Diffstat (limited to 'sbin/ipfw/ipfw.8')
-rw-r--r-- sbin/ipfw/ipfw.8 | 194
1 files changed, 157 insertions, 37 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 1a042ae2bbbf..ddfdc35ce651 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1,11 +1,11 @@
.\"
-.Dd April 25, 2023
+.Dd April 18, 2025
.Dt IPFW 8
.Os
.Sh NAME
.Nm ipfw , dnctl
.Nd User interface for firewall, traffic shaper, packet scheduler,
-in-kernel NAT.
+in-kernel NAT.\&
.Sh SYNOPSIS
.Ss FIREWALL CONFIGURATION
.Nm
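Review bot: the `\&` appended after "in-kernel NAT." only masks the sentence-end spacing that the trailing period triggers; the usual mdoc convention is that the `.Nd` description carries no terminal period at all, so dropping the period ("in-kernel NAT") is the cleaner fix than escaping it.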
@@ -40,10 +40,10 @@ in-kernel NAT.
.Ss SYSCTL SHORTCUTS
.Nm
.Cm enable
-.Brq Cm firewall | altq | one_pass | debug | verbose | dyn_keepalive
+.Brq Cm firewall | altq | one_pass | debug | verbose | dyn_keepalive | skipto_cache
.Nm
.Cm disable
-.Brq Cm firewall | altq | one_pass | debug | verbose | dyn_keepalive
+.Brq Cm firewall | altq | one_pass | debug | verbose | dyn_keepalive | skipto_cache
.Ss LOOKUP TABLES
.Nm
.Oo Cm set Ar N Oc Cm table Ar name Cm create Ar create-options
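Review bot: `skipto_cache` is added to the `enable`/`disable` synopsis, but no hunk in this patch adds a matching entry to the SYSCTL VARIABLES list (a `.It Va net.inet.ip.fw.skipto_cache : No ...` line giving the default and what the cache does), so a reader cannot learn from the manual what the switch changes; please document it alongside the other shortcuts such as `one_pass` and `dyn_keepalive`.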
@@ -171,6 +171,8 @@ in-kernel NAT.
.Nm
.Cm internal iflist
.Nm
+.Cm internal monitor Op Ar filter-comment
+.Nm
.Cm internal talist
.Nm
.Cm internal vlist
@@ -331,8 +333,8 @@ When listing, show dynamic rules in addition to static ones.
When listing, show only dynamic states.
When deleting, delete only dynamic states.
.It Fl f
-Run without prompting for confirmation for commands that can cause problems if misused,
-i.e.,
+Run without prompting for confirmation for commands that can cause problems
+if misused, i.e.,
.Cm flush .
If there is no tty associated with the process, this is implied.
The
@@ -577,7 +579,7 @@ The format of firewall rules is the following:
.Op Cm set Ar set_number
.Op Cm prob Ar match_probability
.Ar action
-.Op Cm log Op Cm logamount Ar number
+.Op Cm log Op log_opts
.Op Cm altq Ar queue
.Oo
.Bro Cm tag | untag
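Review bot: `.Op Cm log Op log_opts` leaves `log_opts` unmarked; it is a placeholder, not a literal keyword, and should be `.Op Cm log Op Ar log_opts` (the line it replaces used `Ar number`). `log_opts` is also never defined in the rule-format text; the RULE OPTIONS section introduces `logamount` and `logdst` separately, so either define `log_opts` there or spell the options out here, e.g. `.Op Cm log Oo Cm logamount Ar number Oc Op Cm logdst Ar logdst_spec`.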
@@ -694,8 +696,10 @@ side effects.
.It Cm log Op Cm logamount Ar number
Packets matching a rule with the
.Cm log
-keyword will be made available for logging in two ways:
-if the sysctl variable
+keyword will be made available for logging.
+Unless per-rule log destination is specified by
+.Cm logdst Ar logdst_spec
+option (see below), packets are logged in two ways: if the sysctl variable
.Va net.inet.ip.fw.verbose
is set to 0 (default), one can use
.Xr bpf 4
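Review bot: "Unless per-rule log destination is specified by" is missing an article and a preposition ("Unless a per-rule log destination is specified with the ... option"), and "(see below)" should name its target, e.g. "see the `logdst` description below", since the new entry sits several paragraphs further down.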
@@ -743,6 +747,47 @@ command.
Note: logging is done after all other packet matching conditions
have been successfully verified, and before performing the final
action (accept, deny, etc.) on the packet.
+.It Cm log Oo
+.Cm logamount Ar number
+.Oc Cm logdst Ar logdst_spec
+.Ar logdst_spec
+is a comma-separated list of log destinations for logging
+packets matching the rule.
+Destinations supported are:
+.Bl -tag -width indent
+.It Ar syslog
+Logs a packet to
+.Xr syslogd 8
+with a
+.Dv LOG_SECURITY
+facility.
+.It Ar ipfw0
+Logs a packet to the
+.Li ipfw0
+pseudo interface.
+.It Ar rtsock
+Logs a packet to the
+.Xr route 4
+socket.
+See the comments of
+.Fn ipfw_log_rtsock
+in ipfw source code for more
+information on the message's structure.
+.El
+.Pp
+Note:
+.Cm logamount
+limits a number of logging events rather than packets being logged.
+I.e. A packet matching a rule with
+.Bd -ragged -offset indent
+ ...
+.Cm log logamount
+100
+.Cm logdst
+syslog,ipfw0 ...
+.Ed
+.Pp
+will log upto 50 packets.
.It Cm tag Ar number
When a packet matches a rule with the
.Cm tag
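Review bot: the closing example contradicts the sentence it illustrates unless the arithmetic is stated: `logamount 100` with `logdst syslog,ipfw0` "will log upto 50 packets" only because every packet produces one logging event per destination, so say so ("two events per packet, so 100 events cover 50 packets"), and fix "upto" to "up to", "limits a number" to "limits the number" and "I.e. A packet" to "I.e., a packet". The hunk also adds a second `.It Cm log` entry while the earlier `.It Cm log Op Cm logamount Ar number` entry remains; merge the two, or make this one `.It Cm logdst Ar logdst_spec`. The destination names `syslog`, `ipfw0` and `rtsock` are literal keywords and belong in `.Cm`, not `.Ar`; and "See the comments of `.Fn ipfw_log_rtsock` in ipfw source code" should give the file with `.Pa`, because a reader of the manual has no other way to find that function.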
@@ -951,7 +996,7 @@ Pass packet to a
nat instance
(for network address translation, address redirect, etc.):
see the
-.Sx NETWORK ADDRESS TRANSLATION (NAT)
+.Sx NETWORK ADDRESS TRANSLATION (NAT)\&
Section for further information.
.It Cm nat64lsn Ar name
Pass packet to a stateful NAT64 instance (for IPv6/IPv4 network address and
@@ -964,14 +1009,14 @@ protocol translation): see the
.Sx IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION
Section for further information.
.It Cm nat64clat Ar name
-Pass packet to a CLAT NAT64 instance (for client-side IPv6/IPv4 network address and
-protocol translation): see the
+Pass packet to a CLAT NAT64 instance (for client-side IPv6/IPv4 network address
+and protocol translation): see the
.Sx IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION
Section for further information.
.It Cm nptv6 Ar name
Pass packet to a NPTv6 instance (for IPv6-to-IPv6 network prefix translation):
see the
-.Sx IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)
+.Sx IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)\&
Section for further information.
.It Cm pipe Ar pipe_nr
Pass packet to a
@@ -1286,7 +1331,7 @@ protocol options, incoming or outgoing interfaces, etc.)
that the packet must match in order to be recognised.
In general, the patterns are connected by (implicit)
.Cm and
-operators -- i.e., all must match in order for the
+operators \(em i.e., all must match in order for the
rule to match.
Individual patterns can be prefixed by the
.Cm not
@@ -1395,11 +1440,21 @@ Matches any IPv4 or IPv6 address for which an entry exists in the lookup table
If an optional 32-bit unsigned
.Ar value
is also specified, an entry will match only if it has this value.
+If
+.Ar value
+is specified in form
+.Ar valtype=value ,
+then specified value type field will be checked.
+It can be
+.Ar skipto, pipe, fib, nat, dscp, tag, divert, netgraph, limit, nh4
+and
+.Ar mark.
+
See the
.Sx LOOKUP TABLES
section below for more information on lookup tables.
.El
-.It Ar addr-list : ip-addr Ns Op Ns , Ns Ar addr-list
+.It Ar addr-list : ip-addr Ns Op , Ns Ar addr-list
.It Ar ip-addr :
A host or subnet address specified in one of the following ways:
.Bl -tag -width indent
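Review bot: the empty input line after `.Ar mark.` is a blank line in mdoc source, which mandoc flags; use `.Pp`. `.Ar mark.` should be `.Ar mark .` so the period is not rendered as part of the argument, and the value types `skipto, pipe, fib, ...` are literal keywords that belong in `.Cm` with the commas handled per item (or a `.Bl -tag` list), not one `.Ar` macro with embedded commas. "then specified value type field will be checked" needs articles ("then the specified value-type field is compared"), and the text should say which field a bare `value` without `valtype=` is compared against, since the new syntax implies the table entry carries several.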
@@ -1415,7 +1470,7 @@ and mask width of
bits.
As an example, 1.2.3.4/25 or 1.2.3.0/25 will match
all IP numbers from 1.2.3.0 to 1.2.3.127 .
-.It Ar addr Ns : Ns Ar mask
+.It Ar addr : Ns Ar mask
Matches all addresses with base
.Ar addr
(specified as an IP address, a network number, or a hostname)
@@ -1432,7 +1487,7 @@ format for contiguous masks, which is more compact and less
error-prone.
.El
.It Ar addr-set : addr Ns Oo Ns / Ns Ar masklen Oc Ns Cm { Ns Ar list Ns Cm }
-.It Ar list : Bro Ar num | num-num Brc Ns Op Ns , Ns Ar list
+.It Ar list : Bro Ar num | num-num Brc Ns Op , Ns Ar list
Matches all addresses with base address
.Ar addr
(specified as an IP address, a network number, or a hostname)
@@ -1459,7 +1514,7 @@ or 1.2.3.0/24{128,35-55,89}
will match the following IP addresses:
.br
1.2.3.128, 1.2.3.35 to 1.2.3.55, 1.2.3.89 .
-.It Ar addr6-list : ip6-addr Ns Op Ns , Ns Ar addr6-list
+.It Ar addr6-list : ip6-addr Ns Op , Ns Ar addr6-list
.It Ar ip6-addr :
A host or subnet specified one of the following ways:
.Bl -tag -width indent
@@ -1865,7 +1920,7 @@ One or more
of source and destination addresses and ports can be
specified.
.It Cm lookup Bro Cm dst-ip | dst-port | dst-mac | src-ip | src-port | src-mac | uid |
-.Cm jail | dscp | mark Brc Ar name
+.Cm jail | dscp | mark | rulenum Brc Ar name
Search an entry in lookup table
.Ar name
that matches the field specified as argument.
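Review bot: `rulenum` is added to the `lookup` keyword list, but the description that follows ("Search an entry in lookup table ... that matches the field specified as argument") is not extended to say which value is used as the key for this field or which table type it requires; please add a sentence, as the existing fields have.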
@@ -3039,12 +3094,47 @@ needed for some experimental setups where you want to simulate
loss or congestion at a remote router.
.Pp
.It Cm plr Ar packet-loss-rate
+.It Cm plr Ar K,p,H,r
Packet loss rate.
Argument
.Ar packet-loss-rate
is a floating-point number between 0 and 1, with 0 meaning no
loss, 1 meaning 100% loss.
-The loss rate is internally represented on 31 bits.
+.Pp
+When invoked with four arguments, the simple Gilbert-Elliott
+channel model with two states (Good and Bad) is used.
+.Bd -literal -offset indent
+ r
+ .----------------.
+ v |
+ .------------. .------------.
+ | G | | B |
+ | drop (K) | | drop (H) |
+ '------------' '------------'
+ | ^
+ '----------------'
+ p
+
+.Ed
+This has the associated probabilities
+.Po Ar K
+and
+.Ar H Pc
+for the loss probability.
+This is different from the literature, where this model is described with
+probabilities of successful transmission k and h.
+However, converting from literature is easy:
+.Pp
+K = 1 - k ; H = 1 - h
+.Pp
+This is to retain consistency within the interface and allow the
+quick re-use of loss probability when giving only a single argument.
+In addition the state change probabilities
+.Po Ar p
+and
+.Ar r Pc
+are given.
+All of the above probabilities are internally represented on 31 bits.
.Pp
.It Cm queue Brq Ar slots | size Ns Cm Kbytes
Queue size, in
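Review bot: the four-argument form never says in words which transition `p` and `r` govern; the diagram places `p` on the G to B arrow and `r` on the B to G arrow, so state that explicitly ("p is the probability of moving from Good to Bad, r from Bad to Good") and name the initial state, otherwise the order `K,p,H,r` is hard to use correctly. Formatting: `.It Cm plr Ar K,p,H,r` embeds commas in one `.Ar`; `.Ar K Ns , Ns Ar p Ns , Ns Ar H Ns , Ns Ar r` matches the convention used for the `addr-list` lines elsewhere in this patch; the text after `.Ed` should begin with `.Pp`; and `K = 1 - k ; H = 1 - h` is better set as a `.Dl` line than as free text between two `.Pp`.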
@@ -3159,8 +3249,8 @@ delay low.
At regular time intervals of
.Cm tupdate
.Ar time
-(15ms by default) a background process (re)calculates the probability based on queue delay
-deviations from
+(15ms by default) a background process (re)calculates the probability based on
+queue delay deviations from
.Cm target
.Ar time
(15ms by default) and queue delay trends.
@@ -3179,8 +3269,8 @@ delay deviations that is used in drop probability calculation.
0.125 is the default.
.It Cm beta Ar n
.Ar n
-is a floating point number between 0 and 7 which specifies is the weight of queue
-delay trend that is used in drop probability calculation.
+is a floating point number between 0 and 7 which specifies is the weight of
+queue delay trend that is used in drop probability calculation.
1.25 is the default.
.It Cm max_burst Ar time
The maximum period of time that PIE does not drop/mark packets.
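Review bot: the rewrapped line keeps the pre-existing grammar error "which specifies is the weight of"; since the line is being touched anyway, drop the stray "is".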
@@ -3368,6 +3458,26 @@ Skip instance in case of global state lookup (see below).
.It Cm port_range Ar lower-upper
Set the aliasing ports between the ranges given.
Upper port has to be greater than lower.
+.It Cm udp_eim
+When enabled, UDP packets use endpoint-independent mapping (EIM) from RFC 4787
+("full cone" NAT of RFC 3489).
+All packets from the same internal address:port are mapped to the same NAT
+address:port, regardless of their destination address:port.
+If filtering rules allow, and if
+.Em deny_in
+is unset, any other external address:port can
+also send to the internal address:port through its mapped NAT address:port.
+This is more compatible with applications, and can reduce the need for port
+forwarding, but less scalable as each NAT address:port can only be
+concurrently used by at most one internal address:port.
+.Pp
+When disabled, UDP packets use endpoint-dependent mapping (EDM) ("symmetric"
+NAT).
+Each connection from a particular internal address:port to different
+external addresses:ports is mapped to a random and unpredictable NAT
+address:port.
+Two appplications behind EDM NATs can only connect to each other
+by port forwarding on the NAT, or tunnelling through an in-between server.
.El
.Pp
Some special values can be supplied instead of
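Review bot: "appplications" is misspelled, and "but less scalable" should read "but is less scalable". The entry should also give the default (whether `udp_eim` is off unless specified), because it changes the NAT's exposure: as the text says, with EIM any other external address:port can send to the internal address:port once the mapping exists, unless `deny_in` blocks it, so an operator needs to know whether this applies to an unchanged configuration. One accuracy point: RFC 4787 separates mapping behaviour from filtering behaviour, and RFC 3489 "full cone" means endpoint-independent mapping plus endpoint-independent filtering, so the parenthetical holds only when `deny_in` is unset; with `deny_in` set the result is a restricted-cone NAT.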
@@ -3519,7 +3629,8 @@ The NAT64 instance will determine a destination IPv4 address from prefix
.It Cm states_chunks Ar number
The number of states chunks in single ports group.
Each ports group by default can keep 64 state entries in single chunk.
-The above value affects the maximum number of states that can be associated with single IPv4 alias address and port.
+The above value affects the maximum number of states that can be associated with
+a single IPv4 alias address and port.
The value must be power of 2, and up to 128.
.It Cm host_del_age Ar seconds
The number of seconds until the host entry for a IPv6 client will be deleted
@@ -3761,6 +3872,16 @@ or
.Xr kenv 1
before ipfw module gets loaded.
.Bl -tag -width indent
+.It Va net.inet.ip.fw.enable : No 1
+Enables the firewall.
+Setting this variable to 0 lets you run your machine without
+firewall even if compiled in.
+.It Va net.inet6.ip6.fw.enable : No 1
+provides the same functionality as above for the IPv6 case.
+.It Va net.link.ether.ipfw : No 0
+Controls whether layer2 packets are passed to
+.Nm .
+Default is no.
.It Va net.inet.ip.fw.default_to_accept : No 0
Defines ipfw last rule behavior.
This value overrides
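Review bot: "provides the same functionality as above" starts an entry description and should be capitalised, and "Default is no." for `net.link.ether.ipfw` is clearer as "Default is 0" to match the `: No 0` value shown in the tag. The three moved entries are identical to the ones removed in the later hunks, so the move itself is clean; a one-line sentence noting that the enable switches are listed first on purpose would keep the next contributor from re-sorting them.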
@@ -4154,12 +4275,6 @@ Keep dynamic states on rule/set deletion.
States are relinked to default rule (65535).
This can be handly for ruleset reload.
Turned off by default.
-.It Va net.inet.ip.fw.enable : No 1
-Enables the firewall.
-Setting this variable to 0 lets you run your machine without
-firewall even if compiled in.
-.It Va net.inet6.ip6.fw.enable : No 1
-provides the same functionality as above for the IPv6 case.
.It Va net.inet.ip.fw.one_pass : No 1
When set, the packet exiting from the
.Nm dummynet
@@ -4176,10 +4291,6 @@ Enables verbose messages.
Limits the number of messages produced by a verbose firewall.
.It Va net.inet6.ip6.fw.deny_unknown_exthdrs : No 1
If enabled packets with unknown IPv6 Extension Headers will be denied.
-.It Va net.link.ether.ipfw : No 0
-Controls whether layer2 packets are passed to
-.Nm .
-Default is no.
.It Va net.link.bridge.ipfw : No 0
Controls whether bridged packets are passed to
.Nm .
@@ -4223,6 +4334,15 @@ sub-options:
Lists all interface which are currently tracked by
.Nm
with their in-kernel status.
+.It Cm monitor Op Ar filter-comment
+Capture messages from
+.Xr route 4
+socket, that were logged using rules with
+.Cm log Cm logdst Ar rtsock
+opcode. Optional
+.Ar filter-comment
+can be specified to show only those messages, that were logged
+by rules with specific rule comment.
.It Cm talist
List all table lookup algorithms currently available.
.El
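Review bot: "opcode. Optional" begins a new sentence mid-line; mdoc expects each sentence on its own line so that sentence spacing and `\&` handling work. The relative clauses "socket, that were logged" and "messages, that were logged" are restrictive and should lose the comma, and `.Cm log Cm logdst Ar rtsock` can simply be `.Cm log logdst Ar rtsock`.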
@@ -4395,7 +4515,7 @@ and
.Cm defer-action
can be used to precisely control creation and checking of dynamic rules.
Example of usage of these options are provided in
-.Sx NETWORK ADDRESS TRANSLATION (NAT)
+.Sx NETWORK ADDRESS TRANSLATION (NAT)\&
Section.
.Pp
To limit the number of connections a user can open
@@ -4884,7 +5004,7 @@ The syntax has grown over the years and sometimes it might be confusing.
Unfortunately, backward compatibility prevents cleaning up mistakes
made in the definition of the syntax.
.Pp
-.Em !!! WARNING !!!
+.Em !!! WARNING !!!\&
.Pp
Misconfiguring the firewall can put your computer in an unusable state,
possibly shutting down network services and requiring console access to