Diffstat (limited to 'share')
-rw-r--r--  share/man/man4/ipfirewall.4  | 86
1 files changed, 63 insertions, 23 deletions
diff --git a/share/man/man4/ipfirewall.4 b/share/man/man4/ipfirewall.4
index 578a42a..928802e 100644
--- a/share/man/man4/ipfirewall.4
+++ b/share/man/man4/ipfirewall.4
@@ -1,12 +1,39 @@
.\"
.\" $FreeBSD$
.\"
-.Dd October 28, 2002
+.Dd September 1, 2006
.Dt IPFW 4
.Os
.Sh NAME
.Nm ipfw
.Nd IP packet filter and traffic accounting
+.Sh SYNOPSIS
+To compile
+.Ns Nm
+into the kernel, place the following option in the kernel configuration
+file:
+.Bd -ragged -offset indent
+.Cd "options IPFIREWALL"
+.Ed
+.Pp
+Other kernel options related to
+.Ns Nm
+which may also be useful are:
+.Bd -ragged -offset indent
+.Cd "options IPFIREWALL_DEFAULT_TO_ACCEPT"
+.Cd "options IPFIREWALL_FORWARD"
+.Cd "options IPFIREWALL_VERBOSE"
+.Cd "options IPFIREWALL_VERBOSE_LIMIT=100"
+.Ed
+.Pp
+To load
+.Ns Nm
+as a module at boot time, add the following line into the
+.Xr rc.conf 5
+file:
+.Bd -literal -offset indent
+ipfirewall_enable="YES"
+.Ed
.Sh DESCRIPTION
The
.Nm
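Review bot: the `.Ns Nm` lines in the new SYNOPSIS ("To compile / .Ns Nm / into the kernel", and again before "as a module at boot time") will render without a space before the name, because `.Ns` at the start of a line suppresses the whitespace between the preceding text and the macro output, giving "To compileipfw into the kernel"; a plain `.Nm` is what is wanted on both lines. Separately, the rc.conf(5) example `ipfirewall_enable="YES"` names a knob that rc.conf(5) does not define: the firewall rc script is enabled with `firewall_enable="YES"`, and loading ipfw as a module at boot is normally done through loader.conf(5) with `ipfw_load="YES"`, so either change the variable name or point the paragraph at loader.conf(5).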
@@ -16,6 +43,41 @@ redirecting, and other operations on
packets travelling through
network interfaces.
.Pp
+The default behavior of
+.Nm
+is to block all incoming and outgoing traffic.
+This behavior can be modified, to allow all traffic through the
+.Nm
+firewall by default, by enabling the
+.Dv IPFIREWALL_DEFAULT_TO_ACCEPT
+kernel option.
+This option may be useful when configuring
+.Nm
+for the first time.
+If the default
+.Nm
+behavior is to allow everything, it is easier to cope with
+firewall-tuning mistakes which may accidentally block all traffic.
+.Pp
+To enable logging of packets passing through
+.Nm ,
+enable the
+.Dv IPFIREWALL_VERBOSE
+kernel option.
+The
+.Dv IPFIREWALL_VERBOSE_LIMIT
+option will prevent
+.Xr syslogd 8
+from flooding system logs or causing local Denial of Service.
+This option may be set to the number of packets which will be logged on
+a per-entry basis before the entry is rate-limited.
+.Pp
+Policy routing and transparent forwarding features of
+.Nm
+can be enabled by
+.Dv IPFIREWALL_FORWARD
+kernel option.
+.Pp
The user interface for
.Nm
is implemented by the
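Review bot: the IPFIREWALL_VERBOSE_LIMIT paragraph says the entry "is rate-limited" once the limit is reached, but that is not how the limit behaves: after a rule has logged that many packets, logging for that rule stops altogether and resumes only after its counter is cleared with the ipfw(8) resetlog command (the compiled-in value is also exposed as the net.inet.ip.fw.verbose_limit sysctl, which would be worth mentioning). Suggest rewording to "the number of packets a single rule will log before logging for that rule is suspended; see the resetlog command in ipfw(8)". The IPFIREWALL_DEFAULT_TO_ACCEPT paragraph recommends the option for first-time configuration without saying that it makes the firewall fail open: with it enabled, an empty or partially loaded rule set passes all traffic, so a sentence noting that the option is not meant to stay enabled on a production system, and that such rule sets should end in an explicit deny, belongs here. Minor: "can be enabled by IPFIREWALL_FORWARD kernel option" is missing "the".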
@@ -25,28 +87,6 @@ utility, so please refer to the
manpage for a complete description of the
.Nm
capabilities and how to use it.
-.Ss Kernel Options
-The following options in the kernel configuration file are related to
-.Nm
-operation:
-.Pp
-.Bl -tag -width ".Dv IPFIREWALL_VERBOSE_LIMIT" -compact
-.It Dv IPFIREWALL
-enable
-.Nm
-.It Dv IPFIREWALL_VERBOSE
-enable
-.Nm
-logging
-.It Dv IPFIREWALL_VERBOSE_LIMIT
-limit
-.Nm
-logging
-.It Dv IPDIVERT
-enable
-.Xr divert 4
-sockets
-.El
.Sh SEE ALSO
.Xr setsockopt 2 ,
.Xr divert 4 ,
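Review bot: removing the Kernel Options subsection drops IPDIVERT, and the new SYNOPSIS list (IPFIREWALL_DEFAULT_TO_ACCEPT, IPFIREWALL_FORWARD, IPFIREWALL_VERBOSE, IPFIREWALL_VERBOSE_LIMIT) does not carry it over, so divert(4) is still cross-referenced in SEE ALSO but the option needed to enable divert sockets is no longer documented anywhere on this page. Add `.Cd "options IPDIVERT"` to the list of related options in the SYNOPSIS, or keep a one-line mention of it in DESCRIPTION next to the other option descriptions.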