491 lines
11 KiB
Groff
491 lines
11 KiB
Groff
.Dd February 24, 1996
|
|
.Dt IPFW 8 SMM
|
|
.Os FreeBSD
|
|
.Sh NAME
|
|
.Nm ipfw
|
|
.Nd controlling utility for IP firewall
|
|
.Sh SYNOPSIS
|
|
.Nm ipfw
|
|
.Ar file
|
|
.Nm ipfw
|
|
flush
|
|
.Nm ipfw
|
|
zero
|
|
.Nm ipfw
|
|
delete
|
|
.Ar number
|
|
.Nm ipfw
|
|
.Oo
|
|
.Fl aN
|
|
.Oc
|
|
list
|
|
.Nm ipfw
|
|
add
|
|
.Oo
|
|
.Ar number
|
|
.Oc
|
|
.Ar action
|
|
.Oo
|
|
log
|
|
.Oc
|
|
.Ar proto
|
|
from
|
|
.Ar src
|
|
to
|
|
.Ar dst
|
|
.Oo
|
|
via
|
|
.Ar name|ipno
|
|
.Oc
|
|
.Oo
|
|
.Ar options
|
|
.Oc
|
|
.Sh DESCRIPTION
|
|
If used as shown in the first synopsis line, the
|
|
.Ar file
|
|
will be read line by line and applied as arguments to the
|
|
.Nm ipfw
|
|
command.
|
|
.Pp
|
|
The ipfw code works by going through the rule-list for each packet,
|
|
until a match is found.
|
|
All rules have two counters associated with them, a packet count and
|
|
a byte count.
|
|
These counters are updated when a packet matches the rule.
|
|
.Pp
|
|
The rules are ordered by a ``line-number'' that is used to order and
|
|
delete rules.
|
|
If a rule is added without a number, it is put at the end, just before
|
|
the terminal ``policy-rule'', and numbered 100 higher than the previous
|
|
rule.
|
|
.Pp
|
|
One rule is always present:
|
|
.Bd -literal -offset center
|
|
65535 deny all from any to any
|
|
.Ed
|
|
|
|
this is rule is the default policy, ie. don't allow anything at all.
|
|
Your job in setting up rules is to modify this policy to match your
|
|
needs.
|
|
.Pp
|
|
The following options are available:
|
|
.Bl -tag -width flag
|
|
.It Fl a
|
|
While listing, show counter values. This option is the only way to see
|
|
accounting records.
|
|
.It Fl N
|
|
Try to resolve addresses.
|
|
.El
|
|
.Pp
|
|
.Ar action :
|
|
.Bl -hang -offset flag -width 1234567890123456
|
|
.It Nm accept
|
|
Accept packets that match rule.
|
|
The search terminates.
|
|
.It Nm pass
|
|
same as accept.
|
|
.It Nm count
|
|
update counters for all packets that match rule.
|
|
The search continues with next rule.
|
|
.It Nm deny
|
|
Discard packets that match this rule.
|
|
The search terminates.
|
|
.It Nm reject
|
|
Discard packets that match this rule, try to send ICMP notice.
|
|
The search terminates.
|
|
.El
|
|
.Pp
|
|
When a packet matches a rule with the
|
|
.Nm log
|
|
keyword, a message will be printed on the console.
|
|
.Pp
|
|
.Ar proto :
|
|
.Bl -hang -offset flag -width 1234567890123456
|
|
.It Nm ip
|
|
All packets match.
|
|
.It Nm all
|
|
All packets match.
|
|
.It Nm tcp
|
|
Only TCP packets match.
|
|
.It Nm udp
|
|
Only UDP packets match.
|
|
.It Nm icmp
|
|
Only ICMP packets match.
|
|
.El
|
|
.Pp
|
|
.Ar src
|
|
and
|
|
.Ar dst :
|
|
.Bl -hang -offset flag -width 1234567890123456
|
|
.It Ar ipno
|
|
An ipnumber of the form 1.2.3.4.
|
|
Only this exact ip number match the rule.
|
|
.It Ar ipno/bits
|
|
An ipnumber with a mask width of the form 1.2.3.4/24.
|
|
In this case all ip numbers from 1.2.3.0 to 1.2.3.255 will match.
