From c9a156d59643f274c2ecc88249ed1897aaabe84b Mon Sep 17 00:00:00 2001 From: "Jordan K. Hubbard" Date: Thu, 17 Nov 1994 09:50:30 +0000 Subject: [PATCH] New man pages from Ugen. Delete my old, first attempt. I only hope that the english in Ugen's two replacement pages is not too impenetrable! :-) [Note: Poul - please pull these into the BETA branch along with the other firewall changes] Submitted by: ugen --- sbin/ipfw/Makefile | 4 + sbin/ipfw/ipfirewall.4 | 206 +++++++++++++++++++++++++++++++++++++++++ sbin/ipfw/ipfw.8 | 128 +++++++++++++++++++++++++ 3 files changed, 338 insertions(+) create mode 100644 sbin/ipfw/ipfirewall.4 create mode 100644 sbin/ipfw/ipfw.8 diff --git a/sbin/ipfw/Makefile b/sbin/ipfw/Makefile index 1188c0a448ee..be403fc87924 100644 --- a/sbin/ipfw/Makefile +++ b/sbin/ipfw/Makefile @@ -2,4 +2,8 @@ PROG= ipfw DPADD= ${LIBKVM} LDADD= -lkvm +MAN4= ipfirewall.4 +MLINKS= ipfirewall.4 ipacct.4 ipfirewall.4 ipfw.4 ipfirewall.4 ipaccounting.4 +MAN8= ipfw.8 + .include diff --git a/sbin/ipfw/ipfirewall.4 b/sbin/ipfw/ipfirewall.4 new file mode 100644 index 000000000000..e8aaa7c95612 --- /dev/null +++ b/sbin/ipfw/ipfirewall.4 
@@ -0,0 +1,206 @@ +.Dd November 16, 1994 +.Dt IPFW(4)/IPACCT 4 +.Os +.Sh NAME + +ipfirewall,ipfw - IP packets filter. +ipaccounting,ipacct - IP packets/traffic accounting. + +.Sh SYNOPSIS +#include + +setsockopt(raw_socket,IPPROTO_IP,, + ,) + +Ipfw options: + IP_FW_ADD_BLK - add entry to blocking chain. + IP_FW_ADD_FWD - add entry to forwarding chain. + IP_FW_CHK_BLK - check ip packet against blocking chain. + IP_FW_CHK_FWD - check ip packet against forwarding chain. + IP_FW_DEL_BLK - delete entry from blocking chain. + IP_FW_DEL_FWD - delete entry from forwarding chain. + IP_FW_FLUSH - flush all blocking & forwarding chain entries. + IP_FW_POLICY - define default ipfw policy. + +Ipacct options: + IP_ACCT_ADD - add entry to accounting chain. + IP_ACCT_DEL - delete entry from accounting chain. + IP_ACCT_FLUSH - flush all accounting chain entries. + IP_ACCT_ZERO - zero all accounting chain entries. + +Ipfw/ipacct entry structure: + #define IP_FW_MAX_PORTS 10 + +struct ip_fw { + struct ip_fw *next; + struct in_addr src, dst; + struct in_addr src_mask, dst_mask; + u_short flags; + u_short n_src_p, n_dst_p; + u_short ports[IP_FW_MAX_PORTS]; + u_long p_cnt,b_cnt; +} + +Flags values for "flags" field: + IP_FW_F_ALL - The entry should match all IP packets. + IP_FW_F_TCP - The entry should match TCP packets. + IP_FW_F_UDP - The entry should match UDP packets. + IP_FW_F_ICMP - The entry should match ICMP packets. + IP_FW_F_KIND - Mask value to separate protocol kind. + IP_FW_F_ACCEPT - This entry is accepting ( see below ) + IP_FW_F_SRNG - Source ports are range ( see below ) + IP_FW_F_DRNG - Destination ports are range ( see below ) + IP_FW_F_PRN - Print this entry ( see below ) + IP_FW_F_BIDIR - This acct entry is bidirectional ( see below ) + IP_FW_F_MASK - Mask to match all valid flag bits. + +Kernel symbols to kvm_nlist(): + struct ip_fw *ip_fw_blk_chain - chain of forwarding entries. + struct ip_fw *ip_fw_fwd_chain - chain of blocking entries. 
+ int ip_fw_policy - default policy. + struct ip_fw *ip_acct_chain - chain of accounting entries. + +Options in the kernel configuration file: + IPFIREWALL - enable ipfirewall. + IPFIREWALL_VERBOSE - enable firewall output ( see below ) + DEBUG_IPFIREWALL - enable extensive debugging output. + IPACCT - enable ipaccounting. + +.Sh DESCRIPTION +Ipfirewall (later ipfw) is a system facility,which allows filtering +of incoming and/or forwarding packets on the protocol+source/destination +adress/ports base. +Ipaccounting (later ipacct) is a system facility,which allows counting +of incoming,outgoing and forwarding traffic by packet/byte count. + +Basic idea is that every packet checked against number of entries +in several chains.There are 3 chains: + Blocking - this chain defines whenever packet should be accepted + ever for local delivery or for forwarding. + Forwarding - this chain defines whenever packet should be accepted + for forwarding only. + Accounting - this chain defines types of packets , which should be + counted. + +Entries added to chains by means of setsockopt() call on RAW IP socket. +Options to add/remove specific entries or to flush all entries described +above. Value passed to setsockopt() is a value of struct ip_fw for +entry. If entry added , it checked by such rules that when we start +searching chain for matching entry the first matching is the best match, +[ or at least one of them :^) ]. + That means: + * First in chain entries with specific protocol and small ranges + of src/dst adresses and ports. + * Later going entries with wider ranges of ports and adresses. + * Later entries matching every port for some adress range. + * Later universal entries matching any protocol. + +While deleting entry , every entry which equal to that passed to +setsockopt() will be removed. +Flush removes all entries. 
+ +Every entry have several fields,by which packets matched: + struct ip_fw *next - next entry in chain.(Set internally) + + struct in_addr src - source adress to be matched. + struct in_addr src_mask - source adress mask. + To match whole networks/subnets or adress groups + mask bits should be zeroed here and also + in src_mask field. Valuable bits should be set + in src_mask field. + struct in_addr dst - destination adress to be matched. + struct in_addr dst_mask - destination adress mask. + + u_short flags - flags field.See exact description of flags meaning + in description later. + + u_short n_src_p - number of source ports in "ports" array. + u_short n_dst_p - number of destination ports in "ports" array. + u_short ports[] - ports array.Overall length currently defined + to reasonable maximum - 10,and could be changed. + The packet's src port can ever match one of + ports[0] ... ports[--n_src_p] numbers,or if + flag IP_FW_F_SRNG set take port[0] as bottom + range value and ports[1] as top one.n_src_p should + be set to 2 then.If n_src_p equal to 0 , every port + match. The same rules apply to packet's dst port, + except that it matched against ports[n_src_p] ... + ... ports[n_src_p+n_dst_p--],or if IP_FW_F_DRNG set, + range is ports[n_src_p] to ports[n_srcp++]. + + u_long p_cnt - packets count for ipacct entries. + u_long b_cnt - bytes count for ipacct entries. + +Packet matching proceeds in following way: + +a) If packet entry protocol set to ALL, see c). + +b) If entry protocol set to TCP/UDP/ICMP and packet protocol + different - no match,if packet protocol and entry protocol + same - continue. + +c) If source addres pattern does not equal to packets sources adress + masked with src_mask , or destination pattern not equal to packets + destination adress masked with dst_mask - no match. + If they does and protocol set to ALL/ICMP - got match. + If they does and protocol set to TCP/UDP - continue. 
+ +d) If src port doesn't match or dst port doesn't match - all + packet don't match. If they does - got match. + +In ipfw packet matched consequently against every chain entry. +Search continues untill first matching entry found.If IP_FW_F_ACCEPT +flag set - packet accepted.If it is not set - packet denied. +If no matching entry found , all unmatched packets ever accepted or +denied depending on global polici value. It can be set with +IP_FW_POLICY raw socket option. Deny value is 0, other values +(default 1) is accept. + +Entries can be added with IP_FW_F_PRN flag set.If kernel compiled +with IPFIREWALL_VERBOSE option,packets matching this entries will +be printed by kernel printf's. + +If some chain is empty,every packet accepted by this chain no +matter what default policy is. + +To check whenever or not packet denied by some chain , checking +options to setsockopt() can be issued. Then the argument is +a buffer representing ip packet,thus it has to be +struct ip + struct tcphdr . +Then setsockopt() return value 0 on accept or another on deny. + +Ipaccounting entries added the same way as ipfw ones.Packet checked +against all entries in chain and values of p_cnt and b_cnt in matching +entries rised.p_cnt rises by 1 and b_cnt by ip_len value of ip packet. +Thus all traffic size counted including IP headers. + +If IP_FW_F_BIDIR flag is set in accounting entry,packets counted are +those which match entry in standart way along with packets which match +entry while their source and destination addr/port pairs swapped. + +Zero option allows all accounting to be cleared. + +.Sh DIAGNOSTICS + +[EINVAL] The IP option field was improperly formed; an option + field was shorter than the minimum value or longer than + the option buffer provided.An structural error in + ip_fw structure occured (n_src_p+n_dst_p too big, + ports set for ALL/ICMP protocols etc.) 
+ +.Sh SEE ALSO + +ip(4), setsockopt(2), kvm_nlist(3), kvm_read(3) + +.Sh BUGS + Ipfw/ipacct facilities are new and , although serious bugs has +been tracked,some less important ones expected. + This man page also uncomplete bad styled. + +.Sh HISTORY + Ipfw facility has been intitially written as package to BSDI +by Daniel Boulet . + It has been havily modified and ported to FreeBSD 2.0 +by Ugen J.S.Antsilevich + Ipacct facility written for FreeBSD 2.0 +by Ugen J.S.Antsilevich diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 new file mode 100644 index 000000000000..2c491194fc80 --- /dev/null +++ b/sbin/ipfw/ipfw.8 
@@ -0,0 +1,128 @@ +.Dd November 16, 1994 +.Dt IPFW 8 +.Os +.Sh NAME +ipfw - controlling utility for ipfw/ipacct facilities. + +.Sh SYNOPSIS + + ipfw [-vn] + ipfw [-vn] + ipfw [-vn] + +.Sh DESCRIPTION + In the first synopsis form, the ipfw utility allows adding/removing of +entries of blocking/forwarding/accounting chains. + In the second synopsis form, the ipfw utility checks whenever a given +IP packet type is accepted or denied by a blocking/forwarding firewall. + In the third synopsis form, the ipfw utility allows global actions +on chain-zeroing of counters, and flushing or listing of chain entries +and their counter values. + +The following options are available: + +-v be verbose. The meaning of this option varies depending on ipfw + usage. + +-n do not resolve anything. When setting entries, do not try to resolve + a given address. When listing, display addresses in numeric form. + +These are : + + addb[locking] - add entry to blocking firewall. + delb[locking] - remove entry from blocking firewall. + addf[orwarding] - add entry to forwarding firewall. + delf[orwarding] - remove entry from forwarding firewall. + adda[ccounting] - add entry to accounting chain. + dela[ccounting] - remove entry from accounting chain. + +These are : + checkb[locking] - check packet against blocking firewall. + checkf[orwarding] - check packet against forwarding firewall. + +These are : + f[lush] - remove all entries in firewall/accounting chains. + l[ist] - show all entries in blocking/forwarding/accounting chains. + z[ero] - clear chain counters(for now accounting only). + p[olicy] - define default firewall policy. + + The build like this: + For forwarding/blocking chains: + d[eny] + a[ccept] + For accounting chain: + s[ingle] + b[idirectional] + + The is: + all|icmp from to + tcp|udp from [ports] to [ports] + + : + [/mask bits | :mask pattern] + [ports]: + [ port,port....|port:port] where name of service can be + used instead of port numeric value. 
+ +When entry added to chain and -v option used,entry added with +PRN flag set. + +The build exactly like . + + To l[ist] command may be passed: +f[orwarding]|b[locking]|a[ccounting] to list specific chain or none +to list all of them.Option -v causes output format to change so that +packet/bytes counters printed.Standart output format fully suitable +to be used as . + + To f[lush] command may be passed: +f[irewall]|a[ccounting] to remove all entries from forwarding/blocking +chains or from accounting chain.No arguments removes all chain entries. + + To z[ero] command no arguments needed,and all counters of accounting +chain zeroed. + + To p[olicy] command accepts a[ccept]|d[eny] to define default policy +as denial/accepting.Withno arguments current default policy displayed. + +.Sh EXAMPLES + + This command add entry which denies all tcp packets from +hacker.evil.org to telnet port of wolf.tambov.su from being +forwarded by the host: + ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet + + This one disallows any connection from entire hackers network +to my host: + ipfw addb deny all from 123.45.67.8/24 to my.host.org + + Here is useful usage of lt] command to see accounting records: + ipfw -v list accounting (or in short form ipfw -v l a ). + + Much more examples can be found in files: + /usr/share/misc/ipfw.samp.filters + /usr/share/misc/ipfw.samp.scripts + +.Sh SEE ALSO +ipfirewall(4),ipaccounting(4),reboot(1) + +.Sh BUGS + WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!! + This programm can put your computer in rather unusable state. +First time try using it from console and do *NOT* do anything +you don't understand. + Remember that "ipfw flush" can solve all the problemms. +Also take in your mind that "ipfw policy deny" combined with +some wrong chain entry(possible the only entry which designed +to deny some external packets) can close your computer from +outer world for good. 
+ Besides of misuse the only known bug is that entry added +with -v option set should be deleted with same option, +but there is no way to see this in list command. + +.Sh HISTORY + Initially this utility was written for BSDI by: + Daniel Boulet + The FreeBSD version is written completely by: + Ugen J.S.Antsilevich + while synopsis partially compatible with old one.
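Review bot: The sbin/ipfw/Makefile hunk only installs the two manual pages (MAN4/MAN8 and the MLINKS), yet the new ipfw.8 under EXAMPLES points readers at /usr/share/misc/ipfw.samp.filters and /usr/share/misc/ipfw.samp.scripts; nothing in this patch installs those files, so either add them to this Makefile or confirm another part of the tree does, otherwise the page references sample configurations that will not exist on an installed system.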
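Review bot: In ipfirewall.4, the DESCRIPTION sentence "If some chain is empty, every packet accepted by this chain no matter what default policy is" is a fail-open rule that belongs next to the IP_FW_POLICY text ("Deny value is 0, other values (default 1) is accept"), because as written a reader can conclude that "policy deny" plus "flush" leaves the host closed when it actually leaves it wide open; state explicitly that the default policy is only consulted when the chain has at least one entry. Two further corrections in the same hunk: the kvm_nlist() list has the descriptions swapped ("ip_fw_blk_chain - chain of forwarding entries." / "ip_fw_fwd_chain - chain of blocking entries."; by the names and the rest of the page blk is the blocking chain and fwd the forwarding chain), and the ports paragraph uses "ports[--n_src_p]", "ports[n_src_p+n_dst_p--]" and "ports[n_srcp++]" where plain index arithmetic is meant (ports[0] .. ports[n_src_p-1], ports[n_src_p] .. ports[n_src_p+n_dst_p-1], and ports[n_src_p] to ports[n_src_p+1] for a range). Minor: ".Dt IPFW(4)/IPACCT 4" is not a valid .Dt line (mdoc expects a title and a section, e.g. ".Dt IPFIREWALL 4"), and the EINVAL entry in DIAGNOSTICS repeats ip(4)'s option-buffer wording before the ip_fw structural error that this page actually reports.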
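Review bot: In ipfw.8 the BUGS paragraph ("entry added with -v option set should be deleted with same option, but there is no way to see this in list command") contradicts the earlier claim that the l[ist] output is "fully suitable to be used as" an entry specification: an operator who saves the list output and replays it cannot remove the PRN-flagged entries, so either have l[ist] (at least with -v) print the PRN flag or drop the "fully suitable" sentence until it does. Also under EXAMPLES, the rules use hostnames (hacker.evil.org, wolf.tambov.su, my.host.org), which means the rule is only as good as name resolution at insert time; since the page already documents -n ("do not resolve anything"), showing the examples with numeric addresses and -n would match the advice the page gives. Typo: "usage of lt] command" should read "usage of l[ist] command".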