| author | luigi <luigi@FreeBSD.org> | 2002-10-28 07:24:58 +0000 |
|---|---|---|
| committer | luigi <luigi@FreeBSD.org> | 2002-10-28 07:24:58 +0000 |
| commit | c7d5ab33a3ae1e59f9a7594070cdbf98edfc5a2b (patch) | |
| tree | 2039c0912cd5ef9fb515e51a74018181c77364ec /share/man/man4/ipfirewall.4 | |
| parent | aec5e7f4658744e50172f4eef28be00b0c011654 (diff) | |
| download | FreeBSD-src-c7d5ab33a3ae1e59f9a7594070cdbf98edfc5a2b.zip FreeBSD-src-c7d5ab33a3ae1e59f9a7594070cdbf98edfc5a2b.tar.gz | |
Remove stale information from these two manpages, and point the readers
to the one up-to-date page, which is ipfw(8).
MFC after: 3 days
Diffstat (limited to 'share/man/man4/ipfirewall.4')
-rw-r--r-- | share/man/man4/ipfirewall.4 | 183 |
1 files changed, 17 insertions, 166 deletions
diff --git a/share/man/man4/ipfirewall.4 b/share/man/man4/ipfirewall.4 index 14c714c..3b4a6a6 100644 --- a/share/man/man4/ipfirewall.4 +++ b/share/man/man4/ipfirewall.4 
@@ -2,121 +2,31 @@ .\" $FreeBSD$ .\" .Dd June 22, 1997 -.Dt IPFIREWALL 4 +.Dt IPFW 4 .Os .Sh NAME -.Nm ipfirewall +.Nm ipfw .Nd IP packet filter and traffic accounting -.Sh SYNOPSIS -.In sys/types.h -.In sys/queue.h -.In netinet/in.h -.In netinet/ip_fw.h -.Ft int -.Fn setsockopt raw_socket IPPROTO_IP "ipfw option" "struct ipfw" size .Sh DESCRIPTION -Ipfirewall (alias ipfw) is a system facility which allows filtering, +.Em ipfw +is a system facility which allows filtering, redirecting, and other operations on IP packets travelling through system interfaces. -Packets are matched by applying an ordered list -of pattern rules against each packet until a match is found, at -which point the corresponding action is taken. -Rules are numbered -from 1 to 65534; multiple rules may share the same number. .Pp -There is one rule that always exists, rule number 65535. -This rule -normally causes all packets to be dropped. -Hence, any packet which does not -match a lower numbered rule will be dropped. However, a kernel compile -time option -.Dv IPFIREWALL_DEFAULT_TO_ACCEPT -allows the administrator to change this fixed rule to permit everything. +The user interface for +.Em ipfw +is implemented by the +.Nm ipfw +program, so the reader is referred to the +.Xr ipfw 8 +manpage for a complete description of the capabilities of +.Em ipfw +and how to use it. .Pp -The value passed to -.Fn setsockopt -is a struct ip_fw describing the rule (see below). -In some cases -(such as -.Dv IP_FW_DEL ) , -only the rule number is significant. -.Ss Commands -The following socket options are used to manage the rule list: -.Bl -tag -width "IP_FW_FLUSH" -.It Dv IP_FW_ADD -inserts the rule into the rule list -.It Dv IP_FW_DEL -deletes all rules having the matching rule number -.It Dv IP_FW_GET -returns the (first) rule having the matching rule number -.It Dv IP_FW_ZERO -zeros the statistics associated with all rules having the -matching rule number. -If the rule number is zero, all rules are zeroed. 
-.It Dv IP_FW_FLUSH -removes all rules (except 65535). -.El -.Pp -When the kernel security level is greater than 2, only -.Dv IP_FW_GET -is allowed. -.Ss Rule Structure -Rules are described by the structures in ip_fw.h. -.Ss Rule Actions -Each rule has an action described by the IP_FW_F_COMMAND bits in the -flags word: -.Bl -tag -width "IP_FW_F_DIVERT" -.It Dv IP_FW_F_DENY -Drop packet and stop processing. -.It Dv IP_FW_F_REJECT -drop packet; send rejection via ICMP or TCP and stop processing. -.It Dv IP_FW_F_ACCEPT -accept packet and stop processing. -.It Dv IP_FW_F_COUNT -increment counters; continue matching -.It Dv IP_FW_F_DIVERT -divert packet to a -.Xr divert 4 -socket and stop processing. -.It Dv IP_FW_F_TEE -Send a copy of this packet to a -.Xr divert 4 -socket and continue processing the original packet at the next rule. -.It Dv IP_FW_F_SKIPTO -skip to rule number -.Va fu_skipto_rule -At this time the target rule number must be greater than the active rule number. -.It Dv IP_FW_F_PIPE -The packet is marked for the use of -.Xr dummynet 4 , -and processing stopped. -.It Dv IP_FW_F_QUEUE -The packet is marked for the use of -.Xr dummynet 4 , -and processing stopped. -.It Dv IP_FW_F_FWD -The packet is accepted but the destination is hijacked. (see -.Xr ipfw 8 ) -.El -.Pp -In the case of -.Dv IP_FW_F_REJECT , -if the -.Va fu_reject_code -is a number -from 0 to 255, then an ICMP unreachable packet is sent back to the -original packet's source IP address, with the corresponding code. -Otherwise, the value must be 256 and the protocol -.Dv IPPROTO_TCP , -in which case a TCP reset packet is sent instead. -.Pp -With -.Dv IP_FW_F_SKIPTO , -all succeeding rules having rule number less -than -.Va fu_skipto_rule -are skipped. 
-.Ss Kernel Options +.Sh KERNEL OPTIONS +The following options in the kernel configuration file are related to +.Em ipfw +operation: Options in the kernel configuration file: .Bl -tag -width "options IPFIREWALL_VERBOSE_LIMIT" .It Cd options IPFIREWALL @@ -132,49 +42,6 @@ enable sockets .El .Pp -When packets match a rule with the -.Dv IP_FW_F_PRN -bit set, and if -.Dv IPFIREWALL_VERBOSE -has been enabled, -a message is written to -.Pa /dev/klog -with the -.Dv LOG_SECURITY -facility -(see -.Xr syslog 3 ) -for further logging by -.Xr syslogd 8 ; -.Dv IPFIREWALL_VERBOSE_LIMIT -limits the maximum number of times each -rule can cause a log message. -These variables are also -available via the -.Xr sysctl 3 -interface. -.Sh RETURN VALUES -The -.Fn setsockopt -function returns 0 on success. -Otherwise, -1 is returned and the global variable -.Va errno -is set to indicate the error. -.Sh ERRORS -The -.Fn setsockopt -function will fail if: -.Bl -tag -width Er -.It Bq Er EINVAL -The IP option field was improperly formed; -an option field was shorter than the minimum value -or longer than the option buffer provided. -.It Bq Er EINVAL -A structural error in ip_fw structure occurred -(n_src_p+n_dst_p too big, ports set for ALL/ICMP protocols etc.). -.It Bq Er EINVAL -An invalid rule number was used. -.El .Sh SEE ALSO .Xr setsockopt 2 , .Xr divert 4 , @@ -182,19 +49,3 @@ An invalid rule number was used. .Xr ipfw 8 , .Xr sysctl 8 , .Xr syslogd 8 -.Sh BUGS -This man page still needs work. -.Sh HISTORY -The ipfw facility was initially written as package to BSDI -by -.An Daniel Boulet -.Aq danny@BouletFermat.ab.ca . -It has been heavily modified and ported to -.Fx -by -.An Ugen J.S. Antsilevich -.Aq ugen@NetVision.net.il . -.Pp -Several enhancements added by -.An Archie Cobbs -.Aq archie@FreeBSD.org . |
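Review bot: in the first hunk (@@ -2,121 +2,31 @@) the new title `.Dt IPFW 4` no longer matches the file name share/man/man4/ipfirewall.4, so `man 4 ipfirewall` and `man 4 ipfw` will not both resolve unless the file is renamed to ipfw.4 with an MLINKS entry for ipfirewall (or the `.Dt` is left as IPFIREWALL). The same hunk also keeps the unchanged context line `Options in the kernel configuration file:` right after the added `+operation:` line, so the rendered KERNEL OPTIONS section introduces the list twice in a row; drop the old lead-in. Finally, `.Dd June 22, 1997` is untouched although most of the page is rewritten; bump the date.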
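Review bot: the second hunk (@@ -132,49 +42,6 @@) deletes the only explanation of what IPFIREWALL_VERBOSE and IPFIREWALL_VERBOSE_LIMIT do (log messages to /dev/klog under the LOG_SECURITY facility, the per-rule cap on log messages, and the sysctl equivalents) while the list's `-width "options IPFIREWALL_VERBOSE_LIMIT"` suggests the option itself is still listed, and it leaves `.Xr setsockopt 2` in SEE ALSO even though the SYNOPSIS built around setsockopt is removed in the first hunk. Add a short pointer from the KERNEL OPTIONS entries to where ipfw(8) documents logging and the log limit, and drop setsockopt(2) from SEE ALSO unless this page still describes the socket interface.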
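Review bot: the third hunk (@@ -182,19 +49,3 @@) removes the HISTORY section, and with it the attribution to Daniel Boulet, Ugen J.S. Antsilevich and Archie Cobbs, together with the stale BUGS section. The credits are not stale information; either keep `.Sh HISTORY` here or move it into ipfw(8) in the same commit so the authorship is not lost.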