head/sbin/ipfw/ipfw.8
.\" | .\" | ||||
.\" $FreeBSD$ | .\" $FreeBSD$ | ||||
.\" | .\" | ||||
.Dd June 21, 2019 | .Dd August 10, 2020 | ||||
.Dt IPFW 8 | .Dt IPFW 8 | ||||
.Os | .Os | ||||
.Sh NAME | .Sh NAME | ||||
.Nm ipfw | .Nm ipfw | ||||
.Nd User interface for firewall, traffic shaper, packet scheduler, | .Nd User interface for firewall, traffic shaper, packet scheduler, | ||||
in-kernel NAT. | in-kernel NAT. | ||||
.Sh SYNOPSIS | .Sh SYNOPSIS | ||||
.Ss FIREWALL CONFIGURATION | .Ss FIREWALL CONFIGURATION | ||||
▲ Show 20 Lines • Show All 582 Lines • ▼ Show 20 Lines | |||||
.It Source and dest. addresses and ports | .It Source and dest. addresses and ports | ||||
.It Direction | .It Direction | ||||
See Section | See Section | ||||
.Sx PACKET FLOW | .Sx PACKET FLOW | ||||
.It Transmit and receive interface | .It Transmit and receive interface | ||||
By name or address | By name or address | ||||
.It Misc. IP header fields | .It Misc. IP header fields | ||||
Version, type of service, datagram length, identification, | Version, type of service, datagram length, identification, | ||||
fragment flag (non-zero IP offset), | fragmentation flags, | ||||
Time To Live | Time To Live | ||||
.It IP options | .It IP options | ||||
.It IPv6 Extension headers | .It IPv6 Extension headers | ||||
Fragmentation, Hop-by-Hop options, | Fragmentation, Hop-by-Hop options, | ||||
Routing Headers, Source routing rthdr0, Mobile IPv6 rthdr2, IPSec options. | Routing Headers, Source routing rthdr0, Mobile IPv6 rthdr2, IPSec options. | ||||
.It IPv6 Flow-ID | .It IPv6 Flow-ID | ||||
.It Misc. TCP header fields | .It Misc. TCP header fields | ||||
TCP flags (SYN, FIN, ACK, RST, etc.), | TCP flags (SYN, FIN, ACK, RST, etc.), | ||||
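Review bot: On the changed line under "Misc. IP header fields", the new wording "fragmentation flags," drops any mention of the fragment offset, although the reworked frag option later in this patch still matches on it through the offset keyword (and by default with an empty list). Offset is not a flag, so consider "fragmentation flags and offset," to keep this summary consistent with what the option can actually match.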
▲ Show 20 Lines • Show All 985 Lines • ▼ Show 20 Lines | |||||
See the | See the | ||||
.Sx LOOKUP TABLES | .Sx LOOKUP TABLES | ||||
section below for more information on lookup tables. | section below for more information on lookup tables. | ||||
.It Cm flow-id Ar labels | .It Cm flow-id Ar labels | ||||
Matches IPv6 packets containing any of the flow labels given in | Matches IPv6 packets containing any of the flow labels given in | ||||
.Ar labels . | .Ar labels . | ||||
.Ar labels | .Ar labels | ||||
is a comma separated list of numeric flow labels. | is a comma separated list of numeric flow labels. | ||||
.It Cm frag | .It Cm frag Ar spec | ||||
Matches packets that are fragments and not the first | Matches IPv4 packets whose | ||||
fragment of an IP datagram. | .Cm ip_off | ||||
Note that these packets will not have | field contains the comma separated list of IPv4 fragmentation | ||||
the next protocol header (e.g.\& TCP, UDP) so options that look into | options specified in | ||||
these headers cannot match. | .Ar spec . | ||||
The recognized options are: | |||||
.Cm df | |||||
.Pq Dv don't fragment , | |||||
.Cm mf | |||||
.Pq Dv more fragments , | |||||
.Cm rf | |||||
.Pq Dv reserved fragment bit | |||||
.Cm offset | |||||
.Pq Dv non-zero fragment offset . | |||||
The absence of a particular options may be denoted | |||||
with a | |||||
.Ql \&! . | |||||
.Pp | |||||
Empty list of options defaults to matching on non-zero fragment offset. | |||||
Such rule would match all not the first fragment datagrams, | |||||
both IPv4 and IPv6. | |||||
This is a backward compatibility with older rulesets. | |||||
.It Cm gid Ar group | .It Cm gid Ar group | ||||
Matches all TCP or UDP packets sent by or received for a | Matches all TCP or UDP packets sent by or received for a | ||||
.Ar group . | .Ar group . | ||||
A | A | ||||
.Ar group | .Ar group | ||||
may be specified by name or number. | may be specified by name or number. | ||||
.It Cm jail Ar jail | .It Cm jail Ar jail | ||||
Matches all TCP or UDP packets sent by or received for the | Matches all TCP or UDP packets sent by or received for the | ||||
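Review bot: In the new frag description, the line ".Pq Dv reserved fragment bit" lacks the trailing " ," that the df and mf entries carry, so the rendered list runs rf straight into offset; add the comma. The text also opens with "Matches IPv4 packets" while the empty-list paragraph says the rule matches both IPv4 and IPv6, so say explicitly that only the option list is IPv4-specific. The removed note that non-first fragments carry no next protocol header (so options that look into TCP or UDP headers cannot match) still applies to offset and to the empty-list default, and ruleset authors depend on it, so it is worth keeping. Minor wording: "a particular options" should be "a particular option", and "all not the first fragment datagrams" would read better as "all fragments other than the first".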
▲ Show 20 Lines • Show All 3,201 Lines • Show Last 20 Lines |