1999-04-28 02:49:29 +00:00
|
|
|
.\"
|
1999-08-28 00:22:10 +00:00
|
|
|
.\" $FreeBSD$
|
1999-04-28 02:49:29 +00:00
|
|
|
.\"
|
2001-06-04 23:56:26 +00:00
|
|
|
.Dd May 31, 2001
|
1999-06-15 12:56:38 +00:00
|
|
|
.Dt IPFW 8
|
2001-07-10 11:04:34 +00:00
|
|
|
.Os
|
1994-11-17 09:50:30 +00:00
|
|
|
.Sh NAME
|
1995-10-26 05:36:24 +00:00
|
|
|
.Nm ipfw
|
2001-06-04 23:56:26 +00:00
|
|
|
.Nd IP firewall and traffic shaper control program
|
1994-11-17 09:50:30 +00:00
|
|
|
.Sh SYNOPSIS
|
2000-11-20 16:52:27 +00:00
|
|
|
.Nm
|
1998-11-23 10:54:28 +00:00
|
|
|
.Op Fl q
|
1998-08-04 14:41:37 +00:00
|
|
|
.Oo
|
1998-11-23 10:54:28 +00:00
|
|
|
.Fl p Ar preproc
|
2000-02-28 15:21:12 +00:00
|
|
|
.Oo Fl D
|
2000-12-27 14:40:52 +00:00
|
|
|
.Ar macro Ns Op = Ns Ar value
|
2000-02-28 15:21:12 +00:00
|
|
|
.Oc
|
1998-11-23 10:54:28 +00:00
|
|
|
.Op Fl U Ar macro
|
1998-08-04 14:41:37 +00:00
|
|
|
.Oc
|
2000-10-11 12:17:06 +00:00
|
|
|
.Ar pathname
|
2000-11-20 16:52:27 +00:00
|
|
|
.Nm
|
2000-02-28 15:21:12 +00:00
|
|
|
.Op Fl f | q
|
|
|
|
.Cm flush
|
2000-11-20 16:52:27 +00:00
|
|
|
.Nm
|
2000-02-28 15:21:12 +00:00
|
|
|
.Op Fl q
|
2001-10-01 14:13:36 +00:00
|
|
|
.Brq Cm zero | resetlog | delete
|
1997-06-02 05:02:37 +00:00
|
|
|
.Op Ar number ...
|
2000-11-20 16:52:27 +00:00
|
|
|
.Nm
|
2000-02-28 15:21:12 +00:00
|
|
|
.Op Fl s Op Ar field
|
2001-06-04 23:56:26 +00:00
|
|
|
.Op Fl adeftN
|
2001-10-01 14:13:36 +00:00
|
|
|
.Brq Cm list | show
|
1998-01-07 02:23:04 +00:00
|
|
|
.Op Ar number ...
|
2000-11-20 16:52:27 +00:00
|
|
|
.Nm
|
2000-02-28 15:21:12 +00:00
|
|
|
.Op Fl q
|
|
|
|
.Cm add
|
1996-12-23 02:03:15 +00:00
|
|
|
.Op Ar number
|
2000-02-28 15:21:12 +00:00
|
|
|
.Ar rule-body
|
2000-11-20 16:52:27 +00:00
|
|
|
.Nm
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm pipe
|
2000-01-08 11:19:19 +00:00
|
|
|
.Ar number
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm config
|
2000-01-08 11:19:19 +00:00
|
|
|
.Ar pipe-config-options
|
2000-11-20 16:52:27 +00:00
|
|
|
.Nm
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm pipe
|
2001-10-01 14:13:36 +00:00
|
|
|
.Brq Cm delete | list | show
|
2000-06-12 09:43:00 +00:00
|
|
|
.Op Ar number ...
|
2000-11-20 16:52:27 +00:00
|
|
|
.Nm
|
2000-06-08 13:38:57 +00:00
|
|
|
.Cm queue
|
|
|
|
.Ar number
|
|
|
|
.Cm config
|
|
|
|
.Ar queue-config-options
|
2000-11-20 16:52:27 +00:00
|
|
|
.Nm
|
2000-06-08 13:38:57 +00:00
|
|
|
.Cm queue
|
2001-10-01 14:13:36 +00:00
|
|
|
.Brq Cm delete | list | show
|
2000-01-08 11:19:19 +00:00
|
|
|
.Op Ar number ...
|
1994-11-17 09:50:30 +00:00
|
|
|
.Sh DESCRIPTION
|
2000-01-08 11:19:19 +00:00
|
|
|
.Nm
|
2000-02-28 15:21:12 +00:00
|
|
|
is the user interface for controlling the
|
|
|
|
.Xr ipfirewall 4
|
|
|
|
and the
|
|
|
|
.Xr dummynet 4
|
|
|
|
traffic shaper in
|
|
|
|
.Fx .
|
2000-01-08 11:19:19 +00:00
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
A firewall configuration is made of a list of numbered rules,
|
2002-01-02 20:48:21 +00:00
|
|
|
which is scanned for each incoming or outgoing IP packet
|
|
|
|
until a match is found and
|
2000-02-28 15:21:12 +00:00
|
|
|
the relevant action is performed.
|
|
|
|
Depending on the action and certain system settings, packets
|
|
|
|
can be reinjected into the firewall at the rule after the
|
|
|
|
matching one for further processing.
|
|
|
|
All rules apply to all interfaces, so it is responsibility
|
|
|
|
of the system administrator to write the ruleset in such a
|
|
|
|
way as to minimize the number of checks.
|
2000-01-08 11:19:19 +00:00
|
|
|
.Pp
|
|
|
|
A configuration always includes a
|
2000-02-28 15:21:12 +00:00
|
|
|
.Em DEFAULT
|
2001-09-27 23:44:27 +00:00
|
|
|
rule (numbered 65535) which cannot be modified,
|
|
|
|
and matches all packets.
|
2000-02-28 15:21:12 +00:00
|
|
|
The action associated with the default rule can be either
|
|
|
|
.Cm deny
|
2000-01-08 11:19:19 +00:00
|
|
|
or
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm allow
|
2000-01-08 11:19:19 +00:00
|
|
|
depending on how the kernel is configured.
|
|
|
|
.Pp
|
2000-02-10 14:25:26 +00:00
|
|
|
If the ruleset includes one or more rules with the
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm keep-state
|
2001-09-27 23:44:27 +00:00
|
|
|
or
|
|
|
|
.Cm limit
|
2000-02-10 14:25:26 +00:00
|
|
|
option, then
|
2000-02-28 15:21:12 +00:00
|
|
|
.Nm
|
2000-02-10 14:25:26 +00:00
|
|
|
assumes a
|
2000-02-28 15:21:12 +00:00
|
|
|
.Em stateful
|
2001-09-27 23:44:27 +00:00
|
|
|
behaviour, i.e. upon a match it will create dynamic rules matching
|
2000-02-28 15:21:12 +00:00
|
|
|
the exact parameters (addresses and ports) of the matching packet.
|
|
|
|
.Pp
|
|
|
|
These dynamic rules, which have a limited lifetime, are checked
|
|
|
|
at the first occurrence of a
|
|
|
|
.Cm check-state
|
2000-02-10 14:25:26 +00:00
|
|
|
or
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm keep-state
|
|
|
|
rule, and are typically used to open the firewall on-demand to
|
|
|
|
legitimate traffic only.
|
|
|
|
See the
|
|
|
|
.Sx RULE FORMAT
|
2000-02-10 14:25:26 +00:00
|
|
|
and
|
2000-02-28 15:21:12 +00:00
|
|
|
.Sx EXAMPLES
|
|
|
|
sections below for more information on the stateful behaviour of
|
2000-11-20 16:52:27 +00:00
|
|
|
.Nm .
