Diffstat (limited to 'contrib/ipfilter/man')
24 files changed, 0 insertions, 3379 deletions
diff --git a/contrib/ipfilter/man/Makefile b/contrib/ipfilter/man/Makefile
deleted file mode 100644
index 3f12ccb..0000000
--- a/contrib/ipfilter/man/Makefile
+++ /dev/null
@@ -1,28 +0,0 @@
-#
-# Copyright (C) 1993-1998 by Darren Reed.
-#
-# See the IPFILTER.LICENCE file for details on licencing.
-#
-
-all:
-
-install:
- $(INSTALL) -m 0644 -c -o root -g bin ipftest.1 $(MANDIR)/man1
- $(INSTALL) -m 0644 -c -o root -g bin ipnat.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ipf.4 $(MANDIR)/man4
- $(INSTALL) -m 0644 -c -o root -g bin ipfilter.4 $(MANDIR)/man4
- $(INSTALL) -m 0644 -c -o root -g bin ipl.4 $(MANDIR)/man4
- $(INSTALL) -m 0644 -c -o root -g bin ipnat.4 $(MANDIR)/man4
- $(INSTALL) -m 0644 -c -o root -g bin ipf.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ipfilter.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ipnat.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ipf.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ipfs.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ipmon.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ipmon.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ippool.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ippool.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ipscan.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ipscan.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ipfstat.8 $(MANDIR)/man8
- @echo "Remember to rebuild the whatis database."
diff --git a/contrib/ipfilter/man/ipf.1 b/contrib/ipfilter/man/ipf.1
deleted file mode 100644
index 5ea06fa..0000000
--- a/contrib/ipfilter/man/ipf.1
+++ /dev/null
@@ -1,109 +0,0 @@
-.TH IPF 1
-.SH NAME
-ipf \- alters packet filtering lists for IP packet input and ouput
-.SH SYNOPSIS
-.B ipf
-[
-.B \-AdDEInorsUvyzZ
-] [
-.B \-l
-<block|pass|nomatch>
-] [
-.B \-F
-<i|o|a>
-]
-.B \-f
-<\fIfilename\fP>
-[
-.B \-f
-<\fIfilename\fP>
-[...]]
-.SH DESCRIPTION
-.PP
-\fBipf\fP opens the filenames listed (treating "\-" as stdin) and parses the
-file for a set of rules which are to be added or removed from the packet
-filter rule set.
-.PP
-Each rule processed by \fBipf\fP
-is added to the kernel's internal lists if there are no parsing problems.
-Rules are added to the end of the internal lists, matching the order in
-which they appear when given to \fBipf\fP.
-.SH OPTIONS
-.TP
-.B \-A
-Set the list to make changes to the active list (default).
-.TP
-.B \-d
-Turn debug mode on. Causes a hexdump of filter rules to be generated as
-it processes each one.
-.TP
-.B \-D
-Disable the filter (if enabled). Not effective for loadable kernel versions.
-.TP
-.B \-E
-Enable the filter (if disabled). Not effective for loadable kernel versions.
-.TP
-.BR \-F \0<param>
-This option specifies which filter list to flush. The parameter should
-either be "i" (input), "o" (output) or "a" (remove all filter rules).
-Either a single letter or an entire word starting with the appropriate
-letter maybe used. This option maybe before, or after, any other with
-the order on the command line being that used to execute options.
-.TP
-.BR \-f \0<filename>
-This option specifies which files
-\fBipf\fP should use to get input from for modifying the packet filter rule
-lists.
-.TP
-.B \-I
-Set the list to make changes to the inactive list.
-.TP
-.B \-l \0<param>
-Use of the \fB-l\fP flag toggles default logging of packets. Valid
-arguments to this option are \fBpass\fP, \fBblock\fP and \fBnomatch\fP.
-When an option is set, any packet which exits filtering and matches the
-set category is logged. This is most useful for causing all packets
-which don't match any of the loaded rules to be logged.
-.TP
-.B \-n
-This flag (no-change) prevents \fBipf\fP from actually making any ioctl
-calls or doing anything which would alter the currently running kernel.
-.TP
-.B \-o
-Force rules by default to be added/deleted to/from the output list, rather
-than the (default) input list.
-.TP
-.B \-r
-Remove matching filter rules rather than add them to the internal lists
-.TP
-.B \-s
-Swap the active filter list in use to be the "other" one.
-.TP
-.B \-U
-(SOLARIS 2 ONLY) Block packets travelling along the data stream which aren't
-recognised as IP packets. They will be printed out on the console.
-.TP
-.B \-v
-Turn verbose mode on. Displays information relating to rule processing.
-.TP
-.B \-y
-(SOLARIS 2 ONLY) Manually resync the in-kernel interface list maintained
-by IP Filter with the current interface status list.
-.TP
-.B \-z
-For each rule in the input file, reset the statistics for it to zero and
-display the statistics prior to them being zero'd.
-.TP
-.B \-Z
-Zero global statistics held in the kernel for filtering only (this doesn't
-affect fragment or state statistics).
-.DT
-.SH SEE ALSO
-ipfstat(1), ipftest(1), ipf(5), mkfilters(1)
-.SH DIAGNOSTICS
-.PP
-Needs to be run as root for the packet filtering lists to actually
-be affected inside the kernel.
-.SH BUGS
-.PP
-If you find any, please send email to me at darrenr@cyber.com.au
diff --git a/contrib/ipfilter/man/ipf.4 b/contrib/ipfilter/man/ipf.4
deleted file mode 100644
index e2e5b5b..0000000
--- a/contrib/ipfilter/man/ipf.4
+++ /dev/null
@@ -1,255 +0,0 @@ -.TH IPF 4 -.SH NAME -ipf \- packet filtering kernel interface -.SH SYNOPSIS -#include <netinet/ip_compat.h> -.br -#include <netinet/ip_fil.h> -.SH IOCTLS -.PP -To add and delete rules to the filter list, three 'basic' ioctls are provided -for use. The ioctl's are called as: -.LP -.nf - ioctl(fd, SIOCADDFR, struct frentry **) - ioctl(fd, SIOCDELFR, struct frentry **) - ioctl(fd, SIOCIPFFL, int *) -.fi -.PP -However, the full complement is as follows: -.LP -.nf - ioctl(fd, SIOCADAFR, struct frentry **) (same as SIOCADDFR) - ioctl(fd, SIOCRMAFR, struct frentry **) (same as SIOCDELFR) - ioctl(fd, SIOCADIFR, struct frentry **) - ioctl(fd, SIOCRMIFR, struct frentry **) - ioctl(fd, SIOCINAFR, struct frentry **) - ioctl(fd, SIOCINIFR, struct frentry **) - ioctl(fd, SIOCSETFF, u_int *) - ioctl(fd, SIOGGETFF, u_int *) - ioctl(fd, SIOCGETFS, struct friostat **) - ioctl(fd, SIOCIPFFL, int *) - ioctl(fd, SIOCIPFFB, int *) - ioctl(fd, SIOCSWAPA, u_int *) - ioctl(fd, SIOCFRENB, u_int *) - ioctl(fd, SIOCFRSYN, u_int *) - ioctl(fd, SIOCFRZST, struct friostat **) - ioctl(fd, SIOCZRLST, struct frentry **) - ioctl(fd, SIOCAUTHW, struct fr_info **) - ioctl(fd, SIOCAUTHR, struct fr_info **) - ioctl(fd, SIOCATHST, struct fr_authstat **) -.fi -.PP -The variations, SIOCADAFR vs. SIOCADIFR, allow operation on the two lists, -active and inactive, respectively. All of these ioctl's are implemented -as being routing ioctls and thus the same rules for the various routing -ioctls and the file descriptor are employed, mainly being that the fd must -be that of the device associated with the module (i.e., /dev/ipl). -.LP -.PP -The three groups of ioctls above perform adding rules to the end of the -list (SIOCAD*), deletion of rules from any place in the list (SIOCRM*) -and insertion of a rule into the list (SIOCIN*). The rule place into -which it is inserted is stored in the "fr_hits" field, below. 
-.LP -.nf -typedef struct frentry { - struct frentry *fr_next; - u_short fr_group; /* group to which this rule belongs */ - u_short fr_grhead; /* group # which this rule starts */ - struct frentry *fr_grp; - int fr_ref; /* reference count - for grouping */ - void *fr_ifa; -#if BSD >= 199306 - void *fr_oifa; -#endif - /* - * These are only incremented when a packet matches this rule and - * it is the last match - */ - U_QUAD_T fr_hits; - U_QUAD_T fr_bytes; - /* - * Fields after this may not change whilst in the kernel. - */ - struct fr_ip fr_ip; - struct fr_ip fr_mip; /* mask structure */ - - u_char fr_tcpfm; /* tcp flags mask */ - u_char fr_tcpf; /* tcp flags */ - - u_short fr_icmpm; /* data for ICMP packets (mask) */ - u_short fr_icmp; - - u_char fr_scmp; /* data for port comparisons */ - u_char fr_dcmp; - u_short fr_dport; - u_short fr_sport; - u_short fr_stop; /* top port for <> and >< */ - u_short fr_dtop; /* top port for <> and >< */ - u_32_t fr_flags; /* per-rule flags && options (see below) */ - u_short fr_skip; /* # of rules to skip */ - u_short fr_loglevel; /* syslog log facility + priority */ - int (*fr_func) __P((int, ip_t *, fr_info_t *)); - char fr_icode; /* return ICMP code */ - char fr_ifname[IFNAMSIZ]; -#if BSD > 199306 - char fr_oifname[IFNAMSIZ]; -#endif - struct frdest fr_tif; /* "to" interface */ - struct frdest fr_dif; /* duplicate packet interfaces */ -} frentry_t; -.fi -.PP -When adding a new rule, all unused fields (in the filter rule) should be -initialised to be zero. To insert a rule, at a particular position in the -filter list, the number of the rule which it is to be inserted before must -be put in the "fr_hits" field (the first rule is number 0). 
-.LP -.PP -Flags which are recognised in fr_flags: -.nf - - FR_BLOCK 0x000001 /* do not allow packet to pass */ - FR_PASS 0x000002 /* allow packet to pass */ - FR_OUTQUE 0x000004 /* outgoing packets */ - FR_INQUE 0x000008 /* ingoing packets */ - FR_LOG 0x000010 /* Log */ - FR_LOGB 0x000011 /* Log-fail */ - FR_LOGP 0x000012 /* Log-pass */ - FR_LOGBODY 0x000020 /* log the body of packets too */ - FR_LOGFIRST 0x000040 /* log only the first packet to match */ - FR_RETRST 0x000080 /* return a TCP RST packet if blocked */ - FR_RETICMP 0x000100 /* return an ICMP packet if blocked */ - FR_FAKEICMP 0x00180 /* Return ICMP unreachable with fake source */ - FR_NOMATCH 0x000200 /* no match occured */ - FR_ACCOUNT 0x000400 /* count packet bytes */ - FR_KEEPFRAG 0x000800 /* keep fragment information */ - FR_KEEPSTATE 0x001000 /* keep `connection' state information */ - FR_INACTIVE 0x002000 - FR_QUICK 0x004000 /* match & stop processing list */ - FR_FASTROUTE 0x008000 /* bypass normal routing */ - FR_CALLNOW 0x010000 /* call another function (fr_func) if matches */ - FR_DUP 0x020000 /* duplicate the packet */ - FR_LOGORBLOCK 0x040000 /* block the packet if it can't be logged */ - FR_NOTSRCIP 0x080000 /* not the src IP# */ - FR_NOTDSTIP 0x100000 /* not the dst IP# */ - FR_AUTH 0x200000 /* use authentication */ - FR_PREAUTH 0x400000 /* require preauthentication */ - -.fi -.PP -Values for fr_scomp and fr_dcomp (source and destination port value -comparisons) : -.LP -.nf - FR_NONE 0 - FR_EQUAL 1 - FR_NEQUAL 2 - FR_LESST 3 - FR_GREATERT 4 - FR_LESSTE 5 - FR_GREATERTE 6 - FR_OUTRANGE 7 - FR_INRANGE 8 -.fi -.PP -The third ioctl, SIOCIPFFL, flushes either the input filter list, the -output filter list or both and it returns the number of filters removed -from the list(s). The values which it will take and recognise are FR_INQUE -and FR_OUTQUE (see above). 
This ioctl is also implemented for -\fB/dev/ipstate\fP and will flush all state tables entries if passed 0 -or just all those which are not established if passed 1. - -.IP "\fBGeneral Logging Flags\fP" 0 -There are two flags which can be set to log packets independently of the -rules used. These allow for packets which are either passed or blocked -to be logged. To set (and clear)/get these flags, two ioctls are -provided: -.IP SIOCSETFF 16 -Takes an unsigned integer as the parameter. The flags are then set to -those provided (clearing/setting all in one). -.nf - - FF_LOGPASS 0x10000000 - FF_LOGBLOCK 0x20000000 - FF_LOGNOMATCH 0x40000000 - FF_BLOCKNONIP 0x80000000 /* Solaris 2.x only */ -.fi -.IP SIOCGETFF 16 -Takes a pointer to an unsigned integer as the parameter. A copy of the -flags currently in used is copied to user space. -.IP "\fBFilter statistics\fP" 0 -Statistics on the various operations performed by this package on packets -is kept inside the kernel. These statistics apply to packets traversing -through the kernel. 
To retrieve this structure, use this ioctl: -.nf - - ioctl(fd, SIOCGETFS, struct friostat *) - -struct friostat { - struct filterstats f_st[2]; - struct frentry *f_fin[2]; - struct frentry *f_fout[2]; - struct frentry *f_acctin[2]; - struct frentry *f_acctout[2]; - struct frentry *f_auth; - u_long f_froute[2]; - int f_active; /* 1 or 0 - active rule set */ - int f_defpass; /* default pass - from fr_pass */ - int f_running; /* 1 if running, else 0 */ - int f_logging; /* 1 if enabled, else 0 */ - char f_version[32]; /* version string */ -}; - -struct filterstats { - u_long fr_pass; /* packets allowed */ - u_long fr_block; /* packets denied */ - u_long fr_nom; /* packets which don't match any rule */ - u_long fr_ppkl; /* packets allowed and logged */ - u_long fr_bpkl; /* packets denied and logged */ - u_long fr_npkl; /* packets unmatched and logged */ - u_long fr_pkl; /* packets logged */ - u_long fr_skip; /* packets to be logged but buffer full */ - u_long fr_ret; /* packets for which a return is sent */ - u_long fr_acct; /* packets for which counting was performed */ - u_long fr_bnfr; /* bad attempts to allocate fragment state */ - u_long fr_nfr; /* new fragment state kept */ - u_long fr_cfr; /* add new fragment state but complete pkt */ - u_long fr_bads; /* bad attempts to allocate packet state */ - u_long fr_ads; /* new packet state kept */ - u_long fr_chit; /* cached hit */ - u_long fr_pull[2]; /* good and bad pullup attempts */ -#if SOLARIS - u_long fr_notdata; /* PROTO/PCPROTO that have no data */ - u_long fr_nodata; /* mblks that have no data */ - u_long fr_bad; /* bad IP packets to the filter */ - u_long fr_notip; /* packets passed through no on ip queue */ - u_long fr_drop; /* packets dropped - no info for them! */ -#endif -}; -.fi -If we wanted to retrieve all the statistics and reset the counters back to -0, then the ioctl() call would be made to SIOCFRZST rather than SIOCGETFS. 
