summaryrefslogtreecommitdiffstats
path: root/contrib/ipfilter/man/ipfilter.4
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/ipfilter/man/ipfilter.4')
-rw-r--r--contrib/ipfilter/man/ipfilter.4241
1 files changed, 241 insertions, 0 deletions
diff --git a/contrib/ipfilter/man/ipfilter.4 b/contrib/ipfilter/man/ipfilter.4
new file mode 100644
index 0000000..cf8ca9f
--- /dev/null
+++ b/contrib/ipfilter/man/ipfilter.4
@@ -0,0 +1,241 @@
+.\" $NetBSD$
+.\"
+.TH IP\ FILTER 4
+.SH NAME
+ipfilter \- Introduction to IP packet filtering
+.SH DESCRIPTION
+IP Filter is a TCP/IP packet filter, suitable for use in a firewall
+environment. To use, it can either be used as a loadable kernel module or
+incorporated into your UNIX kernel; use as a loadable kernel module where
+possible is highly recommended. Scripts are provided to install and patch
+system files, as required.
+.SH FEATURES
+The IP packet filter can:
+.IP
+explicitly deny/permit any packet from passing through
+.IP
+distinguish between various interfaces
+.IP
+filter by IP networks or hosts
+.IP
+selectively filter any IP protocol
+.IP
+selectively filter fragmented IP packets
+.IP
+selectively filter packets with IP options
+.IP
+send back an ICMP error/TCP reset for blocked packets
+.IP
+keep packet state information for TCP, UDP and ICMP packet flows
+.IP
+keep fragment state information for any IP packet, applying the same rule
+to all fragments.
+.IP
+act as a Network Address Translator (NAT)
+.IP
+use redirection to setup true transparent proxy connections
+.IP
+provide packet header details to a user program for authentication
+.IP
+in addition, supports temporary storage of pre-authenticated rules for passing packets through
+.PP
+Special provision is made for the three most common Internet protocols, TCP,
+UDP and ICMP. The IP Packet filter allows filtering of:
+.IP
+Inverted host/net matchingTCP/UDP packets by port number or a port number
+range
+.IP
+ICMP packets by type/code
+.IP
+"established" TCP packets
+.IP
+On any arbitrary combination of TCP flags
+.IP
+"short" (fragmented) IP packets with incomplete headers can be filtered
+.IP
+any of the 19 IP options or 8 registered IP security classes TOS (Type of
+Service) field in packets
+.PP
+To keep track of the performance of the IP packet filter, a logging device
+is used which supports logging of:
+.IP
+the TCP/UDP/ICMP and IP packet headers
+.IP
+the first 128 bytes of the packet (including headers)
+.PP
+A packet can be logged when:
+.IP
+it is successfully passed through
+.IP
+it is blocked from passing through
+.IP
+it matches a rule setup to look for suspicious packets
+.PP
+IP Filter keeps its own set of statistics on:
+.IP
+packets blocked
+.IP
+packets (and bytes!) used for accounting
+.IP
+packets passed
+.lP
+packets logged
+.IP
+attempts to log which failed (buffer full)
+.IP
+and much more, for packets going both in and out.
+
+.SH Tools
+The current implementation provides a small set of tools, which can easily
+be used and integrated with regular unix shells and tools. A brief description
+of the tools provided:
+.PP
+ipf(8)
+reads in a set of rules, from either stdin or a file, and adds them to
+the kernels current list (appending them). It can also be used to flush the
+current filter set or delete individual filter rules. The file format is
+described in ipf(5).
+.PP
+ipfs(8)
+is a utility to temporarily lock the IP Filter kernel tables (state tables
+and NAT mappings) and write them to disk. After that the system can be
+rebooted, and ipfs can be used to read these tables from disk and restore
+them into the kernel. This way the system can be rebooted without the
+connections being terminated.