|
2000-02-28 15:21:12 +00:00
|
|
|
.Pp
|
|
|
|
All rules (including dynamic ones) have a few associated counters:
|
|
|
|
a packet count, a byte count, a log count and a timestamp
|
|
|
|
indicating the time of the last match.
|
|
|
|
Counters can be displayed or reset with
|
2000-01-08 11:19:19 +00:00
|
|
|
.Nm
|
|
|
|
commands.
|
|
|
|
.Pp
|
|
|
|
Rules can be added with the
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm add
|
2000-01-08 11:19:19 +00:00
|
|
|
command; deleted individually with the
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm delete
|
2000-01-08 11:19:19 +00:00
|
|
|
command, and globally with the
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm flush
|
|
|
|
command; displayed, optionally with the content of the
|
|
|
|
counters, using the
|
|
|
|
.Cm show
|
2000-01-08 11:19:19 +00:00
|
|
|
and
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm list
|
|
|
|
commands.
|
|
|
|
Finally, counters can be reset with the
|
|
|
|
.Cm zero
|
2000-01-08 11:19:19 +00:00
|
|
|
and
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm resetlog
|
2000-01-08 11:19:19 +00:00
|
|
|
commands.
|
|
|
|
.Pp
|
|
|
|
The following options are available:
|
|
|
|
.Bl -tag -width indent
|
|
|
|
.It Fl a
|
2000-02-28 15:21:12 +00:00
|
|
|
While listing, show counter values.
|
2002-01-02 20:16:15 +00:00
|
|
|
The
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm show
|
2002-01-02 20:16:15 +00:00
|
|
|
command just implies this option.
|
2001-05-20 10:01:39 +00:00
|
|
|
.It Fl d
|
2001-06-04 23:56:26 +00:00
|
|
|
While listing, show dynamic rules in addition to static ones.
|
|
|
|
.It Fl e
|
|
|
|
While listing, if the
|
|
|
|
.Fl d
|
|
|
|
option was specified, also show expired dynamic rules.
|
2000-01-08 11:19:19 +00:00
|
|
|
.It Fl f
|
2000-02-28 15:21:12 +00:00
|
|
|
Don't ask for confirmation for commands that can cause problems
|
|
|
|
if misused,
|
|
|
|
.No i.e. Cm flush .
|
|
|
|
.Em Note ,
|
2000-01-08 11:19:19 +00:00
|
|
|
if there is no tty associated with the process, this is implied.
|
|
|
|
.It Fl q
|
2000-02-28 15:21:12 +00:00
|
|
|
While
|
|
|
|
.Cm add Ns ing ,
|
|
|
|
.Cm zero Ns ing ,
|
|
|
|
.Cm resetlog Ns ging
|
|
|
|
or
|
|
|
|
.Cm flush Ns ing ,
|
|
|
|
be quiet about actions
|
2001-08-07 15:48:51 +00:00
|
|
|
(implies
|
|
|
|
.Fl f ) .
|
2000-01-08 11:19:19 +00:00
|
|
|
This is useful for adjusting rules by executing multiple
|
|
|
|
.Nm
|
|
|
|
commands in a script
|
2001-08-07 15:48:51 +00:00
|
|
|
(e.g.,
|
|
|
|
.Ql sh\ /etc/rc.firewall ) ,
|
2000-01-08 11:19:19 +00:00
|
|
|
or by processing a file of many
|
2000-02-28 15:21:12 +00:00
|
|
|
.Nm
|
2000-01-08 11:19:19 +00:00
|
|
|
rules,
|
2000-02-28 15:21:12 +00:00
|
|
|
across a remote login session.
|
|
|
|
If a
|
|
|
|
.Cm flush
|
|
|
|
is performed in normal (verbose) mode (with the default kernel
|
|
|
|
configuration), it prints a message.
|
|
|
|
Because all rules are flushed, the message cannot be delivered
|
|
|
|
to the login session.
|
|
|
|
This causes the remote login session to be closed and the
|
|
|
|
remainder of the ruleset is not processed.
|
|
|
|
Access to the console is required to recover.
|
2000-01-08 11:19:19 +00:00
|
|
|
.It Fl t
|
|
|
|
While listing, show last match timestamp.
|
|
|
|
.It Fl N
|
|
|
|
Try to resolve addresses and service names in output.
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Fl s Op Ar field
|
|
|
|
While listing pipes, sort according to one of the four
|
2000-02-10 14:25:26 +00:00
|
|
|
counters (total and current packets or bytes).
|
2000-01-08 11:19:19 +00:00
|
|
|
.El
|
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
To ease configuration, rules can be put into a file which is
|
|
|
|
processed using
|
2000-01-08 11:19:19 +00:00
|
|
|
.Nm
|
2000-02-28 15:21:12 +00:00
|
|
|
as shown in the first synopsis line.
|
2000-10-11 12:17:06 +00:00
|
|
|
An absolute
|
|
|
|
.Ar pathname
|
|
|
|
must be used.
|
|
|
|
The file
|
2000-02-28 15:21:12 +00:00
|
|
|
will be read line by line and applied as arguments to the
|
1996-08-13 19:43:24 +00:00
|
|
|
.Nm
|
2000-02-28 15:21:12 +00:00
|
|
|
utility.
|
1996-02-24 13:39:46 +00:00
|
|
|
.Pp
|
1998-11-23 10:54:28 +00:00
|
|
|
Optionally, a preprocessor can be specified using
|
|
|
|
.Fl p Ar preproc
|
|
|
|
where
|
2000-10-11 12:17:06 +00:00
|
|
|
.Ar pathname
|
2000-02-28 15:21:12 +00:00
|
|
|
is to be piped through.
|
|
|
|
Useful preprocessors include
|
1998-11-23 10:54:28 +00:00
|
|
|
.Xr cpp 1
|
|
|
|
and
|
|
|
|
.Xr m4 1 .
|
|
|
|
If
|
|
|
|
.Ar preproc
|
2000-02-28 15:21:12 +00:00
|
|
|
doesn't start with a slash
|
|
|
|
.Pq Ql /
|
|
|
|
as its first character, the usual
|
1998-11-23 10:54:28 +00:00
|
|
|
.Ev PATH
|
2000-02-28 15:21:12 +00:00
|
|
|
name search is performed.
|
|
|
|
Care should be taken with this in environments where not all
|
|
|
|
filesystems are mounted (yet) by the time
|
1998-11-23 10:54:28 +00:00
|
|
|
.Nm
|
2000-02-28 15:21:12 +00:00
|
|
|
is being run (e.g. when they are mounted over NFS).
|
|
|
|
Once
|
1998-11-23 10:54:28 +00:00
|
|
|
.Fl p
|
|
|
|
has been specified, optional
|
|
|
|
.Fl D
|
|
|
|
and
|
|
|
|
.Fl U
|
1999-04-28 02:49:29 +00:00
|
|
|
specifications can follow and will be passed on to the preprocessor.
|
1998-11-23 10:54:28 +00:00
|
|
|
This allows for flexible configuration files (like conditionalizing
|
|
|
|
them on the local hostname) and the use of macros to centralize
|
|
|
|
frequently required arguments like IP addresses.
|
|
|
|
.Pp
|
2000-01-08 11:19:19 +00:00
|
|
|
The
|
1999-04-28 02:49:29 +00:00
|
|
|
.Nm
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm pipe
|
|
|
|
commands are used to configure the traffic shaper, as shown in the
|
|
|
|
.Sx TRAFFIC SHAPER CONFIGURATION
|
|
|
|
section below.