-In addition to the statistics above, each rule keeps a hit count, counting -both number of packets and bytes. To reset these counters for a rule, -load the various rule information into a frentry structure and call -SIOCZRLST. -.IP "Swapping Active lists" 0 -IP Filter supports two lists of rules for filtering and accounting: an -active list and an inactive list. This allows for large scale rule base -changes to be put in place atomically with otherwise minimal interruption. -Which of the two is active can be changed using the SIOCSWAPA ioctl. It -is important to note that no passed argument is recognised and that the -value returned is that of the list which is now inactive. -.br -.SH FILES -/dev/ipauth -.br -/dev/ipl -.br -/dev/ipnat -.br -/dev/ipstate -.SH SEE ALSO -ipl(4), ipnat(4), ipf(5), ipf(8), ipfstat(8) diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5 deleted file mode 100644 index 3fd9e94..0000000 --- a/contrib/ipfilter/man/ipf.5 +++ /dev/null 
@@ -1,556 +0,0 @@ -.TH IPF 5 -.SH NAME -ipf, ipf.conf, ipf6.conf \- IP packet filter rule syntax -.SH DESCRIPTION -.PP -A rule file for \fBipf\fP may have any name or even be stdin. As -\fBipfstat\fP produces parsable rules as output when displaying the internal -kernel filter lists, it is quite plausible to use its output to feed back -into \fBipf\fP. Thus, to remove all filters on input packets, the following -could be done: -.nf - -\fC# ipfstat \-i | ipf \-rf \-\fP -.fi -.SH GRAMMAR -.PP -The format used by \fBipf\fP for construction of filtering rules can be -described using the following grammar in BNF: -\fC -.nf -filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ] - [ proto ] ip [ group ]. - -insert = "@" decnumber . -action = block | "pass" | log | "count" | skip | auth | call . -in-out = "in" | "out" . -options = [ log ] [ tag ] [ "quick" ] [ "on" interface-name [ dup ] - [ froute ] [ replyto ] ] . -tos = "tos" decnumber | "tos" hexnumber . -ttl = "ttl" decnumber . -proto = "proto" protocol . -ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] . -group = [ "head" decnumber ] [ "group" decnumber ] . - -block = "block" [ return-icmp[return-code] | "return-rst" ] . -log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] . -tag = "tag" tagid . -skip = "skip" decnumber . -auth = "auth" | "preauth" . -call = "call" [ "now" ] function-name . -dup = "dup-to" interface-name [ ":" ipaddr ] . -froute = "fastroute" | "to" interface-name [ ":" ipaddr ] . -replyto = "reply-to" interface-name [ ":" ipaddr ] . -protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber . -srcdst = "all" | fromto . -fromto = "from" [ "!" ] object "to" [ "!" ] object . - -return-icmp = "return-icmp" | "return-icmp-as-dest" . -return-code = "(" icmp-code ")" . -object = addr [ port-comp | port-range ] . -addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] . 
-addr = "any" | "<thishost>" | nummask | - host-name [ "mask" ipaddr | "mask" hexnumber ] . -port-comp = "port" compare port-num . -port-range = "port" port-num range port-num . -flags = "flags" flag { flag } [ "/" flag { flag } ] . -with = "with" | "and" . -icmp = "icmp-type" icmp-type [ "code" decnumber ] . -return-code = "(" icmp-code ")" . -keep = "keep" "state" [ "(" state-options ")" ] | "keep" "frags" . -loglevel = facility"."priority | priority . - -nummask = host-name [ "/" decnumber ] . -host-name = ipaddr | hostname | "any" . -ipaddr = host-num "." host-num "." host-num "." host-num . -host-num = digit [ digit [ digit ] ] . -port-num = service-name | decnumber . -state-options = state-opts [ "," state-options ] . - -state-opts = "age" decnumber [ "/" decnumber ] | "strict" | - "no-icmp-err" | "limit" decnumber | "newisn" | "sync" . -withopt = [ "not" | "no" ] opttype [ withopt ] . -opttype = "ipopts" | "short" | "frag" | "opt" optname . -optname = ipopts [ "," optname ] . -ipopts = optlist | "sec-class" [ secname ] . -secname = seclvl [ "," secname ] . -seclvl = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" | - "reserv-4" | "secret" | "topsecret" . -icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" | - "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" | - "inforep" | "maskreq" | "maskrep" | decnumber . -icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" | - "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" | - "net-prohib" | "host-prohib" | "net-tos" | "host-tos" | - "filter-prohib" | "host-preced" | "cutoff-preced" . -optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | - "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | - "addext" | "visa" | "imitd" | "eip" | "finn" . 
-facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" | - "lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" | - "audit" | "logalert" | "local0" | "local1" | "local2" | - "local3" | "local4" | "local5" | "local6" | "local7" . -priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" | - "info" | "debug" . - -hexnumber = "0" "x" hexstring . -hexstring = hexdigit [ hexstring ] . -decnumber = digit [ decnumber ] . - -compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | - "gt" | "le" | "ge" . -range = "<>" | "><" . -hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" . -digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" . -flag = "F" | "S" | "R" | "P" | "A" | "U" . -.fi -.PP -This syntax is somewhat simplified for readability, some combinations -that match this grammar are disallowed by the software because they do -not make sense (such as tcp \fBflags\fP for non-TCP packets). -.SH FILTER RULES -.PP -The "briefest" valid rules are (currently) no-ops and are of the form: -.nf - block in all - pass in all - log out all - count in all -.fi -.PP -Filter rules are checked in order, with the last matching rule -determining the fate of the packet (but see the \fBquick\fP option, -below). -.PP -Filters are installed by default at the end of the kernel's filter -lists, prepending the rule with \fB@n\fP will cause it to be inserted -as the n'th entry in the current list. This is especially useful when -modifying and testing active filter rulesets. See ipf(8) for more -information. -.SH ACTIONS -.PP -The action indicates what to do with the packet if it matches the rest -of the filter rule. Each rule MUST have an action. The following -actions are recognised: -.TP -.B block -indicates that the packet should be flagged to be dropped. 
In response -to blocking a packet, the filter may be instructed to send a reply -packet, either an ICMP packet (\fBreturn-icmp\fP), an ICMP packet -masquerading as being from the original packet's destination -(\fBreturn-icmp-as-dest\fP), or a TCP "reset" (\fBreturn-rst\fP). An -ICMP packet may be generated in response to any IP packet, and its -type may optionally be specified, but a TCP reset may only be used -with a rule which is being applied to TCP packets. When using -\fBreturn-icmp\fP or \fBreturn-icmp-as-dest\fP, it is possible to specify -the actual unreachable `type'. That is, whether it is a network -unreachable, port unreachable or even administratively -prohibited. This is done by enclosing the ICMP code associated with -it in parenthesis directly following \fBreturn-icmp\fP or -\fBreturn-icmp-as-dest\fP as follows: -.nf - block return-icmp(11) ... -.fi -.PP -Would return a Type-Of-Service (TOS) ICMP unreachable error. -.TP -.B pass -will flag the packet to be let through the filter. -.TP -.B log -causes the packet to be logged (as described in the LOGGING section -below) and has no effect on whether the packet will be allowed through -the filter. -.TP -.B count -causes the packet to be included in the accounting statistics kept by -the filter, and has no effect on whether the packet will be allowed through -the filter. These statistics are viewable with ipfstat(8). -.TP -.B call -this action is used to invoke the named function in the kernel, which -must conform to a specific calling interface. Customised actions and -semantics can thus be implemented to supplement those available. This -feature is for use by knowledgeable hackers, and is not currently -documented. -.TP -.B "skip <n>" -causes the filter to skip over the next \fIn\fP filter rules. If a rule is -inserted or deleted inside the region being skipped over, then the value of -\fIn\fP is adjusted appropriately. 
-.TP -.B auth -this allows authentication to be performed by a user-space program running -and waiting for packet information to validate. The packet is held for a -period of time in an internal buffer whilst it waits for the program to return -to the kernel the \fIreal\fP flags for whether it should be allowed through -or not. Such a program might look at the source address and request some sort -of authentication from the user (such as a password) before allowing the -packet through or telling the kernel to drop it if from an unrecognised source. -.TP -.B preauth -tells the filter that for packets of this class, it should look in the -pre-authenticated list for further clarification. If no further matching -rule is found, the packet will be dropped (the FR_PREAUTH is not the same -as FR_PASS). If a further matching rule is found, the result from that is -used in its instead. This might be used in a situation where a person -\fIlogs in\fP to the firewall and it sets up some temporary rules defining -the access for that person. -.PP -The next word must be either \fBin\fP or \fBout\fP. Each packet -moving through the kernel is either inbound (just been received on an -interface, and moving towards the kernel's protocol processing) or -outbound (transmitted or forwarded by the stack, and on its way to an -interface). There is a requirement that each filter rule explicitly -state which side of the I/O it is to be used on. -.SH OPTIONS -.PP -The list of options is brief, and all are indeed optional. Where -options are used, they must be present in the order shown here. These -are the currently supported options: -.TP -.B log -indicates that, should this be the last matching rule, the packet -header will be written to the \fBipl\fP log (as described in the -LOGGING section below). -.TP -.B tag tagid -indicates that, if this rule causes the packet to be logged or entered -in the state table, the tagid will be logged as part of the log entry. 
-This can be used to quickly match "similar" rules in scripts that post -process the log files for e.g. generation of security reports or accounting -purposes. The tagid is a 32 bit unsigned integer. -.TP -.B quick -allows "short-cut" rules in order to speed up the filter or override -later rules. If a packet matches a filter rule which is marked as -\fBquick\fP, this rule will be the last rule checked, allowing a -"short-circuit" path to avoid processing later rules for this -packet. The current status of the packet (after any effects of the -current rule) will determine whether it is passed or blocked. -.IP -If this option is missing, the rule is taken to be a "fall-through" -rule, meaning that the result of the match (block/pass) is saved and -that processing will continue to see if there are any more matches. -.TP -.B on -allows an interface name to be incorporated into the matching -procedure. Interface names are as printed by "netstat \-i". If this -option is used, the rule will only match if the packet is going -through that interface in the specified direction (in/out). If this -option is absent, the rule is taken to be applied to a packet -regardless of the interface it is present on (i.e. on all interfaces). -Filter rulesets are common to all interfaces, rather than having a -filter list for each interface. -.IP -This option is especially useful for simple IP-spoofing protection: -packets should only be allowed to pass inbound on the interface from -which the specified source address would be expected, others may be -logged and/or dropped. -.TP -.B dup-to -causes the packet to be copied, and the duplicate packet to be sent -outbound on the specified interface, optionally with the destination -IP address changed to that specified. This is useful for off-host -logging, using a network sniffer. -.TP -.B to -causes the packet to be moved to the outbound queue on the -specified interface. 
This can be used to circumvent kernel routing -decisions, and even to bypass the rest of the kernel processing of the -packet (if applied to an inbound rule). It is thus possible to -construct a firewall that behaves transparently, like a filtering hub -or switch, rather than a router. The \fBfastroute\fP keyword is a -synonym for this option. -.SH MATCHING PARAMETERS -.PP -The keywords described in this section are used to describe attributes -of the packet to be used when determining whether rules match or don't -match. The following general-purpose attributes are provided for -matching, and must be used in this order: -.TP -.B tos -packets with different Type-Of-Service values can be filtered. -Individual service levels or combinations can be filtered upon. The -value for the TOS mask can either be represented as a hex number or a -decimal integer value. -.TP -.B ttl -packets may also be selected by their Time-To-Live value. The value given in -the filter rule must exactly match that in the packet for a match to occur. -This value can only be given as a decimal integer value. -.TP -.B proto -allows a specific protocol to be matched against. All protocol names -found in \fB/etc/protocols\fP are recognised and may be used. -However, the protocol may also be given as a DECIMAL number, allowing -for rules to match your own protocols, or new ones which would -out-date any attempted listing. -.IP -The special protocol keyword \fBtcp/udp\fP may be used to match either -a TCP or a UDP packet, and has been added as a convenience to save -duplication of otherwise-identical rules. -.\" XXX grammar should reflect this (/etc/protocols) -.PP -The \fBfrom\fP and \fBto\fP keywords are used to match against IP -addresses (and optionally port numbers). Rules must specify BOTH -source and destination parameters. -.PP -IP addresses may be specified in one of two ways: as a numerical -address\fB/\fPmask, or as a hostname \fBmask\fP netmask. 
The hostname -may either be a valid hostname, from either the hosts file or DNS -(depending on your configuration and library) or of the dotted numeric -form. There is no special designation for networks but network names -are recognised. Note that having your filter rules depend on DNS -results can introduce an avenue of attack, and is discouraged. -.PP -There is a special case for the hostname \fBany\fP which is taken to -be 0.0.0.0/0 (see below for mask syntax) and matches all IP addresses. -Only the presence of "any" has an implied mask, in all other -situations, a hostname MUST be accompanied by a mask. It is possible -to give "any" a hostmask, but in the context of this language, it is -non-sensical. -.PP -The numerical format "x\fB/\fPy" indicates that a mask of y -consecutive 1 bits set is generated, starting with the MSB, so a y value -of 16 would give 0xffff0000. The symbolic "x \fBmask\fP y" indicates -that the mask y is in dotted IP notation or a hexadecimal number of -the form 0x12345678. Note that all the bits of the IP address -indicated by the bitmask must match the address on the packet exactly; -there isn't currently a way to invert the sense of the match, or to -match ranges of IP addresses which do not express themselves easily as -bitmasks (anthropomorphization; it's not just for breakfast anymore). -.PP -If a \fBport\fP match is included, for either or both of source and -destination, then it is only applied to -.\" XXX - "may only be" ? how does this apply to other protocols? will it not match, or will it be ignored? -TCP and UDP packets. If there is no \fBproto\fP match parameter, -packets from both protocols are compared. This is equivalent to "proto -tcp/udp". When composing \fBport\fP comparisons, either the service -name or an integer port number may be used. Port comparisons may be -done in a number of forms, with a number of comparison operators, or -port ranges may be specified. 
