summaryrefslogtreecommitdiffstats
path: root/contrib/ipfilter/man/ipfilter.4
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/ipfilter/man/ipfilter.4')
-rw-r--r--contrib/ipfilter/man/ipfilter.4239
1 files changed, 0 insertions, 239 deletions
diff --git a/contrib/ipfilter/man/ipfilter.4 b/contrib/ipfilter/man/ipfilter.4
deleted file mode 100644
index b2d2f2a..0000000
--- a/contrib/ipfilter/man/ipfilter.4
+++ /dev/null
@@ -1,239 +0,0 @@
-.TH IP\ FILTER 4
-.SH NAME
-ipfilter \- Introduction to IP packet filtering
-.SH DESCRIPTION
-IP Filter is a TCP/IP packet filter, suitable for use in a firewall
-environment. To use, it can either be used as a loadable kernel module or
-incorporated into your UNIX kernel; use as a loadable kernel module where
-possible is highly recommended. Scripts are provided to install and patch
-system files, as required.
-.SH FEATURES
-The IP packet filter can:
-.IP
-explicitly deny/permit any packet from passing through
-.IP
-distinguish between various interfaces
-.IP
-filter by IP networks or hosts
-.IP
-selectively filter any IP protocol
-.IP
-selectively filter fragmented IP packets
-.IP
-selectively filter packets with IP options
-.IP
-send back an ICMP error/TCP reset for blocked packets
-.IP
-keep packet state information for TCP, UDP and ICMP packet flows
-.IP
-keep fragment state information for any IP packet, applying the same rule
-to all fragments.
-.IP
-act as a Network Address Translator (NAT)
-.IP
-use redirection to setup true transparent proxy connections
-.IP
-provide packet header details to a user program for authentication
-.IP
-in addition, supports temporary storage of pre-authenticated rules for passing packets through
-.PP
-Special provision is made for the three most common Internet protocols, TCP,
-UDP and ICMP. The IP Packet filter allows filtering of:
-.IP
-Inverted host/net matchingTCP/UDP packets by port number or a port number
-range
-.IP
-ICMP packets by type/code
-.IP
-"established" TCP packets
-.IP
-On any arbitrary combination of TCP flags
-.IP
-"short" (fragmented) IP packets with incomplete headers can be filtered
-.IP
-any of the 19 IP options or 8 registered IP security classes TOS (Type of
-Service) field in packets
-.PP
-To keep track of the performance of the IP packet filter, a logging device
-is used which supports logging of:
-.IP
-the TCP/UDP/ICMP and IP packet headers
-.IP
-the first 128 bytes of the packet (including headers)
-.PP
-A packet can be logged when:
-.IP
-it is successfully passed through
-.IP
-it is blocked from passing through
-.IP
-it matches a rule setup to look for suspicious packets
-.PP
-IP Filter keeps its own set of statistics on:
-.IP
-packets blocked
-.IP
-packets (and bytes!) used for accounting
-.IP
-packets passed
-.lP
-packets logged
-.IP
-attempts to log which failed (buffer full)
-.IP
-and much more, for packets going both in and out.
-
-.SH Tools
-The current implementation provides a small set of tools, which can easily
-be used and integrated with regular unix shells and tools. A brief description
-of the tools provided:
-.PP
-ipf(8)
-reads in a set of rules, from either stdin or a file, and adds them to
-the kernels current list (appending them). It can also be used to flush the
-current filter set or delete individual filter rules. The file format is
-described in ipf(5).
-.PP
-ipfs(8)
-is a utility to temporarily lock the IP Filter kernel tables (state tables
-and NAT mappings) and write them to disk. After that the system can be
-rebooted, and ipfs can be used to read these tables from disk and restore
-them into the kernel. This way the system can be rebooted without the
-connections being terminated.
-.PP
-ipfstat(8)
-interrogates the kernel for statistics on packet filtering, so
-far, and retrieves the list of filters in operation for inbound and outbound
-packets.
-.PP
-ipftest(1)
-reads in a filter rule file and then applies sample IP packets to
-the rule file. This allows for testing of filter list and examination of how
-a packet is passed along through it.
-.PP
-ipmon(8)
-reads buffered data from the logging device (default is /dev/ipl)
-for output to either:
-.IP
-screen (standard output)
-.IP
-file
-.IP
-syslog
-.PP
-ipsend(1)
-generates arbitary IP packets for ethernet connected machines.
-.PP
-ipresend(1)
-reads in a data file of saved IP packets (ie
-snoop/tcpdump/etherfind output) and sends it back across the network.
-.PP
-iptest(1)
-contains a set of test "programs" which send out a series of IP
-packets, aimed at testing the strength of the TCP/IP stack at which it is
-aimed at. WARNING: this may crash machine(s) targeted!
-.PP
-ipnat(8)
-reads in a set of rules, from either stdin or a file and adds them
-to the kernels current list of active NAT rules. NAT rules can also be
-deleted using ipnat. The format of the configuration file to be used
-with ipnat is described in ipnat(5).
-.PP
-For use in your own programs (e.g. for writing of transparent application
-proxies), the programming interface and the associated ioctl's are
-documented in ipf(4).
-
-Documentation on ioctl's and the format of data saved
-to the logging character device is provided in ipl(4)
-so that you may develop your own applications to work with or in place of any
-of the above.
-
-Similar, the interface to the NAT code is documented in ipnat(4).
-
-.SH PACKET PROCESSING FLOW
-The following diagram illustrates the flow of TCP/IP packets through the
-various stages introduced by IP Filter.
-.PP
-.nf
- IN
- |
- V
- +-------------------------+--------------------------+
- | | |
- | V |
- | Network Address Translation |
- | | |
- | authenticated | |
- | +-------<---------+ |
- | | | |
- | | V |
- | V IP Accounting |
- | | | |
- | | V |
- | | Fragment Cache Check--+ |
- | | | | |
- | V V V |
- | | Packet State Check-->+ |
- | | | | |
- | | +->--+ | | |
- | | | | V | |
- | V groups IP Filtering V |
- | | | | | | |
- | | +--<-+ | | |
- | | | | |
- | +---------------->|<-----------+ |
- | | |
- | V |
- | +---<----+ |
- | | | |
- | function | |
- | | V |
- | +--->----+ |
- | | |
- | V |
- +--|---<--- fast-route ---<--+ |
- | | | |
- | | V |
- | +-------------------------+--------------------------+
- | |
- | pass only
- | |
- | V
- V [KERNEL TCP/IP Processing]
- | |
- | +-------------------------+--------------------------+
- | | | |
- | | V |
- | | Fragment Cache Check--+ |
- | | | | |
- | | V V |
- | | Packet State Check-->+ |
- | | | | |
- | | V | |
- V | IP Filtering | |
- | | | V |
- | | |<-----------+ |
- | | V |
- | | IP Accounting |
- | | | |
- | | V |
- | | Network Address Translation |
- | | | |
- | | V |
- | +-------------------------+--------------------------+
- | |
- | pass only
- V |
- +--------------------------->|
- V
- OUT
-.fi
-
-.SH MORE INFORMATION
-More information (including pointers to the FAQ and the mailing list) can be
-obtained from the sofware's official homepage: www.ipfilter.org
-
-.SH SEE ALSO
-ipf(4), ipf(5), ipf(8), ipfilter(5), ipfs(8), ipfstat(8), ipftest(1),
-ipl(4), ipmon(8), ipnat(8), ipnat(4),
-
OpenPOWER on IntegriCloud