From b877c0f37e013ea3c2be4e793f7ab99ac4092a47 Mon Sep 17 00:00:00 2001 From: "Jordan K. Hubbard" Date: Fri, 28 Oct 1994 15:06:53 +0000 Subject: [PATCH] Add the ipfw command, for IP firewall construction. Submitted by: danny ugen --- sbin/ipfw/Makefile | 5 + sbin/ipfw/README | 610 +++++++++++++++++++++++++++ sbin/ipfw/ipfw.1 | 524 +++++++++++++++++++++++ sbin/ipfw/ipfw.c | 1006 ++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 2145 insertions(+) create mode 100644 sbin/ipfw/Makefile create mode 100644 sbin/ipfw/README create mode 100644 sbin/ipfw/ipfw.1 create mode 100644 sbin/ipfw/ipfw.c diff --git a/sbin/ipfw/Makefile b/sbin/ipfw/Makefile new file mode 100644 index 000000000000..1188c0a448ee --- /dev/null +++ b/sbin/ipfw/Makefile @@ -0,0 +1,5 @@ +PROG= ipfw +DPADD= ${LIBKVM} +LDADD= -lkvm + +.include diff --git a/sbin/ipfw/README b/sbin/ipfw/README new file mode 100644 index 000000000000..1cc296c45631 --- /dev/null +++ b/sbin/ipfw/README @@ -0,0 +1,610 @@ +***************************************************************************** +27 Oct 94 +Hi again! +So thanx to Brian McGovern , i'v took this piece of code in hands again +and made some changes: + 1) Port to FreeBSD 2.0 , so we will not go after time. + 2) Some minor changes in kernel part to improve speed and such.. + 3) Chane in behaviour: now any recently added firewall definition + preferred on other matching but older firewalls. + REMEMBER: in any case universal IP firewall has larger preference + then special TCP/UDP/ICMP firewalls. + 4) Cosmetical changes to control programm. Now it is called ipfw. + 5) Changed ip_firewall.* to ip_fw.* in kernel,and shortened some long + variable names. + 6) From now on we have user defined *policy*,which is DENY/ACCEPT for + every packet which does not matches any of firewalls.I.e.: if any + firewall defined and packet does not match them you may set it up + so it will be anyway throwed or anyway accepted. +Mostly that's all. +Bye! + +-- + -= Ugen J.S.Antsilevich =- + NetVision - Commercial Internet Provider +-----------------------------------------------------[C]--- +NetVision - Home of Israeli Commercial Internet + E-mail: ugen@NetVision.net.il + HTTP: http://www.NetVision.net.il/~ugen/ + Phone: +972-4-550330 Fax: +972-4-550122 + +***************************************************************************** +10 Jul 94 +Hi again...So i sitted and stared at this nice working tool and thought to +myself that it's nice but something there it needs and have not.. +So i took a piece of file and a keyboard and typed some strings. +What it was is: + +o List facility improved...Now listing of currently installed firewall + entries does not go through kernel printf's ,which is really unnice to + one who runs it NOT from console:) + +o Really important facility of deleting entries added..Yes , till this + day you had to remove all entries and then add them one by one again + to remove actually just one.Now it's over:) + +o All this changes documented in this readme,while you will see where i + added my words just by vast number of mistaces in English.Well,i hope + you will forgive one Russian guy like me:) + +So enjoy this new code and if you think it needs some additions - you +are welcome to suggest.Also i made some more warnings , while compiling +this code,i have no a clue where do they come from,however they does not +make any bad to programm.But if you will find way to remove them,feel free +to do it and post anywhere(and notify me as i also need this:) + + Bye! Ugen J.S.Antsilevich + + +########################################################################## +# Ugen J.S.Antsilevich NetVision (Israel) System Staff Member # +#------------------------------------------------------------------------# +# Email: ugen@NetVision.net.il | Phone: 972-4-550330 # +# ugen@NetManage.co.il | Fax: 972-4-550122 # +#------------------------------------------------------------------------# +# WWW HomePage: http://www.NetVision.net.il/~ugen # +# Special : Volk@Les.Tambov.SU # +########################################################################## + + +***************************************************************************** +8 Jul 94 +OK..so first of all,this is simple port to FreeBSD by Ugen J.S.Antsilevich +Actually all i had to do is to find appropriate place in kernel source files +for ipfirewall stuff..so all your thanks should go to the author... +Anyway i am porting it now to 1.1.5 (not much job though..:) so if you want +to ask something about write to me: + +ugen@NetVision.net.il + +That's it and let the --==REAL==-- author speak... +***************************************************************************** + +Here's my ipfirewall facility. I consider it to still be beta quality mostly +because the various interfaces are pretty crude. Here's some information that +you'll probably find useful (in roughly the order in which you'll need to know +it). Some of this will be absurdly simplistic. Better safe than sorry... + +This software was written for BSD/386. The current version has been ported +to BSD/386 v1.1. The context diffs are with respect to that version of +BSD/386. If you don't have access to BSD/386 v1.1 and can't make sense out of +the diffs, contact me and I'll send you the entire files (they are copyrighted +by UC-Berkeley with very 'friendly' conditions). + +Speaking of copyrights, here's mine: + +/* + * Copyright (c) 1993 Daniel Boulet + * Copyright (c) 1994 Ugen J.S.Antsilevich + * + * Redistribution and use in source forms, with and without modification, + * are permitted provided that this entire comment appears intact. + * + * Redistribution in binary form may occur without any restrictions. + * Obviously, it would be nice if you gave credit where credit is due + * but requiring it would be too onerous. + * + * This software is provided ``AS IS'' without any warranties of any kind. + */ + +Enough introductory stuff, here we go... + + 1) The file IPFIREWALL is the configuration of kernel i use with + IPFIREWALL and GATEWAY options enabled. You may not find it useful. + About the only key things are that it enables the IPFIREWALL + option and the GATEWAY option. IPFIREWALL turns on my + stuff and GATEWAY turns your machine into an IP router. + + There is nothing magical about the name of this file or the + ident name for the kernel. + + 2) The files ip_fw.c and ip_fw.h are new files that should be + placed into the /usr/src/sys/netinet directory. + + 3) The files ip_input.c and raw_ip.c are new patched versions of the + same files , they made up for version 2.0 of FreeBSD,however it was + some pre-Beta release we worked on , so to add it to other releases + just find all parts of code surrounded by: + #ifdef IPFIREWALL + .... + #endif + and place in the appropriate places in the same files. + All those files are in /usr/src/sys/netinet directory of corse. + + 4) Add the line "netinet/ip_fw.c optional ipfirewall" to the + file /usr/src/sys/conf/files. This tells the config program to + include the netinet/ip_fw.c file if the IPFIREWALL option is + defined for a kernel. + + 5) The Makefile and ipfw.c files should go into directory probably + back in your home directory tree somewhere. If this ever becomes a + part of the system then they should go into the (newly created) + directory /usr/src/sbin/ipfw. + + 6) Build yourself a kernel, make a backup of the current kernel and + and install the new one. It should behave in a completely normal + fashion since you won't have defined any firewalls yet. + + 7) Explore the ipfw program. The smartest way to do this is to + compile the program and then run it.To do it you SHOULD be root + as the programm uses setsockopt on RAW sockets to define firewalls, + and also reads kernel symbols.If any other user will run ipw + it will detect that it isn't being run by root and will just + complain and exit. + The ipfw program takes command line parameters + and (assuming they are valid) issues a single appropriate setsockopt + call. If you're defining 5 firewalls then you'll have to run the + program 5 times. See below for a description of the command syntax + of ipfirewall. + + ==================================================================== + WARNING!!! WARNING!!! WARNING!!! WARNING!!! WARNING!!! WARNING!!! + The ipfw program can be used to put your machine into very + disfunctional state.So if you want to test it make sure you + a) Have read carifully this README till it's end. + b) First time run it from machine console,as else you can + simply shut down your own access to it. + ==================================================================== + Make sure that you never setup the program as setuid root!!! Instead, + always run it from the root command line or from "/etc/rc.local" + as part of the boot process. + + 8) Use the "ipfirewall" checkb or checkf command (see below) to pass some + test packets through the firewalls that you've defined. + + 9) You may find it useful to create a file in which the first line is + "ipfirewall flush" to flush any existing firewalls and the remaining + lines are the ipfirewall commands needed to define the firewalls that + you want to use. This will ensure that you're always working from a + known state. + + 10) If you've gotten this far then you're probably ready to let the critter + see prime