path: root/sbin/ipfw
author: ru <ru@FreeBSD.org> 2000-10-06 11:17:06 +0000
committer: ru <ru@FreeBSD.org> 2000-10-06 11:17:06 +0000
commit: dba872611a63d734339bc2d35ccfaa9315682596 (patch)
tree: 3234c89b7be83e76c757e9374aa0626c6b70e319 /sbin/ipfw
parent: 8f0f96dea9dc47833fdd05cb2876ec59d379efb9 (diff)
Document the latest firewall knobs.
Diffstat (limited to 'sbin/ipfw'):
-rw-r--r--  sbin/ipfw/ipfw.8  121
-rw-r--r--  sbin/ipfw/ipfw.c    2
2 files changed, 91 insertions, 32 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index df4532d..234c1d3 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -269,20 +269,32 @@ Each packet can be filtered based on the following information that is
associated with it:
.Pp
.Bl -tag -width "Source and destination IP address" -offset indent -compact
-.It Transmit and receive interface
-(by name or address)
-.It Direction
-(incoming or outgoing)
-.It Source and destination IP address
-(possibly masked)
.It Protocol
(TCP, UDP, ICMP, etc.)
+.It Source and destination IP address
+(possibly masked)
.It Source and destination port
(lists, ranges or masks)
-.It TCP flags
+.It Direction
+(incoming or outgoing)
+.It Transmit and receive interface
+(by name or address)
+.It IP version
+.It IP type of service
+.It IP datagram length
+.It IP identification
.It IP fragment flag
+(non-zero IP offset)
+.It IP time to live
.It IP options
+.It TCP sequence number
+.It TCP acknowledgment number
+.It TCP flags
+(SYN, FIN, ACK, RST, etc.)
+.It TCP window
+.It TCP options
.It ICMP types
+(for ICMP packets)
.It User/group ID of the socket associated with the packet
.El
.Pp
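Review bot: the reordered list now follows the order in which the keywords appear in a rule (protocol, addresses, ports, direction, interface, then the IP and TCP header fields), but the new header-field entries ("IP version", "IP type of service", "IP datagram length", "IP identification", "IP time to live", "TCP sequence number", "TCP acknowledgment number", "TCP window", "TCP options") do not name the option keyword that matches them. Adding the keyword in parentheses, as "(non-zero IP offset)" already does for the fragment flag, would let a reader jump from this overview to the `ipversion`, `iptos`, `iplen`, `ipid`, `ipttl`, `tcpseq`, `tcpack`, `tcpwin` and `tcpoptions` entries later in the page.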
@@ -473,7 +485,7 @@ keywords mean any protocol will match.
The
.Aq Ar address Ns / Ns Ar mask
may be specified as:
-.Bl -tag -width indent
+.Bl -tag -width "ipno/bits"
.It Ar ipno
An IP number of the form 1.2.3.4.
Only this exact IP number will match the rule.
@@ -627,6 +639,35 @@ when using
.Em pipes
because the same packet would be accounted for twice in terms
of bandwidth, queue occupation, and also counters.
+.It Cm ipversion Ar ver
+Match if the IP header version is
+.Ar ver .
+.It Cm iptos Ar spec
+Match if the IP header contains the comma separated list of
+service types specified in
+.Ar spec .
+The supported IP types of service are:
+.Pp
+.Cm lowdelay
+.Pq Dv IPTOS_LOWDELAY ,
+.Cm throughput
+.Pq Dv IPTOS_THROUGHPUT ,
+.Cm reliability
+.Pq Dv IPTOS_RELIABILITY ,
+.Cm mincost
+.Pq Dv IPTOS_MINCOST ,
+.Cm congestion
+.Pq Dv IPTOS_CE .
+The absence of a particular type may be denoted
+with a
+.Ql ! .
+.It Cm iplen Ar len
+Match if the total length of a packet, including header and data, is
+.Ar len
+bytes.
+.It Cm ipid Ar id
+Match if the identification of IP datagram is
+.Ar id .
.It Cm frag
Match if the packet is a fragment and this is not the first
fragment of the datagram.
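Review bot: the `ipid` entry reads "Match if the identification of IP datagram is"; make it "Match if the identification field of the IP datagram is". Two documentation points on the same hunk: `iptos` presents `congestion` (`IPTOS_CE`) as a type of service, but `IPTOS_CE` is the congestion-experienced bit of the TOS byte rather than a service type, so a short parenthetical would avoid confusion; and `ipversion`, `iplen` and `ipid` each match one exact value, whereas the neighbouring `iptos` and `ipoptions` take lists, so stating "exactly" (no ranges or masks) in those three entries would spare readers a trial-and-error discovery.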
@@ -634,6 +675,9 @@ fragment of the datagram.
may not be used in conjunction with either
.Cm tcpflags
or TCP/UDP port specifications.
+.It Cm ipttl Ar ttl
+Match if the time to live of IP datagram is
+.Ar ttl .
.It Cm ipoptions Ar spec
Match if the IP header contains the comma separated list of
options specified in
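Review bot: same article problem as `ipid` in the previous hunk: "Match if the time to live of IP datagram is" should read "Match if the time to live field of the IP datagram is". As with `iplen` and `ipid`, it is worth saying that `ttl` is a single exact value.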
@@ -651,31 +695,14 @@ The supported IP options are:
The absence of a particular option may be denoted
with a
.Ql ! .
-.It Cm tcpoptions Ar spec
-Match if the TCP header contains the comma separated list of
-options specified in
-.Ar spec .
-The supported TCP options are:
-.Pp
-.Cm mss
-(maximum segment size),
-.Cm window
-(tcp window advertisement),
-.Cm sack
-(selective ack),
-.Cm ts
-(rfc1323 timestamp) and
-.Cm cc
-(rfc1644 t/tcp connection count).
-The absence of a particular option may be denoted
-with a
-.Ql ! .
-.It Cm established
+.It Cm tcpseq Ar seq
TCP packets only.
-Match packets that have the RST or ACK bits set.
-.It Cm setup
+Match if the TCP header sequence number field is set to
+.Ar seq .
+.It Cm tcpack Ar ack
TCP packets only.
-Match packets that have the SYN bit set but no ACK bit.
+Match if the TCP header acknowledgment number field is set to
+.Ar ack .
.It Cm tcpflags Ar spec
TCP packets only.
Match if the TCP header contains the comma separated list of
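Review bot: `tcpseq` and `tcpack` are described with "is set to", which correctly implies a single exact 32-bit value, but since the adjacent `tcpflags` and `tcpoptions` entries take comma-separated lists, a reader may expect lists here too; an explicit "exactly" in both entries would remove the ambiguity. The removal of the `tcpoptions`, `established` and `setup` entries in this hunk is only a relocation (they are re-added after `tcpflags` in the next hunk), so nothing documented is lost.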
@@ -700,6 +727,38 @@ a non-zero offset.
See the
.Cm frag
option for details on matching fragmented packets.
+.It Cm established
+TCP packets only.
+Match packets that have the RST or ACK bits set.
+.It Cm setup
+TCP packets only.
+Match packets that have the SYN bit set but no ACK bit.
+This is the short form of
+.Dq Li tcpflags\ syn,!ack .
+.It Cm tcpwin Ar win
+TCP packets only.
+Match if the TCP header window field is set to
+.Ar win .
+.It Cm tcpoptions Ar spec
+TCP packets only.
+Match if the TCP header contains the comma separated list of
+options specified in
+.Ar spec .
+The supported TCP options are:
+.Pp
+.Cm mss
+(maximum segment size),
+.Cm window
+(tcp window advertisement),
+.Cm sack
+(selective ack),
+.Cm ts
+(rfc1323 timestamp) and
+.Cm cc
+(rfc1644 t/tcp connection count).
+The absence of a particular option may be denoted
+with a
+.Ql ! .
.It Cm icmptypes Ar types
ICMP packets only.
Match if the ICMP type is in the list
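Review bot: `setup` now gets the helpful note that it is the short form of `tcpflags syn,!ack`; `established` ("RST or ACK bits set") cannot be written as a single `tcpflags` expression because it is a disjunction, so it would help to say that it is a pure flag check on each packet and not a connection-state check, which is what the name suggests to many readers. Minor: `tcpwin`, like `tcpseq` and `tcpack`, matches one exact value and should say so. The re-added `tcpoptions` text is identical to the removed block apart from the new "TCP packets only." line, which is the right place for it.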
diff --git a/sbin/ipfw/ipfw.c b/sbin/ipfw/ipfw.c
index 84b4d93..27012eb 100644
--- a/sbin/ipfw/ipfw.c
+++ b/sbin/ipfw/ipfw.c
@@ -873,7 +873,7 @@ show_usage(const char *fmt, ...)
" ipoptions [!]{ssrr|lsrr|rr|ts},...\n"
" iplen {length}\n"
" ipid {identification number}\n"
-" iptos [!]{lowdelay|throughput|reliability|mincost|congestion}\n"
+" iptos [!]{lowdelay|throughput|reliability|mincost|congestion},...\n"
" ipttl {time to live}\n"
" ipversion {version number}\n"
" tcpoptions [!]{mss|window|sack|ts|cc},...\n"
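Review bot: the added `,...` brings the `iptos` usage line in line with the man page's "comma separated list", but the `[!]` placed once before the braces reads as negating the whole list, while the man page says the absence of a particular type may be denoted with `!` per element. If the syntax is per-element (as the `ipoptions` and `tcpoptions` lines on the same hunk presumably intend), `{[!]lowdelay|...},...` would describe it more accurately for all three lines.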