.Dd November 16, 1994
.Dt IPFW 8
.Os
.Sh NAME
ipfw - controlling utility for ipfw/ipacct facilities.
.Sh SYNOPSIS
ipfw [-n]
.Pp
ipfw [-ans]
.Sh DESCRIPTION
In the first synopsis form, the ipfw utility allows control of the firewall and accounting chains.
In the second synopsis form, the ipfw utility allows setting of global firewall/accounting properties and listing of chain contents.
.Pp
The following options are available:
.Bl -tag -width indent
.It Fl a
While listing, show counter values. This option is the only way to see accounting records. Works only with -s.
.It Fl n
Do not resolve anything. When setting entries, do not try to resolve a given address. When listing, display addresses in numeric form.
.It Fl s
Short listing form. By default the listing format is compatible with the ipfw input string format, so you can save listings to a file and then reuse them. With this option the list format is much shorter but incompatible with the ipfw syntax.
.El
.Pp
These are:
.Bl -tag -width indent
.It addf[irewall]
add an entry to the firewall chain.
.It delf[irewall]
remove an entry from the firewall chain.
.It adda[ccounting]
add an entry to the accounting chain.
.It dela[ccounting]
remove an entry from the accounting chain.
.It clr[accounting]
clear the counters for an accounting chain entry.
.El
.Pp
These are:
.Bl -tag -width indent
.It f[lush]
remove all entries in the firewall/accounting chains.
.It l[ist]
show all entries in the firewall/accounting chains.
.It z[ero]
clear chain counters (accounting only).
.It p[olicy]
set default policy properties.
.El
.Pp
This is structure:
.Pp
For forwarding/blocking chains:
.Bl -tag -width indent
.It lr[eject]
reject the packet, send ICMP unreachable and log.
.It r[eject]
reject the packet, send ICMP unreachable.
.It ld[eny]
reject the packet, log it.
.It d[eny]
reject the packet.
.It l[og]
allow the packet, log it.
.It a[ccept]
allow the packet.
.El
.Pp
For the accounting chain:
.Bl -tag -width indent
.It s[ingle]
log packets matching the entry.
.It b[idirectional]
log packets matching the entry and those going in the opposite direction (from entry "dst" to "src").
.El
.Pp
The is:
.Bd -literal
all|icmp from to [via ]
tcp[syn]|udp from [ports] to [ports] [via ]
.Ed
.Pp
.Bl -tag -width indent
.It all
matches any IP packet.
.It icmp, tcp and udp
packets for the corresponding protocols.
.El
.Bl -tag -width indent
.It tcpsyn
tcp SYN packets (which are used when initiating a connection).
.El
.Pp
The :
.Bd -literal
[/mask bits | :mask pattern]
.Ed
.Pp
Mask bits is a decimal number of bits set in the address mask.
The mask pattern has the form of an IP address and is logically AND'ed with the address given.
.Pp
[ports]:
.Bd -literal
[ port,port....|port:port]
.Ed
.Pp
The name of a service can be used instead of a numeric port value.
.Pp
The via is optional and may specify the IP address/domain name of a local IP interface, or an interface name (e.g. ed0), to match only packets coming through this interface.
The IP or name given is NOT checked, and a wrong IP value causes the entry to not match anything.
.Pp
To the l[ist] command may be passed
f[irewall] | a[ccounting]
to list a specific chain, or nothing to list all chains.
The long output format is compatible with the utility's input syntax.
.Pp
To the f[lush] command may be passed
f[irewall] | a[ccounting]
to remove all entries from the firewall or from the accounting chain.
Without arguments it removes all chain entries.
.Pp
The z[ero] command needs no arguments; it clears the counters for the whole accounting chain.
.Pp
The p[olicy] command can be given
a[ccept]|d[eny]
to set the default policy to accepting/denial.
Without arguments the current default policy is displayed.
.Sh EXAMPLES
This command adds an entry which denies all tcp packets from hacker.evil.org to the telnet port of wolf.tambov.su from being forwarded by the host:
.Bd -literal
ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet
.Ed
.Pp
This one disallows any connection from the entire hackers' network to my host:
.Bd -literal
ipfw addf deny all from to my.host.org
.Ed
.Pp
Here is a good usage of the list command to see accounting records:
.Bd -literal
ipfw -sa list accounting
.Ed
(or, in short form, ipfw -sa l a).
.Pp
Many more examples can be found in the file:
/usr/share/FAQ/ipfw.FAQ (missing for the moment)
.Sh SEE ALSO
ip(4), ipfirewall(4), ipaccounting(4), reboot(8)
.Sh BUGS
WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
.Pp
This program can put your computer in a rather unusable state.
The first time, try using it from the console and do *NOT* do anything you don't understand.
Remember that "ipfw flush" can solve all the problems.
Also keep in mind that "ipfw policy deny" combined with some wrong chain entry (possibly the only entry which was designed to deny some external packets) can close your computer off from the outer world for good.
.Sh HISTORY
Initially this utility was written for BSDI by:
Daniel Boulet
.Pp
The FreeBSD version is written completely by:
Ugen J.S.Antsilevich
while the synopsis is partially compatible with the old one.
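As an added example (not part of ipfw or this manual page), here is a Python parser and matcher for the entry syntax given in DESCRIPTION: the /mask-bits and :mask-pattern address forms, port lists and ranges, tcpsyn and via. It assumes numeric addresses and ports, as with -n, and the packets it tests are constructed sample values; the in-kernel chain evaluation is not shown.

```python
import ipaddress

# Added example, not ipfw's code: parse the entry syntax from DESCRIPTION and test
# constructed packets against it. Numeric addresses and ports only (as with -n).
def parse_addr(tok):
    # host[/maskbits | :maskpattern] -> (masked network, mask) as 32-bit ints
    if "/" in tok:                       # decimal count of mask bits
        host, bits = tok.split("/", 1)
        mask = int(ipaddress.IPv4Network("0.0.0.0/%d" % int(bits)).netmask)
    elif ":" in tok:                     # dotted mask pattern, AND'ed with the host
        host, pat = tok.split(":", 1)
        mask = int(ipaddress.IPv4Address(pat))
    else:                                # bare host: exact match
        host, mask = tok, 0xFFFFFFFF
    return int(ipaddress.IPv4Address(host)) & mask, mask

def parse_ports(tok):
    # port,port,... or lo:hi -> set of port numbers
    return {n for p in tok.split(",") for lo, _, hi in [p.partition(":")]
            for n in range(int(lo), int(hi or lo) + 1)}

def parse_entry(text):
    # proto from addr [ports] to addr [ports] [via iface]; only tcp/tcpsyn/udp take ports
    t = text.split()
    ported = t[0] in ("tcp", "tcpsyn", "udp")
    if t[0] not in ("all", "icmp", "tcp", "tcpsyn", "udp") or t[1] != "from" \
            or "to" not in t[3:5 if ported else 4]:
        raise ValueError("bad entry: " + text)
    j = t.index("to", 3)                 # source ports, if any, sit before 'to'
    rule = {"proto": t[0], "src": parse_addr(t[2]), "dst": parse_addr(t[j + 1]),
            "sports": parse_ports(t[3]) if j == 4 else None, "dports": None, "via": None}
    rest = t[j + 2:]
    if ported and rest and rest[0] != "via":
        rule["dports"], rest = parse_ports(rest[0]), rest[1:]
    if len(rest) == 2 and rest[0] == "via":
        rule["via"] = rest[1]
    return rule

def matches(rule, pkt):
    # pkt: dict with proto, src, dst and optional sport, dport, syn, iface
    if rule["proto"] != "all" and (pkt["proto"] != rule["proto"].replace("syn", "")
                                   or (rule["proto"] == "tcpsyn" and not pkt.get("syn"))):
        return False
    if any(int(ipaddress.IPv4Address(pkt[k])) & rule[k][1] != rule[k][0]
           for k in ("src", "dst")):     # entry mask applied to the packet address
        return False
    if any(a is not None and pkt.get(k) not in a
           for k, a in (("sport", rule["sports"]), ("dport", rule["dports"]))):
        return False
    return rule["via"] is None or pkt.get("iface") == rule["via"]
```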