time. Copy your file of ipfirewall commands into the + /etc/rc.local file and reboot the system. Once you're up, use the + ipfirewall list command to see that you've got the firewalls that you + wanted and try to test the firewall with real packets from trusted + and untrusted hosts. + +Enough of that. Here's the syntax for the ipfirewall command. It is rather +complex and yet simple at the same time (if you know what I mean). There +are seven sub-commands. Probably the easiest way to get into this is to give +you a roughly BNF style grammar for the command (curly brackets are used for +precedence, alternatives are separated by |, optional things are enclosed +in square brackets, white space is required if it appears below and must +not appear if there isn't any between the tokens below (i.e. no white space +around periods, colons or slashes, whitespace required between all other +tokens)): + + command ::= ipfirewall | | | | + + ::= list + + ::= flush + + ::= { checkb[locking] | checkf[orwarding] } + + ::= { addb[locking] | addf[orwarding] } + + ::= { delb[locking] | delf[orwarding] } + + ::= from to + + ::= tcp | udp + + ::= ... | + + ::= a host name from /etc/hosts + + ::= | + + ::= a service from /etc/services + + ::= a non-negative integer + + ::= { accept | deny } { | } + + ::= all from to + + ::= { / } | { : } | + + ::= integer in the range 0 to 32 inclusive + + ::= from to + + ::= + + ::= [ : ] + + ::= [ ] + +Although I think that the above grammar is complete, it isn't exactly what +one would call easy to comprehend! Here's the basic idea along with what +each of the forms mean: + + The "ipfirewall list" command prints a list of the firewalls on both the + forwarding and blocking chain in some more or less understudable format. + + The "ipfirewall flush" command empties the two firewall chains. + + The "ipfirewall addblocking" and "ipfirewall addforwarding" commands take + a firewall description and add the firewall to the appropriate firewall + chain.Take notice,that if you will add some description more then once, + it will take more then one entry in memory.It does not lead to significant + slow down of computer operation though. + + The "ipfirewall delblocking" and "ipfirewall delforwarding" commands take + a firewall description and deletes the firewall from the appropriate + firewall chain.The description must be exactly the same as it was defined + by add command.One delete command removes ALL same entries from firewall + chains. + + There are two basic kinds of firewall descriptions. Universal firewall + descriptions match all IP packets between specified pairs of hosts. + Universal firewalls only check IP addresses (i.e. they match any combination + of protocol and port numbers). Protocol-specific firewalls match either + TCP/IP or UDP/IP packets between specified pairs of hosts. In addition + to host descriptions, protocol-specific firewalls optionally take a + description of which port numbers to match. + + A host description consists of an IP address and a mask. The IP address + is specified as either a domain name or in the familiar + nn.nn.nn.nn format. The mask indicates how much of the IP address + should be looked at when vetting packets. There are two ways to + specify the mask. The first way is to suffix the IP address in the + firewall with a slash and an integer in the range 0 through 32 inclusive. + This integer is taken to be the number of high order bits of the IP + address which are to be checked (for example, 192.153.211.0/24 checks + the top 24 bits of the IP address, 192.153.211.17/32 checks all the + bits and 0.0.0.0/0 checks none of the bits (i.e. all IP addresses are + matched by this example)). The second way to specify a mask is to + suffix the IP address with a colon followed by another IP address. + This second address is the mask. Specifications equivalent to the + above three examples using this syntax would be + + 192.153.211.0:255.255.255.0 + 192.153.211.17:255.255.255.255 + 0.0.0.0:0.0.0.0 + + The first form is taken from the syntax accepted by a Telebit NetBlazer. + The second form is more along the lines of how a netmask is specified + in /etc/netmasks. Finally, if no mask is specified then a mask of all + 1's is supplied (i.e. no mask is equivalent to /32 or :255.255.255.255). + + The optional description of port numbers to mask can take three forms. + The simplest form is to omit the list in which case all port numbers + match. The next form is to specify a list of port numbers (either as + positive integers or service names from /etc/services). The final form + is actually a special case of the second form in which the first pair + of port numbers is separated by a colon instead of white space. This + pair specifies a range of port numbers (i.e. x:y specifies that all + ports between x and y inclusive should match). A port description + matches a particular port number if any of the following is true: + + - the port description is null + - the first pair of port numbers is a range and the port number + is in the range (inclusive) + - the port number is equal to any of the port numbers in the list + + There is a limit of a total of 10 port numbers in the source and + destination port lists. This limit is arbitrary and easy to increase. + It is determined by the value of the IP_FIREWALL_MAX_PORTS #define + variable in ip_firewall.h. Each increase of 1 for this value adds two + bytes to the size of each firewall. Since the size of a firewall is only + slightly over 30 bytes right now, this limit of 10 could probably + be increased by quite a bit before it became a concern. I've been + thinking of increasing it to 20 which would be longer than any + reasonable firewall would need and would only consume 20 more bytes + per firewall. The counter argument to any increase is that it is + always possible to construct an equivalent set of two or more firewalls + that behaves like a single firewall with a really long port list. + + This probably all sounds hopelessly complicated. It is actually not + all that tricky (I'm just not very good at explaining it yet). A few + examples will probably help a lot now: + + Block all IP packets originating from the host hackers-den: + + ipfirewall addb deny all from hackers-den to 0.0.0.0/0 + + Block all telnet packets to our telnet server from anywhere: + + ipfirewall addb deny tcp from 0.0.0.0/0 to mymachine/32 telnet + + Don't forward telnet, rlogin and rsh packets onto our local + class C network: + + ipfirewall addf deny tcp from 0.0.0.0/0 to ournetwork/24 telnet login shell + + Don't let anyone on the local machine or any machine inside + our local network ftp access to games.com: + + ipfirewall addb deny tcp from games.com ftp to 0.0.0.0/0 + + This last one might look a little strange. It doesn't prevent + anyone from sending packets to the games.com ftp server. What it + does do is block any packets that the games.com ftp server sends + back! + + The "ipfirewall checkblocking" and "ipfirewall checkforwarding" commands + take a description of an IP packet and check to see if the blocking + or forwarding chain of firewalls respectively accept or reject the packet. + It is used to make sure that the firewalls that you've defined work as + expected. The basic syntax is probably best understood by looking at + a couple of examples: + + ipfirewall checkb from bsdi.com 3001 to mymachine telnet + + checks to see if the blocking firewall will block a telnet packet from + a telnet session originating on bsdi.com to the host mymachine will be + blocked or not. Note that someone connecting to our telnet server + could be using practically any port number. To be really sure, the + firewall used to prevent access should be as simple as possible and/or + you should try a variety of port numbers in addition to the rather + arbitrarily chosen port of 3001. + + One final note on the check* ,add* and del* command syntax. The noise word + "to" exists in the syntax so that I can detect the end of a list of + port numbers in the from description. Since I needed a noise word to + detect this case, I added the noise word "from" in front of the from + case for consistency. + + Finally, have a look at the file "filters". It is the set of filters + that I run at home. + Also check "scripts",where individual access restrictions written. + We use those for our dial-in PPP/SLIP users,to allow some of them + to access our internal networks,while disallowing other.This way we + open access to user's IP,when he enters the system ,and shut it + down when he leaves.All those changes may be applyed at any time, + and so entries added and deleted from firewall while system is + is working.No any side effects will arise. + +Now for a bit of a description of how the firewalls are applied (i.e. what +happens in the kernel): + + When an IP packet is received, the ipintr() routine in ip_input.c is + called. This routine does a bit of basic error checking. If it + detects any errors in the packet it generally drops the packet on + the floor. The idea behind the ipfirewall facility is to treat packets + that we don't want to accept as bad packets (i.e. drop them on the + floor). The ipfirewall facility intercedes in the normal processing + at two points. Just after the basic sanity checks are done, we pass + any packets not targeted at the loopback