508.Pp 2509.Dl "ipfw set 18 zero NN" 2510.Pp 2511To delete a specific rule of the specific set: 2512.Pp 2513.Dl "ipfw set 18 delete NN" 2514.Ss NAT, REDIRECT AND LSNAT 2515First redirect all the traffic to nat instance 123: 2516.Pp 2517.Dl "ipfw add nat 123 all from any to any" 2518.Pp 2519Then to configure nat instance 123 to alias all the outgoing traffic with ip 2520192.168.0.123, blocking all incoming connections, trying to keep 2521same ports on both sides, clearing aliasing table on address change 2522and keeping a log of traffic/link statistics: 2523.Pp 2524.Dl "ipfw nat 123 config ip 192.168.0.123 log deny_in reset same_ports" 2525.Pp 2526Or to change address of instance 123, aliasing table will be cleared (see 2527reset option): 2528.Pp 2529.Dl "ipfw nat 123 config ip 10.0.0.1" 2530.Pp 2531To see configuration of nat instance 123: 2532.Pp 2533.Dl "ipfw nat 123 show config" 2534.Pp 2535To show logs of all the instances in range 111-999: 2536.Pp 2537.Dl "ipfw nat 111-999 show" 2538.Pp 2539To see configurations of all instances: 2540.Pp 2541.Dl "ipfw nat show config" 2542.Pp 2543Or a redirect rule with mixed modes could looks like: 2544.Pp 2545.Dl "ipfw nat 123 config redirect_addr 10.0.0.1 10.0.0.66" 2546.Dl " redirect_port tcp 192.168.0.1:80 500" 2547.Dl " redirect_proto udp 192.168.1.43 192.168.1.1" 2548.Dl " redirect_addr 192.168.0.10,192.168.0.11" 2549.Dl " 10.0.0.100 # LSNAT" 2550.Dl " redirect_port tcp 192.168.0.1:80,192.168.0.10:22" 2551.Dl " 500 # LSNAT" 2552.Pp 2553or it could be splitted in: 2554.Pp 2555.Dl "ipfw nat 1 config redirect_addr 10.0.0.1 10.0.0.66" 2556.Dl "ipfw nat 2 config redirect_port tcp 192.168.0.1:80 500" 2557.Dl "ipfw nat 3 config redirect_proto udp 192.168.1.43 192.168.1.1" 2558.Dl "ipfw nat 4 config redirect_addr 192.168.0.10,192.168.0.11,192.168.0.12" 2559.Dl " 10.0.0.100" 2560.Dl "ipfw nat 5 config redirect_port tcp" 2561.Dl " 192.168.0.1:80,192.168.0.10:22,192.168.0.20:25 500" 2562.Pp 2563.Sh SEE ALSO 2564.Xr cpp 1 , 2565.Xr m4 1 , 2566.Xr altq 4 , 2567.Xr divert 4 , 2568.Xr dummynet 4 , 2569.Xr if_bridge 4 , 2570.Xr ip 4 , 2571.Xr ipfirewall 4 , 2572.Xr ng_ipfw 4 , 2573.Xr protocols 5 , 2574.Xr services 5 , 2575.Xr init 8 , 2576.Xr kldload 8 , 2577.Xr reboot 8 , 2578.Xr sysctl 8 , 2579.Xr syslogd 8 2580.Sh HISTORY 2581The 2582.Nm 2583utility first appeared in 2584.Fx 2.0 . 2585.Xr dummynet 4 2586was introduced in 2587.Fx 2.2.8 . 2588Stateful extensions were introduced in 2589.Fx 4.0 . 2590.Nm ipfw2 2591was introduced in Summer 2002. 2592.Sh AUTHORS 2593.An Ugen J. S. Antsilevich , 2594.An Poul-Henning Kamp , 2595.An Alex Nash , 2596.An Archie Cobbs , 2597.An Luigi Rizzo . 2598.Pp 2599.An -nosplit 2600API based upon code written by 2601.An Daniel Boulet 2602for BSDI. 2603.Pp 2604.An -nosplit 2605In-kernel NAT support written by 2606.An Paolo Pisati Aq piso@FreeBSD.org 2607as part of a Summer of Code 2005 project. 2608.Pp 2609Work on 2610.Xr dummynet 4 2611traffic shaper supported by Akamba Corp. 2612.Sh BUGS 2613Use of dummynet with IPv6 requires that debug.mpsafenet be set to 0. 2614.Pp 2615The syntax has grown over the years and sometimes it might be confusing. 2616Unfortunately, backward compatibility prevents cleaning up mistakes 2617made in the definition of the syntax. 2618.Pp 2619.Em !!! WARNING !!! 2620.Pp 2621Misconfiguring the firewall can put your computer in an unusable state, 2622possibly shutting down network services and requiring console access to 2623regain control of it. 2624.Pp 2625Incoming packet fragments diverted by 2626.Cm divert 2627are reassembled before delivery to the socket. 2628The action used on those packet is the one from the 2629rule which matches the first fragment of the packet. 2630.Pp 2631Packets diverted to userland, and then reinserted by a userland process 2632may lose various packet attributes. 2633The packet source interface name 2634will be preserved if it is shorter than 8 bytes and the userland process 2635saves and reuses the sockaddr_in 2636(as does 2637.Xr natd 8 ) ; 2638otherwise, it may be lost. 2639If a packet is reinserted in this manner, later rules may be incorrectly 2640applied, making the order of 2641.Cm divert 2642rules in the rule sequence very important. 2643.Pp 2644Dummynet drops all packets with IPv6 link-local addresses. 2645.Pp 2646Rules using 2647.Cm uid 2648or 2649.Cm gid 2650may not behave as expected. 2651In particular, incoming SYN packets may 2652have no uid or gid associated with them since they do not yet belong 2653to a TCP connection, and the uid/gid associated with a packet may not 2654be as expected if the associated process calls 2655.Xr setuid 2 2656or similar system calls. 2657.Pp 2658Rules which use uid, gid or jail based matching should be used only 2659if debug.mpsafenet=0 to avoid possible deadlocks due to layering 2660violations in its implementation. 2661.Pp 2662Rule syntax is subject to the command line environment and some patterns 2663may need to be escaped with the backslash character 2664or quoted appropriately. 2665.Pp 2666Due to the architecture of 2667.Xr libalias 3 , 2668ipfw nat is not compatible with the tcp segmentation offloading 2669(TSO). Thus, to reliably nat your network traffic, please disable TSO 2670on your NICs using 2671.Xr ifconfig 8 . 2672