|
2000-01-08 11:19:19 +00:00
|
|
|
.Sh RULE FORMAT
|
|
|
|
The
|
1999-04-28 02:49:29 +00:00
|
|
|
.Nm
|
2000-02-28 15:21:12 +00:00
|
|
|
rule format is the following:
|
|
|
|
.Bd -ragged
|
|
|
|
.Op Cm prob Ar match_probability
|
2000-01-08 11:19:19 +00:00
|
|
|
.Ar action
|
2000-02-28 15:21:12 +00:00
|
|
|
.Op Cm log Op Cm logamount Ar number
|
2000-01-08 11:19:19 +00:00
|
|
|
.Ar proto
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm from Ar src
|
|
|
|
.Cm to Ar dst
|
|
|
|
.Op Ar interface-spec
|
2000-01-08 11:19:19 +00:00
|
|
|
.Op Ar options
|
2000-02-28 15:21:12 +00:00
|
|
|
.Ed
|
2000-01-08 11:19:19 +00:00
|
|
|
.Pp
|
1999-04-28 02:49:29 +00:00
|
|
|
Each packet can be filtered based on the following information that is
|
|
|
|
associated with it:
|
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
.Bl -tag -width "Source and destination IP address" -offset indent -compact
|
|
|
|
.It Protocol
|
|
|
|
(TCP, UDP, ICMP, etc.)
|
2000-10-06 11:17:06 +00:00
|
|
|
.It Source and destination IP address
|
|
|
|
(possibly masked)
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Source and destination port
|
|
|
|
(lists, ranges or masks)
|
2000-10-06 11:17:06 +00:00
|
|
|
.It Direction
|
|
|
|
(incoming or outgoing)
|
|
|
|
.It Transmit and receive interface
|
|
|
|
(by name or address)
|
|
|
|
.It IP version
|
|
|
|
.It IP type of service
|
|
|
|
.It IP datagram length
|
|
|
|
.It IP identification
|
2000-02-28 15:21:12 +00:00
|
|
|
.It IP fragment flag
|
2000-10-06 11:17:06 +00:00
|
|
|
(non-zero IP offset)
|
|
|
|
.It IP time to live
|
2000-02-28 15:21:12 +00:00
|
|
|
.It IP options
|
2000-10-06 11:17:06 +00:00
|
|
|
.It TCP sequence number
|
|
|
|
.It TCP acknowledgment number
|
|
|
|
.It TCP flags
|
|
|
|
(SYN, FIN, ACK, RST, etc.)
|
|
|
|
.It TCP window
|
|
|
|
.It TCP options
|
2000-02-28 15:21:12 +00:00
|
|
|
.It ICMP types
|
2000-10-06 11:17:06 +00:00
|
|
|
(for ICMP packets)
|
2000-02-28 15:21:12 +00:00
|
|
|
.It User/group ID of the socket associated with the packet
|
1999-04-28 02:49:29 +00:00
|
|
|
.El
|
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
Note that it may be dangerous to filter on the source IP
|
|
|
|
address or source TCP/UDP port because either or both could
|
|
|
|
easily be spoofed.
|
|
|
|
.Bl -tag -width indent
|
|
|
|
.It Cm prob Ar match_probability
|
|
|
|
A match is only declared with the specified probability
|
|
|
|
(floating point number between 0 and 1).
|
|
|
|
This can be useful for a number of applications such as
|
|
|
|
random packet drop or
|
2001-08-07 15:48:51 +00:00
|
|
|
(in conjunction with
|
|
|
|
.Xr dummynet 4 )
|
2000-02-28 15:21:12 +00:00
|
|
|
to simulate the effect of multiple paths leading to out-of-order
|
1999-08-11 15:36:13 +00:00
|
|
|
packet delivery.
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Ar action :
|
|
|
|
.Bl -tag -width indent
|
|
|
|
.It Cm allow
|
1996-06-15 01:38:51 +00:00
|
|
|
Allow packets that match rule.
|
2000-02-28 15:21:12 +00:00
|
|
|
The search terminates.
|
|
|
|
Aliases are
|
|
|
|
.Cm pass ,
|
|
|
|
.Cm permit
|
1997-06-02 05:02:37 +00:00
|
|
|
and
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm accept .
|
|
|
|
.It Cm deny
|
1996-02-24 13:39:46 +00:00
|
|
|
Discard packets that match this rule.
|
|
|
|
The search terminates.
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm drop
|
1997-06-02 05:02:37 +00:00
|
|
|
is an alias for
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm deny .
|
|
|
|
.It Cm reject
|
2001-08-07 15:48:51 +00:00
|
|
|
(Deprecated).
|
2000-02-28 15:21:12 +00:00
|
|
|
Discard packets that match this rule, and try to send an ICMP
|
1997-06-02 05:02:37 +00:00
|
|
|
host unreachable notice.
|
1996-07-10 19:44:30 +00:00
|
|
|
The search terminates.
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Cm unreach Ar code
|
1997-06-02 05:02:37 +00:00
|
|
|
Discard packets that match this rule, and try to send an ICMP
|
|
|
|
unreachable notice with code
|
|
|
|
.Ar code ,
|
|
|
|
where
|
|
|
|
.Ar code
|
2000-02-28 15:21:12 +00:00
|
|
|
is a number from 0 to 255, or one of these aliases:
|
|
|
|
.Cm net , host , protocol , port ,
|
|
|
|
.Cm needfrag , srcfail , net-unknown , host-unknown ,
|
|
|
|
.Cm isolated , net-prohib , host-prohib , tosnet ,
|
|
|
|
.Cm toshost , filter-prohib , host-precedence
|
1997-06-02 05:02:37 +00:00
|
|
|
or
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm precedence-cutoff .
|
1997-06-02 05:02:37 +00:00
|
|
|
The search terminates.
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Cm reset
|
|
|
|
TCP packets only.
|
|
|
|
Discard packets that match this rule, and try to send a TCP
|
|
|
|
reset (RST) notice.
|
1997-06-02 05:02:37 +00:00
|
|
|
The search terminates.
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Cm count
|
1997-06-02 05:02:37 +00:00
|
|
|
Update counters for all packets that match rule.
|
|
|
|
The search continues with the next rule.
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Cm check-state
|
|
|
|
Checks the packet against the dynamic ruleset.
|
|
|
|
If a match is found then the search terminates, otherwise
|
|
|
|
we move to the next rule.
|
2000-02-10 14:25:26 +00:00
|
|
|
If no
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm check-state
|
2000-02-10 14:25:26 +00:00
|
|
|
rule is found, the dynamic ruleset is checked at the first
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm keep-state
|
2000-02-10 14:25:26 +00:00
|
|
|
rule.
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Cm divert Ar port
|
1997-06-02 05:02:37 +00:00
|
|
|
Divert packets that match this rule to the
|
|
|
|
.Xr divert 4
|
|
|
|
socket bound to port
|
1996-07-10 19:44:30 +00:00
|
|
|
.Ar port .
|
1996-02-24 13:39:46 +00:00
|
|
|
The search terminates.