network (127.0.0.0/8) to the + firewall checker along with the chain of blocking firewalls.If the firewall + checker tells us to block the packet then we branch to the "bad:" label + in ipintr() which is where all bad packets are dropped on the floor. + Otherwise, we allow normal processing of the packet to continue. The + exact point at which we intercede was chosen to be after the basic + sanity checking and before the option processing is done. We want to + be after the basic sanity checking so that we don't have to be able + to handle complete garbage. We want to be before the option processing + because option processing is done in separate rather complex routine. + Why bother doing this special processing if we might be dropping the + packet? + + The second point at which we intercede is when a packet is about to be + forwarded to another host. All such packets are passed to the ip_forward + routine. The ipfirewall code is at the very top of this routine. If + the packet isn't targetted at the loopback interface (is it possible + that it could be when we reach this point? I doubt it but safety first) + then pass the packet to the firewall checker along with the forwarding + firewall chain. If the firewall checker indicates that the packet should + not be forwarded then we drop in (using code copied from a few lines + further into the routine which drops broadcast packets which are not + to be forwarded). + +There are a couple of consequences of this approach: + + 1) Packets which are blocked are never forwarded (something to keep + in mind when designing firewalls). + 2) Packets targeted at the loopback interface (127.0.0.0/8) are never + blocked. Blocking packets to the loopback interface seems pointless + and potentially quite confusing. It also makes a possibly common + case very cheap. + 3) The sender of a packet which is blocked receives no indication that + the packet was dropped. The Telebit NetBlazer can be configured to + silently drop a blocked packet or to send back a "you can't get there + from here" packet to the sender. Implementing the later would have + been more work (possibly quite a bit more, I don't really know). Also, + I don't see any reason to give a potential hacker any more information + than necessary. Dropping the packet into the bit bucket seems like + the best way to keep a hacker guessing. + Well,anyway i working on this feature.It would be made optional and + configurable by some ICMP_UNREACH_ON_DROP or like this. + +Now for some details on how the firewall checker works: + + The firewall checker takes two parameters. The first parameter is a pointer + to the packet in question. The second parameter is a pointer to the + appropriate firewall chain. At the present time, the firewall checker passes + these parameters to a second routine which is the real firewall checker. + If the real checker says NO then an appropriate message is printed + onto the console. This is useful for debugging purposes. Whether or + not it remains in the long term depends on whether it is considered useful + for logging purposes (I'm a little reluctant to leave it in since it + provides a hacker with a way to commit a "denial of service" offense + against you by filling up your /var/log/messages file's file system + with error messages. There are ways of preventing this but ...). + In default configuration now no information about dropped packets + printed.You may,however,define it,as i do by adding + option IPFIREWALL_VERBOSE + to your kernel configuration file.Very useful thingy! + + A return value of 0 from this routine (or the real firewall checker) + indicates that the packet is to be dropped. A value of 1 indicates + that the packet is to be accepted. In the early testing stages you + might want to make the top level firewall checker always return 1 even + if the real checker returns 0 just in case the real firewall checker + screws up (or your firewalls aren't as well designed as they should be). + In fact, this might be a useful optional feature (providing a way to + leave a door unlocked doesn't seem all that wise but it has to be + balanced against the inconvenience to legitimate users who might get + screwed up by poorly designed firewalls). + + The real firewall returns 1 (accept the packet) if the chain is empty. If + efficiency is a concern (which it is in this code), this check should + be done in ip_input.c before calling the firewall checker. + + Assuming that there is a firewall chain to scan through, the real firewall + checker picks up the src and dst IP addresses from the IP packet. It + then goes through the firewall chain looking for the first firewall that + matches the packet. Once a matching firewall has been found, a value of + 1 is returned if the firewall is an accept firewall and a value of 0 is + returned otherwise. + + The following processing is done for each firewall on the chain: + + 1) check the src and dst IP addresses. If they don't match then + there isn't any point in looking any further at this firewall. + This check is done by anding the packet's IP addresses the + with appropriate masks and comparing the results to the + appropriate addresses in the firewall. Note that the mask is + NOT applied to the address in the firewall. If it has any 1 + bits that are 0 bits in the mask then the firewall will never + match (this will be checked in ipfirewall soon). If the addresses + match then we continue with the next step. + + 2) If the firewall is a universal firewall then we've got a match. + Return either 0 or 1 as appropriate. Otherwise, continue with + the next step. + + 3) Examine the IP protocol from the packet. If we havn't had to + look at it before then we get it and set a local variable to + IP_FIREWALL_TCP for TCP/IP packets, IP_FIREWALL_UDP for UDP/IP + packets, IP_FIREWALL_ICMP for ICMP packets, and IP_FIREWALL_UNIVERSAL + for all other packet types. Also, if the packet is a TCP/IP or + a UDP/IP packet, save the source and destination port numbers + at this point (taking advantage of the fact that the port numbers + are stored in the same place in either a TCP/IP or a UDP/IP + packet header). If the packet is neither a TCP/IP or a UDP/IP + packet then this firewall won't match it (on to the next firewall). + If this packet's protocol doesn't match this firewall's protocol + (which can't be universal or we wouldn't be here) then on to + the next firewall. Otherwise, continue with the next step. + + 4) We're checking either a TCP/IP or a UDP/IP packet. If the + firewall's source port list is empty or the packet's source + port matches something in the source port list AND if the firewall's + destination port list is empty or the packet's destination + port matches something in the destination port list then + we've got a match (return 0 or 1 as appropriate). Otherwise, + on to the next firewall. + + As indicated above, if no packet on the chain matches the packet then + it is accepted if the first firewall was a deny firewall and it is rejected + if the first firewall was an accept packet. This is equivalent to the + default behaviour of a Telebit NetBlazer. They provide a way to override + this behaviour. I'm not convinced that it is necessary (I'm open to + suggestions). + +That's about it for the firewall checker. The ipfirewall program communicates +with the kernel part of the firewall facility by making setsockopt calls +on RAW IP sockets. Only root is allowed to open a RAW IP socket. This +ensures that only root uses ipfirewall to manipulate the firewall facility. +Also, somewhere in the kernel source or on a man page, I read that the +RAW IP setsockopt calls are intended for manipulating the IP protocol layer +as opposed to manipulating any particular instance of a socket. This seems +like a reasonable description of what the firewall setsockopt command +codes do. + +There are seven setsockopt command codes defined by the firewall facility +(in netinet/in.h). They are: + + IP_FLUSH_FIREWALLS flush (i.e. free) both firewall chains. + + IP_ADD_FORWARDING_FIREWALL add firewall pointed at by optval parm to + the end of the forwarding firewall chain. + + IP_ADD_BLOCKING_FIREWALL add firewall pointed at by optval parm to + the end of the blocking firewall chain. + + IP_DEL_FORWARDING_FIREWALL delete firewall pointed at by optval parm + from the forwarding firewall chain. + + IP_DEL_BLOCKING_FIREWALL delete firewall pointed at by optval parm + from the blocking firewall chain. + + IP_CHECK_FORWARDING_FIREWALL pass the IP packet do the firewall checker + along with the forwarding firewall chain. + Return 0 if packet was accepted, -1 (with + errno set to EACCES) if it wasn't. + + IP_CHECK_BLOCKING_FIREWALL pass the IP packet do the firewall checker + along with the blocking firewall chain. + Return 0 if packet was accepted, -1 (with + errno set to EACCES) if it wasn't. + + The IP_ADD_* and IP_DEL_* command codes do a fair bit of validity checking. + It is quite unlikely that a garbage firewall could get past them that + would cause major problems in the firewall checker. It IS possible for + a garbage packet to get past the checks which causes major grief because + it either blocks or accepts packets according to unusual rules (the rules + will conform to the ones described above but will probably come as quite + a surprise). + + The