+.PP
+ipfstat(8)
+interrogates the kernel for statistics on packet filtering, so
+far, and retrieves the list of filters in operation for inbound and outbound
+packets.
+.PP
+ipftest(1)
+reads in a filter rule file and then applies sample IP packets to
+the rule file. This allows for testing of filter list and examination of how
+a packet is passed along through it.
+.PP
+ipmon(8)
+reads buffered data from the logging device (default is /dev/ipl)
+for output to either:
+.IP
+screen (standard output)
+.IP
+file
+.IP
+syslog
+.PP
+ipsend(1)
+generates arbitary IP packets for ethernet connected machines.
+.PP
+ipresend(1)
+reads in a data file of saved IP packets (ie
+snoop/tcpdump/etherfind output) and sends it back across the network.
+.PP
+iptest(1)
+contains a set of test "programs" which send out a series of IP
+packets, aimed at testing the strength of the TCP/IP stack at which it is
+aimed at. WARNING: this may crash machine(s) targeted!
+.PP
+ipnat(8)
+reads in a set of rules, from either stdin or a file and adds them
+to the kernels current list of active NAT rules. NAT rules can also be
+deleted using ipnat. The format of the configuration file to be used
+with ipnat is described in ipnat(5).
+.PP
+For use in your own programs (e.g. for writing of transparent application
+proxies), the programming interface and the associated ioctl's are
+documented in ipf(4).
+
+Documentation on ioctl's and the format of data saved
+to the logging character device is provided in ipl(4)
+so that you may develop your own applications to work with or in place of any
+of the above.
+
+Similar, the interface to the NAT code is documented in ipnat(4).
+
+.SH PACKET PROCESSING FLOW
+The following diagram illustrates the flow of TCP/IP packets through the
+various stages introduced by IP Filter.
+.PP
+.nf
+ IN
+ |
+ V
+ +-------------------------+--------------------------+
+ | | |
+ | V |
+ | Network Address Translation |
+ | | |
+ | authenticated | |
+ | +-------<---------+ |
+ | | | |
+ | | V |
+ | V IP Accounting |
+ | | | |
+ | | V |
+ | | Fragment Cache Check--+ |
+ | | | | |
+ | V V V |
+ | | Packet State Check-->+ |
+ | | | | |
+ | | +->--+ | | |
+ | | | | V | |
+ | V groups IP Filtering V |
+ | | | | | | |
+ | | +--<-+ | | |
+ | | | | |
+ | +---------------->|<-----------+ |
+ | | |
+ | V |
+ | +---<----+ |
+ | | | |
+ | function | |
+ | | V |
+ | +--->----+ |
+ | | |
+ | V |
+ +--|---<--- fast-route ---<--+ |
+ | | | |
+ | | V |
+ | +-------------------------+--------------------------+
+ | |
+ | pass only
+ | |
+ | V
+ V [KERNEL TCP/IP Processing]
+ | |
+ | +-------------------------+--------------------------+
+ | | | |
+ | | V |
+ | | Fragment Cache Check--+ |
+ | | | | |
+ | | V V |
+ | | Packet State Check-->+ |
+ | | | | |
+ | | V | |
+ V | IP Filtering | |
+ | | | V |
+ | | |<-----------+ |
+ | | V |
+ | | IP Accounting |
+ | | | |
+ | | V |
+ | | Network Address Translation |
+ | | | |
+ | | V |
+ | +-------------------------+--------------------------+
+ | |
+ | pass only
+ V |
+ +--------------------------->|
+ V
+ OUT
+.fi
+
+.SH MORE INFORMATION
+More information (including pointers to the FAQ and the mailing list) can be
+obtained from the sofware's official homepage: www.ipfilter.org
+
+.SH SEE ALSO
+ipf(4), ipf(5), ipf(8), ipfilter(5), ipfs(8), ipfstat(8), ipftest(1),
+ipl(4), ipmon(8), ipnat(8), ipnat(4),
+
OpenPOWER on IntegriCloud