sbin/ipfw/ipfw.8
.\" | .\" | ||||
.\" $FreeBSD$ | .\" $FreeBSD$ | ||||
.\" | .\" | ||||
.Dd June 4, 2021 | .Dd June 14, 2021 | ||||
.Dt IPFW 8 | .Dt IPFW 8 | ||||
.Os | .Os | ||||
.Sh NAME | .Sh NAME | ||||
.Nm ipfw | .Nm ipfw , dnctl | ||||
.Nd User interface for firewall, traffic shaper, packet scheduler, | .Nd User interface for firewall, traffic shaper, packet scheduler, | ||||
in-kernel NAT. | in-kernel NAT. | ||||
.Sh SYNOPSIS | .Sh SYNOPSIS | ||||
.Ss FIREWALL CONFIGURATION | .Ss FIREWALL CONFIGURATION | ||||
.Nm | .Nm | ||||
.Op Fl cq | .Op Fl cq | ||||
.Cm add | .Cm add | ||||
.Ar rule | .Ar rule | ||||
(66 unchanged lines hidden)
.Oo Cm set Ar N Oc Cm table | .Oo Cm set Ar N Oc Cm table | ||||
.Brq Ar name | all | .Brq Ar name | all | ||||
.Cm detail | .Cm detail | ||||
.Nm | .Nm | ||||
.Oo Cm set Ar N Oc Cm table | .Oo Cm set Ar N Oc Cm table | ||||
.Brq Ar name | all | .Brq Ar name | all | ||||
.Cm flush | .Cm flush | ||||
.Ss DUMMYNET CONFIGURATION (TRAFFIC SHAPER AND PACKET SCHEDULER) | .Ss DUMMYNET CONFIGURATION (TRAFFIC SHAPER AND PACKET SCHEDULER) | ||||
.Nm | .Nm dnctl | ||||
.Brq Cm pipe | queue | sched | .Brq Cm pipe | queue | sched | ||||
.Ar number | .Ar number | ||||
.Cm config | .Cm config | ||||
.Ar config-options | .Ar config-options | ||||
.Nm | .Nm dnctl | ||||
.Op Fl s Op Ar field | .Op Fl s Op Ar field | ||||
.Brq Cm pipe | queue | sched | .Brq Cm pipe | queue | sched | ||||
.Brq Cm delete | list | show | .Brq Cm delete | list | show | ||||
.Op Ar number ... | .Op Ar number ... | ||||
.Ss IN-KERNEL NAT | .Ss IN-KERNEL NAT | ||||
.Nm | .Nm | ||||
.Op Fl q | .Op Fl q | ||||
.Cm nat | .Cm nat | ||||
(330 unchanged lines hidden)
.Fl p | .Fl p | ||||
has been specified, any additional arguments are passed on to the preprocessor | has been specified, any additional arguments are passed on to the preprocessor | ||||
for interpretation. | for interpretation. | ||||
This allows for flexible configuration files (like conditionalizing | This allows for flexible configuration files (like conditionalizing | ||||
them on the local hostname) and the use of macros to centralize | them on the local hostname) and the use of macros to centralize | ||||
frequently required arguments like IP addresses. | frequently required arguments like IP addresses. | ||||
.Ss TRAFFIC SHAPER CONFIGURATION | .Ss TRAFFIC SHAPER CONFIGURATION | ||||
The | The | ||||
.Nm | .Nm dnctl | ||||
.Cm pipe , queue | .Cm pipe , queue | ||||
and | and | ||||
.Cm sched | .Cm sched | ||||
commands are used to configure the traffic shaper and packet scheduler. | commands are used to configure the traffic shaper and packet scheduler. | ||||
See the | See the | ||||
.Sx TRAFFIC SHAPER (DUMMYNET) CONFIGURATION | .Sx TRAFFIC SHAPER (DUMMYNET) CONFIGURATION | ||||
Section below for details. | Section below for details. | ||||
.Pp | .Pp | ||||
(2,193 unchanged lines hidden)
.Sm off | .Sm off | ||||
.Op Cm K | M | G | .Op Cm K | M | G | ||||
.Brq Cm bit/s | Byte/s . | .Brq Cm bit/s | Byte/s . | ||||
.Sm on | .Sm on | ||||
.Pp | .Pp | ||||
A value of 0 (default) means unlimited bandwidth. | A value of 0 (default) means unlimited bandwidth. | ||||
The unit must immediately follow the number, as in | The unit must immediately follow the number, as in | ||||
.Pp | .Pp | ||||
.Dl "ipfw pipe 1 config bw 300Kbit/s" | .Dl "dnctl pipe 1 config bw 300Kbit/s" | ||||
.Pp | .Pp | ||||
If a device name is specified instead of a numeric value, as in | If a device name is specified instead of a numeric value, as in | ||||
.Pp | .Pp | ||||
.Dl "ipfw pipe 1 config bw tun0" | .Dl "dnctl pipe 1 config bw tun0" | ||||
.Pp | .Pp | ||||
then the transmit clock is supplied by the specified device. | then the transmit clock is supplied by the specified device. | ||||
At the moment only the | At the moment only the | ||||
.Xr tun 4 | .Xr tun 4 | ||||
device supports this | device supports this | ||||
functionality, for use in conjunction with | functionality, for use in conjunction with | ||||
.Xr ppp 8 . | .Xr ppp 8 . | ||||
.Pp | .Pp | ||||
(60 unchanged lines hidden)
Horizontal lines correspond to a discontinuity in the delay | Horizontal lines correspond to a discontinuity in the delay | ||||
distribution: the pipe will use the largest delay for a | distribution: the pipe will use the largest delay for a | ||||
given probability. | given probability. | ||||
.Pp | .Pp | ||||
The file format is the following, with whitespace acting as | The file format is the following, with whitespace acting as | ||||
a separator and '#' indicating the beginning a comment: | a separator and '#' indicating the beginning a comment: | ||||
.Bl -tag -width indent | .Bl -tag -width indent | ||||
.It Cm name Ar identifier | .It Cm name Ar identifier | ||||
optional name (listed by "ipfw pipe show") | optional name (listed by "dnctl pipe show") | ||||
to identify the delay distribution; | to identify the delay distribution; | ||||
.It Cm bw Ar value | .It Cm bw Ar value | ||||
the bandwidth used for the pipe. | the bandwidth used for the pipe. | ||||
If not specified here, it must be present | If not specified here, it must be present | ||||
explicitly as a configuration parameter for the pipe; | explicitly as a configuration parameter for the pipe; | ||||
.It Cm loss-level Ar L | .It Cm loss-level Ar L | ||||
the probability above which packets are lost. | the probability above which packets are lost. | ||||
(0.0 <= L <= 1.0, default 1.0 i.e., no loss); | (0.0 <= L <= 1.0, default 1.0 i.e., no loss); | ||||
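Review bot: the unchanged context line `a separator and '#' indicating the beginning a comment:` is missing "of" ("the beginning of a comment"); since the adjacent `listed by "dnctl pipe show"` line is already being touched, it is worth fixing in the same revision rather than leaving a known typo next to a fresh edit.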
(1,608 unchanged lines hidden)
of 5%: | of 5%: | ||||
.Pp | .Pp | ||||
.Dl "ipfw add prob 0.05 deny ip from any to any in" | .Dl "ipfw add prob 0.05 deny ip from any to any in" | ||||
.Pp | .Pp | ||||
A similar effect can be achieved making use of | A similar effect can be achieved making use of | ||||
.Nm dummynet | .Nm dummynet | ||||
pipes: | pipes: | ||||
.Pp | .Pp | ||||
.Dl "ipfw add pipe 10 ip from any to any" | .Dl "dnctl add pipe 10 ip from any to any" | ||||
.Dl "ipfw pipe 10 config plr 0.05" | .Dl "dnctl pipe 10 config plr 0.05" | ||||
.Pp | .Pp | ||||
We can use pipes to artificially limit bandwidth, e.g.\& on a | We can use pipes to artificially limit bandwidth, e.g.\& on a | ||||
machine acting as a router, if we want to limit traffic from | machine acting as a router, if we want to limit traffic from | ||||
local clients on 192.168.2.0/24 we do: | local clients on 192.168.2.0/24 we do: | ||||
.Pp | .Pp | ||||
.Dl "ipfw add pipe 1 ip from 192.168.2.0/24 to any out" | .Dl "ipfw add pipe 1 ip from 192.168.2.0/24 to any out" | ||||
.Dl "ipfw pipe 1 config bw 300Kbit/s queue 50KBytes" | .Dl "dnctl pipe 1 config bw 300Kbit/s queue 50KBytes" | ||||
.Pp | .Pp | ||||
note that we use the | note that we use the | ||||
.Cm out | .Cm out | ||||
modifier so that the rule is not used twice. | modifier so that the rule is not used twice. | ||||
Remember in fact that | Remember in fact that | ||||
.Nm | .Nm | ||||
rules are checked both on incoming and outgoing packets. | rules are checked both on incoming and outgoing packets. | ||||
.Pp | .Pp | ||||
Should we want to simulate a bidirectional link with bandwidth | Should we want to simulate a bidirectional link with bandwidth | ||||
limitations, the correct way is the following: | limitations, the correct way is the following: | ||||
.Pp | .Pp | ||||
.Dl "ipfw add pipe 1 ip from any to any out" | .Dl "ipfw add pipe 1 ip from any to any out" | ||||
.Dl "ipfw add pipe 2 ip from any to any in" | .Dl "ipfw add pipe 2 ip from any to any in" | ||||
.Dl "ipfw pipe 1 config bw 64Kbit/s queue 10Kbytes" | .Dl "dnctl pipe 1 config bw 64Kbit/s queue 10Kbytes" | ||||
.Dl "ipfw pipe 2 config bw 64Kbit/s queue 10Kbytes" | .Dl "dnctl pipe 2 config bw 64Kbit/s queue 10Kbytes" | ||||
.Pp | .Pp | ||||
The above can be very useful, e.g.\& if you want to see how | The above can be very useful, e.g.\& if you want to see how | ||||
your fancy Web page will look for a residential user who | your fancy Web page will look for a residential user who | ||||
is connected only through a slow link. | is connected only through a slow link. | ||||
You should not use only one pipe for both directions, unless | You should not use only one pipe for both directions, unless | ||||
you want to simulate a half-duplex medium (e.g.\& AppleTalk, | you want to simulate a half-duplex medium (e.g.\& AppleTalk, | ||||
Ethernet, IRDA). | Ethernet, IRDA). | ||||
It is not necessary that both pipes have the same configuration, | It is not necessary that both pipes have the same configuration, | ||||
so we can also simulate asymmetric links. | so we can also simulate asymmetric links. | ||||
.Pp | .Pp | ||||
Should we want to verify network performance with the RED queue | Should we want to verify network performance with the RED queue | ||||
management algorithm: | management algorithm: | ||||
.Pp | .Pp | ||||
.Dl "ipfw add pipe 1 ip from any to any" | .Dl "ipfw add pipe 1 ip from any to any" | ||||
.Dl "ipfw pipe 1 config bw 500Kbit/s queue 100 red 0.002/30/80/0.1" | .Dl "dnctl pipe 1 config bw 500Kbit/s queue 100 red 0.002/30/80/0.1" | ||||
.Pp | .Pp | ||||
Another typical application of the traffic shaper is to | Another typical application of the traffic shaper is to | ||||
introduce some delay in the communication. | introduce some delay in the communication. | ||||
This can significantly affect applications which do a lot of Remote | This can significantly affect applications which do a lot of Remote | ||||
Procedure Calls, and where the round-trip-time of the | Procedure Calls, and where the round-trip-time of the | ||||
connection often becomes a limiting factor much more than | connection often becomes a limiting factor much more than | ||||
bandwidth: | bandwidth: | ||||
.Pp | .Pp | ||||
.Dl "ipfw add pipe 1 ip from any to any out" | .Dl "ipfw add pipe 1 ip from any to any out" | ||||
.Dl "ipfw add pipe 2 ip from any to any in" | .Dl "ipfw add pipe 2 ip from any to any in" | ||||
.Dl "ipfw pipe 1 config delay 250ms bw 1Mbit/s" | .Dl "dnctl pipe 1 config delay 250ms bw 1Mbit/s" | ||||
.Dl "ipfw pipe 2 config delay 250ms bw 1Mbit/s" | .Dl "dnctl pipe 2 config delay 250ms bw 1Mbit/s" | ||||
.Pp | .Pp | ||||
Per-flow queueing can be useful for a variety of purposes. | Per-flow queueing can be useful for a variety of purposes. | ||||
A very simple one is counting traffic: | A very simple one is counting traffic: | ||||
.Pp | .Pp | ||||
.Dl "ipfw add pipe 1 tcp from any to any" | .Dl "ipfw add pipe 1 tcp from any to any" | ||||
.Dl "ipfw add pipe 1 udp from any to any" | .Dl "ipfw add pipe 1 udp from any to any" | ||||
.Dl "ipfw add pipe 1 ip from any to any" | .Dl "ipfw add pipe 1 ip from any to any" | ||||
.Dl "ipfw pipe 1 config mask all" | .Dl "dnctl pipe 1 config mask all" | ||||
.Pp | .Pp | ||||
The above set of rules will create queues (and collect | The above set of rules will create queues (and collect | ||||
statistics) for all traffic. | statistics) for all traffic. | ||||
Because the pipes have no limitations, the only effect is | Because the pipes have no limitations, the only effect is | ||||
collecting statistics. | collecting statistics. | ||||
Note that we need 3 rules, not just the last one, because | Note that we need 3 rules, not just the last one, because | ||||
when | when | ||||
.Nm | .Nm | ||||
tries to match IP packets it will not consider ports, so we | tries to match IP packets it will not consider ports, so we | ||||
would not see connections on separate ports as different | would not see connections on separate ports as different | ||||
ones. | ones. | ||||
.Pp | .Pp | ||||
A more sophisticated example is limiting the outbound traffic | A more sophisticated example is limiting the outbound traffic | ||||
on a net with per-host limits, rather than per-network limits: | on a net with per-host limits, rather than per-network limits: | ||||
.Pp | .Pp | ||||
.Dl "ipfw add pipe 1 ip from 192.168.2.0/24 to any out" | .Dl "ipfw add pipe 1 ip from 192.168.2.0/24 to any out" | ||||
.Dl "ipfw add pipe 2 ip from any to 192.168.2.0/24 in" | .Dl "ipfw add pipe 2 ip from any to 192.168.2.0/24 in" | ||||
.Dl "ipfw pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes" | .Dl "dnctl pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes" | ||||
.Dl "ipfw pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes" | .Dl "dnctl pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes" | ||||
.Ss LOOKUP TABLES | .Ss LOOKUP TABLES | ||||
In the following example, we need to create several traffic bandwidth | In the following example, we need to create several traffic bandwidth | ||||
classes and we need different hosts/networks to fall into different classes. | classes and we need different hosts/networks to fall into different classes. | ||||
We create one pipe for each class and configure them accordingly. | We create one pipe for each class and configure them accordingly. | ||||
Then we create a single table and fill it with IP subnets and addresses. | Then we create a single table and fill it with IP subnets and addresses. | ||||
For each subnet/host we set the argument equal to the number of the pipe | For each subnet/host we set the argument equal to the number of the pipe | ||||
that it should use. | that it should use. | ||||
Then we classify traffic using a single rule: | Then we classify traffic using a single rule: | ||||
.Pp | .Pp | ||||
.Dl "ipfw pipe 1 config bw 1000Kbyte/s" | .Dl "dnctl pipe 1 config bw 1000Kbyte/s" | ||||
.Dl "ipfw pipe 4 config bw 4000Kbyte/s" | .Dl "dnctl pipe 4 config bw 4000Kbyte/s" | ||||
.Dl "..." | .Dl "..." | ||||
.Dl "ipfw table T1 create type addr" | .Dl "ipfw table T1 create type addr" | ||||
.Dl "ipfw table T1 add 192.168.2.0/24 1" | .Dl "ipfw table T1 add 192.168.2.0/24 1" | ||||
.Dl "ipfw table T1 add 192.168.0.0/27 4" | .Dl "ipfw table T1 add 192.168.0.0/27 4" | ||||
.Dl "ipfw table T1 add 192.168.0.2 1" | .Dl "ipfw table T1 add 192.168.0.2 1" | ||||
.Dl "..." | .Dl "..." | ||||
.Dl "ipfw add pipe tablearg ip from 'table(T1)' to any" | .Dl "ipfw add pipe tablearg ip from 'table(T1)' to any" | ||||
.Pp | .Pp | ||||
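Review bot: `.Dl "dnctl add pipe 10 ip from any to any"` is a wrong substitution: `add` installs a firewall rule and is an ipfw verb, exactly as every other `ipfw add pipe ...` line in this hunk was left (and the preceding `ipfw add prob 0.05 deny ...` example), so only the config line should change. Suggest:
.Dl "ipfw add pipe 10 ip from any to any"
.Dl "dnctl pipe 10 config plr 0.05"
The remaining lines in this region follow the intended split correctly (rules and `ipfw table ...` stay with ipfw, `pipe N config ...` moves to dnctl). Two pre-existing nits that could be tidied while here: `note that we use the` starts a paragraph after `.Pp` in lower case, and the queue size unit is spelled `50KBytes` in one example and `10Kbytes`/`20Kbytes` in the others.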
(165 unchanged lines hidden)
.Pp | .Pp | ||||
To configure a | To configure a | ||||
.Cm pipe | .Cm pipe | ||||
with | with | ||||
.Cm codel | .Cm codel | ||||
AQM using default configuration for traffic from 192.168.0.0/24 and 1Mbits/s | AQM using default configuration for traffic from 192.168.0.0/24 and 1Mbits/s | ||||
rate limit, we do: | rate limit, we do: | ||||
.Pp | .Pp | ||||
.Dl "ipfw pipe 1 config bw 1mbits/s codel" | .Dl "dnctl pipe 1 config bw 1mbits/s codel" | ||||
.Dl "ipfw add 100 pipe 1 ip from 192.168.0.0/24 to any" | .Dl "ipfw add 100 pipe 1 ip from 192.168.0.0/24 to any" | ||||
.Pp | .Pp | ||||
To configure a | To configure a | ||||
.Cm queue | .Cm queue | ||||
with | with | ||||
.Cm codel | .Cm codel | ||||
AQM using different configurations parameters for traffic from | AQM using different configurations parameters for traffic from | ||||
192.168.0.0/24 and 1Mbits/s rate limit, we do: | 192.168.0.0/24 and 1Mbits/s rate limit, we do: | ||||
.Pp | .Pp | ||||
.Dl "ipfw pipe 1 config bw 1mbits/s" | .Dl "dnctl pipe 1 config bw 1mbits/s" | ||||
.Dl "ipfw queue 1 config pipe 1 codel target 8ms interval 160ms ecn" | .Dl "dnctl queue 1 config pipe 1 codel target 8ms interval 160ms ecn" | ||||
.Dl "ipfw add 100 queue 1 ip from 192.168.0.0/24 to any" | .Dl "ipfw add 100 queue 1 ip from 192.168.0.0/24 to any" | ||||
.Pp | .Pp | ||||
To configure a | To configure a | ||||
.Cm pipe | .Cm pipe | ||||
with | with | ||||
.Cm pie | .Cm pie | ||||
AQM using default configuration for traffic from 192.168.0.0/24 and 1Mbits/s | AQM using default configuration for traffic from 192.168.0.0/24 and 1Mbits/s | ||||
rate limit, we do: | rate limit, we do: | ||||
.Pp | .Pp | ||||
.Dl "ipfw pipe 1 config bw 1mbits/s pie" | .Dl "dnctl pipe 1 config bw 1mbits/s pie" | ||||
.Dl "ipfw add 100 pipe 1 ip from 192.168.0.0/24 to any" | .Dl "ipfw add 100 pipe 1 ip from 192.168.0.0/24 to any" | ||||
.Pp | .Pp | ||||
To configure a | To configure a | ||||
.Cm queue | .Cm queue | ||||
with | with | ||||
.Cm pie | .Cm pie | ||||
AQM using different configuration parameters for traffic from | AQM using different configuration parameters for traffic from | ||||
192.168.0.0/24 and 1Mbits/s rate limit, we do: | 192.168.0.0/24 and 1Mbits/s rate limit, we do: | ||||
.Pp | .Pp | ||||
.Dl "ipfw pipe 1 config bw 1mbits/s" | .Dl "dnctl pipe 1 config bw 1mbits/s" | ||||
.Dl "ipfw queue 1 config pipe 1 pie target 20ms tupdate 30ms ecn" | .Dl "dnctl queue 1 config pipe 1 pie target 20ms tupdate 30ms ecn" | ||||
.Dl "ipfw add 100 queue 1 ip from 192.168.0.0/24 to any" | .Dl "ipfw add 100 queue 1 ip from 192.168.0.0/24 to any" | ||||
.Pp | .Pp | ||||
.Cm fq_codel | .Cm fq_codel | ||||
and | and | ||||
.Cm fq_pie | .Cm fq_pie | ||||
AQM can be configured for | AQM can be configured for | ||||
.Nm dummynet | .Nm dummynet | ||||
schedulers. | schedulers. | ||||
.Pp | .Pp | ||||
To configure | To configure | ||||
.Cm fq_codel | .Cm fq_codel | ||||
scheduler using different configurations parameters for traffic from | scheduler using different configurations parameters for traffic from | ||||
192.168.0.0/24 and 1Mbits/s rate limit, we do: | 192.168.0.0/24 and 1Mbits/s rate limit, we do: | ||||
.Pp | .Pp | ||||
.Dl "ipfw pipe 1 config bw 1mbits/s" | .Dl "dnctl pipe 1 config bw 1mbits/s" | ||||
.Dl "ipfw sched 1 config pipe 1 type fq_codel" | .Dl "dnctl sched 1 config pipe 1 type fq_codel" | ||||
.Dl "ipfw queue 1 config sched 1" | .Dl "dnctl queue 1 config sched 1" | ||||
.Dl "ipfw add 100 queue 1 ip from 192.168.0.0/24 to any" | .Dl "ipfw add 100 queue 1 ip from 192.168.0.0/24 to any" | ||||
.Pp | .Pp | ||||
To change | To change | ||||
.Cm fq_codel | .Cm fq_codel | ||||
default configuration for a | default configuration for a | ||||
.Cm sched | .Cm sched | ||||
such as disable ECN and change the | such as disable ECN and change the | ||||
.Ar target | .Ar target | ||||
to 10ms, we do: | to 10ms, we do: | ||||
.Pp | .Pp | ||||
.Dl "ipfw sched 1 config pipe 1 type fq_codel target 10ms noecn" | .Dl "dnctl sched 1 config pipe 1 type fq_codel target 10ms noecn" | ||||
.Pp | .Pp | ||||
Similar to | Similar to | ||||
.Cm fq_codel , | .Cm fq_codel , | ||||
to configure | to configure | ||||
.Cm fq_pie | .Cm fq_pie | ||||
scheduler using different configurations parameters for traffic from | scheduler using different configurations parameters for traffic from | ||||
192.168.0.0/24 and 1Mbits/s rate limit, we do: | 192.168.0.0/24 and 1Mbits/s rate limit, we do: | ||||
.Pp | .Pp | ||||
.Dl "ipfw pipe 1 config bw 1mbits/s" | .Dl "dnctl pipe 1 config bw 1mbits/s" | ||||
.Dl "ipfw sched 1 config pipe 1 type fq_pie" | .Dl "dnctl sched 1 config pipe 1 type fq_pie" | ||||
.Dl "ipfw queue 1 config sched 1" | .Dl "dnctl queue 1 config sched 1" | ||||
.Dl "ipfw add 100 queue 1 ip from 192.168.0.0/24 to any" | .Dl "ipfw add 100 queue 1 ip from 192.168.0.0/24 to any" | ||||
.Pp | .Pp | ||||
The configurations of | The configurations of | ||||
.Cm fq_pie | .Cm fq_pie | ||||
.Cm sched | .Cm sched | ||||
can be changed in a similar way as for | can be changed in a similar way as for | ||||
.Cm fq_codel | .Cm fq_codel | ||||
.Sh SEE ALSO | .Sh SEE ALSO | ||||
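Review bot: the closing sentence `can be changed in a similar way as for` / `.Cm fq_codel` runs straight into `.Sh SEE ALSO` with no terminating period; append `.` to the `.Cm fq_codel` macro line. Also `using different configurations parameters` appears three times (codel queue, fq_codel sched, fq_pie sched) where the pie queue example correctly says `different configuration parameters`. Both are pre-existing, but this hunk already rewrites the surrounding command lines. The dnctl/ipfw split in the examples themselves is consistent: `pipe`, `queue` and `sched` config lines go to dnctl, while the `ipfw add 100 pipe 1 ...` and `ipfw add 100 queue 1 ...` rules stay with ipfw.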
(152 unchanged lines hidden)