From 742d9f28f751f0b060a5f7b6ca457bbbb3505191 Mon Sep 17 00:00:00 2001 From: "Ugen J.S. Antsilevich" Date: Thu, 9 Feb 1995 13:13:18 +0000 Subject: [PATCH] Ok..at least this man page is up to date now To be continued.. --- sbin/ipfw/ipfw.8 | 128 +++++++++++++++++++++++------------------------ 1 file changed, 62 insertions(+), 66 deletions(-) diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index c1f099218d31..c7159e597835 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -6,84 +6,84 @@ ipfw - controlling utility for ipfw/ipacct facilities. .Sh SYNOPSIS - ipfw [-vn] - ipfw [-vn] - ipfw [-vn] + ipfw [-n] + ipfw [-ans] .Sh DESCRIPTION - In the first synopsis form, the ipfw utility allows adding/removing of -entries of blocking/forwarding/accounting chains. - In the second synopsis form, the ipfw utility checks whenever a given -IP packet type is accepted or denied by a blocking/forwarding firewall. - In the third synopsis form, the ipfw utility allows global actions -on chain-zeroing of counters, and flushing or listing of chain entries -and their counter values. + In the first synopsis form, the ipfw utility allows control of firewall +and accounting chains. + In the second synopsis form, the ipfw utility allows setting of global +firewall/accounting properties and listing of chain contents. The following options are available: --v be verbose. The meaning of this option varies depending on ipfw - usage. +-a While listing,show counter values-this option is the only way to + see accounting records.Works only with -s. --n do not resolve anything. When setting entries, do not try to resolve +-n Do not resolve anything. When setting entries, do not try to resolve a given address. When listing, display addresses in numeric form. +-s Short listing form.By default listing format is compatible with ipfw + input string format,so you can save listings to file and then reuse + them. With this option list format is much more short but + incompatible with ipfw syntacs. + These are : - addb[locking] - add entry to blocking firewall. - delb[locking] - remove entry from blocking firewall. - addf[orwarding] - add entry to forwarding firewall. - delf[orwarding] - remove entry from forwarding firewall. + addf[irewall] - add entry to firewall chain. + delf[irewall] - remove entry from firewall chain. adda[ccounting] - add entry to accounting chain. dela[ccounting] - remove entry from accounting chain. - -These are : - checkb[locking] - check packet against blocking firewall. - checkf[orwarding] - check packet against forwarding firewall. + clr[accounting] - clear counters for accounting chain entry. These are : f[lush] - remove all entries in firewall/accounting chains. - l[ist] - show all entries in blocking/forwarding/accounting chains. - z[ero] - clear chain counters(for now accounting only). - p[olicy] - define default firewall policy. + l[ist] - show all entries in firewall/accounting chains. + z[ero] - clear chain counters(accounting only). + p[olicy] - set default policy properties. - The build like this: +This is structure: For forwarding/blocking chains: - d[eny] - a[ccept] + vr[eject] reject packet,send ICMP unreachable and log. + r[eject] reject packet,send ICMP unreachable. + vd[eny] reject packet,log it. + d[eny] reject packet. + l[og] allow packet,log it. + va[ccept] allow packet,log it. + a[ccept] allow packet. For accounting chain: - s[ingle] - b[idirectional] + s[ingle] log packets matching entry. + b[idirectional] log packets matching entry and + those going in opposite direction (from entry + "dst" to "src"). + +The is: + all|icmp from to + tcp|tcpsyn|udp from [ports] to [ports] +all matches any IP packet. +icmp,tcp and udp - packets for corresponding protocols. +tcpsyn - tcp SYN packets (which used when initiating connection). - The is: - all|icmp from to - tcp|udp from [ports] to [ports] - - : - [/mask bits | :mask pattern] - [ports]: - [ port,port....|port:port] where name of service can be - used instead of port numeric value. +The : + [/mask bits | :mask pattern] + Mask bits is a decimal number of bits set in the address mask. + Mask pattern has form of IP address and AND'ed logically with address given. + [ports]: [ port,port....|port:port] + Name of service can be used instead of port numeric value. + +To l[ist] command may be passed: + f[irewall] | a[ccounting] to list specific chain or none to list +all of chains.Long output format compatible with utility input syntacs. -When entry added to chain and -v option used,entry added with -PRN flag set. - -The build exactly like . - - To l[ist] command may be passed: -f[orwarding]|b[locking]|a[ccounting] to list specific chain or none -to list all of them.Option -v causes output format to change so that -packet/bytes counters printed.Standart output format fully suitable -to be used as . - - To f[lush] command may be passed: -f[irewall]|a[ccounting] to remove all entries from forwarding/blocking -chains or from accounting chain.No arguments removes all chain entries. +To f[lush] command may be passed: + f[irewall] | a[ccounting] to remove all entries from firewall or +from accounting chain.Without arguments removes all chain entries. - To z[ero] command no arguments needed,and all counters of accounting -chain zeroed. +To z[ero] command no arguments needed,this command clears counters for +whole accounting chain. - To p[olicy] command accepts a[ccept]|d[eny] to define default policy -as denial/accepting.Withno arguments current default policy displayed. +The p[olicy] command can be given a[ccept]|d[eny] to set default policy +as denial/accepting.Without arguments current default policy displayed. .Sh EXAMPLES @@ -94,17 +94,16 @@ forwarded by the host: This one disallows any connection from entire hackers network to my host: - ipfw addb deny all from 123.45.67.8/24 to my.host.org + ipfw addf deny all from 123.45.67.8/24 to my.host.org - Here is useful usage of lt] command to see accounting records: - ipfw -v list accounting (or in short form ipfw -v l a ). + Here is good usage of list command to see accounting records: + ipfw -sa list accounting (or in short form ipfw -sa l a ). Much more examples can be found in files: - /usr/share/misc/ipfw.samp.filters - /usr/share/misc/ipfw.samp.scripts + /usr/share/FAQ/ipfw.FAQ (missing for the moment) .Sh SEE ALSO -ipfirewall(4),ipaccounting(4),reboot(8) +ip(4),ipfirewall(4),ipaccounting(4),reboot(8) .Sh BUGS WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!! @@ -114,11 +113,8 @@ you don't understand. Remember that "ipfw flush" can solve all the problemms. Also take in your mind that "ipfw policy deny" combined with some wrong chain entry(possible the only entry which designed -to deny some external packets) can close your computer from +to deny some external packets), can close your computer from outer world for good. - Besides of misuse the only known bug is that entry added -with -v option set should be deleted with same option, -but there is no way to see this in list command. .Sh HISTORY Initially this utility was written for BSDI by: