.\"
.\" $FreeBSD$
.\"
.Dd June 22, 1997
.Dt IPFIREWALL 4
.Os
.Sh NAME
.Nm ipfirewall
.Nd IP packet filter and traffic accounting
.Sh SYNOPSIS
.Fd #include <sys/types.h>
.Fd #include <sys/queue.h>
.Fd #include <netinet/in.h>
.Fd #include <netinet/ip_fw.h>
.Ft int
.Fn setsockopt raw_socket IPPROTO_IP "ipfw option" "struct ip_fw" size
.Sh DESCRIPTION
Ipfirewall (also known as ipfw) is a system facility which allows filtering,
redirecting, and other operations on IP packets travelling through
system interfaces.
Packets are matched by applying an ordered list
of pattern rules against each packet until a match is found, at
which point the corresponding action is taken.
Rules are numbered
from 1 to 65534; multiple rules may share the same number.
.Pp
There is one rule that always exists, rule number 65535.
This rule
normally causes all packets to be dropped.
Hence, any packet which does not
match a lower-numbered rule will be dropped. However, a kernel compile
time option
.Dq IPFIREWALL_DEFAULT_TO_ACCEPT
allows the administrator to change this fixed rule to permit everything.
.Pp
The value passed to
.Fn setsockopt
is a struct ip_fw describing the rule (see below).
In some cases
(such as
.Dv IP_FW_DEL ) ,
only the rule number is significant.
.Ss Commands
The following socket options are used to manage the rule list:
.Bl -tag -width "IP_FW_FLUSH"
.It Dv IP_FW_ADD
inserts the rule into the rule list
.It Dv IP_FW_DEL
deletes all rules having the matching rule number
.It Dv IP_FW_GET
returns the (first) rule having the matching rule number
.It Dv IP_FW_ZERO
zeros the statistics associated with all rules having the
matching rule number.
If the rule number is zero, all rules are zeroed.
.It Dv IP_FW_FLUSH
removes all rules (except the fixed rule 65535).
.El
.Pp
When the kernel security level is greater than 2, only
.Dv IP_FW_GET
is allowed.
.Ss Rule Structure
Rules are described by the following structure:
.Bd -literal
/*
 * Interface selector used by a rule.  Which member applies is chosen by
 * the IP_FW_F_IIFNAME / IP_FW_F_OIFNAME bits in fw_flg: interface name
 * and unit when the bit is set, IP address otherwise.
 */
union ip_fw_if {
struct in_addr fu_via_ip; /* Specified by IP address */
struct { /* Specified by interface name */
#define FW_IFNLEN 6 /* To keep structure on 2^x boundary */
char name[FW_IFNLEN]; /* Driver name; a name of exactly FW_IFNLEN chars has no terminating NUL */
short unit; /* -1 means match any unit */
} fu_via_if;
};
/*
 * One ipfw rule, as passed to setsockopt(2) with the IP_FW_* options
 * and as returned by IP_FW_GET.  The IP_FW_F_* bits in fw_flg (defined
 * below) select the action and which match fields are consulted.
 */
struct ip_fw {
u_long fw_pcnt,fw_bcnt; /* Packet and byte counters (cleared by IP_FW_ZERO) */
struct in_addr fw_src, fw_dst; /* Source and destination IP addr */
struct in_addr fw_smsk, fw_dmsk;/* Mask for src and dest IP addr */
u_short fw_number; /* Rule number, 1..65534 (65535 is the fixed default rule) */
u_short fw_flg; /* Flags word: IP_FW_F_* bits defined below */
#define IP_FW_MAX_PORTS 10 /* A reasonable maximum */
u_short fw_pts[IP_FW_MAX_PORTS];/* Array of port numbers to match: src ports first, then dst ports (counts in fw_nports) */
u_char fw_ipopt,fw_ipnopt; /* IP options set/unset */
u_char fw_tcpf,fw_tcpnf; /* TCP flags set/unset */
#define IP_FW_ICMPTYPES_DIM (256 / (sizeof(unsigned) * 8))
unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap; only meaningful when IP_FW_F_ICMPBIT is set */
long timestamp; /* timestamp (tv_sec) of last match */
union ip_fw_if fw_in_if, fw_out_if;/* Incoming / outgoing interfaces (tested when IP_FW_F_IIFACE / IP_FW_F_OIFACE is set) */
union { /* Action argument; the meaningful member depends on the IP_FW_F_COMMAND bits */
u_short fu_divert_port; /* Divert/tee port */
u_short fu_skipto_rule; /* SKIPTO command rule number */
u_short fu_reject_code; /* REJECT response code: 0..255 = ICMP unreachable code, 256 = TCP reset (TCP only) */
} fw_un;
u_char fw_prot; /* IP protocol */
u_char fw_nports; /* N'of src ports and # of dst ports */
/* in ports array (dst ports follow */
/* src ports; max of 10 ports in all */
/* count of 0 means match all ports) */
};
/* Encoding of number of source/dest ports from "fw_nports" */
/*
 * The low nibble holds the source-port count and the high nibble the
 * destination-port count.  The SET macros do not mask n: a value above
 * 15 spills into the other nibble, so callers must keep each count (and
 * their sum) within IP_FW_MAX_PORTS; the kernel rejects oversized
 * totals with EINVAL.
 */

