9 .Nd IP firewall and traffic shaper control program
16 .Ar macro Ns Op = Ns Ar value
26 .Brq Cm zero | resetlog | delete
42 .Ar pipe-config-options
45 .Brq Cm delete | list | show
51 .Ar queue-config-options
54 .Brq Cm delete | list | show
58 is the user interface for controlling the
65 A firewall configuration is made of a list of numbered rules,
66 which is scanned for each incoming or outgoing IP packet
67 until a match is found and
68 the relevant action is performed.
69 Depending on the action and certain system settings, packets
70 can be reinjected into the firewall at the rule after the
71 matching one for further processing.
72 All rules apply to all interfaces, so it is the responsibility
73 of the system administrator to write the ruleset in such a
74 way as to minimize the number of checks.
76 A configuration always includes a
78 rule (numbered 65535) which cannot be modified,
79 and matches all packets.
80 The action associated with the default rule can be either
84 depending on how the kernel is configured.
86 If the ruleset includes one or more rules with the
94 behaviour, i.e. upon a match it will create dynamic rules matching
95 the exact parameters (addresses and ports) of the matching packet.
97 These dynamic rules, which have a limited lifetime, are checked
98 at the first occurrence of a
102 rule, and are typically used to open the firewall on-demand to
103 legitimate traffic only.
108 sections below for more information on the stateful behaviour of
111 All rules (including dynamic ones) have a few associated counters:
112 a packet count, a byte count, a log count and a timestamp
113 indicating the time of the last match.
114 Counters can be displayed or reset with
118 Rules can be added with the
120 command; deleted individually with the
122 command, and globally with the
124 command; displayed, optionally with the content of the
130 Finally, counters can be reset with the
136 The following options are available:
137 .Bl -tag -width indent
139 While listing, show counter values.
142 command just implies this option.
144 While listing, show dynamic rules in addition to static ones.
146 While listing, if the
148 option was specified, also show expired dynamic rules.
150 Don't ask for confirmation for commands that can cause problems
154 if there is no tty associated with the process, this is implied.
162 be quiet about actions
165 This is useful for adjusting rules by executing multiple
169 .Ql sh\ /etc/rc.firewall ) ,
170 or by processing a file of many
173 across a remote login session.
176 is performed in normal (verbose) mode (with the default kernel
177 configuration), it prints a message.
178 Because all rules are flushed, the message cannot be delivered
179 to the login session.
180 This causes the remote login session to be closed and the
181 remainder of the ruleset is not processed.
182 Access to the console is required to recover.
184 While listing, show last match timestamp.
186 Try to resolve addresses and service names in output.
188 While listing pipes, sort according to one of the four
189 counters (total and current packets or bytes).
192 To ease configuration, rules can be put into a file which is
195 as shown in the first synopsis line.
200 will be read line by line and applied as arguments to the
204 Optionally, a preprocessor can be specified using
208 is to be piped through.
209 Useful preprocessors include
215 doesn't start with a slash
217 as its first character, the usual
219 name search is performed.
220 Care should be taken with this in environments where not all
221 filesystems are mounted (yet) by the time
223 is being run (e.g. when they are mounted over NFS).
226 has been specified, optional
230 specifications can follow and will be passed on to the preprocessor.
231 This allows for flexible configuration files (like conditionalizing
232 them on the local hostname) and the use of macros to centralize
233 frequently required arguments like IP addresses.
238 commands are used to configure the traffic shaper, as shown in the
239 .Sx TRAFFIC SHAPER CONFIGURATION
244 rule format is the following:
246 .Op Cm prob Ar match_probability
248 .Op Cm log Op Cm logamount Ar number
252 .Op Ar interface-spec
256 Each packet can be filtered based on the following information that is
259 .Bl -tag -width "Source and destination IP address" -offset indent -compact
261 (TCP, UDP, ICMP, etc.)
262 .It Source and destination IP address
264 .It Source and destination port
265 (lists, ranges or masks)
267 (incoming or outgoing)
268 .It Transmit and receive interface
271 .It IP type of service
272 .It IP datagram length
273 .It IP identification
278 .It TCP sequence number
279 .It TCP acknowledgment number
281 (SYN, FIN, ACK, RST, etc.)
286 .It User/group ID of the socket associated with the packet
289 Note that it may be dangerous to filter on the source IP
290 address or source TCP/UDP port because either or both could
292 .Bl -tag -width indent
293 .It Cm prob Ar match_probability
294 A match is only declared with the specified probability
295 (floating point number between 0 and 1).
296 This can be useful for a number of applications such as
297 random packet drop or
300 to simulate the effect of multiple paths leading to out-of-order
303 .Bl -tag -width indent
305 Allow packets that match the rule.
306 The search terminates.
313 Discard packets that match this rule.
314 The search terminates.
320 Discard packets that match this rule, and try to send an ICMP
321 host unreachable notice.
322 The search terminates.
323 .It Cm unreach Ar code
324 Discard packets that match this rule, and try to send an ICMP
325 unreachable notice with code
329 is a number from 0 to 255, or one of these aliases:
330 .Cm net , host , protocol , port ,
331 .Cm needfrag , srcfail , net-unknown , host-unknown ,
332 .Cm isolated , net-prohib , host-prohib , tosnet ,
333 .Cm toshost , filter-prohib , host-precedence
335 .Cm precedence-cutoff .
336 The search terminates.
339 Discard packets that match this rule, and try to send a TCP
341 The search terminates.
343 Update counters for all packets that match the rule.
344 The search continues with the next rule.
346 Checks the packet against the dynamic ruleset.
347 If a match is found then the search terminates, otherwise
348 we move to the next rule.
351 rule is found, the dynamic ruleset is checked at the first
354 .It Cm divert Ar port
355 Divert packets that match this rule to the
359 The search terminates.
361 Send a copy of packets matching this rule to the
365 The search terminates and the original packet is accepted
369 .It Cm fwd Ar ipaddr Ns Op , Ns Ar port
370 Change the next-hop on matching packets to
372 which can be an IP address in dotted quad or a host name.
375 is not a directly-reachable address, the route as found in
376 the local routing table for that IP is used instead.
379 is a local address, then on a packet matching a
382 it will be diverted to
384 on the local machine, keeping the local address of the socket
385 set to the original IP address the packet was destined for.
388 entry look rather weird but is intended for
389 use with transparent proxy servers.
390 If the IP is not a local address then the port number
391 (if specified) is ignored.
392 This will also map addresses when packets are
394 The search terminates if this rule matches.
395 If the port number is not given then the port number in the
396 packet is used, so that a packet for an external machine port
397 Y would be forwarded to local port Y.
398 The kernel must have been compiled with the
399 .Dv IPFIREWALL_FORWARD
401 Bridging interferes with forwarding of packets not destined
402 to the local system as they bypass
406 where forwarding is implemented.
409 action does not change the contents of the packet at all so
410 packets forwarded to another system will usually be rejected by that system
411 unless there is a matching rule on that system to capture them.
412 .It Cm pipe Ar pipe_nr
416 (for bandwidth limitation, delay, etc.).
418 .Sx TRAFFIC SHAPER CONFIGURATION
419 section for further information.
420 The search terminates; however, on exit from the pipe and if
424 .Em net.inet.ip.fw.one_pass
425 is not set, the packet is passed again to the firewall code
426 starting from the next rule.
427 .It Cm queue Ar queue_nr
431 (for bandwidth limitation using WF2Q).
432 .It Cm skipto Ar number
433 Skip all subsequent rules numbered less than
435 The search continues with the first rule numbered
439 .It Cm log Op Cm logamount Ar number
440 If the kernel was compiled with
441 .Dv IPFIREWALL_VERBOSE ,
442 then when a packet matches a rule with the
444 keyword a message will be
451 by default, they are appended to the
452 .Pa /var/log/security
454 .Xr syslog.conf 5 ) .
455 If the kernel was compiled with the
456 .Dv IPFIREWALL_VERBOSE_LIMIT
457 option, then by default logging will cease after the number
458 of packets specified by the option are received for that
459 particular chain entry, and
460 .Em net.inet.ip.fw.verbose_limit
461 will be set to that number.
463 .Cm logamount Ar number
466 will be the logging limit rather than
467 .Em net.inet.ip.fw.verbose_limit ,
470 removes the logging limit.
471 Logging may then be re-enabled by clearing the logging counter
472 or the packet counter for that entry.
474 Console logging and the log limit are adjustable dynamically
477 interface in the MIB base of
480 An IP protocol specified by number or name (for a complete
482 .Pa /etc/protocols ) .
487 keywords mean any protocol will match.
488 .It Ar src No and Ar dst :
489 .Cm any | me | Op Cm not
490 .Aq Ar address Ns / Ns Ar mask
495 makes the rule match any IP address.
499 makes the rule match any IP address configured on an interface in the system.
502 .Aq Ar address Ns / Ns Ar mask
504 .Bl -tag -width "ipno/bits"
506 An IP number of the form 1.2.3.4.
507 Only this exact IP number will match the rule.
508 .It Ar ipno Ns / Ns Ar bits
509 An IP number with a mask width of the form 1.2.3.4/24.
510 In this case all IP numbers from 1.2.3.0 to 1.2.3.255 will match.
511 .It Ar ipno Ns : Ns Ar mask
512 An IP number with a mask of the form 1.2.3.4:255.255.240.0.
513 In this case all IP numbers from 1.2.0.0 to 1.2.15.255 will match.
516 The sense of the match can be inverted by preceding an address with the
518 modifier, causing all other addresses to be matched instead.
519 This does not affect the selection of port numbers.
521 With the TCP and UDP protocols, optional
524 .Bd -ragged -offset indent
526 .Brq Ar port | port No \&- Ar port | port : mask
527 .Op , Ar port Op , Ar ...
533 notation specifies a range of ports (including boundaries).
537 notation specifies a port and a mask, a match is declared if
538 the port number in the packet matches the one in the rule,
539 limited to the bits which are set in the mask.
543 may be used instead of numeric port values.
544 A range may only be specified as the first value, and the
545 length of the port list is limited to
548 .Pa /usr/src/sys/netinet/ip_fw.h ) .
551 can be used to escape the dash
553 character in a service name:
555 .Dl "ipfw add count tcp from any ftp\e\e-data-ftp to any"
557 Fragmented packets which have a non-zero offset (i.e. not the first
558 fragment) will never match a rule which has one or more port
562 option for details on matching fragmented packets.
563 .It Ar interface-spec
564 Some combinations of the following specifiers are allowed:
565 .Bl -tag -width "via ipno"
567 Only match incoming packets.
569 Only match outgoing packets.
571 Packet must be going through interface
573 .It Cm via Ar if Ns Cm *
574 Packet must be going through interface
580 Packet must be going through
584 Packet must be going through the interface having IP address
590 keyword causes the interface to always be checked.
597 then only the receive or transmit interface (respectively)
599 By specifying both, it is possible to match packets based on
600 both receive and transmit interface, e.g.:
602 .Dl "ipfw add 100 deny ip from any to any out recv ed0 xmit ed1"
606 interface can be tested on either incoming or outgoing packets,
609 interface can only be tested on outgoing packets.
625 A packet may not have a receive or transmit interface: packets
626 originating from the local host have no receive interface,
627 while packets destined for the local host have no transmit
630 .Bl -tag -width indent
632 Upon a match, the firewall will create a dynamic rule, whose
633 default behaviour is to match bidirectional traffic between
634 source and destination IP/port using the same protocol.
635 The rule has a limited lifetime (controlled by a set of
637 variables), and the lifetime is refreshed every time a matching
639 .It Cm limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N
640 The firewall will only allow
642 connections with the same
643 set of parameters as specified in the rule.
645 of source and destination addresses and ports can be
648 Matches only bridged packets.
649 This can be useful for multicast or broadcast traffic, which
650 would otherwise pass through the firewall twice: once during
651 bridging, and a second time when the packet is delivered to
654 Apart from a small performance penalty, this would be a problem
657 because the same packet would be accounted for twice in terms
658 of bandwidth, queue occupation, and also counters.
659 .It Cm ipversion Ar ver
660 Match if the IP header version is
662 .It Cm ipprecedence Ar precedence
663 Match if the numeric value of the IP datagram's precedence is equal to
666 Match if the IP header contains the comma separated list of
667 service types specified in
669 The supported IP types of service are:
672 .Pq Dv IPTOS_LOWDELAY ,
674 .Pq Dv IPTOS_THROUGHPUT ,
676 .Pq Dv IPTOS_RELIABILITY ,
678 .Pq Dv IPTOS_MINCOST ,
681 The absence of a particular type may be denoted
685 Match if the total length of a packet, including header and data, is
689 Match if the identification of the IP datagram is
692 Match if the packet is a fragment and this is not the first
693 fragment of the datagram.
695 may not be used in conjunction with either
697 or TCP/UDP port specifications.
699 Match if the time to live of the IP datagram is
701 .It Cm ipoptions Ar spec
702 Match if the IP header contains the comma separated list of
705 The supported IP options are:
708 (strict source route),
710 (loose source route),
712 (record packet route) and
715 The absence of a particular option may be denoted
720 Match if the TCP header sequence number field is set to
724 Match if the TCP header acknowledgment number field is set to
726 .It Cm tcpflags Ar spec
728 Match if the TCP header contains the comma separated list of
731 The supported TCP flags are:
740 The absence of a particular flag may be denoted
743 A rule which contains a
745 specification can never match a fragmented packet which has
749 option for details on matching fragmented packets.
752 Match packets that have the RST or ACK bits set.
755 Match packets that have the SYN bit set but no ACK bit.
756 This is the short form of
757 .Dq Li tcpflags\ syn,!ack .
760 Match if the TCP header window field is set to
762 .It Cm tcpoptions Ar spec
764 Match if the TCP header contains the comma separated list of
767 The supported TCP options are:
770 (maximum segment size),
772 (tcp window advertisement),
776 (rfc1323 timestamp) and
778 (rfc1644 t/tcp connection count).
779 The absence of a particular option may be denoted
782 .It Cm icmptypes Ar types
784 Match if the ICMP type is in the list
786 The list may be specified as any combination of ranges or
787 individual types separated by commas.
788 The supported ICMP types are:
792 destination unreachable
804 time-to-live exceeded
818 and address mask reply
821 Match all TCP or UDP packets sent by or received for a
825 may be matched by name or identification number.
827 Match all TCP or UDP packets sent by or received for a
831 may be matched by name or identification number.
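The address forms, port specifications and first-match scanning described in this section, modelled as an added example (this is not ipfw's own code); the Rule and Packet shapes, the frag_offset field and the sample ruleset are assumptions of this example:

```python
"""Toy model of ipfw rule matching: address forms, port specs, first match.
Added example, not ipfw's own code; it follows the man page's description of
ipno, ipno/bits, ipno:mask and 'not', of port lists, ranges and port:mask,
and of 'count' continuing, 'skipto' jumping and default rule 65535 ending."""
import ipaddress
from dataclasses import dataclass

def addr_matches(spec, ip):
    """spec: 'any', 'ipno', 'ipno/bits' or 'ipno:mask', optionally after 'not '."""
    negated = spec.startswith("not ")
    if negated:
        spec = spec[4:].strip()
    if spec == "any":
        hit = True
    else:
        # ipno:mask is what the ipaddress module spells ipno/mask (IPv4 only here)
        net = ipaddress.ip_network(spec.replace(":", "/", 1), strict=False)
        hit = ipaddress.ip_address(ip) in net
    return hit != negated          # 'not' inverts the sense of the match

def port_matches(spec, port):
    """spec: comma list of 'port', 'lo-hi' (first value only) or 'port:mask'."""
    for i, item in enumerate(spec.split(",")):
        item = item.strip()
        if "-" in item:
            if i != 0:
                raise ValueError("a range may only be specified as the first value")
            lo, hi = (int(x) for x in item.split("-"))
            if lo <= port <= hi:                  # boundaries included
                return True
        elif ":" in item:
            want, mask = (int(x, 0) for x in item.split(":"))
            if (port & mask) == (want & mask):    # only the masked bits count
                return True
        elif port == int(item):
            return True
    return False

@dataclass
class Rule:
    number: int
    action: str        # allow | deny | count | skipto
    proto: str         # 'ip' matches any protocol
    src: str
    dst: str = "any"
    sports: str = ""   # '' means no port restriction
    dports: str = ""
    target: int = 0    # skipto target
    packets: int = 0   # per-rule packet counter

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    frag_offset: int = 0   # assumption: non-zero for a non-first fragment

def rule_matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
        return False
    if rule.sports or rule.dports:
        if pkt.frag_offset:      # non-first fragments never match port rules
            return False
        if rule.sports and not port_matches(rule.sports, pkt.sport):
            return False
        if rule.dports and not port_matches(rule.dports, pkt.dport):
            return False
    return True

def evaluate(rules, pkt, default="deny"):
    """Scan in rule-number order; return (action, number of the deciding rule)."""
    rules = sorted(rules, key=lambda r: r.number)
    i = 0
    while i < len(rules):
        r = rules[i]
        if not rule_matches(r, pkt):
            i += 1
            continue
        r.packets += 1
        if r.action == "count":           # counters updated, search continues
            i += 1
        elif r.action == "skipto":        # skip rules numbered below the target
            i += 1                        # targets always lie after the rule
            while i < len(rules) and rules[i].number < r.target:
                i += 1
        else:                             # allow / deny: the search terminates
            return r.action, r.number
    return default, 65535                 # the unmodifiable default rule

def sample_rules():
    """Constructed ruleset (not from the man page) exercising count and skipto."""
    return [Rule(100, "count", "ip", "any"),
            Rule(200, "skipto", "tcp", "192.168.2.0/24", target=1000),
            Rule(300, "deny", "ip", "any"),
            Rule(1000, "allow", "tcp", "any", dports="80,443"),
            Rule(1100, "deny", "tcp", "any")]
```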
834 .Sh TRAFFIC SHAPER CONFIGURATION
837 utility is also the user interface for the
840 The shaper operates by dividing packets into
842 according to a user-specified mask on different fields
844 Packets belonging to the same flow are then passed to two
845 different objects, named
852 emulates a link with given bandwidth, propagation delay,
853 queue size and packet loss rate.
854 Packets transit through the pipe according to its parameters.
858 is an abstraction used to implement the WF2Q+ (Worst-case Fair Weighted Fair Queueing) policy.
859 The queue associates a weight and a reference pipe with each flow.
860 Then, all flows linked to the same pipe are scheduled at the
861 rate fixed by the pipe according to the WF2Q+ policy.
865 pipe configuration format is the following:
867 .Cm pipe Ar number Cm config
868 .Op Cm bw Ar bandwidth | device
869 .Op Cm delay Ar ms-delay
874 .Op Cm plr Ar loss-probability
875 .Op Cm mask Ar mask-specifier
876 .Op Cm buckets Ar hash-table-size
880 .Ar w_q No / Ar min_th No / Ar max_th No / Ar max_p
887 queue configuration format is the following:
889 .Cm queue Ar number Cm config
890 .Op Cm pipe Ar pipe_nr
891 .Op Cm weight Ar weight
896 .Op Cm plr Ar loss-probability
897 .Op Cm mask Ar mask-specifier
898 .Op Cm buckets Ar hash-table-size
902 .Ar w_q No / Ar min_th No / Ar max_th No / Ar max_p
907 The following parameters can be configured for a pipe:
908 .Bl -tag -width indent
909 .It Cm bw Ar bandwidth | device
910 Bandwidth, measured in
913 .Brq Cm bit/s | Byte/s .
916 A value of 0 (default) means unlimited bandwidth.
917 The unit must immediately follow the number, as in
919 .Dl "ipfw pipe 1 config bw 300Kbit/s queue 50KBytes"
921 If a device name is specified instead of a numeric
922 value, then the transmit clock is supplied by the specified
924 At the moment only the
927 functionality, for use in conjunction with
929 .It Cm delay Ar ms-delay
930 Propagation delay, measured in milliseconds.
931 The value is rounded to the next multiple of the clock tick
932 (typically 10ms, but it is a good practice to run kernels
934 .Dq "options HZ=1000"
936 the granularity to 1ms or less).
937 Default value is 0, meaning no delay.
938 .It Cm queue Brq Ar slots | size Ns Cm Kbytes
943 Default value is 50 slots, which
944 is the typical queue size for Ethernet devices.
945 Note that for slow speed links you should keep the queue
946 size short or your traffic might be affected by a significant
948 E.g., 50 max-sized ethernet packets (1500 bytes) mean 600Kbit
949 or 20s of queue on a 30Kbit/s pipe.
950 An even worse effect can result if you get packets from an
951 interface with a much larger MTU, e.g. the loopback interface
952 with its 16KB packets.
953 .It Cm plr Ar packet-loss-rate
957 is a floating-point number between 0 and 1, with 0 meaning no
958 loss, 1 meaning 100% loss.
959 The loss rate is internally represented on 31 bits.
960 .It Cm mask Ar mask-specifier
963 lets you create per-flow queues.
964 A flow identifier is constructed by masking the IP addresses,
965 ports and protocol types as specified in the pipe configuration.
966 Packets with the same identifier after masking fall into the
968 Available mask specifiers are a combination of the following:
971 .Cm dst-port Ar mask ,
972 .Cm src-port Ar mask ,
976 where the latter means all bits in all fields are significant.
979 configuration, each flow is assigned a rate equal
980 to the rate of the pipe.
983 configuration, each flow is assigned a weight equal to the
984 weight of the queue, and all flows mapped onto the same pipe
985 share bandwidth proportionally to their weight.
986 .It Cm buckets Ar hash-table-size
987 Specifies the size of the hash table used for storing the
989 Default value is 64, controlled by the
992 .Em net.inet.ip.dummynet.hash_size ,
993 allowed range is 16 to 1024.
994 .It Cm pipe Ar pipe_nr
995 Connects a queue to the specified pipe.
996 Multiple queues (usually
997 with different weights) can be connected to the same pipe, which
998 specifies the aggregate rate for the set of queues.
999 .It Cm weight Ar weight
1000 Specifies the weight to be used for flows matching this queue.
1001 The weight must be in the range 1..100, and defaults to 1.
1002 .It Cm red | gred Ar w_q Ns / Ns Ar min_th Ns / Ns Ar max_th Ns / Ns Ar max_p
1003 Make use of the RED (Random Early Detection) queue management algorithm.
1008 point numbers between 0 and 1 (0 not included), while
1012 are integer numbers specifying thresholds for queue management
1013 (thresholds are computed in bytes if the queue has been defined
1014 in bytes, in slots otherwise).
1017 also supports the gentle RED variant (gred).
1020 variables can be used to control the RED behaviour:
1021 .Bl -tag -width indent
1022 .It Em net.inet.ip.dummynet.red_lookup_depth
1023 specifies the accuracy in computing the average queue
1024 when the link is idle (defaults to 256, must be greater than zero)
1025 .It Em net.inet.ip.dummynet.red_avg_pkt_size
1026 specifies the expected average packet size (defaults to 512, must be
1028 .It Em net.inet.ip.dummynet.red_max_pkt_size
1029 specifies the expected maximum packet size, only used when queue
1030 thresholds are in bytes (defaults to 1500, must be greater than zero).
1034 Here are some important points to consider when designing your
1038 Remember that you filter both packets going
1042 Most connections need packets going in both directions.
1044 Remember to test very carefully.
1045 It is a good idea to be near the console when doing this.
1046 If you cannot be near the console,
1047 use an auto-recovery script such as the one in
1048 .Pa /usr/share/examples/ipfw/change_rules.sh .
1050 Don't forget the loopback interface.
1055 There are circumstances where fragmented datagrams are unconditionally
1057 TCP packets are dropped if they do not contain at least 20 bytes of
1058 TCP header, UDP packets are dropped if they do not contain a full 8
1059 byte UDP header, and ICMP packets are dropped if they do not contain
1060 4 bytes of ICMP header, enough to specify the ICMP type, code, and
1062 These packets are simply logged as
1064 since there may not be enough good data in the packet to produce a
1065 meaningful log entry.
1067 Another type of packet is unconditionally dropped, a TCP packet with a
1068 fragment offset of one.
1069 This is a valid packet, but it only has one use, to try
1070 to circumvent firewalls.
1071 When logging is enabled, these packets are
1072 reported as being dropped by rule -1.
1074 If you are logged in over a network, loading the
1078 is probably not as straightforward as you would think.
1079 I recommend the following command line:
1080 .Bd -literal -offset indent
1081 kldload /modules/ipfw.ko && \e
1082 ipfw add 32000 allow ip from any to any
1085 Along the same lines, doing an
1086 .Bd -literal -offset indent
1090 in similar surroundings is also a bad idea.
1094 filter list may not be modified if the system security level
1095 is set to 3 or higher
1098 for information on system security levels).
1100 .Sh PACKET DIVERSION
1103 socket bound to the specified port will receive all packets
1104 diverted to that port.
1105 If no socket is bound to the destination port, or if the kernel
1106 wasn't compiled with divert socket support, the packets are
1108 .Sh SYSCTL VARIABLES
1111 variables controls the behaviour of the firewall.
1112 These are shown below together with their default value
1113 (but always check with the
1115 command what value is actually in use) and meaning:
1116 .Bl -tag -width indent
1117 .It Em net.inet.ip.fw.debug : No 1
1118 Controls debugging messages produced by
1120 .It Em net.inet.ip.fw.one_pass : No 1
1121 When set, the packet exiting from the
1123 pipe is not passed through the firewall again.
1124 Otherwise, after a pipe action, the packet is
1125 reinjected into the firewall at the next rule.
1126 .It Em net.inet.ip.fw.verbose : No 1
1127 Enables verbose messages.
1128 .It Em net.inet.ip.fw.enable : No 1
1129 Enables the firewall.
1130 Setting this variable to 0 lets you run your machine without
1131 firewall even if compiled in.
1132 .It Em net.inet.ip.fw.verbose_limit : No 0
1133 Limits the number of messages produced by a verbose firewall.
1134 .It Em net.inet.ip.fw.dyn_buckets : No 256
1135 .It Em net.inet.ip.fw.curr_dyn_buckets : No 256
1136 The configured and current size of the hash table used to
1138 This must be a power of 2.
1139 The table can only be resized when empty, so in order to
1140 resize it on the fly you will probably have to
1142 and reload the ruleset.
1143 .It Em net.inet.ip.fw.dyn_count : No 3
1144 Current number of dynamic rules
1146 .It Em net.inet.ip.fw.dyn_max : No 1000
1147 Maximum number of dynamic rules.
1148 When you hit this limit, no more dynamic rules can be
1149 installed until old ones expire.
1150 .It Em net.inet.ip.fw.dyn_ack_lifetime : No 300
1151 .It Em net.inet.ip.fw.dyn_syn_lifetime : No 20
1152 .It Em net.inet.ip.fw.dyn_fin_lifetime : No 1
1153 .It Em net.inet.ip.fw.dyn_rst_lifetime : No 1
1154 .It Em net.inet.ip.fw.dyn_udp_lifetime : No 5
1155 .It Em net.inet.ip.fw.dyn_short_lifetime : No 30
1156 These variables control the lifetime, in seconds, of dynamic
1158 Upon the initial SYN exchange the lifetime is kept short,
1159 then increased after both SYNs have been seen, then decreased
1160 again during the final FIN exchange or when a RST
1163 This command adds an entry which denies all tcp packets from
1164 .Em cracker.evil.org
1165 to the telnet port of
1167 from being forwarded by the host:
1169 .Dl "ipfw add deny tcp from cracker.evil.org to wolf.tambov.su telnet"
1171 This one disallows any connection from the entire crackers
1174 .Dl "ipfw add deny ip from 123.45.67.0/24 to my.host.org"
1176 A first and efficient way to limit access (not using dynamic rules)
1177 is the use of the following rules:
1179 .Dl "ipfw add allow tcp from any to any established"
1180 .Dl "ipfw add allow tcp from net1 portlist1 to net2 portlist2 setup"
1181 .Dl "ipfw add allow tcp from net3 portlist3 to net3 portlist3 setup"
1183 .Dl "ipfw add deny tcp from any to any"
1185 The first rule will be a quick match for normal TCP packets,
1186 but it will not match the initial SYN packet, which will be
1189 rules only for selected source/destination pairs.
1190 All other SYN packets will be rejected by the final
1194 In order to protect a site from flood attacks involving fake
1195 TCP packets, it is safer to use dynamic rules:
1197 .Dl "ipfw add check-state"
1198 .Dl "ipfw add deny tcp from any to any established"
1199 .Dl "ipfw add allow tcp from my-net to any setup keep-state"
1201 This will let the firewall install dynamic rules only for
1202 those connections which start with a regular SYN packet coming
1203 from the inside of our network.
1204 Dynamic rules are checked when encountering the first
1211 rule should be usually placed near the beginning of the
1212 ruleset to minimize the amount of work scanning the ruleset.
1213 Your mileage may vary.
1215 To limit the number of connections a user can open
1216 you can use the following type of rules:
1218 .Dl "ipfw add allow tcp from my-net/24 to any setup limit src-addr 10"
1219 .Dl "ipfw add allow tcp from any to me setup limit src-addr 4"
1221 The former (assuming it runs on a gateway) will allow each host
1222 on a /24 network to open at most 10 TCP connections.
1223 The latter can be placed on a server to make sure that a single
1224 client does not use more than 4 simultaneous connections.
1227 stateful rules can be subject to denial-of-service attacks
1228 by a SYN-flood which opens a huge number of dynamic rules.
1229 The effects of such attacks can be partially limited by
1232 variables which control the operation of the firewall.
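The stateful behaviour used in the check-state/keep-state and limit examples above, together with the dyn_*_lifetime and dyn_max sysctl semantics from the SYSCTL VARIABLES section, worked through as an added example (not ipfw's own code); the rule dictionaries, the packet shape and the 10.0.0.0/24 value standing in for my-net are assumptions of this example:

```python
"""Toy model of ipfw dynamic rules: check-state, keep-state and limit.
Added example, not ipfw's own code; lifetimes use the man page's sysctl defaults
(dyn_syn 20, dyn_ack 300, dyn_fin/rst 1, dyn_udp 5 seconds; dyn_max 1000)."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

LIFETIME = {"syn": 20, "ack": 300, "fin": 1, "rst": 1, "udp": 5}
# flags is a subset of {"syn", "ack", "fin", "rst"}; this shape is an assumption
Packet = namedtuple("Packet", "proto src sport dst dport flags", defaults=[frozenset()])

@dataclass
class DynRule:
    action: str        # inherited from the parent rule
    parent: int        # number of the rule that installed it
    limit_key: tuple   # ("src-addr", "10.0.0.5") for limit rules, else ()
    expires: float

def _net(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)

def _flow_key(p):
    # dynamic rules match both directions, so order the endpoints
    return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

class Firewall:
    def __init__(self, rules, dyn_max=1000):
        self.rules, self.dyn, self.dyn_max = rules, {}, dyn_max

    def _refresh(self, d, p, now):
        """Short lifetime during the SYN exchange, long once the handshake has
        progressed (ACK seen), short again on FIN/RST; UDP has its own."""
        if p.proto == "udp":
            life = "udp"
        elif "rst" in p.flags:
            life = "rst"
        elif "fin" in p.flags:
            life = "fin"
        else:
            life = "ack" if "ack" in p.flags else "syn"
        d.expires = now + LIFETIME[life]

    def _check_state(self, p, now):
        for k in [k for k, d in self.dyn.items() if d.expires <= now]:
            del self.dyn[k]                  # expired dynamic rules go away
        d = self.dyn.get(_flow_key(p))
        if d is not None:                    # a match refreshes the lifetime
            self._refresh(d, p, now)
        return d

    def _install(self, r, p, now):
        if len(self.dyn) >= self.dyn_max:    # dyn_max hit: wait for expiry
            return False
        key = ()
        if "limit" in r:
            field, n = r["limit"]
            key = (field, {"src-addr": p.src, "dst-addr": p.dst,
                           "src-port": p.sport, "dst-port": p.dport}[field])
            open_ = sum(1 for d in self.dyn.values()
                        if d.parent == r["number"] and d.limit_key == key)
            if open_ >= n:                   # N connections already open
                return False
        d = self.dyn[_flow_key(p)] = DynRule(r["action"], r["number"], key, 0)
        self._refresh(d, p, now)
        return True

    def _static_match(self, r, p):
        if r["proto"] not in ("ip", p.proto):
            return False
        if not (ipaddress.ip_address(p.src) in _net(r["src"])
                and ipaddress.ip_address(p.dst) in _net(r["dst"])):
            return False
        if r.get("setup") and not ("syn" in p.flags and "ack" not in p.flags):
            return False                     # setup = SYN without ACK
        if r.get("established") and not (p.flags & {"rst", "ack"}):
            return False                     # established = RST or ACK set
        return True

    def evaluate(self, p, now=0.0):
        """Return (action, deciding rule number or 'dynamic')."""
        for r in self.rules:
            if r["action"] == "check-state":
                d = self._check_state(p, now)
                if d is not None:
                    return d.action, "dynamic"
                continue
            if not self._static_match(r, p):
                continue
            if "keep-state" in r or "limit" in r:   # both imply check-state
                d = self._check_state(p, now)
                if d is not None:
                    return d.action, "dynamic"
                if not self._install(r, p, now):
                    return "deny", r["number"]
            return r["action"], r["number"]
        return "deny", 65535

def stateful_rules(my_net="10.0.0.0/24"):
    """The man page's stateful example; the value of my-net is an assumption."""
    return [{"number": 100, "action": "check-state"},
            {"number": 200, "action": "deny", "proto": "tcp", "src": "any", "dst": "any", "established": True},
            {"number": 300, "action": "allow", "proto": "tcp", "src": my_net, "dst": "any", "setup": True, "keep-state": True}]
```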
1234 Here is a good usage of the
1236 command to see accounting records and timestamp information:
1240 or in short form without timestamps:
1244 which is equivalent to:
1248 Next rule diverts all incoming packets from 192.168.2.0/24
1249 to divert port 5000:
1251 .Dl ipfw divert 5000 ip from 192.168.2.0/24 to any in
1253 The following rules show some of the applications of
1257 for simulations and the like.
1259 This rule drops random incoming packets with a probability
1262 .Dl "ipfw add prob 0.05 deny ip from any to any in"
1264 A similar effect can be achieved making use of dummynet pipes:
1266 .Dl "ipfw add pipe 10 ip from any to any"
1267 .Dl "ipfw pipe 10 config plr 0.05"
1269 We can use pipes to artificially limit bandwidth, e.g. on a
1270 machine acting as a router, if we want to limit traffic from
1271 local clients on 192.168.2.0/24 we do:
1273 .Dl "ipfw add pipe 1 ip from 192.168.2.0/24 to any out"
1274 .Dl "ipfw pipe 1 config bw 300Kbit/s queue 50KBytes"
1276 Note that we use the
1278 modifier so that the rule is not used twice.
1279 Remember in fact that
1281 rules are checked both on incoming and outgoing packets.
1283 Should we like to simulate a bidirectional link with bandwidth
1284 limitations, the correct way is the following:
1286 .Dl "ipfw add pipe 1 ip from any to any out"
1287 .Dl "ipfw add pipe 2 ip from any to any in"
1288 .Dl "ipfw pipe 1 config bw 64Kbit/s queue 10Kbytes"
1289 .Dl "ipfw pipe 2 config bw 64Kbit/s queue 10Kbytes"
1291 The above can be very useful, e.g. if you want to see how
1292 your fancy Web page will look for a residential user which
1293 is connected only through a slow link.
1294 You should not use only one pipe for both directions, unless
1295 you want to simulate a half-duplex medium (e.g. AppleTalk,
1297 It is not necessary that both pipes have the same configuration,
1298 so we can also simulate asymmetric links.
1300 Should we like to verify network performance with the RED queue
1301 management algorithm:
1303 .Dl "ipfw add pipe 1 ip from any to any"
1304 .Dl "ipfw pipe 1 config bw 500Kbit/s queue 100 red 0.002/30/80/0.1"
1306 Another typical application of the traffic shaper is to
1307 introduce some delay in the communication.
1308 This can affect many applications which do a lot of Remote
1309 Procedure Calls, and where the round-trip-time of the
1310 connection often becomes a limiting factor much more than
1313 .Dl "ipfw add pipe 1 ip from any to any out"
1314 .Dl "ipfw add pipe 2 ip from any to any in"
1315 .Dl "ipfw pipe 1 config delay 250ms bw 1Mbit/s"
1316 .Dl "ipfw pipe 2 config delay 250ms bw 1Mbit/s"
1318 Per-flow queueing can be useful for a variety of purposes.
1319 A very simple one is counting traffic:
1321 .Dl "ipfw add pipe 1 tcp from any to any"
1322 .Dl "ipfw add pipe 1 udp from any to any"
1323 .Dl "ipfw add pipe 1 ip from any to any"
1324 .Dl "ipfw pipe 1 config mask all"
1326 The above set of rules will create queues (and collect
1327 statistics) for all traffic.
1328 Because the pipes have no limitations, the only effect is
1329 collecting statistics.
1330 Note that we need 3 rules, not just the last one, because
1333 tries to match IP packets it will not consider ports, so we
1334 would not see connections on separate ports as different
1337 A more sophisticated example is limiting the outbound traffic
1338 on a net with per-host limits, rather than per-network limits:
1340 .Dl "ipfw add pipe 1 ip from 192.168.2.0/24 to any out"
1341 .Dl "ipfw add pipe 2 ip from any to 192.168.2.0/24 in"
1342 .Dl "ipfw pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
1343 .Dl "ipfw pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
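The per-flow behaviour used in the last two examples (mask-based flow identifiers, pipe rate versus WF2Q+ weight shares) and the queue-sizing warning from the pipe options, worked through as an added example; this is not dummynet's own code, and the packet dictionaries and constructed addresses are assumptions:

```python
"""Toy model of dummynet per-flow classification and queue sizing.
Added example, not dummynet's own code. It builds the flow identifier from a
pipe 'mask' spec as the man page describes, gives each flow the pipe rate
(pipe) or a weight share (WF2Q+ queue), and computes the queueing delay a
full queue adds on a slow link. The packet dictionaries are an assumption."""
import ipaddress

FIELDS = ("src-ip", "dst-ip", "src-port", "dst-port", "proto")
FULL = {"src-ip": 0xffffffff, "dst-ip": 0xffffffff,
        "src-port": 0xffff, "dst-port": 0xffff, "proto": 0xff}

def parse_mask(spec):
    """'src-ip 0x000000ff dst-port 0xffff' -> {'src-ip': 255, 'dst-port': 65535};
    'all' makes every bit of every field significant."""
    words = spec.split()
    if words == ["all"]:
        return dict(FULL)
    if len(words) % 2:
        raise ValueError("mask specifiers come in name/value pairs")
    masks = {}
    for name, value in zip(words[::2], words[1::2]):
        if name not in FIELDS:
            raise ValueError("unknown mask field %r" % name)
        masks[name] = int(value, 0) & FULL[name]
    return masks

def flow_id(pkt, masks):
    """Fields absent from the mask are zeroed, so they never separate flows."""
    raw = {"src-ip": int(ipaddress.ip_address(pkt["src"])),
           "dst-ip": int(ipaddress.ip_address(pkt["dst"])),
           "src-port": pkt["sport"], "dst-port": pkt["dport"],
           "proto": pkt["proto"]}
    return tuple(raw[f] & masks.get(f, 0) for f in FIELDS)

def classify(packets, mask_spec):
    """Return {flow_id: [packets]}: packets with equal masked fields share a queue."""
    masks = parse_mask(mask_spec)
    flows = {}
    for p in packets:
        flows.setdefault(flow_id(p, masks), []).append(p)
    return flows

def pipe_flow_rates(flow_ids, pipe_bw):
    """A pipe gives every flow the full pipe rate (the per-host limit above),
    so the aggregate can reach len(flow_ids) * pipe_bw."""
    return {f: pipe_bw for f in flow_ids}

def queue_flow_rates(weights, pipe_bw):
    """WF2Q+ queues on one pipe share its rate in proportion to their weights."""
    total = sum(weights.values())
    return {q: pipe_bw * w / total for q, w in weights.items()}

def queue_drain_seconds(slots, pkt_bytes, bw_bits_per_s):
    """Extra delay a full queue adds: 50 x 1500-byte packets on a 30 Kbit/s
    pipe hold 600 Kbit, i.e. 20 s, as the man page warns."""
    return slots * pkt_bytes * 8 / bw_bits_per_s
```

Note that the 0x000000ff mask in the /24 example keeps only the last octet, so hosts in different /24s with the same last octet would share one queue.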
1344 .Sh IMPLEMENTATION NOTES
1345 The number of times a packet is processed by
1347 varies \(em basically,
1349 is invoked every time the kernel functions
1355 This means that packets are processed once for connections having
1356 only one endpoint on the local host, twice for connections with
1357 both endpoints on the local host, or for packets routed by the host
1358 (acting as a gateway), and once for packets bridged by the host
1359 (acting as a bridge).
1376 The syntax has grown over the years and it is not very clean.
1378 .Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
1380 This program can put your computer in a rather unusable state.
1381 When using it for the first time, work on the console of the
1384 do anything you don't understand.
1386 When manipulating/adding chain entries, service and protocol names
1389 Incoming packet fragments diverted by
1393 are reassembled before delivery to the socket.
1395 Packets that match a
1397 rule should not be immediately accepted, but should continue
1398 going through the rule list.
1399 This may be fixed in a later version.
1401 Packets diverted to userland, and then reinserted by a userland process
1404 will lose various packet attributes, including their source interface.
1405 If a packet is reinserted in this manner, later rules may be incorrectly
1406 applied, making the order of
1408 rules in the rule sequence very important.
1410 .An Ugen J. S. Antsilevich ,
1411 .An Poul-Henning Kamp ,
1417 API based upon code written by
1423 traffic shaper supported by Akamba Corp.
1427 utility first appeared in
1432 Stateful extensions were introduced in