sbin/ipfw/ipfw.8
.\" | .\" | ||||
.\" $FreeBSD$ | .\" $FreeBSD$ | ||||
.\" | .\" | ||||
.Dd May 11, 2021 | .Dd June 4, 2021 | ||||
.Dt IPFW 8 | .Dt IPFW 8 | ||||
.Os | .Os | ||||
.Sh NAME | .Sh NAME | ||||
.Nm ipfw | .Nm ipfw | ||||
.Nd User interface for firewall, traffic shaper, packet scheduler, | .Nd User interface for firewall, traffic shaper, packet scheduler, | ||||
in-kernel NAT. | in-kernel NAT. | ||||
.Sh SYNOPSIS | .Sh SYNOPSIS | ||||
.Ss FIREWALL CONFIGURATION | .Ss FIREWALL CONFIGURATION | ||||
▲ Show 20 Lines • Show All 87 Lines • ▼ Show 20 Lines | |||||
.Op Ar number ... | .Op Ar number ... | ||||
.Ss IN-KERNEL NAT | .Ss IN-KERNEL NAT | ||||
.Nm | .Nm | ||||
.Op Fl q | .Op Fl q | ||||
.Cm nat | .Cm nat | ||||
.Ar number | .Ar number | ||||
.Cm config | .Cm config | ||||
.Ar config-options | .Ar config-options | ||||
.Nm | |||||
.Cm nat | |||||
.Ar number | |||||
.Cm show | |||||
.Brq Cm config | log | |||||
.Ss STATEFUL IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION | .Ss STATEFUL IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION | ||||
.Nm | .Nm | ||||
.Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm create Ar create-options | .Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm create Ar create-options | ||||
.Nm | .Nm | ||||
.Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm config Ar config-options | .Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm config Ar config-options | ||||
.Nm | .Nm | ||||
.Oo Cm set Ar N Oc Cm nat64lsn | .Oo Cm set Ar N Oc Cm nat64lsn | ||||
.Brq Ar name | all | .Brq Ar name | all | ||||
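Review bot: The added `.Cm show` / `.Brq Cm config | log` synopsis entry has no matching description in any of the hunks shown here, so the page would list `ipfw nat number show log` without saying what it prints. If the NETWORK ADDRESS TRANSLATION (NAT) section does not already cover both forms, add a short paragraph there, and consider a line in EXAMPLES next to the existing nat examples.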
▲ Show 20 Lines • Show All 801 Lines • ▼ Show 20 Lines | |||||
unless there is a matching rule on that system to capture them. | unless there is a matching rule on that system to capture them. | ||||
For packets forwarded locally, | For packets forwarded locally, | ||||
the local address of the socket will be | the local address of the socket will be | ||||
set to the original destination address of the packet. | set to the original destination address of the packet. | ||||
This makes the | This makes the | ||||
.Xr netstat 1 | .Xr netstat 1 | ||||
entry look rather weird but is intended for | entry look rather weird but is intended for | ||||
use with transparent proxy servers. | use with transparent proxy servers. | ||||
.It Cm nat Ar nat_nr | tablearg | .It Cm nat Ar nat_nr | global | tablearg | ||||
Pass packet to a | Pass packet to a | ||||
nat instance | nat instance | ||||
(for network address translation, address redirect, etc.): | (for network address translation, address redirect, etc.): | ||||
see the | see the | ||||
.Sx NETWORK ADDRESS TRANSLATION (NAT) | .Sx NETWORK ADDRESS TRANSLATION (NAT) | ||||
Section for further information. | Section for further information. | ||||
.It Cm nat64lsn Ar name | .It Cm nat64lsn Ar name | ||||
Pass packet to a stateful NAT64 instance (for IPv6/IPv4 network address and | Pass packet to a stateful NAT64 instance (for IPv6/IPv4 network address and | ||||
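Review bot: In the changed `.It Cm nat Ar nat_nr | global | tablearg` line, `global` follows `.Ar` and will therefore be typeset as a replaceable argument, although it is a literal keyword and is marked up as `.It Cm global` later in this same change. Suggest `.It Cm nat Ar nat_nr | Cm global | Cm tablearg`, so that both keywords (the existing `tablearg` has the same problem) render as commands and only `nat_nr` as an argument.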
▲ Show 20 Lines • Show All 2,337 Lines • ▼ Show 20 Lines | |||||
Obey transparent proxy rules only, packet aliasing is not performed. | Obey transparent proxy rules only, packet aliasing is not performed. | ||||
.It Cm skip_global | .It Cm skip_global | ||||
Skip instance in case of global state lookup (see below). | Skip instance in case of global state lookup (see below). | ||||
.It Cm port_range Ar lower-upper | .It Cm port_range Ar lower-upper | ||||
Set the aliasing ports between the ranges given. Upper port has to be greater | Set the aliasing ports between the ranges given. Upper port has to be greater | ||||
than lower. | than lower. | ||||
.El | .El | ||||
.Pp | .Pp | ||||
Some specials value can be supplied instead of | Some special values can be supplied instead of | ||||
.Va nat_number : | .Va nat_number | ||||
in nat rule actions: | |||||
.Bl -tag -width indent | .Bl -tag -width indent | ||||
.It Cm global | .It Cm global | ||||
Looks up translation state in all configured nat instances. | Looks up translation state in all configured nat instances. | ||||
If an entry is found, packet is aliased according to that entry. | If an entry is found, packet is aliased according to that entry. | ||||
If no entry was found in any of the instances, packet is passed unchanged, | If no entry was found in any of the instances, packet is passed unchanged, | ||||
and no new entry will be created. | and no new entry will be created. | ||||
See section | See section | ||||
.Sx MULTIPLE INSTANCES | .Sx MULTIPLE INSTANCES | ||||
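Review bot: The reworded sentence still refers to `.Va nat_number`, but the rule action this change touches names the same operand `.Ar nat_nr`, and the synopsis calls it `.Ar number`. Since the new wording "in nat rule actions:" now points the reader at that action, use the same name and the same macro here (`.Ar nat_nr`) so the cross-reference can be followed. The unchanged `skip_global` entry above says "(see below)"; it may be worth checking that it still points at this `global` description after the rewording.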
Show All 9 Lines | |||||
.Pp | .Pp | ||||
To let the packet continue after being (de)aliased, set the sysctl variable | To let the packet continue after being (de)aliased, set the sysctl variable | ||||
.Va net.inet.ip.fw.one_pass | .Va net.inet.ip.fw.one_pass | ||||
to 0. | to 0. | ||||
For more information about aliasing modes, refer to | For more information about aliasing modes, refer to | ||||
.Xr libalias 3 . | .Xr libalias 3 . | ||||
See Section | See Section | ||||
.Sx EXAMPLES | .Sx EXAMPLES | ||||
for some examples about nat usage. | for some examples of nat usage. | ||||
.Ss REDIRECT AND LSNAT SUPPORT IN IPFW | .Ss REDIRECT AND LSNAT SUPPORT IN IPFW | ||||
Redirect and LSNAT support follow closely the syntax used in | Redirect and LSNAT support follow closely the syntax used in | ||||
.Xr natd 8 . | .Xr natd 8 . | ||||
See Section | See Section | ||||
.Sx EXAMPLES | .Sx EXAMPLES | ||||
for some examples on how to do redirect and lsnat. | for some examples on how to do redirect and lsnat. | ||||
.Ss SCTP NAT SUPPORT | .Ss SCTP NAT SUPPORT | ||||
SCTP nat can be configured in a similar manner to TCP through the | SCTP nat can be configured in a similar manner to TCP through the | ||||
▲ Show 20 Lines • Show All 1,540 Lines • Show Last 20 Lines |