.Nd IP packet filter and traffic accounting
into the kernel, place the following option in the kernel configuration
.Bd -ragged -offset indent
.Cd "options IPFIREWALL"
Other related kernel options
which may also be useful are:
.Bd -ragged -offset indent
.Cd "options IPFIREWALL_DEFAULT_TO_ACCEPT"
.Cd "options IPDIVERT"
.Cd "options IPFIREWALL_NAT"
.Cd "options IPFIREWALL_NAT64"
.Cd "options IPFIREWALL_NPTV6"
.Cd "options IPFIREWALL_PMOD"
.Cd "options IPFIREWALL_VERBOSE"
.Cd "options IPFIREWALL_VERBOSE_LIMIT=100"
.Cd "options LIBALIAS"
as a module at boot time, add the following line into the
.Bd -literal -offset indent
system facility allows filtering,
redirecting, and other operations on
packets travelling through
The default behavior of
is to block all incoming and outgoing traffic.
This behavior can be modified, to allow all traffic through the
firewall by default, by enabling the
.Dv IPFIREWALL_DEFAULT_TO_ACCEPT
This option may be useful when configuring
behavior is to allow everything, it is easier to cope with
firewall-tuning mistakes which may accidentally block all traffic.
facility, the kernel option
enables diverting packets to
When using the in-kernel
functionality in the kernel.
transition mechanisms in
methods in the kernel.
network prefix translation facility of
enables this functionality in the kernel.
When using the packet modification facility of
enables this functionality in the kernel.
To enable logging of packets passing through
.Dv IPFIREWALL_VERBOSE
.Dv IPFIREWALL_VERBOSE_LIMIT
from flooding system logs or causing local Denial of Service.
This option may be set to the number of packets which will be logged on
a per-entry basis before the entry is rate-limited.
When using the in-kernel
functionality in the kernel.
Full functionality refers to included support for ftp, bbt,
skinny, irc, pptp and smedia packets, which are missing in the basic
functionality accomplished with the
The user interface for
is implemented by the
utility, so please refer to the
man page for a complete description of the
capabilities and how to use it.
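The following is an added example, not part of the original manual page or of the project's code: a shell check that reads a kernel configuration file and reports the two settings described above that weaken the defaults, namely IPFIREWALL_DEFAULT_TO_ACCEPT left enabled and IPFIREWALL_VERBOSE set without a numeric IPFIREWALL_VERBOSE_LIMIT.
The function names and the sample file are constructed for illustration, and the parser assumes one option per "options" line.

```shell
#!/bin/sh
# Added example: audit a kernel configuration file for the ipfw options
# described on this page. Function names are hypothetical.

# has_option FILE NAME: succeeds if an uncommented "options NAME[=value]" exists.
has_option() {
    sed 's/#.*//' "$1" | awk -v opt="$2" '
        $1 == "options" { split($2, kv, "="); if (kv[1] == opt) found = 1 }
        END { exit !found }'
}

# option_value FILE NAME: prints the text after "=", or nothing if unset.
option_value() {
    sed 's/#.*//' "$1" | awk -v opt="$2" '
        $1 == "options" { n = split($2, kv, "="); if (kv[1] == opt && n > 1) v = kv[2] }
        END { print v }'
}

# audit_ipfw_conf FILE: prints one finding per line; no output means no findings.
audit_ipfw_conf() {
    conf=$1
    # Default-deny has been switched to default-allow.
    if has_option "$conf" IPFIREWALL_DEFAULT_TO_ACCEPT; then
        echo "DEFAULT_ACCEPT"
    fi
    # Logging is on but no per-entry limit protects the system logs.
    if has_option "$conf" IPFIREWALL_VERBOSE; then
        limit=$(option_value "$conf" IPFIREWALL_VERBOSE_LIMIT)
        case $limit in
            ''|*[!0-9]*) echo "VERBOSE_NO_LIMIT" ;;
        esac
    fi
}

# Constructed sample configuration (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT   # tuning aid left enabled
options IPFIREWALL_VERBOSE
#options IPFIREWALL_VERBOSE_LIMIT=100
EOF
audit_ipfw_conf "$sample"
```

A commented-out limit counts as unset, which is why the sample yields both findings.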