|
|
.It Ar ipno:mask
|
|
An ipnumber with a mask width of the form 1.2.3.4:255.255.240.0
|
|
In this case all ip numbers from 1.2.0.0 to 1.2.15.255 will match.
|
|
.El
|
|
.Pp
|
|
If ``via''
|
|
.Ar name
|
|
is specified, only packets received via or on their way out of an interface
|
|
matching
|
|
.Ar name
|
|
will match this rule.
|
|
.Pp
|
|
If ``via''
|
|
.Ar ipno
|
|
is specified, only packets received via or on their way out of an interface
|
|
having the address
|
|
.Ar ipno
|
|
will match this rule.
|
|
.Pp
|
|
.Ar options :
|
|
.Bl -hang -offset flag -width 1234567890123456
|
|
.It frag
|
|
Matches is the packet is a fragment and this is not the first fragment
|
|
of the datagram.
|
|
.It in
|
|
Matches if this packet was on the way in.
|
|
.It out
|
|
Matches if this packet was on the way out.
|
|
.It ipoptions Ar spec
|
|
Not yet documented. Look in the source: src/sys/netnet/ipfw.c.
|
|
.It established
|
|
Matches packets that do not have the SYN bit set.
|
|
TCP packets only.
|
|
.It setup
|
|
Matches packets that have the SYN bit set but no ACK bit.
|
|
TCP packets only.
|
|
.It tcpflags Ar spec
|
|
Not yet documented. Look in the source: src/sys/netnet/ipfw.c.
|
|
TCP packets only.
|
|
.El
|
|
.Sh CHECKLIST
|
|
Here are some important points to consider when designing your
|
|
rules:
|
|
.Bl -bullet -hang -offset flag -width 1234567890123456
|
|
.It
|
|
Remember that you filter both packets going in and out.
|
|
Most connections needs packets going in both directions.
|
|
.It
|
|
Remember to test very carefully.
|
|
It is a good idea to be near the console when doint this.
|
|
.It
|
|
Don't forget the loopback interface.
|
|
.El
|
|
.Sh FINE POINTS
|
|
There is one kind of packet that the firewall will always discard,
|
|
that is an IP fragment with a fragment offset of one.
|
|
This is a valid packet, but it only has one use, to try to circumvent
|
|
firewalls.
|
|
.Pp
|
|
If you are logged in over a network, loading the LKM version of
|
|
.Nm
|
|
is probably not as straightforward as you would think.
|
|
I recommend this command line:
|
|
.Bd -literal -offset center
|
|
modload /lkm/ipfw_mod.o && \e
|
|
ipfw add 32000 allow all from any to any
|
|
.Ed
|
|
|
|
Along the same lines, doing a
|
|
.Bd -literal -offset center
|
|
ipfw flush
|
|
.Ed
|
|
|
|
in similar surroundings is also a bad idea.
|
|
.Sh WARNING
|
|
This manual page is out of date beyond this point!
|
|
It is left here until some new text can be written.
|
|
.Sh OLD
|
|
In the first synopsis form,
|
|
.Nm
|
|
controls the firewall and accounting chains. In the second
|
|
synopsis form,
|
|
.Nm
|
|
sets the global firewall / accounting properties and
|
|
show the chain list's contents.
|
|
.Pp
|
|
.Pp
|
|
These are the valid
|
|
.Ar entry_actions :
|
|
.Bl -hang -offset flag -width 1234567890123456
|
|
.It Nm addf[irewall]
|
|
add entry to firewall chain.
|
|
.It Nm delf[irewall]
|
|
remove entry from firewall chain.
|
|
.It Nm adda[ccounting]
|
|
add entry to accounting chain.
|
|
.It Nm dela[ccounting]
|
|
remove entry from accounting chain.
|
|
.It Nm clr[accounting]
|
|
clear counters for accounting chain entry.
|
|
.El
|
|
.Pp
|
|
If no
|
|
.Ar entry_action
|
|
is specified, it will default to
|
|
.Nm addf[irewall]
|
|
or
|
|
.Nm adda[ccounting] ,
|
|
depending on the
|
|
.Ar chain_entry_pattern
|
|
specified.
|
|
.Pp
|
|
The valid
|
|
.Ar chain_actions
|
|
are:
|
|
.Bl -hang -offset flag -width 123456789
|
|
.It Nm f[lush]
|
|
remove all entries in firewall / accounting chains.
