ipfw.8 (129629) ipfw.8 (130281)
1.\"
1.\"
2.\" $FreeBSD: head/sbin/ipfw/ipfw.8 129629 2004-05-23 19:05:59Z maxim $
2.\" $FreeBSD: head/sbin/ipfw/ipfw.8 130281 2004-06-09 20:10:38Z ru $
3.\"
3.\"
4.Dd December 1, 2003
4.Dd June 9, 2004
5.Dt IPFW 8
6.Os
7.Sh NAME
8.Nm ipfw
9.Nd IP firewall and traffic shaper control program
10.Sh SYNOPSIS
11.Nm
12.Op Fl cq

--- 25 unchanged lines hidden (view full) ---

38.Op Cm rule
39.Ar number Cm to Ar number
40.Nm
41.Cm set swap Ar number number
42.Nm
43.Cm set show
44.Pp
45.Nm
5.Dt IPFW 8
6.Os
7.Sh NAME
8.Nm ipfw
9.Nd IP firewall and traffic shaper control program
10.Sh SYNOPSIS
11.Nm
12.Op Fl cq

--- 25 unchanged lines hidden (view full) ---

38.Op Cm rule
39.Ar number Cm to Ar number
40.Nm
41.Cm set swap Ar number number
42.Nm
43.Cm set show
44.Pp
45.Nm
46.Cm table Ar number Cm add Ar addr Ns Oo / Ns Ar masklen Oc Op Ar value
47.Nm
48.Cm table Ar number Cm delete Ar addr Ns Op / Ns Ar masklen
49.Nm
50.Cm table Ar number Cm flush
51.Nm
52.Cm table Ar number Cm list
53.Pp
54.Nm
46.Brq Cm pipe | queue
47.Ar number
48.Cm config
49.Ar config-options
50.Nm
51.Op Fl s Op Ar field
52.Brq Cm pipe | queue
53.Brq Cm delete | list | show
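Review bot: the new `table number add addr[/masklen] [value]` form at line 46 leaves open what happens when an entry with the same `addr/masklen` already exists (is the stored value replaced, or is the add rejected?), and neither this SYNOPSIS entry nor the new LOOKUP TABLES text says so; please state the behaviour, because a silently replaced value changes which rules a `table(number,value)` operand will match. The `delete` form at line 48 should likewise say whether the `value` is ignored when removing, since it takes only `addr[/masklen]`.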

--- 699 unchanged lines hidden (view full) ---

753optionally followed by
754.Ar ports
755specifiers.
756.Pp
757The second format (
758.Em or-block
759with multiple addresses) is provided for convenience only and
760its use is discouraged.
55.Brq Cm pipe | queue
56.Ar number
57.Cm config
58.Ar config-options
59.Nm
60.Op Fl s Op Ar field
61.Brq Cm pipe | queue
62.Brq Cm delete | list | show

--- 699 unchanged lines hidden (view full) ---

762optionally followed by
763.Ar ports
764specifiers.
765.Pp
766The second format (
767.Em or-block
768with multiple addresses) is provided for convenience only and
769its use is discouraged.
761.It Ar addr : Oo Cm not Oc Brq Cm any | me | Ar addr-list | Ar addr-set
770.It Ar addr : Oo Cm not Oc Bro
771.Cm any | me |
772.Cm table Ns Pq Ar number Ns Op , Ns Ar value
773.Ar | addr-list | addr-set
774.Brc
762.It Cm any
763matches any IP address.
764.It Cm me
765matches any IP address configured on an interface in the system.
766The address list is evaluated at the time the packet is
767analysed.
775.It Cm any
776matches any IP address.
777.It Cm me
778matches any IP address configured on an interface in the system.
779The address list is evaluated at the time the packet is
780analysed.
781.It Cm table Ns Pq Ar number Ns Op , Ns Ar value
782Matches any IP address for which an entry exists in the lookup table
783.Ar number .
784If an optional 32-bit unsigned
785.Ar value
786is also specified, an entry will match only if it has this value.
787See the
788.Sx LOOKUP TABLES
789section below for more information on lookup tables.
768.It Ar addr-list : ip-addr Ns Op Ns , Ns Ar addr-list
769.It Ar ip-addr :
770A host or subnet address specified in one of the following ways:
771.Bl -tag -width indent
772.It Ar numeric-ip | hostname
773Matches a single IPv4 address, specified as dotted-quad or a hostname.
774Hostnames are resolved at the time the rule is added to the firewall list.
775.It Ar addr Ns / Ns Ar masklen
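Review bot: in the grammar at lines 770-774, `table(number[,value])` is an alternative to `addr-list` and `addr-set` rather than a member of them, so a table lookup apparently cannot be combined with other addresses in a single operand, yet the description at lines 781-789 never says this; either state it explicitly or, if the implementation does accept a table inside a list, move the alternative into `addr-list` at line 790. Also, line 784 calls `value` optional but only line 786 implies the comparison is equality with the entry's stored 32-bit value; a short `.Dl` example showing the operand inside a rule would make the `table(number,value)` syntax much clearer than the prose alone.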

--- 467 unchanged lines hidden (view full) ---

1243The name and functionality of the option is intentionally similar to
1244the Cisco IOS command:
1245.Pp
1246.Dl ip verify unicast source reachable-via any
1247.Pp
1248This option can be used to make anti-spoofing rules to reject all
1249packets whose source address is unreachable.
1250.El
790.It Ar addr-list : ip-addr Ns Op Ns , Ns Ar addr-list
791.It Ar ip-addr :
792A host or subnet address specified in one of the following ways:
793.Bl -tag -width indent
794.It Ar numeric-ip | hostname
795Matches a single IPv4 address, specified as dotted-quad or a hostname.
796Hostnames are resolved at the time the rule is added to the firewall list.
797.It Ar addr Ns / Ns Ar masklen

--- 467 unchanged lines hidden (view full) ---

1265The name and functionality of the option is intentionally similar to
1266the Cisco IOS command:
1267.Pp
1268.Dl ip verify unicast source reachable-via any
1269.Pp
1270This option can be used to make anti-spoofing rules to reject all
1271packets whose source address is unreachable.
1272.El
1273.Sh LOOKUP TABLES
1274Lookup tables are useful to handle large sparse address sets,
1275typically from a hundred to several thousands of entries.
1276There could be 128 different lookup tables, numbered 0 to 127.
1277.Pp
1278Each entry is represented by an
1279.Ar addr Ns Op / Ns Ar masklen
1280and will match all addresses with base
1281.Ar addr
1282(specified as a dotted quad or a hostname)
1283and mask width of
1284.Ar masklen
1285bits.
1286If
1287.Ar masklen
1288is not specified, it defaults to 32.
1289When looking up an IP address in a table, the most specific
1290entry will match.
1291Associated with each entry is a 32-bit unsigned
1292.Ar value ,
1293which can optionally be checked by a rule matching code.
1294When adding an entry, if
1295.Ar value
1296is not specified, it defaults to 0.
1297.Pp
1298An entry can be added to a table
1299.Pq Cm add ,
1300removed from a table
1301.Pq Cm delete ,
1302a table can be examined
1303.Pq Cm list
1304or flushed
1305.Pq Cm flush .
1306.Pp
1307Internally, each table is stored in a Radix tree, the same way as
1308the routing table (see
1309.Xr route 4 ) .
1251.Sh SETS OF RULES
1252Each rule belongs to one of 32 different
1253.Em sets
1254, numbered 0 to 31.
1255Set 31 is reserved for the default rule.
1256.Pp
1257By default, rules are put in set 0, unless you use the
1258.Cm set N

--- 975 unchanged lines hidden ---
1310.Sh SETS OF RULES
1311Each rule belongs to one of 32 different
1312.Em sets
1313, numbered 0 to 31.
1314Set 31 is reserved for the default rule.
1315.Pp
1316By default, rules are put in set 0, unless you use the
1317.Cm set N
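Review bot: line 1282 says a table entry's `addr` may be given as a hostname, but unlike line 796 for rule addresses, the section never says when the name is resolved; add the equivalent sentence (presumably at the time the entry is added, as for rules) so readers know the table stores fixed addresses and is not re-resolved at match time. Second, lines 1289-1290 say the most specific entry wins while line 786 says an entry matches only if its value equals the one given in the rule; the text should say whether a rule with a `value` fails outright when the most specific entry carries a different value or falls back to a less specific entry, since the two readings give different policy results. Minor wording: line 1276 "There could be 128 different lookup tables" reads better as "There can be up to 128 lookup tables", and line 1293 "by a rule matching code" should be "by the rule matching code".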

--- 975 unchanged lines hidden ---