38a98b2254
`syn' not `tcpsyn' (which matches `tcp' which blocks all tcp packets)
142 lines
5.6 KiB
Groff
.Dd November 16, 1994
.Dt IPFW 8
.Os
.Sh NAME
ipfw - controlling utility for ipfw/ipacct facilities.

.Sh SYNOPSIS

ipfw [-n] <entry-action> <chain entry pattern>
ipfw [-ans] <chain-action> <chain[s] type>

.Sh DESCRIPTION
In the first synopsis form, the ipfw utility allows control of firewall
and accounting chains.
In the second synopsis form, the ipfw utility allows setting of global
firewall/accounting properties and listing of chain contents.

The following options are available:

-a While listing, show counter values. This option is the only way to
see accounting records. Works only with -s.

-n Do not resolve anything. When setting entries, do not try to resolve
a given address. When listing, display addresses in numeric form.

-s Short listing form. By default the listing format is compatible with the ipfw
input string format, so you can save listings to a file and then reuse
them. With this option the list format is much shorter but
incompatible with ipfw syntax.

These are <entry-actions>:

addf[irewall] - add entry to firewall chain.
delf[irewall] - remove entry from firewall chain.
adda[ccounting] - add entry to accounting chain.
dela[ccounting] - remove entry from accounting chain.
clr[accounting] - clear counters for accounting chain entry.

If no <entry-action> is specified, the default addf[irewall] or adda[ccounting]
will be used, depending on the <chain-entry pattern> specified.

These are <chain-actions>:
f[lush] - remove all entries in firewall/accounting chains.
l[ist] - show all entries in firewall/accounting chains.
z[ero] - clear chain counters (accounting only).
p[olicy] - set default policy properties.

This is the <chain-entry pattern> structure:
For forwarding/blocking chains:
lreject <proto/addr pattern> reject packet, send ICMP unreachable and log.
reject <proto/addr pattern> reject packet, send ICMP unreachable.
ldeny <proto/addr pattern> reject packet, log it.
deny <proto/addr pattern> reject packet.
log <proto/addr pattern> allow packet, log it.
accept <proto/addr pattern> allow packet.
pass <proto/addr pattern> allow packet.
For accounting chain:
single <proto/addr pattern> log packets matching entry.
bidirectional <proto/addr pattern> log packets matching entry and
those going in the opposite direction (from entry
"dst" to "src").

Each keyword will be recognized by the shortest unambiguous prefix.

The <proto/addr pattern> is:
all|icmp from <src addr/mask> to <dst addr/mask> [via <via>]
tcp[syn]|udp from <src addr/mask>[ports] to <dst addr/mask>[ports][via <via>]
all matches any IP packet.
icmp, tcp and udp - packets for corresponding protocols.
syn - tcp SYN packets (which are used when initiating a connection).

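Keyword abbreviation is where the commit message's `syn' versus `tcpsyn' problem lives: if the parser compares only the first len(keyword) characters of the token, the over-long token `tcpsyn' silently resolves to `tcp' and the rule denies all tcp traffic instead of only SYNs. The following Python is an added example, not ipfw code: a resolver that accepts a token only when it is a genuine prefix of exactly one keyword, beside the loose comparison (an assumption modelled on the commit message, not a claim about the real parser) for contrast.

```python
# Added example, not part of ipfw or this man page.
# Keyword tables taken from the man page text above.
PROTO_KEYWORDS = ("all", "icmp", "tcp", "udp", "syn")
ENTRY_ACTIONS = ("addfirewall", "delfirewall", "addaccounting",
                 "delaccounting", "clraccounting")


def resolve_keyword(token, keywords):
    """Shortest-unambiguous-prefix lookup: the TOKEN must be a prefix
    of a keyword, never the other way round.  Raises ValueError on an
    unknown, empty or ambiguous token so a mistyped rule is rejected
    instead of being installed with a different meaning."""
    if not token:
        raise ValueError("empty keyword")
    matches = [k for k in keywords if k.startswith(token)]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise ValueError(f"unknown keyword {token!r}")
    raise ValueError(f"ambiguous keyword {token!r}: {matches}")


def resolve_keyword_loosely(token, keywords):
    """Assumed old behaviour from the commit message: compare only the
    first len(keyword) characters, so 'tcpsyn' matches 'tcp'."""
    for k in keywords:
        if token[: len(k)] == k:
            return k
    raise ValueError(f"unknown keyword {token!r}")


def resolves_to(token, keywords):
    """Return the resolved keyword, or None when the strict resolver rejects it."""
    try:
        return resolve_keyword(token, keywords)
    except ValueError:
        return None
```

The strict resolver turns `tcpsyn' into a hard error at rule-installation time, which is what you want from a tool that can lock you out of the machine (see BUGS below).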
The order of the from/to/via keywords is unimportant. You can skip any
of them, in which case it is substituted by a default entry matching
any from/to/via packet kind.

The <src addr/mask>:
<INET IP addr | domain name> [/mask bits | :mask pattern]
Mask bits is a decimal number of bits set in the address mask.
Mask pattern has the form of an IP address and is AND'ed logically with the address given.
Keyword "any" can be used to specify 'any IP'.
[ports]: [ port,port....|port:port]
A service name can be used instead of a numeric port value.

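The <src addr/mask> and [ports] forms above, matched against a packet's address and port. This is an added example in Python, not ipfw's own code; it assumes IPv4 and numeric values only (no domain or service name lookup, as with -n), and it rejects malformed masks and inverted port ranges rather than guessing.

```python
# Added example, not part of ipfw or this man page.
import ipaddress


def parse_addr_spec(spec):
    """Return (network, mask) as integers for 'addr', 'addr/bits',
    'addr:mask.pattern' or 'any', following the man page's grammar."""
    if spec == "any":
        return 0, 0                      # mask 0 matches every address
    if "/" in spec:                      # /mask bits: prefix length
        addr, bits = spec.split("/", 1)
        bits = int(bits)
        if not 0 <= bits <= 32:
            raise ValueError(f"bad mask bits in {spec!r}")
        mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    elif ":" in spec:                    # :mask pattern, dotted form
        addr, pattern = spec.split(":", 1)
        mask = int(ipaddress.IPv4Address(pattern))
    else:                                # bare address: exact host
        addr, mask = spec, 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & mask, mask


def addr_matches(spec, packet_addr):
    """True when packet_addr AND mask equals the entry's masked address."""
    net, mask = parse_addr_spec(spec)
    return int(ipaddress.IPv4Address(packet_addr)) & mask == net


def parse_ports(spec):
    """'23' -> {23}; '20,21' -> {20, 21}; '6000:6002' -> {6000..6002}.
    An empty spec means the entry does not restrict the port (None)."""
    if not spec:
        return None
    ports = set()
    for item in spec.split(","):
        if ":" in item:
            lo, hi = (int(x) for x in item.split(":", 1))
            if lo > hi:
                raise ValueError(f"inverted port range {item!r}")
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


def port_matches(spec, packet_port):
    allowed = parse_ports(spec)
    return allowed is None or packet_port in allowed
```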
The via <via> is optional and may specify the IP address/domain name of a local
IP interface, or an interface name (e.g. ed0) to match only packets coming
through this interface. The IP or name given is NOT checked, and a wrong
IP value causes the entry to not match anything.
Keyword 'via' can be substituted by 'on', for readability reasons.

To the l[ist] command may be passed:
f[irewall] | a[ccounting] to list a specific chain, or none to list
all chains. The long output format is compatible with the utility input syntax.

To the f[lush] command may be passed:
f[irewall] | a[ccounting] to remove all entries from the firewall or
from the accounting chain. Without arguments it removes all chain entries.

The z[ero] command needs no arguments; this command clears counters for
the whole accounting chain.

The p[olicy] command can be given a[ccept]|d[eny] to set the default policy
to accepting/denial. Without arguments the current default policy is displayed.

.Sh EXAMPLES

This command adds an entry which denies all tcp packets from
hacker.evil.org to the telnet port of wolf.tambov.su from being
forwarded by the host:
ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet

This one disallows any connection from the entire hackers network
to my host:
ipfw addf deny all from 123.45.67.8/24 to my.host.org

Here is a good usage of the list command to see accounting records:
ipfw -sa list accounting (or in short form ipfw -sa l a ).

Many more examples can be found in files:
/usr/share/FAQ/ipfw.FAQ (missing for the moment)

.Sh SEE ALSO
ip(4), ipfirewall(4), ipaccounting(4), reboot(8)

.Sh BUGS
WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
This program can put your computer in a rather unusable state.
The first time, try using it from the console and do *NOT* do anything
you don't understand.
Remember that "ipfw flush" can solve all the problems.
Also keep in mind that "ipfw policy deny" combined with
some wrong chain entry (possibly the only entry designed
to deny some external packets) can close your computer off from
the outer world for good.

.Sh HISTORY
Initially this utility was written for BSDI by:
Daniel Boulet <danny@BouletFermat.ab.ca>
The FreeBSD version is written completely by:
Ugen J.S.Antsilevich <ugen@NetVision.net.il>
while the synopsis is partially compatible with the old one.