Diffstat (limited to 'sbin/ipfw/ipfw.8')
| -rw-r--r-- | sbin/ipfw/ipfw.8 | 284 | 
1 files changed, 235 insertions, 49 deletions
| diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index db8a11525b4d..ddfdc35ce651 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1,13 +1,11 @@  .\" -.\" $FreeBSD$ -.\" -.Dd June 4, 2022 +.Dd April 18, 2025  .Dt IPFW 8  .Os  .Sh NAME  .Nm ipfw , dnctl  .Nd User interface for firewall, traffic shaper, packet scheduler, -in-kernel NAT. +in-kernel NAT.\&  .Sh SYNOPSIS  .Ss FIREWALL CONFIGURATION  .Nm @@ -42,10 +40,10 @@ in-kernel NAT.  .Ss SYSCTL SHORTCUTS  .Nm  .Cm enable -.Brq Cm firewall | altq | one_pass | debug | verbose | dyn_keepalive +.Brq Cm firewall | altq | one_pass | debug | verbose | dyn_keepalive | skipto_cache  .Nm  .Cm disable -.Brq Cm firewall | altq | one_pass | debug | verbose | dyn_keepalive +.Brq Cm firewall | altq | one_pass | debug | verbose | dyn_keepalive | skipto_cache  .Ss LOOKUP TABLES  .Nm  .Oo Cm set Ar N Oc Cm table Ar name Cm create Ar create-options @@ -173,6 +171,8 @@ in-kernel NAT.  .Nm  .Cm internal iflist  .Nm +.Cm internal monitor Op Ar filter-comment +.Nm  .Cm internal talist  .Nm  .Cm internal vlist @@ -333,8 +333,8 @@ When listing, show dynamic rules in addition to static ones.  When listing, show only dynamic states.  When deleting, delete only dynamic states.  .It Fl f -Run without prompting for confirmation for commands that can cause problems if misused, -i.e., +Run without prompting for confirmation for commands that can cause problems +if misused, i.e.,  .Cm flush .  If there is no tty associated with the process, this is implied.  The @@ -579,7 +579,7 @@ The format of firewall rules is the following:  .Op Cm set Ar set_number  .Op Cm prob Ar match_probability  .Ar action -.Op Cm log Op Cm logamount Ar number +.Op Cm log Op log_opts  .Op Cm altq Ar queue  .Oo  .Bro Cm tag | untag 
@@ -696,8 +696,10 @@ side effects.  .It Cm log Op Cm logamount Ar number  Packets matching a rule with the  .Cm log -keyword will be made available for logging in two ways: -if the sysctl variable +keyword will be made available for logging. +Unless per-rule log destination is specified by +.Cm logdst Ar logdst_spec +option (see below), packets are logged in two ways: if the sysctl variable  .Va net.inet.ip.fw.verbose  is set to 0 (default), one can use  .Xr bpf 4 @@ -745,6 +747,47 @@ command.  Note: logging is done after all other packet matching conditions  have been successfully verified, and before performing the final  action (accept, deny, etc.) on the packet. +.It Cm log Oo +.Cm logamount Ar number +.Oc Cm logdst Ar logdst_spec +.Ar logdst_spec +is a comma-separated list of log destinations for logging +packets matching the rule. +Destinations supported are: +.Bl -tag -width indent +.It Ar syslog +Logs a packet to +.Xr syslogd 8 +with a +.Dv LOG_SECURITY +facility. +.It Ar ipfw0 +Logs a packet to the +.Li ipfw0 +pseudo interface. +.It Ar rtsock +Logs a packet to the +.Xr route 4 +socket. +See the comments of +.Fn ipfw_log_rtsock +in ipfw source code for more +information on the message's structure. +.El +.Pp +Note: +.Cm logamount +limits a number of logging events rather than packets being logged. +I.e. A packet matching a rule with +.Bd -ragged -offset indent + ... +.Cm log logamount +100 +.Cm logdst +syslog,ipfw0 ... +.Ed +.Pp +will log upto 50 packets.  .It Cm tag Ar number  When a packet matches a rule with the  .Cm tag 
@@ -759,7 +802,7 @@ A packet can have multiple tags at the same time.  Tags are "sticky", meaning once a tag is applied to a packet by a  matching rule it exists until explicit removal.  Tags are kept with the packet everywhere within the kernel, but are -lost when packet leaves the kernel, for example, on transmitting +lost when the packet leaves the kernel, for example, on transmitting  packet out to the network or sending packet to a  .Xr divert 4  socket. @@ -793,6 +836,27 @@ keyword, the tag with the number  is searched among the tags attached to this packet and,  if found, removed from it.  Other tags bound to packet, if present, are left untouched. +.It Cm setmark Ar value | tablearg +When a packet matches a rule with the +.Cm setmark +keyword, a 32-bit numeric mark is assigned to the packet. +The mark is an extension to the tags. +As tags, mark is "sticky" so the value is kept the same within the kernel and +is lost when the packet leaves the kernel. +Unlike tags, mark can be matched as a lookup table key or compared with bitwise +mask applied against another value. +Each packet can have only one mark, so +.Cm setmark +always overwrites the previous mark value. +.Pp +The initial mark value is 0. +To check the current mark value, use the +.Cm mark +rule option. +Mark +.Ar value +can be entered as decimal or hexadecimal (if prefixed by 0x), and they +are always printed as hexadecimal.  .It Cm altq Ar queue  When a packet matches a rule with the  .Cm altq @@ -932,7 +996,7 @@ Pass packet to a  nat instance  (for network address translation, address redirect, etc.):  see the -.Sx NETWORK ADDRESS TRANSLATION (NAT) +.Sx NETWORK ADDRESS TRANSLATION (NAT)\&  Section for further information.  .It Cm nat64lsn Ar name  Pass packet to a stateful NAT64 instance (for IPv6/IPv4 network address and 
@@ -945,14 +1009,14 @@ protocol translation): see the  .Sx IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION  Section for further information.  .It Cm nat64clat Ar name -Pass packet to a CLAT NAT64 instance (for client-side IPv6/IPv4 network address and -protocol translation): see the +Pass packet to a CLAT NAT64 instance (for client-side IPv6/IPv4 network address +and protocol translation): see the  .Sx IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION  Section for further information.  .It Cm nptv6 Ar name  Pass packet to a NPTv6 instance (for IPv6-to-IPv6 network prefix translation):  see the -.Sx IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6) +.Sx IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)\&  Section for further information.  .It Cm pipe Ar pipe_nr  Pass packet to a @@ -1080,7 +1144,7 @@ Send a copy of packets matching this rule to the  socket bound to port  .Ar port .  The search continues with the next rule. -.It Cm unreach Ar code +.It Cm unreach Ar code Op mtu  Discard packets that match this rule, and try to send an ICMP  unreachable notice with code  .Ar code , @@ -1093,6 +1157,12 @@ is a number from 0 to 255, or one of these aliases:  .Cm toshost , filter-prohib , host-precedence  or  .Cm precedence-cutoff . +The +.Cm needfrag +code may have an optional +.Ar mtu +parameter. +If specified, the MTU value will be put into generated ICMP packet.  The search terminates.  .It Cm unreach6 Ar code  Discard packets that match this rule, and try to send an ICMPv6 @@ -1180,6 +1250,8 @@ Supported values are:  .Pq Dv 100100 ,  .Cm af43  .Pq Dv 100110 , +.Cm va +.Pq Dv 101100 ,  .Cm ef  .Pq Dv 101110 ,  .Cm be 
@@ -1259,7 +1331,7 @@ protocol options, incoming or outgoing interfaces, etc.)  that the packet must match in order to be recognised.  In general, the patterns are connected by (implicit)  .Cm and -operators -- i.e., all must match in order for the +operators \(em i.e., all must match in order for the  rule to match.  Individual patterns can be prefixed by the  .Cm not @@ -1368,11 +1440,21 @@ Matches any IPv4 or IPv6 address for which an entry exists in the lookup table  If an optional 32-bit unsigned  .Ar value  is also specified, an entry will match only if it has this value. +If +.Ar value +is specified in form +.Ar valtype=value , +then specified value type field will be checked. +It can be +.Ar skipto, pipe, fib, nat, dscp, tag, divert, netgraph, limit, nh4 +and +.Ar mark. +  See the  .Sx LOOKUP TABLES  section below for more information on lookup tables.  .El -.It Ar addr-list : ip-addr Ns Op Ns , Ns Ar addr-list +.It Ar addr-list : ip-addr Ns Op , Ns Ar addr-list  .It Ar ip-addr :  A host or subnet address specified in one of the following ways:  .Bl -tag -width indent @@ -1388,7 +1470,7 @@ and mask width of  bits.  As an example, 1.2.3.4/25 or 1.2.3.0/25 will match  all IP numbers from 1.2.3.0 to 1.2.3.127 . -.It Ar addr Ns : Ns Ar mask +.It Ar addr : Ns Ar mask  Matches all addresses with base  .Ar addr  (specified as an IP address, a network number, or a hostname) @@ -1405,7 +1487,7 @@ format for contiguous masks, which is more compact and less  error-prone.  .El  .It Ar addr-set : addr Ns Oo Ns / Ns Ar masklen Oc Ns Cm { Ns Ar list Ns Cm } -.It Ar list : Bro Ar num | num-num Brc Ns Op Ns , Ns Ar list +.It Ar list : Bro Ar num | num-num Brc Ns Op , Ns Ar list  Matches all addresses with base address  .Ar addr  (specified as an IP address, a network number, or a hostname) 
@@ -1432,7 +1514,7 @@ or 1.2.3.0/24{128,35-55,89}  will match the following IP addresses:  .br  1.2.3.128, 1.2.3.35 to 1.2.3.55, 1.2.3.89 . -.It Ar addr6-list : ip6-addr Ns Op Ns , Ns Ar addr6-list +.It Ar addr6-list : ip6-addr Ns Op , Ns Ar addr6-list  .It Ar ip6-addr :  A host or subnet specified one of the following ways:  .Bl -tag -width indent @@ -1837,7 +1919,8 @@ set of parameters as specified in the rule.  One or more  of source and destination addresses and ports can be  specified. -.It Cm lookup Bro Cm dst-ip | dst-port | dst-mac | src-ip | src-port | src-mac | uid | jail Brc Ar name +.It Cm lookup Bro Cm dst-ip | dst-port | dst-mac | src-ip | src-port | src-mac | uid | +.Cm jail | dscp | mark | rulenum Brc Ar name  Search an entry in lookup table  .Ar name  that matches the field specified as argument. @@ -1910,13 +1993,24 @@ However, this option doesn't imply an implicit  .Cm check-state  in contrast to  .Cm keep-state . -.It Cm recv | xmit | via Brq Ar ifX | Ar if Ns Cm * | Ar table Ns Po Ar name Ns Oo , Ns Ar value Oc Pc | Ar ipno | Ar any +.It Cm recv | xmit | via Brq Ar ifX | Ar ifmask | Ar table Ns Po Ar name Ns Oo , Ns Ar value Oc Pc | Ar ipno | Ar any  Matches packets received, transmitted or going through,  respectively, the interface specified by exact name  .Po Ar ifX Pc , -by device name -.Po Ar if* Pc , +by device mask +.Po Ar ifmask Pc ,  by IP address, or through some interface. +.Pp +Interface +name may be matched against +.Ar ifmask +with +.Xr fnmatch 3 +according to the rules used by the shell (f.e. tun*). +See also the +.Sx EXAMPLES +section. +.Pp  Table  .Ar name  may be used to match interface by its kernel ifindex. 
@@ -1998,6 +2092,23 @@ specified in the same way as  Tags can be applied to the packet using  .Cm tag  rule action parameter (see it's description for details on tags). +.It Cm mark Ar value[:bitmask] | tablearg[:bitmask] +Matches packets whose mark is equal to +.Ar value +with optional +.Ar bitmask +applied to it. +.Cm tablearg +can also be used instead of an explicit +.Ar value +to match a value supplied by the last table lookup. +.Pp +Both +.Ar value +and +.Ar bitmask +can be entered as decimal or hexadecimal (if prefixed by 0x), and they +are always printed as hexadecimal.  .It Cm tcpack Ar ack  TCP packets only.  Match if the TCP header acknowledgment number field is set to @@ -2340,7 +2451,7 @@ The following value types are supported:  .Bl -tag -width indent  .It Ar value-mask : Ar value-type Ns Op , Ns Ar value-mask  .It Ar value-type : Ar skipto | pipe | fib | nat | dscp | tag | divert | -.Ar netgraph | limit | ipv4 +.Ar netgraph | limit | ipv4 | ipv6 | mark  .It Cm skipto  rule number to jump to.  .It Cm pipe @@ -2363,16 +2474,19 @@ maximum number of connections.  IPv4 nexthop to fwd packets to.  .It Cm ipv6  IPv6 nexthop to fwd packets to. +.It Cm mark +mark value to match/set.  .El  .Pp  The  .Cm tablearg  argument can be used with the following actions:  .Cm nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto, setfib , +.Cm setmark ,  action parameters:  .Cm tag, untag ,  rule options: -.Cm limit, tagged . +.Cm limit, tagged, mark .  .Pp  When used with the  .Cm skipto 
@@ -2980,12 +3094,47 @@ needed for some experimental setups where you want to simulate  loss or congestion at a remote router.  .Pp  .It Cm plr Ar packet-loss-rate +.It Cm plr Ar K,p,H,r  Packet loss rate.  Argument  .Ar packet-loss-rate  is a floating-point number between 0 and 1, with 0 meaning no  loss, 1 meaning 100% loss. -The loss rate is internally represented on 31 bits. +.Pp +When invoked with four arguments, the simple Gilbert-Elliott +channel model with two states (Good and Bad) is used. +.Bd -literal -offset indent +                        r +               .----------------. +               v                | +         .------------.   .------------. +         |     G      |   |     B      | +         |  drop (K)  |   |  drop (H)  | +         '------------'   '------------' +               |                ^ +               '----------------' +                        p + +.Ed +This has the associated probabilities +.Po Ar K +and +.Ar H Pc +for the loss probability. +This is different from the literature, where this model is described with +probabilities of successful transmission k and h. +However, converting from literature is easy: +.Pp +K = 1 - k ; H = 1 - h +.Pp +This is to retain consistency within the interface and allow the +quick re-use of loss probability when giving only a single argument. +In addition the state change probabilities +.Po Ar p +and +.Ar r Pc +are given. +All of the above probabilities are internally represented on 31 bits.  .Pp  .It Cm queue Brq Ar slots | size Ns Cm Kbytes  Queue size, in @@ -3100,8 +3249,8 @@ delay low.  At regular time intervals of  .Cm tupdate  .Ar time -(15ms by default) a background process (re)calculates the probability based on queue delay -deviations from +(15ms by default) a background process (re)calculates the probability based on +queue delay deviations from  .Cm target  .Ar time  (15ms by default) and queue delay trends. 
@@ -3120,8 +3269,8 @@ delay deviations that is used in drop probability calculation.  0.125 is the default.  .It Cm beta Ar n  .Ar n -is a floating point number between 0 and 7 which specifies is the weight of queue -delay trend that is used in drop probability calculation. +is a floating point number between 0 and 7 which specifies is the weight of +queue delay trend that is used in drop probability calculation.  1.25 is the default.  .It Cm max_burst Ar time  The maximum period of time that PIE does not drop/mark packets. 
@@ -3307,8 +3456,28 @@ Obey transparent proxy rules only, packet aliasing is not performed.  .It Cm skip_global  Skip instance in case of global state lookup (see below).  .It Cm port_range Ar lower-upper -Set the aliasing ports between the ranges given. Upper port has to be greater -than lower. +Set the aliasing ports between the ranges given. +Upper port has to be greater than lower. +.It Cm udp_eim +When enabled, UDP packets use endpoint-independent mapping (EIM) from RFC 4787 +("full cone" NAT of RFC 3489). +All packets from the same internal address:port are mapped to the same NAT +address:port, regardless of their destination address:port. +If filtering rules allow, and if +.Em deny_in +is unset, any other external address:port can +also send to the internal address:port through its mapped NAT address:port. +This is more compatible with applications, and can reduce the need for port +forwarding, but less scalable as each NAT address:port can only be +concurrently used by at most one internal address:port. +.Pp +When disabled, UDP packets use endpoint-dependent mapping (EDM) ("symmetric" +NAT). +Each connection from a particular internal address:port to different +external addresses:ports is mapped to a random and unpredictable NAT +address:port. +Two appplications behind EDM NATs can only connect to each other +by port forwarding on the NAT, or tunnelling through an in-between server.  .El  .Pp  Some special values can be supplied instead of 
@@ -3460,7 +3629,8 @@ The NAT64 instance will determine a destination IPv4 address from prefix  .It Cm states_chunks Ar number  The number of states chunks in single ports group.  Each ports group by default can keep 64 state entries in single chunk. -The above value affects the maximum number of states that can be associated with single IPv4 alias address and port. +The above value affects the maximum number of states that can be associated with +a single IPv4 alias address and port.  The value must be power of 2, and up to 128.  .It Cm host_del_age Ar seconds  The number of seconds until the host entry for a IPv6 client will be deleted @@ -3702,6 +3872,16 @@ or  .Xr kenv 1  before ipfw module gets loaded.  .Bl -tag -width indent +.It Va net.inet.ip.fw.enable : No 1 +Enables the firewall. +Setting this variable to 0 lets you run your machine without +firewall even if compiled in. +.It Va net.inet6.ip6.fw.enable : No 1 +provides the same functionality as above for the IPv6 case. +.It Va net.link.ether.ipfw : No 0 +Controls whether layer2 packets are passed to +.Nm . +Default is no.  .It Va net.inet.ip.fw.default_to_accept : No 0  Defines ipfw last rule behavior.  This value overrides @@ -4095,12 +4275,6 @@ Keep dynamic states on rule/set deletion.  States are relinked to default rule (65535).  This can be handly for ruleset reload.  Turned off by default. -.It Va net.inet.ip.fw.enable : No 1 -Enables the firewall. -Setting this variable to 0 lets you run your machine without -firewall even if compiled in. -.It Va net.inet6.ip6.fw.enable : No 1 -provides the same functionality as above for the IPv6 case.  .It Va net.inet.ip.fw.one_pass : No 1  When set, the packet exiting from the  .Nm dummynet 
@@ -4117,10 +4291,6 @@ Enables verbose messages.  Limits the number of messages produced by a verbose firewall.  .It Va net.inet6.ip6.fw.deny_unknown_exthdrs : No 1  If enabled packets with unknown IPv6 Extension Headers will be denied. -.It Va net.link.ether.ipfw : No 0 -Controls whether layer2 packets are passed to -.Nm . -Default is no.  .It Va net.link.bridge.ipfw : No 0  Controls whether bridged packets are passed to  .Nm . @@ -4164,6 +4334,15 @@ sub-options:  Lists all interface which are currently tracked by  .Nm  with their in-kernel status. +.It Cm monitor Op Ar filter-comment +Capture messages from +.Xr route 4 +socket, that were logged using rules with +.Cm log Cm logdst Ar rtsock +opcode. Optional +.Ar filter-comment +can be specified to show only those messages, that were logged +by rules with specific rule comment.  .It Cm talist  List all table lookup algorithms currently available.  .El @@ -4215,6 +4394,12 @@ of clients, as below:  .Dl "ipfw add deny ip from ${badguys} to any"  .Dl "... normal policies ..."  .Pp +Allow any transit packets coming from single vlan 10 and +going out to vlans 100-1000: +.Pp +.Dl "ipfw add 10 allow out recv vlan10 \e" +.Dl "{ xmit vlan1000 or xmit \*qvlan[1-9]??\*q }" +.Pp  The  .Cm verrevpath  option could be used to do automated anti-spoofing by adding the @@ -4330,7 +4515,7 @@ and  .Cm defer-action  can be used to precisely control creation and checking of dynamic rules.  Example of usage of these options are provided in -.Sx NETWORK ADDRESS TRANSLATION (NAT) +.Sx NETWORK ADDRESS TRANSLATION (NAT)\&  Section.  .Pp  To limit the number of connections a user can open @@ -4623,7 +4808,7 @@ Bear in mind that this is example only and it is not very useful by itself.  .Pp  On way out, after all checks place this rules:  .Pp -.Dl "ipfw add allow record-state skip-action" +.Dl "ipfw add allow record-state defer-action"  .Dl "ipfw add nat 1"  .Pp  And on way in there should be something like this: 
@@ -4738,6 +4923,7 @@ can be changed in a similar way as for  .Sh SEE ALSO  .Xr cpp 1 ,  .Xr m4 1 , +.Xr fnmatch 3 ,  .Xr altq 4 ,  .Xr divert 4 ,  .Xr dummynet 4 , @@ -4818,7 +5004,7 @@ The syntax has grown over the years and sometimes it might be confusing.  Unfortunately, backward compatibility prevents cleaning up mistakes  made in the definition of the syntax.  .Pp -.Em !!! WARNING !!! +.Em !!! WARNING !!!\&  .Pp  Misconfiguring the firewall can put your computer in an unusable state,  possibly shutting down network services and requiring console access to | 
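Review bot: the new `skipto_cache` keyword added to the `enable`/`disable` shortcuts (hunk @@ -42,10) has no matching entry anywhere in this diff describing the sysctl variable it toggles, and the SYSCTL VARIABLES hunks further down do not add one; add an `.It Va` entry for it (name and default taken from the kernel source, not guessed) so a reader can tell what the shortcut changes and what the default is.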
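Review bot: in the rule-format synopsis (hunk @@ -579,7) the replacement `.Op Cm log Op log_opts` drops the `Ar` macro, so `log_opts` renders as plain text rather than as an argument placeholder; write `.Op Cm log Op Ar log_opts`. The name `log_opts` is also never defined: the option description still heads its item `.It Cm log Op Cm logamount Ar number`, so either introduce `log_opts` there as the combination of `logamount` and `logdst`, or keep spelling the options out in the synopsis as the old line did.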
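Review bot: missing article in "Unless per-rule log destination is specified by" (hunk @@ -696,8); write "Unless a per-rule log destination is specified with the .Cm logdst Ar logdst_spec option". The wording implies that `logdst` replaces the sysctl-driven default (bpf on ipfw0 or syslog depending on net.inet.ip.fw.verbose) rather than adding to it; say that explicitly, since an operator who relies on syslog for audit needs to know that a rule with `logdst ipfw0` alone will no longer reach syslogd.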
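Review bot: the new item head `.It Cm log Oo` / `.Cm logamount Ar number` / `.Oc Cm logdst Ar logdst_spec` (hunk @@ -745,6) opens `Oo` on the `.It` line and closes it two lines later; an `.It` head ends at end of line, so run `mandoc -T lint` on this and keep the head on one line: `.It Cm log Oo Cm logamount Ar number Oc Cm logdst Ar logdst_spec`. This also leaves two `.It Cm log` entries for one keyword; merging them into one item avoids readers stopping at the first. In the same hunk, "upto" should be "up to", "I.e. A packet" should be "i.e., a packet", and `syslog`, `ipfw0` and `rtsock` are keywords that belong in `.Cm`, not `.Ar`. Pointing readers at the comments of `ipfw_log_rtsock` for the message structure leaves the format consumed by `ipfw internal monitor` undocumented in the manual; a short description of the message layout, or at least a note that it is not a stable interface, would be better.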
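Review bot: "As tags, mark is "sticky"" (hunk @@ -793,6) reads as "like tags", and "compared with bitwise mask applied against another value" does not say what is masked. Suggested: "Like tags, the mark is "sticky": it is kept while the packet stays in the kernel and lost when the packet leaves it. Unlike tags, the mark can be used as a lookup table key or compared, after applying a bitmask, with a given value." The head `.It Cm setmark Ar value | tablearg` should mark the keyword as `Cm tablearg`, as the other items that accept it do.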
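Review bot: `.It Cm unreach Ar code Op mtu` (hunk @@ -1080,7) lacks `Ar` on `mtu`; write `Op Ar mtu`. The follow-up text in hunk @@ -1093,6 should also say what happens when `mtu` is given with a code other than `needfrag` (ignored or rejected) and which range is accepted, since the value is placed in the ICMP "fragmentation needed" message that the peer's path MTU discovery acts on; "put into generated ICMP packet" also needs "the".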
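Review bot: the value-type list in hunk @@ -1368,11 attaches commas to the `.Ar` arguments (`.Ar skipto, pipe, fib, ...`), so mdoc treats "skipto," as one word; separate punctuation with spaces (`.Ar skipto , pipe , ...` and `.Ar mark .`). The blank input line after `.Ar mark.` should be `.Pp` or removed, since mandoc warns on empty lines. The list names `nh4` while the LOOKUP TABLES value-type list in hunk @@ -2340,7 uses `ipv4` and now adds `ipv6` and `mark`; use the same names in both places and include the IPv6 nexthop type here if `valtype=value` accepts it.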
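Review bot: the `.It Cm lookup Bro Cm dst-ip | ... | uid |` head (hunk @@ -1837,7) is split across two lines with `Bro` opened on the first and `Brc` on the second; as with any `.It`, the head ends at end of line, so the second line will render as body text. Keep the head on one line (long macro lines are fine in mdoc) and check with `mandoc -T lint`. The hunk adds `dscp`, `mark` and `rulenum` as lookup keys, but the visible context adds no sentence saying what each new key looks up (in particular what `rulenum` refers to); the description under this item should cover them.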
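Review bot: "f.e. tun*" (hunk @@ -1910,13) should be "e.g., tun*", and the broken line "Interface" / "name may be matched" should be joined. Because this replaces the plain `if*` prefix match with fnmatch(3) patterns, `?` and `[...]` are now special in interface names; say so explicitly, and say whether a literal `?` or `[` in an interface name can be escaped, since an existing rule written for the old prefix semantics may now match a different set of interfaces.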
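Review bot: `.It Cm mark Ar value[:bitmask] | tablearg[:bitmask]` (hunk @@ -1998,6) puts brackets and the `tablearg` keyword inside a single `.Ar`; use mdoc markup instead: `.It Cm mark Ar value Ns Oo : Ns Ar bitmask Oc | Cm tablearg Ns Oo : Ns Ar bitmask Oc`. The sentence "Matches packets whose mark is equal to value with optional bitmask applied to it" does not say what is masked; state whether the comparison is (packet mark AND bitmask) == value or (packet mark AND bitmask) == (value AND bitmask), and that all 32 bits are compared when no bitmask is given.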
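Review bot: the Gilbert-Elliott text (hunk @@ -2980,12) never states the direction of `p` and `r` in words; the diagram puts p on the G to B edge and r on the B to G edge, so add "p is the probability of moving from Good to Bad and r from Bad to Good". The argument order `K,p,H,r` interleaves drop and transition probabilities, which is easy to get wrong on the command line; one sentence tying each position to its meaning would help. `.Ed` is directly followed by prose; add `.Pp` after it.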
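Review bot: the reflow in hunk @@ -3120,8 keeps the pre-existing slip "which specifies is the weight of queue delay trend"; drop the stray "is" while touching the line ("which specifies the weight of the queue delay trend").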
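Review bot: "appplications" (hunk @@ -3307,8) is misspelled. The paragraph also mixes RFC 4787 mapping with filtering: endpoint-independent mapping (section 4.1) only says the same internal address:port gets the same external address:port; whether other external peers can send through that mapping is filtering behaviour (section 5), which is what the "any other external address:port can also send" sentence describes, and "full cone" in RFC 3489 terms is the combination of both. Splitting the two ideas and stating plainly that with `udp_eim` set and `deny_in` unset the mapped port is reachable from any external source makes the exposure clearer to someone deciding whether to enable it; "but less scalable as" should read "but is less scalable, as".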
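Review bot: hunks @@ -3702,6, @@ -4095,12 and @@ -4117,10 move the `net.inet.ip.fw.enable`, `net.inet6.ip6.fw.enable` and `net.link.ether.ipfw` entries verbatim to the head of the sysctl list, which is otherwise roughly alphabetical within each prefix; if the intent is to list the master switches first, a lead sentence saying so keeps the ordering of the rest understandable.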
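Review bot: in the `monitor` description (hunk @@ -4164,6) the commas in "socket, that were logged" and "messages, that were logged" introduce restrictive clauses and should go, and "opcode. Optional" starts a sentence mid-line against the one-sentence-per-line mdoc convention; `rtsock` is a keyword and should be `Cm`, consistent with the `logdst` keywords. Suggested: "Capture messages from the .Xr route 4 socket that were logged by rules using the .Cm log logdst rtsock option." / "An optional .Ar filter-comment shows only messages logged by rules carrying that comment."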
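Review bot: the VLAN example (hunk @@ -4215,6) says "going out to vlans 100-1000", but `vlan[1-9]??` under fnmatch(3) matches any three-character suffix whose first character is 1-9, not only digits (vlan1ab would match too); for a rule that permits traffic, the tighter `vlan[1-9][0-9][0-9]` states the intent exactly and avoids matching unexpected interface names. "coming from single vlan 10" should read "coming from a single VLAN, vlan10".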