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Cm tee Ar port
|
1997-06-02 05:02:37 +00:00
|
|
|
Send a copy of packets matching this rule to the
|
|
|
|
.Xr divert 4
|
|
|
|
socket bound to port
|
|
|
|
.Ar port .
|
1999-12-06 01:00:24 +00:00
|
|
|
The search terminates and the original packet is accepted
|
2001-08-07 15:48:51 +00:00
|
|
|
(but see section
|
2000-02-28 15:21:12 +00:00
|
|
|
.Sx BUGS
|
2001-08-07 15:48:51 +00:00
|
|
|
below).
|
2001-10-01 14:13:36 +00:00
|
|
|
.It Cm fwd Ar ipaddr Ns Op , Ns Ar port
|
1998-07-06 03:20:19 +00:00
|
|
|
Change the next-hop on matching packets to
|
|
|
|
.Ar ipaddr ,
|
|
|
|
which can be an IP address in dotted quad or a host name.
|
|
|
|
If
|
|
|
|
.Ar ipaddr
|
2000-02-28 15:21:12 +00:00
|
|
|
is not a directly-reachable address, the route as found in
|
|
|
|
the local routing table for that IP is used instead.
|
1998-07-06 03:20:19 +00:00
|
|
|
If
|
|
|
|
.Ar ipaddr
|
2002-01-10 15:41:06 +00:00
|
|
|
is a local address, then on a packet matching a
|
|
|
|
.Cm fwd
|
|
|
|
rule,
|
2001-12-28 22:24:26 +00:00
|
|
|
it will be diverted to
|
1998-07-06 03:20:19 +00:00
|
|
|
.Ar port
|
2000-02-28 15:21:12 +00:00
|
|
|
on the local machine, keeping the local address of the socket
|
|
|
|
set to the original IP address the packet was destined for.
|
2001-12-28 22:24:26 +00:00
|
|
|
This makes the
|
|
|
|
.Xr netstat 1
|
2002-01-02 19:46:14 +00:00
|
|
|
entry look rather weird but is intended for
|
2001-12-28 22:24:26 +00:00
|
|
|
use with transparent proxy servers.
|
2000-02-28 15:21:12 +00:00
|
|
|
If the IP is not a local address then the port number
|
2001-12-28 22:24:26 +00:00
|
|
|
(if specified) is ignored.
|
|
|
|
This will also map addresses when packets are
|
2000-02-28 15:21:12 +00:00
|
|
|
generated locally.
|
|
|
|
The search terminates if this rule matches.
|
|
|
|
If the port number is not given then the port number in the
|
|
|
|
packet is used, so that a packet for an external machine port
|
|
|
|
Y would be forwarded to local port Y.
|
|
|
|
The kernel must have been compiled with the
|
|
|
|
.Dv IPFIREWALL_FORWARD
|
2002-01-10 15:41:06 +00:00
|
|
|
option.
|
|
|
|
Bridging interferes with forwarding of packets not destined
|
|
|
|
to the local system as they bypass
|
|
|
|
.Fn ip_input
|
|
|
|
and
|
|
|
|
.Fn ip_output
|
|
|
|
where forwarding is implemented.
|
|
|
|
The
|
|
|
|
.Cm fwd
|
2001-12-28 22:24:26 +00:00
|
|
|
action does not change the contents of the packet at all so
|
|
|
|
packets forwarded to another system will usually be rejected by that system
|
|
|
|
unless there is a matching rule on that system to capture them.
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Cm pipe Ar pipe_nr
|
1999-08-11 15:36:13 +00:00
|
|
|
Pass packet to a
|
|
|
|
.Xr dummynet 4
|
2000-02-28 15:21:12 +00:00
|
|
|
.Dq pipe
|
|
|
|
(for bandwidth limitation, delay, etc.).
|
|
|
|
See the
|
2000-06-08 13:38:57 +00:00
|
|
|
.Sx TRAFFIC SHAPER CONFIGURATION
|
|
|
|
section for further information.
|
2000-02-28 15:21:12 +00:00
|
|
|
The search terminates; however, on exit from the pipe and if
|
|
|
|
the
|
|
|
|
.Xr sysctl 8
|
|
|
|
variable
|
|
|
|
.Em net.inet.ip.fw.one_pass
|
|
|
|
is not set, the packet is passed again to the firewall code
|
|
|
|
starting from the next rule.
|
2000-06-08 13:38:57 +00:00
|
|
|
.It Cm queue Ar queue_nr
|
|
|
|
Pass packet to a
|
|
|
|
.Xr dummynet 4
|
|
|
|
.Dq queue
|
|
|
|
(for bandwidth limitation using WF2Q).
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Cm skipto Ar number
|
1997-06-02 05:02:37 +00:00
|
|
|
Skip all subsequent rules numbered less than
|
|
|
|
.Ar number .
|
|
|
|
The search continues with the first rule numbered
|
|
|
|
.Ar number
|
|
|
|
or higher.
|
1996-02-24 13:39:46 +00:00
|
|
|
.El
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Cm log Op Cm logamount Ar number
|
1997-06-02 05:02:37 +00:00
|
|
|
If the kernel was compiled with
|
|
|
|
.Dv IPFIREWALL_VERBOSE ,
|
1999-04-28 02:49:29 +00:00
|
|
|
then when a packet matches a rule with the
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm log
|
2001-02-22 09:12:44 +00:00
|
|
|
keyword a message will be
|
|
|
|
logged to
|
|
|
|
.Xr syslogd 8
|
|
|
|
with a
|
|
|
|
.Dv LOG_SECURITY
|
|
|
|
facility.
|
|
|
|
.Em Note :
|
|
|
|
by default, they are appended to the
|
|
|
|
.Pa /var/log/security
|
|
|
|
file (see
|
|
|
|
.Xr syslog.conf 5 ) .
|
2000-01-08 11:19:19 +00:00
|
|
|
If the kernel was compiled with the
|
1997-06-02 05:02:37 +00:00
|
|
|
.Dv IPFIREWALL_VERBOSE_LIMIT
|
1999-08-01 16:57:24 +00:00
|
|
|
option, then by default logging will cease after the number
|
|
|
|
of packets specified by the option are received for that
|
2000-04-30 06:44:11 +00:00
|
|
|
particular chain entry, and
|
|
|
|
.Em net.inet.ip.fw.verbose_limit
|
|
|
|
will be set to that number.
|
2000-02-28 15:21:12 +00:00
|
|
|
However, if
|
|
|
|
.Cm logamount Ar number
|
1999-08-01 16:57:24 +00:00
|
|
|
is used, that
|
|
|
|
.Ar number
|
2000-04-30 06:44:11 +00:00
|
|
|
will be the logging limit rather than
|
|
|
|
.Em net.inet.ip.fw.verbose_limit ,
|
|
|
|
where the value
|
|
|
|
.Dq 0
|
|
|
|
removes the logging limit.
|
1999-08-01 16:57:24 +00:00
|
|
|
Logging may then be re-enabled by clearing the logging counter
|
|
|
|
or the packet counter for that entry.
|
1996-02-24 13:39:46 +00:00
|
|
|
.Pp
|
2000-01-08 11:19:19 +00:00
|
|
|
Console logging and the log limit are adjustable dynamically
|
|
|
|
through the
|
1997-06-02 05:02:37 +00:00
|
|
|
.Xr sysctl 8
|
1999-08-01 16:57:24 +00:00
|
|
|
interface in the MIB base of
|
2000-02-28 15:21:12 +00:00
|
|
|
.Em net.inet.ip.fw .
|
|
|
|
.It Ar proto
|
|
|
|
An IP protocol specified by number or name (for a complete
|
|
|
|
list see
|
|
|
|
.Pa /etc/protocols ) .
|
2000-01-08 11:19:19 +00:00
|
|
|
The
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm ip
|
2000-01-08 11:19:19 +00:00
|
|
|
or
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm all
|
2000-01-08 11:19:19 +00:00
|
|
|
keywords mean any protocol will match.
