.Fx

.Fx

STABLE still uses

STABLE still uses

.Nm ipfw1

.Nm ipfw1

.Nm /sbin/ipfw

.Nm /sbin/ipfw

and

and

.Nm /usr/lib/libalias

.Nm /usr/lib/libalias

are recompiled with

are recompiled with

.Cm -DIPFW2

.Cm -DIPFW2

.Cm IPFW2=TRUE

.Cm IPFW2=TRUE

to

to

.Nm /etc/make.conf

.Nm /etc/make.conf

.Pp

.Pp

See the

See the

.Sx IPFW2 ENHANCEMENTS

.Sx IPFW2 ENHANCEMENTS

.Nm ipfw1 .

.Nm ipfw1 .

.Pp

.Pp

An

An

.Nm

.Nm

numbered from 1 to 65535.

numbered from 1 to 65535.

Packets are passed to

Packets are passed to

.Nm

.Nm

(depending on the source and destination of the packet,

(depending on the source and destination of the packet,

it is possible that

it is possible that

.Nm

.Nm

.Sx STATEFUL FIREWALL

.Sx STATEFUL FIREWALL

and

and

.Sx EXAMPLES

.Sx EXAMPLES

.Nm .

.Nm .

.Pp

.Pp

All rules (including dynamic ones) have a few associated counters:

All rules (including dynamic ones) have a few associated counters:

.Nm

.Nm

commands to atomically manipulate sets, such as enable,

commands to atomically manipulate sets, such as enable,

disable, swap sets, move all rules in a set to another

disable, swap sets, move all rules in a set to another

install temporary configurations, or to test them.

install temporary configurations, or to test them.

.Sx SETS OF RULES

.Sx SETS OF RULES

for more information on

for more information on

.Em sets .

.Em sets .

.Ql sh\ /etc/rc.firewall ) ,

.Ql sh\ /etc/rc.firewall ) ,

or by processing a file of many

or by processing a file of many

.Nm

.Nm

across a remote login session.

across a remote login session.

If a

If a

.Cm flush

.Cm flush

configuration), it prints a message.

configuration), it prints a message.

Because all rules are flushed, the message might not be delivered

Because all rules are flushed, the message might not be delivered

to the login session, causing the remote login session to be closed

to the login session, causing the remote login session to be closed

Access to the console would then be required to recover.

Access to the console would then be required to recover.

.It Fl S

.It Fl S

While listing rules, show the

While listing rules, show the

listed.

listed.

.It Fl s Op Ar field

.It Fl s Op Ar field

While listing pipes, sort according to one of the four

While listing pipes, sort according to one of the four

.It Fl t

.It Fl t

While listing, show last match timestamp.

While listing, show last match timestamp.

.El

.El

.Cm queue

.Cm queue

commands are used to configure the traffic shaper, as shown in the

commands are used to configure the traffic shaper, as shown in the

.Sx TRAFFIC SHAPER CONFIGURATION

.Sx TRAFFIC SHAPER CONFIGURATION

.Sh PACKET FLOW

.Sh PACKET FLOW

.Nm

.Nm

can be invoked from multiple places in the protocol stack,

can be invoked from multiple places in the protocol stack,

.Nm

.Nm

is invoked, or the source of the packet.

is invoked, or the source of the packet.

If a rule contains some match patterns or actions which are not valid

If a rule contains some match patterns or actions which are not valid

to match a MAC header when

to match a MAC header when

.Nm

.Nm

is called from

is called from

operator in front of such patterns will cause the pattern to

operator in front of such patterns will cause the pattern to

.Em always

.Em always

match on those packets, which might cause undesired results.

match on those packets, which might cause undesired results.

the programmer, if necessary, to write a suitable ruleset to

the programmer, if necessary, to write a suitable ruleset to

differentiate among the possible places.

differentiate among the possible places.

.Cm skipto

.Cm skipto

TCP, UDP, ICMP, etc.

TCP, UDP, ICMP, etc.

.It Source and dest. addresses and ports

.It Source and dest. addresses and ports

.It Direction

.It Direction

.Sx PACKET FLOW

.Sx PACKET FLOW

.It Transmit and receive interface

.It Transmit and receive interface

By name or address

By name or address

.It ICMP types

.It ICMP types

for ICMP packets

for ICMP packets

.It User/group ID

.It User/group ID

.El

.El

.Pp

.Pp

Note that some of the above information, e.g. source MAC or IP addresses and

Note that some of the above information, e.g. source MAC or IP addresses and

.Ar net.inet.ip.fw.autoinc_step

.Ar net.inet.ip.fw.autoinc_step

which defaults to 100.

which defaults to 100.

If this is not possible (e.g. because we would go beyond the

If this is not possible (e.g. because we would go beyond the

non-default value is used instead.

non-default value is used instead.

