summaryrefslogtreecommitdiffstats
path: root/sbin
diff options
context:
space:
mode:
Diffstat (limited to 'sbin')
-rw-r--r--sbin/ipfw/ipfw.829
1 files changed, 21 insertions, 8 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index e0c14cb..8c777c1 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -36,6 +36,9 @@ These are <entry-actions>:
dela[ccounting] - remove entry from accounting chain.
clr[accounting] - clear counters for accounting chain entry.
+If no <entry-action> specified,default addf[irewall] or add[accounting]
+will be used,depending on <chain-entry pattern> specified.
+
These are <chain-actions>:
f[lush] - remove all entries in firewall/accounting chains.
l[ist] - show all entries in firewall/accounting chains.
@@ -44,17 +47,20 @@ These are <chain-actions>:
This is <chain-entry pattern> structure:
For forwarding/blocking chains:
- lr[eject] <proto/addr pattern> reject packet,send ICMP unreachable and log.
- r[eject] <proto/addr pattern> reject packet,send ICMP unreachable.
- ld[eny] <proto/addr pattern> reject packet,log it.
- d[eny] <proto/addr pattern> reject packet.
- l[og] <proto/addr pattern> allow packet,log it.
- a[ccept] <proto/addr pattern> allow packet.
+ lreject <proto/addr pattern> reject packet,send ICMP unreachable and log.
+ reject <proto/addr pattern> reject packet,send ICMP unreachable.
+ ldeny <proto/addr pattern> reject packet,log it.
+ deny <proto/addr pattern> reject packet.
+ log <proto/addr pattern> allow packet,log it.
+ accept <proto/addr pattern> allow packet.
+ pass <proto/addr pattern> allow packet.
For accounting chain:
- s[ingle] <proto/addr pattern> log packets matching entry.
- b[idirectional] <proto/addr pattern> log packets matching entry and
+ single <proto/addr pattern> log packets matching entry.
+ bidirectional <proto/addr pattern> log packets matching entry and
those going in opposite direction (from entry
"dst" to "src").
+
+Each keyword will be recognized by the shortest unambigious prefix.
The <proto/addr pattern> is:
all|icmp from <src addr/mask> to <dst addr/mask> [via <via>]
@@ -62,11 +68,17 @@ The <proto/addr pattern> is:
all matches any IP packet.
icmp,tcp and udp - packets for corresponding protocols.
tcpsyn - tcp SYN packets (which used when initiating connection).
+
+
+The order of from/to/via keywords is unimportant.You can skip any
+of them,which will be then substituted by default entry matching
+any from/to/via packet kind.
The <src addr/mask>:
<INET IP addr | domain name> [/mask bits | :mask pattern]
Mask bits is a decimal number of bits set in the address mask.
Mask pattern has form of IP address and AND'ed logically with address given.
+ Keyword "any" can be used to specify 'any IP'.
[ports]: [ port,port....|port:port]
Name of service can be used instead of port numeric value.
@@ -74,6 +86,7 @@ The via <via> is optional and may specify IP address/domain name of local
IP interface, or interface name (e.g. ed0) to match only packets coming
through this interface.The IP or name given is NOT checked, and wrong
value of IP causes entry to not match anything.
+ Keyword 'via' can be substituted by 'on',for readability reasons.
To l[ist] command may be passed:
f[irewall] | a[ccounting] to list specific chain or none to list
OpenPOWER on IntegriCloud