Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/ipfw/ipfw.8 | 437 |
1 files changed, 307 insertions, 130 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 17201d8..c78c07e 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 
@@ -1,141 +1,318 @@ .Dd November 16, 1994 -.Dt IPFW 8 -.Os +.Dt IPFW 8 SMM +.Os FreeBSD .Sh NAME -ipfw - controlling utility for ipfw/ipacct facilities. - +.Nm ipfw +.Nd controlling utility for IP firewall / IP accounting facilities. .Sh SYNOPSIS - - ipfw [-n] <entry-action> <chain entry pattern> - ipfw [-ans] <chain-action> <chain[s] type> - +.Nm +.Oo +.Fl n +.Oc +.Ar entry_action chain_entry_pattern +.Nm ipfw +.Oo +.Fl ans +.Oc +.Ar chain_action chain[s]_type +.\" ipfw [-n] <entry-action> <chain entry pattern> +.\" ipfw [-ans] <chain-action> <chain[s] type> .Sh DESCRIPTION - In the first synopsis form, the ipfw utility allows control of firewall -and accounting chains. - In the second synopsis form, the ipfw utility allows setting of global -firewall/accounting properties and listing of chain contents. - +In the first synopsis form, +.Nm +controls the firewall and accounting chains. In the second +synopsis form, +.Nm +sets the global firewall / accounting properties and +show the chain list's contents. +.Pp The following options are available: +.Bl -tag -width flag +.It Fl a +While listing, show counter values. This option is the only way to see +accounting records. Works only with +.Fl s +.It Fl n +Do not resolve anything. When setting entries, do not try to resolve a +given address. When listing, display addresses in numeric form. +.It Fl s +Short listing form. By default, the listing format is compatible with +.Nm +input string format, so you can save listings to file and then reuse +them. With this option list format is much more short but incompatible +with the +.Nm +syntax. +.El +.Pp +These are the valid +.Ar entry_actions : +.Bl -hang -offset flag -width 1234567890123456 +.It Nm addf[irewall] +add entry to firewall chain. +.It Nm delf[irewall] +remove entry from firewall chain. +.It Nm adda[ccounting] +add entry to accounting chain. +.It Nm dela[ccounting] +remove entry from accounting chain. 
+.It Nm clr[accounting] +clear counters for accounting chain entry. +.El +.Pp +If no +.Ar entry_action +is specified, it will default to +.Nm addf[irewall] +or +.Nm adda[ccounting] , +depending on the +.Ar chain_entry_pattern +specified. +.Pp +The valid +.Ar chain_actions +are: +.Bl -hang -offset flag -width 123456789 +.It Nm f[lush] +remove all entries in firewall / accounting chains. +.It Nm l[ist] +display all entries in firewall / accounting chains. +.It Nm z[ero] +clear chain counters (accounting only). +.It Nm p[olicy] +set default policy properties. +.El +.Pp +The +.Ar chain_entry_pattern +structure is: +.Pp +.Dl [keyword] [protocol] [address pattern] +.Pp +For the firewall chain, valid +.Em keywords +are: +.Bl -hang -offset flag -width 12345678 +.It Nm reject +Reject the packet, and send an +.Tn ICMP HOST_UNREACHABLE +packet to the source. +.It Nm lreject +The same as +.Nm reject , +but also log the packets details. +.It Nm deny +Reject the packet. +.It Nm ldeny +The same as +.Nm deny , +but also log the packets details. +.It Nm log +Accept the packet, and log it. +.It Nm accept +Accept the packet (obviously). +.It Nm pass +A synonym for accept. +.El --a While listing,show counter values-this option is the only way to - see accounting records.Works only with -s. - --n Do not resolve anything. When setting entries, do not try to resolve - a given address. When listing, display addresses in numeric form. - --s Short listing form.By default listing format is compatible with ipfw - input string format,so you can save listings to file and then reuse - them. With this option list format is much more short but - incompatible with ipfw syntacs. - -These are <entry-actions>: - - addf[irewall] - add entry to firewall chain. - delf[irewall] - remove entry from firewall chain. - adda[ccounting] - add entry to accounting chain. - dela[ccounting] - remove entry from accounting chain. - clr[accounting] - clear counters for accounting chain entry. 
- -If no <entry-action> specified,default addf[irewall] or add[accounting] -will be used,depending on <chain-entry pattern> specified. - -These are <chain-actions>: - f[lush] - remove all entries in firewall/accounting chains. - l[ist] - show all entries in firewall/accounting chains. - z[ero] - clear chain counters(accounting only). - p[olicy] - set default policy properties. - -This is <chain-entry pattern> structure: - For forwarding/blocking chains: - lreject <proto/addr pattern> reject packet,send ICMP unreachable and log. - reject <proto/addr pattern> reject packet,send ICMP unreachable. - ldeny <proto/addr pattern> reject packet,log it. - deny <proto/addr pattern> reject packet. - log <proto/addr pattern> allow packet,log it. - accept <proto/addr pattern> allow packet. - pass <proto/addr pattern> allow packet. - For accounting chain: - single <proto/addr pattern> log packets matching entry. - bidirectional <proto/addr pattern> log packets matching entry and - those going in opposite direction (from entry - "dst" to "src"). - +.Pp +For the accounting chain, valid +.Em keywords +are: +.Bl -tag -width flag +.It Nm single +Log packets matching entry. +.It Nm bidirectional +Log packets matching entry and also those going in the +opposite direction (from +.Dq dst +to +.Dq src ) . +.El +.Pp Each keyword will be recognized by the shortest unambigious prefix. - -The <proto/addr pattern> is: - all|icmp from <src addr/mask> to <dst addr/mask> [via <via>] - tcp[syn]|udp from <src addr/mask>[ports] to <dst addr/mask>[ports][via <via>] - all matches any IP packet. - icmp,tcp and udp - packets for corresponding protocols. - syn - tcp SYN packets (which used when initiating connection). - - -The order of from/to/via keywords is unimportant.You can skip any -of them,which will be then substituted by default entry matching -any from/to/via packet kind. 
- -The <src addr/mask>: - <INET IP addr | domain name> [/mask bits | :mask pattern] - Mask bits is a decimal number of bits set in the address mask. - Mask pattern has form of IP address and AND'ed logically with address given. - Keyword "any" can be used to specify 'any IP'. - [ports]: [ port,port....|port:port] - Name of service can be used instead of port numeric value. - -The via <via> is optional and may specify IP address/domain name of local - IP interface, or interface name (e.g. ed0) to match only packets coming - through this interface.The IP or name given is NOT checked, and wrong - value of IP causes entry to not match anything. - Keyword 'via' can be substituted by 'on',for readability reasons. - -To l[ist] command may be passed: - f[irewall] | a[ccounting] to list specific chain or none to list -all of chains.Long output format compatible with utility input syntacs. - -To f[lush] command may be passed: - f[irewall] | a[ccounting] to remove all entries from firewall or -from accounting chain.Without arguments removes all chain entries. - -To z[ero] command no arguments needed,this command clears counters for -whole accounting chain. - -The p[olicy] command can be given a[ccept]|d[eny] to set default policy -as denial/accepting.Without arguments current default policy displayed. - +.Pp +Recognised +.Em protocols +are: +.Bl -hang -offset flag -width 123456 +.It Nm all +Matches any IP packet. +.It Nm icmp +Matches ICMP packets. +.It Nm tcp +Matches TCP packets. +.It Nm udp +Matches UDP packets. +.It Nm syn +Matches the TCP SYN packet used in initiating a TCP connection. It +does not match the packet returned from a destination machine which +has the SYN and ACK bits set. +.El +.Pp +The +.Em address pattern +is: +.Pp +.Dl from <address/mask>[ports] to <address/mask][ports] [via <interface>] +.Pp +You can only specify +.Em ports +with +.Em protocols +which actually have ports (TCP, UDP and SYN). +.Pp +The order of +.Sq from/to/via +keywords is unimportant. 
You can skip any of them, which will be +then substituted by default entry matching any +.Sq from/to/via +packet kind. +.Pp +The +.Em <address/mask> +is defined as: +.Pp +.Dl <address|name>[/mask_bits|:mask_pattern] +.Pp +.Em mask bits +is the decimal number of bits set in the address mask. +.Em mask pattern +has the form of an IP address to be AND'ed logically with the address +given. The keyword +.Em any +can be used to specify +.Dq any IP . +The IP address or name given is +.Em NOT +checked, and the wrong value +causes the entry to not match anything. +.Pp +The +.Em ports +to be blocked are specified as: +.Dl Ns port Ns Op ,port Ns Op ,... +or: +.Dl port:port +.Pp +to specify a range of ports. The name of a service (from +.Pa /etc/services ) +can be used instead of +a numeric port value. +.Pp +The +.Em via <interface> +entry is optional and may specify IP address/domain name of local IP +interface, or interface name (e.g. +.Em ed0 ) +to match only packets coming +through this interface. The keyword +.Em via +can be substituted by +.Em on , +for readability reasons. +.Pp +The +.Em l[ist] +command may be passed: +.Pp +.Dl f[irewall] | a[ccounting] +.Pp +to list specific chain or none to list all of chains. The long output +format (default) is compatible with the syntax used by the +.Nm +utility. +.Pp +The +.Em f[lush] +command may be passed: +.Pp +.Dl f[irewall] | a[ccounting] +.Pp +to remove all entries from firewall or from accounting chain. Without +an argument it will remove all entries from both chains. +.Pp +The +.Em z[ero] +command needs no arguments. This command clears all counters for the +entire accounting chain. +.Pp +The +.Em p[olicy] +command can be given +.Pp +.Dl a[ccept] | d[eny] +.Pp +to set default policy as denial/acceptance. Without an angument, the +current policy status is displayed. 
.Sh EXAMPLES - - This command add entry which denies all tcp packets from -hacker.evil.org to telnet port of wolf.tambov.su from being -forwarded by the host: - ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet - - This one disallows any connection from entire hackers network -to my host: - ipfw addf deny all from 123.45.67.8/24 to my.host.org - - Here is good usage of list command to see accounting records: - ipfw -sa list accounting (or in short form ipfw -sa l a ). - - Much more examples can be found in files: - /usr/share/FAQ/ipfw.FAQ (missing for the moment) - +This command adds an entry which denies all tcp packets from +.Em hacker.evil.org +to the telnet port of +.Em wolf.tambov.su +from being forwarded by the host: +.Pp +.Dl ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet +.Pp +This one disallows any connection from the entire hackers network to +my host: +.Pp +.Dl ipfw addf deny all from 123.45.67.0/24 to my.host.org +.Pp +Here is good usage of list command to see accounting records: +.Pp +.Dl ipfw -sa list accounting +.Pp +or in short form +.Pp +.Dl ipfw -sa l a +.Pp +Many more examples can be found in the file: +.Dl Pa /usr/share/FAQ/ipfw.FAQ +(missing for the moment) .Sh SEE ALSO -ip(4),ipfirewall(4),ipaccounting(4),reboot(8) - +.Xr gethostbyname 3 , +.Xr getservbyport 3 , +.Xr ip 4 , +.Xr ipfirewall 4 , +.Xr ipaccounting 4 , +.Xr reboot 8 , +.Xr syslogd 8 .Sh BUGS - WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!! - This programm can put your computer in rather unusable state. -First time try using it from console and do *NOT* do anything -you don't understand. - Remember that "ipfw flush" can solve all the problemms. -Also take in your mind that "ipfw policy deny" combined with -some wrong chain entry(possible the only entry which designed -to deny some external packets), can close your computer from -outer world for good. - +Currently there is no method for filtering out specific types of ICMP +packets. 
Either you don't filter ICMP at all, or all ICMP packets are +filtered. +.Pp +The system has a rule weighting system for the firewall chain. This +means that rules are not used in the order that they are specified. To +see what rule ordering is used, use the +.Em list +command. +.Pp +.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!! +.Pp +This program can put your computer in rather unusable state. When +using it for the first time, work on the console of the computer, and +do +.Em NOT +do anything you don't understand. +.Pp +Remember that +.Dq ipfw flush +can solve all the problems. Bear in mind that +.Dq ipfw policy deny +combined with some wrong chain entry (possible the only entry, which +is designed to deny some external packets), can close your computer +from the outer world for good (or at least until you can get to the +console). .Sh HISTORY - Initially this utility was written for BSDI by: - Daniel Boulet <danny@BouletFermat.ab.ca> - The FreeBSD version is written completely by: - Ugen J.S.Antsilevich <ugen@NetVision.net.il> - while synopsis partially compatible with old one. +Initially this utility was written for BSDI by: +.Pp +.Dl Daniel Boulet <danny@BouletFermat.ab.ca> +.Pp +The FreeBSD version is written completely by: +.Pp +.Dl Ugen J.S.Antsilevich <ugen@FreeBSD.ORG> +.Pp +while the synopsis is partially compatible with the old one. |
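Review bot: the address-pattern synopsis in the new DESCRIPTION has a mismatched bracket in the destination field, `.Dl from <address/mask>[ports] to <address/mask][ports] [via <interface>]`, where `<address/mask]` should read `<address/mask>`; since this line is the one place the page defines how a rule's from/to/via clause is written, it should be corrected before the rest of the mdoc conversion lands. A few smaller wording points in the same hunk: "show the chain list's contents" should be "shows the chain list's contents" to agree with "sets"; "unambigious" should be "unambiguous"; "Without an angument" should be "Without an argument"; "log the packets details" should be "log the packet's details"; and the `.It Fl a` entry ends "Works only with .Fl s" with no terminating period, unlike the other option entries. The change from `123.45.67.8/24` to `123.45.67.0/24` in the EXAMPLES section is a welcome fix, since the old host-in-network form made the example's mask intent unclear.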