.\"
.Dd August 19, 2020
.Dt IPFW 4
.Os
.Sh NAME
.Nm ipfw
.Nd IP packet filter and traffic accounting
.Sh SYNOPSIS
To compile
the driver
into the kernel, place the following option in the kernel configuration
file:
.Bd -ragged -offset indent
.Cd "options IPFIREWALL"
.Ed
.Pp
Other related kernel options
which may also be useful are:
.Bd -ragged -offset indent
.Cd "options IPFIREWALL_DEFAULT_TO_ACCEPT"
.Cd "options IPDIVERT"
.Cd "options IPFIREWALL_NAT"
.Cd "options IPFIREWALL_NAT64"
.Cd "options IPFIREWALL_NPTV6"
.Cd "options IPFIREWALL_PMOD"
.Cd "options IPFIREWALL_VERBOSE"
.Cd "options IPFIREWALL_VERBOSE_LIMIT=100"
.Cd "options LIBALIAS"
.Ed
.Pp
To load
the driver
as a module at boot time, add the following line into the
.Xr loader.conf 5
file:
.Bd -literal -offset indent
ipfw_load="YES"
.Ed
.Sh DESCRIPTION
The
.Nm
system facility allows filtering,
redirecting, and other operations on
.Tn IP
packets travelling through
network interfaces.
.Pp
The default behavior of
.Nm
is to block all incoming and outgoing traffic.
This behavior can be modified, to allow all traffic through the
.Nm
firewall by default, by enabling the
.Dv IPFIREWALL_DEFAULT_TO_ACCEPT
kernel option.
This option may be useful when configuring
.Nm
for the first time.
If the default
.Nm
behavior is to allow everything, it is easier to cope with
firewall-tuning mistakes which may accidentally block all traffic.
.Pp
When using
.Xr natd 8
in conjunction with
.Nm
as
.Tn NAT
facility, the kernel option
.Dv IPDIVERT
enables diverting packets to
.Xr natd 8
for translation.
.Pp
When using the in-kernel
.Tn NAT
facility of
.Nm ,
the kernel option
.Dv IPFIREWALL_NAT
enables basic
.Xr libalias 3
functionality in the kernel.
.Pp
When using any of the
.Tn IPv4
to
.Tn IPv6
transition mechanisms in
.Nm ,
the kernel option
.Dv IPFIREWALL_NAT64
enables all of these
.Tn NAT64
methods in the kernel.
.Pp
When using the
.Tn IPv6
network prefix translation facility of
.Nm ,
the kernel option
.Dv IPFIREWALL_NPTV6
enables this functionality in the kernel.
.Pp
When using the packet modification facility of
.Nm ,
the kernel option
.Dv IPFIREWALL_PMOD
enables this functionality in the kernel.
.Pp
To enable logging of packets passing through
.Nm ,
enable the
.Dv IPFIREWALL_VERBOSE
kernel option.
The
.Dv IPFIREWALL_VERBOSE_LIMIT
option will prevent
.Xr syslogd 8
from flooding system logs or causing local Denial of Service.
This option may be set to the number of packets which will be logged on
a per-entry basis before the entry is rate-limited.
.Pp
When using the in-kernel
.Tn NAT
facility of
.Nm ,
the kernel option
.Dv LIBALIAS
enables full
.Xr libalias 3
functionality in the kernel.
Full functionality refers to included support for ftp, bbt,
skinny, irc, pptp and smedia packets, which are missing in the basic
.Xr libalias 3
functionality accomplished with the
.Dv IPFIREWALL_NAT
kernel option.
.Pp
The user interface for
.Nm
is implemented by the
.Xr ipfw 8
utility, so please refer to the
.Xr ipfw 8
man page for a complete description of the
.Nm
capabilities and how to use it.
.Sh SEE ALSO
.Xr setsockopt 2 ,
.Xr libalias 3 ,
.Xr divert 4 ,
.Xr ip 4 ,
.Xr ip6 4 ,
.Xr ipfw 8 ,
.Xr natd 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8 ,
.Xr pfil 9
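The SYNOPSIS and DESCRIPTION above describe how the kernel options and the loader.conf entry decide whether ipfw is present at boot, what its default policy is, and whether logging is rate-limited. The following audit script is an added example and not part of the ipfw(4) manual or the FreeBSD source; it reads a kernel configuration file and a loader.conf (constructed sample copies, written to a temporary directory) and reports the boot-time state they produce.

```shell
#!/bin/sh
# Added example, not part of ipfw(4): audit a kernel config and a loader.conf(5)
# for the ipfw-related settings and report the boot-time state they produce.

# True when the kernel config has an uncommented "options NAME" line; NAME may
# carry a value, as in IPFIREWALL_VERBOSE_LIMIT=100. Prefixes do not match.
has_option() {  # $1 = kernel config path, $2 = option name
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]=]|\$)" "$1"
}

# Print one finding per line; exit status 0 only if ipfw is present at boot.
ipfw_audit() {  # $1 = kernel config path, $2 = loader.conf path
    conf=$1; loader=$2; present=1
    if has_option "$conf" IPFIREWALL; then
        echo "ipfw: compiled into the kernel (options IPFIREWALL)"
    elif grep -Eq '^[[:space:]]*ipfw_load="?YES"?' "$loader"; then
        echo "ipfw: loaded as a module at boot (ipfw_load=YES)"
    else
        echo "ipfw: not present at boot"; present=0
    fi
    if has_option "$conf" IPFIREWALL_DEFAULT_TO_ACCEPT; then
        echo "policy: default accept (forgiving while tuning, weaker once deployed)"
    else
        echo "policy: default deny (all traffic blocked until rules are loaded)"
    fi
    if has_option "$conf" IPFIREWALL_VERBOSE; then
        limit=$(sed -n 's/^[[:space:]]*options[[:space:]]*IPFIREWALL_VERBOSE_LIMIT=\([0-9]*\).*/\1/p' "$conf")
        echo "logging: enabled, per-rule limit ${limit:-unset (syslogd flooding possible)}"
    else
        echo "logging: disabled (no IPFIREWALL_VERBOSE)"
    fi
    [ "$present" -eq 1 ]
}

# Constructed sample inputs (not real system files), written to a temp dir.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/KERNCONF" <<'EOF'
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
#options IPFIREWALL_NAT          # commented out: must be ignored
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
EOF
    printf 'ipfw_load="YES"\n' > "$d/loader.conf"
    echo "$d"
}

# Stand-alone run: ./audit.sh run
if [ "${1:-}" = run ]; then d=$(make_samples); ipfw_audit "$d/KERNCONF" "$d/loader.conf"; fi
```

Point the two arguments at /usr/src/sys/<arch>/conf/<KERNCONF> and /boot/loader.conf to audit a real host; the option names checked are exactly those listed in the SYNOPSIS.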