Sidebar: About ipfw
The source for ipfw is available from a number of FTP sites, for instance:
ftp://sunacm.swan.ac.uk/pub/Linux.old/Networking/PROGRAMS/NetTools/net-tools*.gz
However, this is an old source, and the archive might have moved to another site. Use Archie to locate the most recent source.
You'll need to use a version of ipfw that matches your kernel. The firewall code in the kernel has changed a few times, so not all implementations of ipfw may work with your kernel. Recompile the program so that you can be absolutely sure it will work.
The ipfw program can be used to configure the firewall in two different ways, as a blocking firewall and as a forwarding firewall. The difference lies in the default behavior. A blocking firewall will block all traffic it is not explicitly told to forward; a forwarding firewall will forward all traffic it is not explicitly told to block. For an Internet server the best choice is a blocking firewall.
The ipfw program enables you to add rules to a blocking firewall (the add blocking command) or to a forwarding gateway (add forwarding). You'll next specify the protocol for which you are adding a rule (ICMP, UDP, TCP), then give the source address and possibly the destination address. Each of these addresses may be specified with a mask which denotes the bits in the address that are actually tested.
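The masked address test and the two default behaviors described above, as a small Python model. This is an added example, not ipfw's own code or command syntax; the function names, rule fields and sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

def masked_equal(addr, rule_addr, mask):
    """Compare two IPv4 addresses on only the bits the mask selects."""
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(addr)) & m) == (int(ipaddress.IPv4Address(rule_addr)) & m)

@dataclass
class Rule:
    proto: str                 # "icmp", "udp" or "tcp"
    src: str
    src_mask: str
    dst: str = "0.0.0.0"       # destination is optional; an all-zero mask
    dst_mask: str = "0.0.0.0"  # tests no bits, so it matches any address

    def matches(self, proto, src, dst):
        return (proto == self.proto
                and masked_equal(src, self.src, self.src_mask)
                and masked_equal(dst, self.dst, self.dst_mask))

def decide(mode, rules, proto, src, dst):
    """'blocking': rules name traffic to forward, everything else is blocked.
    'forwarding': rules name traffic to block, everything else is forwarded."""
    if mode not in ("blocking", "forwarding"):
        raise ValueError("mode must be 'blocking' or 'forwarding'")
    hit = any(r.matches(proto, src, dst) for r in rules)
    if mode == "blocking":
        return "forward" if hit else "block"
    return "block" if hit else "forward"

# Constructed sample data (documentation address ranges, not from the article).
SERVER = "198.51.100.10"
ALLOW = [Rule("tcp", "192.0.2.0", "255.255.255.0", SERVER, "255.255.255.255")]
DENY = [Rule("udp", "203.0.113.0", "255.255.255.0")]

if __name__ == "__main__":
    packets = [("tcp", "192.0.2.77", SERVER),    # listed in ALLOW
               ("tcp", "192.0.3.77", SERVER),    # differs in a tested bit
               ("udp", "203.0.113.5", SERVER),   # listed in DENY
               ("icmp", "203.0.113.5", SERVER)]  # mentioned by neither rule set
    for p in packets:
        print(p, "blocking:", decide("blocking", ALLOW, *p),
              "| forwarding:", decide("forwarding", DENY, *p))
```

The ICMP packet that neither rule set mentions is blocked by the blocking firewall and forwarded by the forwarding one, which is the difference in default behavior.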