author:    danger <danger@FreeBSD.org> 2006-09-01 08:50:05 +0000
committer: danger <danger@FreeBSD.org> 2006-09-01 08:50:05 +0000
commit:    af0355747f7985b0e372391f753f85ab6dec302a
tree:      d13cd506bf6b19ca58f44dc8a6b836c69012a725 /share
parent:    2228e9607e08c2d160f2e1e4209f97fe703d45e0
- Move available kernel options to SYNOPSIS, describe how to enable ipfw
  from within rc.conf.
- Remove IPDIVERT kernel option
- Add notes about IPFIREWALL_DEFAULT_TO_ACCEPT and IPFIREWALL_FORWARD

Reviewed by:    ru
Approved by:    keramida (mentor), trhodes (mentor)
MFC after:      1 week
Diffstat (limited to 'share')
-rw-r--r--  share/man/man4/ipfirewall.4 | 86
1 file changed, 63 insertions, 23 deletions
diff --git a/share/man/man4/ipfirewall.4 b/share/man/man4/ipfirewall.4
index 578a42a..928802e 100644
--- a/share/man/man4/ipfirewall.4
+++ b/share/man/man4/ipfirewall.4
@@ -1,12 +1,39 @@
.\"
.\" $FreeBSD$
.\"
-.Dd October 28, 2002
+.Dd September 1, 2006
.Dt IPFW 4
.Os
.Sh NAME
.Nm ipfw
.Nd IP packet filter and traffic accounting
+.Sh SYNOPSIS
+To compile
+.Ns Nm
+into the kernel, place the following option in the kernel configuration
+file:
+.Bd -ragged -offset indent
+.Cd "options IPFIREWALL"
+.Ed
+.Pp
+Other kernel options related to
+.Ns Nm
+which may also be useful are:
+.Bd -ragged -offset indent
+.Cd "options IPFIREWALL_DEFAULT_TO_ACCEPT"
+.Cd "options IPFIREWALL_FORWARD"
+.Cd "options IPFIREWALL_VERBOSE"
+.Cd "options IPFIREWALL_VERBOSE_LIMIT=100"
+.Ed
+.Pp
+To load
+.Ns Nm
+as a module at boot time, add the following line into the
+.Xr rc.conf 5
+file:
+.Bd -literal -offset indent
+ipfirewall_enable="YES"
+.Ed
.Sh DESCRIPTION
The
.Nm
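Review bot: the rc.conf(5) example in the new SYNOPSIS, `ipfirewall_enable="YES"`, does not match the variable the ipfw rc script actually reads, which is `firewall_enable="YES"`; a reader who copies the line as written gets no firewall loaded at boot and is left with whatever the kernel's default policy is. Please change it to `firewall_enable="YES"`. A smaller style point for the same hunk: the three `.Ns Nm` lines should be a bare `.Nm`, as the file's existing text uses (see the `.Nm` in the DESCRIPTION context below); `.Ns` suppresses the space after a preceding macro on the same line and has nothing to act on at the start of a line.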
@@ -16,6 +43,41 @@ redirecting, and other operations on
packets travelling through
network interfaces.
.Pp
+The default behavior of
+.Nm
+is to block all incoming and outgoing traffic.
+This behavior can be modified, to allow all traffic through the
+.Nm
+firewall by default, by enabling the
+.Dv IPFIREWALL_DEFAULT_TO_ACCEPT
+kernel option.
+This option may be useful when configuring
+.Nm
+for the first time.
+If the default
+.Nm
+behavior is to allow everything, it is easier to cope with
+firewall-tuning mistakes which may accidentally block all traffic.
+.Pp
+To enable logging of packets passing through
+.Nm ,
+enable the
+.Dv IPFIREWALL_VERBOSE
+kernel option.
+The
+.Dv IPFIREWALL_VERBOSE_LIMIT
+option will prevent
+.Xr syslogd 8
+from flooding system logs or causing local Denial of Service.
+This option may be set to the number of packets which will be logged on
+a per-entry basis before the entry is rate-limited.
+.Pp
+Policy routing and transparent forwarding features of
+.Nm
+can be enabled by
+.Dv IPFIREWALL_FORWARD
+kernel option.
+.Pp
The user interface for
.Nm
is implemented by the
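Review bot: the IPFIREWALL_DEFAULT_TO_ACCEPT paragraph recommends the option for first-time configuration but never says that a default-accept firewall passes all traffic until a ruleset is loaded, and that rulesets written against it must end in an explicit deny; one sentence to that effect would keep the convenience note from reading as a recommended permanent setting. The sentence "This behavior can be modified, to allow all traffic through the ipfw firewall by default, by enabling the" is also awkward; consider "Enabling the IPFIREWALL_DEFAULT_TO_ACCEPT kernel option changes this so that all traffic is allowed by default." Minor: "can be enabled by IPFIREWALL_FORWARD kernel option" needs "the", and "Denial of Service" should be lower case.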
@@ -25,28 +87,6 @@ utility, so please refer to the
manpage for a complete description of the
.Nm
capabilities and how to use it.
-.Ss Kernel Options
-The following options in the kernel configuration file are related to
-.Nm
-operation:
-.Pp
-.Bl -tag -width ".Dv IPFIREWALL_VERBOSE_LIMIT" -compact
-.It Dv IPFIREWALL
-enable
-.Nm
-.It Dv IPFIREWALL_VERBOSE
-enable
-.Nm
-logging
-.It Dv IPFIREWALL_VERBOSE_LIMIT
-limit
-.Nm
-logging
-.It Dv IPDIVERT
-enable
-.Xr divert 4
-sockets
-.El
.Sh SEE ALSO
.Xr setsockopt 2 ,
.Xr divert 4 ,
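Review bot: dropping the Kernel Options subsection also drops the only mention of divert(4) sockets and the IPDIVERT option from the body text, while `.Xr divert 4` stays in SEE ALSO; if divert sockets no longer need a kernel option, which is what the commit message implies, a one-line note in DESCRIPTION saying so and pointing at divert(4) would spare readers of older kernel configuration files from wondering where the option went. Otherwise the removal is consistent with the new SYNOPSIS, which already lists IPFIREWALL, IPFIREWALL_VERBOSE and IPFIREWALL_VERBOSE_LIMIT.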