Changeset View
Changeset View
Standalone View
Standalone View
share/man/man4/ipfirewall.4
| .\" | .\" | ||||
| .\" $FreeBSD$ | .\" $FreeBSD$ | ||||
| .\" | .\" | ||||
| .Dd May 21, 2020 | .Dd May 21, 2020 | ||||
| .Dt IPFW 4 | .Dt IPFW 4 | ||||
| .Os | .Os | ||||
| .Sh NAME | .Sh NAME | ||||
| .Nm ipfw | .Nm ipfw | ||||
| .Nd IP packet filter and traffic accounting | .Nd IP packet filter and traffic accounting | ||||
| .Sh SYNOPSIS | .Sh SYNOPSIS | ||||
| To compile | To compile the driver into the kernel, | ||||
| the driver | place the following option in the kernel configuration file: | ||||
| into the kernel, place the following option in the kernel configuration | |||||
| file: | |||||
| .Bd -ragged -offset indent | .Bd -ragged -offset indent | ||||
| .Cd "options IPFIREWALL" | .Cd "options IPFIREWALL" | ||||
| .Ed | .Ed | ||||
| .Pp | .Pp | ||||
| Other related kernel options | Other related kernel options | ||||
| which may also be useful are: | which may also be useful are: | ||||
rgrimes: I usually leave sentences line broken and points like and/or/which/when/.... there is actual a… | |||||
Done Inline ActionsSo would that be: ..... which \n ... \n driesm: So would that be:
..... which \n
or
... \n
which | |||||
Done Inline ActionsJust put it back how it was, as in no change needed here. rgrimes: Just put it back how it was, as in no change needed here. | |||||
| .Bd -ragged -offset indent | .Bd -ragged -offset indent | ||||
| .Cd "options IPFIREWALL_DEFAULT_TO_ACCEPT" | .Cd "options IPFIREWALL_DEFAULT_TO_ACCEPT" | ||||
| .Cd "options IPDIVERT" | .Cd "options IPDIVERT" | ||||
| .Cd "options IPFIREWALL_NAT" | .Cd "options IPFIREWALL_NAT" | ||||
| .Cd "options IPFIREWALL_NAT64" | .Cd "options IPFIREWALL_NAT64" | ||||
| .Cd "options IPFIREWALL_NPTV6" | .Cd "options IPFIREWALL_NPTV6" | ||||
| .Cd "options IPFIREWALL_PMOD" | .Cd "options IPFIREWALL_PMOD" | ||||
| .Cd "options IPFIREWALL_VERBOSE" | .Cd "options IPFIREWALL_VERBOSE" | ||||
| .Cd "options IPFIREWALL_VERBOSE_LIMIT=100" | .Cd "options IPFIREWALL_VERBOSE_LIMIT=100" | ||||
| .Cd "options LIBALIAS" | .Cd "options LIBALIAS" | ||||
| .Ed | .Ed | ||||
| .Pp | .Pp | ||||
| To load | To load the driver as a module at boot time, | ||||
| the driver | add the following line into the | ||||
| as a module at boot time, add the following line into the | |||||
| .Xr loader.conf 5 | .Xr loader.conf 5 | ||||
| file: | file: | ||||
| .Bd -literal -offset indent | .Bd -literal -offset indent | ||||
| ipfw_load="YES" | ipfw_load="YES" | ||||
| .Ed | .Ed | ||||
| .Sh DESCRIPTION | .Sh DESCRIPTION | ||||
| The | The | ||||
| .Nm | .Nm | ||||
| system facility allows filtering, | system facility allows filtering, redirecting, | ||||
| redirecting, and other operations on | and other operations on IP packets | ||||
| .Tn IP | travelling through network interfaces. | ||||
| packets travelling through | |||||
| network interfaces. | |||||
| .Pp | .Pp | ||||
| The default behavior of | The default behavior of | ||||
| .Nm | .Nm | ||||
| is to block all incoming and outgoing traffic. | is to block all incoming and outgoing traffic. | ||||
| This behavior can be modified, to allow all traffic through the | This behavior can be modified, to allow all traffic through the | ||||
| .Nm | .Nm | ||||
| firewall by default, by enabling the | firewall by default, by enabling the | ||||
| .Dv IPFIREWALL_DEFAULT_TO_ACCEPT | .Dv IPFIREWALL_DEFAULT_TO_ACCEPT | ||||
| kernel option. | kernel option. | ||||
| This option may be useful when configuring | This option may be useful when configuring | ||||
| .Nm | .Nm | ||||
| for the first time. | for the first time. | ||||
| If the default | If the default | ||||
| .Nm | .Nm | ||||
| behavior is to allow everything, it is easier to cope with | behavior is to allow everything, it is easier to cope with | ||||
| firewall-tuning mistakes which may accidentally block all traffic. | firewall-tuning mistakes which may accidentally block all traffic. | ||||
