ipfw.8 (129629) | ipfw.8 (130281) |
---|---|
1.\" | 1.\" |
2.\" $FreeBSD: head/sbin/ipfw/ipfw.8 129629 2004-05-23 19:05:59Z maxim $ | 2.\" $FreeBSD: head/sbin/ipfw/ipfw.8 130281 2004-06-09 20:10:38Z ru $ |
3.\" | 3.\" |
4.Dd December 1, 2003 | 4.Dd June 9, 2004 |
5.Dt IPFW 8 6.Os 7.Sh NAME 8.Nm ipfw 9.Nd IP firewall and traffic shaper control program 10.Sh SYNOPSIS 11.Nm 12.Op Fl cq --- 25 unchanged lines hidden (view full) --- 38.Op Cm rule 39.Ar number Cm to Ar number 40.Nm 41.Cm set swap Ar number number 42.Nm 43.Cm set show 44.Pp 45.Nm | 5.Dt IPFW 8 6.Os 7.Sh NAME 8.Nm ipfw 9.Nd IP firewall and traffic shaper control program 10.Sh SYNOPSIS 11.Nm 12.Op Fl cq --- 25 unchanged lines hidden (view full) --- 38.Op Cm rule 39.Ar number Cm to Ar number 40.Nm 41.Cm set swap Ar number number 42.Nm 43.Cm set show 44.Pp 45.Nm |
46.Cm table Ar number Cm add Ar addr Ns Oo / Ns Ar masklen Oc Op Ar value 47.Nm 48.Cm table Ar number Cm delete Ar addr Ns Op / Ns Ar masklen 49.Nm 50.Cm table Ar number Cm flush 51.Nm 52.Cm table Ar number Cm list 53.Pp 54.Nm |
|
46.Brq Cm pipe | queue 47.Ar number 48.Cm config 49.Ar config-options 50.Nm 51.Op Fl s Op Ar field 52.Brq Cm pipe | queue 53.Brq Cm delete | list | show --- 699 unchanged lines hidden (view full) --- 753optionally followed by 754.Ar ports 755specifiers. 756.Pp 757The second format ( 758.Em or-block 759with multiple addresses) is provided for convenience only and 760its use is discouraged. | 55.Brq Cm pipe | queue 56.Ar number 57.Cm config 58.Ar config-options 59.Nm 60.Op Fl s Op Ar field 61.Brq Cm pipe | queue 62.Brq Cm delete | list | show --- 699 unchanged lines hidden (view full) --- 762optionally followed by 763.Ar ports 764specifiers. 765.Pp 766The second format ( 767.Em or-block 768with multiple addresses) is provided for convenience only and 769its use is discouraged. |
761.It Ar addr : Oo Cm not Oc Brq Cm any | me | Ar addr-list | Ar addr-set | 770.It Ar addr : Oo Cm not Oc Bro 771.Cm any | me | 772.Cm table Ns Pq Ar number Ns Op , Ns Ar value 773.Ar | addr-list | addr-set 774.Brc |
762.It Cm any 763matches any IP address. 764.It Cm me 765matches any IP address configured on an interface in the system. 766The address list is evaluated at the time the packet is 767analysed. | 775.It Cm any 776matches any IP address. 777.It Cm me 778matches any IP address configured on an interface in the system. 779The address list is evaluated at the time the packet is 780analysed. |
781.It Cm table Ns Pq Ar number Ns Op , Ns Ar value 782Matches any IP address for which an entry exists in the lookup table 783.Ar number . 784If an optional 32-bit unsigned 785.Ar value 786is also specified, an entry will match only if it has this value. 787See the 788.Sx LOOKUP TABLES 789section below for more information on lookup tables. |
|
768.It Ar addr-list : ip-addr Ns Op Ns , Ns Ar addr-list 769.It Ar ip-addr : 770A host or subnet address specified in one of the following ways: 771.Bl -tag -width indent 772.It Ar numeric-ip | hostname 773Matches a single IPv4 address, specified as dotted-quad or a hostname. 774Hostnames are resolved at the time the rule is added to the firewall list. 775.It Ar addr Ns / Ns Ar masklen --- 467 unchanged lines hidden (view full) --- 1243The name and functionality of the option is intentionally similar to 1244the Cisco IOS command: 1245.Pp 1246.Dl ip verify unicast source reachable-via any 1247.Pp 1248This option can be used to make anti-spoofing rules to reject all 1249packets whose source address is unreachable. 1250.El | 790.It Ar addr-list : ip-addr Ns Op Ns , Ns Ar addr-list 791.It Ar ip-addr : 792A host or subnet address specified in one of the following ways: 793.Bl -tag -width indent 794.It Ar numeric-ip | hostname 795Matches a single IPv4 address, specified as dotted-quad or a hostname. 796Hostnames are resolved at the time the rule is added to the firewall list. 797.It Ar addr Ns / Ns Ar masklen --- 467 unchanged lines hidden (view full) --- 1265The name and functionality of the option is intentionally similar to 1266the Cisco IOS command: 1267.Pp 1268.Dl ip verify unicast source reachable-via any 1269.Pp 1270This option can be used to make anti-spoofing rules to reject all 1271packets whose source address is unreachable. 1272.El |
1273.Sh LOOKUP TABLES 1274Lookup tables are useful to handle large sparse address sets, 1275typically from a hundred to several thousands of entries. 1276There could be 128 different lookup tables, numbered 0 to 127. 1277.Pp 1278Each entry is represented by an 1279.Ar addr Ns Op / Ns Ar masklen 1280and will match all addresses with base 1281.Ar addr 1282(specified as a dotted quad or a hostname) 1283and mask width of 1284.Ar masklen 1285bits. 1286If 1287.Ar masklen 1288is not specified, it defaults to 32. 1289When looking up an IP address in a table, the most specific 1290entry will match. 1291Associated with each entry is a 32-bit unsigned 1292.Ar value , 1293which can optionally be checked by a rule matching code. 1294When adding an entry, if 1295.Ar value 1296is not specified, it defaults to 0. 1297.Pp 1298An entry can be added to a table 1299.Pq Cm add , 1300removed from a table 1301.Pq Cm delete , 1302a table can be examined 1303.Pq Cm list 1304or flushed 1305.Pq Cm flush . 1306.Pp 1307Internally, each table is stored in a Radix tree, the same way as 1308the routing table (see 1309.Xr route 4 ) . |
|
1251.Sh SETS OF RULES 1252Each rule belongs to one of 32 different 1253.Em sets 1254, numbered 0 to 31. 1255Set 31 is reserved for the default rule. 1256.Pp 1257By default, rules are put in set 0, unless you use the 1258.Cm set N --- 975 unchanged lines hidden --- | 1310.Sh SETS OF RULES 1311Each rule belongs to one of 32 different 1312.Em sets 1313, numbered 0 to 31. 1314Set 31 is reserved for the default rule. 1315.Pp 1316By default, rules are put in set 0, unless you use the 1317.Cm set N --- 975 unchanged lines hidden --- |
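Review bot: the new `table` forms in the right-hand SYNOPSIS (lines 46 to 52) give `Ar number` with no hint of the valid range; the LOOKUP TABLES section later limits it to 0 through 127, but the synopsis is what readers look at first, so either state the range there or cross-reference the section. The `delete` form at line 48 also takes `addr[/masklen]` while the section text says an unspecified masklen defaults to 32; it should say explicitly whether that default applies to `delete` as well, since otherwise an administrator removing a `/24` entry without writing `/24` may be targeting a different (`/32`) entry than intended.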
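Review bot: the new `table` entry at right-hand line 782 starts with "Matches any IP address", but the neighbouring `.It` entries in the same list (lines 776 and 778) start lowercase ("matches any IP address"); pick one convention for the list. The value semantics at lines 784 to 786 would benefit from one sentence tying them to the `add` default: since an entry added without a `value` gets 0 (line 1296), `table(number,0)` matches exactly those entries, and entries added with a nonzero value are skipped by it.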
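Review bot: two wording fixes in LOOKUP TABLES: line 1276 "There could be 128 different lookup tables" should read "There may be up to 128 lookup tables", and line 1275 "several thousands of entries" should be "several thousand entries"; line 1293 "checked by a rule matching code" should be "checked by the rule-matching code". A documentation gap: line 1282 allows an entry's base address to be given as a hostname, but unlike the `ip-addr` text at line 796 ("resolved at the time the rule is added"), the section never says when a table hostname is resolved or that `list` shows the stored address rather than the name; state it, because anyone auditing a table listing needs to know the name is not re-resolved later. Finally, line 1289 says the most specific entry matches; it is worth spelling out that the optional value check then applies only to that one entry, so a `/32` entry carrying a different value than the enclosing `/24` will prevent `table(number,value)` from matching that host via the `/24`.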