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Ar src No and Ar dst :
|
2001-02-15 08:36:20 +00:00
|
|
|
.Cm any | me | Op Cm not
|
2000-02-28 15:21:12 +00:00
|
|
|
.Aq Ar address Ns / Ns Ar mask
|
|
|
|
.Op Ar ports
|
1996-06-15 01:38:51 +00:00
|
|
|
.Pp
|
2001-02-13 14:12:37 +00:00
|
|
|
Specifying
|
|
|
|
.Cm any
|
2001-09-29 06:33:42 +00:00
|
|
|
makes the rule match any IP address.
|
2001-02-13 14:12:37 +00:00
|
|
|
.Pp
|
|
|
|
Specifying
|
|
|
|
.Cm me
|
2001-09-29 06:33:42 +00:00
|
|
|
makes the rule match any IP address configured on an interface in the system.
|
2001-02-13 14:12:37 +00:00
|
|
|
.Pp
|
1996-06-15 01:38:51 +00:00
|
|
|
The
|
2000-02-28 15:21:12 +00:00
|
|
|
.Aq Ar address Ns / Ns Ar mask
|
1996-06-15 01:38:51 +00:00
|
|
|
may be specified as:
|
2000-10-06 11:17:06 +00:00
|
|
|
.Bl -tag -width "ipno/bits"
|
1996-02-24 13:39:46 +00:00
|
|
|
.It Ar ipno
|
2000-02-28 15:21:12 +00:00
|
|
|
An IP number of the form 1.2.3.4.
|
|
|
|
Only this exact IP number will match the rule.
|
|
|
|
.It Ar ipno Ns / Ns Ar bits
|
|
|
|
An IP number with a mask width of the form 1.2.3.4/24.
|
|
|
|
In this case all IP numbers from 1.2.3.0 to 1.2.3.255 will match.
|
|
|
|
.It Ar ipno Ns : Ns Ar mask
|
|
|
|
An IP number with a mask of the form 1.2.3.4:255.255.240.0.
|
|
|
|
In this case all IP numbers from 1.2.0.0 to 1.2.15.255 will match.
|
1996-02-24 13:39:46 +00:00
|
|
|
.El
|
|
|
|
.Pp
|
1997-01-16 21:04:29 +00:00
|
|
|
The sense of the match can be inverted by preceding an address with the
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm not
|
|
|
|
modifier, causing all other addresses to be matched instead.
|
|
|
|
This does not affect the selection of port numbers.
|
1997-01-16 21:04:29 +00:00
|
|
|
.Pp
|
1997-06-23 22:32:13 +00:00
|
|
|
With the TCP and UDP protocols, optional
|
1997-01-16 21:04:29 +00:00
|
|
|
.Em ports
|
1996-06-15 01:38:51 +00:00
|
|
|
may be specified as:
|
2000-02-28 15:21:12 +00:00
|
|
|
.Bd -ragged -offset indent
|
|
|
|
.Sm off
|
2001-10-01 14:13:36 +00:00
|
|
|
.Brq Ar port | port No \&- Ar port | port : mask
|
|
|
|
.Op , Ar port Op , Ar ...
|
2000-02-28 15:21:12 +00:00
|
|
|
.Sm on
|
|
|
|
.Ed
|
1996-06-15 01:38:51 +00:00
|
|
|
.Pp
|
2000-01-08 11:19:19 +00:00
|
|
|
The
|
2000-02-28 15:21:12 +00:00
|
|
|
.Ql \&-
|
2000-01-08 11:19:19 +00:00
|
|
|
notation specifies a range of ports (including boundaries).
|
|
|
|
.Pp
|
|
|
|
The
|
2000-02-28 15:21:12 +00:00
|
|
|
.Ql \&:
|
2000-01-08 11:19:19 +00:00
|
|
|
notation specifies a port and a mask, a match is declared if
|
|
|
|
the port number in the packet matches the one in the rule,
|
|
|
|
limited to the bits which are set in the mask.
|
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
Service names (from
|
1996-06-15 01:38:51 +00:00
|
|
|
.Pa /etc/services )
|
1997-06-23 22:32:13 +00:00
|
|
|
may be used instead of numeric port values.
|
2000-02-28 15:21:12 +00:00
|
|
|
A range may only be specified as the first value, and the
|
|
|
|
length of the port list is limited to
|
1996-12-23 02:03:15 +00:00
|
|
|
.Dv IP_FW_MAX_PORTS
|
2000-02-28 15:21:12 +00:00
|
|
|
ports (as defined in
|
|
|
|
.Pa /usr/src/sys/netinet/ip_fw.h ) .
|
|
|
|
A backslash
|
|
|
|
.Pq Ql \e
|
|
|
|
can be used to escape the dash
|
|
|
|
.Pq Ql -
|
1999-06-15 12:56:38 +00:00
|
|
|
character in a service name:
|
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
.Dl "ipfw add count tcp from any ftp\e\e-data-ftp to any"
|
1996-06-15 01:38:51 +00:00
|
|
|
.Pp
|
1998-02-12 00:57:06 +00:00
|
|
|
Fragmented packets which have a non-zero offset (i.e. not the first
|
|
|
|
fragment) will never match a rule which has one or more port
|
2000-02-28 15:21:12 +00:00
|
|
|
specifications.
|
|
|
|
See the
|
|
|
|
.Cm frag
|
1998-02-12 00:57:06 +00:00
|
|
|
option for details on matching fragmented packets.
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Ar interface-spec
|
2000-01-08 11:19:19 +00:00
|
|
|
Some combinations of the following specifiers are allowed:
|
2000-02-28 15:21:12 +00:00
|
|
|
.Bl -tag -width "via ipno"
|
|
|
|
.It Cm in
|
2000-01-08 11:19:19 +00:00
|
|
|
Only match incoming packets.
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Cm out
|
2000-01-08 11:19:19 +00:00
|
|
|
Only match outgoing packets.
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Cm via Ar ifX
|
1997-06-02 05:02:37 +00:00
|
|
|
Packet must be going through interface
|
2000-02-28 15:21:12 +00:00
|
|
|
.Ar ifX .
|
|
|
|
.It Cm via Ar if Ns Cm *
|
1997-06-02 05:02:37 +00:00
|
|
|
Packet must be going through interface
|
|
|
|
.Ar ifX ,
|
2000-02-28 15:21:12 +00:00
|
|
|
where
|
|
|
|
.Ar X
|
|
|
|
is any unit number.
|
|
|
|
.It Cm via any
|
1997-06-02 05:02:37 +00:00
|
|
|
Packet must be going through
|
|
|
|
.Em some
|
|
|
|
interface.
