.\"
.\" $FreeBSD$
.\"
.Dd September 1, 2006
.Dt IPFW 4
.Os
.Sh NAME
.Nm ipfw
.Nd IP packet filter and traffic accounting
.Sh SYNOPSIS
To compile
.Nm
into the kernel, place the following option in the kernel configuration
file:
.Bd -ragged -offset indent
.Cd "options IPFIREWALL"
.Ed
.Pp
Other kernel options related to
.Nm
which may also be useful are:
.Bd -ragged -offset indent
.Cd "options IPFIREWALL_DEFAULT_TO_ACCEPT"
.Cd "options IPFIREWALL_FORWARD"
.Cd "options IPFIREWALL_VERBOSE"
.Cd "options IPFIREWALL_VERBOSE_LIMIT=100"
.Ed
.Pp
To load
.Nm
as a module at boot time, add the following line to the
.Xr loader.conf 5
file:
.Bd -literal -offset indent
ipfw_load="YES"
.Ed
.Sh DESCRIPTION
The
.Nm
system facility allows filtering,
redirecting, and other operations on
.Tn IP
packets travelling through
network interfaces.
.Pp
The default behavior of
.Nm
is to block all incoming and outgoing traffic:
the rule chain ends in a fixed default rule that denies every packet
no earlier rule has explicitly accepted.
This behavior can be changed, so that the
.Nm
firewall passes all traffic by default, by enabling the
.Dv IPFIREWALL_DEFAULT_TO_ACCEPT
kernel option.
This option may be useful when configuring
.Nm
for the first time, in particular on a machine administered over the
network: with a default-deny firewall, a mistake in the rule set, or a
firewall that is enabled before its rules have been loaded, cuts off the
very connection needed to fix it.
If the default
.Nm
behavior is to allow everything, such mistakes are easier to recover
from.
The option should be removed (or a final explicit deny rule added) once
the rule set is complete, because otherwise a rule set that fails to
load leaves the host unfiltered.
.Pp
To enable logging of packets passing through
.Nm ,
enable the
.Dv IPFIREWALL_VERBOSE
kernel option.
Only packets matching rules that carry the
.Cm log
keyword are logged.
The
.Dv IPFIREWALL_VERBOSE_LIMIT
option prevents
.Xr syslogd 8
from flooding the system logs, and prevents an attacker from causing a
local Denial of Service simply by sending traffic that matches a
logging rule.
It is set to the number of packets which will be logged for each entry;
once an entry has logged that many packets, further matches of that
entry are not logged at all until its logging counter is reset (see the
.Cm resetlog
command in
.Xr ipfw 8 ) .
A value of 0 means no limit.
An individual rule can override the limit with the
.Cm logamount
keyword of
.Xr ipfw 8 .
Both options only set boot-time defaults; the corresponding
.Va net.inet.ip.fw.verbose
and
.Va net.inet.ip.fw.verbose_limit
variables can be changed at run time with
.Xr sysctl 8 .
.Pp
Policy routing and transparent forwarding features of
.Nm
can be enabled by the
.Dv IPFIREWALL_FORWARD
kernel option.
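.Pp
The following user-space C model of the per-entry logging limit is an
added example, not code from the
.Nm
kernel sources.
It reproduces the budget kept by each rule with the
.Cm log
action: the budget starts at the rule's
.Cm logamount ,
which defaults to the
.Dv IPFIREWALL_VERBOSE_LIMIT
value when the rule is installed, counts down one per logged packet,
produces a single extra
.Dq limit reached
notice when it hits zero, stays silent afterwards, and is re-armed by
.Cm resetlog .
The function names, the return codes and the packet-burst driver are
this example's own; the bogus-packet path for packets that match no
rule is left out.

```c
/*
 * User-space model of ipfw's per-rule log limit.  Added example, not
 * kernel code: rule_install/rule_log_packet/rule_resetlog/run_burst and
 * the LOG_* codes are this example's own names.  What is modelled is the
 * documented behaviour: a logging rule gets a budget of log lines
 * (logamount, defaulting to verbose_limit), logs nothing more once the
 * budget is spent, and starts again only after resetlog.
 */
#include <stdio.h>

#define LOG_SUPPRESSED      0   /* budget exhausted: nothing logged */
#define LOG_PACKET          1   /* one syslog line for the packet */
#define LOG_PACKET_AND_STOP 2   /* packet line plus the "limit reached" notice */

struct rule {
    int      rulenum;
    unsigned max_log;   /* per-rule budget; 0 means no limit at all */
    unsigned log_left;  /* lines still allowed before the rule goes quiet */
};

/*
 * Model of "ipfw add <rulenum> ... log [logamount K]" installed while
 * net.inet.ip.fw.verbose_limit == verbose_limit.  logamount < 0 means the
 * keyword was not given, so the global default applies; an explicit
 * "logamount 0" disables the limit for this rule only.
 */
void rule_install(struct rule *r, int rulenum, int logamount,
                  unsigned verbose_limit)
{
    r->rulenum  = rulenum;
    r->max_log  = logamount < 0 ? verbose_limit : (unsigned)logamount;
    r->log_left = r->max_log;
}

/* Decide what a packet matching r does to the log while verbose is on. */
int rule_log_packet(struct rule *r)
{
    if (r->max_log == 0)
        return LOG_PACKET;          /* unlimited: every packet is logged */
    if (r->log_left == 0)
        return LOG_SUPPRESSED;      /* budget spent: silence, not throttling */
    r->log_left--;
    return r->log_left == 0 ? LOG_PACKET_AND_STOP : LOG_PACKET;
}

/* "ipfw resetlog <rulenum>": re-arm the budget so logging resumes. */
void rule_resetlog(struct rule *r)
{
    r->log_left = r->max_log;
}

/*
 * Feed npkts packets matching r through the decision and return how many
 * syslog lines they produce.  A budget of N costs at most N+1 lines
 * (N packet lines plus the notice), no matter how large the flood is.
 */
unsigned run_burst(struct rule *r, unsigned npkts)
{
    unsigned lines = 0;

    while (npkts-- > 0) {
        switch (rule_log_packet(r)) {
        case LOG_PACKET:
            lines += 1;
            break;
        case LOG_PACKET_AND_STOP:
            lines += 2;     /* packet line + "ipfw: limit N reached on entry M" */
            break;
        default:
            break;          /* suppressed: the attacker's traffic is now unlogged */
        }
    }
    return lines;
}

int main(void)
{
    struct rule r;

    /* Rule inherits IPFIREWALL_VERBOSE_LIMIT=100: a 10000-packet flood
     * costs 101 lines, then the rule is silent until resetlog. */
    rule_install(&r, 100, -1, 100);
    printf("limit 100, 10000 pkts:  %u lines\n", run_burst(&r, 10000));
    printf("10000 more, no reset:   %u lines\n", run_burst(&r, 10000));
    rule_resetlog(&r);
    printf("10000 more after reset: %u lines\n", run_burst(&r, 10000));

    /* verbose_limit 0 and no logamount: no cap, every packet is logged. */
    rule_install(&r, 200, -1, 0);
    printf("limit 0, 10000 pkts:    %u lines\n", run_burst(&r, 10000));
    return 0;
}
```

The model makes the security trade-off visible: the limit bounds what a
packet flood can write to the logs, but after the budget is spent the
same rule stops recording anything, so a sustained flood also hides
later traffic on that entry until an administrator runs
.Cm resetlog .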
.Pp
The user interface for
.Nm
is implemented by the
.Xr ipfw 8
utility, so please refer to the
.Xr ipfw 8
manpage for a complete description of the
.Nm
capabilities and how to use it.
.Sh SEE ALSO
.Xr setsockopt 2 ,
.Xr divert 4 ,
.Xr ip 4 ,
.Xr ipfw 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8 ,
.Xr pfil 9