When the port appears as part of the -\fBfrom\fP object, it matches the source port number, when it appears -as part of the \fBto\fP object, it matches the destination port number. -See the examples for more information. -.PP -The \fBall\fP keyword is essentially a synonym for "from any to any" -with no other match parameters. -.PP -Following the source and destination matching parameters, the -following additional parameters may be used: -.TP -.B with -is used to match irregular attributes that some packets may have -associated with them. To match the presence of IP options in general, -use \fBwith ipopts\fP. To match packets that are too short to contain -a complete header, use \fBwith short\fP. To match fragmented packets, -use \fBwith frag\fP. For more specific filtering on IP options, -individual options can be listed. -.IP -Before any parameter used after the \fBwith\fP keyword, the word -\fBnot\fP or \fBno\fP may be inserted to cause the filter rule to only -match if the option(s) is not present. -.IP -Multiple consecutive \fBwith\fP clauses are allowed. Alternatively, -the keyword \fBand\fP may be used in place of \fBwith\fP, this is -provided purely to make the rules more readable ("with ... and ..."). -When multiple clauses are listed, all those must match to cause a -match of the rule. -.\" XXX describe the options more specifically in a separate section -.TP -.B flags -is only effective for TCP filtering. Each of the letters possible -represents one of the possible flags that can be set in the TCP -header. The association is as follows: -.LP -.nf - F - FIN - S - SYN - R - RST - P - PUSH - A - ACK - U - URG -.fi -.IP -The various flag symbols may be used in combination, so that "SA" -would represent a SYN-ACK combination present in a packet. There is -nothing preventing the specification of combinations, such as "SFR", -that would not normally be generated by law-abiding TCP -implementations. 
However, to guard against weird aberrations, it is -necessary to state which flags you are filtering against. To allow -this, it is possible to set a mask indicating which TCP flags you wish -to compare (i.e., those you deem significant). This is done by -appending "/<flags>" to the set of TCP flags you wish to match -against, e.g.: -.LP -.nf - ... flags S - # becomes "flags S/AUPRFS" and will match - # packets with ONLY the SYN flag set. - - ... flags SA - # becomes "flags SA/AUPRFS" and will match any - # packet with only the SYN and ACK flags set. - - ... flags S/SA - # will match any packet with just the SYN flag set - # out of the SYN-ACK pair; the common "establish" - # keyword action. "S/SA" will NOT match a packet - # with BOTH SYN and ACK set, but WILL match "SFP". -.fi -.TP -.B icmp-type -is only effective when used with \fBproto icmp\fP and must NOT be used -in conjunction with \fBflags\fP. There are a number of types, which can be -referred to by an abbreviation recognised by this language, or the numbers -with which they are associated can be used. The most important from -a security point of view is the ICMP redirect. -.SH KEEP HISTORY -.PP -The second last parameter which can be set for a filter rule is whether or not -to record historical information for that packet, and what sort to keep. The -following information can be kept: -.TP -.B state -keeps information about the flow of a communication session. State can -be kept for TCP, UDP, and ICMP packets. -.TP -.B frags -keeps information on fragmented packets, to be applied to later -fragments. -.PP -allowing packets which match these to flow straight through, rather -than going through the access control list. -.SH GROUPS -The last pair of parameters control filter rule "grouping". By default, all -filter rules are placed in group 0 if no other group is specified. To add a -rule to a non-default group, the group must first be started by creating a -group \fIhead\fP. 
If a packet matches a rule which is the \fIhead\fP of a -group, the filter processing then switches to the group, using that rule as -the default for the group. If \fBquick\fP is used with a \fBhead\fP rule, rule -processing isn't stopped until it has returned from processing the group. -.PP -A rule may be both the head for a new group and a member of a non-default -group (\fBhead\fP and \fBgroup\fP may be used together in a rule). -.TP -.B "head <n>" -indicates that a new group (number n) should be created. -.TP -.B "group <n>" -indicates that the rule should be put in group (number n) rather than group 0. -.SH LOGGING -.PP -When a packet is logged, with either the \fBlog\fP action or option, -the headers of the packet are written to the \fBipl\fP packet logging -pseudo-device. Immediately following the \fBlog\fP keyword, the -following qualifiers may be used (in order): -.TP -.B body -indicates that the first 128 bytes of the packet contents will be -logged after the headers. -.TP -.B first -If log is being used in conjunction with a "keep" option, it is recommended -that this option is also applied so that only the triggering packet is logged -and not every packet which thereafter matches state information. -.TP -.B or-block -indicates that, if for some reason the filter is unable to log the -packet (such as the log reader being too slow) then the rule should be -interpreted as if the action was \fBblock\fP for this packet. -.TP -.B "level <loglevel>" -indicates what logging facility and priority, or just priority with -the default facility being used, will be used to log information about -this packet using ipmon's -s option. -.PP -See ipl(4) for the format of records written -to this device. The ipmon(8) program can be used to read and format -this log. 
-.SH EXAMPLES -.PP -The \fBquick\fP option is good for rules such as: -\fC -.nf -block in quick from any to any with ipopts -.fi -.PP -which will match any packet with a non-standard header length (IP -options present) and abort further processing of later rules, -recording a match and also that the packet should be blocked. -.PP -The "fall-through" rule parsing allows for effects such as this: -.LP -.nf - block in from any to any port < 6000 - pass in from any to any port >= 6000 - block in from any to any port > 6003 -.fi -.PP -which sets up the range 6000-6003 as being permitted and all others being -denied. Note that the effect of the first rule is overridden by subsequent -rules. Another (easier) way to do the same is: -.LP -.nf - block in from any to any port 6000 <> 6003 - pass in from any to any port 5999 >< 6004 -.fi -.PP -Note that both the "block" and "pass" are needed here to effect a -result as a failed match on the "block" action does not imply a pass, -only that the rule hasn't taken effect. To then allow ports < 1024, a -rule such as: -.LP -.nf - pass in quick from any to any port < 1024 -.fi -.PP -would be needed before the first block. To create a new group for -processing all inbound packets on le0/le1/lo0, with the default being to block -all inbound packets, we would do something like: -.LP -.nf - block in all - block in quick on le0 all head 100 - block in quick on le1 all head 200 - block in quick on lo0 all head 300 -.fi -.PP - -and to then allow ICMP packets in on le0, only, we would do: -.LP -.nf - pass in proto icmp all group 100 -.fi -.PP -Note that because only inbound packets on le0 are used processed by group 100, -there is no need to respecify the interface name. Likewise, we could further -breakup processing of TCP, etc, as follows: -.LP -.nf - block in proto tcp all head 110 group 100 - pass in from any to any port = 23 group 110 -.fi -.PP -and so on. 
The last line, if written without the groups would be:
-.LP
-.nf
- pass in on le0 proto tcp from any to any port = telnet
-.fi
-.PP
-Note, that if we wanted to say "port = telnet", "proto tcp" would
-need to be specified as the parser interprets each rule on its own and
-qualifies all service/port names with the protocol specified.
-.SH FILES
-/dev/ipauth
-.br
-/dev/ipl
-.br
-/dev/ipstate
-.br
-/etc/hosts
-.br
-/etc/services
-.SH SEE ALSO
-ipftest(1), iptest(1), mkfilters(1), ipf(4), ipnat(5), ipf(8), ipfstat(8)
diff --git a/contrib/ipfilter/man/ipf.8
deleted file mode 100644
index a438415..0000000
--- a/contrib/ipfilter/man/ipf.8
+++ /dev/null
@@ -1,171 +0,0 @@ -.TH IPF 8 -.SH NAME -ipf \- alters packet filtering lists for IP packet input and output -.SH SYNOPSIS -.B ipf -[ -.B \-6AcdDEInoPrsvVyzZ -] [ -.B \-l -<block|pass|nomatch> -] [ -.B \-T -<optionlist> -] [ -.B \-F -<i|o|a|s|S> -] -.B \-f -<\fIfilename\fP> -[ -.B \-f -<\fIfilename\fP> -[...]] -.SH DESCRIPTION -.PP -\fBipf\fP opens the filenames listed (treating "\-" as stdin) and parses the -file for a set of rules which are to be added or removed from the packet -filter rule set. -.PP -Each rule processed by \fBipf\fP -is added to the kernel's internal lists if there are no parsing problems. -Rules are added to the end of the internal lists, matching the order in -which they appear when given to \fBipf\fP. -.SH OPTIONS -.TP -.B \-6 -This option is required to parse IPv6 rules and to have them loaded. -.TP -.B \-A -Set the list to make changes to the active list (default). -.TP -.B \-c <language> -This option causes \fBipf\fP to generate output files for a compiler that -supports \fBlanguage\fI. At present, the only target language supported is -\fBC\fB (-cc) for which two files - \fBip_rules.c\fP -and \fBip_rules.h\fP are generated in the \fBCURRENT DIRECTORY\fP when -\fBipf\fP is being run. These files can be used with the -\fBIPFILTER_COMPILED\fP kernel option to build filter rules staticly into -the kernel. -.TP -.B \-d -Turn debug mode on. Causes a hexdump of filter rules to be generated as -it processes each one. -.TP -.B \-D -Disable the filter (if enabled). Not effective for loadable kernel versions. -.TP -.B \-E -Enable the filter (if disabled). Not effective for loadable kernel versions. -.TP -.BR \-F \0<i|o|a> -This option specifies which filter list to flush. The parameter should -either be "i" (input), "o" (output) or "a" (remove all filter rules). -Either a single letter or an entire word starting with the appropriate -letter maybe used. 
This option maybe before, or after, any other with -the order on the command line being that used to execute options. -.TP -.BR \-F \0<s|S> -To flush entries from the state table, the \fB-F\fP option is used in -conjunction with either "s" (removes state information about any non-fully -established connections) or "S" (deletes the entire state table). Only -one of the two options may be given. A fully established connection -will show up in \fBipfstat -s\fP output as 5/5, with deviations either -way indicating it is not fully established any more. -.TP -.BR \-F <5|6|7|8|9|10|11> -For the TCP states that represent the closing of a connection has begun, -be it only one side or the complete connection, it is possible to flush -those states directly using the number corresponding to that state. -The numbers relate to the states as follows: 5 = close-wait, 6 = fin-wait-1, -7 = closing, 8 = last-ack, 9 = fin-wait-2, 10 = time-wait, 11 = closed. -.TP -.BR \-F <number> -If the argument supplied to \fB-F\fP is greater than 30, then state table -entries that have been idle for more than this many seconds will be flushed. -.TP -.BR \-f \0<filename> -This option specifies which files -\fBipf\fP should use to get input from for modifying the packet filter rule -lists. -.TP -.B \-I -Set the list to make changes to the inactive list. -.TP -.B \-l \0<pass|block|nomatch> -Use of the \fB-l\fP flag toggles default logging of packets. Valid -arguments to this option are \fBpass\fP, \fBblock\fP and \fBnomatch\fP. -When an option is set, any packet which exits filtering and matches the -set category is logged. This is most useful for causing all packets -which don't match any of the loaded rules to be logged. -.TP -.B \-n -This flag (no-change) prevents \fBipf\fP from actually making any ioctl -calls or doing anything which would alter the currently running kernel. -.TP -.B \-o -Force rules by default to be added/deleted to/from the output list, rather -than the (default) input list. 
-.TP -.B \-P -Add rules as temporary entries in the authentication rule table. -.TP -.B \-r -Remove matching filter rules rather than add them to the internal lists -.TP -.B \-s -Swap the active filter list in use to be the "other" one. -.TP -.B \-T <optionlist> -This option allows run-time changing of IPFilter kernel variables. Some -variables require IPFilter to be in a disabled state (\fB-D\fP) for changing, -others do not. The optionlist parameter is a comma separated list of tuning -commands. A tuning command is either "list" (retrieve a list of all variables -in the kernel, their maximum, minimum and current value), a single variable -name (retrieve its current value) and a variable name with a following -assignment to set a new value. Some examples follow. -.nf -# Print out all IPFilter kernel tunable parameters -ipf -T list -# Display the current TCP idle timeout and then set it to 3600 -ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E -# Display current values for fr_pass and fr_chksrc, then set fr_chksrc to 1. -ipf -T fr_pass,fr_chksrc,fr_chksrc=1 -.fi -.TP -.B \-v -Turn verbose mode on. Displays information relating to rule processing. -.TP -.B \-V -Show version information. This will display the version information compiled -into the ipf binary and retrieve it from the kernel code (if running/present). -If it is present in the kernel, information about its current state will be -displayed (whether logging is active, default filtering, etc). -.TP -.B \-y -Manually resync the in-kernel interface list maintained by IP Filter with -the current interface status list. -.TP -.B \-z -For each rule in the input file, reset the statistics for it to zero and -display the statistics prior to them being zeroed. -.TP -.B \-Z -Zero global statistics held in the kernel for filtering only (this doesn't -affect fragment or state statistics). 
-.DT
-.SH FILES
-/dev/ipauth
-.br
-/dev/ipl
-.br
-/dev/ipstate
-.SH SEE ALSO
-ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8), ipnat(8)
-.SH DIAGNOSTICS
-.PP
-Needs to be run as root for the packet filtering lists to actually
-be affected inside the kernel.
-.SH BUGS
-.PP
-If you find any, please send email to me at darrenr@pobox.com
diff --git a/contrib/ipfilter/man/ipfilter.4
deleted file mode 100644
index b2d2f2a..0000000
--- a/contrib/ipfilter/man/ipfilter.4
+++ /dev/null
@@ -1,239 +0,0 @@
-.TH IP\ FILTER 4
-.SH NAME
-ipfilter \- Introduction to IP packet filtering
-.SH DESCRIPTION
-IP Filter is a TCP/IP packet filter, suitable for use in a firewall
-environment. To use, it can either be used as a loadable kernel module or
-incorporated into your UNIX kernel; use as a loadable kernel module where
-possible is highly recommended. Scripts are provided to install and patch
-system files, as required.
-.SH FEATURES
-The IP packet filter can:
-.IP
-explicitly deny/permit any packet from passing through
-.IP
-distinguish between various interfaces
-.IP
-filter by IP networks or hosts
-.IP
-selectively filter any IP protocol
-.IP
-selectively filter fragmented IP packets
-.IP
-selectively filter packets with IP options
-.IP
-send back an ICMP error/TCP reset for blocked packets
-.IP
-keep packet state information for TCP, UDP and ICMP packet flows
-.IP
-keep fragment state information for any IP packet, applying the same rule
-to all fragments.
-.IP
-act as a Network Address Translator (NAT)
-.IP
-use redirection to setup true transparent proxy connections
-.IP
-provide packet header details to a user program for authentication
-.IP
-in addition, supports temporary storage of pre-authenticated rules for passing packets through
-.PP
-Special provision is made for the three most common Internet protocols, TCP,
-UDP and ICMP.