|
|
.It Nm l[ist]
|
|
display all entries in firewall / accounting chains.
|
|
.It Nm z[ero]
|
|
clear chain counters (accounting only).
|
|
.It Nm p[olicy]
|
|
set default policy properties.
|
|
.El
|
|
.Pp
|
|
The
|
|
.Ar chain_entry_pattern
|
|
structure is:
|
|
.Pp
|
|
.Dl [keyword] [protocol] [address pattern]
|
|
.Pp
|
|
For the firewall chain, valid
|
|
.Em keywords
|
|
are:
|
|
.Bl -hang -offset flag -width 12345678
|
|
.It Nm reject
|
|
Reject the packet, and send an
|
|
.Tn ICMP HOST_UNREACHABLE
|
|
packet to the source.
|
|
.It Nm lreject
|
|
The same as
|
|
.Nm reject ,
|
|
but also log the packets details.
|
|
.It Nm deny
|
|
Reject the packet.
|
|
.It Nm ldeny
|
|
The same as
|
|
.Nm deny ,
|
|
but also log the packets details.
|
|
.It Nm log
|
|
Accept the packet, and log it.
|
|
.It Nm accept
|
|
Accept the packet (obviously).
|
|
.It Nm pass
|
|
A synonym for accept.
|
|
.El
|
|
|
|
.Pp
|
|
For the accounting chain, valid
|
|
.Em keywords
|
|
are:
|
|
.Bl -tag -width flag
|
|
.It Nm single
|
|
Log packets matching entry.
|
|
.It Nm bidirectional
|
|
Log packets matching entry and also those going in the
|
|
opposite direction (from
|
|
.Dq dst
|
|
to
|
|
.Dq src ) .
|
|
.El
|
|
.Pp
|
|
Each keyword will be recognized by the shortest unambiguous prefix.
|
|
.Pp
|
|
Recognized
|
|
.Em protocols
|
|
are:
|
|
.Bl -hang -offset flag -width 123456
|
|
.It Nm all
|
|
Matches any IP packet.
|
|
.It Nm icmp
|
|
Matches ICMP packets.
|
|
.It Nm tcp
|
|
Matches TCP packets.
|
|
.It Nm udp
|
|
Matches UDP packets.
|
|
.It Nm syn
|
|
Matches the TCP SYN packet used in initiating a TCP connection. It
|
|
does not match the packet returned from a destination machine which
|
|
has the SYN and ACK bits set.
|
|
.El
|
|
.Pp
|
|
The
|
|
.Em address pattern
|
|
is:
|
|
.Pp
|
|
.Dl from <address/mask>[ports] to <address/mask][ports] [via <interface>]
|
|
.Pp
|
|
You can only specify
|
|
.Em ports
|
|
with
|
|
.Em protocols
|
|
which actually have ports (TCP, UDP and SYN).
|
|
.Pp
|
|
The order of
|
|
.Sq from/to/via
|
|
keywords is unimportant. You can skip any of them, which will be
|
|
then substituted by default entry matching any
|
|
.Sq from/to/via
|
|
packet kind.
|
|
.Pp
|
|
The
|
|
.Em <address/mask>
|
|
is defined as:
|
|
.Pp
|
|
.Dl <address|name>[/mask_bits|:mask_pattern]
|
|
.Pp
|
|
.Em mask bits
|
|
is the decimal number of bits set in the address mask.
|
|
.Em mask pattern
|
|
has the form of an IP address to be AND'ed logically with the address
|
|
given. The keyword
|
|
.Em any
|
|
can be used to specify
|
|
.Dq any IP .
|
|
The IP address or name given is
|
|
.Em NOT
|
|
checked, and the wrong value
|
|
causes the entry to not match anything.
|
|
.Pp
|
|
The
|
|
.Em ports
|
|
to be blocked are specified as:
|
|
.Dl Ns port Ns Op ,port Ns Op ,...
|
|
or:
|
|
.Dl port:port
|
|
.Pp
|
|
to specify a range of ports. The name of a service (from
|
|
.Pa /etc/services )
|
|
can be used instead of
|
|
a numeric port value.
|
|
.Pp
|
|
The
|
|
.Em via <interface>
|
|
entry is optional and may specify IP address/domain name of local IP
|
|
interface, or interface name (e.g.
