path: root/sbin/ipfw/ipfw.8
blob: c78c07e65689d59a16222439b3f0bf94d85511f5 (plain)
.Dd November 16, 1994
.Dt IPFW 8 SMM
.Os FreeBSD
.Sh NAME
.Nm ipfw
.Nd controlling utility for IP firewall / IP accounting facilities
.Sh SYNOPSIS
.Nm
.Oo
.Fl n
.Oc
.Ar entry_action chain_entry_pattern
.Nm ipfw
.Oo
.Fl ans
.Oc
.Ar chain_action chain[s]_type
.\" ipfw [-n]   <entry-action>  <chain entry pattern>
.\" ipfw [-ans] <chain-action>  <chain[s] type>
.Sh DESCRIPTION
In the first synopsis form, 
.Nm
controls the firewall and accounting chains. In the second
synopsis form,
.Nm
sets the global firewall / accounting properties and
shows the chain list's contents.
.Pp
The following options are available:
.Bl -tag -width flag
.It Fl a
While listing, show counter values. This option is the only way to see
accounting records. It works only with
.Fl s .
.It Fl n
Do not resolve anything. When setting entries, do not try to resolve a
given address. When listing, display addresses in numeric form.
.It Fl s
Short listing form. By default, the listing format is compatible with
.Nm
input string format, so you can save listings to file and then reuse
them. With this option the listing is much shorter but incompatible
with the
.Nm
input syntax.
.El
.Pp
These are the valid
.Ar entry_actions :
.Bl -hang -offset flag -width 1234567890123456
.It Nm addf[irewall]
add entry to firewall chain.
.It Nm delf[irewall]
remove entry from firewall chain.
.It Nm adda[ccounting]
add entry to accounting chain.
.It Nm dela[ccounting]
remove entry from accounting chain.
.It Nm clr[accounting]
clear counters for accounting chain entry.
.El
.Pp
If no
.Ar entry_action
is specified, it will default to
.Nm addf[irewall]
or
.Nm adda[ccounting] ,
depending on the
.Ar chain_entry_pattern
specified.
.Pp
The valid
.Ar chain_actions
are:
.Bl -hang -offset flag -width 123456789
.It Nm f[lush]
remove all entries in firewall / accounting chains.
.It Nm l[ist]
display all entries in firewall / accounting chains.
.It Nm z[ero]
clear chain counters (accounting only).
.It Nm p[olicy]
set default policy properties.
.El
.Pp
The
.Ar chain_entry_pattern
structure is:
.Pp
.Dl [keyword] [protocol] [address pattern]
.Pp
For the firewall chain, valid
.Em keywords
are:
.Bl -hang -offset flag -width 12345678
.It Nm reject
Reject the packet, and send an
.Tn ICMP HOST_UNREACHABLE
packet to the source.
.It Nm lreject
The same as
.Nm reject ,
but also log the packet's details.
.It Nm deny
Reject the packet.
.It Nm ldeny
The same as
.Nm deny ,
but also log the packet's details.
.It Nm log
Accept the packet, and log it.
.It Nm accept
Accept the packet (obviously).
.It Nm pass
A synonym for accept.
.El
.Pp
For the accounting chain, valid
.Em keywords
are:
.Bl -tag -width flag
.It Nm single
Log packets matching entry.
.It Nm bidirectional
Log packets matching entry and also those going in the
opposite direction (from 
.Dq dst
to
.Dq src ) .
.El
.Pp
Each keyword will be recognized by its shortest unambiguous prefix.
.Pp
Recognised
.Em protocols
are:
.Bl -hang -offset flag -width 123456
.It Nm all
Matches any IP packet.
.It Nm icmp
Matches ICMP packets.
.It Nm tcp
Matches TCP packets.
.It Nm udp
Matches UDP packets.
.It Nm syn
Matches the TCP SYN packet used in initiating a TCP connection. It
does not match the packet returned from a destination machine which
has the SYN and ACK bits set.
.El
.Pp
The
.Em address pattern
is:
.Pp
.Dl from <address/mask>[ports] to <address/mask>[ports] [via <interface>]
.Pp
You can only specify
.Em ports
with
.Em protocols
which actually have ports (TCP, UDP and SYN).
.Pp
The order of the
.Sq from/to/via
keywords is unimportant. Any of them may be omitted, in which case a
default entry is substituted that matches any
.Sq from/to/via
packet.
.Pp
The
.Em <address/mask>
is defined as:
.Pp
.Dl <address|name>[/mask_bits|:mask_pattern]
.Pp
.Em mask bits
is the decimal number of bits set in the address mask.
.Em mask pattern
has the form of an IP address to be AND'ed logically with the address
given. The keyword
.Em any
can be used to specify 
.Dq any IP .
The IP address or name given is
.Em NOT
checked, and a wrong value
causes the entry to match nothing.
.Pp
The
.Em ports
to be blocked are specified as:
.Pp
.Dl port Ns Op ,port Ns Op ,...
.Pp
or:
.Pp
.Dl port:port
.Pp
to specify a range of ports. The name of a service (from 
.Pa /etc/services )
can be used instead of
a numeric port value.
.Pp
The
.Em via <interface>
entry is optional and may specify the IP address or domain name of a
local IP interface, or an interface name (e.g.
.Em ed0 ) ,
to match only packets coming
through that interface. The keyword
.Em via
may be replaced by
.Em on
for readability.
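.Pp
The following is an added example, not code from ipfw or FreeBSD: a small Python pre-flight check that parses the
.Ar chain_entry_pattern
syntax above and flags the mistakes ipfw itself does not check (a malformed address, ports given with a protocol that has none, host bits that the mask will AND away); the function names and the choice to pass host names through unresolved are assumptions of this example.

```python
import ipaddress
# Added example, not code from ipfw or FreeBSD: a pre-flight check for the
# chain_entry_pattern described above. ipfw does NOT check the address given
# (a wrong value silently matches nothing), so validate before loading a rule.
PORT_PROTOCOLS = {"tcp", "udp", "syn"}   # the only protocols that carry ports
KEYWORDS = {"from", "to", "via", "on"}   # "on" is a synonym for "via"

def parse_addr_mask(spec):
    """<address|name>[/mask_bits|:mask_pattern] -> (network, problems)."""
    if spec == "any":                     # keyword for "any IP"
        return "0.0.0.0/0", []
    addr, sep, mask = spec.partition("/") if "/" in spec else spec.partition(":")
    mask = mask or "32"                   # no mask given: exact host
    if not addr[:1].isdigit():            # a name: left for ipfw to resolve
        return f"{addr}/{mask}", []
    try:                                  # rejects bad octets and bad masks
        iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
    except ValueError as e:
        return None, [f"{spec}: {e}"]
    net = iface.network.with_prefixlen
    if iface.ip != iface.network.network_address:
        return net, [f"{spec}: host bits are ANDed away, entry matches {net}"]
    return net, []

def parse_rule(rule):
    """'<protocol> [from A [ports]] [to B [ports]] [via IF]' -> (fields, problems).
    from/to/via may appear in any order; a missing one defaults to match-any."""
    toks = rule.split()
    proto, toks = toks[0], toks[1:]
    out = {"proto": proto, "from": "0.0.0.0/0", "to": "0.0.0.0/0", "via": None}
    problems, i = [], 0
    while i < len(toks):
        kw = toks[i]
        if kw not in KEYWORDS or i + 1 == len(toks):
            problems.append(f"unexpected token {kw!r}, parsing stopped")
            break
        arg, i = toks[i + 1], i + 2
        if kw in ("via", "on"):
            out["via"] = arg
            continue
        out[kw], p = parse_addr_mask(arg)
        problems += p
        if i < len(toks) and toks[i] not in KEYWORDS:   # optional port list
            if proto not in PORT_PROTOCOLS:
                problems.append(f"ports {toks[i]!r} not allowed with {proto!r}")
            out[kw + "_ports"] = toks[i]
            i += 1
    return out, problems
```

Run it over a candidate rule before handing the same string to ipfw; an empty problems list means the entry at least parses as the manual describes.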
.Pp
The
.Em l[ist]
command may be passed:
.Pp
.Dl f[irewall] | a[ccounting]
.Pp
to list a specific chain, or nothing to list all chains. The long output
format (default) is compatible with the syntax accepted by the
.Nm
utility.
.Pp
The
.Em f[lush]
command may be passed:
.Pp
.Dl f[irewall] | a[ccounting]
.Pp
to remove all entries from the firewall or the accounting chain. Without
an argument it removes all entries from both chains.
.Pp
The
.Em z[ero]
command needs no arguments. This command clears all counters for the
entire accounting chain.
.Pp
The
.Em p[olicy]
command can be given
.Pp
.Dl a[ccept] | d[eny]
.Pp
to set the default policy to deny or accept. Without an argument, the
current policy status is displayed.
.Sh EXAMPLES
This command adds an entry which denies all TCP packets from
.Em hacker.evil.org
to the telnet port of
.Em wolf.tambov.su ,
so they are not forwarded by the host:
.Pp
.Dl ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet
.Pp 
This one disallows any connection from the entire hackers' network to
my host:
.Pp
.Dl ipfw addf deny all from 123.45.67.0/24 to my.host.org
.Pp
Here is a typical use of the list command to see accounting records:
.Pp
.Dl ipfw -sa list accounting
.Pp
or in short form
.Pp
.Dl ipfw -sa l a
.Pp
Many more examples can be found in the file:
.Dl Pa /usr/share/FAQ/ipfw.FAQ
(missing for the moment)
.Sh SEE ALSO
.Xr gethostbyname 3 ,
.Xr getservbyport 3 ,
.Xr ip 4 ,
.Xr ipfirewall 4 ,
.Xr ipaccounting 4 ,
.Xr reboot 8 ,
.Xr syslogd 8
.Sh BUGS
Currently there is no method for filtering out specific types of ICMP
packets. Either you don't filter ICMP at all, or all ICMP packets are
filtered.
.Pp
The system has a rule weighting system for the firewall chain. This
means that rules are not used in the order that they are specified. To
see what rule ordering is used, use the
.Em list
command.
.Pp
.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
.Pp
This program can put your computer in a rather unusable state. When
using it for the first time, work on the console of the computer, and
do
.Em NOT
do anything you don't understand.
.Pp
Remember that
.Dq ipfw flush
can solve all the problems.  Bear in mind that
.Dq ipfw policy deny
combined with some wrong chain entry (possibly the only entry, which
was meant to deny some external packets) can cut your computer off
from the outside world for good (or at least until you can get to the
console).
.Sh HISTORY
Initially this utility was written for BSDI by:
.Pp
.Dl Daniel Boulet <danny@BouletFermat.ab.ca>
.Pp
The FreeBSD version is written completely by:
.Pp
.Dl Ugen J.S.Antsilevich <ugen@FreeBSD.ORG>
.Pp
while the synopsis is partially compatible with the old one.