The IP Packet filter allows filtering of:
-.IP
-Inverted host/net matchingTCP/UDP packets by port number or a port number
-range
-.IP
-ICMP packets by type/code
-.IP
-"established" TCP packets
-.IP
-On any arbitrary combination of TCP flags
-.IP
-"short" (fragmented) IP packets with incomplete headers can be filtered
-.IP
-any of the 19 IP options or 8 registered IP security classes TOS (Type of
-Service) field in packets
-.PP
-To keep track of the performance of the IP packet filter, a logging device
-is used which supports logging of:
-.IP
-the TCP/UDP/ICMP and IP packet headers
-.IP
-the first 128 bytes of the packet (including headers)
-.PP
-A packet can be logged when:
-.IP
-it is successfully passed through
-.IP
-it is blocked from passing through
-.IP
-it matches a rule setup to look for suspicious packets
-.PP
-IP Filter keeps its own set of statistics on:
-.IP
-packets blocked
-.IP
-packets (and bytes!) used for accounting
-.IP
-packets passed
-.lP
-packets logged
-.IP
-attempts to log which failed (buffer full)
-.IP
-and much more, for packets going both in and out.
-
-.SH Tools
-The current implementation provides a small set of tools, which can easily
-be used and integrated with regular unix shells and tools. A brief description
-of the tools provided:
-.PP
-ipf(8)
-reads in a set of rules, from either stdin or a file, and adds them to
-the kernels current list (appending them). It can also be used to flush the
-current filter set or delete individual filter rules. The file format is
-described in ipf(5).
-.PP
-ipfs(8)
-is a utility to temporarily lock the IP Filter kernel tables (state tables
-and NAT mappings) and write them to disk. After that the system can be
-rebooted, and ipfs can be used to read these tables from disk and restore
-them into the kernel. This way the system can be rebooted without the
-connections being terminated.
-.PP
-ipfstat(8)
-interrogates the kernel for statistics on packet filtering, so
-far, and retrieves the list of filters in operation for inbound and outbound
-packets.
-.PP
-ipftest(1)
-reads in a filter rule file and then applies sample IP packets to
-the rule file. This allows for testing of filter list and examination of how
-a packet is passed along through it.
-.PP
-ipmon(8)
-reads buffered data from the logging device (default is /dev/ipl)
-for output to either:
-.IP
-screen (standard output)
-.IP
-file
-.IP
-syslog
-.PP
-ipsend(1)
-generates arbitary IP packets for ethernet connected machines.
-.PP
-ipresend(1)
-reads in a data file of saved IP packets (ie
-snoop/tcpdump/etherfind output) and sends it back across the network.
-.PP
-iptest(1)
-contains a set of test "programs" which send out a series of IP
-packets, aimed at testing the strength of the TCP/IP stack at which it is
-aimed at. WARNING: this may crash machine(s) targeted!
-.PP
-ipnat(8)
-reads in a set of rules, from either stdin or a file and adds them
-to the kernels current list of active NAT rules. NAT rules can also be
-deleted using ipnat. The format of the configuration file to be used
-with ipnat is described in ipnat(5).
-.PP
-For use in your own programs (e.g. for writing of transparent application
-proxies), the programming interface and the associated ioctl's are
-documented in ipf(4).
-
-Documentation on ioctl's and the format of data saved
-to the logging character device is provided in ipl(4)
-so that you may develop your own applications to work with or in place of any
-of the above.
-
-Similar, the interface to the NAT code is documented in ipnat(4).
-
-.SH PACKET PROCESSING FLOW
-The following diagram illustrates the flow of TCP/IP packets through the
-various stages introduced by IP Filter.
-.PP -.nf - IN - | - V - +-------------------------+--------------------------+ - | | | - | V | - | Network Address Translation | - | | | - | authenticated | | - | +-------<---------+ | - | | | | - | | V | - | V IP Accounting | - | | | | - | | V | - | | Fragment Cache Check--+ | - | | | | | - | V V V | - | | Packet State Check-->+ | - | | | | | - | | +->--+ | | | - | | | | V | | - | V groups IP Filtering V | - | | | | | | | - | | +--<-+ | | | - | | | | | - | +---------------->|<-----------+ | - | | | - | V | - | +---<----+ | - | | | | - | function | | - | | V | - | +--->----+ | - | | | - | V | - +--|---<--- fast-route ---<--+ | - | | | | - | | V | - | +-------------------------+--------------------------+ - | | - | pass only - | | - | V - V [KERNEL TCP/IP Processing] - | | - | +-------------------------+--------------------------+ - | | | | - | | V | - | | Fragment Cache Check--+ | - | | | | | - | | V V | - | | Packet State Check-->+ | - | | | | | - | | V | | - V | IP Filtering | | - | | | V | - | | |<-----------+ | - | | V | - | | IP Accounting | - | | | | - | | V | - | | Network Address Translation | - | | | | - | | V | - | +-------------------------+--------------------------+ - | | - | pass only - V | - +--------------------------->| - V - OUT -.fi - -.SH MORE INFORMATION -More information (including pointers to the FAQ and the mailing list) can be -obtained from the sofware's official homepage: www.ipfilter.org - -.SH SEE ALSO -ipf(4), ipf(5), ipf(8), ipfilter(5), ipfs(8), ipfstat(8), ipftest(1), -ipl(4), ipmon(8), ipnat(8), ipnat(4), - diff --git a/contrib/ipfilter/man/ipfilter.4.mandoc b/contrib/ipfilter/man/ipfilter.4.mandoc deleted file mode 100644 index 72534a7..0000000 --- a/contrib/ipfilter/man/ipfilter.4.mandoc +++ /dev/null 
@@ -1,267 +0,0 @@
-.Dd December 8, 2000
-.Dt IP\ FILTER 4
-.Os
-.Sh NAME
-.Nm IP Filter
-.Nd Introduction to IP packet filtering
-.Sh DESCRIPTION
-IP Filter is a TCP/IP packet filter, suitable for use in a firewall
-environment. To use, it can either be used as a loadable kernel module or
-incorporated into your UNIX kernel; use as a loadable kernel module where
-possible is highly recommended. Scripts are provided to install and patch
-system files, as required.
-.Sh FEATURES
-The IP packet filter can:
-.Bl -bullet -offset indent -compact
-.It
-explicitly deny/permit any packet from passing through
-.It
-distinguish between various interfaces
-.It
-filter by IP networks or hosts
-.It
-selectively filter any IP protocol
-.It
-selectively filter fragmented IP packets
-.It
-selectively filter packets with IP options
-.It
-send back an ICMP error/TCP reset for blocked packets
-.It
-keep packet state information for TCP, UDP and ICMP packet flows
-.It
-keep fragment state information for any IP packet, applying the same rule
-to all fragments.
-.It
-act as a Network Address Translator (NAT)
-.It
-use redirection to setup true transparent proxy connections
-.It
-provide packet header details to a user program for authentication
-.It
-in addition, supports temporary storage of pre-authenticated rules for passing packets through
-.El
-.Pp
-Special provision is made for the three most common Internet protocols, TCP,
-UDP and ICMP.
The IP Packet filter allows filtering of:
-.Bl -bullet -offset indent -compact
-.It
-Inverted host/net matchingTCP/UDP packets by port number or a port number
-range
-.It
-ICMP packets by type/code
-.It
-"established" TCP packets
-.It
-On any arbitrary combination of TCP flags
-.It
-"short" (fragmented) IP packets with incomplete headers can be filtered
-.It
-any of the 19 IP options or 8 registered IP security classes TOS (Type of
-Service) field in packets
-.El
-.Pp
-To keep track of the performance of the IP packet filter, a logging device
-is used which supports logging of:
-.Bl -bullet -offset indent -compact
-.It
-the TCP/UDP/ICMP and IP packet headers
-.It
-the first 128 bytes of the packet (including headers)
-.El
-.Pp
-A packet can be logged when:
-.Bl -bullet -offset indent -compact
-.It
-it is successfully passed through
-.It
-it is blocked from passing through
-.It
-it matches a rule setup to look for suspicious packets
-.El
-.Pp
-IP Filter keeps its own set of statistics on:
-.Bl -bullet -offset indent -compact
-.It
-packets blocked
-.It
-packets (and bytes!) used for accounting
-.It
-packets passed
-.li
-packets logged
-.It
-attempts to log which failed (buffer full)
-.El
-and much more, for packets going both in and out.
-
-.Sh Tools
-The current implementation provides a small set of tools, which can easily
-be used and integrated with regular unix shells and tools. A brief description
-of the tools provided:
-.Pp
-.Xr ipf 8
-reads in a set of rules, from either stdin or a file, and adds them to
-the kernels current list (appending them). It can also be used to flush the
-current filter set or delete individual filter rules. The file format is
-described in
-.Xr ipf 5 .
-.Pp
-.Xr ipfs 8
-is a utility to temporarily lock the IP Filter kernel tables (state tables
-and NAT mappings) and write them to disk. After that the system can be
-rebooted, and ipfs can be used to read these tables from disk and restore
-them into the kernel.
This way the system can be rebooted without the
-connections being terminated.
-.Pp
-.Xr ipfstat 8
-interrogates the kernel for statistics on packet filtering, so
-far, and retrieves the list of filters in operation for inbound and outbound
-packets.
-.Pp
-.Xr ipftest 1
-reads in a filter rule file and then applies sample IP packets to
-the rule file. This allows for testing of filter list and examination of how
-a packet is passed along through it.
-.Pp
-.Xr ipmon 8
-reads buffered data from the logging device (default is /dev/ipl)
-for output to either:
-.Bl -bullet -offset indent -compact
-.It
-screen (standard output)
-.It
-file
-.It
-syslog
-.El
-.Pp
-.Xr ipsend 1
-generates arbitary IP packets for ethernet connected machines.
-.Pp
-.Xr ipresend 1
-reads in a data file of saved IP packets (ie
-snoop/tcpdump/etherfind output) and sends it back across the network.
-.Pp
-.Xr iptest 1
-contains a set of test "programs" which send out a series of IP
-packets, aimed at testing the strength of the TCP/IP stack at which it is
-aimed at. WARNING: this may crash machine(s) targeted!
-.Pp
-.Xr ipnat 8
-reads in a set of rules, from either stdin or a file and adds them
-to the kernels current list of active NAT rules. NAT rules can also be
-deleted using ipnat. The format of the configuration file to be used
-with ipnat is described in
-.Xr ipnat 5 .
-.Pp
-For use in your own programs (e.g. for writing of transparent application
-proxies), the programming interface and the associated ioctl's are
-documented in
-.Xr ipf 4 .
-
-Documentation on ioctl's and the format of data saved
-to the logging character device is provided in
-.Xr ipl 4
-so that you may develop your own applications to work with or in place of any
-of the above.
-
-Similar, the interface to the NAT code is documented in
-.Xr ipnat 4 .
-
-.Sh PACKET PROCESSING FLOW
-The following diagram illustrates the flow of TCP/IP packets through the
-various stages introduced by IP Filter.
-.Pp -.nf - IN - | - V - +-------------------------+--------------------------+ - | | | - | V | - | Network Address Translation | - | | | - | authenticated | | - | +-------<---------+ | - | | | | - | | V | - | V IP Accounting | - | | | | - | | V | - | | Fragment Cache Check--+ | - | | | | | - | V V V | - | | Packet State Check-->+ | - | | | | | - | | +->--+ | | | - | | | | V | | - | V groups IP Filtering V | - | | | | | | | - | | +--<-+ | | | - | | | | | - | +---------------->|<-----------+ | - | | | - | V | - | +---<----+ | - | | | | - | function | | - | | V | - | +--->----+ | - | | | - | V | - +--|---<--- fast-route ---<--+ | - | | | | - | | V | - | +-------------------------+--------------------------+ - | | - | pass only - | | - | V - V [KERNEL TCP/IP Processing] - | | - | +-------------------------+--------------------------+ - | | | | - | | V | - | | Fragment Cache Check--+ | - | | | | | - | | V V | - | | Packet State Check-->+ | - | | | | | - | | V | | - V | IP Filtering | | - | | | V | - | | |<-----------+ | - | | V | - | | IP Accounting | - | | | | - | | V | - | | Network Address Translation | - | | | | - | | V | - | +-------------------------+--------------------------+ - | | - | pass only - V | - +--------------------------->| - V - OUT -.fi - -.Sh MORE INFORMATION -More information (including pointers to the FAQ and the mailing list) can be -obtained from the sofware's official homepage: www.ipfilter.org - -.Sh SEE ALSO -.Xr ipf 4 , -.Xr ipf 5 , -.Xr ipf 8 , -.Xr ipfilter 5 , -.Xr ipfs 8 , -.Xr ipfstat 8 , -.Xr ipftest 1 , -.Xr ipl 4 , -.Xr ipmon 8 , -.Xr ipnat 4 , -.Xr ipnat 8 , - diff --git a/contrib/ipfilter/man/ipfilter.5 b/contrib/ipfilter/man/ipfilter.5 deleted file mode 100644 index 0bba0f4..0000000 --- a/contrib/ipfilter/man/ipfilter.5 +++ /dev/null 
@@ -1,10 +0,0 @@
-.TH IPFILTER 1
-.SH NAME
-IP Filter
-.SH DESCRIPTION
-.PP
-IP Filter is a package providing packet filtering capabilities for a variety
-of operating systems. On a properly setup system, it can be used to build a
-firewall.
-.SH SEE ALSO
-ipf(8), ipf(1), ipf(5), ipnat(8), ipnat(5), mkfilters(1)
diff --git a/contrib/ipfilter/man/ipfs.8
deleted file mode 100644
index d5bf460..0000000
--- a/contrib/ipfilter/man/ipfs.8
+++ /dev/null
@@ -1,125 +0,0 @@ -.TH IPFS 8 -.SH NAME -ipfs \- saves and restores information for NAT and state tables. -.SH SYNOPSIS -.B ipfs -[-nv] -l -.PP -.B ipfs -[-nv] -u -.PP -.B ipfs -[-nv] [ -.B \-d -<\fIdirname\fP> -] -R -.PP -.B ipfs -[-nv] [ -.B \-d -<\fIdirname\fP> -] -W -.PP -.B ipfs -[-nNSv] [ -.B \-f -<\fIfilename\fP> -] -r -.PP -.B ipfs -[-nNSv] [ -.B \-f -<\fIfilename\fP> -] -w -.PP -.B ipfs -[-nNSv] -.B \-f -<\fIfilename\fP> -.B \-i -<if1>,<if2> -.SH DESCRIPTION -.PP -\fBipfs\fP allows state information created for NAT entries and rules using -\fIkeep state\fP to be locked (modification prevented) and then saved to disk, -allowing for the system to experience a reboot, followed by the restoration -of that information, resulting in connections not being interrupted. -.SH OPTIONS -.TP -.B \-d -Change the default directory used with -.B \-R -and -.B \-W -options for saving state information. -.TP -.B \-n -Don't actually take any action that would affect information stored in -the kernel or on disk. -.TP -.B \-v -Provides a verbose description of what's being done. -.TP -.B \-i <ifname1>,<ifname2> -Change all instances of interface name ifname1 in the state save file to -ifname2. Useful if you're restoring state information after a hardware -reconfiguration or change. -.TP -.B \-N -Operate on NAT information. -.TP -.B \-S -Operate on filtering state information. -.TP -.B \-u -Unlock state tables in the kernel. -.TP -.B \-l -Lock state tables in the kernel. -.TP -.B \-r -Read information in from the specified file and load it into the -kernel. This requires the state tables to have already been locked -and does not change the lock once complete. -.TP -.B \-w -Write information out to the specified file and from the kernel. -This requires the state tables to have already been locked -and does not change the lock once complete. 
