Diffstat (limited to 'sbin/ipfw/ipfw.8')
-rw-r--r-- | sbin/ipfw/ipfw.8 | 358 |
1 files changed, 358 insertions, 0 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 new file mode 100644 index 0000000..8f65213a --- /dev/null +++ b/sbin/ipfw/ipfw.8 
@@ -0,0 +1,358 @@ +.Dd July 20, 1996 +.Dt IPFW 8 SMM +.Os FreeBSD +.Sh NAME +.Nm ipfw +.Nd controlling utility for IP firewall +.Sh SYNOPSIS +.Nm +.Ar file +.Nm ipfw +flush +.Nm ipfw +zero +.Oo +.Ar number +.Oc +.Nm ipfw +delete +.Ar number +.Nm ipfw +.Oo +.Fl aftN +.Oc +list +.Nm ipfw +add +.Oo +.Ar number +.Oc +.Ar action +.Oo +log +.Oc +.Ar proto +from +.Ar src +to +.Ar dst +.Oo +via +.Ar name|ipno +.Oc +.Oo +.Ar options +.Oc +.Sh DESCRIPTION +If used as shown in the first synopsis line, the +.Ar file +will be read line by line and applied as arguments to the +.Nm +command. +.Pp +The +.Nm +code works by going through the rule-list for each packet, +until a match is found. +All rules have two associated counters, a packet count and +a byte count. +These counters are updated when a packet matches the rule. +.Pp +The rules are ordered by a ``line-number'' from 1 to 65534 that is used +to order and delete rules. Rules are tried in increasing order, and the +first rule that matches a packet applies. +Multiple rules may share the same number and apply in +the order in which they were added. +.Pp +If a rule is added without a number, it numbered 100 higher +than the previous rule. If the highest defined rule number is +greater than 65434, new rules are appended to the last rule. +.Pp +The delete operation deletes the first rule with number +.Ar number , +if any. +.Pp +The list command prints out the current rule set. +.Pp +The zero operation zeroes the counters associated with rule number +.Ar number . +.Pp +The flush operation removes all rules. +.Pp +One rule is always present: +.Bd -literal -offset center +65535 deny all from any to any +.Ed + +This rule is the default policy, i.e., don't allow anything at all. +Your job in setting up rules is to modify this policy to match your needs. +.Pp +The following options are available: +.Bl -tag -width flag +.It Fl a +While listing, show counter values. This option is the only way to see +accounting records. 
+.It Fl f +Don't ask for confirmation for commands that can cause problems if misused +(ie; flush). +.Ar Note , +if there is no tty associated with the process, this is implied. +.It Fl t +While listing, show last match timestamp. +.It Fl N +Try to resolve addresses and service names in output. +.El +.Pp +.Ar action : +.Bl -hang -offset flag -width 1234567890123456 +.It Nm allow +Allow packets that match rule. +The search terminates. +.It Nm pass +Same as allow. +.It Nm accept +Same as allow. +.It Nm count +Update counters for all packets that match rule. +The search continues with the next rule. +.It Nm deny +Discard packets that match this rule. +The search terminates. +.It Nm reject +Discard packets that match this rule, and try to send an ICMP notice. +The search terminates. +.It Nm divert port +Divert packets that match this rule to the divert socket bound to port +.Ar port . +The search terminates. +.El +.Pp +When a packet matches a rule with the +.Nm log +keyword, a message will be printed on the console. +If the kernel was compiled with the +.Nm IP_FIREWALL_VERBOSE_LIMIT +option, then logging will cease after the number of packets +specified by the option are received for that particular +chain entry. Logging may then be re-enabled by clearing +the packet counter for that entry. +.Pp +.Ar proto : +.Bl -hang -offset flag -width 1234567890123456 +.It Nm ip +All packets match. +.It Nm all +All packets match. +.It Nm tcp +Only TCP packets match. +.It Nm udp +Only UDP packets match. +.It Nm icmp +Only ICMP packets match. +.It Nm <number|name> +Only packets for the specified protocol matches (see +.Pa /etc/protocols +for a complete list). +.El +.Pp +.Ar src +and +.Ar dst : +.Pp +.Bl -hang -offset flag +.It <address/mask> [ports] +.El +.Pp +The +.Em <address/mask> +may be specified as: +.Bl -hang -offset flag -width 1234567890123456 +.It Ar ipno +An ipnumber of the form 1.2.3.4. +Only this exact ip number match the rule. 
+.It Ar ipno/bits +An ipnumber with a mask width of the form 1.2.3.4/24. +In this case all ip numbers from 1.2.3.0 to 1.2.3.255 will match. +.It Ar ipno:mask +An ipnumber with a mask width of the form 1.2.3.4:255.255.240.0. +In this case all ip numbers from 1.2.0.0 to 1.2.15.255 will match. +.El +.Pp +With the TCP and UDP +.Em protocols , +an optional +.Em port +may be specified as: +.Pp +.Bl -hang -offset flag +.It Ns {port|port-port} Ns Op ,port Ns Op ,... +.El +.Pp +Service names (from +.Pa /etc/services ) +may not be used instead of a numeric port value. +Also, note that a range may only be specified as the first value, +and the port list is limited to +.Nm IP_FW_MAX_PORTS +(as defined in /usr/src/sys/netinet/ip_fw.h) +ports. +.Pp +If ``via'' +.Ar name +is specified, only packets received via or on their way out of an interface +matching +.Ar name +will match this rule. +.Pp +If ``via'' +.Ar ipno +is specified, only packets received via or on their way out of an interface +having the address +.Ar ipno +will match this rule. +.Pp +.Ar options : +.Bl -hang -offset flag -width 1234567890123456 +.It frag +Matches if the packet is a fragment and this is not the first fragment +of the datagram. +.It in +Matches if this packet was on the way in. +.It out +Matches if this packet was on the way out. +.It ipoptions Ar spec +Matches if the IP header contains the comma separated list of +options specified in +.Ar spec . +The supported IP options are: +.Nm ssrr +(strict source route), +.Nm lsrr +(loose source route), +.Nm rr +(record packet route), and +.Nm ts +(timestamp). +The absence of a particular option may be denoted +with a ``!''. +.It established +Matches packets that have the RST or ACK bits set. +TCP packets only. +.It setup +Matches packets that have the SYN bit set but no ACK bit. +TCP packets only. +.It tcpflags Ar spec +Matches if the TCP header contains the comma separated list of +flags specified in +.Ar spec . 
+The supported TCP flags are: +.Nm fin , +.Nm syn , +.Nm rst , +.Nm psh , +.Nm ack , +and +.Nm urg . +The absence of a particular flag may be denoted +with a ``!''. +.It icmptypes Ar types +Matches if the ICMP type is in the list +.Ar types . +The list may be specified as any combination of ranges +or individual types separated by commas. +.El +.Sh CHECKLIST +Here are some important points to consider when designing your +rules: +.Bl -bullet -hang -offset flag -width 1234567890123456 +.It +Remember that you filter both packets going in and out. +Most connections need packets going in both directions. +.It +Remember to test very carefully. +It is a good idea to be near the console when doing this. +.It +Don't forget the loopback interface. +.El +.Sh FINE POINTS +There is one kind of packet that the firewall will always discard, +that is an IP fragment with a fragment offset of one. +This is a valid packet, but it only has one use, to try to circumvent +firewalls. +.Pp +If you are logged in over a network, loading the LKM version of +.Nm +is probably not as straightforward as you would think. +I recommend this command line: +.Bd -literal -offset center +modload /lkm/ipfw_mod.o && \e +ipfw add 32000 allow all from any to any +.Ed + +Along the same lines, doing an +.Bd -literal -offset center +ipfw flush +.Ed + +in similar surroundings is also a bad idea. +.Sh PACKET DIVERSION +A divert socket bound to the specified port will receive all packets diverted +to that port; see +.Xr divert 4 . +If no socket is bound to the destination port, or if the kernel +wasn't compiled with divert socket support, diverted packets are dropped. 
+.Sh EXAMPLES +This command adds an entry which denies all tcp packets from +.Em hacker.evil.org +to the telnet port of +.Em wolf.tambov.su +from being forwarded by the host: +.Pp +.Dl ipfw add deny tcp from hacker.evil.org to wolf.tambov.su 23 +.Pp +This one disallows any connection from the entire hackers network to +my host: +.Pp +.Dl ipfw addf deny all from 123.45.67.0/24 to my.host.org +.Pp +Here is good usage of list command to see accounting records: +.Pp +.Dl ipfw -at l +.Pp +or in short form +.Pp +.Dl ipfw -a l +.Pp +This rule diverts all incoming packets from 192.168.2.0/24 to divert port 5000: +.Pp +.Dl ipfw divert 5000 all from 192.168.2.0/24 to any in +.Sh SEE ALSO +.Xr divert 4 , +.Xr ip 4 , +.Xr ipfirewall 4 , +.Xr protocols 5 , +.Xr services 5 , +.Xr reboot 8 , +.Xr syslogd 8 +.Sh BUGS +.Pp +.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!! +.Pp +This program can put your computer in rather unusable state. When +using it for the first time, work on the console of the computer, and +do +.Em NOT +do anything you don't understand. +.Pp +When manipulating/adding chain entries, service and protocol names are +not accepted. +.Sh AUTHORS +Ugen J. S. Antsilevich, +Poul-Henning Kamp, +Alex Nash, +Archie Cobbs. +API based upon code written by Daniel Boulet for BSDI. +.Sh HISTORY +.Nm +first appeared in +.Fx 2.0 . |
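Review bot: The EXAMPLES section does not agree with the SYNOPSIS and DESCRIPTION in this same file. `.Dl ipfw addf deny all from 123.45.67.0/24 to my.host.org` uses an `addf` subcommand that is documented nowhere (the synopsis only defines `add`, with `-f` as a separate flag), and `.Dl ipfw divert 5000 all from 192.168.2.0/24 to any in` omits the `add` keyword that the synopsis line `.Nm ipfw add [number] action ...` requires; `ipfw -at l` likewise relies on an `l` abbreviation for `list` that the synopsis never introduces. Either correct the examples to the documented forms or document the abbreviations. There is also a contradiction on names: the `proto` list says `<number|name>` "(see /etc/protocols for a complete list)", but BUGS states "service and protocol names are not accepted", and the examples use hostnames (`hacker.evil.org`, `my.host.org`) although the text never says host names are resolved on input; a reader building a rule set from the examples will get a different policy than they expect, which matters for a default-deny firewall. Pick one statement and make the other sections agree. Minor wording to fix while here: "it numbered 100 higher" should read "it is numbered 100 higher", "Only this exact ip number match the rule" should be "matches", "Only packets for the specified protocol matches" should be "match", "(ie; flush)" should be "(i.e., flush)", and `.Ar Note ,` is an odd use of the argument macro for an emphasised word.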