Building a Rule Script
Most experienced <application>IPFW</application> users create a file containing the rules and code them in a manner compatible with running them as a script. The major benefit of doing this is that the firewall rules can be refreshed all at once without rebooting the system to activate them. This method is convenient when testing new rules, as the procedure can be executed as many times as needed. Being a script, symbolic substitution can be used so that frequently used values are substituted into multiple rules.
This example script is compatible with the syntax used by the <citerefentry><refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum></citerefentry>, <citerefentry><refentrytitle>csh</refentrytitle><manvolnum>1</manvolnum></citerefentry>, and <citerefentry><refentrytitle>tcsh</refentrytitle><manvolnum>1</manvolnum></citerefentry> shells. References to symbolic substitution fields are prefixed with a dollar sign ($); the field definitions themselves do not have the $ prefix. The value assigned to a symbolic field must be enclosed in double quotes ("").
Start the rules file like this:
############### start of example ipfw rules script #############
#
ipfw -q -f flush # Delete all rules
# Set defaults
oif="tun0" # out interface
odns="192.0.2.11" # ISP's DNS server IP address
cmd="ipfw -q add " # build rule prefix
ks="keep-state" # just too lazy to key this each time
$cmd 00500 check-state
$cmd 00502 deny all from any to any frag
$cmd 00501 deny tcp from any to any established
$cmd 00600 allow tcp from any to any 80 out via $oif setup $ks
$cmd 00610 allow tcp from any to $odns 53 out via $oif setup $ks
$cmd 00611 allow udp from any to $odns 53 out via $oif $ks
################### End of example ipfw rules script ############
The rules are not important as the focus of this example is how the symbolic substitution fields are populated.
If the above example was in <filename>/etc/ipfw.rules</filename>, the rules could be reloaded by the following command:
<prompt>#</prompt> <userinput>sh /etc/ipfw.rules</userinput>
<filename>/etc/ipfw.rules</filename> can be located anywhere and the file can have any name.
The same thing could be accomplished by running these commands by hand:
<prompt>#</prompt> <userinput>ipfw -q -f flush</userinput>
<prompt>#</prompt> <userinput>ipfw -q add 00500 check-state</userinput>
<prompt>#</prompt> <userinput>ipfw -q add 00502 deny all from any to any frag</userinput>
<prompt>#</prompt> <userinput>ipfw -q add 00501 deny tcp from any to any established</userinput>
<prompt>#</prompt> <userinput>ipfw -q add 00600 allow tcp from any to any 80 out via tun0 setup keep-state</userinput>
<prompt>#</prompt> <userinput>ipfw -q add 00610 allow tcp from any to 192.0.2.11 53 out via tun0 setup keep-state</userinput>
<prompt>#</prompt> <userinput>ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state</userinput>
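The same symbolic-substitution script, as an added example that is not the Handbook's own: it gains a preview mode so the fully substituted rules can be inspected before the live ruleset is flushed, and a check that every symbolic field is set, since a misspelled variable expands to nothing and silently drops a field from the rule ipfw receives. The interface name, the 192.0.2.11 documentation address and the rule numbers are placeholders taken from the Handbook example.

```shell
#!/bin/sh
# Added example, not the Handbook's own script: the same symbolic-substitution
# rule file, with a preview mode so the substituted rules can be inspected
# before the live ruleset is flushed and replaced.
# Assumptions: tun0, 192.0.2.11 (an RFC 5737 documentation address) and the
# rule numbers are placeholders taken from the Handbook example.

oif="tun0"            # outside interface
odns="192.0.2.11"     # ISP's DNS server
ks="keep-state"       # stateful match shorthand

# Every variable a rule depends on must be non-empty: an unset or misspelled
# name would silently drop a field from the rule ipfw receives.
require_vars() {
    : "${oif:?oif must be set}" "${odns:?odns must be set}" "${ks:?ks must be set}"
}

# run prints the command when DRYRUN=1, otherwise executes it.
run() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# rule expands the symbolic fields and hands the result to ipfw (or to the preview).
rule() {
    run ipfw -q add "$@"
}

# apply_rules flushes the current ruleset and loads the new one, in rule order.
apply_rules() {
    require_vars
    run ipfw -q -f flush
    rule 00500 check-state
    rule 00501 deny tcp from any to any established
    rule 00502 deny all from any to any frag
    rule 00600 allow tcp from any to any 80 out via "$oif" setup "$ks"
    rule 00610 allow tcp from any to "$odns" 53 out via "$oif" setup "$ks"
    rule 00611 allow udp from any to "$odns" 53 out via "$oif" "$ks"
}

# Usage: sh ipfw.rules preview   (print the substituted rules)
#        sh ipfw.rules apply     (flush and load them; requires root)
case "${1:-}" in
    preview) DRYRUN=1; apply_rules ;;
    apply)   apply_rules ;;
esac
```

Run the preview first and compare its output with what ipfw list shows after applying; the two should differ only in ipfw's own rule formatting.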
<application>IPFW</application> Kernel Options
<primary>kernel options</primary> <secondary>IPFIREWALL</secondary>
<primary>kernel options</primary> <secondary>IPFIREWALL_VERBOSE</secondary>
<primary>kernel options</primary> <secondary>IPFIREWALL_VERBOSE_LIMIT</secondary>
<primary><application>IPFW</application></primary> <secondary>kernel options</secondary>
In order to statically compile <application>IPFW</application> support into a custom kernel, refer to the instructions in <xref linkend="kernelconfig"/>. The following options are available for the custom kernel configuration file:
options IPFIREWALL # enables IPFW
options IPFIREWALL_VERBOSE # enables logging for rules with log keyword to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry
options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
options IPFIREWALL_NAT # enables basic in-kernel NAT support
options LIBALIAS # enables full in-kernel NAT support
options IPFIREWALL_NAT64 # enables in-kernel NAT64 support
options IPFIREWALL_NPTV6 # enables in-kernel IPv6 NPT support
options IPFIREWALL_PMOD # enables protocols modification module support
options IPDIVERT # enables NAT through natd(8)
<application>IPFW</application> can also be loaded as a kernel module: the options above are built as modules by default, or can be set at runtime using tunables.
IPFILTER (IPF)
<primary>firewall</primary> <secondary><application>IPFILTER</application></secondary>
<application>IPFILTER</application>, also known as <application>IPF</application>, is a cross-platform, open source firewall which has been ported to several operating systems, including FreeBSD, NetBSD, OpenBSD, and <trademark>Solaris</trademark>.
<application>IPFILTER</application> is a kernel-side firewall and <acronym>NAT</acronym> mechanism that can be controlled and monitored by userland programs. Firewall rules can be set or deleted using <application>ipf</application>, <acronym>NAT</acronym> rules can be set or deleted using <application>ipnat</application>, run-time statistics for the kernel parts of <application>IPFILTER</application> can be printed using <application>ipfstat</application>, and <application>ipmon</application> can be used to log <application>IPFILTER</application> actions to the system log files.
<application>IPF</application> was originally written using a rule processing logic of <quote>the last matching rule wins</quote> and only used stateless rules. Since then, <application>IPF</application> has been enhanced to include the <literal>quick</literal> and <literal>keep state</literal> options.
The <application>IPF</application> FAQ is at <uri xlink:href="http://www.phildev.net/ipf/index.html">http://www.phildev.net/ipf/index.html</uri>. A searchable archive of the IPFilter mailing list is available at <uri xlink:href="http://marc.info/?l=ipfilter">http://marc.info/?l=ipfilter</uri>.
This section of the Handbook focuses on <application>IPF</application> as it pertains to FreeBSD. It provides examples of rules that contain the <literal>quick</literal> and <literal>keep state</literal> options.
Enabling <application>IPF</application>
<primary><application>IPFILTER</application></primary> <secondary>enabling</secondary>
<application>IPF</application> is included in the basic FreeBSD install as a kernel loadable module, meaning that a custom kernel is not needed in order to enable <application>IPF</application>.
<primary>kernel options</primary> <secondary><application>IPFILTER</application></secondary>
<primary>kernel options</primary> <secondary>IPFILTER_LOG</secondary>
FreeBSD Doc / books_handbook / Spanish
Source information
Source string comment: (itstool) path: sect2/indexterm
Source string location: book.translate.xml:62549
String age: a year ago
Source string age: a year ago
Translation file: books/es_ES/handbook.po, string 10269