-.TP -.B \-R -Restores all saved state information, if any, from two files, -\fIipstate.ipf\fP and \fIipnat.ipf\fP, stored in the \fI/var/db/ipf\fP -directory unless otherwise specified by the -.B \-d -option. The state tables are locked at the beginning of this -operation and unlocked once complete. -.TP -.B \-W -Saves in-kernel state information, if any, out to two files, -\fIipstate.ipf\fP and \fIipnat.ipf\fP, stored in the \fI/var/db/ipf\fP -directory unless otherwise specified by the -.B \-d -option. The state tables are locked at the beginning of this -operation and unlocked once complete. -.DT -.SH FILES -/var/db/ipf/ipstate.ipf -.br -/var/db/ipf/ipnat.ipf -.br -/dev/ipl -.br -/dev/ipstate -.br -/dev/ipnat -.SH SEE ALSO -ipf(8), ipl(4), ipmon(8), ipnat(8) -.SH DIAGNOSTICS -.PP -Perhaps the -W and -R operations should set the locking but rather than -undo it, restore it to what it was previously. Fragment table information -is currently not saved. -.SH BUGS -.PP -If you find any, please send email to me at darrenr@pobox.com diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8 deleted file mode 100644 index 95cf6f3..0000000 --- a/contrib/ipfilter/man/ipfstat.8 +++ /dev/null 
@@ -1,193 +0,0 @@ -.TH ipfstat 8 -.SH NAME -ipfstat \- reports on packet filter statistics and filter list -.SH SYNOPSIS -.B ipfstat -[ -.B \-6aAdfghIilnoRsv -] -.br -.B ipfstat -t -[ -.B \-6C -] [ -.B \-D -<addrport> -] [ -.B \-P -<protocol> -] [ -.B \-S -<addrport> -] [ -.B \-T -<refresh time> -] -.SH DESCRIPTION -\fBipfstat\fP examines /dev/kmem using the symbols \fB_fr_flags\fP, -\fB_frstats\fP, \fB_filterin\fP, and \fB_filterout\fP. -To run and work, it needs to be able to read both /dev/kmem and the -kernel itself. The kernel name defaults to \fB/vmunix\fP. -.PP -The default behaviour of \fBipfstat\fP -is to retrieve and display the accumulated statistics which have been -accumulated over time as the kernel has put packets through the filter. -.SH OPTIONS -.TP -.B \-6 -Display filter lists and states for IPv6, if available. -.TP -.B \-a -Display the accounting filter list and show bytes counted against each rule. -.TP -.B \-A -Display packet authentication statistics. -.TP -.B \-C -This option is only valid in combination with \fB\-t\fP. -Display "closed" states as well in the top. Normally, a TCP connection is -not displayed when it reaches the CLOSE_WAIT protocol state. With this -option enabled, all state entries are displayed. -.TP -.BR \-d -Produce debugging output when displaying data. -.TP -.BR \-D \0<addrport> -This option is only valid in combination with \fB\-t\fP. Limit the state top -display to show only state entries whose destination IP address and port -match the addrport argument. The addrport specification is of the form -ipaddress[,port]. The ipaddress and port should be either numerical or the -string "any" (specifying any IP address resp. any port). If the \fB\-D\fP -option is not specified, it defaults to "\fB\-D\fP any,any". -.TP -.B \-f -Show fragment state information (statistics) and held state information (in -the kernel) if any is present. -.TP -.B \-g -Show groups currently configured (both active and inactive). 
-.TP -.B \-h -Show per-rule the number of times each one scores a "hit". For use in -combination with \fB\-i\fP. -.TP -.B \-i -Display the filter list used for the input side of the kernel IP processing. -.TP -.B \-I -Swap between retrieving "inactive"/"active" filter list details. For use -in combination with \fB\-i\fP. -.TP -.B \-n -Show the "rule number" for each rule as it is printed. -.TP -.B \-o -Display the filter list used for the output side of the kernel IP processing. -.TP -.BR \-P \0<protocol> -This option is only valid in combination with \fB\-t\fP. Limit the state top -display to show only state entries that match a specific protocol. The -argument can be a protocol name (as defined in \fB/etc/protocols\fP) or a -protocol number. If this option is not specified, state entries for any -protocol are specified. -.TP -.BR \-R -Don't try to resolve addresses to hostnames and ports to services while -printing statistics. -.TP -.B \-s -Show packet/flow state information (statistics only). -.TP -.B \-sl -Show held state information (in the kernel) if any is present (no statistics). -.TP -.BR \-S \0<addrport> -This option is only valid in combination with \fB\-t\fP. Limit the state top -display to show only state entries whose source IP address and port match -the addrport argument. The addrport specification is of the form -ipaddress[,port]. The ipaddress and port should be either numerical or the -string "any" (specifying any IP address resp. any port). If the \fB\-S\fP -option is not specified, it defaults to "\fB\-S\fP any,any". -.TP -.B \-t -Show the state table in a way similar to the way \fBtop(1)\fP shows the process -table. States can be sorted using a number of different ways. This option -requires \fBcurses(3)\fP and needs to be compiled in. It may not be available on -all operating systems. See below, for more information on the keys that can -be used while ipfstat is in top mode. 
-.TP -.BR \-T \0<refreshtime> -This option is only valid in combination with \fB\-t\fP. Specifies how often -the state top display should be updated. The refresh time is the number of -seconds between an update. Any positive integer can be used. The default (and -minimal update time) is 1. -.TP -.B \-v -Turn verbose mode on. Displays more debugging information. When used with -either \fB-i\fP or \fB-o\fP, counters associated with the rule, such as the -number of times it has been matched and the number of bytes from such packets -is displayed. For "keep state" rules, a count of the number of state sessions -active against the rule is also displayed. -.SH SYNOPSIS -The role of \fBipfstat\fP is to display current kernel statistics gathered -as a result of applying the filters in place (if any) to packets going in and -out of the kernel. This is the default operation when no command line -parameters are present. -.PP -When supplied with either \fB\-i\fP or \fB\-o\fP, it will retrieve and display -the appropriate list of filter rules currently installed and in use by the -kernel. -.PP -One of the statistics that \fBipfstat\fP shows is \fBticks\fP. -This number indicates how long the filter has been enabled. -The number is incremented every half\-second. -.SH STATE TOP -Using the \fB\-t\fP option \fBipfstat\fP will enter the state top mode. In -this mode the state table is displayed similar to the way \fBtop\fP displays -the process table. The \fB\-C\fP, \fB\-D\fP, \fB\-P\fP, \fB\-S\fP and \fB\-T\fP -command line options can be used to restrict the state entries that will be -shown and to specify the frequency of display updates. -.PP -In state top mode, the following keys can be used to influence the displayed -information: -.TP -\fBb\fP show packets/bytes from backward direction. -.TP -\fBf\fP show packets/bytes from forward direction. (default) -.TP -\fBl\fP redraw the screen. -.TP -\fBq\fP quit the program. -.TP -\fBs\fP switch between different sorting criterion. 
-.TP -\fBr\fP reverse the sorting criterion. -.PP -States can be sorted by protocol number, by number of IP packets, by number -of bytes and by time-to-live of the state entry. The default is to sort by -the number of bytes. States are sorted in descending order, but you can use -the \fBr\fP key to sort them in ascending order. -.SH STATE TOP LIMITATIONS -It is currently not possible to interactively change the source, destination -and protocol filters or the refresh frequency. This must be done from the -command line. -.PP -The screen must have at least 80 columns. This is however not checked. -When running state top in IPv6 mode, the screen must be much wider to display -the very long IPv6 addresses. -.PP -Only the first X-5 entries that match the sort and filter criteria are -displayed (where X is the number of rows on the display. The only way to see -more entries is to resize the screen. -.SH FILES -/dev/kmem -.br -/dev/ipl -.br -/dev/ipstate -.br -/vmunix -.SH SEE ALSO -ipf(8) -.SH BUGS -none known. diff --git a/contrib/ipfilter/man/ipftest.1 b/contrib/ipfilter/man/ipftest.1 deleted file mode 100644 index 5153687..0000000 --- a/contrib/ipfilter/man/ipftest.1 +++ /dev/null 
@@ -1,205 +0,0 @@ -.TH ipftest 1 -.SH NAME -ipftest \- test packet filter rules with arbitrary input. -.SH SYNOPSIS -.B ipftest -[ -.B \-6bCdDoRvx -] [ -.B \-F -input-format -] [ -.B \-i -<filename> -] [ -.B \-I -interface -] [ -.B \-l -<filename> -] [ -.B \-N -<filename> -] [ -.B \-P -<filename> -] [ -.B \-r -<filename> -] [ -.B \-S -<ip_address> -] [ -.B \-T -<optionlist> -] -.SH DESCRIPTION -.PP -\fBipftest\fP is provided for the purpose of being able to test a set of -filter rules without having to put them in place, in operation and proceed -to test their effectiveness. The hope is that this minimises disruptions -in providing a secure IP environment. -.PP -\fBipftest\fP will parse any standard ruleset for use with \fBipf\fP, -\fBipnat\fP and/or \fBippool\fP -and apply input, returning output as to the result. However, \fBipftest\fP -will return one of three values for packets passed through the filter: -pass, block or nomatch. This is intended to give the operator a better -idea of what is happening with packets passing through their filter -ruleset. -.PP -At least one of \fB\-N\fP, \fB-P\fP or \fB\-r\fP must be specified. -.SH OPTIONS -.TP -.B \-6 -Use IPv6. -.TP -.B \-b -Cause the output to be a brief summary (one-word) of the result of passing -the packet through the filter; either "pass", "block" or "nomatch". -This is used in the regression testing. -.TP -.B \-C -Force the checksums to be (re)calculated for all packets being input into -\fBipftest\fP. This may be necessary if pcap files from tcpdump are being -fed in where there are partial checksums present due to hardware offloading. -.TP -.B \-d -Turn on filter rule debugging. Currently, this only shows you what caused -the rule to not match in the IP header checking (addresses/netmasks, etc). -.TP -.B \-D -Dump internal tables before exiting. -This excludes log messages. -.TP -.B \-F -This option is used to select which input format the input file is in. 
-The following formats are available: etherfind, hex, pcap, snoop, tcpdump,text. -.RS -.TP -.B etherfind -The input file is to be text output from etherfind. The text formats which -are currently supported are those which result from the following etherfind -option combinations: -.PP -.nf - etherfind -n - etherfind -n -t -.fi -.TP -.B hex -The input file is to be hex digits, representing the binary makeup of the -packet. No length correction is made, if an incorrect length is put in -the IP header. A packet may be broken up over several lines of hex digits, -a blank line indicating the end of the packet. It is possible to specify -both the interface name and direction of the packet (for filtering purposes) -at the start of the line using this format: [direction,interface] To define -a packet going in on le0, we would use \fB[in,le0]\fP - the []'s are required -and part of the input syntax. -.HP -.B pcap -The input file specified by \fB\-i\fP is a binary file produced using libpcap -(i.e., tcpdump version 3). Packets are read from this file as being input -(for rule purposes). An interface maybe specified using \fB\-I\fP. -.TP -.B snoop -The input file is to be in "snoop" format (see RFC 1761). Packets are read -from this file and used as input from any interface. This is perhaps the -most useful input type, currently. -.TP -.B tcpdump -The input file is to be text output from tcpdump. The text formats which -are currently supported are those which result from the following tcpdump -option combinations: -.PP -.nf - tcpdump -n - tcpdump -nq - tcpdump -nqt - tcpdump -nqtt - tcpdump -nqte -.fi -.TP -.B text -The input file is in \fBipftest\fP text input format. -This is the default if no \fB\-F\fP argument is specified. 
-The format used is as follows: -.nf - "in"|"out" "on" if ["tcp"|"udp"|"icmp"] - srchost[,srcport] dsthost[,destport] [FSRPAU] -.fi -.PP -This allows for a packet going "in" or "out" of an interface (if) to be -generated, being one of the three main protocols (optionally), and if -either TCP or UDP, a port parameter is also expected. If TCP is selected, -it is possible to (optionally) supply TCP flags at the end. Some examples -are: -.nf - # a UDP packet coming in on le0 - in on le0 udp 10.1.1.1,2210 10.2.1.5,23 - # an IP packet coming in on le0 from localhost - hmm :) - in on le0 localhost 10.4.12.1 - # a TCP packet going out of le0 with the SYN flag set. - out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S -.fi -.LP -.RE -.DT -.TP -.BR \-i \0<filename> -Specify the filename from which to take input. Default is stdin. -.TP -.BR \-I \0<interface> -Set the interface name (used in rule matching) to be the name supplied. -This is useful where it is -not otherwise possible to associate a packet with an interface. Normal -"text packets" can override this setting. -.TP -.BR \-l \0<filename> -Dump log messages generated during testing to the specified file. -.TP -.BR \-N \0<filename> -Specify the filename from which to read NAT rules in \fBipnat\fP(5) format. -.TP -.B \-o -Save output packets that would have been written to each interface in -a file /tmp/\fIinterface_name\fP in raw format. -.TP -.BR \-P \0<filename> -Read IP pool configuration information in \fBippool\fP(5) format from the -specified file. -.TP -.BR \-r \0<filename> -Specify the filename from which to read filter rules in \fBipf\fP(5) format. -.TP -.B \-R -Don't attempt to convert IP addresses to hostnames. -.TP -.BR \-S \0<ip_address> -The IP address specifived with this option is used by ipftest to determine -whether a packet should be treated as "input" or "output". If the source -address in an IP packet matches then it is considered to be inbound. If it -does not match then it is considered to be outbound. 