.It Cm set Ar set_number

.It Cm set Ar set_number

.Ar set_number

.Ar set_number

in the range 0..31, with the latter reserved for the

in the range 0..31, with the latter reserved for the

.Em default

.Em default

(which is the default when the kernel is compiled with

(which is the default when the kernel is compiled with

.Dv IPFIREWALL_VERBOSE

.Dv IPFIREWALL_VERBOSE

) and the number of packets logged so far for that

) and the number of packets logged so far for that

.Cm logamount

.Cm logamount

parameter.

parameter.

If no

If no

.Pp

.Pp

Once the limit is reached, logging can be re-enabled by

Once the limit is reached, logging can be re-enabled by

clearing the logging counter

clearing the logging counter

.Cm resetlog

.Cm resetlog

command.

command.

.Pp

.Pp

.It Cm fwd | forward Ar ipaddr Ns Op , Ns Ar port

.It Cm fwd | forward Ar ipaddr Ns Op , Ns Ar port

Change the next-hop on matching packets to

Change the next-hop on matching packets to

.Ar ipaddr ,

.Ar ipaddr ,

The search terminates if this rule matches.

The search terminates if this rule matches.

.Pp

.Pp

If

If

(for bandwidth limitation, delay, etc.).

(for bandwidth limitation, delay, etc.).

See the

See the

.Sx TRAFFIC SHAPER CONFIGURATION

.Sx TRAFFIC SHAPER CONFIGURATION

The search terminates; however, on exit from the pipe and if

The search terminates; however, on exit from the pipe and if

the

the

.Xr sysctl 8

.Xr sysctl 8

socket bound to port

socket bound to port

.Ar port .

.Ar port .

The search terminates and the original packet is accepted

The search terminates and the original packet is accepted

.Sx BUGS

.Sx BUGS

below).

below).

.It Cm unreach Ar code

.It Cm unreach Ar code

can be used to escape the dash

can be used to escape the dash

.Pq Ql -

.Pq Ql -

character in a service name (from a shell, the backslash must be

character in a service name (from a shell, the backslash must be

character).

character).

.Pp

.Pp

.Dl "ipfw add count tcp from any ftp\e\e-data-ftp to any"

.Dl "ipfw add count tcp from any ftp\e\e-data-ftp to any"

.Ar ver .

.Ar ver .

.It Cm keep-state

.It Cm keep-state

Upon a match, the firewall will create a dynamic rule, whose

Upon a match, the firewall will create a dynamic rule, whose

source and destination IP/port using the same protocol.

source and destination IP/port using the same protocol.

The rule has a limited lifetime (controlled by a set of

The rule has a limited lifetime (controlled by a set of

.Xr sysctl 8

.Xr sysctl 8

(i.e. one or more comma-separated single values or ranges).

(i.e. one or more comma-separated single values or ranges).

You can use symbolic names for known values such as

You can use symbolic names for known values such as

.Em vlan , ipv4, ipv6 .

.Em vlan , ipv4, ipv6 .

and they are always printed as hexadecimal (unless the

and they are always printed as hexadecimal (unless the

.Cm -N

.Cm -N

option is used, in which case symbolic resolution will be attempted).

option is used, in which case symbolic resolution will be attempted).

.It Cm proto Ar protocol

.It Cm proto Ar protocol

Matches packets with the corresponding IPv4 protocol.

Matches packets with the corresponding IPv4 protocol.

.It Cm recv | xmit | via Brq Ar ifX | Ar if Ns Cm * | Ar ipno | Ar any

.It Cm recv | xmit | via Brq Ar ifX | Ar if Ns Cm * | Ar ipno | Ar any

respectively, the interface specified by exact name

respectively, the interface specified by exact name

.Ns No ( Ar ifX Ns No ),

.Ns No ( Ar ifX Ns No ),

by device name

by device name

Command execution is atomic on all the sets specified in the command.

Command execution is atomic on all the sets specified in the command.

By default, all sets are enabled.

By default, all sets are enabled.

.Pp

.Pp

in the firewall configuration, with only one exception:

in the firewall configuration, with only one exception:

.Bl -bullet

.Bl -bullet

.It

.It

.Pp

.Pp

See the

See the

.Sx EXAMPLES

.Sx EXAMPLES

.Sh STATEFUL FIREWALL

.Sh STATEFUL FIREWALL

Stateful operation is a way for the firewall to dynamically

Stateful operation is a way for the firewall to dynamically

create rules for specific flows when packets that

create rules for specific flows when packets that

of the flow and the setting of some

of the flow and the setting of some

.Cm sysctl

.Cm sysctl

variables.

variables.

.Sx SYSCTL VARIABLES

.Sx SYSCTL VARIABLES

for more details.

for more details.

For TCP sessions, dynamic rules can be instructed to periodically

For TCP sessions, dynamic rules can be instructed to periodically

send keepalive packets to refresh the state of the rule when it is

send keepalive packets to refresh the state of the rule when it is

about to expire.

about to expire.

.Pp

.Pp

.Sx EXAMPLES

.Sx EXAMPLES

for more examples on how to use dynamic rules.

for more examples on how to use dynamic rules.