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Cm via Ar ipno
|
1997-06-02 05:02:37 +00:00
|
|
|
Packet must be going through the interface having IP address
|
|
|
|
.Ar ipno .
|
|
|
|
.El
|
|
|
|
.Pp
|
|
|
|
The
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm via
|
1997-06-02 05:02:37 +00:00
|
|
|
keyword causes the interface to always be checked.
|
|
|
|
If
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm recv
|
1997-06-02 05:02:37 +00:00
|
|
|
or
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm xmit
|
1997-06-02 05:02:37 +00:00
|
|
|
is used instead of
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm via ,
|
2001-10-14 22:46:05 +00:00
|
|
|
then only the receive or transmit interface (respectively)
|
2000-02-28 15:21:12 +00:00
|
|
|
is checked.
|
|
|
|
By specifying both, it is possible to match packets based on
|
|
|
|
both receive and transmit interface, e.g.:
|
1997-06-02 05:02:37 +00:00
|
|
|
.Pp
|
|
|
|
.Dl "ipfw add 100 deny ip from any to any out recv ed0 xmit ed1"
|
1996-02-24 13:39:46 +00:00
|
|
|
.Pp
|
1997-06-02 05:02:37 +00:00
|
|
|
The
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm recv
|
|
|
|
interface can be tested on either incoming or outgoing packets,
|
|
|
|
while the
|
|
|
|
.Cm xmit
|
|
|
|
interface can only be tested on outgoing packets.
|
|
|
|
So
|
|
|
|
.Cm out
|
1997-06-02 05:02:37 +00:00
|
|
|
is required (and
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm in
|
|
|
|
is invalid) whenever
|
|
|
|
.Cm xmit
|
|
|
|
is used.
|
|
|
|
Specifying
|
|
|
|
.Cm via
|
1997-06-02 05:02:37 +00:00
|
|
|
together with
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm xmit
|
1997-06-02 05:02:37 +00:00
|
|
|
or
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm recv
|
1997-06-02 05:02:37 +00:00
|
|
|
is invalid.
|
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
A packet may not have a receive or transmit interface: packets
|
|
|
|
originating from the local host have no receive interface,
|
|
|
|
while packets destined for the local host have no transmit
|
|
|
|
interface.
|
|
|
|
.It Ar options :
|
|
|
|
.Bl -tag -width indent
|
2001-09-27 23:44:27 +00:00
|
|
|
.It Cm keep-state
|
2000-02-28 15:21:12 +00:00
|
|
|
Upon a match, the firewall will create a dynamic rule, whose
|
|
|
|
default behaviour is to matching bidirectional traffic between
|
|
|
|
source and destination IP/port using the same protocol.
|
|
|
|
The rule has a limited lifetime (controlled by a set of
|
|
|
|
.Xr sysctl 8
|
|
|
|
variables), and the lifetime is refreshed every time a matching
|
|
|
|
packet is found.
|
2001-10-01 14:13:36 +00:00
|
|
|
.It Cm limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N
|
|
|
|
The firewall will only allow
|
|
|
|
.Ar N
|
|
|
|
connections with the same
|
|
|
|
set of parameters as specified in the rule.
|
|
|
|
One or more
|
2001-09-27 23:44:27 +00:00
|
|
|
of source and destination addresses and ports can be
|
|
|
|
specified.
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Cm bridged
|
|
|
|
Matches only bridged packets.
|
|
|
|
This can be useful for multicast or broadcast traffic, which
|
|
|
|
would otherwise pass through the firewall twice: once during
|
|
|
|
bridging, and a second time when the packet is delivered to
|
|
|
|
the local stack.
|
2000-02-10 14:25:26 +00:00
|
|
|
.Pp
|
|
|
|
Apart from a small performance penalty, this would be a problem
|
|
|
|
when using
|
2000-02-28 15:21:12 +00:00
|
|
|
.Em pipes
|
|
|
|
because the same packet would be accounted for twice in terms
|
|
|
|
of bandwidth, queue occupation, and also counters.
|
2000-10-06 11:17:06 +00:00
|
|
|
.It Cm ipversion Ar ver
|
|
|
|
Match if the IP header version is
|
|
|
|
.Ar ver .
|
2001-12-21 18:43:37 +00:00
|
|
|
.It Cm ipprecedence Ar precedence
|
|
|
|
Match if the numeric value of IP datagram's precedence is equal to
|
|
|
|
.Ar precedence .
|
2000-10-06 11:17:06 +00:00
|
|
|
.It Cm iptos Ar spec
|
|
|
|
Match if the IP header contains the comma separated list of
|
|
|
|
service types specified in
|
|
|
|
.Ar spec .
|
|
|
|
The supported IP types of service are:
|
|
|
|
.Pp
|
|
|
|
.Cm lowdelay
|
|
|
|
.Pq Dv IPTOS_LOWDELAY ,
|
|
|
|
.Cm throughput
|
|
|
|
.Pq Dv IPTOS_THROUGHPUT ,
|
|
|
|
.Cm reliability
|
|
|
|
.Pq Dv IPTOS_RELIABILITY ,
|
|
|
|
.Cm mincost
|
|
|
|
.Pq Dv IPTOS_MINCOST ,
|
|
|
|
.Cm congestion
|
|
|
|
.Pq Dv IPTOS_CE .
|
|
|
|
The absence of a particular type may be denoted
|
|
|
|
with a
|
2000-12-18 15:16:24 +00:00
|
|
|
.Ql \&! .
|
2000-10-06 11:17:06 +00:00
|
|
|
.It Cm iplen Ar len
|
|
|
|
Match if the total length of a packet, including header and data, is
|
|
|
|
.Ar len
|
|
|
|
bytes.
|
|
|
|
.It Cm ipid Ar id
|
|
|
|
Match if the identification of IP datagram is
|
|
|
|
.Ar id .
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Cm frag
|
|
|
|
Match if the packet is a fragment and this is not the first
|
|
|
|
fragment of the datagram.
|
|
|
|
.Cm frag
|
1998-02-12 00:57:06 +00:00
|
|
|
may not be used in conjunction with either
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm tcpflags
|
1998-02-12 00:57:06 +00:00
|
|
|
or TCP/UDP port specifications.
|
2000-10-06 11:17:06 +00:00
|
|
|
.It Cm ipttl Ar ttl
|
|
|
|
Match if the time to live of IP datagram is
|
|
|
|
.Ar ttl .
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Cm ipoptions Ar spec
|
|
|
|
Match if the IP header contains the comma separated list of
|
1996-06-15 01:38:51 +00:00
|
|
|
options specified in
|
|
|
|
.Ar spec .
|
|
|
|
The supported IP options are:
|
2000-01-08 11:19:19 +00:00
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm ssrr
|
1996-06-15 01:38:51 +00:00
|
|
|
(strict source route),
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm lsrr
|
1996-06-15 01:38:51 +00:00
|
|
|
(loose source route),
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm rr
|
|
|
|
(record packet route) and
|
|
|
|
.Cm ts
|
1996-06-15 01:38:51 +00:00
|
|
|
(timestamp).
|
|
|
|
The absence of a particular option may be denoted
|
1999-04-28 02:49:29 +00:00
|
|
|
with a
|
2000-12-18 15:16:24 +00:00
|
|
|
.Ql \&! .
|
2000-10-06 11:17:06 +00:00
|
|
|
.It Cm tcpseq Ar seq
|
2000-02-28 15:21:12 +00:00
|
|
|
TCP packets only.
|
2000-10-06 11:17:06 +00:00
|
|
|
Match if the TCP header sequence number field is set to
|
|
|
|
.Ar seq .
|
|
|
|
.It Cm tcpack Ar ack
|
1996-02-24 13:39:46 +00:00
|
|
|
TCP packets only.
|
2000-10-06 11:17:06 +00:00
|
|
|
Match if the TCP header acknowledgment number field is set to
|
|
|
|
.Ar ack .