This is primarily -for use with tcpdump (pcap) files where there is no in/out information -saved with each packet. -.TP -.BR \-T \0<optionlist> -This option simulates the run-time changing of IPFilter kernel variables -available with the \fB\-T\fP option of \fBipf\fP. -The optionlist parameter is a comma separated list of tuning -commands. A tuning command is either "list" (retrieve a list of all variables -in the kernel, their maximum, minimum and current value), a single variable -name (retrieve its current value) and a variable name with a following -assignment to set a new value. See \fBipf\fP(8) for examples. -.TP -.B \-v -Verbose mode. This provides more information about which parts of rule -matching the input packet passes and fails. -.TP -.B \-x -Print a hex dump of each packet before printing the decoded contents. -.SH SEE ALSO -ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c) -.SH BUGS -Not all of the input formats are sufficiently capable of introducing a -wide enough variety of packets for them to be all useful in testing. diff --git a/contrib/ipfilter/man/ipl.4 b/contrib/ipfilter/man/ipl.4 deleted file mode 100644 index d8106cc..0000000 --- a/contrib/ipfilter/man/ipl.4 +++ /dev/null 
@@ -1,79 +0,0 @@ -.TH IPL 4 -.SH NAME -ipl \- IP packet log device -.SH DESCRIPTION -The \fBipl\fP pseudo device's purpose is to provide an easy way to gather -packet headers of packets you wish to log. If a packet header is to be -logged, the entire header is logged (including any IP options \- TCP/UDP -options are not included when it calculates header size) or not at all. -The packet contents are also logged after the header. If the log reader -is busy or otherwise unable to read log records, up to IPLLOGSIZE (8192 is the -default) bytes of data are stored. -.PP -Prepending every packet header logged is a structure containing information -relevant to the packet following and why it was logged. The structure's -format is as follows: -.LP -.nf -/* - * Log structure. Each packet header logged is prepended by one of these. - * Following this in the log records read from the device will be an ipflog - * structure which is then followed by any packet data. - */ -typedef struct iplog { - u_long ipl_sec; - u_long ipl_usec; - u_int ipl_len; - u_int ipl_count; - size_t ipl_dsize; - struct iplog *ipl_next; -} iplog_t; - - -typedef struct ipflog { -#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) - u_char fl_ifname[IFNAMSIZ]; -#else - u_int fl_unit; - u_char fl_ifname[4]; -#endif - u_char fl_plen; /* extra data after hlen */ - u_char fl_hlen; /* length of IP headers saved */ - u_short fl_rule; /* assume never more than 64k rules, total */ - u_32_t fl_flags; -} ipflog_t; - -.fi -.PP -When reading from the \fBipl\fP device, it is necessary to call read(2) with -a buffer big enough to hold at least 1 complete log record - reading of partial -log records is not supported. -.PP -If the packet contents are more than 128 bytes when \fBlog body\fP is used, -then only 128 bytes of the packet contents are logged. 
-.PP -Although it is only possible to read from the \fBipl\fP device, opening it -for writing is required when using an ioctl which changes any kernel data. -.PP -The ioctls which are loaded with this device can be found under \fBipf(4)\fP. -The ioctls which are for use with logging and don't affect the filter are: -.LP -.nf - ioctl(fd, SIOCIPFFB, int *) - ioctl(fd, FIONREAD, int *) -.fi -.PP -The SIOCIPFFB ioctl flushes the log buffer and returns the number of bytes -flushed. FIONREAD returns the number of bytes currently used for storing -log data. If IPFILTER_LOG is not defined when compiling, SIOCIPFFB is not -available and FIONREAD will return but not do anything. -.PP -There is currently no support for non-blocking IO with this device, meaning -all read operations should be considered blocking in nature (if there is no -data to read, it will sleep until some is made available). -.SH SEE ALSO -ipf(4) -.SH BUGS -Packet headers are dropped when the internal buffer (static size) fills. -.SH FILES -/dev/ipl0 diff --git a/contrib/ipfilter/man/ipmon.5 b/contrib/ipfilter/man/ipmon.5 deleted file mode 100644 index 2e3eebd..0000000 --- a/contrib/ipfilter/man/ipmon.5 +++ /dev/null 
@@ -1,67 +0,0 @@ -.TH IPMON 5 -.SH NAME -ipmon, ipmon.conf \- ipmon configuration file format -.SH DESCRIPTION -The format for files accepted by ipmon is described by the following grammar: -.LP -.nf -"match" "{" matchlist "}" "do" "{" doing "}" ";" - -matchlist ::= matching [ "," matching ] . -matching ::= direction | dstip | dstport | every | group | interface | - logtag | nattag | protocol | result | rule | srcip | srcport . - -dolist ::= doing [ "," doing ] . -doing ::= execute | save | syslog . - -direction ::= "in" | "out" . -dstip ::= "dstip" "=" ipv4 "/" number . -dstport ::= "dstport" "=" number . -every ::= "every" every-options . -execute ::= "execute" "=" string . -group ::= "group" "=" string | "group" "=" number . -interface ::= "interface" "=" string . -logtag ::= "logtag" "=" string | "logtag" "=" number . -nattag ::= "nattag" "=" string . -protocol ::= "protocol" "=" string | "protocol" "=" number . -result ::= "result" "=" result-option . -rule ::= "rule" "=" number . -srcip ::= "srcip" "=" ipv4 "/" number . -srcport ::= "srcport" "=" number . -type ::= "type" "=" ipftype . -ipv4 ::= number "." number "." number "." number . - -every-options ::= "second" | number "seconds" | "packet" | number "packets" . -result-option ::= "pass" | "block" | "short" | "nomatch" | "log" . -ipftype ::= "ipf" | "nat" | "state" . - -.fi -.PP -In addition, lines that start with a # are considered to be comments. -.TP -.SH OVERVIEW -.PP -The ipmon configuration file is used for defining rules to be executed when -logging records are read from -.B /dev/ipl. -.PP -At present, only IPv4 matching is available for source/destination address -matching. -.SH MATCHING -.PP -Each rule for ipmon consists of two primary segments: the first describes how -the log record is to be matched, the second defines what action to take if -there is a positive match. All entries of the rules present in the file are -compared for matches - there is no first or last rule match. 
-.SH FILES -/dev/ipl -.br -/dev/ipf -.br -/dev/ipnat -.br -/dev/ipstate -.br -/etc/ipmon.conf -.SH SEE ALSO -ipmon(8), ipl(4) diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8 deleted file mode 100644 index 905a9c8..0000000 --- a/contrib/ipfilter/man/ipmon.8 +++ /dev/null 
@@ -1,185 +0,0 @@ -.TH ipmon 8 -.SH NAME -ipmon \- monitors /dev/ipl for logged packets -.SH SYNOPSIS -.B ipmon -[ -.B \-abBDFhnpstvxX -] [ -.B "\-N <device>" -] [ -.B "\-L <facility>" -] [ -.B "\-o [NSI]" -] [ -.B "\-O [NSI]" -] [ -.B "\-P <pidfile>" -] [ -.B "\-S <device>" -] [ -.B "\-f <device>" -] [ -.B <filename> -] -.SH DESCRIPTION -.LP -\fBipmon\fP opens \fB/dev/ipl\fP for reading and awaits data to be saved from -the packet filter. The binary data read from the device is reprinted in -human readable for, however, IP#'s are not mapped back to hostnames, nor are -ports mapped back to service names. The output goes to standard output by -default or a filename, if given on the command line. Should the \fB\-s\fP -option be used, output is instead sent to \fBsyslogd(8)\fP. Messages sent -via syslog have the day, month and year removed from the message, but the -time (including microseconds), as recorded in the log, is still included. -.LP -Messages generated by ipmon consist of whitespace separated fields. -Fields common to all messages are: -.LP -1. The date of packet receipt. This is suppressed when the message is -sent to syslog. -.LP -2. The time of packet receipt. This is in the form HH:MM:SS.F, for hours, -minutes seconds, and fractions of a second (which can be several digits -long). -.LP -3. The name of the interface the packet was processed on, e.g., \fBwe1\fP. -.LP -4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be -viewed with \fBipfstat -n\fP. -.LP -5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fB\fP for a short -packet, \fBn\fP did not match any rules or \fBL\fP for a log rule. -.LP -6. The addresses. -This is actually three fields: the source address and port -(separated by a comma), the \fB->\fP symbol, and the destination address -and port. E.g.: \fB209.53.17.22,80 -> 198.73.220.17,1722\fP. -.LP -7. \fBPR\fP followed by the protocol name or number, e.g., \fBPR tcp\fP. -.LP -8. 
\fBlen\fP followed by the header length and total length of the packet, -e.g., \fBlen 20 40\fP. -.LP -If the packet is a TCP packet, there will be an additional field starting -with a hyphen followed by letters corresponding to any flags that were set. -See the ipf.conf manual page for a list of letters and their flags. -.LP -If the packet is an ICMP packet, there will be two fields at the end, -the first always being `icmp', and the next being the ICMP message and -submessage type, separated by a slash, e.g., \fBicmp 3/3\fP for a port -unreachable message. -.LP -In order for \fBipmon\fP to properly work, the kernel option -\fBIPFILTER_LOG\fP must be turned on in your kernel. Please see -\fBoptions(4)\fP for more details. -.LP -\fBipmon\fP reopens its log file(s) and rereads its configuration file -when it receives a SIGHUP signal. -.SH OPTIONS -.TP -.B \-a -Open all of the device logfiles for reading log entries from. All entries -are displayed to the same output 'device' (stderr or syslog). -.TP -.B \-b -For rules which log the body of a packet, generate hex output representing -the packet contents after the headers. -.TP -.B \-B <binarylogfilename> -Enable logging of the raw, unformatted binary data to the specified -\fI<binarylogfilename>\fP file. This can be read, later, using \fBipmon\fP -with the \fB-f\fP option. -.TP -.B \-D -Cause ipmon to turn itself into a daemon. Using subshells or backgrounding -of ipmon is not required to turn it into an orphan so it can run indefinitely. -.TP -.B "\-f <device>" -specify an alternative device/file from which to read the log information -for normal IP Filter log records. -.TP -.B \-F -Flush the current packet log buffer. The number of bytes flushed is displayed, -even should the result be zero. -.TP -.B \-L <facility> -Using this option allows you to change the default syslog facility that -ipmon uses for syslog messages. The default is local0. 
-.TP -.B \-n -IP addresses and port numbers will be mapped, where possible, back into -hostnames and service names. -.TP -.B "\-N <device>" -Set the logfile to be opened for reading NAT log records from to <device>. -.TP -.B \-o -Specify which log files to actually read data from. N - NAT logfile, -S - State logfile, I - normal IP Filter logfile. The \fB-a\fP option is -equivalent to using \fB-o NSI\fP. -.TP -.B \-O -Specify which log files you do not wish to read from. This is most sensibly -used with the \fB-a\fP. Letters available as parameters to this are the same -as for \fB-o\fP. -.TP -.B \-p -Cause the port number in log messages to always be printed as a number and -never attempt to look it up as from \fI/etc/services\fP, etc. -.TP -.B \-P <pidfile> -Write the pid of the ipmon process to a file. By default this is -\fI//etc/opt/ipf/ipmon.pid\fP (Solaris), \fI/var/run/ipmon.pid\fP (44BSD -or later) or \fI/etc/ipmon.pid\fP for all others. -.TP -.B \-s -Packet information read in will be sent through syslogd rather than -saved to a file. The default facility when compiled and installed is -\fBlocal0\fP. The following levels are used: -.IP -.B LOG_INFO -\- packets logged using the "log" keyword as the action rather -than pass or block. -.IP -.B LOG_NOTICE -\- packets logged which are also passed -.IP -.B LOG_WARNING -\- packets logged which are also blocked -.IP -.B LOG_ERR -\- packets which have been logged and which can be considered -"short". -.TP -.B "\-S <device>" -Set the logfile to be opened for reading state log records from to <device>. -.TP -.B \-t -read the input file/device in a manner akin to tail(1). -.TP -.B \-v -show tcp window, ack and sequence fields. -.TP -.B \-x -show the packet data in hex. -.TP -.B \-X -show the log header record data in hex. -.SH DIAGNOSTICS -\fBipmon\fP expects data that it reads to be consistent with how it should be -saved and will abort if it fails an assertion which detects an anomaly in the -recorded data. 
-.SH FILES -/dev/ipl -.br -/dev/ipnat -.br -/dev/ipstate -.br -/etc/services -.SH SEE ALSO -ipl(4), ipf(8), ipfstat(8), ipnat(8) -.SH BUGS -.PP -If you find any, please send email to me at darrenr@pobox.com diff --git a/contrib/ipfilter/man/ipnat.1 b/contrib/ipfilter/man/ipnat.1 deleted file mode 100644 index f241415..0000000 --- a/contrib/ipfilter/man/ipnat.1 +++ /dev/null @@ -1,48 +0,0 @@ -.TH IPNAT 1 -.SH NAME -ipnat \- user interface to the NAT -.SH SYNOPSIS -.B ipnat -[ -.B \-lnrsvCF -] -.B \-f <\fIfilename\fP> -.SH DESCRIPTION -.PP -\fBipnat\fP opens the filename given (treating "\-" as stdin) and parses the -file for a set of rules which are to be added or removed from the IP NAT. -.PP -Each rule processed by \fBipnat\fP -is added to the kernels internal lists if there are no parsing problems. -Rules are added to the end of the internal lists, matching the order in -which they appear when given to \fBipnat\fP. -.SH OPTIONS -.TP -.B \-C -delete all entries in the current NAT rule listing (NAT rules) -.TP -.B \-F -delete all active entries in the current NAT translation table (currently -active NAT mappings) -.TP -.B \-l -Show the list of current NAT table entry mappings. -.TP -.B \-n -This flag (no-change) prevents \fBipf\fP from actually making any ioctl -calls or doing anything which would alter the currently running kernel. -.TP -.B \-s -Retrieve and display NAT statistics -.TP -.B \-r -Remove matching NAT rules rather than add them to the internal lists -.TP -.B \-v -Turn verbose mode on. Displays information relating to rule processing -and active rules/table entries. -.DT -.SH FILES -/dev/ipnat -.SH SEE ALSO -ipnat(5), ipf(8), ipfstat(8) diff --git a/contrib/ipfilter/man/ipnat.4 b/contrib/ipfilter/man/ipnat.4 deleted file mode 100644 index 54f55d3..0000000 --- a/contrib/ipfilter/man/ipnat.4 +++ /dev/null 
@@ -1,98 +0,0 @@ -.TH IPNAT 4 -.SH NAME -ipnat \- Network Address Translation kernel interface -.SH SYNOPSIS -#include <netinet/ip_compat.h> -.br -#include <netinet/ip_fil.h> -.br -#include <netinet/ip_proxy.h> -.br -#include <netinet/ip_nat.h> -.SH IOCTLS -.PP -To add and delete rules to the NAT list, two 'basic' ioctls are provided -for use. The ioctl's are called as: -.LP -.nf - ioctl(fd, SIOCADNAT, struct ipnat **) - ioctl(fd, SIOCRMNAT, struct ipnat **) - ioctl(fd, SIOCGNATS, struct natstat **) - ioctl(fd, SIOCGNATL, struct natlookup **) -.fi -.PP -Unlike \fBipf(4)\fP, there is only a single list supported by the kernel NAT -interface. An inactive list which can be swapped to is not currently -supported. - -These ioctl's are implemented as being routing ioctls and thus the same rules -for the various routing ioctls and the file descriptor are employed, mainly -being that the fd must be that of the device associated with the module -(i.e., /dev/ipl). -.LP -.PP -The structure used with the NAT interface is described below: -.LP -.nf -typedef struct ipnat { - struct ipnat *in_next; - void *in_ifp; - u_short in_flags; - u_short in_pnext; - u_short in_port[2]; - struct in_addr in_in[2]; - struct in_addr in_out[2]; - struct in_addr in_nextip; - int in_space; - int in_redir; /* 0 if it's a mapping, 1 if it's a hard redir */ - char in_ifname[IFNAMSIZ]; -} ipnat_t; - -#define in_pmin in_port[0] /* Also holds static redir port */ -#define in_pmax in_port[1] -#define in_nip in_nextip.s_addr -#define in_inip in_in[0].s_addr -#define in_inmsk in_in[1].s_addr -#define in_outip in_out[0].s_addr -#define in_outmsk in_out[1].s_addr - -.fi -.PP -Recognised values for in_redir: -.LP -.nf -#define NAT_MAP 0 -#define NAT_REDIRECT 1 -.fi -.PP -.LP -\fBNAT statistics\fP -Statistics on the number of packets mapped, going in and out are kept, -the number of times a new entry is added and deleted (through expiration) to -the NAT table and the current usage level of the NAT table. 
