xref: /freebsd/share/man/man4/ipfirewall.4 (revision 1f474190)
.\"
.\" $FreeBSD$
.\"
.Dd August 19, 2020
.Dt IPFW 4
.Os
.Sh NAME
.Nm ipfw
.Nd IP packet filter and traffic accounting
.Sh SYNOPSIS
To compile
the driver
into the kernel, place the following option in the kernel configuration
file:
.Bd -ragged -offset indent
.Cd "options IPFIREWALL"
.Ed
.Pp
Other related kernel options
which may also be useful are:
.Bd -ragged -offset indent
.Cd "options IPFIREWALL_DEFAULT_TO_ACCEPT"
.Cd "options IPDIVERT"
.Cd "options IPFIREWALL_NAT"
.Cd "options IPFIREWALL_NAT64"
.Cd "options IPFIREWALL_NPTV6"
.Cd "options IPFIREWALL_PMOD"
.Cd "options IPFIREWALL_VERBOSE"
.Cd "options IPFIREWALL_VERBOSE_LIMIT=100"
.Cd "options LIBALIAS"
.Ed
.Pp
To load
the driver
as a module at boot time, add the following line into the
.Xr loader.conf 5
file:
.Bd -literal -offset indent
ipfw_load="YES"
.Ed
.Sh DESCRIPTION
The
.Nm
system facility allows filtering,
redirecting, and other operations on
.Tn IP
packets travelling through
network interfaces.
.Pp
The default behavior of
.Nm
is to block all incoming and outgoing traffic.
This behavior can be modified, to allow all traffic through the
.Nm
firewall by default, by enabling the
.Dv IPFIREWALL_DEFAULT_TO_ACCEPT
kernel option.
This option may be useful when configuring
.Nm
for the first time.
If the default
.Nm
behavior is to allow everything, it is easier to cope with
firewall-tuning mistakes which may accidentally block all traffic.
.Pp
When using
.Xr natd 8
in conjunction with
.Nm
as a
.Tn NAT
facility, the kernel option
.Dv IPDIVERT
enables diverting packets to
.Xr natd 8
for translation.
.Pp
When using the in-kernel
.Tn NAT
facility of
.Nm ,
the kernel option
.Dv IPFIREWALL_NAT
enables basic
.Xr libalias 3
functionality in the kernel.
.Pp
When using any of the
.Tn IPv4
to
.Tn IPv6
transition mechanisms in
.Nm ,
the kernel option
.Dv IPFIREWALL_NAT64
enables all of these
.Tn NAT64
methods in the kernel.
.Pp
When using the
.Tn IPv6
network prefix translation facility of
.Nm ,
the kernel option
.Dv IPFIREWALL_NPTV6
enables this functionality in the kernel.
.Pp
When using the packet modification facility of
.Nm ,
the kernel option
.Dv IPFIREWALL_PMOD
enables this functionality in the kernel.
.Pp
To enable logging of packets passing through
.Nm ,
enable the
.Dv IPFIREWALL_VERBOSE
kernel option.
The
.Dv IPFIREWALL_VERBOSE_LIMIT
option will prevent
.Xr syslogd 8
from flooding system logs or causing a local Denial of Service.
This option may be set to the number of packets that will be logged on
a per-entry basis before the entry is rate-limited.
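.Pp
The following shell script is an added example; it is not part of this
manual page or of the
.Nm
sources.
It inspects a kernel configuration file for the options listed in the
SYNOPSIS and reports whether
.Nm
is compiled in, which default policy results (deny unless
.Dv IPFIREWALL_DEFAULT_TO_ACCEPT
is present) and the configured
.Dv IPFIREWALL_VERBOSE_LIMIT .
The sample configuration it writes is constructed for the example and the
function names are the example's own.

```sh
#!/bin/sh
# Added example, not part of the ipfw(4) manual page or the ipfw sources:
# inspect a kernel configuration file for the IPFIREWALL-related options
# and report the firewall behaviour they produce. The sample configuration
# written below is constructed for this example.

# List the ipfw-related "options" lines of a kernel config, one name per line.
ipfw_options() {
    grep -E '^[[:space:]]*options[[:space:]]+(IPFIREWALL|IPDIVERT|LIBALIAS)' "$1" |
        awk '{ print $2 }' | sort
}

# Exit 0 when "options IPFIREWALL" is present, i.e. ipfw is compiled in.
ipfw_compiled_in() {
    grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL([[:space:]]|$)' "$1"
}

# Print the default policy: "accept" only if IPFIREWALL_DEFAULT_TO_ACCEPT is
# set, otherwise "deny", which is ipfw's built-in default and blocks all
# traffic until a rule set that allows it has been loaded.
ipfw_default_policy() {
    if grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL_DEFAULT_TO_ACCEPT([[:space:]]|$)' "$1"; then
        echo accept
    else
        echo deny
    fi
}

# Print the IPFIREWALL_VERBOSE_LIMIT value, or 0 when the option is absent
# (0 is how the kernel expresses "no per-entry rate limit on log messages").
ipfw_verbose_limit() {
    limit=$(sed -n 's/^[[:space:]]*options[[:space:]][[:space:]]*IPFIREWALL_VERBOSE_LIMIT=\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${limit:-0}"
}

# Constructed sample kernel configuration (not a real FreeBSD config file).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
ident   EXAMPLE
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_NAT
options LIBALIAS
# options IPFIREWALL_DEFAULT_TO_ACCEPT   (left commented out on purpose)
EOF

if ipfw_compiled_in "$SAMPLE_CONF"; then
    echo "ipfw options:   $(ipfw_options "$SAMPLE_CONF" | tr '\n' ' ')"
    echo "default policy: $(ipfw_default_policy "$SAMPLE_CONF")"
    echo "verbose limit:  $(ipfw_verbose_limit "$SAMPLE_CONF")"
else
    echo "ipfw is not compiled into this kernel configuration"
fi
```

Run against a real kernel configuration file in place of the constructed one
to see at a glance whether a new kernel will start in deny-all mode; the
matching is anchored on the
.Dq options
keyword so that commented-out lines are ignored.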
.Pp
When using the in-kernel
.Tn NAT
facility of
.Nm ,
the kernel option
.Dv LIBALIAS
enables full
.Xr libalias 3
functionality in the kernel.
Full functionality refers to included support for ftp, nbt,
skinny, irc, pptp and smedia packets, which are missing in the basic
.Xr libalias 3
functionality accomplished with the
.Dv IPFIREWALL_NAT
kernel option.
.Pp
The user interface for
.Nm
is implemented by the
.Xr ipfw 8
utility, so please refer to the
.Xr ipfw 8
man page for a complete description of the
.Nm
capabilities and how to use it.
.Sh SEE ALSO
.Xr setsockopt 2 ,
.Xr libalias 3 ,
.Xr divert 4 ,
.Xr ip 4 ,
.Xr ip6 4 ,
.Xr ipfw 8 ,
.Xr natd 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8 ,
.Xr pfil 9