xref: /freebsd/share/man/man4/ipfirewall.4 (revision 2008043f386721d58158e37e0d7e50df8095942d)
.\"
.Dd August 19, 2020
.Dt IPFW 4
.Os
.Sh NAME
.Nm ipfw
.Nd IP packet filter and traffic accounting
.Sh SYNOPSIS
To compile
the driver
into the kernel, place the following option in the kernel configuration
file:
.Bd -ragged -offset indent
.Cd "options IPFIREWALL"
.Ed
.Pp
Other related kernel options
which may also be useful are:
.Bd -ragged -offset indent
.Cd "options IPFIREWALL_DEFAULT_TO_ACCEPT"
.Cd "options IPDIVERT"
.Cd "options IPFIREWALL_NAT"
.Cd "options IPFIREWALL_NAT64"
.Cd "options IPFIREWALL_NPTV6"
.Cd "options IPFIREWALL_PMOD"
.Cd "options IPFIREWALL_VERBOSE"
.Cd "options IPFIREWALL_VERBOSE_LIMIT=100"
.Cd "options LIBALIAS"
.Ed
.Pp
To load
the driver
as a module at boot time, add the following line into the
.Xr loader.conf 5
file:
.Bd -literal -offset indent
ipfw_load="YES"
.Ed
.Sh DESCRIPTION
The
.Nm
system facility allows filtering,
redirecting, and other operations on
.Tn IP
packets travelling through
network interfaces.
.Pp
The default behavior of
.Nm
is to block all incoming and outgoing traffic.
This behavior can be modified, to allow all traffic through the
.Nm
firewall by default, by enabling the
.Dv IPFIREWALL_DEFAULT_TO_ACCEPT
kernel option.
This option may be useful when configuring
.Nm
for the first time.
If the default
.Nm
behavior is to allow everything, it is easier to cope with
firewall-tuning mistakes which may accidentally block all traffic.
.Pp
When using
.Xr natd 8
in conjunction with
.Nm
as
.Tn NAT
facility, the kernel option
.Dv IPDIVERT
enables diverting packets to
.Xr natd 8
for translation.
.Pp
When using the in-kernel
.Tn NAT
facility of
.Nm ,
the kernel option
.Dv IPFIREWALL_NAT
enables basic
.Xr libalias 3
functionality in the kernel.
.Pp
When using any of the
.Tn IPv4
to
.Tn IPv6
transition mechanisms in
.Nm ,
the kernel option
.Dv IPFIREWALL_NAT64
enables all of these
.Tn NAT64
methods in the kernel.
.Pp
When using the
.Tn IPv6
network prefix translation facility of
.Nm ,
the kernel option
.Dv IPFIREWALL_NPTV6
enables this functionality in the kernel.
.Pp
When using the packet modification facility of
.Nm ,
the kernel option
.Dv IPFIREWALL_PMOD
enables this functionality in the kernel.
.Pp
To enable logging of packets passing through
.Nm ,
enable the
.Dv IPFIREWALL_VERBOSE
kernel option.
The
.Dv IPFIREWALL_VERBOSE_LIMIT
option will prevent
.Xr syslogd 8
from flooding system logs or causing local Denial of Service.
This option may be set to the number of packets which will be logged on
a per-entry basis before the entry is rate-limited.
.Pp
When using the in-kernel
.Tn NAT
facility of
.Nm ,
the kernel option
.Dv LIBALIAS
enables full
.Xr libalias 3
functionality in the kernel.
Full functionality refers to included support for ftp, nbt,
skinny, irc, pptp and smedia packets, which are missing in the basic
.Xr libalias 3
functionality accomplished with the
.Dv IPFIREWALL_NAT
kernel option.
.Pp
The user interface for
.Nm
is implemented by the
.Xr ipfw 8
utility, so please refer to the
.Xr ipfw 8
man page for a complete description of the
.Nm
capabilities and how to use it.
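An added example, not from this manual page or the FreeBSD project: a POSIX sh lint that reads a kernel configuration file and reports the option combinations discussed above (which default policy is in effect, verbose logging without a limit, basic NAT without LIBALIAS). The sample configuration, the file name and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample kernel configuration fragment (not a real FreeBSD config).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed fragment for the lint below
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_NAT
EOF

# has_option FILE OPTION: true if an uncommented "options OPTION" line is
# present (with or without =value); IPFIREWALL does not match IPFIREWALL_VERBOSE.
has_option() {
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|=|\$)" "$1"
}

# check_ipfw_conf FILE: write advisories to stderr, print the number of
# actionable findings to stdout (0 means nothing to fix).
check_ipfw_conf() {
    conf=$1
    findings=0
    if ! has_option "$conf" IPFIREWALL; then
        echo "note: IPFIREWALL not compiled in; load the module with ipfw_load=\"YES\" in loader.conf" >&2
        echo 0
        return 0
    fi
    if has_option "$conf" IPFIREWALL_DEFAULT_TO_ACCEPT; then
        echo "note: default policy is accept; meant for initial setup, drop it once the ruleset is tested" >&2
    else
        echo "note: default policy is deny; a ruleset mistake can block all traffic, so keep console access" >&2
    fi
    if has_option "$conf" IPFIREWALL_VERBOSE && ! has_option "$conf" IPFIREWALL_VERBOSE_LIMIT; then
        echo "warn: IPFIREWALL_VERBOSE without IPFIREWALL_VERBOSE_LIMIT: unbounded logging can flood syslogd" >&2
        findings=$((findings + 1))
    fi
    if has_option "$conf" IPFIREWALL_NAT && ! has_option "$conf" LIBALIAS; then
        echo "info: IPFIREWALL_NAT is basic libalias only; add LIBALIAS for ftp/nbt/skinny/irc/pptp/smedia" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

check_ipfw_conf "$SAMPLE_CONF"   # prints 2 for the sample above
```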
.Sh SEE ALSO
.Xr setsockopt 2 ,
.Xr divert 4 ,
.Xr ip 4 ,
.Xr ip6 4 ,
.Xr ipfw 8 ,
.Xr libalias 3 ,
.Xr natd 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8 ,
.Xr pfil 9