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Cm tcpflags Ar spec
|
1996-02-24 13:39:46 +00:00
|
|
|
TCP packets only.
|
1999-05-29 08:12:38 +00:00
|
|
|
Match if the TCP header contains the comma separated list of
|
1996-06-15 01:38:51 +00:00
|
|
|
flags specified in
|
|
|
|
.Ar spec .
|
|
|
|
The supported TCP flags are:
|
2000-01-08 11:19:19 +00:00
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm fin ,
|
|
|
|
.Cm syn ,
|
|
|
|
.Cm rst ,
|
|
|
|
.Cm psh ,
|
|
|
|
.Cm ack
|
1996-06-15 01:38:51 +00:00
|
|
|
and
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm urg .
|
1996-06-15 01:38:51 +00:00
|
|
|
The absence of a particular flag may be denoted
|
1999-04-28 02:49:29 +00:00
|
|
|
with a
|
2000-12-18 15:16:24 +00:00
|
|
|
.Ql \&! .
|
1998-02-12 00:57:06 +00:00
|
|
|
A rule which contains a
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm tcpflags
|
1998-02-12 00:57:06 +00:00
|
|
|
specification can never match a fragmented packet which has
|
2000-02-28 15:21:12 +00:00
|
|
|
a non-zero offset.
|
|
|
|
See the
|
|
|
|
.Cm frag
|
1998-02-12 00:57:06 +00:00
|
|
|
option for details on matching fragmented packets.
|
2000-10-06 11:17:06 +00:00
|
|
|
.It Cm established
|
|
|
|
TCP packets only.
|
|
|
|
Match packets that have the RST or ACK bits set.
|
|
|
|
.It Cm setup
|
|
|
|
TCP packets only.
|
|
|
|
Match packets that have the SYN bit set but no ACK bit.
|
|
|
|
This is the short form of
|
|
|
|
.Dq Li tcpflags\ syn,!ack .
|
|
|
|
.It Cm tcpwin Ar win
|
|
|
|
TCP packets only.
|
|
|
|
Match if the TCP header window field is set to
|
|
|
|
.Ar win .
|
|
|
|
.It Cm tcpoptions Ar spec
|
|
|
|
TCP packets only.
|
|
|
|
Match if the TCP header contains the comma separated list of
|
|
|
|
options specified in
|
|
|
|
.Ar spec .
|
|
|
|
The supported TCP options are:
|
|
|
|
.Pp
|
|
|
|
.Cm mss
|
|
|
|
(maximum segment size),
|
|
|
|
.Cm window
|
|
|
|
(tcp window advertisement),
|
|
|
|
.Cm sack
|
|
|
|
(selective ack),
|
|
|
|
.Cm ts
|
|
|
|
(rfc1323 timestamp) and
|
|
|
|
.Cm cc
|
|
|
|
(rfc1644 t/tcp connection count).
|
|
|
|
The absence of a particular option may be denoted
|
|
|
|
with a
|
2000-12-18 15:16:24 +00:00
|
|
|
.Ql \&! .
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Cm icmptypes Ar types
|
|
|
|
ICMP packets only.
|
1999-05-29 08:12:38 +00:00
|
|
|
Match if the ICMP type is in the list
|
1996-06-15 01:38:51 +00:00
|
|
|
.Ar types .
|
2000-02-28 15:21:12 +00:00
|
|
|
The list may be specified as any combination of ranges or
|
|
|
|
individual types separated by commas.
|
2000-01-08 11:19:19 +00:00
|
|
|
The supported ICMP types are:
|
|
|
|
.Pp
|
|
|
|
echo reply
|
2000-02-28 15:21:12 +00:00
|
|
|
.Pq Cm 0 ,
|
2000-01-08 11:19:19 +00:00
|
|
|
destination unreachable
|
2000-02-28 15:21:12 +00:00
|
|
|
.Pq Cm 3 ,
|
2000-01-08 11:19:19 +00:00
|
|
|
source quench
|
2000-02-28 15:21:12 +00:00
|
|
|
.Pq Cm 4 ,
|
2000-01-08 11:19:19 +00:00
|
|
|
redirect
|
2000-02-28 15:21:12 +00:00
|
|
|
.Pq Cm 5 ,
|
2000-01-08 11:19:19 +00:00
|
|
|
echo request
|
2000-02-28 15:21:12 +00:00
|
|
|
.Pq Cm 8 ,
|
2000-01-08 11:19:19 +00:00
|
|
|
router advertisement
|
2000-02-28 15:21:12 +00:00
|
|
|
.Pq Cm 9 ,
|
2000-01-08 11:19:19 +00:00
|
|
|
router solicitation
|
2000-02-28 15:21:12 +00:00
|
|
|
.Pq Cm 10 ,
|
2000-01-08 11:19:19 +00:00
|
|
|
time-to-live exceeded
|
2000-02-28 15:21:12 +00:00
|
|
|
.Pq Cm 11 ,
|
2000-01-08 11:19:19 +00:00
|
|
|
IP header bad
|
2000-02-28 15:21:12 +00:00
|
|
|
.Pq Cm 12 ,
|
2000-01-08 11:19:19 +00:00
|
|
|
timestamp request
|
2000-02-28 15:21:12 +00:00
|
|
|
.Pq Cm 13 ,
|
|
|
|
timestamp reply
|
|
|
|
.Pq Cm 14 ,
|
2000-01-08 11:19:19 +00:00
|
|
|
information request
|
2000-02-28 15:21:12 +00:00
|
|
|
.Pq Cm 15 ,
|
2000-01-08 11:19:19 +00:00
|
|
|
information reply
|
2000-02-28 15:21:12 +00:00
|
|
|
.Pq Cm 16 ,
|
2000-01-08 11:19:19 +00:00
|
|
|
address mask request
|
2000-02-28 15:21:12 +00:00
|
|
|
.Pq Cm 17
|
2000-01-08 11:19:19 +00:00
|
|
|
and address mask reply
|
2000-02-28 15:21:12 +00:00
|
|
|
.Pq Cm 18 .
|
|
|
|
.It Cm uid Ar user
|
2000-01-08 11:19:19 +00:00
|
|
|
Match all TCP or UDP packets sent by or received for a
|
|
|
|
.Ar user .
|
|
|
|
A
|
|
|
|
.Ar user
|
|
|
|
may be matched by name or identification number.
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Cm gid Ar group
|
2000-01-08 11:19:19 +00:00
|
|
|
Match all TCP or UDP packets sent by or received for a
|
|
|
|
.Ar group .
|
|
|
|
A
|
|
|
|
.Ar group
|
|
|
|
may be matched by name or identification number.
|
|
|
|
.El
|
2000-02-28 15:21:12 +00:00
|
|
|
.El
|
2000-01-08 11:19:19 +00:00
|
|
|
.Sh TRAFFIC SHAPER CONFIGURATION
|
2000-02-28 15:21:12 +00:00
|
|
|
The
|
|
|
|
.Nm
|
|
|
|
utility is also the user interface for the
|
2000-01-08 11:19:19 +00:00
|
|
|
.Xr dummynet 4
|
|
|
|
traffic shaper.
|
2000-06-08 13:38:57 +00:00
|
|
|
The shaper operates by dividing packets into
|
|
|
|
.Em flows
|
|
|
|
according to a user-specified mask on different fields
|
2000-06-12 09:43:00 +00:00
|
|
|
of the IP header.
|
|
|
|
Packets belonging to the same flow are then passed to two
|
2000-06-08 13:38:57 +00:00
|
|
|
different objects, named
|
|
|
|
.Em pipe
|
|
|
|
or
|
|
|
|
.Em queue .
|
|
|
|
.Pp
|
|
|
|
A
|
|
|
|
.Em pipe
|
2000-06-12 09:43:00 +00:00
|
|
|
emulates a link with given bandwidth, propagation delay,
|
|
|
|
queue size and packet loss rate.
|
|
|
|
Packets transit through the pipe according to its parameters.
|
2000-06-08 13:38:57 +00:00
|
|
|
.Pp
|
|
|
|
A
|
|
|
|
.Em queue
|
2001-12-14 21:51:28 +00:00
|
|
|
is an abstraction used to implement the WF2Q+ (Worst-case Fair Weighted Fair Queueing) policy.
