Ipfw

From Hackepedia

ipfw is one of the first, if not _the_ first, firewalls in Open Source software. It was written first on FreeBSD and has been ported to NetBSD and Apple Mac OS X. It is a first-match-wins firewall, meaning the first rule that matches a packet decides whether that packet is passed or denied. At first it was not stateful; stateful filtering was added later.


AUTHORS

The following people implemented ipfw:

    Ugen J. S. Antsilevich,
    Poul-Henning Kamp,
    Alex Nash,
    Archie Cobbs,
    Luigi Rizzo.


Userland API

The ipfw command is used to add, delete and show rules.

To add a rule you would type the following:

# ipfw add 1 deny IP from 10.0.0.1 to any 
00001 deny ip from 10.0.0.1 to any

To see the rules loaded on the system you would type the following (note also the dynamic rules listed at the end; these are the open states created by keep-state rules):

# ipfw show
00001     0       0 deny ip from 10.0.0.1 to any
...
01400    46    3816 allow udp from me to any keep-state out
...
## Dynamic rules:
01400 1 80 (T 0, # 160) ty 0 udp, 85.74.45.248 49169 <-> xxx.xxx.173.124 53
01400 1 84 (T 0, # 161) ty 0 udp, 85.74.45.248 49168 <-> xxx.xxx.173.124 53
...

To delete a rule you would type:

# ipfw delete 1
# ipfw show 1
ipfw: rule 1 does not exist


To flush the entire firewall rules you would type:

# ipfw flush
Are you sure? [yn] n


If you are scripting a flush you may want to add the -q flag to ipfw; this suppresses the "Are you sure?" prompt and just flushes. Be very careful with this: by default ipfw will deny all traffic unless the kernel is compiled with the IPFIREWALL_DEFAULT_TO_ACCEPT kernel option, so between the flush and the reload of your rules nothing gets through. When reloading rules in a script it is important to run it in the background, or else the script will not complete loading the rules after the flush.

natd

natd stands for network address translation daemon. It reads packets from an ipfw divert socket, does the translation and re-injects the translated packet into the firewall, where processing continues at the rule after the one that diverted it. natd runs in userland, not in the kernel.
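The flush-and-reload script described above and the natd divert hook, as one added example (not from the wiki page or the ipfw project): the rule numbers, the outside interface name em0 and the divert port name natd (port 8668 in /etc/services) are assumptions. Setting IPFW=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: reload an ipfw ruleset from a script without the interactive prompt.
# Assumptions: em0 is the outside interface; "natd" is the divert port name; the
# rule numbers are chosen for illustration. IPFW=echo gives a dry run.
IPFW="${IPFW:-/sbin/ipfw}"
OIF="${OIF:-em0}"

load_rules() {
    # -q suppresses "Are you sure? [yn]" so the script does not block on the flush.
    $IPFW -q flush
    # ipfw is first-match-wins: the lowest-numbered matching rule decides.
    $IPFW -q add 100 allow ip from any to any via lo0
    $IPFW -q add 200 deny ip from any to 127.0.0.0/8
    # Hand packets on the outside interface to natd; after translation natd
    # re-injects them and evaluation continues at the next rule.
    $IPFW -q add 300 divert natd ip from any to any via "$OIF"
    # Match return traffic against the dynamic (stateful) rules first.
    $IPFW -q add 1000 check-state
    # Outbound sessions create dynamic rules, like rule 01400 in the show output above.
    $IPFW -q add 1400 allow udp from me to any keep-state out
    $IPFW -q add 1500 allow tcp from me to any setup keep-state out
    # Explicit last rule: without IPFIREWALL_DEFAULT_TO_ACCEPT this is the default anyway.
    $IPFW -q add 65000 deny ip from any to any
}

# Apply only when invoked as "sh ipfw-reload.sh apply" (run it in the background,
# e.g. "sh ipfw-reload.sh apply &", so a cut remote session does not stop the reload).
if [ "${1:-}" = "apply" ]; then
    load_rules
fi
```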