ipfw.8 (163184) ipfw.8 (165648)
1.\"
1.\"
2.\" $FreeBSD: head/sbin/ipfw/ipfw.8 163184 2006-10-09 22:12:08Z trhodes $
2.\" $FreeBSD: head/sbin/ipfw/ipfw.8 165648 2006-12-29 21:59:17Z piso $
3.\"
4.Dd July 25, 2006
5.Dt IPFW 8
6.Os
7.Sh NAME
8.Nm ipfw
9.Nd IP firewall and traffic shaper control program
10.Sh SYNOPSIS

--- 2019 unchanged lines hidden (view full) ---

2030.Sh PACKET DIVERSION
2031A
2032.Xr divert 4
2033socket bound to the specified port will receive all packets
2034diverted to that port.
2035If no socket is bound to the destination port, or if the divert module is
2036not loaded, or if the kernel was not compiled with divert socket support,
2037the packets are dropped.
3.\"
4.Dd July 25, 2006
5.Dt IPFW 8
6.Os
7.Sh NAME
8.Nm ipfw
9.Nd IP firewall and traffic shaper control program
10.Sh SYNOPSIS

--- 2019 unchanged lines hidden (view full) ---

2030.Sh PACKET DIVERSION
2031A
2032.Xr divert 4
2033socket bound to the specified port will receive all packets
2034diverted to that port.
2035If no socket is bound to the destination port, or if the divert module is
2036not loaded, or if the kernel was not compiled with divert socket support,
2037the packets are dropped.
2038.Sh NETWORK ADDRESS TRANSLATION (NAT)
2039The nat configuration command is the following:
2040.Bd -ragged -offset indent
2041.Bk -words
2042.Cm nat
2043.Ar nat_number
2044.Cm config
2045.Ar nat-configuration
2046.Ek
2047.Ed
2048.Pp
2049.
2050The following parameters can be configured:
2051.Bl -tag -width indent
2052.It Cm ip Ar ip_address
2053Define an ip address to use for aliasing.
2054.It Cm if Ar nic
2055Use ip addres of NIC for aliasing, dynamically changing
2056it if NIC's ip address change.
2057.It Cm log
2058Enable logging on this nat instance.
2059.It Cm deny_in
2060Deny any incoming connection from outside world.
2061.It Cm same_ports
2062Try to leave the alias port numbers unchanged from
2063the actual local port numbers.
2064.It Cm unreg_only
2065Traffic on the local network not originating from an
2066unregistered address spaces will be ignored.
2067.It Cm reset
2068Reset table of the packet aliasing engine on address change.
2069.It Cm reverse
2070Reverse the way libalias handles aliasing.
2071.It Cm proxy_only
2072Obey transparent proxy rules only, packet aliasing is not performed.
2073.El
2074.Pp
2075To let the packet continue after being (de)aliased, set the sysctl variable
2076.Em net.inet.ip.fw.one_pass
2077to 0.
2078For more information about aliasing modes, refer to
2079.Xr libalias 3
2080.
2081See Section
2082.Sx EXAMPLES
2083for some examples about nat usage.
2084.Sh REDIRECT AND LSNAT SUPPORT IN IPFW
2085Redirect and LSNAT support follow closely the syntax used in
2086.Xr natd 8
2087.
2088See Section
2089.Sx EXAMPLES
2090for some examples on how to do redirect and lsnat.
2038.Sh SYSCTL VARIABLES
2039A set of
2040.Xr sysctl 8
2041variables controls the behaviour of the firewall and
2042associated modules
2043.Pq Nm dummynet , bridge .
2044These are shown below together with their default value
2045(but always check with the

--- 372 unchanged lines hidden (view full) ---

2418.Dl "ipfw add NN set 18 ... # repeat as needed"
2419.Dl "ipfw set enable 18; echo done; sleep 30 && ipfw set disable 18"
2420.Pp
2421Here if everything goes well, you press control-C before the "sleep"
2422terminates, and your ruleset will be left active.
2423Otherwise, e.g.\& if
2424you cannot access your box, the ruleset will be disabled after
2425the sleep terminates thus restoring the previous situation.
2091.Sh SYSCTL VARIABLES
2092A set of
2093.Xr sysctl 8
2094variables controls the behaviour of the firewall and
2095associated modules
2096.Pq Nm dummynet , bridge .
2097These are shown below together with their default value
2098(but always check with the

--- 372 unchanged lines hidden (view full) ---

2471.Dl "ipfw add NN set 18 ... # repeat as needed"
2472.Dl "ipfw set enable 18; echo done; sleep 30 && ipfw set disable 18"
2473.Pp
2474Here if everything goes well, you press control-C before the "sleep"
2475terminates, and your ruleset will be left active.
2476Otherwise, e.g.\& if
2477you cannot access your box, the ruleset will be disabled after
2478the sleep terminates thus restoring the previous situation.
2479.Ss NAT, REDIRECT AND LSNAT
2480First redirect all the traffic to nat instance 123:
2481.Pp
2482.Dl "ipfw add nat 123 all from any to any"
2483.Pp
2484Then to configure nat instance 123 to alias all the outgoing traffic with ip
2485192.168.0.123, blocking all incoming connections, trying to keep
2486same ports on both sides, clearing aliasing table on address change
2487and keeping a log of traffic/link statistics:
2488.Pp
2489.Dl "ipfw nat 123 config ip 192.168.0.123 log deny_in reset same_ports"
2490.Pp
2491Or to change address of instance 123, aliasing table will be cleared (see
2492reset option):
2493.Pp
2494.Dl "ipfw nat 123 config ip 10.0.0.1"
2495.Pp
2496To see configuration of nat instance 123:
2497.Pp
2498.Dl "ipfw nat 123 show config"
2499.Pp
2500To show logs of all the instances in range 111-999:
2501.Pp
2502.Dl "ipfw nat 111-999 show"
2503.Pp
2504To see configurations of all instances:
2505.Pp
2506.Dl "ipfw nat show config"
2507.Pp
2508Or a redirect rule with mixed modes could looks like:
2509.Pp
2510.Dl "ipfw nat 123 config redirect_addr 10.0.0.1 10.0.0.66"
2511.Dl " redirect_port tcp 192.168.0.1:80 500"
2512.Dl " redirect_proto udp 192.168.1.43 192.168.1.1"
2513.Dl " redirect_addr 192.168.0.10,192.168.0.11"
2514.Dl " 10.0.0.100 # LSNAT"
2515.Dl " redirect_port tcp 192.168.0.1:80,192.168.0.10:22"
2516.Dl " 500 # LSNAT"
2517.Pp
2518or it could be splitted in:
2519.Pp
2520.Dl "ipfw nat 1 config redirect_addr 10.0.0.1 10.0.0.66"
2521.Dl "ipfw nat 2 config redirect_port tcp 192.168.0.1:80 500"
2522.Dl "ipfw nat 3 config redirect_proto udp 192.168.1.43 192.168.1.1"
2523.Dl "ipfw nat 4 config redirect_addr 192.168.0.10,192.168.0.11,192.168.0.12"
2524.Dl " 10.0.0.100"
2525.Dl "ipfw nat 5 config redirect_port tcp"
2526.Dl " 192.168.0.1:80,192.168.0.10:22,192.168.0.20:25 500"
2527.Pp
2426.Sh SEE ALSO
2427.Xr cpp 1 ,
2428.Xr m4 1 ,
2429.Xr altq 4 ,
2430.Xr divert 4 ,
2431.Xr dummynet 4 ,
2432.Xr if_bridge 4 ,
2433.Xr ip 4 ,
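Review bot: the first example, `ipfw add nat 123 all from any to any`, hands every packet to the NAT instance, and the NAT section above says a packet continues past the nat rule only if net.inet.ip.fw.one_pass is 0; the example should state where this rule belongs relative to the filtering rules, or that one_pass must be 0, because a reader who adds it first will otherwise find that no later rule is ever reached and that the `deny_in` in the following config is the only inbound filtering still taking effect. Wording fixes in the same hunk: "Or to change address of instance 123, aliasing table will be cleared (see reset option):" reads better as "To change the address of instance 123 (the aliasing table is cleared; see the reset option):", "could looks like" should be "could look like", and "or it could be splitted in:" should be "or it could be split into:". Since the redirect_* keywords are not documented in the NAT parameter list, a short gloss of the first mixed-mode line would help, e.g. that `redirect_port tcp 192.168.0.1:80 500` exposes internal 192.168.0.1 port 80 on alias port 500.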

--- 25 unchanged lines hidden (view full) ---

2459.An Archie Cobbs ,
2460.An Luigi Rizzo .
2461.Pp
2462.An -nosplit
2463API based upon code written by
2464.An Daniel Boulet
2465for BSDI.
2466.Pp
2528.Sh SEE ALSO
2529.Xr cpp 1 ,
2530.Xr m4 1 ,
2531.Xr altq 4 ,
2532.Xr divert 4 ,
2533.Xr dummynet 4 ,
2534.Xr if_bridge 4 ,
2535.Xr ip 4 ,

--- 25 unchanged lines hidden (view full) ---

2561.An Archie Cobbs ,
2562.An Luigi Rizzo .
2563.Pp
2564.An -nosplit
2565API based upon code written by
2566.An Daniel Boulet
2567for BSDI.
2568.Pp
2569.An -nosplit
2570In-kernel NAT support written by
2571.An Paolo Pisati Aq piso@FreeBSD.org
2572as part of a Summer of Code 2005 project.
2573.Pp
2467Work on
2468.Xr dummynet 4
2469traffic shaper supported by Akamba Corp.
2470.Sh BUGS
2471Use of dummynet with IPv6 requires that debug.mpsafenet be set to 0.
2472.Pp
2473The syntax has grown over the years and sometimes it might be confusing.
2474Unfortunately, backward compatibility prevents cleaning up mistakes

--- 40 unchanged lines hidden (view full) ---

2515.Pp
2516Rules which use uid, gid or jail based matching should be used only
2517if debug.mpsafenet=0 to avoid possible deadlocks due to layering
2518violations in its implementation.
2519.Pp
2520Rule syntax is subject to the command line environment and some patterns
2521may need to be escaped with the backslash character
2522or quoted appropriately.
2574Work on
2575.Xr dummynet 4
2576traffic shaper supported by Akamba Corp.
2577.Sh BUGS
2578Use of dummynet with IPv6 requires that debug.mpsafenet be set to 0.
2579.Pp
2580The syntax has grown over the years and sometimes it might be confusing.
2581Unfortunately, backward compatibility prevents cleaning up mistakes

--- 40 unchanged lines hidden (view full) ---

2622.Pp
2623Rules which use uid, gid or jail based matching should be used only
2624if debug.mpsafenet=0 to avoid possible deadlocks due to layering
2625violations in its implementation.
2626.Pp
2627Rule syntax is subject to the command line environment and some patterns
2628may need to be escaped with the backslash character
2629or quoted appropriately.
2630.Pp
2631Due to the architecture of
2632.Xr libalias 3 ,
2633ipfw nat is not compatible with the tcp segmentation offloading
2634(TSO). Thus, to reliably nat your network traffic, please disable TSO
2635on your NICs using
2636.Xr ifconfig 8 .
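Review bot: mdoc wants each new sentence to begin on a new line, so "(TSO). Thus, to reliably nat your network traffic, please disable TSO" should break after "(TSO).", and while at it write "TCP segmentation offloading (TSO)" and "to reliably NAT your network traffic" in capitals and drop "please", which is out of register for a BUGS entry. Because someone configuring ipfw nat is unlikely to read BUGS first, a one-line cross-reference to this TSO limitation from the NETWORK ADDRESS TRANSLATION (NAT) section would be worth adding; an administrator who does not disable TSO otherwise has no hint in the configuration section that translation can fail.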