# 31.1 Overview of Firewalls

A firewall is deployed between two networks. It controls and filters all traffic crossing between them according to predefined rules, protecting a particular network or network segment from unauthorized access. Concretely, a firewall applies one or more sets of "rules" to network packets and decides whether to allow or block each packet as it enters or leaves a network connection. A rule can examine one or more characteristics of a packet, such as its protocol type, source and destination addresses, and source and destination ports. A firewall therefore typically comprises four components: service access rules, authentication tools, packet filtering, and application gateways (which connect two different computer networks).

Firewalls can enhance the security of a host or network. They can perform one or more of the following operations:

* Protect and isolate applications, services, and hosts on the internal network from undesirable traffic on the public Internet.
* Restrict or disable access from hosts on the internal network to public Internet services.
* Support Network Address Translation (NAT), allowing the internal network to use private IP addresses and connect to the public Internet through a single IP address or public addresses from a shared address pool.

FreeBSD includes three built-in firewalls: PF, IPFW, and IPFILTER (also known as IPF). It also provides two traffic shaping tools for bandwidth control: altq(4) and dummynet(4).

Traffic shaping optimizes or guarantees network performance by actively regulating the characteristics of network traffic. It rate-limits and buffers selected packets, smoothing bursty traffic into an even output stream, so that transmission conforms strictly, in rate, latency, and jitter, to the Quality of Service (QoS) targets that applications have been configured to expect.

Quality of Service (QoS) standards represent a commitment by a computer network regarding the quality of packet transmission, typically measured by performance indicators such as bandwidth, latency, and packet loss rate. However, the modern Internet is architecturally designed with a "Best-Effort" delivery model. This means that network nodes make their best effort to forward every packet, but do not provide any absolute guarantee of delivery or performance.

Alternate Queuing (ALTQ) is typically closely associated with PF, while dummynet is closely associated with IPFW. All three firewalls control packet access to and from the FreeBSD system through rules, but their implementations differ and their rule syntax is not the same.

FreeBSD provides multiple firewalls, and users should choose based on their own needs.

> **Note**
>
> All firewalls work by inspecting the values of packet control fields, so rule set writers need to understand how TCP/IP works, the meaning of each value in the packet control fields, and how these values are used in normal sessions.

A rule set contains a group of rules that determine whether to allow or block packets based on the values contained within them. The two-way packet exchange between hosts constitutes a session. A firewall rule set handles both packets from the public Internet and response packets generated by the system. Each TCP/IP service is defined by its protocol and listening port. Packets directed to a specific service originate from unprivileged ports and are destined for the service port on a specific address. The above parameters can all serve as selection criteria for creating rules to allow or block services.

To look up an unfamiliar port number, consult **/etc/services** (its source in the FreeBSD tree is `usr.sbin/services_mkdb/services`). Bear in mind that Trojan horses may also use ports that are not listed there, so unknown ports warrant extra attention.

Firewall rule sets can be classified into two types: "exclusive" and "inclusive." An exclusive firewall allows all traffic to pass unless it matches the rule set. An inclusive firewall does the opposite: it only allows traffic that matches the rules and blocks all other traffic.

An inclusive firewall provides better control over outbound traffic and is a more appropriate choice for systems that provide public Internet services. It also controls traffic from the public Internet, determining which traffic can access the private network. All traffic that does not match the rules is blocked and logged. Inclusive firewalls are generally more secure than exclusive firewalls because they reduce the risk of allowing undesirable traffic.

> **Note**
>
> Unless otherwise stated, all configurations and example rule sets in this chapter use inclusive firewall rule sets.

Stateful firewalls enhance security. A stateful firewall tracks open connections and only allows traffic that matches an existing connection or packets used to establish new connections.

Stateful filtering treats traffic as a session consisting of a two-way packet exchange. When a state is specified in a rule, the firewall dynamically generates internal rules for each expected packet, enabling it to match and determine whether a packet belongs to that session. If a packet does not conform to the session template, it is automatically rejected.

When the session is completed, it is removed from the dynamic state table.

Stateful filtering allows users to focus on blocking or allowing new sessions. Once a new session is allowed, all subsequent packets are automatically permitted, and any forged packets are automatically rejected; if a new session is blocked, no subsequent packets will be allowed through. Stateful filtering has powerful matching capabilities and can defend against various attack methods.

NAT (Network Address Translation) is a core network routing technology whose primary function is to perform dynamic mapping and packet header replacement between private IP addresses on a local area network and public IP addresses on the Internet. NAT enables a private LAN behind the firewall to share a single IP address assigned by an ISP (the Internet service provider), even if that address is dynamically assigned. NAT allows every computer on the LAN to access the Internet without the need for multiple Internet accounts or IP addresses.

When packets are sent through the firewall to the public Internet, NAT automatically translates each system's private LAN IP address to a single public IP address. Returning packets undergo the reverse translation.

According to RFC 1918, the following IP address ranges are reserved for private network use. These addresses are never directly routed to the public Internet and can therefore be used in conjunction with NAT:

| Address Range    | Note                     |
| ---------------- | ------------------------ |
| `10.0.0.0/8`     | RFC 1918 private address |
| `172.16.0.0/12`  | RFC 1918 private address |
| `192.168.0.0/16` | RFC 1918 private address |
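The inclusive policy, stateful rules and NAT for RFC 1918 addresses described above, combined into one minimal PF rule set for a FreeBSD gateway. This is an added example, not taken from the original page or from the FreeBSD project; the interface names, the LAN prefix and the admin host are assumptions.

```pf
# Added example (not from the original page): a minimal inclusive, stateful
# pf.conf for a FreeBSD gateway that also performs NAT. The interface names,
# LAN prefix and admin host below are assumptions; adjust them for your system.
ext_if = "em0"               # assumed public-facing interface
int_if = "em1"               # assumed LAN interface
lan_net = "192.168.1.0/24"   # assumed RFC 1918 prefix used behind the gateway
admin_host = "192.168.1.10"  # assumed management workstation on the LAN

# The three RFC 1918 prefixes from the table above. They are never routed on the
# public Internet, so any packet still carrying one on ext_if is bogus.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all

# NAT: rewrite LAN source addresses to whatever address ext_if currently holds.
# The parentheses make pf re-read the address if the ISP reassigns it.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Inclusive policy: everything not explicitly allowed below is blocked and logged.
block log all

# Packets on the public interface that still carry private addresses are dropped
# before any pass rule can match them (quick ends rule evaluation).
block drop in quick on $ext_if from <rfc1918> to any
block drop out quick on $ext_if from any to <rfc1918>

# Management access: only the admin host, only SSH, only via the LAN interface,
# so a mistake elsewhere in the rule set does not lock the administrator out.
pass in quick on $int_if proto tcp from $admin_host to ($int_if) port 22 keep state

# Stateful rules: each allowed new session creates an entry in the state table;
# later packets of that session are matched against the state, not these rules,
# and packets that fit no state (forged or unsolicited) fall through to block.
pass in on $int_if from $lan_net to any keep state
pass out on $ext_if proto { tcp udp icmp } from ($ext_if) to any keep state
```

Parse the file with `pfctl -nf /etc/pf.conf` before loading it, and, as the warning below advises, load it from the local console the first time.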

> **Warning**
>
> Exercise **caution** when using firewall rules. Certain configurations may prevent the administrator from logging into the server. As a safety precaution, it is recommended to perform the initial firewall configuration via the local console rather than remotely via SSH.
