Some context, (remotely) relevant links:
firewall,
ipchains,
ipmasq,
ip,
TCP/IP,
port,
NAT,
router,
switch,
proxy,
subnet mask
Although this writeup will discuss only the computer-centric definition of "ipfw", I should note that IPFW also stands for Indiana University-Perdue University Fort Wayne. http://www.ipfw.edu. See also Fort Wayne, Indiana and Indiana University. Now then, lets get down and dirty, shall we?
Great Walls of Fire!:
ipfw is a software firewall (Internet Protocol FireWall) distributed on many *nixes (BSD variants, Darwin (e.g. Mac OS X), etc. Linux has iptables and ipchains).
Well, technically, it's a "user-land control utility to ipfirewall and dummynet." Bah. Although a rather more in-depth writeup of the operations of firewalls can be found under the node of that title, I'll give a brief catcher-upper for those non-geeks reading this.
A firewall is pretty much anything that stands between your computer and outside computers (e.g. the Internet at large.) All content entering and all requests leaving your computer pass through this firewall. Firewalls are generally responsible for protecting your network/computer from the shady fellers lurking in the Big Bad Woods.
Each packet can be filtered based on the following information that is
associated with it:
Transmit and receive interface (by name or address)
Direction (incoming or outgoing)
Source and destination IP address (possibly masked)
Protocol (TCP, UDP, ICMP, etc.)
Source and destination port (lists, ranges or masks)
TCP flags
IP fragment flag
IP options
ICMP types
User/group ID of the socket associated with the packet
The ipfw rule format is the following:
[prob match_probability] action [log [logamount number]] proto
from src to dst [interface-spec] [options]
Examples:
prob is a floating point number between 0 and 1. It dictates how often the following rule will be followed (i.e. you could have the filter drop 10% of all your packets with a rule saying
ipfw add prob 0.1 deny ip from any to any
Translated: 10% of the time, drop a packet of any
protocol going anywhere from anywhere. While this may not be desirable for everyday use, it can be useful in
certain situations
You can use ipfw and its backend dummynet
traffic shaper to distribute
bandwidth evenly on your network and make sure that no one machine takes too much.
ipfw add pipe 1 ip from pr0nsurfer.mynetwork.com to any out
ipfw pipe 1 config bw 100Kbit/s queue 20 KBytes
This will ensure that the machine named
pr0nsurfer will never be allowed to
suck any more than 100 kilobytes per second worth of bandwidth. What a sick, sick man... I mean, I am
so not paying him to do
that. I'll bet the damn guy would say that this means he's "
self motivated," too. Grrr...
Anyways, let's say that now we want to have people go to ftpserver.mynetwork.com if they are trying to download a file with
FTP, and to be sent to httpserver.mynetwork.com if they are accessing our webserver.
ipfw add fwd httpserver.mynetworkcom,80 ip from any to any in
ipfw add fwd ftpserver.mynetworkcom,21 ip from any to any in
If we did not append that "in" to the end of this rule, all requests coming from inside our network would be sent to our
local webserver as well; not good.
If you want to see what rules you have currently set up, type
sudo ipfw list
This will show you a list of rules with associated
IDs.
You will always have one rule that cannot be deleted: 65535 allow ip from any to any
To delete rules individually, use the delete command; to delete all rules but rule 65535, use flush.
This is, of course, by no means a complete display of the power and intricacy of firewalls, but you should have a somewhat better sense of what can be accomplished with just a few commands.
1 I haven't covered stateful filtering in this node for two, perhaps three reasons: One, I really don't understand it well enough to node it. Two, I think there would be a very small number of readers who would really understand it, and three, I think that it's complex/important enough to have it's own node.
Related Resources:
ipfw-grapher 1.4 - Makes a visual graph of network traffic. Shows packets being filtered by rules; shows accumulated stats on which rules are used most. http://www.mavetju.org/networking/tools.php
ipfilter - similar to ipfw, but only one can be run at a time.
O'Reilly's OnLAMP article BSD Firewalls mostly discusses how to enable each on FreeBSD. http://www.onlamp.com/pub/a/bsd/2001/04/25/FreeBSD_Basics.html
They had a list of excellent links to firewall articles, tutorials, and FAQs that were not turned up by Google (*gasp!*). You might also want to take a gander at these:
http://www.robertgraham.com/pubs/firewall-seen.html
http://www.defcon1.org//html/Networking_Articles/Firewall-Ipfw/firewall-ipfw
http://www.interhack.net/pubs/fwfaq/
http://www.freebsddiary.org/firewall.html
http://www.bsdtoday.com/2000/December/Features359.html
http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
http://www.daemonnews.org/200103/firewall.html
You can read the online man page here: http://www.gsp.com/cgi-bin/man.cgi?section=8&topic=ipfw