xref: /freebsd/share/man/man4/ipfirewall.4 (revision 242349823cf73b134e10391013291781c5d2de10)

.\"
.\" $FreeBSD$
.\"
.Dd May 21, 2020
.Dt IPFW 4
.Os
.Sh NAME
.Nm ipfw
.Nd IP packet filter and traffic accounting
.Sh SYNOPSIS
To compile
the driver
into the kernel, place the following option in the kernel configuration
file:
.Bd -ragged -offset indent
.Cd "options IPFIREWALL"
.Ed
.Pp
Other related kernel options
which may also be useful are:
.Bd -ragged -offset indent
.Cd "options IPFIREWALL_DEFAULT_TO_ACCEPT"
.Cd "options IPDIVERT"
.Cd "options IPFIREWALL_NAT"
.Cd "options IPFIREWALL_NAT64"
.Cd "options IPFIREWALL_NPTV6"
.Cd "options IPFIREWALL_PMOD"
.Cd "options IPFIREWALL_VERBOSE"
.Cd "options IPFIREWALL_VERBOSE_LIMIT=100"
.Cd "options LIBALIAS"
.Ed
.Pp
To load
the driver
as a module at boot time, add the following line into the
.Xr loader.conf 5
file:
.Bd -literal -offset indent
ipfw_load="YES"
.Ed
.Sh DESCRIPTION
The
.Nm
system facility allows filtering,
redirecting, and other operations on
.Tn IP
packets travelling through
network interfaces.
.Pp
The default behavior of
.Nm
is to block all incoming and outgoing traffic.
This behavior can be modified, to allow all traffic through the
.Nm
firewall by default, by enabling the
.Dv IPFIREWALL_DEFAULT_TO_ACCEPT
kernel option.
This option may be useful when configuring
.Nm
for the first time.
If the default
.Nm
behavior is to allow everything, it is easier to cope with
firewall-tuning mistakes which may accidentally block all traffic.
.Pp
When using
.Xr natd 8
in conjunction with
.Nm
as
.Tn NAT
facility, the kernel option
.Dv IPDIVERT
enables diverting packets to
.Xr natd 8
for translation.
.Pp
When using the in-kernel
.Tn NAT
facility of
.Nm ,
the kernel option
.Dv IPFIREWALL_NAT
enables basic
.Xr libalias 3
functionality in the kernel.
.Pp
When using any of the
.Tn IPv4
to
.Tn IPv6
transition mechanisms in
.Nm ,
the kernel option
.Dv IPFIREWALL_NAT64
enables all of these
.Tn NAT64
methods in the kernel.
.Pp
When using the
.Tn IPv6
network prefix translation facility of
.Nm ,
the kernel option
.Dv IPFIREWALL_NPTV6
enables this functionality in the kernel.
.Pp
When using the packet modification facility of
.Nm ,
the kernel option
.Dv IPFIREWALL_PMOD
enables this functionality in the kernel.
.Pp
To enable logging of packets passing through
.Nm ,
enable the
.Dv IPFIREWALL_VERBOSE
kernel option.
The
.Dv IPFIREWALL_VERBOSE_LIMIT
option will prevent
.Xr syslogd 8
from flooding system logs or causing local Denial of Service.
This option may be set to the number of packets which will be logged on
a per-entry basis before the entry is rate-limited.
.Pp
When using the in-kernel
.Tn NAT
facility of
.Nm ,
the kernel option
.Dv LIBALIAS
enables full
.Xr libalias 3
functionality in the kernel.
Full functionality refers to included support for cuseeme, ftp, bbt,
skinny, irc, pptp and smedia packets, which are missing in the basic
.Xr libalias 3
functionality accomplished with the
.Dv IPFIREWALL_NAT
kernel option.
.Pp
The user interface for
.Nm
is implemented by the
.Xr ipfw 8
utility, so please refer to the
.Xr ipfw 8
man page for a complete description of the
.Nm
capabilities and how to use it.
.Sh SEE ALSO
.Xr setsockopt 2 ,
.Xr divert 4 ,
.Xr ip 4 ,
.Xr ip6 4 ,
.Xr ipfw 8 ,
.Xr libalias 3 ,
.Xr natd 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8 ,
.Xr pfil 9