path: root/doc/bird.sgml
Diffstat (limited to 'doc/bird.sgml')
-rw-r--r-- doc/bird.sgml 35
1 files changed, 35 insertions, 0 deletions
diff --git a/doc/bird.sgml b/doc/bird.sgml
index 1c60e619..5016dd7e 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -5128,6 +5128,41 @@ protocol static {
</code>
+<sect>Firewall
+
+<p>Firewall protocol doesn't communicate with any network devices,
+but instead it allows you to add announced prefixes to given firewall table.
+At the moment IPFW and PF are supported. One can also specify special integer tag
+that can be passed as argument to IPFW table. Any number of instances can be configured.
+
+<p>Firewall protocol does not have many configuration options.
+
+<descrip>
+ <tag>fwtype pf|ipfw</tag> Select firewall type.
+ <tag>fwtable <m/name/</tag> Specifies firewall table name.
+ <tag>flush on startup|shutdown</tag>Perform table flush on protocol startup or shutdown.
+ <tag>flush always</tag>Perform table flush on protocol startup and shutdown.
+</descrip>
+
+<p>Firewall defines single route attribute:
+
+<descrip>
+ <tag>int <cf/fw_value/</tag> Value that can be passed with prefix.
+ Value is signed 4-byte integer. It can be set when importing routes from the other
+ protocols or on protocol export.
+</descrip>
+
+<p>Example firewall config might look like this:
+
+<p><code>
+protocol firewall {
+ table testable; # Connect to a non-default routing table
+ fwtype ipfw; # Use IPFW as backend
+ fwtable "2"; # Use table 2
+ flush always; # Flush table on both startup and shutdown
+ export filter { fw_value = 125; accept; }; # Set value 125 for all prefixes
+}
+</code>
<chapt>Conclusions
<label id="conclusion">
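Review bot: The option list under "Firewall protocol does not have many configuration options" gives no default for `flush`, and the section never says whether a prefix is removed from the firewall table when its route is withdrawn. Both decide whether stale entries keep matching firewall rules after a restart or a route change, so please state the behaviour when neither `flush on startup|shutdown` nor `flush always` is configured and describe withdrawal handling in the opening paragraph. The text also ties the integer tag to IPFW only ("can be passed as argument to IPFW table"), while the `fw_value` entry does not say what happens to it with `fwtype pf`; one sentence there would remove the ambiguity. Smaller points: the new `<sect>Firewall` has no `<label id=...>`, unlike the `<chapt>Conclusions` that follows it, and `table testable;` in the example looks like a typo for a table name such as `testtable`.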