#define IP_FW_GETNSRCP(rule) ((rule)->fw_nports & 0x0f)
#define IP_FW_SETNSRCP(rule, n) do { \\
(rule)->fw_nports &= ~0x0f; \\
(rule)->fw_nports |= (n); \\
} while (0)
#define IP_FW_GETNDSTP(rule) ((rule)->fw_nports >> 4)
#define IP_FW_SETNDSTP(rule, n) do { \\
(rule)->fw_nports &= ~0xf0; \\
(rule)->fw_nports |= (n) << 4;\\
} while (0)
/* Flags values for "flags" field */
/* (the fw_flg word of struct ip_fw; IP_FW_F_MASK covers all of them) */

#define IP_FW_F_IN 0x0001 /* Check inbound packets */
#define IP_FW_F_OUT 0x0002 /* Check outbound packets */
#define IP_FW_F_IIFACE 0x0004 /* Apply inbound interface test */
#define IP_FW_F_OIFACE 0x0008 /* Apply outbound interface test */

/*
 * Rule action: (fw_flg & IP_FW_F_COMMAND) selects one of the values
 * below.  DENY is the all-zero encoding, so a rule whose command bits
 * were never set denies.  The value 0x0070 is not assigned here.
 */
#define IP_FW_F_COMMAND 0x0070 /* Mask for type of chain entry: */
#define IP_FW_F_DENY 0x0000 /* This is a deny rule */
#define IP_FW_F_REJECT 0x0010 /* Deny and send a response packet */
#define IP_FW_F_ACCEPT 0x0020 /* This is an accept rule */
#define IP_FW_F_COUNT 0x0030 /* This is a count rule */
#define IP_FW_F_DIVERT 0x0040 /* This is a divert rule */
#define IP_FW_F_TEE 0x0050 /* This is a tee rule */
#define IP_FW_F_SKIPTO 0x0060 /* This is a skipto rule */

/* Console logging requires IPFIREWALL_VERBOSE and is capped per rule by IPFIREWALL_VERBOSE_LIMIT */
#define IP_FW_F_PRN 0x0080 /* Print if this rule matches */

#define IP_FW_F_SRNG 0x0100 /* The first two src ports are a min *
* and max range (stored in host byte *
* order). */

#define IP_FW_F_DRNG 0x0200 /* The first two dst ports are a min *
* and max range (stored in host byte *
* order). */

/* When clear, the corresponding fw_in_if / fw_out_if member is an IP address */
#define IP_FW_F_IIFNAME 0x0400 /* In interface by name/unit (not IP) */
#define IP_FW_F_OIFNAME 0x0800 /* Out interface by name/unit (not IP) */