IP_CHECK_* command codes expect the optval parameter to point + to a struct ip immediately followed by a header appropriate to the protocol + value described in the ip_p field of the ip header. The exact requirements + are as follows: + + - The length of the optval parameter must be at least + + sizeof(struct ip) + 2 * sizeof(u_short) + + since this is the amount of memory that might be referenced by + the firewall checker. + + - The ip_hl field of the ip structure must be equal to + + sizeof(struct ip) / sizeof(int) + + since this value indicates that the tcp/udp/??? header immediately + follows the ip header (appropriate for the purposes that this + interface is intended for). + + Failure to follow these rules (for either the IP_ADD_*,IP_DEL_* or the + IP_CHECK_*_FIREWALL commands) will result in a return value of -1 with + errno set to EINVAL (for now, it will also result in an appropriate + message on the console). + + To read current configuration of firewalls,the kvm_read() function used. + Symbols,which you have to find are : + struct ip_firewall * ip_firewall_blocking_chain ; + struct ip_firewall * ip_firewall_forwarding_chain ; + Both are pointers to the linked list of firewall entries. + Of corse you have to be at least kmem group member,to read kernel symbols. + +That's about all that I can think of for now. There are a couple of details +that are worth reading about in the ip_firewall.h file. Other than that, let +me know how you do. If you have any problems, give me a call at home (403 +449-1835) or send me e-mail at "danny@BouletFermat.ab.ca". If you call, please +keep in mind that I live in the Canadian Mountain timezone (GMT-0600). + +-Danny + +So that's it..if you want to say something to me-call me or mail: +Phone: 972-4-550-330 +E-mail ugen@NetVision.net.il +If you call,remember that i live in Israel timezone which is GMT+02. + +-Ugen + diff --git a/sbin/ipfw/ipfw.1 b/sbin/ipfw/ipfw.1 new file mode 100644 index 000000000000..72a55616f9c3 --- /dev/null +++ b/sbin/ipfw/ipfw.1 @@ -0,0 +1,524 @@ +.\" +.\" ipfw - a utility for manipulating the configuration of an IP firewall. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" @(#)ipfw.1 +.\" +.TH ipfw 1 "October 27, 1994" "" "FreeBSD" + +.SH NAME +ipfw - a utility for manipulating the configuration of an IP firewall. +.SH SYNOPSIS +.na +.B ipfw +.RB [options] +.SH DESCRIPTION +The +.B ipfw +command is used to configure an active IP firewall, setting masks on just +what sites are allowed to connect through it, which packets are rejected, +etc. +.SH OPTIONS +The command-line syntax of this command is rather involved, and rather than +spend a lot of time that I just don't have at the moment creating a +.B real +man page, with properly formatted sections and all, I'm just going to loosely +format the README I got. This really needs an nroff expert to go through +it with a chainsaw and do a +.N REAL +job of formatting it! This all looks rather horrible at present, and +I would actually almost recommend that you simply read the man page text +directly, rather than trying to format it. Sorry, but I do NOT speak +nroff, nor do I ever wish to learn how! :-) [-jkh]. +.PP +For a sample kernel configuration file that will enable the right kernel +features necessary for firewalling, see +.I /sys/i386/conf/IPFIREWALL +. +.PP +.B WARNING!!! WARNING!!! WARNING!!! WARNING!!! WARNING!!! WARNING!!! +.PP +This utility can be used to put your machine into very dysfunctional state, +so if you want to test it then you should first make sure to read this man page +all the way through, and don't run it anywhere from the system console! +Using +.I ipfw +incorrectly is a really good way to kick yourself off your own machine +if you're logged in over a network! Also make sure to never set this +utility to be setuid root! It's a blatant security hole that way. +Instead, run it as root or from "/etc/rc.local" as part of the boot process. +It's also a good idea to use the checkb or checkf command options (see below) +to pass some test packets through the firewalls that you've defined before +going "live". +.PP +You may find it useful to create a file in which the first line is +.I firewall flush +to flush any existing firewalls before defining the explicit firewalls +that you wish to use. This will ensure that you're always working from a +known state. +.PP +The syntax for the +.BI ipfirewall +command option is rather complex and yet simple at the same time (if you know +what I mean). There are seven sub-commands, and probably the easiest way to +get into this is to give you a roughly BNF style grammar for the command +(curly brackets are used for precedence, alternatives are separated by |, +optional things are enclosed in square brackets, white space is required if +it appears below and must not appear if there isn't any between the tokens +below (i.e. no white space around periods, colons or slashes, whitespace +required between all other tokens)): +.PP +.nf + command ::= ipfirewall | | | | + ::= list + ::= flush + ::= { checkb[locking] | checkf[orwarding] } + ::= { addb[locking] | addf[orwarding] } + ::= { delb[locking] | delf[orwarding] } + ::= from to + ::= tcp | udp + ::= ... | + ::= a host name from /etc/hosts + ::= | + ::= a service from /etc/services + ::= a non-negative integer + ::= { accept | deny } { | } + ::= all from to + ::= { / } | { : } | + ::= integer in the range 0 to 32 inclusive + ::= from to + ::= + ::= [ : ] + ::= [ ] +.fi +.PP +Although I think that the above grammar is complete, it isn't exactly what +one would call easy to comprehend! Here's the basic idea along with what +each of the forms mean: +.PP +The +.I ipfirewall list +command prints a list of the firewalls on both the +forwarding and blocking chain in some more or less comprehensible format. +.PP +The +.I ipfirewall flush +command empties the two firewall chains. +.PP +The +.I ipfirewall addblocking +and +.I ipfirewall addforwarding +commands take a firewall description and add the firewall to the appropriate +firewall chain. Note that you'll probably need to add some descriptions more +then once, which will naturally take more then one entry in memory. It does +not lead to significant degradation of performance, so don't worry about it. +.PP +The +.I ipfirewall delblocking +and +.I ipfirewall delforwarding +commands take a firewall description and delete the firewall from the +appropriate firewall chain. The description must exactly match that given +to an earlier add command. One delete command removes ALL matching entries +from firewall chains. +.PP +There are two basic kinds of firewall descriptions. Universal firewall +descriptions match all IP packets between specified pairs of hosts. +Universal firewalls only check IP addresses (e.g. they match any combination +of protocol and port numbers). Protocol-specific firewalls match either +TCP/IP or UDP/IP packets between specified pairs of hosts. In addition +to host descriptions, protocol-specific firewalls optionally take a +description of which port numbers to match. +.PP +A host description consists of an IP address and a mask. The IP address +is specified as either a domain name or in the familiar +nn.nn.nn.nn format. The mask indicates how much of the IP address +should be looked at when vetting packets. There are two ways to +specify the mask. The first way is to suffix the IP address in the +firewall with a slash and an integer in the range 0 through 32 inclusive. +This integer is taken to be the number of high order bits of the IP +address which are to be checked (for example, 192.153.211.0/24 checks +the top 24 bits of the IP address, 192.153.211.17/32 checks all the +bits and 0.0.0.0/0 checks none of the bits (i.e. all IP addresses are +matched by this example)). The second way to specify a mask is to +suffix the IP address with a colon followed by another IP address. +This second address is the mask. Specifications equivalent to the +above three examples using this syntax would be +.PP +.nf +192.153.211.0:255.255.255.0 +192.153.211.17:255.255.255.255 +0.0.0.0:0.0.0.0 +.fi +.PP +The first form is taken from the syntax accepted by a Telebit NetBlazer. +The second form is more along the lines of how a netmask is specified +in /etc/netmasks. Finally, if no mask is specified then a mask of all +1's is supplied (i.e. no mask is equivalent to /32 or :255.255.255.255). +.PP +The optional description of port numbers to mask can take three forms. +The simplest form is to omit the list in which case all port numbers +match. The next form is to specify a list of port numbers (either as +positive integers or service names from /etc/services). The final form +is actually a special case of the second form in which the first pair +of port numbers is separated by a colon instead of white space. This +pair specifies a range of port numbers (i.e. x:y specifies that all +ports between x and y inclusive should match). A port description +matches a particular port number if any of the following is true: +.nf + - the port description is null + + - the first pair of port numbers is a range and the port number + is in the range (inclusive) + + - the port number is equal to any of the port numbers in the list +.fi +.PP +There is a limit of a total of 10 port numbers in the source and +destination port lists. This limit is arbitrary and