Diffstat (limited to 'contrib/ipfilter/man/ipfilter.4')
-rw-r--r-- | contrib/ipfilter/man/ipfilter.4 | 239 |
1 files changed, 0 insertions, 239 deletions
diff --git a/contrib/ipfilter/man/ipfilter.4 b/contrib/ipfilter/man/ipfilter.4 deleted file mode 100644 index b2d2f2a..0000000 --- a/contrib/ipfilter/man/ipfilter.4 +++ /dev/null 
@@ -1,239 +0,0 @@ -.TH IP\ FILTER 4 -.SH NAME -ipfilter \- Introduction to IP packet filtering -.SH DESCRIPTION -IP Filter is a TCP/IP packet filter, suitable for use in a firewall -environment. To use, it can either be used as a loadable kernel module or -incorporated into your UNIX kernel; use as a loadable kernel module where -possible is highly recommended. Scripts are provided to install and patch -system files, as required. -.SH FEATURES -The IP packet filter can: -.IP -explicitly deny/permit any packet from passing through -.IP -distinguish between various interfaces -.IP -filter by IP networks or hosts -.IP -selectively filter any IP protocol -.IP -selectively filter fragmented IP packets -.IP -selectively filter packets with IP options -.IP -send back an ICMP error/TCP reset for blocked packets -.IP -keep packet state information for TCP, UDP and ICMP packet flows -.IP -keep fragment state information for any IP packet, applying the same rule -to all fragments. -.IP -act as a Network Address Translator (NAT) -.IP -use redirection to setup true transparent proxy connections -.IP -provide packet header details to a user program for authentication -.IP -in addition, supports temporary storage of pre-authenticated rules for passing packets through -.PP -Special provision is made for the three most common Internet protocols, TCP, -UDP and ICMP. 
The IP Packet filter allows filtering of: -.IP -Inverted host/net matchingTCP/UDP packets by port number or a port number -range -.IP -ICMP packets by type/code -.IP -"established" TCP packets -.IP -On any arbitrary combination of TCP flags -.IP -"short" (fragmented) IP packets with incomplete headers can be filtered -.IP -any of the 19 IP options or 8 registered IP security classes TOS (Type of -Service) field in packets -.PP -To keep track of the performance of the IP packet filter, a logging device -is used which supports logging of: -.IP -the TCP/UDP/ICMP and IP packet headers -.IP -the first 128 bytes of the packet (including headers) -.PP -A packet can be logged when: -.IP -it is successfully passed through -.IP -it is blocked from passing through -.IP -it matches a rule setup to look for suspicious packets -.PP -IP Filter keeps its own set of statistics on: -.IP -packets blocked -.IP -packets (and bytes!) used for accounting -.IP -packets passed -.lP -packets logged -.IP -attempts to log which failed (buffer full) -.IP -and much more, for packets going both in and out. - -.SH Tools -The current implementation provides a small set of tools, which can easily -be used and integrated with regular unix shells and tools. A brief description -of the tools provided: -.PP -ipf(8) -reads in a set of rules, from either stdin or a file, and adds them to -the kernels current list (appending them). It can also be used to flush the -current filter set or delete individual filter rules. The file format is -described in ipf(5). -.PP -ipfs(8) -is a utility to temporarily lock the IP Filter kernel tables (state tables -and NAT mappings) and write them to disk. After that the system can be -rebooted, and ipfs can be used to read these tables from disk and restore -them into the kernel. This way the system can be rebooted without the -connections being terminated. 
-.PP -ipfstat(8) -interrogates the kernel for statistics on packet filtering, so -far, and retrieves the list of filters in operation for inbound and outbound -packets. -.PP -ipftest(1) -reads in a filter rule file and then applies sample IP packets to -the rule file. This allows for testing of filter list and examination of how -a packet is passed along through it. -.PP -ipmon(8) -reads buffered data from the logging device (default is /dev/ipl) -for output to either: -.IP -screen (standard output) -.IP -file -.IP -syslog -.PP -ipsend(1) -generates arbitary IP packets for ethernet connected machines. -.PP -ipresend(1) -reads in a data file of saved IP packets (ie -snoop/tcpdump/etherfind output) and sends it back across the network. -.PP -iptest(1) -contains a set of test "programs" which send out a series of IP -packets, aimed at testing the strength of the TCP/IP stack at which it is -aimed at. WARNING: this may crash machine(s) targeted! -.PP -ipnat(8) -reads in a set of rules, from either stdin or a file and adds them -to the kernels current list of active NAT rules. NAT rules can also be -deleted using ipnat. The format of the configuration file to be used -with ipnat is described in ipnat(5). -.PP -For use in your own programs (e.g. for writing of transparent application -proxies), the programming interface and the associated ioctl's are -documented in ipf(4). - -Documentation on ioctl's and the format of data saved -to the logging character device is provided in ipl(4) -so that you may develop your own applications to work with or in place of any -of the above. - -Similar, the interface to the NAT code is documented in ipnat(4). - -.SH PACKET PROCESSING FLOW -The following diagram illustrates the flow of TCP/IP packets through the -various stages introduced by IP Filter. 
-.PP -.nf - IN - | - V - +-------------------------+--------------------------+ - | | | - | V | - | Network Address Translation | - | | | - | authenticated | | - | +-------<---------+ | - | | | | - | | V | - | V IP Accounting | - | | | | - | | V | - | | Fragment Cache Check--+ | - | | | | | - | V V V | - | | Packet State Check-->+ | - | | | | | - | | +->--+ | | | - | | | | V | | - | V groups IP Filtering V | - | | | | | | | - | | +--<-+ | | | - | | | | | - | +---------------->|<-----------+ | - | | | - | V | - | +---<----+ | - | | | | - | function | | - | | V | - | +--->----+ | - | | | - | V | - +--|---<--- fast-route ---<--+ | - | | | | - | | V | - | +-------------------------+--------------------------+ - | | - | pass only - | | - | V - V [KERNEL TCP/IP Processing] - | | - | +-------------------------+--------------------------+ - | | | | - | | V | - | | Fragment Cache Check--+ | - | | | | | - | | V V | - | | Packet State Check-->+ | - | | | | | - | | V | | - V | IP Filtering | | - | | | V | - | | |<-----------+ | - | | V | - | | IP Accounting | - | | | | - | | V | - | | Network Address Translation | - | | | | - | | V | - | +-------------------------+--------------------------+ - | | - | pass only - V | - +--------------------------->| - V - OUT -.fi - -.SH MORE INFORMATION -More information (including pointers to the FAQ and the mailing list) can be -obtained from the sofware's official homepage: www.ipfilter.org - -.SH SEE ALSO -ipf(4), ipf(5), ipf(8), ipfilter(5), ipfs(8), ipfstat(8), ipftest(1), -ipl(4), ipmon(8), ipnat(8), ipnat(4), - |
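Review bot: this hunk deletes the whole ipfilter(4) introduction page (239 lines, `+++ /dev/null`, no rename detected in the `index b2d2f2a..0000000` header) without anything in the visible diff taking its place, and the diffstat is limited to this one file, so the review cannot confirm the cross-references survive. The removed page is the only place in this change that documents the packet processing order (inbound: NAT, then accounting, fragment cache and state checks, then filtering; outbound: filtering first, NAT last) and the tool overview (ipfs(8) saving and restoring state and NAT tables across a reboot, ipmon(8) reading the logging device, default /dev/ipl), which rule authors rely on when reasoning about what a rule actually sees. Its SEE ALSO lists ipf(4), ipf(5), ipf(8), ipfilter(5), ipfs(8), ipfstat(8), ipftest(1), ipl(4), ipmon(8), ipnat(8) and ipnat(4); please check that any of those pages which point back to ipfilter(4), and the manual page install list, are updated in the same change, and that the commit message (not shown on this page) says where, if anywhere, this content moved. If the text was relocated rather than dropped, showing it as a rename or move would make that reviewable here.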