.Dd February 24, 1996
.Dt IPFW 8 SMM
.Os FreeBSD
.Sh NAME
.Nm ipfw
.Nd controlling utility for IP firewall
.Sh SYNOPSIS
.Nm ipfw
.Ar file
.Nm ipfw
flush
.Nm ipfw
zero
.Oo
.Ar number
.Oc
.Nm ipfw
delete
.Ar number
.Nm ipfw
.Oo
.Fl atN
.Oc
list
.Nm ipfw
add
.Oo
.Ar number
.Oc
.Ar action
.Oo
log
.Oc
.Ar proto
from
.Ar src
to
.Ar dst
.Oo
via
.Ar name|ipno
.Oc
.Oo
.Ar options
.Oc
.Sh DESCRIPTION
If used as shown in the first synopsis line, the
.Ar file
will be read line by line and applied as arguments to the
.Nm ipfw
command.
.Pp
The ipfw code works by going through the rule-list for each packet,
in line-number order, until a matching rule terminates the search
(a matching
.Nm count
rule only updates its counters and the search goes on).
All rules have two counters associated with them, a packet count and
a byte count.
These counters are updated when a packet matches the rule.
.Pp
The rules are ordered by a ``line-number'' that is used to order and
delete rules.
If a rule is added without a number, it is put at the end, just before
the terminal ``policy-rule'', and numbered 100 higher than the previous
rule.
.Pp
One rule is always present:
.Bd -literal -offset center
65535 deny all from any to any
.Ed
This rule is the default policy, i.e. don't allow anything at all.
Your job in setting up rules is to modify this policy to match your
needs.
.Pp
The following options are available:
.Bl -tag -width flag
.It Fl a
While listing, show counter values. This option is the only way to see
accounting records.
.It Fl t
While listing, show the last match timestamp.
.It Fl N
Try to resolve addresses and service names in the output.
.El
.Pp
.Ar action :
.Bl -hang -offset flag -width 1234567890123456
.It Nm allow
Allow packets that match the rule.
The search terminates.
.It Nm pass
Same as allow.
.It Nm accept
Same as allow.
.It Nm count
Update counters for all packets that match the rule.
The search continues with the next rule.
.It Nm deny
Discard packets that match this rule.
The search terminates.
.It Nm reject
Discard packets that match this rule, and try to send an ICMP notice.
The search terminates.
.El
.Pp
When a packet matches a rule with the
.Nm log
keyword, a message will be printed on the console.
If the kernel was compiled with the
.Nm IP_FIREWALL_VERBOSE_LIMIT
option, then logging will cease after the number of packets
specified by the option are received for that particular
chain entry. Logging may then be re-enabled by clearing
the packet counter for that entry with the
.Nm zero
command.
.Pp
.Ar proto :
.Bl -hang -offset flag -width 1234567890123456
.It Nm ip
All packets match.
.It Nm all
All packets match.
.It Nm tcp
Only TCP packets match.
.It Nm udp
Only UDP packets match.
.It Nm icmp
Only ICMP packets match.
.El
.Pp
.Ar src
and
.Ar dst :
.Pp
.Bl -hang -offset flag
.It <address/mask> [ports]
.El
.Pp
The
.Em <address/mask>
may be specified as:
.Bl -hang -offset flag -width 1234567890123456
.It Nm any
Matches any ip number; equivalent to 0.0.0.0/0.
.It Ar ipno
An ipnumber of the form 1.2.3.4.
Only this exact ip number matches the rule.
.It Ar ipno/bits
An ipnumber with a mask width of the form 1.2.3.4/24.
In this case all ip numbers from 1.2.3.0 to 1.2.3.255 will match.
.It Ar ipno:mask
An ipnumber with a mask of the form 1.2.3.4:255.255.240.0.
In this case all ip numbers from 1.2.0.0 to 1.2.15.255 will match.
.El
.Pp
With the TCP and UDP
.Em protocols ,
an optional
.Em port
may be specified as:
.Pp
.Bl -hang -offset flag
.It Ns {port|port:port} Ns Op ,port Ns Op ,...
.El
.Pp
Service names (from
.Pa /etc/services )
may not be used instead of a numeric port value.
Also, note that a range may only be specified as the first value,
and the port list is limited to
.Nm IP_FW_MAX_PORTS
(as defined in /usr/src/sys/netinet/ip_fw.h)
ports.
.Pp
If ``via''
.Ar name
is specified, only packets received via or on their way out of an interface
matching
.Ar name
will match this rule.
.Pp
If ``via''
.Ar ipno
is specified, only packets received via or on their way out of an interface
having the address
.Ar ipno
will match this rule.
.Pp
.Ar options :
.Bl -hang -offset flag -width 1234567890123456
.It frag
Matches if the packet is a fragment and this is not the first fragment
of the datagram.
Such a fragment carries no transport header, so no port numbers or
TCP flags can be checked against it.
.It in
Matches if this packet was on the way in.
.It out
Matches if this packet was on the way out.
.It ipoptions Ar spec
Matches if the IP header contains the comma separated list of
options specified in
.Ar spec .
The supported IP options are:
.Nm ssrr
(strict source route),
.Nm lsrr
(loose source route),
.Nm rr
(record packet route), and
.Nm ts
(timestamp).
The absence of a particular option may be denoted
with a ``!''.
.It established
Matches packets that do not have the SYN bit set.
TCP packets only.
Note that under this definition the SYN/ACK reply to a connection
attempt, which still has the SYN bit set, does not match; the reply
direction needs a rule of its own.
.It setup
Matches packets that have the SYN bit set but no ACK bit.
TCP packets only.
.It tcpflags Ar spec
Matches if the TCP header contains the comma separated list of
flags specified in
.Ar spec .
The supported TCP flags are:
.Nm fin ,
.Nm syn ,
.Nm rst ,
.Nm psh ,
.Nm ack ,
and
.Nm urg .
The absence of a particular flag may be denoted
with a ``!''.
.It icmptypes Ar types
Matches if the ICMP type is in the list
.Ar types .
The list may be specified as any combination of ranges
or individual types separated by commas.
.El
.Sh CHECKLIST
Here are some important points to consider when designing your
rules:
.Bl -bullet -hang -offset flag -width 1234567890123456
.It
Remember that you filter both packets going in and out.
Most connections need packets going in both directions.
.It
Remember to test very carefully.
It is a good idea to be near the console when doing this.
.It
Don't forget the loopback interface.
.It
Don't filter
.Nm all
if you are also specifying a port.
Ports are only meaningful with the
.Nm tcp
and
.Nm udp
protocols.
.El
.Sh FINE POINTS
There is one kind of packet that the firewall will always discard,
that is an IP fragment with a fragment offset of one.
This is a valid packet, but it only has one use, to try to circumvent
firewalls: such a fragment starts eight bytes into the transport
header, so on reassembly it can overwrite the TCP flags (and the
rest of the header past the port numbers) that the filter already
inspected in the first fragment.
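.Pp
The following Python program is an added illustration written for this
page; it is not FreeBSD's ip_fw(4) code and not part of the original
manual. It parses the subset of the rule syntax described above (action,
log, proto, src and dst as any, ipno, ipno/bits or ipno:mask with TCP/UDP
port lists, and the in, out, frag, established and setup options; via,
ipoptions, tcpflags and icmptypes are not modelled, and log is accepted but
ignored) and walks a numbered chain the way the DESCRIPTION section
describes it: the first terminating match decides, count only updates
its counters, an unnumbered add lands 100 past the previous rule just
ahead of the fixed 65535 deny all policy rule, and a fragment at offset
one is always discarded. The demo() chain follows the CHECKLIST (loopback,
both directions, no ports on all) and is run over three constructed
packets: a new SSH session from 10.1.2.3 to 192.0.2.10, its SYN/ACK
reply, and a probe from outside. The addresses, the rule numbers, the
fixed 64-byte packet length and the treatment of later fragments (a rule
that needs ports or TCP flags cannot match a fragment that carries no
transport header) are assumptions of the model.

```python
"""Model of the ipfw(8) rule chain described on this page (added example, not FreeBSD's ip_fw code)."""
from types import SimpleNamespace
import ipaddress

POLICY_NUMBER = 65535                                    # the rule that is always present
ACTIONS = {"allow": "allow", "pass": "allow", "accept": "allow",
           "count": "count", "deny": "deny", "reject": "deny"}

def packet(proto, src, dst, sport=0, dport=0, direction="in", syn=False, ack=False, frag_offset=0):
    # A packet as the filter sees it; frag_offset 0 = unfragmented or first fragment (assumed model).
    return SimpleNamespace(proto=proto, src=ipaddress.ip_address(src), dst=ipaddress.ip_address(dst),
                           sport=sport, dport=dport, direction=direction, syn=syn, ack=ack,
                           frag_offset=frag_offset, length=64)      # fixed size, for the byte counter

def parse_addr(spec):                                    # any, ipno, ipno/bits or ipno:mask
    spec = "0.0.0.0/0" if spec == "any" else tuple(spec.split(":")) if ":" in spec else spec
    return ipaddress.IPv4Network(spec, strict=False)     # 1.2.3.4:255.255.240.0 -> 1.2.0.0/20

def parse_ports(spec):                                   # {port|port:port}[,port...]
    if any(":" in item for item in spec.split(",")[1:]):
        raise ValueError("a range may only be the first port value")
    pairs = [item.split(":") if ":" in item else (item, item) for item in spec.split(",")]
    return [(int(lo), int(hi)) for lo, hi in pairs]      # int() rejects service names, as ipfw does

def parse_endpoint(tok, i):                              # address, then an optional port list
    net, ports, i = parse_addr(tok[i]), [], i + 1
    if i < len(tok) and tok[i][0].isdigit():
        ports, i = parse_ports(tok[i]), i + 1
    return net, ports, i

def parse_rule(text):
    """'[number] action [log] proto from src [ports] to dst [ports] [options]'."""
    tok = text.split()
    number = int(tok.pop(0)) if tok[0].isdigit() else None
    head, rest = tok[:tok.index("from")], tok[tok.index("from") + 1:]   # index() raises without "from"
    proto = "all" if head[-1] == "ip" else head[-1]      # head = action [log] proto; log is not modelled
    src, sports, i = parse_endpoint(rest, 0)
    if rest[i] != "to":
        raise ValueError("expected 'to'")
    dst, dports, i = parse_endpoint(rest, i + 1)
    options = set(rest[i:])                              # via, ipoptions, tcpflags, icmptypes: not modelled
    if not options <= {"in", "out", "frag", "established", "setup"}:
        raise ValueError("unsupported option(s): %s" % sorted(options))
    if (sports or dports) and proto not in ("tcp", "udp"):   # the CHECKLIST's last point
        raise ValueError("ports only apply to tcp and udp, not %r" % proto)
    return SimpleNamespace(number=number, action=ACTIONS[head[0]], proto=proto, src=src, dst=dst,
                           sports=sports, dports=dports, options=options, packets=0, nbytes=0)

def matches(rule, pkt):
    o = rule.options
    if (rule.proto not in ("all", pkt.proto) or pkt.src not in rule.src or pkt.dst not in rule.dst
            or ("in" in o and pkt.direction != "in") or ("out" in o and pkt.direction != "out")):
        return False
    if ("frag" in o and not pkt.frag_offset) or (pkt.frag_offset and
            (rule.sports or rule.dports or o & {"established", "setup"})):
        return False                                     # later fragments carry no ports or TCP flags
    for ranges, port in ((rule.sports, pkt.sport), (rule.dports, pkt.dport)):
        if ranges and not any(lo <= port <= hi for lo, hi in ranges):
            return False
    if "established" in o and (pkt.proto != "tcp" or pkt.syn):
        return False                                     # as defined above: a SYN/ACK reply has SYN set
    if "setup" in o and (pkt.proto != "tcp" or not pkt.syn or pkt.ack):
        return False
    return True

class Chain:
    def __init__(self):
        self.rules = [parse_rule("65535 deny all from any to any")]   # always present

    def add(self, text):
        rule = parse_rule(text)
        if rule.number is None:                          # 100 past the previous rule, before 65535
            rule.number = (self.rules[-2].number if len(self.rules) > 1 else 0) + 100
        if not 0 < rule.number < POLICY_NUMBER:
            raise ValueError("rule number must be between 1 and 65534")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.number)
        return rule.number

    def check(self, pkt):
        if pkt.frag_offset == 1:                         # FINE POINTS: always discarded
            return "deny"
        for rule in self.rules:                          # first terminating match decides
            if matches(rule, pkt):
                rule.packets, rule.nbytes = rule.packets + 1, rule.nbytes + pkt.length
                if rule.action != "count":               # count only updates its counters
                    return rule.action

def demo():                                              # a chain built along the CHECKLIST
    chain = Chain()
    chain.add("allow all from 127.0.0.1 to 127.0.0.1")                 # 100: loopback
    chain.add("allow tcp from any to any established")                  # 200: data packets
    chain.add("allow tcp from 10.0.0.0/8 to 192.0.2.10 22 setup in")   # 300: new ssh from inside
    chain.add("allow tcp from 192.0.2.10 22 to 10.0.0.0/8 out")        # 400: the SYN/ACK reply
    chain.add("count all from any to any")                              # 500: accounting only
    pkts = [packet("tcp", "10.1.2.3", "192.0.2.10", 40000, 22, "in", syn=True),           # new session
            packet("tcp", "192.0.2.10", "10.1.2.3", 22, 40000, "out", syn=True, ack=True),  # its reply
            packet("tcp", "203.0.113.5", "192.0.2.10", 40001, 22, "in", syn=True)]        # outside probe
    return chain, [chain.check(p) for p in pkts]        # -> ['allow', 'allow', 'deny']
```

demo() returns the chain and the verdicts allow, allow, deny; the third
verdict comes from the policy rule after the count rule has recorded the
packet, which is what ipfw -a list would show afterwards. Remove rule 400
and the SYN/ACK reply is denied as well, because established as defined
above does not match a packet with the SYN bit set: this is the CHECKLIST's
point about filtering both directions. A later fragment of the allowed
session is likewise denied until a rule with the frag option admits it.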
.Pp
If you are logged in over a network, loading the LKM version of
.Nm
is probably not as straightforward as you would think: as soon as the
module is loaded, the policy rule 65535 denies everything, including
the packets of the session you are working from.
I recommend this command line:
.Bd -literal -offset center
modload /lkm/ipfw_mod.o && \e
ipfw add 32000 allow all from any to any
.Ed
Then add your real rules with numbers below 32000, and delete rule
32000 only once you have verified that they let your session through.
Along the same lines, doing an
.Bd -literal -offset center
ipfw flush
.Ed
in similar surroundings is also a bad idea: it removes every rule
except the policy rule, so the session it was issued from is cut off.
.Sh EXAMPLES
This command adds an entry which denies all tcp packets from
.Em hacker.evil.org
to the telnet port of
.Em wolf.tambov.su
from being forwarded by the host:
.Pp
.Dl ipfw add deny tcp from hacker.evil.org to wolf.tambov.su 23
.Pp
This one disallows any connection from the entire hackers network to
my host:
.Pp
.Dl ipfw add deny all from 123.45.67.0/24 to my.host.org
.Pp
Here is good usage of the list command to see accounting records
together with the last match timestamps:
.Pp
.Dl ipfw -at l
.Pp
or, for the accounting records only, in short form
.Pp
.Dl ipfw -a l
.Pp
.Sh SEE ALSO
.Xr gethostbyname 3 ,
.Xr getservbyport 3 ,
.Xr ip 4 ,
.Xr ipfirewall 4 ,
.Xr ipaccounting 4 ,
.Xr reboot 8 ,
.Xr syslogd 8
.Sh BUGS
.Pp
.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
.Pp
This program can put your computer in a rather unusable state. When
using it for the first time, work on the console of the computer, and
do
.Em NOT
do anything you don't understand.
.Pp
When manipulating/adding chain entries, service names are
not accepted.
.Sh HISTORY
Initially this utility was written for BSDI by:
.Pp
.Dl Daniel Boulet <danny@BouletFermat.ab.ca>
.Pp
The FreeBSD version is written completely by:
.Pp
.Dl Ugen J.S.Antsilevich <ugen@FreeBSD.ORG>
.Pp
This has all been extensively rearranged by Poul-Henning Kamp and
Alex Nash.