-.PP -Pointers to the NAT table inside the kernel, as well as to the top of the -internal NAT lists constructed with the \fBSIOCADNAT\fP ioctls. The table -itself is a hash table of size NAT_SIZE (default size is 367). -.PP -To retrieve the statistics, the \fBSIOCGNATS\fP ioctl must be used, with -the appropriate structure passed by reference, as follows: -.nf - ioctl(fd, SIOCGNATS, struct natstat *) - -typedef struct natstat { - u_long ns_mapped[2]; - u_long ns_added; - u_long ns_expire; - u_long ns_inuse; - nat_t ***ns_table; - ipnat_t *ns_list; -} natstat_t; -.fi -.SH BUGS -It would be nice if there were more flexibility when adding and deleting -filter rules. -.SH FILES -/dev/ipnat -.SH SEE ALSO -ipf(4), ipnat(5), ipf(8), ipnat(8), ipfstat(8) diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5 deleted file mode 100644 index 2d76a46..0000000 --- a/contrib/ipfilter/man/ipnat.5 +++ /dev/null 
@@ -1,293 +0,0 @@ -.TH IPNAT 5 -.SH NAME -ipnat, ipnat.conf \- IP NAT file format -.SH DESCRIPTION -The format for files accepted by ipnat is described by the following grammar: -.LP -.nf -ipmap :: = mapblock | redir | map . - -map ::= mapit ifname lhs "->" dstipmask [ mapicmp | mapport | mapproxy ] - mapoptions . -mapblock ::= "map-block" ifname lhs "->" ipmask [ ports ] mapoptions . -redir ::= "rdr" ifname rlhs "->" ip [ "," ip ] rdrport rdroptions . - -lhs ::= ipmask | fromto . -rlhs ::= ipmask dport | fromto . -dport ::= "port" portnum [ "-" portnum ] . -ports ::= "ports" numports | "auto" . -rdrport ::= "port" portnum . -mapit ::= "map" | "bimap" . -fromto ::= "from" object "to" object . -ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask . -dstipmask ::= ipmask | "range" ip "-" ip . -mapicmp ::= "icmpidmap" "icmp" number ":" number . -mapport ::= "portmap" tcpudp portspec . -mapoptions ::= [ tcpudp ] [ "frag" ] [ age ] [ clamp ] . -rdroptions ::= rdrproto [ rr ] [ "frag" ] [ age ] [ clamp ] [ rdrproxy ] . - -object :: = addr [ port-comp | port-range ] . -addr :: = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] . -port-comp :: = "port" compare port-num . -port-range :: = "port" port-num range port-num . -rdrproto ::= tcpudp | protocol . - -rr ::= "round-robin" . -age ::= "age" decnumber [ "/" decnumber ] . -clamp ::= "mssclamp" decnumber . -tcpudp ::= "tcp/udp" | protocol . -mapproxy ::= "proxy" "port" port proxy-name '/' protocol -rdrproxy ::= "proxy" proxy-name . - -protocol ::= protocol-name | decnumber . -nummask ::= host-name [ "/" decnumber ] . -portspec ::= "auto" | portnumber ":" portnumber . -port ::= portnumber | port-name . -portnumber ::= number { numbers } . -ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers . - -numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' . 
-.fi -.PP -For standard NAT functionality, a rule should start with \fBmap\fP and then -proceeds to specify the interface for which outgoing packets will have their -source address rewritten. -.PP -Packets which will be rewritten can only be selected by matching the original -source address. A netmask must be specified with the IP address. -.PP -The address selected for replacing the original is chosen from an IP#/netmask -pair. A netmask of all 1's indicating a hostname is valid. A netmask of -31 1's (255.255.255.254) is considered invalid as there is no space for -allocating host IP#'s after consideration for broadcast and network -addresses. -.PP -When remapping TCP and UDP packets, it is also possible to change the source -port number. Either TCP or UDP or both can be selected by each rule, with a -range of port numbers to remap into given as \fBport-number:port-number\fP. -.SH COMMANDS -There are four commands recognised by IP Filter's NAT code: -.TP -.B map -that is used for mapping one address or network to another in an unregulated -round robin fashion; -.TP -.B rdr -that is used for redirecting packets to one IP address and port pair to -another; -.TP -.B bimap -for setting up bidirectional NAT between an external IP address and an internal -IP address and -.TP -.B map-block -which sets up static IP address based translation, based on a algorithm to -squeeze the addresses to be translated into the destination range. -.SH MATCHING -.PP -For basic NAT and redirection of packets, the address subject to change is used -along with its protocol to check if a packet should be altered. The packet -\fImatching\fP part of the rule is to the left of the "->" in each rule. -.PP -Matching of packets has now been extended to allow more complex compares. -In place of the address which is to be translated, an IP address and port -number comparison can be made using the same expressions available with -\fBipf\fP. 
A simple NAT rule could be written as: -.LP -.nf -map de0 10.1.0.0/16 -> 201.2.3.4/32 -.fi -.LP -or as -.LP -.nf -map de0 from 10.1.0.0/16 to any -> 201.2.3.4/32 -.fi -.LP -Only IP address and port numbers can be compared against. This is available -with all NAT rules. -.SH TRANSLATION -.PP -To the right of the "->" is the address and port specification which will be -written into the packet providing it has already successfully matched the -prior constraints. The case of redirections (\fBrdr\fP) is the simplest: -the new destination address is that specified in the rule. For \fBmap\fP -rules, the destination address will be one for which the tuple combining -the new source and destination is known to be unique. If the packet is -either a TCP or UDP packet, the destination and source ports come into the -equation too. If the tuple already exists, IP Filter will increment the -port number first, within the available range specified with \fBportmap\fP -and if there exists no unique tuple, the source address will be incremented -within the specified netmask. If a unique tuple cannot be determined, then -the packet will not be translated. The \fBmap-block\fP is more limited in -how it searches for a new, free and unique tuple, in that it will used an -algorithm to determine what the new source address should be, along with the -range of available ports - the IP address is never changed and nor does the -port number ever exceed its allotted range. -.SH ICMPIDMAP -.PP -ICMP messages can be divided into two groups: "errors" and "queries". ICMP -errors are generated as a response of another IP packet. IP Filter will take -care that ICMP errors that are the response of a NAT-ed IP packet are -handled properly. -.PP -For 4 types of ICMP queries (echo request, timestamp request, information -request and address mask request) IP Filter supports an additional mapping -called "ICMP id mapping". All these 4 types of ICMP queries use a unique -identifier called the ICMP id. 
This id is set by the process sending the -ICMP query and it is usually equal to the process id. The receiver of the -ICMP query will use the same id in its response, thus enabling the -sender to recognize that the incoming ICMP reply is intended for him and is -an answer to a query that he made. The "ICMP id mapping" feature modifies -these ICMP id in a way identical to \fBportmap\fP for TCP or UDP. -.PP -The reason that you might want this, is that using this feature you don't -need an IP address per host behind the NAT box, that wants to do ICMP queries. -The two numbers behind the \fBicmpidmap\fP keyword are the first and the -last icmp id number that can be used. There is one important caveat: if you -map to an IP address that belongs to the NAT box itself (notably if you have -only a single public IP address), then you must ensure that the NAT box does -not use the \fBicmpidmap\fP range that you specified in the \fBmap\fP rule. -Since the ICMP id is usually the process id, it is wise to restrict the -largest permittable process id (PID) on your operating system to e.g. 63999 and -use the range 64000:65535 for ICMP id mapping. Changing the maximal PID is -system dependent. For most BSD derived systems can be done by changing -PID_MAX in /usr/include/sys/proc.h and then rebuild the system. -.SH KERNEL PROXIES -.PP -IP Filter comes with a few, simple, proxies built into the code that is loaded -into the kernel to allow secondary channels to be opened without forcing the -packets through a user program. 
The current state of the proxies is listed -below, as one of three states: -.HP -Aging - protocol is roughly understood from -the time at which the proxy was written but it is not well tested or -maintained; -.HP -Developmental - basic functionality exists, works most of the time but -may be problematic in extended real use; -.HP -Experimental - rough support for the protocol at best, may or may not -work as testing has been at best sporadic, possible large scale changes -to the code in order to properly support the protocol. -.HP -Mature - well tested, protocol is properly -understood by the proxy; -.PP -The currently compiled in proxy list is as follows: -.HP -FTP - Mature -.HP -IRC - Experimental -.HP -rpcbind - Experimental -.HP -H.323 - Experimental -.HP -Real Audio (PNA) - Aging -.HP -IPsec - Developmental -.HP -netbios - Experimental -.HP -R-command - Mature - -.SH TRANSPARENT PROXIES -.PP -True transparent proxying should be performed using the redirect (\fBrdr\fP) -rules directing ports to localhost (127.0.0.1) with the proxy program doing -a lookup through \fB/dev/ipnat\fP to determine the real source and address -of the connection. -.SH LOAD-BALANCING -.PP -Two options for use with \fBrdr\fP are available to support primitive, -\fIround-robin\fP based load balancing. The first option allows for a -\fBrdr\fP to specify a second destination, as follows: -.LP -.nf -rdr le0 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp -.fi -.LP -This would send alternate connections to either 203.1.2.3 or 203.1.2.4. -In scenarios where the load is being spread amongst a larger set of -servers, you can use: -.LP -.nf -rdr le0 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp round-robin -rdr le0 203.1.2.3/32 port 80 -> 203.1.2.5 port 80 tcp round-robin -.fi -.LP -In this case, a connection will be redirected to 203.1.2.3, then 203.1.2.4 -and then 203.1.2.5 before going back to 203.1.2.3. 
In accomplishing this, -the rule is removed from the top of the list and added to the end, -automatically, as required. This will not effect the display of rules -using "ipnat -l", only the internal application order. -.SH EXAMPLES -.PP -This section deals with the \fBmap\fP command and its variations. -.PP -To change IP#'s used internally from network 10 into an ISP provided 8 bit -subnet at 209.1.2.0 through the ppp0 interface, the following would be used: -.LP -.nf -map ppp0 10.0.0.0/8 -> 209.1.2.0/24 -.fi -.PP -The obvious problem here is we're trying to squeeze over 16,000,000 IP -addresses into a 254 address space. To increase the scope, remapping for TCP -and/or UDP, port remapping can be used; -.LP -.nf -map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000 -.fi -.PP -which falls only 527,566 `addresses' short of the space available in network -10. If we were to combine these rules, they would need to be specified as -follows: -.LP -.nf -map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000 -map ppp0 10.0.0.0/8 -> 209.1.2.0/24 -.fi -.PP -so that all TCP/UDP packets were port mapped and only other protocols, such as -ICMP, only have their IP# changed. In some instances, it is more appropriate -to use the keyword \fBauto\fP in place of an actual range of port numbers if -you want to guarantee simultaneous access to all within the given range. -However, in the above case, it would default to 1 port per IP address, since -we need to squeeze 24 bits of address space into 8. A good example of how -this is used might be: -.LP -.nf -map ppp0 172.192.0.0/16 -> 209.1.2.0/24 portmap tcp/udp auto -.fi -.PP -which would result in each IP address being given a small range of ports to -use (252). In all cases, the new port number that is used is deterministic. -That is, port X will always map to port Y. -WARNING: It is not advisable to use the \fBauto\fP feature if you are map'ing -to a /32 (i.e. 
0/32) because the NAT code will try to map multiple hosts to -the same port number, outgoing and ultimately this will only succeed for one -of them. -The problem here is that the \fBmap\fP directive tells the NAT -code to use the next address/port pair available for an outgoing connection, -resulting in no easily discernible relation between external addresses/ports -and internal ones. This is overcome by using \fBmap-block\fP as follows: -.LP -.nf -map-block ppp0 172.192.0.0/16 -> 209.1.2.0/24 ports auto -.fi -.PP -For example, this would result in 172.192.0.0/24 being mapped to 209.1.2.0/32 -with each address, from 172.192.0.0 to 172.192.0.255 having 252 ports of its -own. As opposed to the above use of \fBmap\fP, if for some reason the user -of (say) 172.192.0.2 wanted 260 simultaneous connections going out, they would -be limited to 252 with \fBmap-block\fP but would just \fImove on\fP to the next -IP address with the \fBmap\fP command. -/dev/ipnat -.br -/etc/services -.br -/etc/hosts -.SH SEE ALSO -ipnat(4), hosts(5), ipf(5), services(5), ipf(8), ipnat(8) diff --git a/contrib/ipfilter/man/ipnat.8 b/contrib/ipfilter/man/ipnat.8 deleted file mode 100644 index 683e8f1..0000000 --- a/contrib/ipfilter/man/ipnat.8 +++ /dev/null 
@@ -1,69 +0,0 @@
-.TH IPNAT 8
-.SH NAME
-ipnat \- user interface to the NAT subsystem
-.SH SYNOPSIS
-.B ipnat
-[
-.B \-dhlnrsvCF
-]
-[
-.B \-M core
-]
-[
-.B \-N system
-]
-.B \-f <\fIfilename\fP>
-.SH DESCRIPTION
-.PP
-\fBipnat\fP opens the filename given (treating "\-" as stdin) and parses the
-file for a set of rules which are to be added or removed from the IP NAT.
