path: root/sbin/ipfw/ipfw.8
Diffstat (limited to 'sbin/ipfw/ipfw.8')
-rw-r--r--  sbin/ipfw/ipfw.8  109
1 files changed, 82 insertions, 27 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 348e9a58f2ce..ddfdc35ce651 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1,11 +1,11 @@
.\"
-.Dd March 3, 2025
+.Dd April 18, 2025
.Dt IPFW 8
.Os
.Sh NAME
.Nm ipfw , dnctl
.Nd User interface for firewall, traffic shaper, packet scheduler,
-in-kernel NAT.
+in-kernel NAT.\&
.Sh SYNOPSIS
.Ss FIREWALL CONFIGURATION
.Nm
@@ -171,6 +171,8 @@ in-kernel NAT.
.Nm
.Cm internal iflist
.Nm
+.Cm internal monitor Op Ar filter-comment
+.Nm
.Cm internal talist
.Nm
.Cm internal vlist
@@ -331,8 +333,8 @@ When listing, show dynamic rules in addition to static ones.
When listing, show only dynamic states.
When deleting, delete only dynamic states.
.It Fl f
-Run without prompting for confirmation for commands that can cause problems if misused,
-i.e.,
+Run without prompting for confirmation for commands that can cause problems
+if misused, i.e.,
.Cm flush .
If there is no tty associated with the process, this is implied.
The
@@ -577,7 +579,7 @@ The format of firewall rules is the following:
.Op Cm set Ar set_number
.Op Cm prob Ar match_probability
.Ar action
-.Op Cm log Op Cm logamount Ar number
+.Op Cm log Op log_opts
.Op Cm altq Ar queue
.Oo
.Bro Cm tag | untag
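Review bot: `.Op Cm log Op log_opts` drops the `Ar` macro, so `log_opts` will render as literal text rather than as an argument placeholder; it should be `.Op Cm log Op Ar log_opts`. Also, nothing in this patch defines `log_opts`: the option descriptions below keep `.It Cm log Op Cm logamount Ar number` and add a separate `.It Cm log Oo ... Oc Cm logdst Ar logdst_spec` entry, so either add an `.It Ar log_opts` entry that names both sub-options, or spell them out in the synopsis as `.Op Cm log Oo Cm logamount Ar number Oc Op Cm logdst Ar logdst_spec`.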
@@ -694,8 +696,10 @@ side effects.
.It Cm log Op Cm logamount Ar number
Packets matching a rule with the
.Cm log
-keyword will be made available for logging in two ways:
-if the sysctl variable
+keyword will be made available for logging.
+Unless per-rule log destination is specified by
+.Cm logdst Ar logdst_spec
+option (see below), packets are logged in two ways: if the sysctl variable
.Va net.inet.ip.fw.verbose
is set to 0 (default), one can use
.Xr bpf 4
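Review bot: "Unless per-rule log destination is specified by" is missing an article; suggest "Unless a per-rule log destination is specified with the `.Cm logdst Ar logdst_spec` option (see below), packets are logged in one of two ways:". The unchanged item header `.It Cm log Op Cm logamount Ar number` just above should also mention `logdst` now that the synopsis advertises generic log options, otherwise readers scanning the option list will not see that `logdst` exists until the second `log` entry further down.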
@@ -743,6 +747,47 @@ command.
Note: logging is done after all other packet matching conditions
have been successfully verified, and before performing the final
action (accept, deny, etc.) on the packet.
+.It Cm log Oo
+.Cm logamount Ar number
+.Oc Cm logdst Ar logdst_spec
+.Ar logdst_spec
+is a comma-separated list of log destinations for logging
+packets matching the rule.
+Destinations supported are:
+.Bl -tag -width indent
+.It Ar syslog
+Logs a packet to
+.Xr syslogd 8
+with a
+.Dv LOG_SECURITY
+facility.
+.It Ar ipfw0
+Logs a packet to the
+.Li ipfw0
+pseudo interface.
+.It Ar rtsock
+Logs a packet to the
+.Xr route 4
+socket.
+See the comments of
+.Fn ipfw_log_rtsock
+in ipfw source code for more
+information on the message's structure.
+.El
+.Pp
+Note:
+.Cm logamount
+limits a number of logging events rather than packets being logged.
+I.e. A packet matching a rule with
+.Bd -ragged -offset indent
+ ...
+.Cm log logamount
+100
+.Cm logdst
+syslog,ipfw0 ...
+.Ed
+.Pp
+will log upto 50 packets.
.It Cm tag Ar number
When a packet matches a rule with the
.Cm tag
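Review bot: the closing example reads "will log upto 50 packets"; "upto" should be "up to", and "I.e. A packet matching" should be "i.e., a packet matching". "limits a number of logging events" should be "limits the number of logging events", and the arithmetic behind the example is worth one explicit sentence (each matching packet generates one logging event per destination, so with two destinations a `logamount` of 100 is exhausted after 50 packets), since that is the whole point of the note. Pointing readers at "the comments of `.Fn ipfw_log_rtsock` in ipfw source code" for the rtsock message layout is thin for a manual page: the message structure is exactly what a consumer of `ipfw internal monitor` output needs, so it deserves a short description here or a cross-reference to where it is documented.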
@@ -951,7 +996,7 @@ Pass packet to a
nat instance
(for network address translation, address redirect, etc.):
see the
-.Sx NETWORK ADDRESS TRANSLATION (NAT)
+.Sx NETWORK ADDRESS TRANSLATION (NAT)\&
Section for further information.
.It Cm nat64lsn Ar name
Pass packet to a stateful NAT64 instance (for IPv6/IPv4 network address and
@@ -964,14 +1009,14 @@ protocol translation): see the
.Sx IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION
Section for further information.
.It Cm nat64clat Ar name
-Pass packet to a CLAT NAT64 instance (for client-side IPv6/IPv4 network address and
-protocol translation): see the
+Pass packet to a CLAT NAT64 instance (for client-side IPv6/IPv4 network address
+and protocol translation): see the
.Sx IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION
Section for further information.
.It Cm nptv6 Ar name
Pass packet to a NPTv6 instance (for IPv6-to-IPv6 network prefix translation):
see the
-.Sx IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)
+.Sx IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)\&
Section for further information.
.It Cm pipe Ar pipe_nr
Pass packet to a
@@ -1286,7 +1331,7 @@ protocol options, incoming or outgoing interfaces, etc.)
that the packet must match in order to be recognised.
In general, the patterns are connected by (implicit)
.Cm and
-operators -- i.e., all must match in order for the
+operators \(em i.e., all must match in order for the
rule to match.
Individual patterns can be prefixed by the
.Cm not
@@ -1409,7 +1454,7 @@ See the
.Sx LOOKUP TABLES
section below for more information on lookup tables.
.El
-.It Ar addr-list : ip-addr Ns Op Ns , Ns Ar addr-list
+.It Ar addr-list : ip-addr Ns Op , Ns Ar addr-list
.It Ar ip-addr :
A host or subnet address specified in one of the following ways:
.Bl -tag -width indent
@@ -1425,7 +1470,7 @@ and mask width of
bits.
As an example, 1.2.3.4/25 or 1.2.3.0/25 will match
all IP numbers from 1.2.3.0 to 1.2.3.127 .
-.It Ar addr Ns : Ns Ar mask
+.It Ar addr : Ns Ar mask
Matches all addresses with base
.Ar addr
(specified as an IP address, a network number, or a hostname)
@@ -1442,7 +1487,7 @@ format for contiguous masks, which is more compact and less
error-prone.
.El
.It Ar addr-set : addr Ns Oo Ns / Ns Ar masklen Oc Ns Cm { Ns Ar list Ns Cm }
-.It Ar list : Bro Ar num | num-num Brc Ns Op Ns , Ns Ar list
+.It Ar list : Bro Ar num | num-num Brc Ns Op , Ns Ar list
Matches all addresses with base address
.Ar addr
(specified as an IP address, a network number, or a hostname)
@@ -1469,7 +1514,7 @@ or 1.2.3.0/24{128,35-55,89}
will match the following IP addresses:
.br
1.2.3.128, 1.2.3.35 to 1.2.3.55, 1.2.3.89 .
-.It Ar addr6-list : ip6-addr Ns Op Ns , Ns Ar addr6-list
+.It Ar addr6-list : ip6-addr Ns Op , Ns Ar addr6-list
.It Ar ip6-addr :
A host or subnet specified one of the following ways:
.Bl -tag -width indent
@@ -3075,10 +3120,10 @@ This has the associated probabilities
.Po Ar K
and
.Ar H Pc
-for the loss probability. This is different from the literature,
-where this model is described with probabilities of successful
-transmission k and h. However, converting from literature is
-easy:
+for the loss probability.
+This is different from the literature, where this model is described with
+probabilities of successful transmission k and h.
+However, converting from literature is easy:
.Pp
K = 1 - k ; H = 1 - h
.Pp
@@ -3204,8 +3249,8 @@ delay low.
At regular time intervals of
.Cm tupdate
.Ar time
-(15ms by default) a background process (re)calculates the probability based on queue delay
-deviations from
+(15ms by default) a background process (re)calculates the probability based on
+queue delay deviations from
.Cm target
.Ar time
(15ms by default) and queue delay trends.
@@ -3224,8 +3269,8 @@ delay deviations that is used in drop probability calculation.
0.125 is the default.
.It Cm beta Ar n
.Ar n
-is a floating point number between 0 and 7 which specifies is the weight of queue
-delay trend that is used in drop probability calculation.
+is a floating point number between 0 and 7 which specifies is the weight of
+queue delay trend that is used in drop probability calculation.
1.25 is the default.
.It Cm max_burst Ar time
The maximum period of time that PIE does not drop/mark packets.
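Review bot: the rewrapped line "is a floating point number between 0 and 7 which specifies is the weight of" carries over the pre-existing stray "is" ("specifies is the weight"); since the line is being touched anyway, fix it to "which specifies the weight of queue delay trend that is used in drop probability calculation."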
@@ -3584,7 +3629,8 @@ The NAT64 instance will determine a destination IPv4 address from prefix
.It Cm states_chunks Ar number
The number of states chunks in single ports group.
Each ports group by default can keep 64 state entries in single chunk.
-The above value affects the maximum number of states that can be associated with single IPv4 alias address and port.
+The above value affects the maximum number of states that can be associated with
+a single IPv4 alias address and port.
The value must be power of 2, and up to 128.
.It Cm host_del_age Ar seconds
The number of seconds until the host entry for a IPv6 client will be deleted
@@ -4288,6 +4334,15 @@ sub-options:
Lists all interface which are currently tracked by
.Nm
with their in-kernel status.
+.It Cm monitor Op Ar filter-comment
+Capture messages from
+.Xr route 4
+socket, that were logged using rules with
+.Cm log Cm logdst Ar rtsock
+opcode. Optional
+.Ar filter-comment
+can be specified to show only those messages, that were logged
+by rules with specific rule comment.
.It Cm talist
List all table lookup algorithms currently available.
.El
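Review bot: "socket, that were logged using rules with ... opcode" has a misplaced comma, and "opcode" is the wrong term for a rule option; suggest "Capture messages from the `.Xr route 4` socket that were logged by rules carrying the `.Cm logdst Ar rtsock` option." Likewise "show only those messages, that were logged by rules with specific rule comment" should read "show only messages logged by rules with the given rule comment". The entry should also state how `filter-comment` is matched (exact match or substring), since that determines which rules' traffic an operator watching a log destination will actually see.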
@@ -4460,7 +4515,7 @@ and
.Cm defer-action
can be used to precisely control creation and checking of dynamic rules.
Example of usage of these options are provided in
-.Sx NETWORK ADDRESS TRANSLATION (NAT)
+.Sx NETWORK ADDRESS TRANSLATION (NAT)\&
Section.
.Pp
To limit the number of connections a user can open
@@ -4949,7 +5004,7 @@ The syntax has grown over the years and sometimes it might be confusing.
Unfortunately, backward compatibility prevents cleaning up mistakes
made in the definition of the syntax.
.Pp
-.Em !!! WARNING !!!
+.Em !!! WARNING !!!\&
.Pp
Misconfiguring the firewall can put your computer in an unusable state,
possibly shutting down network services and requiring console access to