sbin/ipfw/ipfw.8
(270 lines not shown)
and | and | ||||
.Cm list | .Cm list | ||||
commands. | commands. | ||||
Finally, counters can be reset with the | Finally, counters can be reset with the | ||||
.Cm zero | .Cm zero | ||||
and | and | ||||
.Cm resetlog | .Cm resetlog | ||||
commands. | commands. | ||||
.Pp | |||||
.Ss COMMAND OPTIONS | .Ss COMMAND OPTIONS | ||||
The following general options are available when invoking | The following general options are available when invoking | ||||
.Nm : | .Nm : | ||||
.Bl -tag -width indent | .Bl -tag -width indent | ||||
.It Fl a | .It Fl a | ||||
Show counter values when listing rules. | Show counter values when listing rules. | ||||
The | The | ||||
.Cm show | .Cm show | ||||
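Review bot: the removal of the .Pp that preceded '.Ss COMMAND OPTIONS' is correct; mdoc section and subsection macros already start a new paragraph, and mandoc -T lint reports the redundant macro as 'skipping paragraph macro: Pp before Ss'. No further change is needed in this hunk.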
(634 lines not shown)
.Ar number . | .Ar number . | ||||
The search continues with the first rule numbered | The search continues with the first rule numbered | ||||
.Ar number | .Ar number | ||||
or higher. | or higher. | ||||
It is possible to use the | It is possible to use the | ||||
.Cm tablearg | .Cm tablearg | ||||
keyword with a skipto for a | keyword with a skipto for a | ||||
.Em computed | .Em computed | ||||
skipto. Skipto may work either in O(log(N)) or in O(1) depending | skipto. | ||||
Skipto may work either in O(log(N)) or in O(1) depending | |||||
on amount of memory and/or sysctl variables. | on amount of memory and/or sysctl variables. | ||||
See the | See the | ||||
.Sx SYSCTL VARIABLES | .Sx SYSCTL VARIABLES | ||||
section for more details. | section for more details. | ||||
.It Cm call Ar number | tablearg | .It Cm call Ar number | tablearg | ||||
The current rule number is saved in the internal stack and | The current rule number is saved in the internal stack and | ||||
ruleset processing continues with the first rule numbered | ruleset processing continues with the first rule numbered | ||||
.Ar number | .Ar number | ||||
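Review bot: the split of 'skipto. Skipto may work either in O(log(N)) or in O(1) depending' into two lines follows the mdoc new-sentence-new-line convention and is fine; while this paragraph is being touched, 'depending on amount of memory and/or sysctl variables' reads better as 'depending on the amount of memory and/or sysctl variables'.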
(358 lines not shown)
.Ar number . | .Ar number . | ||||
If an optional 32-bit unsigned | If an optional 32-bit unsigned | ||||
.Ar value | .Ar value | ||||
is also specified, an entry will match only if it has this value. | is also specified, an entry will match only if it has this value. | ||||
See the | See the | ||||
.Sx LOOKUP TABLES | .Sx LOOKUP TABLES | ||||
section below for more information on lookup tables. | section below for more information on lookup tables. | ||||
.El | .El | ||||
.It Ar addr-list : ip-addr Ns Op Ns , Ns Ar addr-list | .It Ar addr-list : ip-addr Ns Op Ns \&, Ns Ar addr-list | ||||
.It Ar ip-addr : | .It Ar ip-addr : | ||||
A host or subnet address specified in one of the following ways: | A host or subnet address specified in one of the following ways: | ||||
.Bl -tag -width indent | .Bl -tag -width indent | ||||
.It Ar numeric-ip | hostname | .It Ar numeric-ip | hostname | ||||
Matches a single IPv4 address, specified as dotted-quad or a hostname. | Matches a single IPv4 address, specified as dotted-quad or a hostname. | ||||
Hostnames are resolved at the time the rule is added to the firewall list. | Hostnames are resolved at the time the rule is added to the firewall list. | ||||
.It Ar addr Ns / Ns Ar masklen | .It Ar addr Ns / Ns Ar masklen | ||||
Matches all addresses with base | Matches all addresses with base | ||||
.Ar addr | .Ar addr | ||||
(specified as an IP address, a network number, or a hostname) | (specified as an IP address, a network number, or a hostname) | ||||
and mask width of | and mask width of | ||||
.Cm masklen | .Cm masklen | ||||
bits. | bits. | ||||
As an example, 1.2.3.4/25 or 1.2.3.0/25 will match | As an example, 1.2.3.4/25 or 1.2.3.0/25 will match | ||||
all IP numbers from 1.2.3.0 to 1.2.3.127 . | all IP numbers from 1.2.3.0 to 1.2.3.127 . | ||||
.It Ar addr Ns : Ns Ar mask | .It Ar addr Ns \&: Ns Ar mask | ||||
Matches all addresses with base | Matches all addresses with base | ||||
.Ar addr | .Ar addr | ||||
(specified as an IP address, a network number, or a hostname) | (specified as an IP address, a network number, or a hostname) | ||||
and the mask of | and the mask of | ||||
.Ar mask , | .Ar mask , | ||||
specified as a dotted quad. | specified as a dotted quad. | ||||
As an example, 1.2.3.4:255.0.255.0 or 1.0.3.0:255.0.255.0 will match | As an example, 1.2.3.4:255.0.255.0 or 1.0.3.0:255.0.255.0 will match | ||||
1.*.3.*. | 1.*.3.*. | ||||
This form is advised only for non-contiguous | This form is advised only for non-contiguous | ||||
masks. | masks. | ||||
It is better to resort to the | It is better to resort to the | ||||
.Ar addr Ns / Ns Ar masklen | .Ar addr Ns / Ns Ar masklen | ||||
format for contiguous masks, which is more compact and less | format for contiguous masks, which is more compact and less | ||||
error-prone. | error-prone. | ||||
.El | .El | ||||
.It Ar addr-set : addr Ns Oo Ns / Ns Ar masklen Oc Ns Cm { Ns Ar list Ns Cm } | .It Ar addr-set : addr Ns Oo Ns / Ns Ar masklen Oc Ns Cm { Ns Ar list Ns Cm } | ||||
.It Ar list : Bro Ar num | num-num Brc Ns Op Ns , Ns Ar list | .It Ar list : Bro Ar num | num-num Brc Ns Op Ns \&, Ns Ar list | ||||
Matches all addresses with base address | Matches all addresses with base address | ||||
.Ar addr | .Ar addr | ||||
(specified as an IP address, a network number, or a hostname) | (specified as an IP address, a network number, or a hostname) | ||||
and whose last byte is in the list between braces { } . | and whose last byte is in the list between braces { } . | ||||
Note that there must be no spaces between braces and | Note that there must be no spaces between braces and | ||||
numbers (spaces after commas are allowed). | numbers (spaces after commas are allowed). | ||||
Elements of the list can be specified as single entries | Elements of the list can be specified as single entries | ||||
or ranges. | or ranges. | ||||
(10 lines not shown)
bitmask, it takes constant time and dramatically reduces | bitmask, it takes constant time and dramatically reduces | ||||
the complexity of rulesets. | the complexity of rulesets. | ||||
.br | .br | ||||
As an example, an address specified as 1.2.3.4/24{128,35-55,89} | As an example, an address specified as 1.2.3.4/24{128,35-55,89} | ||||
or 1.2.3.0/24{128,35-55,89} | or 1.2.3.0/24{128,35-55,89} | ||||
will match the following IP addresses: | will match the following IP addresses: | ||||
.br | .br | ||||
1.2.3.128, 1.2.3.35 to 1.2.3.55, 1.2.3.89 . | 1.2.3.128, 1.2.3.35 to 1.2.3.55, 1.2.3.89 . | ||||
.It Ar addr6-list : ip6-addr Ns Op Ns , Ns Ar addr6-list | .It Ar addr6-list : ip6-addr Ns Op Ns \&, Ns Ar addr6-list | ||||
.It Ar ip6-addr : | .It Ar ip6-addr : | ||||
A host or subnet specified one of the following ways: | A host or subnet specified one of the following ways: | ||||
.Bl -tag -width indent | .Bl -tag -width indent | ||||
.It Ar numeric-ip | hostname | .It Ar numeric-ip | hostname | ||||
Matches a single IPv6 address as allowed by | Matches a single IPv6 address as allowed by | ||||
.Xr inet_pton 3 | .Xr inet_pton 3 | ||||
or a hostname. | or a hostname. | ||||
Hostnames are resolved at the time the rule is added to the firewall | Hostnames are resolved at the time the rule is added to the firewall | ||||
list. | list. | ||||
.It Ar addr Ns / Ns Ar masklen | .It Ar addr Ns / Ns Ar masklen | ||||
Matches all IPv6 addresses with base | Matches all IPv6 addresses with base | ||||
.Ar addr | .Ar addr | ||||
(specified as allowed by | (specified as allowed by | ||||
.Xr inet_pton | .Xr inet_pton 3 | ||||
or a hostname) | or a hostname) | ||||
and mask width of | and mask width of | ||||
.Cm masklen | .Cm masklen | ||||
bits. | bits. | ||||
.It Ar addr Ns / Ns Ar mask | .It Ar addr Ns / Ns Ar mask | ||||
Matches all IPv6 addresses with base | Matches all IPv6 addresses with base | ||||
.Ar addr | .Ar addr | ||||
(specified as allowed by | (specified as allowed by | ||||
.Xr inet_pton | .Xr inet_pton 3 | ||||
or a hostname) | or a hostname) | ||||
and the mask of | and the mask of | ||||
.Ar mask , | .Ar mask , | ||||
specified as allowed by | specified as allowed by | ||||
.Xr inet_pton. | .Xr inet_pton 3 . | ||||
As an example, fe::640:0:0/ffff::ffff:ffff:0:0 will match | As an example, fe::640:0:0/ffff::ffff:ffff:0:0 will match | ||||
fe:*:*:*:0:640:*:*. | fe:*:*:*:0:640:*:*. | ||||
This form is advised only for non-contiguous | This form is advised only for non-contiguous | ||||
masks. | masks. | ||||
It is better to resort to the | It is better to resort to the | ||||
.Ar addr Ns / Ns Ar masklen | .Ar addr Ns / Ns Ar masklen | ||||
format for contiguous masks, which is more compact and less | format for contiguous masks, which is more compact and less | ||||
error-prone. | error-prone. | ||||
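Review bot: the \& escapes on the addr-list, addr:mask, list and addr6-list .It lines are the right fix, because a bare ',' or ':' given as its own macro argument is parsed by mdoc as a closing delimiter rather than as the literal character the syntax diagram needs; the three .Xr inet_pton edits bring those references in line with the '.Xr inet_pton 3' already used for the single-address form, and the last one ('.Xr inet_pton 3 .') correctly detaches the sentence period so it is no longer rendered as part of the function name. Unchanged in this hunk but worth a follow-up: '1.2.3.127 .' and '1.2.3.89 .' are free-text lines, so the space before the period is rendered as written.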
(290 lines not shown)
source and destination IP/port using the same protocol. | source and destination IP/port using the same protocol. | ||||
The rule has a limited lifetime (controlled by a set of | The rule has a limited lifetime (controlled by a set of | ||||
.Xr sysctl 8 | .Xr sysctl 8 | ||||
variables), and the lifetime is refreshed every time a matching | variables), and the lifetime is refreshed every time a matching | ||||
packet is found. | packet is found. | ||||
The | The | ||||
.Ar :flowname | .Ar :flowname | ||||
is used to assign additional to addresses, ports and protocol parameter | is used to assign additional to addresses, ports and protocol parameter | ||||
to dynamic rule. It can be used for more accurate matching by | to dynamic rule. | ||||
It can be used for more accurate matching by | |||||
.Cm check-state | .Cm check-state | ||||
rule. | rule. | ||||
The | The | ||||
.Cm :default | .Cm :default | ||||
keyword is special name used for compatibility with old rulesets. | keyword is special name used for compatibility with old rulesets. | ||||
.It Cm layer2 | .It Cm layer2 | ||||
Matches only layer2 packets, i.e., those passed to | Matches only layer2 packets, i.e., those passed to | ||||
.Nm | .Nm | ||||
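Review bot: the sentence split at 'to dynamic rule.' / 'It can be used for more accurate matching by' is consistent with the rest of the change, but the sentence it splits is ungrammatical as written ('is used to assign additional to addresses, ports and protocol parameter to dynamic rule') and this would be a good place to reword it; my reading of the intent is 'is used to attach an additional name, beyond addresses, ports and protocol, to the dynamic rule', which should be confirmed with the author before committing.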
(375 lines not shown)
would result in limits hit. | would result in limits hit. | ||||
Operation is performed atomically. | Operation is performed atomically. | ||||
.Pp | .Pp | ||||
One or more entries can be added to a table at once using | One or more entries can be added to a table at once using | ||||
.Cm add | .Cm add | ||||
command. | command. | ||||
Addition of all items are performed atomically. | Addition of all items are performed atomically. | ||||
By default, error in addition of one entry does not influence | By default, error in addition of one entry does not influence | ||||
addition of other entries. However, non-zero error code is returned | addition of other entries. | ||||
in that case. | However, non-zero error code is returned in that case. | ||||
Special | Special | ||||
.Cm atomic | .Cm atomic | ||||
keyword may be specified before | keyword may be specified before | ||||
.Cm add | .Cm add | ||||
to indicate all-or-none add request. | to indicate all-or-none add request. | ||||
.Pp | .Pp | ||||
One or more entries can be removed from a table at once using | One or more entries can be removed from a table at once using | ||||
.Cm delete | .Cm delete | ||||
command. | command. | ||||
By default, error in removal of one entry does not influence | By default, error in removal of one entry does not influence | ||||
removing of other entries. However, non-zero error code is returned | removing of other entries. | ||||
in that case. | However, non-zero error code is returned in that case. | ||||
.Pp | .Pp | ||||
It may be possible to check what entry will be found on particular | It may be possible to check what entry will be found on particular | ||||
.Ar table-key | .Ar table-key | ||||
using | using | ||||
.Cm lookup | .Cm lookup | ||||
.Ar table-key | .Ar table-key | ||||
command. | command. | ||||
This functionality is optional and may be unsupported in some algorithms. | This functionality is optional and may be unsupported in some algorithms. | ||||
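Review bot: the two splits at 'However, non-zero error code is returned in that case.' are fine, but the paragraph they sit in is internally inconsistent and deserves a wording fix in the same change: 'Addition of all items are performed atomically.' (where 'are' should also be 'is') is immediately followed by 'By default, error in addition of one entry does not influence addition of other entries' and by the description of the separate .Cm atomic keyword for all-or-none behaviour. If the first sentence means the batch is applied as one operation with respect to concurrent readers, say so explicitly so it is not read as all-or-none semantics.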
(366 lines not shown)
The default mode is | The default mode is | ||||
.Dq normal . | .Dq normal . | ||||
The | The | ||||
.Dq fast | .Dq fast | ||||
mode can be enabled by setting the | mode can be enabled by setting the | ||||
.Va net.inet.ip.dummynet.io_fast | .Va net.inet.ip.dummynet.io_fast | ||||
.Xr sysctl 8 | .Xr sysctl 8 | ||||
variable to a non-zero value. | variable to a non-zero value. | ||||
.Pp | |||||
.Ss PIPE, QUEUE AND SCHEDULER CONFIGURATION | .Ss PIPE, QUEUE AND SCHEDULER CONFIGURATION | ||||
The | The | ||||
.Em pipe , | .Em pipe , | ||||
.Em queue | .Em queue | ||||
and | and | ||||
.Em scheduler | .Em scheduler | ||||
configuration commands are the following: | configuration commands are the following: | ||||
.Bd -ragged -offset indent | .Bd -ragged -offset indent | ||||
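Review bot: dropping the .Pp ahead of '.Ss PIPE, QUEUE AND SCHEDULER CONFIGURATION' matches the earlier fix before COMMAND OPTIONS and is correct for the same reason; nothing else in this hunk needs attention.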
(295 lines not shown)
are floating | are floating | ||||
point numbers between 0 and 1 (inclusive), while | point numbers between 0 and 1 (inclusive), while | ||||
.Ar min_th | .Ar min_th | ||||
and | and | ||||
.Ar max_th | .Ar max_th | ||||
are integer numbers specifying thresholds for queue management | are integer numbers specifying thresholds for queue management | ||||
(thresholds are computed in bytes if the queue has been defined | (thresholds are computed in bytes if the queue has been defined | ||||
in bytes, in slots otherwise). | in bytes, in slots otherwise). | ||||
The two parameters can also be of the same value if needed. The | The two parameters can also be of the same value if needed. | ||||
The | |||||
.Nm dummynet | .Nm dummynet | ||||
also supports the gentle RED variant (gred) and ECN (Explicit Congestion | also supports the gentle RED variant (gred) and ECN (Explicit Congestion | ||||
Notification) as optional. Three | Notification) as optional. | ||||
Three | |||||
.Xr sysctl 8 | .Xr sysctl 8 | ||||
variables can be used to control the RED behaviour: | variables can be used to control the RED behaviour: | ||||
.Bl -tag -width indent | .Bl -tag -width indent | ||||
.It Va net.inet.ip.dummynet.red_lookup_depth | .It Va net.inet.ip.dummynet.red_lookup_depth | ||||
specifies the accuracy in computing the average queue | specifies the accuracy in computing the average queue | ||||
when the link is idle (defaults to 256, must be greater than zero) | when the link is idle (defaults to 256, must be greater than zero) | ||||
.It Va net.inet.ip.dummynet.red_avg_pkt_size | .It Va net.inet.ip.dummynet.red_avg_pkt_size | ||||
specifies the expected average packet size (defaults to 512, must be | specifies the expected average packet size (defaults to 512, must be | ||||
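Review bot: the splits after 'if needed.' and 'as optional.' are fine; the adjacent '.Nm dummynet' is untouched but worth noting, since .Nm with an argument other than the page's own name ('ipfw') prints that argument as a name rather than cross-referencing it, and '.Xr dummynet 4' would be the conventional form here.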
(338 lines not shown)
.Bd -ragged -offset indent | .Bd -ragged -offset indent | ||||
.Bk -words | .Bk -words | ||||
.Cm nat64lsn | .Cm nat64lsn | ||||
.Ar name | .Ar name | ||||
.Cm show Cm states | .Cm show Cm states | ||||
.Ek | .Ek | ||||
.Ed | .Ed | ||||
.Pp | .Pp | ||||
.Pp | |||||
Stateless NAT64 translator doesn't use a states table for translation | Stateless NAT64 translator doesn't use a states table for translation | ||||
and converts IPv4 addresses to IPv6 and vice versa solely based on the | and converts IPv4 addresses to IPv6 and vice versa solely based on the | ||||
mappings taken from configured lookup tables. | mappings taken from configured lookup tables. | ||||
Since a states table doesn't used by stateless translator, | Since a states table doesn't used by stateless translator, | ||||
it can be configured to pass IPv4 clients to IPv6-only servers. | it can be configured to pass IPv4 clients to IPv6-only servers. | ||||
.Pp | .Pp | ||||
The stateless NAT64 configuration command is the following: | The stateless NAT64 configuration command is the following: | ||||
.Bd -ragged -offset indent | .Bd -ragged -offset indent | ||||
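Review bot: removing the second of the two consecutive .Pp macros after '.Ed' is correct (mandoc lint flags the duplicate as a skipped paragraph macro); the untouched sentence two lines below, 'Since a states table doesn't used by stateless translator,', is ungrammatical and could be fixed in the same pass as 'Since a states table is not used by the stateless translator,'.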
(51 lines not shown)
.Bl -tag -width indent | .Bl -tag -width indent | ||||
.It Cm int_prefix Ar ipv6_prefix | .It Cm int_prefix Ar ipv6_prefix | ||||
IPv6 prefix used in internal network. | IPv6 prefix used in internal network. | ||||
NPTv6 module translates source address when it matches this prefix. | NPTv6 module translates source address when it matches this prefix. | ||||
.It Cm ext_prefix Ar ipv6_prefix | .It Cm ext_prefix Ar ipv6_prefix | ||||
IPv6 prefix used in external network. | IPv6 prefix used in external network. | ||||
NPTv6 module translates destination address when it matches this prefix. | NPTv6 module translates destination address when it matches this prefix. | ||||
.It Cm prefixlen Ar length | .It Cm prefixlen Ar length | ||||
The length of specified IPv6 prefixes. It must be in range from 8 to 64. | The length of specified IPv6 prefixes. | ||||
It must be in range from 8 to 64. | |||||
.El | .El | ||||
.Pp | .Pp | ||||
Note that the prefix translation rules are silently ignored when IPv6 packet | Note that the prefix translation rules are silently ignored when IPv6 packet | ||||
forwarding is disabled. | forwarding is disabled. | ||||
To enable the packet forwarding, set the sysctl variable | To enable the packet forwarding, set the sysctl variable | ||||
.Va net.inet6.ip6.forwarding | .Va net.inet6.ip6.forwarding | ||||
to 1. | to 1. | ||||
.Pp | .Pp | ||||
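Review bot: the split 'The length of specified IPv6 prefixes.' / 'It must be in range from 8 to 64.' is fine; if the line is being edited anyway, 'It must be in the range 8 to 64.' reads more naturally, and the description could state whether the same length applies to both int_prefix and ext_prefix (the plural 'prefixes' suggests it does, but saying so avoids ambiguity).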
(318 lines not shown)
with their in-kernel status. | with their in-kernel status. | ||||
.It Cm talist | .It Cm talist | ||||
List all table lookup algorithms currently available. | List all table lookup algorithms currently available. | ||||
.El | .El | ||||
.Sh EXAMPLES | .Sh EXAMPLES | ||||
There are far too many possible uses of | There are far too many possible uses of | ||||
.Nm | .Nm | ||||
so this Section will only give a small set of examples. | so this Section will only give a small set of examples. | ||||
.Pp | |||||
.Ss BASIC PACKET FILTERING | .Ss BASIC PACKET FILTERING | ||||
This command adds an entry which denies all tcp packets from | This command adds an entry which denies all tcp packets from | ||||
.Em cracker.evil.org | .Em cracker.evil.org | ||||
to the telnet port of | to the telnet port of | ||||
.Em wolf.tambov.su | .Em wolf.tambov.su | ||||
from being forwarded by the host: | from being forwarded by the host: | ||||
.Pp | .Pp | ||||
.Dl "ipfw add deny tcp from cracker.evil.org to wolf.tambov.su telnet" | .Dl "ipfw add deny tcp from cracker.evil.org to wolf.tambov.su telnet" | ||||
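Review bot: removing the .Pp before '.Ss BASIC PACKET FILTERING' is correct and consistent with the other subsection headers in this change; the capitalised 'this Section' in 'so this Section will only give a small set of examples' is a leftover that could be lowercased in the same commit.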
(506 lines not shown)