Some context, (remotely) relevant links: firewall, ipchains, ipmasq, ip, TCP/IP, port, NAT, router, switch, proxy, subnet mask

Although this writeup will discuss only the computer-centric definition of "ipfw", I should note that IPFW also stands for Indiana University-Purdue University Fort Wayne. See also Fort Wayne, Indiana and Indiana University. Now then, let's get down and dirty, shall we?

Great Walls of Fire!:

ipfw is a software firewall (Internet Protocol FireWall) distributed with many *nixes (BSD variants, Darwin (e.g. Mac OS X), etc.; Linux has iptables and ipchains instead).

Well, technically, it's a "user-land control utility to ipfirewall and dummynet." Bah. A rather more in-depth writeup of the operation of firewalls can be found under the node of that title, but I'll give a brief catcher-upper for those non-geeks reading this.

A firewall is pretty much anything that stands between your computer and outside computers (e.g. the Internet at large). All content entering and all requests leaving your computer pass through this firewall. Firewalls are generally responsible for protecting your network/computer from the shady fellers lurking in the Big Bad Woods. Each packet can be filtered based on the following information associated with it:

           Transmit and receive interface     (by name or address)
           Direction                          (incoming or outgoing)
           Source and destination IP address  (possibly masked)
           Protocol                           (TCP, UDP, ICMP, etc.)
           Source and destination port        (lists, ranges or masks)
           TCP flags
           IP fragment flag
           IP options
           ICMP types
           User/group ID of the socket associated with the packet

The ipfw rule format is the following:
[prob match_probability] action [log [logamount number]] proto
   from src to dst [interface-spec] [options]

prob is a floating-point number between 0 and 1. It dictates how often the rule that follows it will be applied; e.g. you could have the filter drop 10% of all your packets with a rule such as:

ipfw add prob 0.1 deny ip from any to any

Translated: 10% of the time, drop a packet of any protocol going anywhere from anywhere. While this may not be desirable for everyday use, it can be useful in certain situations. You can also use ipfw and its dummynet backend (a traffic shaper) to distribute bandwidth evenly on your network and make sure that no one machine takes too much:

ipfw add pipe 1 ip from pr0nsurfer to any out
ipfw pipe 1 config bw 100Kbit/s queue 20KBytes

This will ensure that the machine named pr0nsurfer will never be allowed to suck any more than 100 kilobytes per second worth of bandwidth. What a sick, sick man... I mean, I am so not paying him to do that. I'll bet the damn guy would say that this means he's "self motivated," too. Grrr... Anyways, let's say that now we want people to be sent to ftpserver.mynetwork.com if they are trying to download a file with FTP, and to httpserver.mynetwork.com if they are accessing our webserver:

ipfw add fwd httpserver.mynetwork.com,80 tcp from any to any 80 in
ipfw add fwd ftpserver.mynetwork.com,21 tcp from any to any 21 in

The rules match on protocol and destination port so that web traffic goes to the webserver and FTP traffic to the FTP server. If we did not append that "in" to the end of these rules, all requests coming from inside our network would be sent to our local webserver as well; not good. If you want to see what rules you have currently set up, type
sudo ipfw list
This will show you a list of rules with associated IDs. You will always have one rule that cannot be deleted:
65535 allow ip from any to any

To delete rules individually, use the delete command; to delete all rules but rule 65535, use flush.
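To make the first-match behaviour concrete, here is a small Python model of how ipfw walks a ruleset. It is added here as an illustration, is not ipfw's own code, and handles only the rule subset used in this writeup; the ruleset mirrors the pipe and fwd rules above, with constructed packets. It shows a prob rule falling through to later rules when it does not fire, the "in" qualifier keeping LAN-originated web requests away from the local webserver, and rule 65535 catching everything else.

```python
import random

CATCH_ALL = (65535, "allow ip from any to any")  # ipfw never lets you delete this one

def parse_rule(number, text):
    """Parse [prob p] action [pipe-no|host,port] proto from src [port] to dst [port] [in|out]."""
    t = text.split()
    rule = {"num": number, "prob": 1.0, "arg": None, "sport": None, "dport": None, "dir": None}
    if t[0] == "prob":                      # match probability, defaults to 1.0
        rule["prob"] = float(t[1])
        t = t[2:]
    rule["action"] = t.pop(0)
    if rule["action"] in ("pipe", "fwd"):   # these two actions carry an argument
        rule["arg"] = t.pop(0)
    rule["proto"] = t.pop(0)
    assert t.pop(0) == "from"
    rule["src"] = t.pop(0)
    if t[0] != "to":
        rule["sport"] = int(t.pop(0))
    assert t.pop(0) == "to"
    rule["dst"] = t.pop(0)
    if t and t[0] not in ("in", "out"):
        rule["dport"] = int(t.pop(0))
    if t:                                   # optional direction qualifier
        rule["dir"] = t.pop(0)
    return rule

def matches(rule, pkt):
    """'ip' and 'any' are wildcards; an unset port or direction matches everything."""
    return (rule["proto"] in ("ip", pkt["proto"])
            and all(rule[k] in ("any", pkt[k]) for k in ("src", "dst"))
            and all(rule[k] in (None, pkt[k]) for k in ("sport", "dport", "dir")))

def evaluate(rules, pkt, rng=random.random):
    """First match wins, as in ipfw. A prob rule that does not fire is skipped and the
    walk continues. Returns (rule number, action, argument)."""
    for rule in sorted(rules, key=lambda r: r["num"]) + [parse_rule(*CATCH_ALL)]:
        if matches(rule, pkt) and rng() < rule["prob"]:
            return rule["num"], rule["action"], rule["arg"]

# Constructed ruleset mirroring the writeup's examples (host names taken from it).
RULES = [
    parse_rule(100, "pipe 1 ip from pr0nsurfer to any out"),
    parse_rule(200, "fwd httpserver.mynetwork.com,80 tcp from any to any 80 in"),
    parse_rule(300, "fwd ftpserver.mynetwork.com,21 tcp from any to any 21 in"),
]

def packet(proto, src, dst, dport, direction):
    # Constructed packet holding only the fields the matcher looks at.
    return {"proto": proto, "src": src, "dst": dst, "sport": 40000, "dport": dport, "dir": direction}
```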

This is, of course, by no means a complete display of the power and intricacy of firewalls, but you should have a somewhat better sense of what can be accomplished with just a few commands.

1 I haven't covered stateful filtering in this node for two, perhaps three reasons: One, I really don't understand it well enough to node it. Two, I think there would be a very small number of readers who would really understand it, and three, I think that it's complex/important enough to have its own node.

Related Resources:

ipfw-grapher 1.4 - Makes a visual graph of network traffic. Shows packets being filtered by rules; shows accumulated stats on which rules are used most.

ipfilter - similar to ipfw, but only one of the two can be run at a time. O'Reilly's OnLAMP article BSD Firewalls mostly discusses how to enable each on FreeBSD.

They had a list of excellent links to firewall articles, tutorials, and FAQs that were not turned up by Google (*gasp!*). You might also want to take a gander at these:

You can read the online man page here:
