Convert manpage to -mandoc macros.

Submitted by:	Gary Palmer <gary@palmer.demon.co.uk>

Minor cleanup by me in the English.
Nate Williams 1995-10-26 05:36:24 +00:00
parent 90b430e870
commit 01fc1ee969
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=11796


@ -1,141 +1,318 @@
.Dd November 16, 1994 .Dd November 16, 1994
.Dt IPFW 8 .Dt IPFW 8 SMM
.Os .Os FreeBSD
.Sh NAME .Sh NAME
ipfw - controlling utility for ipfw/ipacct facilities. .Nm ipfw
.Nd controlling utility for IP firewall / IP accounting facilities.
.Sh SYNOPSIS .Sh SYNOPSIS
.Nm
ipfw [-n] <entry-action> <chain entry pattern> .Oo
ipfw [-ans] <chain-action> <chain[s] type> .Fl n
.Oc
.Ar entry_action chain_entry_pattern
.Nm ipfw
.Oo
.Fl ans
.Oc
.Ar chain_action chain[s]_type
.\" ipfw [-n] <entry-action> <chain entry pattern>
.\" ipfw [-ans] <chain-action> <chain[s] type>
.Sh DESCRIPTION .Sh DESCRIPTION
In the first synopsis form, the ipfw utility allows control of firewall In the first synopsis form,
and accounting chains. .Nm
In the second synopsis form, the ipfw utility allows setting of global controls the firewall and accounting chains. In the second
firewall/accounting properties and listing of chain contents. synopsis form,
.Nm
sets the global firewall / accounting properties and
show the chain list's contents.
.Pp
The following options are available: The following options are available:
.Bl -tag -width flag
.It Fl a
While listing, show counter values. This option is the only way to see
accounting records. Works only with
.Fl s
.It Fl n
Do not resolve anything. When setting entries, do not try to resolve a
given address. When listing, display addresses in numeric form.
.It Fl s
Short listing form. By default, the listing format is compatible with
.Nm
input string format, so you can save listings to file and then reuse
them. With this option list format is much more short but incompatible
with the
.Nm
syntax.
.El
.Pp
These are the valid
.Ar entry_actions :
.Bl -hang -offset flag -width 1234567890123456
.It Nm addf[irewall]
add entry to firewall chain.
.It Nm delf[irewall]
remove entry from firewall chain.
.It Nm adda[ccounting]
add entry to accounting chain.
.It Nm dela[ccounting]
remove entry from accounting chain.
.It Nm clr[accounting]
clear counters for accounting chain entry.
.El
.Pp
If no
.Ar entry_action
is specified, it will default to
.Nm addf[irewall]
or
.Nm adda[ccounting] ,
depending on the
.Ar chain_entry_pattern
specified.
.Pp
The valid
.Ar chain_actions
are:
.Bl -hang -offset flag -width 123456789
.It Nm f[lush]
remove all entries in firewall / accounting chains.
.It Nm l[ist]
display all entries in firewall / accounting chains.
.It Nm z[ero]
clear chain counters (accounting only).
.It Nm p[olicy]
set default policy properties.
.El
.Pp
The
.Ar chain_entry_pattern
structure is:
.Pp
.Dl [keyword] [protocol] [address pattern]
.Pp
For the firewall chain, valid
.Em keywords
are:
.Bl -hang -offset flag -width 12345678
.It Nm reject
Reject the packet, and send an
.Tn ICMP HOST_UNREACHABLE
packet to the source.
.It Nm lreject
The same as
.Nm reject ,
but also log the packets details.
.It Nm deny
Reject the packet.
.It Nm ldeny
The same as
.Nm deny ,
but also log the packets details.
.It Nm log
Accept the packet, and log it.
.It Nm accept
Accept the packet (obviously).
.It Nm pass
A synonym for accept.
.El
-a While listing,show counter values-this option is the only way to .Pp
see accounting records.Works only with -s. For the accounting chain, valid
.Em keywords
-n Do not resolve anything. When setting entries, do not try to resolve are:
a given address. When listing, display addresses in numeric form. .Bl -tag -width flag
.It Nm single
-s Short listing form.By default listing format is compatible with ipfw Log packets matching entry.
input string format,so you can save listings to file and then reuse .It Nm bidirectional
them. With this option list format is much more short but Log packets matching entry and also those going in the
incompatible with ipfw syntacs. opposite direction (from
.Dq dst
These are <entry-actions>: to
.Dq src ) .
addf[irewall] - add entry to firewall chain. .El
delf[irewall] - remove entry from firewall chain. .Pp
adda[ccounting] - add entry to accounting chain.
dela[ccounting] - remove entry from accounting chain.
clr[accounting] - clear counters for accounting chain entry.
If no <entry-action> specified,default addf[irewall] or add[accounting]
will be used,depending on <chain-entry pattern> specified.
These are <chain-actions>:
f[lush] - remove all entries in firewall/accounting chains.
l[ist] - show all entries in firewall/accounting chains.
z[ero] - clear chain counters(accounting only).
p[olicy] - set default policy properties.
This is <chain-entry pattern> structure:
For forwarding/blocking chains:
lreject <proto/addr pattern> reject packet,send ICMP unreachable and log.
reject <proto/addr pattern> reject packet,send ICMP unreachable.
ldeny <proto/addr pattern> reject packet,log it.
deny <proto/addr pattern> reject packet.
log <proto/addr pattern> allow packet,log it.
accept <proto/addr pattern> allow packet.
pass <proto/addr pattern> allow packet.
For accounting chain:
single <proto/addr pattern> log packets matching entry.
bidirectional <proto/addr pattern> log packets matching entry and
those going in opposite direction (from entry
"dst" to "src").
Each keyword will be recognized by the shortest unambigious prefix. Each keyword will be recognized by the shortest unambigious prefix.
.Pp
The <proto/addr pattern> is: Recognised
all|icmp from <src addr/mask> to <dst addr/mask> [via <via>] .Em protocols
tcp[syn]|udp from <src addr/mask>[ports] to <dst addr/mask>[ports][via <via>] are:
all matches any IP packet. .Bl -hang -offset flag -width 123456
icmp,tcp and udp - packets for corresponding protocols. .It Nm all
syn - tcp SYN packets (which used when initiating connection). Matches any IP packet.
.It Nm icmp
Matches ICMP packets.
The order of from/to/via keywords is unimportant.You can skip any .It Nm tcp
of them,which will be then substituted by default entry matching Matches TCP packets.
any from/to/via packet kind. .It Nm udp
Matches UDP packets.
The <src addr/mask>: .It Nm syn
<INET IP addr | domain name> [/mask bits | :mask pattern] Matches the TCP SYN packet used in initiating a TCP connection. It
Mask bits is a decimal number of bits set in the address mask. does not match the packet returned from a destination machine which
Mask pattern has form of IP address and AND'ed logically with address given. has the SYN and ACK bits set.
Keyword "any" can be used to specify 'any IP'. .El
[ports]: [ port,port....|port:port] .Pp
Name of service can be used instead of port numeric value. The
.Em address pattern
The via <via> is optional and may specify IP address/domain name of local is:
IP interface, or interface name (e.g. ed0) to match only packets coming .Pp
through this interface.The IP or name given is NOT checked, and wrong .Dl from <address/mask>[ports] to <address/mask][ports] [via <interface>]
value of IP causes entry to not match anything. .Pp
Keyword 'via' can be substituted by 'on',for readability reasons. You can only specify
.Em ports
To l[ist] command may be passed: with
f[irewall] | a[ccounting] to list specific chain or none to list .Em protocols
all of chains.Long output format compatible with utility input syntacs. which actually have ports (TCP, UDP and SYN).
.Pp
To f[lush] command may be passed: The order of
f[irewall] | a[ccounting] to remove all entries from firewall or .Sq from/to/via
from accounting chain.Without arguments removes all chain entries. keywords is unimportant. You can skip any of them, which will be
then substituted by default entry matching any
To z[ero] command no arguments needed,this command clears counters for .Sq from/to/via
whole accounting chain. packet kind.
.Pp
The p[olicy] command can be given a[ccept]|d[eny] to set default policy The
as denial/accepting.Without arguments current default policy displayed. .Em <address/mask>
is defined as:
.Pp
.Dl <address|name>[/mask_bits|:mask_pattern]
.Pp
.Em mask bits
is the decimal number of bits set in the address mask.
.Em mask pattern
has the form of an IP address to be AND'ed logically with the address
given. The keyword
.Em any
can be used to specify
.Dq any IP .
The IP address or name given is
.Em NOT
checked, and the wrong value
causes the entry to not match anything.
.Pp
The
.Em ports
to be blocked are specified as:
.Dl Ns port Ns Op ,port Ns Op ,...
or:
.Dl port:port
.Pp
to specify a range of ports. The name of a service (from
.Pa /etc/services )
can be used instead of
a numeric port value.
.Pp
The
.Em via <interface>
entry is optional and may specify IP address/domain name of local IP
interface, or interface name (e.g.
.Em ed0 )
to match only packets coming
through this interface. The keyword
.Em via
can be substituted by
.Em on ,
for readability reasons.
.Pp
The
.Em l[ist]
command may be passed:
.Pp
.Dl f[irewall] | a[ccounting]
.Pp
to list specific chain or none to list all of chains. The long output
format (default) is compatible with the syntax used by the
.Nm
utility.
.Pp
The
.Em f[lush]
command may be passed:
.Pp
.Dl f[irewall] | a[ccounting]
.Pp
to remove all entries from firewall or from accounting chain. Without
an argument it will remove all entries from both chains.
.Pp
The
.Em z[ero]
command needs no arguments. This command clears all counters for the
entire accounting chain.
.Pp
The
.Em p[olicy]
command can be given
.Pp
.Dl a[ccept] | d[eny]
.Pp
to set default policy as denial/acceptance. Without an angument, the
current policy status is displayed.
.Sh EXAMPLES .Sh EXAMPLES
This command adds an entry which denies all tcp packets from
This command add entry which denies all tcp packets from .Em hacker.evil.org
hacker.evil.org to telnet port of wolf.tambov.su from being to the telnet port of
forwarded by the host: .Em wolf.tambov.su
ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet from being forwarded by the host:
.Pp
This one disallows any connection from entire hackers network .Dl ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet
to my host: .Pp
ipfw addf deny all from 123.45.67.8/24 to my.host.org This one disallows any connection from the entire hackers network to
my host:
Here is good usage of list command to see accounting records: .Pp
ipfw -sa list accounting (or in short form ipfw -sa l a ). .Dl ipfw addf deny all from 123.45.67.0/24 to my.host.org
.Pp
Much more examples can be found in files: Here is good usage of list command to see accounting records:
/usr/share/FAQ/ipfw.FAQ (missing for the moment) .Pp
.Dl ipfw -sa list accounting
.Pp
or in short form
.Pp
.Dl ipfw -sa l a
.Pp
Many more examples can be found in the file:
.Dl Pa /usr/share/FAQ/ipfw.FAQ
(missing for the moment)
.Sh SEE ALSO .Sh SEE ALSO
ip(4),ipfirewall(4),ipaccounting(4),reboot(8) .Xr gethostbyname 3 ,
.Xr getservbyport 3 ,
.Xr ip 4 ,
.Xr ipfirewall 4 ,
.Xr ipaccounting 4 ,
.Xr reboot 8 ,
.Xr syslogd 8
.Sh BUGS .Sh BUGS
WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!! Currently there is no method for filtering out specific types of ICMP
This programm can put your computer in rather unusable state. packets. Either you don't filter ICMP at all, or all ICMP packets are
First time try using it from console and do *NOT* do anything filtered.
you don't understand. .Pp
Remember that "ipfw flush" can solve all the problemms. The system has a rule weighting system for the firewall chain. This
Also take in your mind that "ipfw policy deny" combined with means that rules are not used in the order that they are specified. To
some wrong chain entry(possible the only entry which designed see what rule ordering is used, use the
to deny some external packets), can close your computer from .Em list
outer world for good. command.
.Pp
.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
.Pp
This program can put your computer in rather unusable state. When
using it for the first time, work on the console of the computer, and
do
.Em NOT
do anything you don't understand.
.Pp
Remember that
.Dq ipfw flush
can solve all the problems. Bear in mind that
.Dq ipfw policy deny
combined with some wrong chain entry (possible the only entry, which
is designed to deny some external packets), can close your computer
from the outer world for good (or at least until you can get to the
console).
.Sh HISTORY .Sh HISTORY
Initially this utility was written for BSDI by: Initially this utility was written for BSDI by:
Daniel Boulet <danny@BouletFermat.ab.ca> .Pp
The FreeBSD version is written completely by: .Dl Daniel Boulet <danny@BouletFermat.ab.ca>
Ugen J.S.Antsilevich <ugen@NetVision.net.il> .Pp
while synopsis partially compatible with old one. The FreeBSD version is written completely by:
.Pp
.Dl Ugen J.S.Antsilevich <ugen@FreeBSD.ORG>
.Pp
while the synopsis is partially compatible with the old one.
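Review bot: the new address-pattern synopsis has a mismatched bracket: `.Dl from <address/mask>[ports] to <address/mask][ports] [via <interface>]` should read `to <address/mask>[ports]`, otherwise the rendered page shows a stray `]` in the one line users copy from. A few wording slips in the converted text: `sets the global firewall / accounting properties and` is followed by `show the chain list's contents`, which needs `shows`; "angument" in the p[olicy] paragraph should be "argument"; and "unambigious" was carried over from the old text unchanged, which a conversion pass is a good moment to fix. Two mandoc points: `.Nd controlling utility for IP firewall / IP accounting facilities.` should not end with a period, since `.Nd` text is joined to the name line, and the `SMM` volume argument on `.Dt IPFW 8 SMM` is redundant with section 8, which already selects the System Manager's Manual. The Recognised protocols list presents `syn` as a protocol, while the old synopsis shows it as a tcp modifier (`tcp[syn]`); a sentence saying so would keep the list accurate. Finally, the HISTORY section changes the author's contact from `ugen@NetVision.net.il` to `ugen@FreeBSD.ORG`; that is a content change the commit message (macro conversion plus English cleanup) does not mention and is worth calling out.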