#define IP_FW_F_INVSRC 0x1000 /* Invert sense of src check */
#define IP_FW_F_INVDST 0x2000 /* Invert sense of dst check */

#define IP_FW_F_FRAG 0x4000 /* Fragment */

#define IP_FW_F_ICMPBIT 0x8000 /* ICMP type bitmap is valid */

#define IP_FW_F_MASK 0xFFFF /* All possible flag bits mask */
.Ed
.Ss Rule Actions
Each rule has an action described by the
.Dv IP_FW_F_COMMAND
bits in the
flags word:
.Bl -tag -width "IP_FW_F_DIVERT"
.It Dv IP_FW_F_DENY
drop packet
.It Dv IP_FW_F_REJECT
drop packet; send rejection via ICMP or TCP
.It Dv IP_FW_F_ACCEPT
accept packet
.It Dv IP_FW_F_COUNT
increment counters; continue matching
.It Dv IP_FW_F_DIVERT
divert packet to a
.Xr divert 4
socket
.It Dv IP_FW_F_TEE
copy packet to a
.Xr divert 4
socket; continue
.It Dv IP_FW_F_SKIPTO
skip to rule number
.Va fu_skipto_rule
.El
.Pp
In the case of
.Dv IP_FW_F_REJECT ,
if the
.Va fu_reject_code
is a number
from 0 to 255, then an ICMP unreachable packet is sent back to the
original packet's source IP address, with the corresponding code.
Otherwise, the value must be 256 and the protocol
.Dv IPPROTO_TCP ,
in which case a TCP reset packet is sent instead.
.Pp
With
.Dv IP_FW_F_SKIPTO ,
all subsequent rules having a rule number less
than
.Va fu_skipto_rule
are skipped.
.Ss Kernel Options
Options in the kernel configuration file:
.Bl -tag -width "optionsXIPFIREWALL_VERBOSE_LIMIT"
.It Cd options IPFIREWALL
enable
.Nm
.It Cd options IPFIREWALL_VERBOSE
enable firewall output
.It Cd options IPFIREWALL_VERBOSE_LIMIT
limit firewall output
.It Cd options IPDIVERT
enable
.Xr divert 4
sockets
.El
.Pp
When packets match a rule with the
.Dv IP_FW_F_PRN
bit set, a message
is logged to the console if
.Dv IPFIREWALL_VERBOSE
has been enabled;
.Dq IPFIREWALL_VERBOSE_LIMIT
limits the maximum number of times each
rule can cause a log message.
These variables are also
available via the
.Xr sysctl 3
interface.
.Sh RETURN VALUES
The
.Fn setsockopt
function returns 0 on success.
Otherwise, -1 is returned and the global variable
.Va errno
is set to indicate the error.
.Sh ERRORS
The
.Fn setsockopt
function will fail if:
.Bl -tag -width Er
.It Bq Er EINVAL
The IP option field was improperly formed;
an option field was shorter than the minimum value
or longer than the option buffer provided.
.It Bq Er EINVAL
A structural error in ip_fw structure occurred
(n_src_p+n_dst_p too big, ports set for ALL/ICMP protocols etc.).
.It Bq Er EINVAL
An invalid rule number was used.
.El
.Sh SEE ALSO
.Xr setsockopt 2 ,
.Xr divert 4 ,
.Xr ip 4 ,
.Xr ipfw 8 ,
.Xr sysctl 8 .
.Sh BUGS
The ``tee'' rule is not yet implemented (currently it has no effect).
.Pp
This man page still needs work.
.Sh HISTORY
The ipfw facility was initially written as a package for BSDI
by
.An Daniel Boulet
.Aq danny@BouletFermat.ab.ca .
It has been heavily modified and ported to
.Fx
by
.An Ugen J.S.Antsilevich
.Aq ugen@NetVision.net.il .
.Pp
Several enhancements added by
.An Archie Cobbs
.Aq archie@whistle.com .