Diffstat (limited to 'man/ipfilter.4.mandoc')
-rw-r--r--man/ipfilter.4.mandoc267
1 files changed, 267 insertions, 0 deletions
diff --git a/man/ipfilter.4.mandoc b/man/ipfilter.4.mandoc
new file mode 100644
index 0000000..72534a7
--- /dev/null
+++ b/man/ipfilter.4.mandoc
@@ -0,0 +1,267 @@
+.Dd December 8, 2000
+.Dt IP\ FILTER 4
+.Os
+.Sh NAME
+.Nm IP Filter
+.Nd Introduction to IP packet filtering
+.Sh DESCRIPTION
+IP Filter is a TCP/IP packet filter, suitable for use in a firewall
+environment. To use, it can either be used as a loadable kernel module or
+incorporated into your UNIX kernel; use as a loadable kernel module where
+possible is highly recommended. Scripts are provided to install and patch
+system files, as required.
+.Sh FEATURES
+The IP packet filter can:
+.Bl -bullet -offset indent -compact
+.It
+explicitly deny/permit any packet from passing through
+.It
+distinguish between various interfaces
+.It
+filter by IP networks or hosts
+.It
+selectively filter any IP protocol
+.It
+selectively filter fragmented IP packets
+.It
+selectively filter packets with IP options
+.It
+send back an ICMP error/TCP reset for blocked packets
+.It
+keep packet state information for TCP, UDP and ICMP packet flows
+.It
+keep fragment state information for any IP packet, applying the same rule
+to all fragments.
+.It
+act as a Network Address Translator (NAT)
+.It
+use redirection to setup true transparent proxy connections
+.It
+provide packet header details to a user program for authentication
+.It
+in addition, supports temporary storage of pre-authenticated rules for passing packets through
+.El
+.Pp
+Special provision is made for the three most common Internet protocols, TCP,
+UDP and ICMP. The IP Packet filter allows filtering of:
+.Bl -bullet -offset indent -compact
+.It
+Inverted host/net matchingTCP/UDP packets by port number or a port number
+range
+.It
+ICMP packets by type/code
+.It
+"established" TCP packets
+.It
+On any arbitrary combination of TCP flags
+.It
+"short" (fragmented) IP packets with incomplete headers can be filtered
+.It
+any of the 19 IP options or 8 registered IP security classes TOS (Type of
+Service) field in packets
+.El
+.Pp
+To keep track of the performance of the IP packet filter, a logging device
+is used which supports logging of:
+.Bl -bullet -offset indent -compact
+.It
+the TCP/UDP/ICMP and IP packet headers
+.It
+the first 128 bytes of the packet (including headers)
+.El
+.Pp
+A packet can be logged when:
+.Bl -bullet -offset indent -compact
+.It
+it is successfully passed through
+.It
+it is blocked from passing through
+.It
+it matches a rule setup to look for suspicious packets
+.El
+.Pp
+IP Filter keeps its own set of statistics on:
+.Bl -bullet -offset indent -compact
+.It
+packets blocked
+.It
+packets (and bytes!) used for accounting
+.It
+packets passed
+.li
+packets logged
+.It
+attempts to log which failed (buffer full)
+.El
+and much more, for packets going both in and out.
+
+.Sh Tools
+The current implementation provides a small set of tools, which can easily
+be used and integrated with regular unix shells and tools. A brief description
+of the tools provided:
+.Pp
+.Xr ipf 8
+reads in a set of rules, from either stdin or a file, and adds them to
+the kernels current list (appending them). It can also be used to flush the
+current filter set or delete individual filter rules. The file format is
+described in
+.Xr ipf 5 .
+.Pp
+.Xr ipfs 8
+is a utility to temporarily lock the IP Filter kernel tables (state tables
+and NAT mappings) and write them to disk. After that the system can be
+rebooted, and ipfs can be used to read these tables from disk and restore
+them into the kernel. This way the system can be rebooted without the
+connections being terminated.
+.Pp
+.Xr ipfstat 8
+interrogates the kernel for statistics on packet filtering, so
+far, and retrieves the list of filters in operation for inbound and outbound
+packets.
+.Pp
+.Xr ipftest 1
+reads in a filter rule file and then applies sample IP packets to
+the rule file. This allows for testing of filter list and examination of how
+a packet is passed along through it.
+.Pp
+.Xr ipmon 8
+reads buffered data from the logging device (default is /dev/ipl)
+for output to either:
+.Bl -bullet -offset indent -compact
+.It
+screen (standard output)
+.It
+file
+.It
+syslog
+.El
+.Pp
+.Xr ipsend 1
+generates arbitary IP packets for ethernet connected machines.
+.Pp
+.Xr ipresend 1
+reads in a data file of saved IP packets (ie
+snoop/tcpdump/etherfind output) and sends it back across the network.
+.Pp
+.Xr iptest 1
+contains a set of test "programs" which send out a series of IP
+packets, aimed at testing the strength of the TCP/IP stack at which it is
+aimed at. WARNING: this may crash machine(s) targeted!
+.Pp
+.Xr ipnat 8
+reads in a set of rules, from either stdin or a file and adds them
+to the kernels current list of active NAT rules. NAT rules can also be
+deleted using ipnat. The format of the configuration file to be used
+with ipnat is described in
+.Xr ipnat 5 .
+.Pp
+For use in your own programs (e.g. for writing of transparent application
+proxies), the programming interface and the associated ioctl's are
+documented in
+.Xr ipf 4 .
+
+Documentation on ioctl's and the format of data saved
+to the logging character device is provided in
+.Xr ipl 4
+so that you may develop your own applications to work with or in place of any
+of the above.
+
+Similar, the interface to the NAT code is documented in
+.Xr ipnat 4 .
+
+.Sh PACKET PROCESSING FLOW
+The following diagram illustrates the flow of TCP/IP packets through the
+various stages introduced by IP Filter.
+.Pp
+.nf
+ IN
+ |
+ V
+ +-------------------------+--------------------------+
+ | | |
+ | V |
+ | Network Address Translation |
+ | | |
+ | authenticated | |
+ | +-------<---------+ |
+ | | | |
+ | | V |
+ | V IP Accounting |
+ | | | |
+ | | V |
+ | | Fragment Cache Check--+ |
+ | | | | |
+ | V V V |
+ | | Packet State Check-->+ |
+ | | | | |
+ | | +->--+ | | |
+ | | | | V | |
+ | V groups IP Filtering V |
+ | | | | | | |
+ | | +--<-+ | | |
+ | | | | |
+ | +---------------->|<-----------+ |
+ | | |
+ | V |
+ | +---<----+ |
+ | | | |
+ | function | |
+ | | V |
+ | +--->----+ |
+ | | |
+ | V |
+ +--|---<--- fast-route ---<--+ |
+ | | | |
+ | | V |
+ | +-------------------------+--------------------------+
+ | |
+ | pass only
+ | |
+ | V
+ V [KERNEL TCP/IP Processing]
+ | |
+ | +-------------------------+--------------------------+
+ | | | |
+ | | V |
+ | | Fragment Cache Check--+ |
+ | | | | |
+ | | V V |
+ | | Packet State Check-->+ |
+ | | | | |
+ | | V | |
+ V | IP Filtering | |
+ | | | V |
+ | | |<-----------+ |
+ | | V |
+ | | IP Accounting |
+ | | | |
+ | | V |
+ | | Network Address Translation |
+ | | | |
+ | | V |
+ | +-------------------------+--------------------------+
+ | |
+ | pass only
+ V |
+ +--------------------------->|
+ V
+ OUT
+.fi
+
+.Sh MORE INFORMATION
+More information (including pointers to the FAQ and the mailing list) can be
+obtained from the sofware's official homepage: www.ipfilter.org
+
+.Sh SEE ALSO
+.Xr ipf 4 ,
+.Xr ipf 5 ,
+.Xr ipf 8 ,
+.Xr ipfilter 5 ,
+.Xr ipfs 8 ,
+.Xr ipfstat 8 ,
+.Xr ipftest 1 ,
+.Xr ipl 4 ,
+.Xr ipmon 8 ,
+.Xr ipnat 4 ,
+.Xr ipnat 8 ,
+
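Review bot: The statistics list in FEATURES has a malformed item macro: `.li` (the line before `packets logged`) should be `.It`, otherwise mdoc will not recognise "packets logged" as a list item and mandoc will warn about an unknown macro. Two other bullet lists have items run together that need an `.It` inserted between them: `Inverted host/net matchingTCP/UDP packets by port number or a port number range` should be two items (`Inverted host/net matching` and `TCP/UDP packets by port number or a port number range`), and `any of the 19 IP options or 8 registered IP security classes TOS (Type of Service) field in packets` should likewise be split into `any of the 19 IP options or 8 registered IP security classes` and `TOS (Type of Service) field in packets`. Spelling: `arbitary` should read `arbitrary`, `sofware's` should read `software's`, and `Similar, the interface` should read `Similarly, the interface`. Style points for mdoc: section headings are conventionally upper case (`.Sh TOOLS` rather than `.Sh Tools`); the blank source lines after the statistics list, around the `ipl` and `ipnat` paragraphs and around the diagram should be `.Pp` requests, since empty lines in mdoc input produce warnings and inconsistent spacing; the diagram would be better wrapped in `.Bd -literal` / `.Ed` than the raw roff `.nf` / `.fi` requests; and the SEE ALSO list ends with `.Xr ipnat 8 ,` followed by a blank line, so the trailing comma on the last entry should be dropped. On the content side, the `ipfs` paragraph says state tables and NAT mappings are written to disk but not where, and a reader setting this up would want to know the location and that the saved file contains live connection data and should be protected accordingly; a pointer to the `ipfs` man page for that detail would be enough. The `iptest` entry already carries a warning that it may crash the targeted machines; it would help to add that it is meant for testing your own stacks, consistent with `ipftest` being the tool for exercising the filter rules offline.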