freebsd-nq/sbin/ipfw/ipfw.8
Gary Palmer 38a98b2254 Correct minor nit - to filter out SYN packets, the keyword is
`syn' not `tcpsyn' (which matches `tcp' which blocks all tcp
packets)
1995-08-31 21:12:05 +00:00

142 lines
5.6 KiB
Groff

.Dd November 16, 1994
.Dt IPFW 8
.Os
.Sh NAME
ipfw - controlling utility for ipfw/ipacct facilities.
.Sh SYNOPSIS
ipfw [-n] <entry-action> <chain entry pattern>
ipfw [-ans] <chain-action> <chain[s] type>
.Sh DESCRIPTION
In the first synopsis form, the ipfw utility allows control of firewall
and accounting chains.
In the second synopsis form, the ipfw utility allows setting of global
firewall/accounting properties and listing of chain contents.
The following options are available:
-a While listing,show counter values-this option is the only way to
see accounting records.Works only with -s.
-n Do not resolve anything. When setting entries, do not try to resolve
a given address. When listing, display addresses in numeric form.
-s Short listing form.By default listing format is compatible with ipfw
input string format,so you can save listings to file and then reuse
them. With this option list format is much more short but
incompatible with ipfw syntacs.
These are <entry-actions>:
addf[irewall] - add entry to firewall chain.
delf[irewall] - remove entry from firewall chain.
adda[ccounting] - add entry to accounting chain.
dela[ccounting] - remove entry from accounting chain.
clr[accounting] - clear counters for accounting chain entry.
If no <entry-action> specified,default addf[irewall] or add[accounting]
will be used,depending on <chain-entry pattern> specified.
These are <chain-actions>:
f[lush] - remove all entries in firewall/accounting chains.
l[ist] - show all entries in firewall/accounting chains.
z[ero] - clear chain counters(accounting only).
p[olicy] - set default policy properties.
This is <chain-entry pattern> structure:
For forwarding/blocking chains:
lreject <proto/addr pattern> reject packet,send ICMP unreachable and log.
reject <proto/addr pattern> reject packet,send ICMP unreachable.
ldeny <proto/addr pattern> reject packet,log it.
deny <proto/addr pattern> reject packet.
log <proto/addr pattern> allow packet,log it.
accept <proto/addr pattern> allow packet.
pass <proto/addr pattern> allow packet.
For accounting chain:
single <proto/addr pattern> log packets matching entry.
bidirectional <proto/addr pattern> log packets matching entry and
those going in opposite direction (from entry
"dst" to "src").
Each keyword will be recognized by the shortest unambigious prefix.
The <proto/addr pattern> is:
all|icmp from <src addr/mask> to <dst addr/mask> [via <via>]
tcp[syn]|udp from <src addr/mask>[ports] to <dst addr/mask>[ports][via <via>]
all matches any IP packet.
icmp,tcp and udp - packets for corresponding protocols.
syn - tcp SYN packets (which used when initiating connection).
The order of from/to/via keywords is unimportant.You can skip any
of them,which will be then substituted by default entry matching
any from/to/via packet kind.
The <src addr/mask>:
<INET IP addr | domain name> [/mask bits | :mask pattern]
Mask bits is a decimal number of bits set in the address mask.
Mask pattern has form of IP address and AND'ed logically with address given.
Keyword "any" can be used to specify 'any IP'.
[ports]: [ port,port....|port:port]
Name of service can be used instead of port numeric value.
The via <via> is optional and may specify IP address/domain name of local
IP interface, or interface name (e.g. ed0) to match only packets coming
through this interface.The IP or name given is NOT checked, and wrong
value of IP causes entry to not match anything.
Keyword 'via' can be substituted by 'on',for readability reasons.
To l[ist] command may be passed:
f[irewall] | a[ccounting] to list specific chain or none to list
all of chains.Long output format compatible with utility input syntacs.
To f[lush] command may be passed:
f[irewall] | a[ccounting] to remove all entries from firewall or
from accounting chain.Without arguments removes all chain entries.
To z[ero] command no arguments needed,this command clears counters for
whole accounting chain.
The p[olicy] command can be given a[ccept]|d[eny] to set default policy
as denial/accepting.Without arguments current default policy displayed.
.Sh EXAMPLES
This command add entry which denies all tcp packets from
hacker.evil.org to telnet port of wolf.tambov.su from being
forwarded by the host:
ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet
This one disallows any connection from entire hackers network
to my host:
ipfw addf deny all from 123.45.67.8/24 to my.host.org
Here is good usage of list command to see accounting records:
ipfw -sa list accounting (or in short form ipfw -sa l a ).
Much more examples can be found in files:
/usr/share/FAQ/ipfw.FAQ (missing for the moment)
.Sh SEE ALSO
ip(4),ipfirewall(4),ipaccounting(4),reboot(8)
.Sh BUGS
WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
This programm can put your computer in rather unusable state.
First time try using it from console and do *NOT* do anything
you don't understand.
Remember that "ipfw flush" can solve all the problemms.
Also take in your mind that "ipfw policy deny" combined with
some wrong chain entry(possible the only entry which designed
to deny some external packets), can close your computer from
outer world for good.
.Sh HISTORY
Initially this utility was written for BSDI by:
Daniel Boulet <danny@BouletFermat.ab.ca>
The FreeBSD version is written completely by:
Ugen J.S.Antsilevich <ugen@NetVision.net.il>
while synopsis partially compatible with old one.