| .Pp | .Pp | ||||
| When using | When using | ||||
| .Xr natd 8 | .Xr natd 8 | ||||
| in conjunction with | in conjunction with | ||||
| .Nm | .Nm | ||||
| as | as NAT facility, | ||||
| .Tn NAT | the kernel option | ||||
Done Inline Actionsas a NAT facility reads slight clearer for me, start a new line at "the kernel option" rgrimes: as a NAT facility reads slight clearer for me, start a new line at "the kernel option" | |||||
| facility, the kernel option | |||||
| .Dv IPDIVERT | .Dv IPDIVERT | ||||
| enables diverting packets to | enables diverting packets to | ||||
| .Xr natd 8 | .Xr natd 8 | ||||
| for translation. | for translation. | ||||
| .Pp | .Pp | ||||
| When using the in-kernel | When using the in-kernel NAT facility of | ||||
| .Tn NAT | |||||
| facility of | |||||
| .Nm , | .Nm , | ||||
| the kernel option | the kernel option | ||||
| .Dv IPFIREWALL_NAT | .Dv IPFIREWALL_NAT | ||||
| enables basic | enables basic | ||||
| .Xr libalias 3 | .Xr libalias 3 | ||||
| functionality in the kernel. | functionality in the kernel. | ||||
| .Pp | .Pp | ||||
| When using any of the | When using any of the IPv4 to IPv6 transition mechanisms in | ||||
| .Tn IPv4 | |||||
| to | |||||
| .Tn IPv6 | |||||
| transition mechanisms in | |||||
| .Nm , | .Nm , | ||||
| the kernel option | the kernel option | ||||
| .Dv IPFIREWALL_NAT64 | .Dv IPFIREWALL_NAT64 | ||||
| enables all of these | enables all of these NAT64 methods in the kernel. | ||||
| .Tn NAT64 | |||||
| methods in the kernel. | |||||
| .Pp | .Pp | ||||
| When using the | When using the IPv6 network prefix translation facility of | ||||
| .Tn IPv6 | |||||
| network prefix translation facility of | |||||
| .Nm , | .Nm , | ||||
| the kernel option | the kernel option | ||||
| .Dv IPFIREWALL_NPTV6 | .Dv IPFIREWALL_NPTV6 | ||||
| enables this functionality in the kernel. | enables this functionality in the kernel. | ||||
| .Pp | .Pp | ||||
| When using the packet modification facility of | When using the packet modification facility of | ||||
| .Nm , | .Nm , | ||||
| the kernel option | the kernel option | ||||
| .Dv IPFIREWALL_PMOD | .Dv IPFIREWALL_PMOD | ||||
| enables this functionality in the kernel. | enables this functionality in the kernel. | ||||
| .Pp | .Pp | ||||
| To enable logging of packets passing through | To enable logging of packets passing through | ||||
| .Nm , | .Nm , | ||||
| enable the | enable the | ||||
| .Dv IPFIREWALL_VERBOSE | .Dv IPFIREWALL_VERBOSE | ||||
| kernel option. | kernel option. | ||||
| The | The | ||||
| .Dv IPFIREWALL_VERBOSE_LIMIT | .Dv IPFIREWALL_VERBOSE_LIMIT | ||||
| option will prevent | option will prevent | ||||
| .Xr syslogd 8 | .Xr syslogd 8 | ||||
| from flooding system logs or causing local Denial of Service. | from flooding system logs or causing local Denial of Service. | ||||
| This option may be set to the number of packets which will be logged on | This option may be set to the number of packets which will be logged on | ||||
| a per-entry basis before the entry is rate-limited. | a per-entry basis before the entry is rate-limited. | ||||
| .Pp | .Pp | ||||
| When using the in-kernel | When using the in-kernel NAT facility of | ||||
| .Tn NAT | |||||
| facility of | |||||
| .Nm , | .Nm , | ||||
| the kernel option | the kernel option | ||||
| .Dv LIBALIAS | .Dv LIBALIAS | ||||
| enables full | enables full | ||||
| .Xr libalias 3 | .Xr libalias 3 | ||||
| functionality in the kernel. | functionality in the kernel. | ||||
| Full functionality refers to included support for cuseeme, ftp, bbt, | Full functionality refers to included support for cuseeme, ftp, bbt, | ||||
| skinny, irc, pptp and smedia packets, which are missing in the basic | skinny, irc, pptp and smedia packets, which are missing in the basic | ||||
| Show All 25 Lines | |||||
I usually leave sentences line broken and points like and/or/which/when/.... there is actual a very old groff style guide that recommends this.