Diffstat (limited to 'man/ipfilter.4.mandoc')
-rw-r--r--  man/ipfilter.4.mandoc  267
1 files changed, 267 insertions, 0 deletions
diff --git a/man/ipfilter.4.mandoc b/man/ipfilter.4.mandoc new file mode 100644 index 0000000..72534a7 --- /dev/null +++ b/man/ipfilter.4.mandoc 
@@ -0,0 +1,267 @@ +.Dd December 8, 2000 +.Dt IP\ FILTER 4 +.Os +.Sh NAME +.Nm IP Filter +.Nd Introduction to IP packet filtering +.Sh DESCRIPTION +IP Filter is a TCP/IP packet filter, suitable for use in a firewall +environment. To use, it can either be used as a loadable kernel module or +incorporated into your UNIX kernel; use as a loadable kernel module where +possible is highly recommended. Scripts are provided to install and patch +system files, as required. +.Sh FEATURES +The IP packet filter can: +.Bl -bullet -offset indent -compact +.It +explicitly deny/permit any packet from passing through +.It +distinguish between various interfaces +.It +filter by IP networks or hosts +.It +selectively filter any IP protocol +.It +selectively filter fragmented IP packets +.It +selectively filter packets with IP options +.It +send back an ICMP error/TCP reset for blocked packets +.It +keep packet state information for TCP, UDP and ICMP packet flows +.It +keep fragment state information for any IP packet, applying the same rule +to all fragments. +.It +act as a Network Address Translator (NAT) +.It +use redirection to setup true transparent proxy connections +.It +provide packet header details to a user program for authentication +.It +in addition, supports temporary storage of pre-authenticated rules for passing packets through +.El +.Pp +Special provision is made for the three most common Internet protocols, TCP, +UDP and ICMP. 
The IP Packet filter allows filtering of: +.Bl -bullet -offset indent -compact +.It +Inverted host/net matchingTCP/UDP packets by port number or a port number +range +.It +ICMP packets by type/code +.It +"established" TCP packets +.It +On any arbitrary combination of TCP flags +.It +"short" (fragmented) IP packets with incomplete headers can be filtered +.It +any of the 19 IP options or 8 registered IP security classes TOS (Type of +Service) field in packets +.El +.Pp +To keep track of the performance of the IP packet filter, a logging device +is used which supports logging of: +.Bl -bullet -offset indent -compact +.It +the TCP/UDP/ICMP and IP packet headers +.It +the first 128 bytes of the packet (including headers) +.El +.Pp +A packet can be logged when: +.Bl -bullet -offset indent -compact +.It +it is successfully passed through +.It +it is blocked from passing through +.It +it matches a rule setup to look for suspicious packets +.El +.Pp +IP Filter keeps its own set of statistics on: +.Bl -bullet -offset indent -compact +.It +packets blocked +.It +packets (and bytes!) used for accounting +.It +packets passed +.li +packets logged +.It +attempts to log which failed (buffer full) +.El +and much more, for packets going both in and out. + +.Sh Tools +The current implementation provides a small set of tools, which can easily +be used and integrated with regular unix shells and tools. A brief description +of the tools provided: +.Pp +.Xr ipf 8 +reads in a set of rules, from either stdin or a file, and adds them to +the kernels current list (appending them). It can also be used to flush the +current filter set or delete individual filter rules. The file format is +described in +.Xr ipf 5 . +.Pp +.Xr ipfs 8 +is a utility to temporarily lock the IP Filter kernel tables (state tables +and NAT mappings) and write them to disk. After that the system can be +rebooted, and ipfs can be used to read these tables from disk and restore +them into the kernel. 
This way the system can be rebooted without the +connections being terminated. +.Pp +.Xr ipfstat 8 +interrogates the kernel for statistics on packet filtering, so +far, and retrieves the list of filters in operation for inbound and outbound +packets. +.Pp +.Xr ipftest 1 +reads in a filter rule file and then applies sample IP packets to +the rule file. This allows for testing of filter list and examination of how +a packet is passed along through it. +.Pp +.Xr ipmon 8 +reads buffered data from the logging device (default is /dev/ipl) +for output to either: +.Bl -bullet -offset indent -compact +.It +screen (standard output) +.It +file +.It +syslog +.El +.Pp +.Xr ipsend 1 +generates arbitary IP packets for ethernet connected machines. +.Pp +.Xr ipresend 1 +reads in a data file of saved IP packets (ie +snoop/tcpdump/etherfind output) and sends it back across the network. +.Pp +.Xr iptest 1 +contains a set of test "programs" which send out a series of IP +packets, aimed at testing the strength of the TCP/IP stack at which it is +aimed at. WARNING: this may crash machine(s) targeted! +.Pp +.Xr ipnat 8 +reads in a set of rules, from either stdin or a file and adds them +to the kernels current list of active NAT rules. NAT rules can also be +deleted using ipnat. The format of the configuration file to be used +with ipnat is described in +.Xr ipnat 5 . +.Pp +For use in your own programs (e.g. for writing of transparent application +proxies), the programming interface and the associated ioctl's are +documented in +.Xr ipf 4 . + +Documentation on ioctl's and the format of data saved +to the logging character device is provided in +.Xr ipl 4 +so that you may develop your own applications to work with or in place of any +of the above. + +Similar, the interface to the NAT code is documented in +.Xr ipnat 4 . + +.Sh PACKET PROCESSING FLOW +The following diagram illustrates the flow of TCP/IP packets through the +various stages introduced by IP Filter. 
+.Pp +.nf + IN + | + V + +-------------------------+--------------------------+ + | | | + | V | + | Network Address Translation | + | | | + | authenticated | | + | +-------<---------+ | + | | | | + | | V | + | V IP Accounting | + | | | | + | | V | + | | Fragment Cache Check--+ | + | | | | | + | V V V | + | | Packet State Check-->+ | + | | | | | + | | +->--+ | | | + | | | | V | | + | V groups IP Filtering V | + | | | | | | | + | | +--<-+ | | | + | | | | | + | +---------------->|<-----------+ | + | | | + | V | + | +---<----+ | + | | | | + | function | | + | | V | + | +--->----+ | + | | | + | V | + +--|---<--- fast-route ---<--+ | + | | | | + | | V | + | +-------------------------+--------------------------+ + | | + | pass only + | | + | V + V [KERNEL TCP/IP Processing] + | | + | +-------------------------+--------------------------+ + | | | | + | | V | + | | Fragment Cache Check--+ | + | | | | | + | | V V | + | | Packet State Check-->+ | + | | | | | + | | V | | + V | IP Filtering | | + | | | V | + | | |<-----------+ | + | | V | + | | IP Accounting | + | | | | + | | V | + | | Network Address Translation | + | | | | + | | V | + | +-------------------------+--------------------------+ + | | + | pass only + V | + +--------------------------->| + V + OUT +.fi + +.Sh MORE INFORMATION +More information (including pointers to the FAQ and the mailing list) can be +obtained from the sofware's official homepage: www.ipfilter.org + +.Sh SEE ALSO +.Xr ipf 4 , +.Xr ipf 5 , +.Xr ipf 8 , +.Xr ipfilter 5 , +.Xr ipfs 8 , +.Xr ipfstat 8 , +.Xr ipftest 1 , +.Xr ipl 4 , +.Xr ipmon 8 , +.Xr ipnat 4 , +.Xr ipnat 8 , + |
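Review bot: two bullet lists in the FEATURES section have lost an `.It` separator and one list macro is misspelled, so the page will not render as intended. "Inverted host/net matchingTCP/UDP packets by port number or a port number range" fuses two items; insert `.It` before "TCP/UDP packets". Likewise "any of the 19 IP options or 8 registered IP security classes TOS (Type of Service) field in packets" reads as two items (the IP options/security classes, and the TOS field) and needs an `.It` between them. In the statistics list, `.li` before "packets logged" should be `.It`; as written that line is not a valid mdoc macro and the entry will not be recognised as a list item. Smaller points in the same hunk: `.Sh Tools` should be `.Sh TOOLS` to match the other section names; the literal blank lines (a lone `+`) after "and much more, for packets going both in and out." and around the ipf 4, ipl 4 and ipnat 4 paragraphs should be `.Pp`, since mandoc flags blank lines in fill mode; the SEE ALSO list ends with `.Xr ipnat 8 ,`, and the last entry should carry no trailing comma; and spelling: "arbitary" should be "arbitrary", "sofware's" should be "software's", "Similar," should be "Similarly,", and "kernels current list" (twice) should be "kernel's current list".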