diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 5b419ee2fc82..1b3832b9da43 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -10,6 +10,46 @@ .Sh SYNOPSIS .Nm .Op Fl q +.Cm add +.Ar rule +.Nm +.Op Fl q +.Cm delete +.Op Cm set +.Op Ar number ... +.Nm +.Op Fl adeftNS +.Brq Cm list | show +.Op Ar number ... +.Nm +.Op Fl f | q +.Cm flush +.Nm +.Op Fl q +.Brq Cm zero | resetlog +.Op Cm set +.Op Ar number ... +.Nm +.Op Fl q +.Brq Cm disable | enable +.Cm set +.Op Ar number ... +.Nm +.Cm show sets +.Pp +.Nm +.Brq Cm pipe | queue +.Ar number +.Cm config +.Ar config-options +.Nm +.Op Fl s Op Ar field +.Brq Cm pipe | queue +.Brq Cm delete | list | show +.Op Ar number ... +.Pp +.Nm +.Op Fl q .Oo .Fl p Ar preproc .Oo Fl D 
@@ -18,67 +58,49 @@ .Op Fl U Ar macro .Oc .Ar pathname -.Nm -.Op Fl f | q -.Cm flush -.Nm -.Op Fl q -.Brq Cm zero | resetlog | delete -.Op Ar number ... -.Nm -.Op Fl s Op Ar field -.Op Fl adeftN -.Brq Cm list | show -.Op Ar number ... -.Nm -.Op Fl q -.Cm add -.Op Ar number -.Ar rule-body -.Nm -.Cm pipe -.Ar number -.Cm config -.Ar pipe-config-options -.Nm -.Cm pipe -.Brq Cm delete | list | show -.Op Ar number ... -.Nm -.Cm queue -.Ar number -.Cm config -.Ar queue-config-options -.Nm -.Cm queue -.Brq Cm delete | list | show -.Op Ar number ... .Sh DESCRIPTION The .Nm utility is the user interface for controlling the -.Xr ipfirewall 4 -and the +.Xr ipfw 4 +firewall and the .Xr dummynet 4 traffic shaper in .Fx . .Pp -A firewall configuration is made of a list of numbered rules, -which is scanned for each incoming or outgoing IP packet -until a match is found and -the relevant action is performed. -Depending on the action and certain system settings, packets -can be reinjected into the firewall at the rule after the -matching one for further processing. -All rules apply to all interfaces, so it is responsibility -of the system administrator to write the ruleset in such a -way as to minimize the number of checks. +An +.Nm +configuration, or +.Em ruleset , +is made of a list of +.Em rules +numbered from 1 to 65535. +Packets are passed to +.Nm +in a number of different places in the protocol stack +(depending on the source and destination of the packet, +it is possible that +.Nm +is invoked multiple times on the same packet). +The packet passed to the firewall is compared +against each of the rules in the firewall +.Em ruleset . +When a match is found, the action corresponding to the +matching rule is performed. .Pp -A configuration always includes a -.Em DEFAULT +Depending on the action and certain system settings, packets +can be reinjected into the firewall at some rule after the +matching one for further processing. 
+.Pp +An +.Nm +ruleset always includes a +.Em default rule (numbered 65535) which cannot be modified, and matches all packets. -The action associated with the default rule can be either +The action associated with the +.Em default +rule can be either .Cm deny or .Cm allow @@ -97,9 +119,10 @@ the exact parameters (addresses and ports) of the matching packet. .Pp These dynamic rules, which have a limited lifetime, are checked at the first occurrence of a -.Cm check-state -or +.Cm check-state , .Cm keep-state +or +.Cm limit rule, and are typically used to open the firewall on-demand to legitimate traffic only. See the @@ -118,7 +141,7 @@ commands. .Pp Rules can be added with the .Cm add -command; deleted individually with the +command; deleted individually or in groups with the .Cm delete command, and globally with the .Cm flush @@ -153,6 +176,8 @@ if misused, .No i.e. Cm flush . .Em Note , if there is no tty associated with the process, this is implied. +.It Fl N +Try to resolve addresses and service names in output. .It Fl q While .Cm add Ns ing , 
@@ -176,18 +201,19 @@ If a .Cm flush is performed in normal (verbose) mode (with the default kernel configuration), it prints a message. -Because all rules are flushed, the message cannot be delivered -to the login session. -This causes the remote login session to be closed and the -remainder of the ruleset is not processed. -Access to the console is required to recover. -.It Fl t -While listing, show last match timestamp. -.It Fl N -Try to resolve addresses and service names in output. +Because all rules are flushed, the message might not be delivered +to the login session, causing the remote login session to be closed +and the remainder of the ruleset is not processed. +Access to the console would then be required to recover. +.It Fl S +While listing rules, show the set each rule belongs to. +If this flag is not specified, disabled rules will not be +listed. .It Fl s Op Ar field While listing pipes, sort according to one of the four counters (total and current packets or bytes). +.It Fl t +While listing, show last match timestamp. .El .Pp To ease configuration, rules can be put into a file which is @@ -197,8 +223,7 @@ as shown in the first synopsis line. An absolute .Ar pathname must be used. -The file -will be read line by line and applied as arguments to the +The file will be read line by line and applied as arguments to the .Nm utility. .Pp 
@@ -236,61 +261,160 @@ frequently required arguments like IP addresses. The .Nm .Cm pipe +and +.Cm queue commands are used to configure the traffic shaper, as shown in the .Sx TRAFFIC SHAPER CONFIGURATION section below. -.Sh RULE FORMAT -The +.Sh PACKET FLOW .Nm -rule format is the following: -.Bd -ragged -.Op Cm prob Ar match_probability -.Ar action -.Op Cm log Op Cm logamount Ar number -.Ar proto -.Cm from Ar src -.Cm to Ar dst -.Op Ar interface-spec -.Op Ar options +can be invoked from multiple places in the protocol stack, +under control of several system parameters, +and it is important to understand when this occurs in order to +design a proper ruleset. The places where +.Nm +is invoked are listed below, together with the sysctl variables +which control its invocation. +.Bd -literal -offset indent + ^ to upper layers V + | | + +----------->-----------+ + ^ V + [ip_input] [ip_output] net.inet.ip.fw.enable=1 + | | + ^ V +[ether_demux] [ether_output_frame] net.link.ether.ipfw=1 + | | + +-->--[bdg_forward]-->--+ net.link.ether.bridge_ipfw=1 + ^ V + | to devices | .Ed .Pp -Each packet can be filtered based on the following information that is -associated with it: +As can be noted from the above picture, the number of +times the same packet goes through the firewall can +vary between 0 and 4 depending o packet source and +destination, and system configuration. +In each of these places, the packet is passed to +.Nm +with all (and only) the fields that belong to that level. +That is, incoming packets will include the MAC header when +.Nm +is invoked from +.Cm ether_demux() , +but the same packets will have the MAC header stripped off when +.Nm +is invoked from +.Cm ip_input() . +.br +The complete ruleset is always used, +irrespective of the place where +.Nm +is invoked, or the source of the packet. +If a rule contains some match patterns or actions which are not valid +for the place of invokation (e.g. 
trying +to match a MAC header when +.Nm +is called from +.Cm ip_input() +) the rule will simply not match. It is thus responsibility of +the programmer, if necessary, to write a suitable ruleset to +differentiate among the possible places. +.Cm skipto +rules can be useful here, as an example: +.Bd -literal -offset indent +# packets from ether_demux or bdg_forward +ipfw add 10 skipto 1000 all from any to any layer2 in +# packets from ip_input +ipfw add 10 skipto 2000 all from any to any not layer2 in +# packets from ip_output +ipfw add 10 skipto 3000 all from any to any not layer2 out +# packets from ether_output_frame +ipfw add 10 skipto 4000 all from any to any layer2 out +.Ed .Pp -.Bl -tag -width "Source and destination IP address" -offset indent -compact -.It Protocol -(TCP, UDP, ICMP, etc.) -.It Source and destination IP address -(possibly masked) -.It Source and destination port -(lists, ranges or masks) +(yes, at the moment there is no way to differentiate between +ether_demux and bdg_forward). +.Sh RULE FORMAT +The format of +.Nm +rules is the following: +.Bd -ragged -offset indent +.Op Ar rule_number +.Op Cm set Ar set_number +.Op Cm prob Ar match_probability +.br +.Ar " " action +.Op Cm log Op Cm logamount Ar number +.Ar body +.Ed +.Pp +where the body of the rule specifies which information is used +for filtering packets, among the following: +.Pp +.Bl -tag -width "Source and dest. addresses and ports" -offset XXX -compact +.It Layer-2 header fields +When available +.It IPv4 Protocol +TCP, UDP, ICMP, etc. +.It Source and dest. addresses and ports .It Direction -(incoming or outgoing) +See Section +.Sx PACKET FLOW .It Transmit and receive interface -(by name or address) -.It IP version -.It IP type of service -.It IP datagram length -.It IP identification -.It IP fragment flag -(non-zero IP offset) -.It IP time to live +By name or address +.It Misc. 
IP header fields +Version, type of service, datagram length, identification, +fragment flag (non-zero IP offset), +Time To Live .It IP options -.It TCP sequence number -.It TCP acknowledgment number -.It TCP flags -(SYN, FIN, ACK, RST, etc.) -.It TCP window +.It Misc. TCP header fields +TCP flags (SYN, FIN, ACK, RST, etc.), +sequence number, acknowledgment number, +window .It TCP options .It ICMP types -(for ICMP packets) -.It User/group ID of the socket associated with the packet +for ICMP packets +.It User/group ID +When the packet can be associate to a local socket. .El .Pp -Note that it may be dangerous to filter on the source IP -address or source TCP/UDP port because either or both could -easily be spoofed. +Note that some of the above information, e.g. source MAC or IP addresses and +TCP/UDP ports, could easily be spoofed, so filtering on those fields +alone might not guarantee the desired results. .Bl -tag -width indent +.It Ar rule_number +Each rule is associated with a +.Ar rule_number +in the range 1..65535, with the latter reserved for the +.Em default +rule. +Rules are checked sequentially by rule number. +Multiple rules can have the same number, in which case they are +checked (and listed) according to the order in which they have +been added. +If a rule is entered without specifying a number, the kernel will +assign one in such a way that the rule becomes the last one +before the +.Em default +rule. +Automatic rule numbers are assigned by incrementing the last +non-default rule number by the value of the sysctl variable +.Ar net.inet.ip.fw.autoinc_step +which defaults to 100. +If this is not possible (e.g. because we would go beyond the +maximum allowed rule number), the same number of the last +non-default value is used instead. +.It Ar set_number +Each rule is associated to a +.Ar set_number +in the range 0..31, with the latter reserved for the +.Em default +rule. 
+Sets can be individually disabled and enabled, so this parameter +is of fundamental importance for atomic ruleset manipulation. +It can be also used to simplify deletion of groups of rules. +If a rule is entered without specifying a set number, +set 0 will be used. .It Cm prob Ar match_probability A match is only declared with the specified probability (floating point number between 0 and 1). 
@@ -300,116 +424,110 @@ random packet drop or .Xr dummynet 4 ) to simulate the effect of multiple paths leading to out-of-order packet delivery. -.It Ar action : +.It Cm log Op Cm logamount Ar number +When a packet matches a rule with the +.Cm log +keyword, a message will be +logged to +.Xr syslogd 8 +with a +.Dv LOG_SECURITY +facility. +The logging only occurs if the sysctl variable +.Em net.inet.ip.fw.verbose +is set to 1 +(which is the default when the kernel is compiled with +.Dv IPFIREWALL_VERBOSE +) and the number of packets logged so far for that +particular rule does not exceed ther +.Cm logamount +parameter. +If no +.Cm logamount +is specified, the limit is taken from the sysctl variable +.Em net.inet.ip.fw.verbose_limit . +In both cases, a value of 0 +removes the logging limit. +.Pp +Once the limit is reached, logging can be re-enabled by +clearing the logging counter +or the packet counter for that entry, see the +.Cm resetlog +command. +.Pp +.El +.Ss RULE ACTIONS +A rule can be associated with one of the following actions, which +will be executed when the packet matches the body of the rule. .Bl -tag -width indent -.It Cm allow +.It Cm allow | accept | pass | permit Allow packets that match rule. The search terminates. -Aliases are -.Cm pass , -.Cm permit -and -.Cm accept . -.It Cm deny -Discard packets that match this rule. -The search terminates. -.Cm drop -is an alias for -.Cm deny . -.It Cm reject -(Deprecated). -Discard packets that match this rule, and try to send an ICMP -host unreachable notice. -The search terminates. -.It Cm unreach Ar code -Discard packets that match this rule, and try to send an ICMP -unreachable notice with code -.Ar code , -where -.Ar code -is a number from 0 to 255, or one of these aliases: -.Cm net , host , protocol , port , -.Cm needfrag , srcfail , net-unknown , host-unknown , -.Cm isolated , net-prohib , host-prohib , tosnet , -.Cm toshost , filter-prohib , host-precedence -or -.Cm precedence-cutoff . 
-The search terminates. -.It Cm reset -TCP packets only. -Discard packets that match this rule, and try to send a TCP -reset (RST) notice. -The search terminates. -.It Cm count -Update counters for all packets that match rule. -The search continues with the next rule. .It Cm check-state Checks the packet against the dynamic ruleset. -If a match is found then the search terminates, otherwise -we move to the next rule. +If a match is found, execute the action associated with +the rule which generated this dynamic rule, otherwise +move to the next rule. +.br +.Cm Check-state +rules do not have a body. If no .Cm check-state rule is found, the dynamic ruleset is checked at the first .Cm keep-state +or +.Cm limit rule. +.It Cm count +Update counters for all packets that match rule. +The search continues with the next rule. +.It Cm deny | drop +Discard packets that match this rule. +The search terminates. .It Cm divert Ar port Divert packets that match this rule to the .Xr divert 4 socket bound to port .Ar port . The search terminates. -.It Cm tee Ar port -Send a copy of packets matching this rule to the -.Xr divert 4 -socket bound to port -.Ar port . -The search terminates and the original packet is accepted -(but see section -.Sx BUGS -below). -.It Cm fwd Ar ipaddr Ns Op , Ns Ar port +.It Cm fwd | forward Ar ipaddr Ns Op , Ns Ar port Change the next-hop on matching packets to .Ar ipaddr , which can be an IP address in dotted quad or a host name. +The search terminates if this rule matches. +.Pp If .Ar ipaddr -is not a directly-reachable address, the route as found in -the local routing table for that IP is used instead. -If -.Ar ipaddr -is a local address, then on a packet matching a -.Cm fwd -rule, -it will be diverted to +is a local address, then matching packets will be forwarded to .Ar port -on the local machine, keeping the local address of the socket -set to the original IP address the packet was destined for. 
+(or the port number in the packet if one is not specified in the rule) +on the local machine. +.br +If +.Ar ipaddr +is not a local address, then the port number +(if specified) is ignored, and the packet will be +forwarded to the remote address, using the route as found in +the local routing table for that IP. +.br +A +.Ar fwd +rule will not match layer-2 packets (those received +on ether_input, ether_output, or bridged). +.br +The +.Cm fwd +action does not change the contents of the packet at all. +In particular, the destination address remains unmodified, so +packets forwarded to another system will usually be rejected by that system +unless there is a matching rule on that system to capture them. +For packets forwarded locally, +the local address of the socket will be +set to the original destination address of the packet. This makes the .Xr netstat 1 entry look rather weird but is intended for use with transparent proxy servers. -If the IP is not a local address then the port number -(if specified) is ignored. -This will also map addresses when packets are -generated locally. -The search terminates if this rule matches. -If the port number is not given then the port number in the -packet is used, so that a packet for an external machine port -Y would be forwarded to local port Y. -The kernel must have been compiled with the -.Dv IPFIREWALL_FORWARD -option. -Bridging interferes with forwarding of packets not destined -to the local system as they bypass -.Fn ip_input -and -.Fn ip_output -where forwarding is implemented. -The -.Cm fwd -action does not change the contents of the packet at all so -packets forwarded to another system will usually be rejected by that system -unless there is a matching rule on that system to capture them. .It Cm pipe Ar pipe_nr Pass packet to a .Xr dummynet 4 
@@ -430,53 +548,93 @@ Pass packet to a .Xr dummynet 4 .Dq queue (for bandwidth limitation using WF2Q). +.It Cm reject +(Deprecated). +Synonym for +.Cm unreach host . +.It Cm reset +Discard packets that match this rule, and if the +packet is a TCP packet, try to send a TCP reset (RST) notice. +The search terminates. .It Cm skipto Ar number Skip all subsequent rules numbered less than .Ar number . The search continues with the first rule numbered .Ar number or higher. +.It Cm tee Ar port +Send a copy of packets matching this rule to the +.Xr divert 4 +socket bound to port +.Ar port . +The search terminates and the original packet is accepted +(but see section +.Sx BUGS +below). +.It Cm unreach Ar code +Discard packets that match this rule, and try to send an ICMP +unreachable notice with code +.Ar code , +where +.Ar code +is a number from 0 to 255, or one of these aliases: +.Cm net , host , protocol , port , +.Cm needfrag , srcfail , net-unknown , host-unknown , +.Cm isolated , net-prohib , host-prohib , tosnet , +.Cm toshost , filter-prohib , host-precedence +or +.Cm precedence-cutoff . +The search terminates. .El -.It Cm log Op Cm logamount Ar number -If the kernel was compiled with -.Dv IPFIREWALL_VERBOSE , -then when a packet matches a rule with the -.Cm log -keyword a message will be -logged to -.Xr syslogd 8 -with a -.Dv LOG_SECURITY -facility. -.Em Note : -by default, they are appended to the -.Pa /var/log/security -file (see -.Xr syslog.conf 5 ) . -If the kernel was compiled with the -.Dv IPFIREWALL_VERBOSE_LIMIT -option, then by default logging will cease after the number -of packets specified by the option are received for that -particular chain entry, and -.Em net.inet.ip.fw.verbose_limit -will be set to that number. -However, if -.Cm logamount Ar number -is used, that -.Ar number -will be the logging limit rather than -.Em net.inet.ip.fw.verbose_limit , -where the value -.Dq 0 -removes the logging limit. 
-Logging may then be re-enabled by clearing the logging counter -or the packet counter for that entry. +.Ss RULE BODY +The body of a rule contains zero or more patterns (such as +specific source and destination addresses or ports, +protocol options, incoming or outgoing interfaces, etc.) +that the packet must match in order to be recognised. +In general, the patterns are connected by (implicit) +.Em and +connectives -- i.e. all must match in order for the +rule to match. +Individual patterns can be prefixed by the +.Em not +keyword to reverse the result of the match, as in .Pp -Console logging and the log limit are adjustable dynamically -through the -.Xr sysctl 8 -interface in the MIB base of -.Em net.inet.ip.fw . +.Dl "ipfw add 100 allow ip from not 1.2.3.4 to any" +.Pp +Additionally, sets of alternative match patterns ( +.Em or-blocks +) can be constructed by putting the patterns in +lists enclosed between parentheses ( ) or braces { }, and +using +.Cm or +connectives as follows: +.Pp +.Dl "ipfw add 100 allow ip from { x or not y or z } to any" +.Pp +Only one level of parentheses is allowed. +Beware that most shells have special meanings for parentheses +or braces, so it is advisable to put a \\ in front of them. +.Pp +The body of a rule must in general comprise a source and destination +addres specifier. +The keyword +.Ar any +can be used in various places to specify that the content of +a required field is irrelevant. +.Pp +The general rule body format is one of the following: +.Bd -ragged -offset indent +.Ar proto +.Cm from Ar src +.Cm to Ar dst +.Op Ar options +.br +.Cm MAC Ar dst-mac src-mac mac-type +.Op Ar options +.Ed +.Pp +where fields have the following meaning: +.Bl -tag -width indent .It Ar proto An IP protocol specified by number or name (for a complete list see 
@@ -487,66 +645,88 @@ or .Cm all keywords mean any protocol will match. .It Ar src No and Ar dst : -.Cm any | me | Op Cm not -.Aq Ar address Ns / Ns Ar mask -.Op Ar ports -.Pp -Specifying -.Cm any -makes the rule match any IP address. -.Pp -Specifying -.Cm me -makes the rule match any IP address configured on an interface in the system. -.Pp -The -.Aq Ar address Ns / Ns Ar mask -may be specified as: -.Bl -tag -width "ipno/bits" -.It Ar ipno -An IP number of the form 1.2.3.4. -Only this exact IP number will match the rule. -.It Ar ipno Ns / Ns Ar bits -An IP number with a mask width of the form 1.2.3.4/24. -In this case all IP numbers from 1.2.3.0 to 1.2.3.255 will match. -.It Ar ipno Ns : Ns Ar mask -An IP number with a mask of the form 1.2.3.4:255.255.240.0. -In this case all IP numbers from 1.2.0.0 to 1.2.15.255 will match. -.El -.Pp -The sense of the match can be inverted by preceding an address with the +A single +.Ar ip address +, or an +.Em or-block +containing one or more of them, +optionally followed by +.Em port numbers. +followed by a set of port numbers. +.It Ar ip address : +An address (or set of addresses) specified in one of the following +ways, optionally preceded by a .Cm not -modifier, causing all other addresses to be matched instead. -This does not affect the selection of port numbers. -.Pp -With the TCP and UDP protocols, optional -.Em ports -may be specified as: +operator: +.Bl -tag -width indent +.It Cm any +matches any IP address. +.It Cm me +matches any IP address configured on an interface in the system. +The address list is evaluated at the time the packet is +analysed. +.It Ar numeric-ip | hostname +Matches a single IPv4 address, specified as dotted-quad or a hostname. +Hostnames are resolved at the time the rule is added to the firewall list. +.It Ar addr Ns / Ns Ar masklen +Matches all addresses with base +.Ar addr +(specified as a dotted quad or a hostname) +and mask width of +.Cm masklen +bits. 
+As an example, 1.2.3.4/25 will match +all IP numbers from 1.2.3.0 to 1.2.3.127 . +.It Ar addr Ns / Ns Ar masklen Ns Cm { Ns Ar num,num,... Ns Cm } +Matches all addresses with base address +.Ar addr +(specified as a dotted quad or a hostname) +and whose last byte is in the list between braces { } . +Note that there must be no spaces between braces, commas and +numbers. +The +.Ar masklen +field is used to limit the size of the set of addresses, +and can have any value between 24 and 32. +.br +As an example, an address specified as 1.2.3.4/24{128,35,55,89} +will match the following IP addresses: +.br +1.2.3.128 1.2.3.35 1.2.3.55 1.2.3.89 . +.br +This format is particularly useful to handle sparse address sets +within a single rule. Because the matching occurs using a +bitmask, it takes constant time and dramatically reduces +the complexity of rulesets. +.El +.It Cm port numbers +With protocols which support port numbers (such as TCP and UDP), optional +.Cm ports +may be specified as one or more ports or port ranges, separated +by commas but no spaces, and an optional +.Cm not +operator: .Bd -ragged -offset indent -.Sm off -.Brq Ar port | port No \&- Ar port | port : mask -.Op , Ar port Op , Ar ... -.Sm on +.Op Cm not +.Brq Ar port | port Ns \&- Ns Ar port Ns +.Op , Ns Ar ... .Ed .Pp The .Ql \&- notation specifies a range of ports (including boundaries). .Pp -The -.Ql \&: -notation specifies a port and a mask, a match is declared if -the port number in the packet matches the one in the rule, -limited to the bits which are set in the mask. -.Pp Service names (from .Pa /etc/services ) may be used instead of numeric port values. -A range may only be specified as the first value, and the -length of the port list is limited to -.Dv IP_FW_MAX_PORTS -ports (as defined in -.Pa /usr/src/sys/netinet/ip_fw.h ) . 
+The length of the port list is limited to 14 ports or ranges, +though you can also use port ranges within an +.Em or-block +to build essentially unlimited lists: +.Pp +.Dl "ipfw add allow tcp from any { 1-20,30-50 or 500-600 } to any" +.Pp +.Pp A backslash .Pq Ql \e can be used to escape the dash 
@@ -561,134 +741,38 @@ specifications. See the .Cm frag option for details on matching fragmented packets. -.It Ar interface-spec -Some combinations of the following specifiers are allowed: -.Bl -tag -width "via ipno" -.It Cm in -Only match incoming packets. -.It Cm out -Only match outgoing packets. -.It Cm via Ar ifX -Packet must be going through interface -.Ar ifX . -.It Cm via Ar if Ns Cm * -Packet must be going through interface -.Ar ifX , -where -.Ar X -is any unit number. -.It Cm via any -Packet must be going through -.Em some -interface. -.It Cm via Ar ipno -Packet must be going through the interface having IP address -.Ar ipno . .El +.Ss RULE OPTIONS +Additional match patterns can be used within +rules. Zero or more of these so-called +.Em options +can be present in a rule, optionally prefixed by the +.Cm not +operand, and possibly grouped into +.Em or-blocks . .Pp -The -.Cm via -keyword causes the interface to always be checked. -If -.Cm recv -or -.Cm xmit -is used instead of -.Cm via , -then only the receive or transmit interface (respectively) -is checked. -By specifying both, it is possible to match packets based on -both receive and transmit interface, e.g.: +Note that there is an ambiguity in the syntax: in a rule of +the form .Pp -.Dl "ipfw add 100 deny ip from any to any out recv ed0 xmit ed1" +.Dl "ipfw add allow ip from any to any { in or layer2 }" .Pp -The -.Cm recv -interface can be tested on either incoming or outgoing packets, -while the -.Cm xmit -interface can only be tested on outgoing packets. -So -.Cm out -is required (and -.Cm in -is invalid) whenever -.Cm xmit -is used. -Specifying -.Cm via -together with -.Cm xmit -or -.Cm recv -is invalid. +the or-block could contain either port lists or options. 
+To remove the ambiguity, one should specify a destination +port, which can be done by either using the keyword +.Cm any +or an empty or-block +.Cm { } +e.g.: .Pp -A packet may not have a receive or transmit interface: packets -originating from the local host have no receive interface, -while packets destined for the local host have no transmit -interface. -.It Ar options : +.Dl "ipfw add allow ip from any to any any { in or layer2 }" +.Pp +The following options are available: .Bl -tag -width indent -.It Cm keep-state -Upon a match, the firewall will create a dynamic rule, whose -default behaviour is to matching bidirectional traffic between -source and destination IP/port using the same protocol. -The rule has a limited lifetime (controlled by a set of -.Xr sysctl 8 -variables), and the lifetime is refreshed every time a matching -packet is found. -.It Cm limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N -The firewall will only allow -.Ar N -connections with the same -set of parameters as specified in the rule. -One or more -of source and destination addresses and ports can be -specified. .It Cm bridged Matches only bridged packets. -This can be useful for multicast or broadcast traffic, which -would otherwise pass through the firewall twice: once during -bridging, and a second time when the packet is delivered to -the local stack. -.Pp -Apart from a small performance penalty, this would be a problem -when using -.Em pipes -because the same packet would be accounted for twice in terms -of bandwidth, queue occupation, and also counters. -.It Cm ipversion Ar ver -Match if the IP header version is -.Ar ver . -.It Cm ipprecedence Ar precedence -Match if the numeric value of IP datagram's precedence is equal to -.Ar precedence . -.It Cm iptos Ar spec -Match if the IP header contains the comma separated list of -service types specified in -.Ar spec . 
-The supported IP types of service are: -.Pp -.Cm lowdelay -.Pq Dv IPTOS_LOWDELAY , -.Cm throughput -.Pq Dv IPTOS_THROUGHPUT , -.Cm reliability -.Pq Dv IPTOS_RELIABILITY , -.Cm mincost -.Pq Dv IPTOS_MINCOST , -.Cm congestion -.Pq Dv IPTOS_CE . -The absence of a particular type may be denoted -with a -.Ql \&! . -.It Cm iplen Ar len -Match if the total length of a packet, including header and data, is -.Ar len -bytes. -.It Cm ipid Ar id -Match if the identification of IP datagram is -.Ar id . +.It Cm established +TCP packets only. +Match packets that have the RST or ACK bits set. .It Cm frag Match if the packet is a fragment and this is not the first fragment of the datagram. 
@@ -696,90 +780,12 @@ fragment of the datagram. may not be used in conjunction with either .Cm tcpflags or TCP/UDP port specifications. -.It Cm ipttl Ar ttl -Match if the time to live of IP datagram is -.Ar ttl . -.It Cm ipoptions Ar spec -Match if the IP header contains the comma separated list of -options specified in -.Ar spec . -The supported IP options are: -.Pp -.Cm ssrr -(strict source route), -.Cm lsrr -(loose source route), -.Cm rr -(record packet route) and -.Cm ts -(timestamp). -The absence of a particular option may be denoted -with a -.Ql \&! . -.It Cm tcpseq Ar seq -TCP packets only. -Match if the TCP header sequence number field is set to -.Ar seq . -.It Cm tcpack Ar ack -TCP packets only. -Match if the TCP header acknowledgment number field is set to -.Ar ack . -.It Cm tcpflags Ar spec -TCP packets only. -Match if the TCP header contains the comma separated list of -flags specified in -.Ar spec . -The supported TCP flags are: -.Pp -.Cm fin , -.Cm syn , -.Cm rst , -.Cm psh , -.Cm ack -and -.Cm urg . -The absence of a particular flag may be denoted -with a -.Ql \&! . -A rule which contains a -.Cm tcpflags -specification can never match a fragmented packet which has -a non-zero offset. -See the -.Cm frag -option for details on matching fragmented packets. -.It Cm established -TCP packets only. -Match packets that have the RST or ACK bits set. -.It Cm setup -TCP packets only. -Match packets that have the SYN bit set but no ACK bit. -This is the short form of -.Dq Li tcpflags\ syn,!ack . -.It Cm tcpwin Ar win -TCP packets only. -Match if the TCP header window field is set to -.Ar win . -.It Cm tcpoptions Ar spec -TCP packets only. -Match if the TCP header contains the comma separated list of -options specified in -.Ar spec . -The supported TCP options are: -.Pp -.Cm mss -(maximum segment size), -.Cm window -(tcp window advertisement), -.Cm sack -(selective ack), -.Cm ts -(rfc1323 timestamp) and -.Cm cc -(rfc1644 t/tcp connection count). 
-The absence of a particular option may be denoted -with a -.Ql \&! . +.It Cm gid Ar group +Match all TCP or UDP packets sent by or received for a +.Ar group . +A +.Ar group +may be matched by name or identification number. .It Cm icmptypes Ar types ICMP packets only. Match if the ICMP type is in the list 
@@ -818,20 +824,200 @@ address mask request .Pq Cm 17 and address mask reply .Pq Cm 18 . +.It Cm in | out +Only match incoming or outgoing packets, respectively. +.Cm in +and +.Cm out +are mutually exclusive (in fact, +.Cm out +is implemented as +.Cm not in +). +.It Cm ipid Ar id +Match if the identification of IP datagram is +.Ar id . +.It Cm iplen Ar len +Match if the total length of a packet, including header and data, is +.Ar len +bytes. +.It Cm ipoptions Ar spec +Match if the IP header contains the comma separated list of +options specified in +.Ar spec . +The supported IP options are: +.Pp +.Cm ssrr +(strict source route), +.Cm lsrr +(loose source route), +.Cm rr +(record packet route) and +.Cm ts +(timestamp). +The absence of a particular option may be denoted +with a +.Ql \&! . +.It Cm ipprecedence Ar precedence +Match if the numeric value of IP datagram's precedence is equal to +.Ar precedence . +.It Cm iptos Ar spec +Match if the IP header contains the comma separated list of +service types specified in +.Ar spec . +The supported IP types of service are: +.Pp +.Cm lowdelay +.Pq Dv IPTOS_LOWDELAY , +.Cm throughput +.Pq Dv IPTOS_THROUGHPUT , +.Cm reliability +.Pq Dv IPTOS_RELIABILITY , +.Cm mincost +.Pq Dv IPTOS_MINCOST , +.Cm congestion +.Pq Dv IPTOS_CE . +The absence of a particular type may be denoted +with a +.Ql \&! . +.It Cm ipttl Ar ttl +Match if the time to live of IP datagram is +.Ar ttl . +.It Cm ipversion Ar ver +Match if the IP header version is +.Ar ver . +.It Cm keep-state +Upon a match, the firewall will create a dynamic rule, whose +default behaviour is to matching bidirectional traffic between +source and destination IP/port using the same protocol. +The rule has a limited lifetime (controlled by a set of +.Xr sysctl 8 +variables), and the lifetime is refreshed every time a matching +packet is found. +.It Cm layer2 +Matches only layer2 packets, i.e. those passed to +.Nm +from ether_demux() and ether_output_frame(). 
+.It Cm limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N +The firewall will only allow +.Ar N +connections with the same +set of parameters as specified in the rule. +One or more +of source and destination addresses and ports can be +specified. +.It Cm recv | xmit | via Brq Ar ifX | Ar if Ns Cm * | Ar ipno | Ar any +Packet must be received, transmitted or be going through, +respectively, the interface specified by exact name ( +.Ar ifX +), by device name ( +.Ar if Ns Cm * +), by IP address, or through some interface. +.Pp +The +.Cm via +keyword causes the interface to always be checked. +If +.Cm recv +or +.Cm xmit +is used instead of +.Cm via , +then only the receive or transmit interface (respectively) +is checked. +By specifying both, it is possible to match packets based on +both receive and transmit interface, e.g.: +.Pp +.Dl "ipfw add deny ip from any to any out recv ed0 xmit ed1" +.Pp +The +.Cm recv +interface can be tested on either incoming or outgoing packets, +while the +.Cm xmit +interface can only be tested on outgoing packets. +So +.Cm out +is required (and +.Cm in +is invalid) whenever +.Cm xmit +is used. +.Pp +A packet may not have a receive or transmit interface: packets +originating from the local host have no receive interface, +while packets destined for the local host have no transmit +interface. +.It Cm setup +TCP packets only. +Match packets that have the SYN bit set but no ACK bit. +This is the short form of +.Dq Li tcpflags\ syn,!ack . +.It Cm tcpack Ar ack +TCP packets only. +Match if the TCP header acknowledgment number field is set to +.Ar ack . +.It Cm tcpflags Ar spec +TCP packets only. +Match if the TCP header contains the comma separated list of +flags specified in +.Ar spec . +The supported TCP flags are: +.Pp +.Cm fin , +.Cm syn , +.Cm rst , +.Cm psh , +.Cm ack +and +.Cm urg . +The absence of a particular flag may be denoted +with a +.Ql \&! . 
+A rule which contains a +.Cm tcpflags +specification can never match a fragmented packet which has +a non-zero offset. +See the +.Cm frag +option for details on matching fragmented packets. +.It Cm tcpseq Ar seq +TCP packets only. +Match if the TCP header sequence number field is set to +.Ar seq . +.It Cm tcpwin Ar win +TCP packets only. +Match if the TCP header window field is set to +.Ar win . +.It Cm tcpoptions Ar spec +TCP packets only. +Match if the TCP header contains the comma separated list of +options specified in +.Ar spec . +The supported TCP options are: +.Pp +.Cm mss +(maximum segment size), +.Cm window +(tcp window advertisement), +.Cm sack +(selective ack), +.Cm ts +(rfc1323 timestamp) and +.Cm cc +(rfc1644 t/tcp connection count). +The absence of a particular option may be denoted +with a +.Ql \&! . .It Cm uid Ar user Match all TCP or UDP packets sent by or received for a .Ar user . A .Ar user may be matched by name or identification number. -.It Cm gid Ar group -Match all TCP or UDP packets sent by or received for a -.Ar group . -A -.Ar group -may be matched by name or identification number. -.El .El +.Sh STATEFUL FIREWALL +To be completed. .Sh TRAFFIC SHAPER CONFIGURATION The .Nm 
@@ -864,49 +1050,20 @@ rate fixed by the pipe according to the WF2Q+ policy. The .Nm pipe configuration format is the following: -.Bd -ragged -.Cm pipe Ar number Cm config -.Op Cm bw Ar bandwidth | device -.Op Cm delay Ar ms-delay -.Oo -.Cm queue -.Brq Ar slots | size -.Oc -.Op Cm plr Ar loss-probability -.Op Cm mask Ar mask-specifier -.Op Cm buckets Ar hash-table-size -.Oo -.Cm red | gred -.Sm off -.Ar w_q No / Ar min_th No / Ar max_th No / Ar max_p -.Sm on -.Oc +.Bd -ragged -offset indent +.Cm pipe Ar number Cm config Ar pipe-configuration .Ed .Pp The .Nm queue configuration format is the following: -.Bd -ragged -.Cm queue Ar number Cm config -.Op Cm pipe Ar pipe_nr -.Op Cm weight Ar weight -.Oo -.Cm queue -.Brq Ar slots | size -.Oc -.Op Cm plr Ar loss-probability -.Op Cm mask Ar mask-specifier -.Op Cm buckets Ar hash-table-size -.Oo -.Cm red | gred -.Sm off -.Ar w_q No / Ar min_th No / Ar max_th No / Ar max_p -.Sm on -.Oc +.Bd -ragged -offset indent +.Cm queue Ar number Cm config Ar queue-configuration .Ed .Pp The following parameters can be configured for a pipe: -.Bl -tag -width indent +.Pp +.Bl -tag -width indent -compact .It Cm bw Ar bandwidth | device Bandwidth, measured in .Sm off @@ -917,7 +1074,7 @@ Bandwidth, measured in A value of 0 (default) means unlimited bandwidth. The unit must follow immediately the number, as in .Pp -.Dl "ipfw pipe 1 config bw 300Kbit/s queue 50KBytes" +.Dl "ipfw pipe 1 config bw 300Kbit/s" .Pp If a device name is specified instead of a numeric value, then the transmit clock is supplied by the specified @@ -927,6 +1084,7 @@ At the moment only the device supports this functionality, for use in conjunction with .Xr ppp 8 . +.Pp .It Cm delay Ar ms-delay Propagation delay, measured in milliseconds. The value is rounded to the next multiple of the clock tick 
@@ -936,6 +1094,36 @@ with to reduce the granularity to 1ms or less). Default value is 0, meaning no delay. +.El +.Pp +The following parameters can be configured for a queue: +.Pp +.Bl -tag -width indent -compact +.It Cm pipe Ar pipe_nr +Connects a queue to the specified pipe. +Multiple queues (usually +with different weights) can be connected to the same pipe, which +specifies the aggregate rate for the set of queues. +.Pp +.It Cm weight Ar weight +Specifies the weight to be used for flows matching this queue. +The weight must be in the range 1..100, and defaults to 1. +.El +.Pp +Finally, the following parameters can be configured for both +pipes and queues: +.Pp +.Bl -tag -width indent -compact +.Pp +.It Cm buckets Ar hash-table-size +Specifies the size of the hash table used for storing the +various queues. +Default value is 64 controlled by the +.Xr sysctl 8 +variable +.Em net.inet.ip.dummynet.hash_size , +allowed range is 16 to 1024. +.Pp .It Cm queue Brq Ar slots | size Ns Cm Kbytes Queue size, in .Ar slots @@ -951,13 +1139,7 @@ or 20s of queue on a 30Kbit/s pipe. Even worse effect can result if you get packets from an interface with a much larger MTU, e.g. the loopback interface with its 16KB packets. -.It Cm plr Ar packet-loss-rate -Packet loss rate. -Argument -.Ar packet-loss-rate -is a floating-point number between 0 and 1, with 0 meaning no -loss, 1 meaning 100% loss. -The loss rate is internally represented on 31 bits. +.Pp .It Cm mask Ar mask-specifier The .Xr dummynet 4 
@@ -984,22 +1166,15 @@ When used within a configuration, each flow is assigned a weight equal to the weight of the queue, and all flows insisting on the same pipe share bandwidth proportionally to their weight. -.It Cm buckets Ar hash-table-size -Specifies the size of the hash table used for storing the -various queues. -Default value is 64 controlled by the -.Xr sysctl 8 -variable -.Em net.inet.ip.dummynet.hash_size , -allowed range is 16 to 1024. -.It Cm pipe Ar pipe_nr -Connects a queue to the specified pipe. -Multiple queues (usually -with different weights) can be connected to the same pipe, which -specifies the aggregate rate for the set of queues. -.It Cm weight Ar weight -Specifies the weight to be used for flows matching this queue. -The weight must be in the range 1..100, and defaults to 1. +.Pp +.It Cm plr Ar packet-loss-rate +Packet loss rate. +Argument +.Ar packet-loss-rate +is a floating-point number between 0 and 1, with 0 meaning no +loss, 1 meaning 100% loss. +The loss rate is internally represented on 31 bits. +.Pp .It Cm red | gred Ar w_q Ns / Ns Ar min_th Ns / Ns Ar max_th Ns / Ns Ar max_p Make use of the RED (Random Early Detection) queue management algorithm. .Ar w_q @@ -1159,6 +1334,14 @@ rules. Upon the initial SYN exchange the lifetime is kept short, then increased after both SYN have been seen, then decreased again during the final FIN exchange or when a RST +.It Em net.link.ether.ipfw : No 0 +Controls whether layer-2 packets are passed to +.Nm . +Default is no. +.It Em net.link.ether.bridge_ipfw : No 0 +Controls whether bridged packets are passed to +.Nm . +Default is no. .El .Sh EXAMPLES This command adds an entry which denies all tcp packets from 
@@ -1342,22 +1525,6 @@ on a net with per-host limits, rather than per-network limits: .Dl "ipfw add pipe 2 ip from any to 192.168.2.0/24 in" .Dl "ipfw pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes" .Dl "ipfw pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes" -.Sh IMPLEMENTATION NOTES -The number of times a packet is processed by -.Nm -varies \(em basically, -.Nm -is invoked every time the kernel functions -.Fn ip_input , -.Fn ip_output -and -.Fn bdg_forward -are invoked. -This means that packets are processed once for connections having -only one endpoint on the local host, twice for connections with -both endpoints on the local host, or for packet routed by the host -(acting as a gateway), and once for packets bridged by the host -(acting as a bridge). .Sh SEE ALSO .Xr cpp 1 , .Xr m4 1 , @@ -1402,22 +1569,19 @@ both endpoints on the local host, or for packet routed by the host .Sh BUGS The syntax has grown over the years and it is not very clean. .Pp -.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!! +.Em WARNING .Pp -This program can put your computer in rather unusable state. -When using it for the first time, work on the console of the -computer, and do -.Em NOT -do anything you don't understand. -.Pp -When manipulating/adding chain entries, service and protocol names -are not accepted. +Misconfiguring the firewall can put your computer in an unusable state, +possibly shutting down network services and requiring console access to +regain control to it. .Pp Incoming packet fragments diverted by .Cm divert or .Cm tee are reassembled before delivery to the socket. +The action used on those packet is the one from the +rule which matches the first fragment of the packet. .Pp Packets that match a .Cm tee
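Review bot: the options hunk (the one adding `tcpseq`/`tcpwin`/`tcpoptions`) introduces a `.Sh STATEFUL FIREWALL` section whose only body is `To be completed.`; that placeholder will ship in the installed manual, so either move the `keep-state` and `limit` descriptions from the option list into it (or reference `check-state`, which the EXAMPLES already assume) or drop the section until it has content. In the same hunk `tcpoptions` is placed after `tcpwin`, breaking the alphabetical order the rest of the list follows (the patch itself moves `gid` ahead of `icmptypes` for that reason); it belongs between `tcpflags` and `tcpseq`.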
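Review bot: in the `keep-state` entry of the hunk starting at `@@ -818,20 +824,200 @@`, "whose default behaviour is to matching bidirectional traffic" should read "is to match bidirectional traffic". Two mdoc nits in the same hunk: the `in | out` entry puts `).` on a line of its own after `.Cm not in`, which renders as "not in )." with a stray space (use `.Cm not in ) .` so the delimiters attach, or `.Pq Cm not in`), and the `layer2` entry writes `ether_demux()` and `ether_output_frame()` as plain text where the page otherwise uses `.Fn` for kernel functions (see the removed IMPLEMENTATION NOTES, which used `.Fn ip_input`).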
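Review bot: in the `recv | xmit | via` entry of the hunk that adds `limit`, the parentheses around `.Ar ifX` and `.Ar if Ns Cm *` are written as bare `(` and `)` on separate lines, so they render as "( ifX )" with spaces on both sides; `.Pq Ar ifX` and `.Pq Ar if Ns Cm *` produce the intended "(ifX)" and "(if*)". The semantics paragraph that follows is good and worth keeping as is, in particular the statement that `xmit` requires `out`, which is the kind of constraint users trip over.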
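Review bot: in the hunk starting at `@@ -936,6 +1094,36 @@`, the list introduced by "Finally, the following parameters can be configured for both pipes and queues:" has a `.Pp` immediately after `.Bl -tag -width indent -compact` and before the first `.It`; mandoc warns about paragraph macros before the first list item, and the `-compact` flag combined with explicit `.Pp` between items is contradictory (drop `-compact` or drop the `.Pp` lines, but not both). The moved `buckets` text also still reads "Default value is 64 controlled by the sysctl variable", which needs a comma after "64" so it does not read as "64 controlled by".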
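Review bot: in the sysctl hunk starting at `@@ -1159,6 +1334,14 @@`, the new `.It Em net.link.ether.ipfw` is inserted directly after the context line "then decreased again during the final FIN exchange or when a RST", which reads as an unfinished sentence; please confirm the preceding dynamic-rule lifetime description ends with a full sentence ("... or when a RST is received.") before the new items are added, otherwise the layer-2 entry appears to be the tail of that sentence. The two new entries themselves are fine, though `Default is no` next to `No 0` could simply say "Default is 0 (disabled)" to match the form used for the other `net.inet.ip.fw.*` entries.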
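Review bot: in the BUGS hunk, "requiring console access to regain control to it" should be "regain control of it", and "The action used on those packet is the one from the rule which matches the first fragment" should be "those packets". The replacement of the shouted WARNING line is an improvement, but the deleted sentence about working on the console the first time was practical advice that the new wording only implies; consider keeping one sentence to that effect alongside the new text.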