New man pages from Ugen. Delete my old, first attempt. I only hope
that the English in Ugen's two replacement pages is not too impenetrable! :-) [Note: Poul - please pull these into the BETA branch along with the other firewall changes]
Submitted by: ugen
parent
4f64b36cda
commit
c9a156d596
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=4541
@ -2,4 +2,8 @@ PROG= ipfw
|
|||||||
DPADD= ${LIBKVM}
|
DPADD= ${LIBKVM}
|
||||||
LDADD= -lkvm
|
LDADD= -lkvm
|
||||||
|
|
||||||
|
MAN4= ipfirewall.4
|
||||||
|
MLINKS= ipfirewall.4 ipacct.4 ipfirewall.4 ipfw.4 ipfirewall.4 ipaccounting.4
|
||||||
|
MAN8= ipfw.8
|
||||||
|
|
||||||
.include <bsd.prog.mk>
|
.include <bsd.prog.mk>
|
||||||
|
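Review bot: the MLINKS line installs an ipfw.4 alias for ipfirewall.4 while MAN8= ipfw.8 installs a separate ipfw(8), so `man ipfw` will return whichever section the man search order finds first. If the section 4 alias only exists so that cross references resolve, consider dropping `ipfirewall.4 ipfw.4` from MLINKS: ipfw.8's SEE ALSO refers to ipfirewall(4) and ipaccounting(4), not ipfw(4), and the remaining links (ipacct.4, ipaccounting.4) already cover every name listed in the page's NAME section.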
206
sbin/ipfw/ipfirewall.4
Normal file
@ -0,0 +1,206 @@
|
|||||||
|
.Dd November 16, 1994
|
||||||
|
.Dt IPFW(4)/IPACCT 4
|
||||||
|
.Os
|
||||||
|
.Sh NAME
|
||||||
|
|
||||||
|
ipfirewall,ipfw - IP packets filter.
|
||||||
|
ipaccounting,ipacct - IP packets/traffic accounting.
|
||||||
|
|
||||||
|
.Sh SYNOPSIS
|
||||||
|
#include <netinet/ip_fw.h>
|
||||||
|
|
||||||
|
setsockopt(raw_socket,IPPROTO_IP,<ipfw/ipacct option>,
|
||||||
|
<struct ip|struct ipfw>,<size>)
|
||||||
|
|
||||||
|
Ipfw options:
|
||||||
|
IP_FW_ADD_BLK - add entry to blocking chain.
|
||||||
|
IP_FW_ADD_FWD - add entry to forwarding chain.
|
||||||
|
IP_FW_CHK_BLK - check ip packet against blocking chain.
|
||||||
|
IP_FW_CHK_FWD - check ip packet against forwarding chain.
|
||||||
|
IP_FW_DEL_BLK - delete entry from blocking chain.
|
||||||
|
IP_FW_DEL_FWD - delete entry from forwarding chain.
|
||||||
|
IP_FW_FLUSH - flush all blocking & forwarding chain entries.
|
||||||
|
IP_FW_POLICY - define default ipfw policy.
|
||||||
|
|
||||||
|
Ipacct options:
|
||||||
|
IP_ACCT_ADD - add entry to accounting chain.
|
||||||
|
IP_ACCT_DEL - delete entry from accounting chain.
|
||||||
|
IP_ACCT_FLUSH - flush all accounting chain entries.
|
||||||
|
IP_ACCT_ZERO - zero all accounting chain entries.
|
||||||
|
|
||||||
|
Ipfw/ipacct entry structure:
|
||||||
|
#define IP_FW_MAX_PORTS 10
|
||||||
|
|
||||||
|
struct ip_fw {
|
||||||
|
struct ip_fw *next;
|
||||||
|
struct in_addr src, dst;
|
||||||
|
struct in_addr src_mask, dst_mask;
|
||||||
|
u_short flags;
|
||||||
|
u_short n_src_p, n_dst_p;
|
||||||
|
u_short ports[IP_FW_MAX_PORTS];
|
||||||
|
u_long p_cnt,b_cnt;
|
||||||
|
}
|
||||||
|
|
||||||
|
Flags values for "flags" field:
|
||||||
|
IP_FW_F_ALL - The entry should match all IP packets.
|
||||||
|
IP_FW_F_TCP - The entry should match TCP packets.
|
||||||
|
IP_FW_F_UDP - The entry should match UDP packets.
|
||||||
|
IP_FW_F_ICMP - The entry should match ICMP packets.
|
||||||
|
IP_FW_F_KIND - Mask value to separate protocol kind.
|
||||||
|
IP_FW_F_ACCEPT - This entry is accepting ( see below )
|
||||||
|
IP_FW_F_SRNG - Source ports are range ( see below )
|
||||||
|
IP_FW_F_DRNG - Destination ports are range ( see below )
|
||||||
|
IP_FW_F_PRN - Print this entry ( see below )
|
||||||
|
IP_FW_F_BIDIR - This acct entry is bidirectional ( see below )
|
||||||
|
IP_FW_F_MASK - Mask to match all valid flag bits.
|
||||||
|
|
||||||
|
Kernel symbols to kvm_nlist():
|
||||||
|
struct ip_fw *ip_fw_blk_chain - chain of forwarding entries.
|
||||||
|
struct ip_fw *ip_fw_fwd_chain - chain of blocking entries.
|
||||||
|
int ip_fw_policy - default policy.
|
||||||
|
struct ip_fw *ip_acct_chain - chain of accounting entries.
|
||||||
|
|
||||||
|
Options in the kernel configuration file:
|
||||||
|
IPFIREWALL - enable ipfirewall.
|
||||||
|
IPFIREWALL_VERBOSE - enable firewall output ( see below )
|
||||||
|
DEBUG_IPFIREWALL - enable extensive debugging output.
|
||||||
|
IPACCT - enable ipaccounting.
|
||||||
|
|
||||||
|
.Sh DESCRIPTION
|
||||||
|
Ipfirewall (later ipfw) is a system facility,which allows filtering
|
||||||
|
of incoming and/or forwarding packets on the protocol+source/destination
|
||||||
|
adress/ports base.
|
||||||
|
Ipaccounting (later ipacct) is a system facility,which allows counting
|
||||||
|
of incoming,outgoing and forwarding traffic by packet/byte count.
|
||||||
|
|
||||||
|
Basic idea is that every packet checked against number of entries
|
||||||
|
in several chains.There are 3 chains:
|
||||||
|
Blocking - this chain defines whenever packet should be accepted
|
||||||
|
ever for local delivery or for forwarding.
|
||||||
|
Forwarding - this chain defines whenever packet should be accepted
|
||||||
|
for forwarding only.
|
||||||
|
Accounting - this chain defines types of packets , which should be
|
||||||
|
counted.
|
||||||
|
|
||||||
|
Entries added to chains by means of setsockopt() call on RAW IP socket.
|
||||||
|
Options to add/remove specific entries or to flush all entries described
|
||||||
|
above. Value passed to setsockopt() is a value of struct ip_fw for
|
||||||
|
entry. If entry added , it checked by such rules that when we start
|
||||||
|
searching chain for matching entry the first matching is the best match,
|
||||||
|
[ or at least one of them :^) ].
|
||||||
|
That means:
|
||||||
|
* First in chain entries with specific protocol and small ranges
|
||||||
|
of src/dst adresses and ports.
|
||||||
|
* Later going entries with wider ranges of ports and adresses.
|
||||||
|
* Later entries matching every port for some adress range.
|
||||||
|
* Later universal entries matching any protocol.
|
||||||
|
|
||||||
|
While deleting entry , every entry which equal to that passed to
|
||||||
|
setsockopt() will be removed.
|
||||||
|
Flush removes all entries.
|
||||||
|
|
||||||
|
Every entry have several fields,by which packets matched:
|
||||||
|
struct ip_fw *next - next entry in chain.(Set internally)
|
||||||
|
|
||||||
|
struct in_addr src - source adress to be matched.
|
||||||
|
struct in_addr src_mask - source adress mask.
|
||||||
|
To match whole networks/subnets or adress groups
|
||||||
|
mask bits should be zeroed here and also
|
||||||
|
in src_mask field. Valuable bits should be set
|
||||||
|
in src_mask field.
|
||||||
|
struct in_addr dst - destination adress to be matched.
|
||||||
|
struct in_addr dst_mask - destination adress mask.
|
||||||
|
|
||||||
|
u_short flags - flags field.See exact description of flags meaning
|
||||||
|
in description later.
|
||||||
|
|
||||||
|
u_short n_src_p - number of source ports in "ports" array.
|
||||||
|
u_short n_dst_p - number of destination ports in "ports" array.
|
||||||
|
u_short ports[] - ports array.Overall length currently defined
|
||||||
|
to reasonable maximum - 10,and could be changed.
|
||||||
|
The packet's src port can ever match one of
|
||||||
|
ports[0] ... ports[--n_src_p] numbers,or if
|
||||||
|
flag IP_FW_F_SRNG set take port[0] as bottom
|
||||||
|
range value and ports[1] as top one.n_src_p should
|
||||||
|
be set to 2 then.If n_src_p equal to 0 , every port
|
||||||
|
match. The same rules apply to packet's dst port,
|
||||||
|
except that it matched against ports[n_src_p] ...
|
||||||
|
... ports[n_src_p+n_dst_p--],or if IP_FW_F_DRNG set,
|
||||||
|
range is ports[n_src_p] to ports[n_srcp++].
|
||||||
|
|
||||||
|
u_long p_cnt - packets count for ipacct entries.
|
||||||
|
u_long b_cnt - bytes count for ipacct entries.
|
||||||
|
|
||||||
|
Packet matching proceeds in following way:
|
||||||
|
|
||||||
|
a) If packet entry protocol set to ALL, see c).
|
||||||
|
|
||||||
|
b) If entry protocol set to TCP/UDP/ICMP and packet protocol
|
||||||
|
different - no match,if packet protocol and entry protocol
|
||||||
|
same - continue.
|
||||||
|
|
||||||
|
c) If source addres pattern does not equal to packets sources adress
|
||||||
|
masked with src_mask , or destination pattern not equal to packets
|
||||||
|
destination adress masked with dst_mask - no match.
|
||||||
|
If they does and protocol set to ALL/ICMP - got match.
|
||||||
|
If they does and protocol set to TCP/UDP - continue.
|
||||||
|
|
||||||
|
d) If src port doesn't match or dst port doesn't match - all
|
||||||
|
packet don't match. If they does - got match.
|
||||||
|
|
||||||
|
In ipfw packet matched consequently against every chain entry.
|
||||||
|
Search continues untill first matching entry found.If IP_FW_F_ACCEPT
|
||||||
|
flag set - packet accepted.If it is not set - packet denied.
|
||||||
|
If no matching entry found , all unmatched packets ever accepted or
|
||||||
|
denied depending on global polici value. It can be set with
|
||||||
|
IP_FW_POLICY raw socket option. Deny value is 0, other values
|
||||||
|
(default 1) is accept.
|
||||||
|
|
||||||
|
Entries can be added with IP_FW_F_PRN flag set.If kernel compiled
|
||||||
|
with IPFIREWALL_VERBOSE option,packets matching this entries will
|
||||||
|
be printed by kernel printf's.
|
||||||
|
|
||||||
|
If some chain is empty,every packet accepted by this chain no
|
||||||
|
matter what default policy is.
|
||||||
|
|
||||||
|
To check whenever or not packet denied by some chain , checking
|
||||||
|
options to setsockopt() can be issued. Then the argument is
|
||||||
|
a buffer representing ip packet,thus it has to be
|
||||||
|
struct ip + struct tcphdr .
|
||||||
|
Then setsockopt() return value 0 on accept or another on deny.
|
||||||
|
|
||||||
|
Ipaccounting entries added the same way as ipfw ones.Packet checked
|
||||||
|
against all entries in chain and values of p_cnt and b_cnt in matching
|
||||||
|
entries rised.p_cnt rises by 1 and b_cnt by ip_len value of ip packet.
|
||||||
|
Thus all traffic size counted including IP headers.
|
||||||
|
|
||||||
|
If IP_FW_F_BIDIR flag is set in accounting entry,packets counted are
|
||||||
|
those which match entry in standart way along with packets which match
|
||||||
|
entry while their source and destination addr/port pairs swapped.
|
||||||
|
|
||||||
|
Zero option allows all accounting to be cleared.
|
||||||
|
|
||||||
|
.Sh DIAGNOSTICS
|
||||||
|
|
||||||
|
[EINVAL] The IP option field was improperly formed; an option
|
||||||
|
field was shorter than the minimum value or longer than
|
||||||
|
the option buffer provided.An structural error in
|
||||||
|
ip_fw structure occured (n_src_p+n_dst_p too big,
|
||||||
|
ports set for ALL/ICMP protocols etc.)
|
||||||
|
|
||||||
|
.Sh SEE ALSO
|
||||||
|
|
||||||
|
ip(4), setsockopt(2), kvm_nlist(3), kvm_read(3)
|
||||||
|
|
||||||
|
.Sh BUGS
|
||||||
|
Ipfw/ipacct facilities are new and , although serious bugs has
|
||||||
|
been tracked,some less important ones expected.
|
||||||
|
This man page also uncomplete bad styled.
|
||||||
|
|
||||||
|
.Sh HISTORY
|
||||||
|
Ipfw facility has been intitially written as package to BSDI
|
||||||
|
by Daniel Boulet <danny@BouletFermat.ab.ca>.
|
||||||
|
It has been havily modified and ported to FreeBSD 2.0
|
||||||
|
by Ugen J.S.Antsilevich <ugen@NetVision.net.il>
|
||||||
|
Ipacct facility written for FreeBSD 2.0
|
||||||
|
by Ugen J.S.Antsilevich <ugen@NetVision.net.il>
|
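Review bot: the kvm_nlist() symbol descriptions are swapped. `struct ip_fw *ip_fw_blk_chain - chain of forwarding entries.` and `struct ip_fw *ip_fw_fwd_chain - chain of blocking entries.` should read blocking and forwarding respectively, otherwise anyone walking the chains with kvm_read(3) inspects the wrong one. Three smaller points in the same page: the title line `.Dt IPFW(4)/IPACCT 4` is not a valid mdoc name/section pair (the file is ipfirewall.4, so `.Dt IPFIREWALL 4`); the `struct ip_fw` listing is missing the semicolon after the closing `}`; and the port-range text `range is ports[n_src_p] to ports[n_srcp++]` (and `ports[0] ... ports[--n_src_p]` above it) uses C increment/decrement notation where plain index arithmetic is meant, so spell it out as ports[n_src_p] to ports[n_src_p+1] and ports[0] to ports[n_src_p-1]. Finally, `If some chain is empty,every packet accepted by this chain no matter what default policy is.` deserves an explicit warning rather than a passing mention: a deny policy set with IP_FW_POLICY gives no protection at all until at least one entry has been loaded into the chain.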
128
sbin/ipfw/ipfw.8
Normal file
@ -0,0 +1,128 @@
|
|||||||
|
.Dd November 16, 1994
|
||||||
|
.Dt IPFW 8
|
||||||
|
.Os
|
||||||
|
.Sh NAME
|
||||||
|
ipfw - controlling utility for ipfw/ipacct facilities.
|
||||||
|
|
||||||
|
.Sh SYNOPSIS
|
||||||
|
|
||||||
|
ipfw [-vn] <entry-action> <chain entry pattern>
|
||||||
|
ipfw [-vn] <check-action> <packet pattern>
|
||||||
|
ipfw [-vn] <chain-action> <chain[s] type>
|
||||||
|
|
||||||
|
.Sh DESCRIPTION
|
||||||
|
In the first synopsis form, the ipfw utility allows adding/removing of
|
||||||
|
entries of blocking/forwarding/accounting chains.
|
||||||
|
In the second synopsis form, the ipfw utility checks whenever a given
|
||||||
|
IP packet type is accepted or denied by a blocking/forwarding firewall.
|
||||||
|
In the third synopsis form, the ipfw utility allows global actions
|
||||||
|
on chain-zeroing of counters, and flushing or listing of chain entries
|
||||||
|
and their counter values.
|
||||||
|
|
||||||
|
The following options are available:
|
||||||
|
|
||||||
|
-v be verbose. The meaning of this option varies depending on ipfw
|
||||||
|
usage.
|
||||||
|
|
||||||
|
-n do not resolve anything. When setting entries, do not try to resolve
|
||||||
|
a given address. When listing, display addresses in numeric form.
|
||||||
|
|
||||||
|
These are <entry-actions>:
|
||||||
|
|
||||||
|
addb[locking] - add entry to blocking firewall.
|
||||||
|
delb[locking] - remove entry from blocking firewall.
|
||||||
|
addf[orwarding] - add entry to forwarding firewall.
|
||||||
|
delf[orwarding] - remove entry from forwarding firewall.
|
||||||
|
adda[ccounting] - add entry to accounting chain.
|
||||||
|
dela[ccounting] - remove entry from accounting chain.
|
||||||
|
|
||||||
|
These are <check-actions>:
|
||||||
|
checkb[locking] - check packet against blocking firewall.
|
||||||
|
checkf[orwarding] - check packet against forwarding firewall.
|
||||||
|
|
||||||
|
These are <chain-actions>:
|
||||||
|
f[lush] - remove all entries in firewall/accounting chains.
|
||||||
|
l[ist] - show all entries in blocking/forwarding/accounting chains.
|
||||||
|
z[ero] - clear chain counters(for now accounting only).
|
||||||
|
p[olicy] - define default firewall policy.
|
||||||
|
|
||||||
|
The <chain-entry pattern> build like this:
|
||||||
|
For forwarding/blocking chains:
|
||||||
|
d[eny] <proto/addr pattern>
|
||||||
|
a[ccept] <proto/addr pattern>
|
||||||
|
For accounting chain:
|
||||||
|
s[ingle] <proto/addr pattern>
|
||||||
|
b[idirectional] <proto/addr pattern>
|
||||||
|
|
||||||
|
The <proto/addr pattern> is:
|
||||||
|
all|icmp from <src addr/mask> to <dst addr/mask>
|
||||||
|
tcp|udp from <src addr/mask> [ports] to <dst addr/mask> [ports]
|
||||||
|
|
||||||
|
<src addr/mask>:
|
||||||
|
<INET IP addr | domain name> [/mask bits | :mask pattern]
|
||||||
|
[ports]:
|
||||||
|
[ port,port....|port:port] where name of service can be
|
||||||
|
used instead of port numeric value.
|
||||||
|
|
||||||
|
When entry added to chain and -v option used,entry added with
|
||||||
|
PRN flag set.
|
||||||
|
|
||||||
|
The <packet pattern> build exactly like <chain-entry pattern>.
|
||||||
|
|
||||||
|
To l[ist] command may be passed:
|
||||||
|
f[orwarding]|b[locking]|a[ccounting] to list specific chain or none
|
||||||
|
to list all of them.Option -v causes output format to change so that
|
||||||
|
packet/bytes counters printed.Standart output format fully suitable
|
||||||
|
to be used as <chain-entry pattern>.
|
||||||
|
|
||||||
|
To f[lush] command may be passed:
|
||||||
|
f[irewall]|a[ccounting] to remove all entries from forwarding/blocking
|
||||||
|
chains or from accounting chain.No arguments removes all chain entries.
|
||||||
|
|
||||||
|
To z[ero] command no arguments needed,and all counters of accounting
|
||||||
|
chain zeroed.
|
||||||
|
|
||||||
|
To p[olicy] command accepts a[ccept]|d[eny] to define default policy
|
||||||
|
as denial/accepting.Withno arguments current default policy displayed.
|
||||||
|
|
||||||
|
.Sh EXAMPLES
|
||||||
|
|
||||||
|
This command add entry which denies all tcp packets from
|
||||||
|
hacker.evil.org to telnet port of wolf.tambov.su from being
|
||||||
|
forwarded by the host:
|
||||||
|
ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet
|
||||||
|
|
||||||
|
This one disallows any connection from entire hackers network
|
||||||
|
to my host:
|
||||||
|
ipfw addb deny all from 123.45.67.8/24 to my.host.org
|
||||||
|
|
||||||
|
Here is useful usage of lt] command to see accounting records:
|
||||||
|
ipfw -v list accounting (or in short form ipfw -v l a ).
|
||||||
|
|
||||||
|
Much more examples can be found in files:
|
||||||
|
/usr/share/misc/ipfw.samp.filters
|
||||||
|
/usr/share/misc/ipfw.samp.scripts
|
||||||
|
|
||||||
|
.Sh SEE ALSO
|
||||||
|
ipfirewall(4),ipaccounting(4),reboot(1)
|
||||||
|
|
||||||
|
.Sh BUGS
|
||||||
|
WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
|
||||||
|
This programm can put your computer in rather unusable state.
|
||||||
|
First time try using it from console and do *NOT* do anything
|
||||||
|
you don't understand.
|
||||||
|
Remember that "ipfw flush" can solve all the problemms.
|
||||||
|
Also take in your mind that "ipfw policy deny" combined with
|
||||||
|
some wrong chain entry(possible the only entry which designed
|
||||||
|
to deny some external packets) can close your computer from
|
||||||
|
outer world for good.
|
||||||
|
Besides of misuse the only known bug is that entry added
|
||||||
|
with -v option set should be deleted with same option,
|
||||||
|
but there is no way to see this in list command.
|
||||||
|
|
||||||
|
.Sh HISTORY
|
||||||
|
Initially this utility was written for BSDI by:
|
||||||
|
Daniel Boulet <danny@BouletFermat.ab.ca>
|
||||||
|
The FreeBSD version is written completely by:
|
||||||
|
Ugen J.S.Antsilevich <ugen@NetVision.net.il>
|
||||||
|
while synopsis partially compatible with old one.
|
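Review bot: the one-letter chain selector `f` means different things to different commands: for l[ist] it is `f[orwarding]|b[locking]|a[ccounting]`, but for f[lush] it is `f[irewall]|a[ccounting]` and removes both the forwarding and the blocking chains. Document that difference next to f[lush], since `ipfw f f` typed by analogy with `ipfw l f` clears more than the user expects. Two other points: the DESCRIPTION claims `Standart output format fully suitable to be used as <chain-entry pattern>`, while the BUGS section says an entry added with -v must be deleted with -v and that the list output does not show this, so the claim should be qualified; and in EXAMPLES `Here is useful usage of lt] command` has lost the `l[ist]` spelling used everywhere else (likewise `Withno arguments`, `Standart`, `programm` and `problemms` elsewhere in the file).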