easy to increase. +It is determined by the value of the IP_FIREWALL_MAX_PORTS #define +variable in ip_firewall.h. Each increase of 1 for this value adds two +bytes to the size of each firewall. Since the size of a firewall is only +slightly over 30 bytes right now, this limit of 10 could probably +be increased by quite a bit before it became a concern. I've been +thinking of increasing it to 20 which would be longer than any +reasonable firewall would need and would only consume 20 more bytes +per firewall. The counter argument to any increase is that it is +always possible to construct an equivalent set of two or more firewalls +that behaves like a single firewall with a really long port list. +.PP +This probably all sounds hopelessly complicated. It is actually not +all that tricky (I'm just not very good at explaining it yet). A few +examples will probably help a lot now: +.PP +Block all IP packets originating from the host hackers-den: +.PP +.nf + ipfirewall addb deny all from hackers-den to 0.0.0.0/0 +.fi +.PP +Block all telnet packets to our telnet server from anywhere: +.PP +.nf + ipfirewall addb deny tcp from 0.0.0.0/0 to mymachine/32 telnet +.fi +.PP +Don't forward telnet, rlogin and rsh packets onto our local +class C network: +.PP +.nf + ipfirewall addf deny tcp from 0.0.0.0/0 to ournetwork/24 telnet login shell +.fi +.PP +Don't let anyone on the local machine or any machine inside +our local network ftp access to games.com: +.PP +.nf + ipfirewall addb deny tcp from games.com ftp to 0.0.0.0/0 +.fi +.PP +This last one might look a little strange. It doesn't prevent +anyone from sending packets to the games.com ftp server. What it +does do is block any packets that the games.com ftp server sends +back! +.PP +The +.I ipfirewall checkblocking +and +.I ipfirewall checkforwarding +commands take a description of an IP packet and check to see if the blocking +or forwarding chain of firewalls respectively accept or reject the packet. +It is used to make sure that the firewalls that you've defined work as +expected. The basic syntax is probably best understood by looking at +a couple of examples: +.PP +.nf + ipfirewall checkb from bsdi.com 3001 to mymachine telnet +.fi +.PP +checks to see if the blocking firewall will block a telnet packet from +a telnet session originating on bsdi.com to the host mymachine will be +blocked or not. Note that someone connecting to our telnet server +could be using practically any port number. To be really sure, the +firewall used to prevent access should be as simple as possible and/or +you should try a variety of port numbers in addition to the rather +arbitrarily chosen port of 3001. +.PP +One final note on the check* ,add* and del* command syntax. The noise word +"to" exists in the syntax so that I can detect the end of a list of +port numbers in the from description. Since I needed a noise word to +detect this case, I added the noise word "from" in front of the from +case for consistency. +.PP +Finally, have a look at the file +.I "/usr/share/misc/ipfw.samp.filters" +. It is the set of filters that I run at home [Danny]. +.PP +Also check +.I "/usr/share/misc/ipfw.samp.scripts" +For examples of individual access restrictions. +We [NetVision] use those for our dial-in PPP/SLIP users to allow some of them +to access our internal networks, while disallowing others. +This way we open access for the user's IP when he enters the system and shut it +down when he leaves. All such changes may be applyed at any time, +and so entries added and deleted from firewall while the system is +is working have no other side effects [Ugen]. + +.SH "TECHNICAL DETAILS" +A bit of a description of how the firewalls are applied (i.e. what happens in +the kernel) may be instructive to the advanced firewall-builder: +.PP +When an IP packet is received, the ipintr() routine in ip_input.c is +called. This routine does a bit of basic error checking. If it +detects any errors in the packet it generally drops the packet on +the floor. The idea behind the ipfirewall facility is to treat packets +that we don't want to accept as bad packets (i.e. drop them on the +floor). The ipfirewall facility intercedes in the normal processing +at two points. Just after the basic sanity checks are done, we pass +any packets not targeted at the loopback network (127.0.0.0/8) to the +firewall checker along with the chain of blocking firewalls.If the firewall +checker tells us to block the packet then we branch to the "bad:" label +in ipintr() which is where all bad packets are dropped on the floor. +Otherwise, we allow normal processing of the packet to continue. The +exact point at which we intercede was chosen to be after the basic +sanity checking and before the option processing is done. We want to +be after the basic sanity checking so that we don't have to be able +to handle complete garbage. We want to be before the option processing +because option processing is done in separate rather complex routine. +Why bother doing this special processing if we might be dropping the +packet? +.PP +The second point at which we intercede is when a packet is about to be +forwarded to another host. All such packets are passed to the ip_forward +routine. The ipfirewall code is at the very top of this routine. If +the packet isn't targetted at the loopback interface (is it possible +that it could be when we reach this point? I doubt it but safety first) +then pass the packet to the firewall checker along with the forwarding +firewall chain. If the firewall checker indicates that the packet should +not be forwarded then we drop in (using code copied from a few lines +further into the routine which drops broadcast packets which are not +to be forwarded). +.PP +There are a couple of consequences of this approach: +.PP +1) Packets which are blocked are never forwarded (something to keep +in mind when designing firewalls). +.PP +2) Packets targeted at the loopback interface (127.0.0.0/8) are never +blocked. Blocking packets to the loopback interface seems pointless +and potentially quite confusing. It also makes a possibly common +case very cheap. +.PP +3) The sender of a packet which is blocked receives no indication that +the packet was dropped. The Telebit NetBlazer can be configured to +silently drop a blocked packet or to send back a "you can't get there +from here" packet to the sender. Implementing the later would have +been more work (possibly quite a bit more, I don't really know). Also, +I don't see any reason to give a potential hacker any more information +than necessary. Dropping the packet into the bit bucket seems like +the best way to keep a hacker guessing. [Danny] +.PP +(I am working on this feature, it would be made optional and +configurable by some ICMP_UNREACH_ON_DROP option, or such [Ugen]). +.PP +The firewall checker takes two parameters. The first parameter is a pointer +to the packet in question. The second parameter is a pointer to the +appropriate firewall chain. At the present time, the firewall checker passes +these parameters to a second routine which is the real firewall checker. +If the real checker says NO then an appropriate message is printed +onto the console. This is useful for debugging purposes. Whether or +not it remains in the long term depends on whether it is considered useful +for logging purposes (I'm a little reluctant to leave it in since it +provides a hacker with a way to commit a "denial of service" offense +against you by filling up your /var/log/messages file's file system +with error messages. There are ways of preventing this but ... [Danny]). +In default configuration now no information about dropped packets +printed.You may, however, define it as i do by adding +.I options IPFIREWALL_VERBOSE +to your kernel configuration file. Very useful thingy! [Ugen] + +.PP +A return value of 0 from this routine (or the real firewall checker) +indicates that the packet is to be dropped. A value of 1 indicates +that the packet is to be accepted. In the early testing stages you +might want to make the top level firewall checker always return 1 even +if the real checker returns 0 just in case the real firewall checker +screws up (or your firewalls aren't as well designed as they should be). +In fact, this might be a useful optional feature (providing a way to +leave a door unlocked doesn't seem all that wise but it has to be +balanced against the inconvenience to legitimate users who might get +screwed up by poorly designed firewalls). + +.PP +The real firewall returns 1 (accept the packet) if the chain is empty. If +efficiency is a concern (which it is in this code), this check should +be done in ip_input.c before calling the firewall checker. + +.PP +Assuming that there is a firewall chain to scan through, the real firewall +checker picks up the src and dst IP addresses from the IP packet. It +then goes through the firewall chain looking for the first firewall that +matches the packet. Once a matching firewall has been found, a value of +1 is returned if the firewall is an accept firewall and a value of 0 is +returned otherwise. +.PP +The following processing is done for each firewall on the chain: +.PP +1) check the src and dst IP addresses. If they don't match then +there isn't any point in looking any further at this firewall. +This check is done by anding the packet's IP addresses