ipfw

ipfw or IPFIREWALL is an Internet Protocol - firewall of the operating system FreeBSD .

architecture

ipfw consists of 7 components:

• Packet filter
• Logging
• Network Address Translation
• Traffic shaping
• Forwarding
• bridge
• Stealth

There is also a user interface of the same name that receives commands.

history

ipfw was originally programmed by Daniel Boulet for Berkeley Software Design Incorporated . Ugen J.S. Antsilevich rewrote the software for FreeBSD. FreeBSD 2.0 was the first version with ipfw. With FreeBSD 2.2.8 ipfw was supplemented by the component dummynet for traffic shaping, which Luigi Rizzo had programmed.

Since FreeBSD 4.0 ipfw also supports stateful packet inspection .

In 2002 ipfw2 replaced the first generation with a redesigned core. The second generation was included for the first time in FreeBSD 4.7 and also combined the separate user interfaces for IPv4 and IPv6 .

Network Address Translation was implemented in 2005.

Since FreeBSD 6.2 can ipfw as needed when boats are loaded as modules and must only for Network Address Translation permanently in the compilation of the kernel are involved.

Ipfw was part of Mac OS X up to version 10.9, it was replaced by pf .

application

In the basic setting ipfw prevents any network contact. The central configuration takes place in the files /etc/rc.conf and /etc/rc.firewall. There ipfw can be activated and a basic configuration can be selected or a reference can be made to a file with rules that you have created yourself. Alternatively, reference can be made to a script that can contain all commands of the user interface and thus opens up a wide range of possibilities. Preprocessors can also be called in order to generate rules using programming languages such as C.

Despite the many possibilities, a command sequence for a complete configuration can be clear:

ipfw add allow tcp in 80
ipfw add allow from 192.0.2.0/24 to me
ipfw add allow out
ipfw add deny

This example allows incoming connections on port 80 for the Hypertext Transfer Protocol , all incoming connections from a certain range of IP addresses , and all outgoing connections, but no other connections.

The rules are run through until the first without any unsuitable condition, after which the relevant approval or rejection becomes effective. A configuration can contain up to 65535 rules. Each rule is given a number that is set manually or automatically and can serve as a jump label .

Porting to Linux

The first Linux packet filter was a port from ipfw. The original user interface was later replaced by ipfwadm . ipfw with ipfwadm was then replaced by ipchains and ultimately by netfilter with iptables .

Porting to Windows

wipfw is a port from ipfw to Microsoft Windows NT . Since the end of 2006 it has also directly supported 64-bit architectures . For the time being, however, only Windows NT 5 is supported and Windows NT 6.1 is experimentally supported. Traffic shaping and changing of data packets is not implemented in wipfw.

See also

• pf (packet filter)
• IP filter

Individual evidence

1. ↑ IPFW . In: FreeBSD Handbook . FreeBSD Foundation. Retrieved September 12, 2011.
2. ↑ ipfw (4) . FreeBSD Foundation. Retrieved September 12, 2011.
3. ↑ ipfw (8) . FreeBSD Foundation. November 16, 1994. Retrieved September 12, 2011.
4. ↑ ipfw (8) . FreeBSD Foundation. July 27, 2010. Retrieved September 12, 2011.
5. ↑ The original IP firewall (2.0 kernel) . In: Linux - Guide for Networkers . O'Reilly Publishing House . Retrieved September 12, 2011.
6. ↑ Ipfwadm - Functional overview . X / OS Experts in Open Systems BV. Retrieved September 12, 2011.
7. ↑ wipw in windows 2008 r2? . Geeknet . June 20, 2011. Retrieved September 12, 2011.
8. ↑ new release . Geeknet. August 15, 2011. Retrieved September 12, 2011.
9. ↑ Frequently Asked Questions . Geeknet. Retrieved September 12, 2011.