From Hackepedia
Jump to: navigation, search

ipfw is one of the first, if not _the_ first firewall in Open Source software. It was written first on FreeBSD and has been ported to NetBSD and Apple Mac OS X. It is a first-match-wins firewall meaning the first rule that matches a packet will be used in the pass/deny policy. At first it was not stateful, this has been added at a later time.


The following people implemented ipfw:

    Ugen J. S. Antsilevich,
    Poul-Henning Kamp,
    Alex Nash,
    Archie Cobbs,
    Luigi Rizzo.

Userland API

The ipfw command is used to add, delete, show rules.

To add a rule you would type the following:

# ipfw add 1 deny IP from to any 
00001 deny ip from to any

To see the rules added to the system you would type the following (also note dynamic rules, these are open states):

# ipfw show
00001     0       0 deny ip from to any
01400    46    3816 allow udp from me to any keep-state out
## Dynamic rules:
01400 1 80 (T 0, # 160) ty 0 udp, 49169 <-> xxx.xxx.173.124 53
01400 1 84 (T 0, # 161) ty 0 udp, 49168 <-> xxx.xxx.173.124 53

To delete a rule you would type:

# ipfw delete 1
# ipfw show 1
ipfw: rule 1 does not exist

To flush the entire firewall rules you would type:

# ipfw flush
Are you sure? [yn] n

If you are scripting a flush you may want to add the -q flag to ipfw, this will not prompt to flush the rules anymore and just flushes. Be very careful with this by default ipfw will deny all traffic unless the kernel is compiled with the IPFIREWALL_DEFAULT_TO_ACCEPT kernel option. When reloading rules in a script it's important to run it in the background or else the script will not complete loading the rules after the flush.


natd stands for network address translation daemon. It reads from an ipfw divert socket, does the translation and injects the translated packet back into the next firewall rule that processed it. Natd runs in userland not in kernel.