the +with appropriate masks and comparing the results to the +appropriate addresses in the firewall. Note that the mask is +NOT applied to the address in the firewall. If it has any 1 +bits that are 0 bits in the mask then the firewall will never +match (this will be checked in ipfirewall soon). If the addresses +match then we continue with the next step. +.PP +2) If the firewall is a universal firewall then we've got a match. +Return either 0 or 1 as appropriate. Otherwise, continue with +the next step. +.PP +3) Examine the IP protocol from the packet. If we havn't had to +look at it before then we get it and set a local variable to +IP_FIREWALL_TCP for TCP/IP packets, IP_FIREWALL_UDP for UDP/IP +packets, IP_FIREWALL_ICMP for ICMP packets, and IP_FIREWALL_UNIVERSAL +for all other packet types. Also, if the packet is a TCP/IP or +a UDP/IP packet, save the source and destination port numbers +at this point (taking advantage of the fact that the port numbers +are stored in the same place in either a TCP/IP or a UDP/IP +packet header). If the packet is neither a TCP/IP or a UDP/IP +packet then this firewall won't match it (on to the next firewall). +If this packet's protocol doesn't match this firewall's protocol +(which can't be universal or we wouldn't be here) then on to +the next firewall. Otherwise, continue with the next step. +.PP +4) We're checking either a TCP/IP or a UDP/IP packet. If the +firewall's source port list is empty or the packet's source +port matches something in the source port list AND if the firewall's +destination port list is empty or the packet's destination +port matches something in the destination port list then +we've got a match (return 0 or 1 as appropriate). Otherwise, +on to the next firewall. +.PP +As indicated above, if no packet on the chain matches the packet then +it is accepted if the first firewall was a deny firewall and it is rejected +if the first firewall was an accept packet. This is equivalent to the +default behaviour of a Telebit NetBlazer. They provide a way to override +this behaviour. I'm not convinced that it is necessary (I'm open to +suggestions). +.PP +That's about it for the firewall checker. The +.I ipfw +program communicates with the kernel part of the firewall facility by making +setsockopt calls on RAW IP sockets. Only root is allowed to open a RAW IP +socket. This ensures that only root uses +.I ipfw to manipulate the firewall facility. +Also, somewhere in the kernel source or on a man page, I read that the +RAW IP setsockopt calls are intended for manipulating the IP protocol layer +as opposed to manipulating any particular instance of a socket. This seems +like a reasonable description of what the firewall setsockopt command +codes do. +.PP +There are seven setsockopt command codes defined by the firewall facility +(in netinet/in.h). They are: +.PP +.nf + IP_FLUSH_FIREWALLS flush (i.e. free) both firewall chains. + + IP_ADD_FORWARDING_FIREWALL add firewall pointed at by optval parm to + the end of the forwarding firewall chain. + + IP_ADD_BLOCKING_FIREWALL add firewall pointed at by optval parm to + the end of the blocking firewall chain. + + IP_DEL_FORWARDING_FIREWALL delete firewall pointed at by optval parm + from the forwarding firewall chain. + + IP_DEL_BLOCKING_FIREWALL delete firewall pointed at by optval parm + from the blocking firewall chain. + + IP_CHECK_FORWARDING_FIREWALL pass the IP packet do the firewall checker + along with the forwarding firewall chain. + Return 0 if packet was accepted, -1 (with + errno set to EACCES) if it wasn't. + + IP_CHECK_BLOCKING_FIREWALL pass the IP packet do the firewall checker + along with the blocking firewall chain. + Return 0 if packet was accepted, -1 (with + errno set to EACCES) if it wasn't. + + The IP_ADD_* and IP_DEL_* command codes do a fair bit of validity checking. + It is quite unlikely that a garbage firewall could get past them that + would cause major problems in the firewall checker. It IS possible for + a garbage packet to get past the checks which causes major grief because + it either blocks or accepts packets according to unusual rules (the rules + will conform to the ones described above but will probably come as quite + a surprise). + + The IP_CHECK_* command codes expect the optval parameter to point + to a struct ip immediately followed by a header appropriate to the protocol + value described in the ip_p field of the ip header. The exact requirements + are as follows: + + - The length of the optval parameter must be at least + + sizeof(struct ip) + 2 * sizeof(u_short) + + since this is the amount of memory that might be referenced by + the firewall checker. + + - The ip_hl field of the ip structure must be equal to + + sizeof(struct ip) / sizeof(int) + + since this value indicates that the tcp/udp/??? header immediately + follows the ip header (appropriate for the purposes that this + interface is intended for). + + Failure to follow these rules (for either the IP_ADD_*,IP_DEL_* or the + IP_CHECK_*_FIREWALL commands) will result in a return value of -1 with + errno set to EINVAL (for now, it will also result in an appropriate + message on the console). + + To read current configuration of firewalls,the kvm_read() function used. + Symbols,which you have to find are : + struct ip_firewall * ip_firewall_blocking_chain ; + struct ip_firewall * ip_firewall_forwarding_chain ; + Both are pointers to the linked list of firewall entries. + Of course, you must at least be a member of group kmem to read kernel + symbols. +.fi +.PP +There are a couple of additional details that are worth reading about in +the ip_firewall.h file. Other than that, let the authors know how you do! +If you have any problems, you may call Danny Boulet at home (403 449-1835) +or send e-mail to . If you call, please keep in +mind that Danny lives in the Canadian Mountain timezone (GMT-0600). +.PP +You may also reach some commercial users of this package (and also those +responsible for porting it to FreeBSD and adding several additional +commands), at 972-4-550-330, or via email at . +If you call, remember that Ugen lives in the Israel timezone, which is GMT+02. + +.SH FILES +/usr/share/misc/ipfw.samp.filters +/usr/share/misc/ipfw.samp.scripts +.SH "BUGS" +You can very easily hose your machine utterly if you don't know what you're +doing. Dieses Befehl ist nur fuer Experten! +.SH "SEE ALSO" +.BR reboot (1) , +.BR /sys/i386/conf/IPFIREWALL +.SH AUTHORS +Daniel Boulet +Ugen J.S.Antsilevich +Jordan K. Hubbard [Crimes committed in this manpage] diff --git a/sbin/ipfw/ipfw.c b/sbin/ipfw/ipfw.c new file mode 100644 index 000000000000..6178dc3971f4 --- /dev/null +++ b/sbin/ipfw/ipfw.c @@ -0,0 +1,1006 @@ +/* + * Copyright (c) 1993 Daniel Boulet + * Copyright (c) 1994 Ugen J.S.Antsilevich + * + * Redistribution and use in source forms, with and without modification, + * are permitted provided that this entire comment appears intact. + * + * Redistribution in binary form may occur without any restrictions. + * Obviously, it would be nice if you gave credit where credit is due + * but requiring it would be too onerous. + * + * This software is provided ``AS IS'' without any warranties of any kind. + * + * + * Command line interface for IP firewall facility + */ + +#define IPFIREWALL +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +struct nlist nl[]={ +#define N_BCHAIN 0 + { "_ip_fw_blk_chain" }, +#define N_FCHAIN 1 + { "_ip_fw_fwd_chain" }, +#define N_POLICY 2 + { "_ip_fw_policy" }, + "" , +}; + +typedef enum { + IPF_BLOCKING, + IPF_FORWARDING +} ipf_kind; + +int do_resolv=1; + +show_usage() +{ +fprintf(stderr,"ipfw: [-n] \n"); +} + + +static +void +print_ip(xaddr) +struct in_addr xaddr; +{ + u_long addr = ntohl(xaddr.s_addr); + printf("%d.%d.%d.%d",(addr>>24) & 0xff,(addr>>16)&0xff,(addr>>8)&0xff,addr&0xff); +} + +void +show_firewall_chain(chain) +struct ip_firewall *chain; +{ + char *comma; + u_long adrt; + struct hostent *he; + int i; + + if ( chain->flags & IP_FIREWALL_ACCEPT ) { + printf("accept "); + } else { + printf("deny "); + } + + switch ( chain->flags & IP_FIREWALL_KIND ) { + case IP_FIREWALL_ICMP: printf("icmp "); break; + case IP_FIREWALL_TCP: printf("tcp "); break; + case IP_FIREWALL_UDP: printf("udp "); break; + case IP_FIREWALL_UNIVERSAL: printf("all "); break; + default: break; + } + printf("from "); + + adrt=ntohl(chain->src_mask.s_addr); + if (adrt==0xFFFFFFFFl && do_resolv) + { + adrt=(chain->src.s_addr); + he=gethostbyaddr((char *)&adrt,sizeof(u_long),AF_INET); + if (he==NULL) + { + print_ip(chain->src); printf(":"); + print_ip(chain->src_mask); + } + else + printf("%s",he->h_name); + } + else + { + print_ip(chain->src); printf(":"); + print_ip(chain->src_mask); + } + + comma = " "; + for ( i = 0; i < chain->num_src_ports; i += 1 ) { + printf("%s%d",comma,chain->ports[i]); + if ( i == 0 && (chain->flags & IP_FIREWALL_SRC_RANGE) ) { + comma = ":"; + } else { + comma = ","; + } + } + + printf(" to "); + adrt=ntohl(chain->dst_mask.s_addr); + if (adrt==0xFFFFFFFFl && do_resolv) + { + adrt=(chain->dst.s_addr); + he=gethostbyaddr((char *)&adrt,sizeof(u_long),AF_INET); + if (he==NULL) + { + print_ip(chain->dst); printf(":"); + print_ip(chain->dst_mask); + } + else + printf("%s",he->h_name); + } + else + { + print_ip(chain->dst); printf(":"); + print_ip(chain->dst_mask); + } + + comma = " "; + for ( i = 0; i < chain->num_dst_ports; i += 1 ) { + printf("%s%d",comma,chain->ports[chain->num_src_ports+i]); + if ( i == chain->num_src_ports && (chain->flags & IP_FIREWALL_DST_RANGE) ) { + comma = ":"; + } else { + comma = ","; + } + } + printf("\n"); + /* chain = chain->next; */ +} + + +list_kernel_data() +{ +kvm_t *kd; +static char errb[_POSIX2_LINE_MAX]; +struct ip_firewall b,*btmp; + + if ( (kd=kvm_openfiles(NULL,NULL,NULL,O_RDONLY,errb)) == NULL) + { + printf("kvm_openfiles: %s\n",kvm_geterr(kd)); + exit(1); + } + if (kvm_nlist(kd,nl) < 0 || nl[0].n_type == 0) + { + printf("kvm_nlist: no namelist in %s\n",getbootfile()); + exit(1); + } + +kvm_read(kd,(u_long)nl[N_BCHAIN].n_value,&b,sizeof(struct ip_firewall)); +printf("Blocking chain entries:\n"); +while(b.next!