|
|
.Em ed0 )
|
|
to match only packets coming
|
|
through this interface. The keyword
|
|
.Em via
|
|
can be substituted by
|
|
.Em on ,
|
|
for readability reasons.
|
|
.Pp
|
|
The
|
|
.Em l[ist]
|
|
command may be passed:
|
|
.Pp
|
|
.Dl f[irewall] | a[ccounting]
|
|
.Pp
|
|
to list specific chain or none to list all of chains. The long output
|
|
format (default) is compatible with the syntax used by the
|
|
.Nm
|
|
utility.
|
|
.Pp
|
|
The
|
|
.Em f[lush]
|
|
command may be passed:
|
|
.Pp
|
|
.Dl f[irewall] | a[ccounting]
|
|
.Pp
|
|
to remove all entries from firewall or from accounting chain. Without
|
|
an argument it will remove all entries from both chains.
|
|
.Pp
|
|
The
|
|
.Em z[ero]
|
|
command needs no arguments. This command clears all counters for the
|
|
entire accounting chain.
|
|
.Pp
|
|
The
|
|
.Em p[olicy]
|
|
command can be given
|
|
.Pp
|
|
.Dl a[ccept] | d[eny]
|
|
.Pp
|
|
to set default policy as denial/acceptance. Without an argument, the
|
|
current policy status is displayed.
|
|
.Sh EXAMPLES
|
|
This command adds an entry which denies all tcp packets from
|
|
.Em hacker.evil.org
|
|
to the telnet port of
|
|
.Em wolf.tambov.su
|
|
from being forwarded by the host:
|
|
.Pp
|
|
.Dl ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet
|
|
.Pp
|
|
This one disallows any connection from the entire hackers network to
|
|
my host:
|
|
.Pp
|
|
.Dl ipfw addf deny all from 123.45.67.0/24 to my.host.org
|
|
.Pp
|
|
Here is good usage of list command to see accounting records:
|
|
.Pp
|
|
.Dl ipfw -sa list accounting
|
|
.Pp
|
|
or in short form
|
|
.Pp
|
|
.Dl ipfw -sa l a
|
|
.Pp
|
|
Many more examples can be found in the file:
|
|
.Dl Pa /usr/share/FAQ/ipfw.FAQ
|
|
(missing for the moment)
|
|
.Sh SEE ALSO
|
|
.Xr gethostbyname 3 ,
|
|
.Xr getservbyport 3 ,
|
|
.Xr ip 4 ,
|
|
.Xr ipfirewall 4 ,
|
|
.Xr ipaccounting 4 ,
|
|
.Xr reboot 8 ,
|
|
.Xr syslogd 8
|
|
.Sh BUGS
|
|
Currently there is no method for filtering out specific types of ICMP
|
|
packets. Either you don't filter ICMP at all, or all ICMP packets are
|
|
filtered.
|
|
.Pp
|
|
The system has an optional rule weighting system for the firewall chain.
|
|
This means that rules are not used in the order that they are specified.
|
|
To enable this feature, you need to recompile your kernel, see the
|
|
.I LINT
|
|
configuration for details.
|
|
In general you do not want that.
|
|
.Pp
|
|
To see what rule ordering is used, use the
|
|
.Em list
|
|
command.
|
|
.Pp
|
|
.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
|
|
.Pp
|
|
This program can put your computer in rather unusable state. When
|
|
using it for the first time, work on the console of the computer, and
|
|
do
|
|
.Em NOT
|
|
do anything you don't understand.
|
|
.Pp
|
|
Remember that
|
|
.Dq ipfw flush
|
|
can solve all the problems. Bear in mind that
|
|
.Dq ipfw policy deny
|
|
combined with some wrong chain entry (possible the only entry, which
|
|
is designed to deny some external packets), can close your computer
|
|
from the outer world for good (or at least until you can get to the
|
|
console).
|
|
.Sh HISTORY
|
|
Initially this utility was written for BSDI by:
|
|
.Pp
|
|
.Dl Daniel Boulet <danny@BouletFermat.ab.ca>
|
|
.Pp
|
|
The FreeBSD version is written completely by:
|
|
.Pp
|
|
.Dl Ugen J.S.Antsilevich <ugen@FreeBSD.ORG>
|
|
.Pp
|
|
while the synopsis is partially compatible with the old one.
|
|
.Pp
|
|
This has all been extensively rearranged by Poul-Henning Kamp.
|