.Sh TRAFFIC SHAPER CONFIGURATION

.Sh TRAFFIC SHAPER CONFIGURATION

.Sm on

.Sm on

.Pp

.Pp

A value of 0 (default) means unlimited bandwidth.

A value of 0 (default) means unlimited bandwidth.

.Pp

.Pp

.Dl "ipfw pipe 1 config bw 300Kbit/s"

.Dl "ipfw pipe 1 config bw 300Kbit/s"

.Pp

.Pp

Default is no.

Default is no.

.El

.El

.Sh IPFW2 ENHANCEMENTS

.Sh IPFW2 ENHANCEMENTS

.Nm ipfw2

.Nm ipfw2

.Nm ipfw1 .

.Nm ipfw1 .

We list them in order of the potential impact that they can

We list them in order of the potential impact that they can

You might want to consider using these features in order to

You might want to consider using these features in order to

write your rulesets in a more efficient way.

write your rulesets in a more efficient way.

.Bl -tag -width indent

.Bl -tag -width indent

.Pp

.Pp

The

The

.Cm layer2

.Cm layer2

passed to the firewall from layer3 will not have a MAC header,

passed to the firewall from layer3 will not have a MAC header,

so the

so the

.Cm mac-type ip

.Cm mac-type ip

does not implement sets of rules.

does not implement sets of rules.

.It MAC header filtering and Layer-2 firewalling.

.It MAC header filtering and Layer-2 firewalling.

.Nm ipfw1

.Nm ipfw1

invoked on packets from

invoked on packets from

.Cm ether_demux()

.Cm ether_demux()

and

and

.Sh EXAMPLES

.Sh EXAMPLES

There are far too many possible uses of

There are far too many possible uses of

.Nm

.Nm

.Pp

.Pp

.Ss BASIC PACKET FILTERING

.Ss BASIC PACKET FILTERING

This command adds an entry which denies all tcp packets from

This command adds an entry which denies all tcp packets from

.Pp

.Pp

.Dl "ipfw add deny tcp from cracker.evil.org to wolf.tambov.su telnet"

.Dl "ipfw add deny tcp from cracker.evil.org to wolf.tambov.su telnet"

.Pp

.Pp

network to my host:

network to my host:

.Pp

.Pp

.Dl "ipfw add deny ip from 123.45.67.0/24 to my.host.org"

.Dl "ipfw add deny ip from 123.45.67.0/24 to my.host.org"

rule.

rule.

A

A

.Cm check-state

.Cm check-state

ruleset to minimize the amount of work scanning the ruleset.

ruleset to minimize the amount of work scanning the ruleset.

Your mileage may vary.

Your mileage may vary.

.Pp

.Pp

.Nm

.Nm

rules are checked both on incoming and outgoing packets.

rules are checked both on incoming and outgoing packets.

.Pp

.Pp

limitations, the correct way is the following:

limitations, the correct way is the following:

.Pp

.Pp

.Dl "ipfw add pipe 1 ip from any to any out"

.Dl "ipfw add pipe 1 ip from any to any out"

.Dl "ipfw pipe 2 config bw 64Kbit/s queue 10Kbytes"

.Dl "ipfw pipe 2 config bw 64Kbit/s queue 10Kbytes"

.Pp

.Pp

The above can be very useful, e.g. if you want to see how

The above can be very useful, e.g. if you want to see how

is connected only through a slow link.

is connected only through a slow link.

You should not use only one pipe for both directions, unless

You should not use only one pipe for both directions, unless

you want to simulate a half-duplex medium (e.g. AppleTalk,

you want to simulate a half-duplex medium (e.g. AppleTalk,

It is not necessary that both pipes have the same configuration,

It is not necessary that both pipes have the same configuration,

so we can also simulate asymmetric links.

so we can also simulate asymmetric links.

.Pp

.Pp

management algorithm:

management algorithm:

.Pp

.Pp

.Dl "ipfw add pipe 1 ip from any to any"

.Dl "ipfw add pipe 1 ip from any to any"

.Pp

.Pp

Another typical application of the traffic shaper is to

Another typical application of the traffic shaper is to

introduce some delay in the communication.

introduce some delay in the communication.

Procedure Calls, and where the round-trip-time of the

Procedure Calls, and where the round-trip-time of the

connection often becomes a limiting factor much more than

connection often becomes a limiting factor much more than

bandwidth:

bandwidth:

.Sh BUGS

.Sh BUGS

The syntax has grown over the years and sometimes it might be confusing.

The syntax has grown over the years and sometimes it might be confusing.

Unfortunately, backward compatibility prevents cleaning up mistakes

Unfortunately, backward compatibility prevents cleaning up mistakes

.Pp

.Pp

.Em !!! WARNING !!!

.Em !!! WARNING !!!

.Pp

.Pp

Misconfiguring the firewall can put your computer in an unusable state,

Misconfiguring the firewall can put your computer in an unusable state,

possibly shutting down network services and requiring console access to

possibly shutting down network services and requiring console access to

.Pp

.Pp

Incoming packet fragments diverted by

Incoming packet fragments diverted by

.Cm divert

.Cm divert