=NULL) +{ + btmp=b.next; + kvm_read(kd,(u_long)btmp,&b,sizeof(struct ip_firewall)); + show_firewall_chain(&b); +} + +kvm_read(kd,(u_long)nl[N_FCHAIN].n_value,&b,sizeof(struct ip_firewall)); +printf("Forwarding chain entries:\n"); +while(b.next!=NULL) +{ + btmp=b.next; + kvm_read(kd,(u_long)btmp,&b,sizeof(struct ip_firewall)); + show_firewall_chain(&b); +} +} + + + +static +char * +fmtip(u_long uaddr) +{ + static char tbuf[100]; + + sprintf(tbuf,"%d.%d.%d.%d", + ((char *)&uaddr)[0] & 0xff, + ((char *)&uaddr)[1] & 0xff, + ((char *)&uaddr)[2] & 0xff, + ((char *)&uaddr)[3] & 0xff); + + return( &tbuf[0] ); +} + +static +void +print_ports(int cnt, int range, u_short *ports) +{ + int ix; + char *pad; + + if ( range ) { + if ( cnt < 2 ) { + fprintf(stderr,"ipfw: range flag set but only %d ports\n",cnt); + abort(); + } + printf("%d:%d",ports[0],ports[1]); + ix = 2; + pad = " "; + } else { + ix = 0; + pad = ""; + } + + while ( ix < cnt ) { + printf("%s%d",pad,ports[ix]); + pad = " "; + ix += 1; + } +} + +int +do_setsockopt( int fd, int proto, int cmd, void *data, int datalen, int ok_errno ) +{ + + switch ( cmd ) { + case IP_FW_FLUSH: break; + case IP_FW_POLICY: break; + case IP_FW_CHK_BLK: break; + case IP_FW_CHK_FWD: break; + case IP_FW_ADD_BLK: break; + case IP_FW_ADD_FWD: break; + case IP_FW_DEL_BLK: break; + case IP_FW_DEL_FWD: break; + default: + fprintf(stderr,"ipfw: unknown command (%d) passed to setsockopt\n",cmd); + exit(1); + } + if ( setsockopt(fd, proto, cmd, data, datalen) < 0 ) { + if ( errno == ok_errno ) { + return(errno); + } + perror("ipfw: setsockopt"); + exit(1); + } + return(0); +} + +void +show_parms(char **argv) +{ + while ( *argv ) { + printf("%s ",*argv++); + } +} + +int +get_protocol(char *arg,void (*cmd_usage)(ipf_kind),ipf_kind kind) +{ + if ( arg == NULL ) { + fprintf(stderr,"ipfw: missing protocol name\n"); + } else if ( strcmp(arg, "tcp") == 0 ) { + return( IP_FIREWALL_TCP ); + } else if ( strcmp(arg, "udp") == 0 ) { + return( IP_FIREWALL_UDP ); + } else if ( strcmp(arg, "icmp") == 0 ) { + return( IP_FIREWALL_ICMP ); + } else if ( strcmp(arg, "all") == 0 ) { + return( IP_FIREWALL_UNIVERSAL ); + } else { + fprintf(stderr,"illegal protocol name \"%s\"\n",arg); + } + exit(1); + return(0); +} + +void +get_ipaddr(char *arg,struct in_addr *addr,struct in_addr *mask,void(*usage)(ipf_kind),ipf_kind kind) +{ + char *p, *tbuf; + int period_cnt, non_digit; + struct hostent *hptr; + + if ( arg == NULL ) { + fprintf(stderr,"ipfw: missing ip address\n"); + exit(1); + } + + period_cnt = 0; + non_digit = 0; + for ( p = arg; *p != '\0' && *p != '/' && *p != ':'; p += 1 ) { + if ( *p == '.' ) { + if ( p > arg && *(p-1) == '.' ) { + fprintf(stderr,"ipfw: two periods in a row in ip address (%s)\n",arg); + exit(1); + } + period_cnt += 1; + } else if ( !isdigit(*p) ) { + non_digit = 1; + } + } + + tbuf = malloc(p - arg + 1); + strncpy(tbuf,arg,p-arg); + tbuf[p-arg] = '\0'; + + if ( non_digit ) + { + if (do_resolv) + { + hptr = gethostbyname(tbuf); + if ( hptr == NULL ) { + fprintf(stderr,"ipfw: unknown host \"%s\"\n",tbuf); + exit(1); + } + } + else + { + fprintf(stderr,"ipfw: bad IP \"%s\"\n",tbuf); + exit(1); + } + + if ( hptr->h_length != sizeof(struct in_addr) ) { + fprintf(stderr,"ipfe: hostentry addr length = %d, expected 4\n", + hptr->h_length,sizeof(struct in_addr)); + exit(1); + } + + bcopy( hptr->h_addr, addr, sizeof(struct in_addr) ); + + } else { + + if ( period_cnt == 3 ) { + + int a1, a2, a3, a4; + + sscanf(tbuf,"%d.%d.%d.%d",&a1,&a2,&a3,&a4); + + if ( a1 > 255 || a2 > 255 || a3 > 255 || a4 > 255 ) { + fprintf(stderr,"ipfw: number too large in ip address (%s)\n",arg); + exit(1); + } + + ((char *)addr)[0] = a1; + ((char *)addr)[1] = a2; + ((char *)addr)[2] = a3; + ((char *)addr)[3] = a4; + + } else if ( strcmp(tbuf,"0") == 0 ) { + + ((char *)addr)[0] = 0; + ((char *)addr)[1] = 0; + ((char *)addr)[2] = 0; + ((char *)addr)[3] = 0; + + } else { + + fprintf(stderr,"ipfw: incorrect ip address format \"%s\"\n",tbuf); + exit(1); + + } + + } + + free(tbuf); + + if ( mask == NULL ) { + + if ( *p != '\0' ) { + fprintf(stderr,"ipfw: ip netmask no allowed here (%s)\n",addr); + exit(1); + } + + } else { + + if ( *p == ':' ) { + + get_ipaddr(p+1,mask,NULL,usage,kind); + + } else if ( *p == '/' ) { + + int bits; + char *end; + + p += 1; + if ( *p == '\0' ) { + fprintf(stderr,"ipfw: missing mask value (%s)\n",arg); + exit(1); + } else if ( !isdigit(*p) ) { + fprintf(stderr,"ipfw: non-numeric mask value (%s)\n",arg); + exit(1); + } + + bits = strtol(p,&end,10); + if ( *end != '\0' ) { + fprintf(stderr,"ipfw: junk after mask (%s)\n",arg); + exit(1); + } + + if ( bits < 0 || bits > sizeof(u_long) * 8 ) { + fprintf(stderr,"ipfw: mask length value out of range (%s)\n",arg); + exit(1); + } + + if ( bits == 0 ) { /* left shifts of 32 aren't defined */ + mask->s_addr = 0; + } else { + ((char *)mask)[0] = (-1 << (32 - bits)) >> 24; + ((char *)mask)[1] = (-1 << (32 - bits)) >> 16; + ((char *)mask)[2] = (-1 << (32 - bits)) >> 8; + ((char *)mask)[3] = (-1 << (32 - bits)) >> 0; + } + + } else if ( *p == '\0' ) { + + mask->s_addr = 0xffffffff; + + } else { + + fprintf(stderr,"ipfw: junk after ip address (%s)\n",arg); + exit(1); + + } + + /* + * Mask off any bits in the address that are zero in the mask. + * This allows the user to describe a network by specifying + * any host on the network masked with the network's netmask. + */ + + addr->s_addr &= mask->s_addr; + + } + +} + +u_short +get_one_port(char *arg,void (*usage)(ipf_kind),ipf_kind kind,const char *proto_name) +{ + int slen = strlen(arg); + + if ( slen > 0 && strspn(arg,"0123456789") == slen ) { + int port; + char *end; + + port = strtol(arg,&end,10); + if ( *end != '\0' ) { + fprintf(stderr,"ipfw: illegal port number (%s)\n",arg); + exit(1); + } + + if ( port <= 0 || port > 65535 ) { + fprintf(stderr,"ipfw: port number out of range (%d)\n",port); + exit(1); + } + + return( port ); + + } else { + + struct servent *sptr; + + sptr = getservbyname(arg,proto_name); + + if ( sptr == NULL ) { + fprintf(stderr,"ipfw: unknown %s service \"%s\"\n",proto_name,arg); + exit(1); + } + + return( ntohs(sptr->s_port) ); + + } + +} + +int +get_ports(char ***argv_ptr,u_short *ports,int min_ports,int max_ports,void (*usage)(ipf_kind),ipf_kind kind,const char *proto_name) +{ + int ix; + char *arg; + int sign; + + ix = 0; + sign = 1; + while ( (arg = **argv_ptr) != NULL && strcmp(arg,"from") != 0 && strcmp(arg,"to") != 0 ) { + + char *p; + + /* + * Check that we havn't found too many port numbers. + * We do this here instead of with another condition on the while loop + * so that the caller can assume that the next parameter is NOT a port number. + */ + + if ( ix >= max_ports ) { + fprintf(stderr,"ipfw: too many port numbers (max %d\n",max_ports); + exit(1); + } + + if ( (p = strchr(arg,':')) == NULL ) { + + ports[ix++] = get_one_port(arg,usage,kind,proto_name); + + } else { + + if ( ix > 0 ) { + + fprintf(stderr,"ipfw: port ranges are only allowed for the first port value pair (%s)\n",arg); + exit(1); + + } + + if ( max_ports > 1 ) { + + char *tbuf; + + tbuf = malloc( (p - arg) + 1 ); + strncpy(tbuf,arg,p-arg); + tbuf[p-arg] = '\0'; + + ports[ix++] = get_one_port(tbuf,usage,kind,proto_name); + ports[ix++] = get_one_port(p+1,usage,kind,proto_name); + sign = -1; + + } else { + + fprintf(stderr,"ipfw: port range not allowed here (%s)\n",arg); + exit(1); + + } + } + + *argv_ptr += 1; + } + + if ( ix < min_ports ) { + if ( min_ports == 1 ) { + fprintf(stderr,"ipfw: missing port number%s\n",max_ports == 1 ? "" : "(s)" ); + } else { + fprintf(stderr,"ipfw: not enough port numbers (expected %d)\n",min_ports); + } + exit(1); + } + + return( sign * ix ); + +} + +void +check_usage(ipf_kind kind) +{ + fprintf(stderr,"usage: ipfw check%s \n", + kind == IPF_BLOCKING ? "blocking" : "forwarding"); +} + +void +check(ipf_kind kind, int socket_fd, char **argv) +{ + int protocol; + struct ip *packet; + char *proto_name; + + packet = (struct ip *)malloc( sizeof(struct ip) + sizeof(struct tcphdr) ); + packet->ip_v = IPVERSION; + packet->ip_hl = sizeof(struct ip) / sizeof(int); + + + proto_name = *argv++; + protocol = get_protocol(proto_name,check_usage,kind); + switch ( protocol ) { + case IP_FIREWALL_TCP: packet->ip_p = IPPROTO_TCP; break; + case IP_FIREWALL_UDP: packet->ip_p = IPPROTO_UDP; break; + default: + fprintf(stderr,"ipfw: can only check TCP or UDP packets\n"); + break; + } + + if ( *argv == NULL ) { + fprintf(stderr,"ipfw: missing \"from\" from keyword\n"); + exit(1); + } + if ( strcmp(*argv,"from") == 0 ) { + argv += 1; + get_ipaddr(*argv++,&packet->ip_src,NULL,check_usage,kind); + if ( protocol == IP_FIREWALL_TCP || protocol == IP_FIREWALL_UDP ) { + get_ports(&argv,&((struct tcphdr *)(&packet[1]))->th_sport,1,1,check_usage,kind,proto_name); + ((struct tcphdr *)(&packet[1]))->th_sport = htons( + ((struct tcphdr *)(&packet[1]))->th_sport + ); + } + } else { + fprintf(stderr,"ipfw: expected \"from\" keyword, got \"%s\"\n",*argv); + exit(1); + } + + if ( *argv == NULL ) { + fprintf(stderr,"ipfw: missing \"to\" from keyword\n"); + exit(1); + } + if ( strcmp(*argv,"to") == 0 ) { + argv += 1; + get_ipaddr(*argv++,&packet->ip_dst,NULL,check_usage,kind); + if ( protocol == IP_FIREWALL_TCP || protocol == IP_FIREWALL_UDP ) { + get_ports(&argv,&((struct tcphdr *)(&packet[1]))->th_dport,1,1,check_usage,kind,proto_name); + ((struct tcphdr *)(&packet[1]))->th_dport = htons( + ((struct tcphdr *)(&packet[1]))->th_dport + ); + } + } else { + fprintf(stderr,"ipfw: expected \"to\" keyword, got \"%s\"\n",*argv); + exit(1); + } + + if ( *argv == NULL ) { + + + if ( do_setsockopt( + socket_fd, IPPROTO_IP, + kind == IPF_BLOCKING ? IP_FW_CHK_BLK : IP_FW_CHK_FWD, + packet, + sizeof(struct ip) + sizeof(struct tcphdr), + EACCES + ) == 0 + ) { + printf("packet accepted by %s firewall\n", + kind == IPF_BLOCKING ? "blocking" : "forwarding"); + } else { + printf("packet rejected by %s firewall\n", + kind == IPF_BLOCKING ? "blocking" : "forwarding"); + } + + return; + + } else { + fprintf(stderr,"ipfw: extra parameters at end of command ("); + show_parms(argv); + fprintf(stderr,")\n"); + exit(1); + } +} + +void +add_usage(ipf_kind kind) +{ + fprintf(stderr,"usage: ipfw add%s [accept|deny] \n", + kind == IPF_BLOCKING ? "blocking" : "forwarding"); +} + +void +add(ipf_kind kind, int socket_fd, char **argv) +{ + int protocol, accept_firewall, src_range, dst_range; + struct ip_firewall firewall; + char *proto_name; + + + if ( *argv == NULL ) { + add_usage(kind); + exit(1); + } + + if ( strcmp(*argv,"deny") == 0 ) { + accept_firewall = 0; + } else if ( strcmp(*argv,"accept") == 0 ) { + accept_firewall = IP_FIREWALL_ACCEPT; + } else { + add_usage(kind); + exit(1); + } + + argv += 1; + proto_name = *argv++; + protocol = get_protocol(proto_name,add_usage,kind); + + if ( *argv == NULL ) { + fprintf(stderr,"ipfw: missing \"from\" keyword\n"); + exit(1); + } + if ( strcmp(*argv,"from") == 0 ) { + argv++; + get_ipaddr(*argv++,&firewall.src,&firewall.src_mask,add_usage,kind); + if ( protocol == IP_FIREWALL_TCP || protocol == IP_FIREWALL_UDP ) { + int cnt; + cnt = get_ports(&argv,&firewall.ports[0],0,IP_FIREWALL_MAX_PORTS,add_usage,kind,proto_name); + if ( cnt < 0 ) { + src_range = IP_FIREWALL_SRC_RANGE; + cnt = -cnt; + } else { + src_range = 0; + } + firewall.num_src_ports = cnt; + } else { + firewall.num_src_ports = 0; + src_range = 0; + } + } else { + fprintf(stderr,"ipfw: expected \"from\", got \"%s\"\n",*argv); + exit(1); + } + + if ( *argv == NULL ) { + fprintf(stderr,"ipfw: missing \"to\" keyword\n"); + exit(1); + } + if ( strcmp(*argv,"to") == 0 ) { + argv++; + get_ipaddr(*argv++,&firewall.dst,&firewall.dst_mask,add_usage,kind); + if ( protocol == IP_FIREWALL_TCP || protocol == IP_FIREWALL_UDP ) { + int cnt; + cnt = get_ports(&argv,&firewall.ports[firewall.num_src_ports],0,IP_FIREWALL_MAX_PORTS-firewall.num_src_ports,add_usage,kind,proto_name); + if ( cnt < 0 ) { + dst_range = IP_FIREWALL_DST_RANGE; + cnt = -cnt; + } else { + dst_range = 0; + } + firewall.num_dst_ports = cnt; + } else { + firewall.num_dst_ports = 0; + dst_range = 0; + } + } else { + fprintf(stderr,"ipfw: expected \"to\", got \"%s\"\n",*argv); + exit(1); + } + + if ( *argv == NULL ) { + + firewall.flags = protocol | accept_firewall | src_range | dst_range; + (void)do_setsockopt( + socket_fd, IPPROTO_IP, + kind == IPF_BLOCKING ? IP_FW_ADD_BLK : IP_FW_ADD_FWD, + &firewall, + sizeof(firewall), + 0 + ); + + } else { + fprintf(stderr,"ipfw: extra parameters at end of command ("); + show_parms(argv); + fprintf(stderr,")\n"); + exit(1); + } +} + +void +del_usage(ipf_kind kind) +{ + fprintf(stderr,"usage: ipfw del%s \n", + kind == IPF_BLOCKING ? "blocking" : "forwarding"); +} + +void +del(ipf_kind kind, int socket_fd, char **argv) +{ + int protocol, accept_firewall, src_range, dst_range; + struct ip_firewall firewall; + char *proto_name; + + if ( *argv == NULL ) { + fprintf(stderr,"ipfw: missing \"accept\" or \"deny\" keyword\n"); + exit(1); + } + + if ( strcmp(*argv,"deny") == 0 ) { + accept_firewall = 0; + } else if ( strcmp(*argv,"accept") == 0 ) { + accept_firewall = IP_FIREWALL_ACCEPT; + } else { + fprintf(stderr,"ipfw: expected \"accept\" or \"deny\", got \"%s\"\n",*argv); + exit(1); + } + + argv += 1; + proto_name = *argv++; + protocol = get_protocol(proto_name,del_usage,kind); + + if ( *argv == NULL ) { + fprintf(stderr,"ipfw: missing \"from\" keyword\n"); + exit(1); + } + if ( strcmp(*argv,"from") == 0 ) { + argv++; + get_ipaddr(*argv++,&firewall.src,&firewall.src_mask,del_usage,kind); + if ( protocol == IP_FIREWALL_TCP || protocol == IP_FIREWALL_UDP ) { + int cnt; + cnt = get_ports(&argv,&firewall.ports[0],0,IP_FIREWALL_MAX_PORTS,del_usage,kind,proto_name); + if ( cnt < 0 ) { + src_range = IP_FIREWALL_SRC_RANGE; + cnt = -cnt; + } else { + src_range = 0; + } + firewall.num_src_ports = cnt; + } else { + firewall.num_src_ports = 0; + src_range = 0; + } + } else { + fprintf(stderr,"ipfw: expected \"from\", got \"%s\"\n",*argv); + exit(1); + } + + if ( *argv == NULL ) { + fprintf(stderr,"ipfw: missing \"to\" keyword\n"); + exit(1); + } + if ( strcmp(*argv,"to") == 0 ) { + argv++; + get_ipaddr(*argv++,&firewall.dst,&firewall.dst_mask,del_usage,kind); + if ( protocol == IP_FIREWALL_TCP || protocol == IP_FIREWALL_UDP ) { + int cnt; + cnt = get_ports(&argv,&firewall.ports[firewall.num_src_ports],0,IP_FIREWALL_MAX_PORTS-firewall.num_src_ports,del_usage,kind,proto_name); + if ( cnt < 0 ) { + dst_range = IP_FIREWALL_DST_RANGE; + cnt = -cnt; + } else { + dst_range = 0; + } + firewall.num_dst_ports = cnt; + } else { + firewall.num_dst_ports = 0; + dst_range = 0; + } + } else { + fprintf(stderr,"ipfw: expected \"to\", got \"%s\"\n",*argv); + exit(1); + } + + if ( *argv == NULL ) { + + firewall.flags = protocol | accept_firewall | src_range | dst_range; + (void)do_setsockopt( + socket_fd, IPPROTO_IP, + kind == IPF_BLOCKING ? IP_FW_DEL_BLK : IP_FW_DEL_FWD, + &firewall, + sizeof(firewall), + 0 + ); + + } else { + fprintf(stderr,"ipfw: extra parameters at end of command ("); + show_parms(argv); + fprintf(stderr,")\n"); + exit(1); + } +} + + +void +policy(int socket_fd, char **argv) +{ + int p; + kvm_t *kd; + static char errb[_POSIX2_LINE_MAX]; + int b; + +if (argv[0]==NULL || strlen(argv[0])<=0) + { + if ( (kd=kvm_openfiles(NULL,NULL,NULL,O_RDONLY,errb)) == NULL) + { + printf("kvm_openfiles: %s\n",kvm_geterr(kd)); + exit(1); + } + if (kvm_nlist(kd,nl) < 0 || nl[0].n_type == 0) + { + printf("kvm_nlist: no namelist in %s\n",getbootfile()); + exit(1); + } + +kvm_read(kd,(u_long)nl[N_POLICY].n_value,&b,sizeof(int)); + +if (b==1) + printf("Default policy: ACCEPT\n"); +if (b==0) + printf("Default policy: DENY\n"); +if (b!=0 && b!=1) + printf("Wrong policy value\n"); +exit(1); +} + + if (strncmp(argv[0],"deny",strlen(argv[0]))) + p=1; + else + if (strncmp(argv[0],"accept",strlen(argv[0]))) + p=0; + else + { + fprintf(stderr,"usage: ipfw policy [deny|accept]\n"); + exit(1); + } + + (void)do_setsockopt( + socket_fd, IPPROTO_IP, + IP_FW_POLICY, + &p, + sizeof(p), + 0 + ); +} + + +main(argc,argv) +int argc; +char **argv; +{ + int socket_fd; + struct ip_firewall *data,*fdata; + char **str; + + socket_fd = socket( AF_INET, SOCK_RAW, IPPROTO_RAW ); + + if ( socket_fd < 0 ) { + printf("Can't open raw socket.Must be root to use this programm. \n"); + exit(1); + } + + if ( argc == 1 ) { + show_usage(); + exit(1); + } + + if (!strcmp(argv[1],"-n")) + { + str=&argv[2]; + do_resolv=0; + } + else + str=&argv[1]; + + if (str[0]==NULL) + { + show_usage(); + exit(1); + } + + if ( strcmp(str[0],"list") == 0 ) { + + list_kernel_data(); + + } else if ( strcmp(str[0],"flush") == 0 ) { + + (void)do_setsockopt( socket_fd, IPPROTO_IP, + IP_FW_FLUSH, NULL, 0, 0 ); + + } else if ( strlen(str[0]) >= strlen("checkb") + && strncmp(str[0],"checkblocking",strlen(str[0])) == 0 ) { + + check(IPF_BLOCKING,socket_fd,&str[1]); + + } else if ( strlen(str[0]) >= strlen("checkf") + && strncmp(str[0],"checkforwarding",strlen(str[0])) == 0 ) { + + check(IPF_FORWARDING,socket_fd,&str[1]); + + } else if ( strlen(str[0]) >= strlen("addb") + && strncmp(str[0],"addblocking",strlen(str[0])) == 0 ) { + + add(IPF_BLOCKING,socket_fd,&str[1]); + + } else if ( strlen(str[0]) >= strlen("addf") + && strncmp(str[0],"addforwarding",strlen(str[0])) == 0 ) { + + add(IPF_FORWARDING,socket_fd,&str[1]); + + } else if ( strlen(str[0]) >= strlen("delb") + && strncmp(str[0],"delblocking",strlen(str[0])) == 0 ) { + + del(IPF_BLOCKING,socket_fd,&str[1]); + + } else if ( strlen(str[0]) >= strlen("delf") + && strncmp(str[0],"delforwarding",strlen(str[0])) == 0 ) { + + del(IPF_FORWARDING,socket_fd,&str[1]); + + } else if ( strlen(str[0]) >= strlen("poli") + && strncmp(str[0],"policy",strlen(str[0])) == 0 ) { + + policy(socket_fd,&str[1]); + + } else { + + fprintf(stderr,"ipfw: unknown command \"%s\"\n",str[1]); + show_usage(); + exit(1); + } + + exit(0); +}