-.PP
-Each rule processed by \fBipnat\fP
-is added to the kernels internal lists if there are no parsing problems.
-Rules are added to the end of the internal lists, matching the order in
-which they appear when given to \fBipnat\fP.
-.PP
-Note that if
-\fBipf(8)\fP
-is not enabled when NAT is configured, it will be enabled
-automatically, as the same kernel facilities are used for
-NAT functionality. In addition, packet forwarding must be
-enabled.
-.SH OPTIONS
-.TP
-.B \-C
-delete all entries in the current NAT rule listing (NAT rules)
-.TP
-.B \-d
-Enable printing of some extra debugging information.
-.TP
-.B \-F
-delete all active entries in the current NAT translation table (currently
-active NAT mappings)
-.TP
-.B \-h
-Print number of hits for each MAP/Redirect filter.
-.TP
-.B \-l
-Show the list of current NAT table entry mappings.
-.TP
-.B \-n
-This flag (no-change) prevents \fBipf\fP from actually making any ioctl
-calls or doing anything which would alter the currently running kernel.
-.TP
-.B \-r
-Remove matching NAT rules rather than add them to the internal lists.
-.TP
-.B \-s
-Retrieve and display NAT statistics.
-.TP
-.B \-v
-Turn verbose mode on. Displays information relating to rule processing
-and active rules/table entries.
-.DT
-.SH FILES
-/dev/ipnat
-.br
-/usr/share/examples/ipf Directory with examples.
-.SH SEE ALSO
-ipnat(5), ipf(8), ipfstat(8)
diff --git a/contrib/ipfilter/man/ippool.5 b/contrib/ipfilter/man/ippool.5
deleted file mode 100644
index aeff3c8..0000000
--- a/contrib/ipfilter/man/ippool.5
+++ /dev/null
@@ -1,153 +0,0 @@ -.TH IPPOOL 5 -.SH NAME -ippool, ippool.conf \- IP Pool file format -.SH DESCRIPTION -The format for files accepted by ippool is described by the following grammar: -.LP -.nf -line ::= table | groupmap . -table ::= "table" role tabletype . -groupmap ::= "group-map" inout role number ipfgroup -tabletype ::= ipftree | ipfhash . - -role ::= "role" "=" "ipf" . -inout ::= "in" | "out" . - -ipftree ::= "type" "=" "tree" number "{" addrlist "}" . -ipfhash ::= "type" "=" "hash" number hashopts "{" hashlist "}" . - -ipfgroup ::= setgroup hashopts "{" grouplist "}" | - hashopts "{" setgrouplist "}" . -setgroup ::= "group" "=" groupname . - -hashopts ::= size [ seed ] | seed . - -size ::= "size" number . -seed ::= "seed" number . - -addrlist ::= [ "!" ] addrmask ";" [ addrlist ] . -grouplist ::= groupentry ";" [ grouplist ] | addrmask ";" [ grouplist ] . - -setgrouplist ::= groupentry ";" [ setgrouplist ] . - -groupentry ::= addrmask "," setgroup . - -hashlist ::= hashentry ";" [ hashlist ] . -hashentry ::= addrmask . - -addrmask ::= ipaddr | ipaddr "/" mask . - -mask ::= number | ipaddr . - -groupname ::= number | name . - -number ::= digit { digit } . - -ipaddr = host-num "." host-num "." host-num "." host-num . -host-num = digit [ digit [ digit ] ] . - -digit ::= "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" . -name ::= letter { letter | digit } . -.fi -.PP -The IP pool configuration file is used for defining a single object that -contains a reference to multiple IP address/netmask pairs. A pool may consist -of a mixture of netmask sizes, from 0 to 32. -.PP -At this point in time, only IPv4 addressing is supported. -.TP -.SH OVERVIEW -.PP -The IP pool configuration file provides for defining two different mechanisms -for improving speed in matching IP addresses with rules. 
-The first, -.B table -, defines a lookup -.I table -to provide a single reference in a -filter rule to multiple targets and the second, -.B group-map -, provides a mechanism to target multiple groups from a single filter line. -.PP -The -.B group-map -command can only be used with filter rules that use the -.B call -command to invoke either -.B fr_srcgrpmap -or -.B fr_dstgrpmap -, to use the source or destination address, -respectively, for determining which filter group to jump to next for -continuation of filter packet processing. -.SH POOL TYPES -.PP -Two storage formats are provided: hash tables and tree structure. The hash -table is intended for use with objects all containing the same netmask or a -few different sized netmasks of non-overlapping address space and the tree -is designed for being able to support exceptions to a covering mask, in -addition to normal searching as you would do with a table. It is not possible -to use the tree data storage type with -.B group-map -configuration entries. -.SH POOL ROLES -.PP -When a pool is defined in the configuration file, it must have an associated -role. At present the only supported role is -.B ipf. -Future development will see futher expansion of their use by other sections -of IPFilter code. -.SH EXAMPLES -The following examples show how the pool configuration file is used with -the ipf configuration file to enhance the ability for the ipf configuration -file to be succinct in meaning. -.TP -1 -The first example shows how a filter rule makes reference to a specific -pool for matching of the source address. -.nf -pass in from pool/100 to any -.fi -.PP -The pool configuration, which matches IP addresses 1.1.1.1 and any -in 2.2.0.0/16, except for those in 2.2.2.0/24. 
-.PP -.nf -table role = ipf type = tree number = 100 - { 1.1.1.1/32; 2.2.0.0/16; !2.2.2.0/24 }; -.fi -.TP -2 -The following ipf.conf extract uses the -fr_srcgrpmap/fr_dstgrpmap lookups to use the -.B group-map -facility to lookup the next group to use for filter processing, providing -the -.B call -filter rule is matched. -.nf -call now fr_srcgrpmap/1010 in all -call now fr_dstgrpmap/2010 out all -pass in all group 1020 -block in all group 1030 -pass out all group 2020 -block out all group 2040 -.fi -.PP -A ippool configuration to work with the above ipf.conf file might -look like this: -.PP -.nf -group-map in role = ipf number = 1010 - { 1.1.1.1/32, group = 1020; 3.3.0.0/16, group = 1030; }; -group-map out role = ipf number = 2010 group = 2020 - { 2.2.2.2/32; 4.4.0.0/16; 5.0.0.0/8, group = 2040; }; -.fi -.SH FILES -/dev/iplookup -.br -/etc/ippool.conf -.br -/etc/hosts -.SH SEE ALSO -ippool(8), hosts(5), ipf(5), ipf(8), ipnat(8) diff --git a/contrib/ipfilter/man/ippool.8 b/contrib/ipfilter/man/ippool.8 deleted file mode 100644 index e27cb92..0000000 --- a/contrib/ipfilter/man/ippool.8 +++ /dev/null 
@@ -1,124 +0,0 @@ -.TH IPPOOL 8 -.SH NAME -ippool \- user interface to the IPFilter pools -.SH SYNOPSIS -.br -.B ippool --a [-dnv] [-m <name>] [-o <role>] -i <ipaddr>[/<netmask>] -.br -.B ippool --A [-dnv] [-m <name>] [-o <role>] [-S <seed>] [-t <type>] -.br -.B ippool --f <file> [-dnuv] -.br -.B ippool --F [-dv] [-o <role>] [-t <type>] -.br -.B ippool --l [-dv] [-m <name>] [-t <type>] -.br -.B ippool --r [-dnv] [-m <name>] [-o <role>] -i <ipaddr>[/<netmask>] -.br -.B ippool --R [-dnv] [-m <name>] [-o <role>] [-t <type>] -.br -.B ippool --s [-dtv] [-M <core>] [-N <namelist>] -.SH DESCRIPTION -.PP -.B Ippool -is used to manage information stored in the IP pools subsystem of IPFilter. -Configuration file information may be parsed and loaded into the kernel, -currently configured pools removed or changed as well as inspected. -.PP -The command line options used are broken into two sections: the global -options and the instance specific options. -.SH GLOBAL OPTIONS -.TP -.B \-d -Toggle debugging of processing the configuration file. -.TP -.B \-n -This flag (no-change) prevents -.B ippool -from actually making any ioctl -calls or doing anything which would alter the currently running kernel. -.TP -.B \-v -Turn verbose mode on. -.SH COMMAND OPTIONS -.TP -.B -a -Add a new data node to an existing pool in the kernel. -.TP -.B -A -Add a new (empty) pool to the kernel. -.TP -.B -f <file> -Read in IP pool configuration information from the file and load it into -the kernel. -.TP -.B -F -Flush loaded pools from the kernel. -.TP -.B -l -Display a list of pools currently loaded into the kernel. -.TP -.B -r -Remove an existing data node from a pool in the kernel. -.TP -.B -R -Remove an existing pool from within the kernel. -.TP -.B -s -Display IP pool statistical information. 
-.SH OPTIONS -.TP -.B -i <ipaddr>[/<netmask>] -Sets the IP address for the operation being undertaken with an -all-one's mask or, optionally, a specific netmask given in either -the dotted-quad notation or a single integer. -.TP -.B -m <name> -Sets the pool name for the current operation. -.TP -.B -M <core> -Specify an alternative path to /dev/kmem to retrieve statistical information -from. -.TP -.B -N <namelist> -Specify an alternative path to lookup symbol name information from when -retrieving statistical information. -.TP -.B -o <role> -Sets the role with which this pool is to be used. Currently only -.B ipf, -.B auth -and -.B count -are accepted as arguments to this option. -.TP -.B -S <seed> -Sets the hashing seed to the number specified. Only for use with -.B hash -type pools. -.TP -.B -t <type> -Sets the type of pool being defined. Myst be one of -.B tree, -.B hash, -.B group-map. -.TP -.B -u -When parsing a configuration file, rather than load new pool data into the -kernel, unload it. -.DT -.SH FILES -.br -/dev/iplookup -.br -/etc/ippool.conf -.SH SEE ALSO -ippool(5), ipf(8), ipfstat(8) diff --git a/contrib/ipfilter/man/ipscan.5 b/contrib/ipfilter/man/ipscan.5 deleted file mode 100644 index cc12ca3..0000000 --- a/contrib/ipfilter/man/ipscan.5 +++ /dev/null 
@@ -1,50 +0,0 @@
-.TH IPSCAN 5
-.SH NAME
-ipscan, ipscan.conf \- ipscan file format
-.SH DESCRIPTION
-.PP
-WARNING: This feature is to be considered experimental and may change
-significantly until a final implementation is drawn up.
-.PP
-The format for files accept by ipscan currently follow this rough grammar:
-.LP
-.nf
-line ::= name ":" matchup [ "," matchup ] "=" action .
-matchup ::= "(" ")" | "(" literal ")" | "(" literal "," match ")" .
-action ::= result | result "else" result .
-result ::= "close" | "track" | redirect .
-redirect ::= "redirect" ip-address [ "(" "," port-number ")" ] .
-match ::= { match-char }
-match-char ::= "*" | "?" | "."
-.fi
-.PP
-In this example an ip-address is a dotted-quad IPv4 address and a port-number
-is a number betwee 1 and 65535, inclusive. The match string is must be of
-same length as the literal string that it is matching (literal). The length
-of either string is limited to 16 bytes.
-.PP
-Currently, the redirect option is not yet been implemented.
-.LP
-.nf
-#
-# * = match any character, . = exact match, ? = case insensitive
-#
-# Scan for anything that looks like HTTP and redirect it to the local
-# proxy. One catch - this feature (redirect) is not yet implemented.
-#
-http : ("GET ", "???." ) = redirect(127.0.0.1)
-#
-# Track ssh connections (i.e do nothing)
-#
-ssh : (), ("SSH-") = track
-#
-# Things which look like smtp to be tracked else closed.
-# Client can start with EHLO (ESMTP) or HELO (SMTP).
-#
-smtp : ("HELO ", "**??."), ("220 ", "....") = track else close
-#
-.fi
-.SH FILES
-/etc/ipscan.conf
-.SH SEE ALSO
-ipscan(8)
diff --git a/contrib/ipfilter/man/ipscan.8 b/contrib/ipfilter/man/ipscan.8
deleted file mode 100644
index 958c456..0000000
--- a/contrib/ipfilter/man/ipscan.8
+++ /dev/null
@@ -1,42 +0,0 @@
-.TH IPSCAN 8
-.SH NAME
-ipscan \- user interface to the IPFilter content scanning
-.SH SYNOPSIS
-.B ipscan
-[
-.B \-dlnrsv
-] [
-]
-.B \-f <\fIfilename\fP>
-.SH DESCRIPTION
-.PP
-\fBipscan\fP opens the filename given (treating "\-" as stdin) and parses the
-file to build up a content scanning configuration to load into the kernel.
-Currently only the first 16 bytes of a connection can be compared.
-.SH OPTIONS
-.TP
-.B \-d
-Toggle debugging of processing the configuration file.
-.TP
-.B \-l
-Show the list of currently configured content scanning entries.
-.TP
-.B \-n
-This flag (no-change) prevents \fBipscan\fP from actually making any ioctl
-calls or doing anything which would alter the currently running kernel.
-.TP
-.B \-r
-Remove commands from kernel configuration as they are read from the
-configuration file rather than adding new ones.
-.TP
-.B \-s
-Retrieve and display content scanning statistics
-.TP
-.B \-v
-Turn verbose mode on.
-.DT
-.SH FILES
-/dev/ipscan
-/etc/ipscan.conf
-.SH SEE ALSO
-ipscan(5), ipf(8)
diff --git a/contrib/ipfilter/man/man.sed b/contrib/ipfilter/man/man.sed
deleted file mode 100644
index 0be8dab..0000000
--- a/contrib/ipfilter/man/man.sed
+++ /dev/null
@@ -1 +0,0 @@
-DF. ..CVSD~MakefileDipf.1Dipf.4Dipf.5D
diff --git a/contrib/ipfilter/man/mkfilters.1 b/contrib/ipfilter/man/mkfilters.1
deleted file mode 100644
index b5fd9dc..0000000
--- a/contrib/ipfilter/man/mkfilters.1
+++ /dev/null
@@ -1,12 +0,0 @@
-.TH MKFILTERS 1
-.SH NAME
-mkfilters \- generate a minimal firewall ruleset for ipfilter
-.SH SYNOPSIS
-.B mkfilters
-.SH DESCRIPTION
-.PP
-\fBmkfilters\fP is a perl script that generates a minimal filter rule set for
-use with \fBipfilter\fP by parsing the output of \fBifconfig\fP.
-.DT
-.SH SEE ALSO
-ipf(8), ipf(5), ipfilter(5), ifconfig(8) |