|
2000-06-08 13:38:57 +00:00
|
|
|
The queue associates to each flow a weight and a reference pipe.
|
|
|
|
Then, all flows linked to the same pipe are scheduled at the
|
|
|
|
rate fixed by the pipe according to the WF2Q+ policy.
|
|
|
|
.Pp
|
2000-01-08 11:19:19 +00:00
|
|
|
The
|
|
|
|
.Nm
|
2000-02-28 15:21:12 +00:00
|
|
|
pipe configuration format is the following:
|
|
|
|
.Bd -ragged
|
|
|
|
.Cm pipe Ar number Cm config
|
2000-06-12 09:43:00 +00:00
|
|
|
.Op Cm bw Ar bandwidth | device
|
2000-06-08 13:38:57 +00:00
|
|
|
.Op Cm delay Ar ms-delay
|
2000-02-28 15:21:12 +00:00
|
|
|
.Oo
|
|
|
|
.Cm queue
|
2001-10-01 14:13:36 +00:00
|
|
|
.Brq Ar slots | size
|
2000-02-28 15:21:12 +00:00
|
|
|
.Oc
|
|
|
|
.Op Cm plr Ar loss-probability
|
|
|
|
.Op Cm mask Ar mask-specifier
|
|
|
|
.Op Cm buckets Ar hash-table-size
|
2000-06-12 09:43:00 +00:00
|
|
|
.Oo
|
|
|
|
.Cm red | gred
|
|
|
|
.Sm off
|
2001-10-01 14:13:36 +00:00
|
|
|
.Ar w_q No / Ar min_th No / Ar max_th No / Ar max_p
|
2000-06-12 09:43:00 +00:00
|
|
|
.Sm on
|
|
|
|
.Oc
|
2000-02-28 15:21:12 +00:00
|
|
|
.Ed
|
2000-01-08 11:19:19 +00:00
|
|
|
.Pp
|
2000-06-08 13:38:57 +00:00
|
|
|
The
|
|
|
|
.Nm
|
|
|
|
queue configuration format is the following:
|
|
|
|
.Bd -ragged
|
|
|
|
.Cm queue Ar number Cm config
|
|
|
|
.Op Cm pipe Ar pipe_nr
|
|
|
|
.Op Cm weight Ar weight
|
|
|
|
.Oo
|
|
|
|
.Cm queue
|
2001-10-01 14:13:36 +00:00
|
|
|
.Brq Ar slots | size
|
2000-06-08 13:38:57 +00:00
|
|
|
.Oc
|
|
|
|
.Op Cm plr Ar loss-probability
|
|
|
|
.Op Cm mask Ar mask-specifier
|
|
|
|
.Op Cm buckets Ar hash-table-size
|
2000-06-12 09:43:00 +00:00
|
|
|
.Oo
|
|
|
|
.Cm red | gred
|
|
|
|
.Sm off
|
2001-10-01 14:13:36 +00:00
|
|
|
.Ar w_q No / Ar min_th No / Ar max_th No / Ar max_p
|
2000-06-12 09:43:00 +00:00
|
|
|
.Sm on
|
|
|
|
.Oc
|
2000-06-08 13:38:57 +00:00
|
|
|
.Ed
|
2000-06-12 09:43:00 +00:00
|
|
|
.Pp
|
2000-01-08 11:19:19 +00:00
|
|
|
The following parameters can be configured for a pipe:
|
2000-02-28 15:21:12 +00:00
|
|
|
.Bl -tag -width indent
|
2000-06-12 09:43:00 +00:00
|
|
|
.It Cm bw Ar bandwidth | device
|
2000-01-08 11:19:19 +00:00
|
|
|
Bandwidth, measured in
|
2000-02-28 15:21:12 +00:00
|
|
|
.Sm off
|
2001-10-01 14:13:36 +00:00
|
|
|
.Op Cm K | M
|
|
|
|
.Brq Cm bit/s | Byte/s .
|
2000-02-28 15:21:12 +00:00
|
|
|
.Sm on
|
|
|
|
.Pp
|
2000-01-08 11:19:19 +00:00
|
|
|
A value of 0 (default) means unlimited bandwidth.
|
|
|
|
The unit must follow immediately the number, as in
|
2000-06-12 09:43:00 +00:00
|
|
|
.Pp
|
2000-01-08 11:19:19 +00:00
|
|
|
.Dl "ipfw pipe 1 config bw 300Kbit/s queue 50KBytes"
|
2000-06-12 09:43:00 +00:00
|
|
|
.Pp
|
|
|
|
If a device name is specified instead of a numeric
|
2000-06-08 13:38:57 +00:00
|
|
|
value, then the transmit clock is supplied by the specified
|
2000-06-12 09:43:00 +00:00
|
|
|
device.
|
|
|
|
At the moment only the
|
|
|
|
.Xr tun 4
|
|
|
|
device supports this
|
|
|
|
functionality, for use in conjunction with
|
|
|
|
.Xr ppp 8 .
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Cm delay Ar ms-delay
|
|
|
|
Propagation delay, measured in milliseconds.
|
|
|
|
The value is rounded to the next multiple of the clock tick
|
|
|
|
(typically 10ms, but it is a good practice to run kernels
|
|
|
|
with
|
|
|
|
.Dq "options HZ=1000"
|
|
|
|
to reduce
|
|
|
|
the granularity to 1ms or less).
|
|
|
|
Default value is 0, meaning no delay.
|
2001-10-01 14:13:36 +00:00
|
|
|
.It Cm queue Brq Ar slots | size Ns Cm Kbytes
|
2000-02-28 15:21:12 +00:00
|
|
|
Queue size, in
|
|
|
|
.Ar slots
|
2000-01-08 11:19:19 +00:00
|
|
|
or
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm KBytes .
|
|
|
|
Default value is 50 slots, which
|
|
|
|
is the typical queue size for Ethernet devices.
|
|
|
|
Note that for slow speed links you should keep the queue
|
|
|
|
size short or your traffic might be affected by a significant
|
|
|
|
queueing delay.
|
|
|
|
E.g., 50 max-sized ethernet packets (1500 bytes) mean 600Kbit
|
|
|
|
or 20s of queue on a 30Kbit/s pipe.
|
|
|
|
Even worse effect can result if you get packets from an
|
|
|
|
interface with a much larger MTU, e.g. the loopback interface
|
|
|
|
with its 16KB packets.
|
|
|
|
.It Cm plr Ar packet-loss-rate
|
|
|
|
Packet loss rate.
|
|
|
|
Argument
|
|
|
|
.Ar packet-loss-rate
|
|
|
|
is a floating-point number between 0 and 1, with 0 meaning no
|
|
|
|
loss, 1 meaning 100% loss.
|
|
|
|
The loss rate is internally represented on 31 bits.
|
|
|
|
.It Cm mask Ar mask-specifier
|
2000-06-12 09:43:00 +00:00
|
|
|
The
|
2000-02-28 15:21:12 +00:00
|
|
|
.Xr dummynet 4
|
2000-06-08 13:38:57 +00:00
|
|
|
lets you to create per-flow queues.
|
2000-02-28 15:21:12 +00:00
|
|
|
A flow identifier is constructed by masking the IP addresses,
|
|
|
|
ports and protocol types as specified in the pipe configuration.
|
|
|
|
Packets with the same identifier after masking fall into the
|
|
|
|
same queue.
|
|
|
|
Available mask specifiers are a combination of the following:
|
|
|
|
.Cm dst-ip Ar mask ,
|
|
|
|
.Cm src-ip Ar mask ,
|
|
|
|
.Cm dst-port Ar mask ,
|
|
|
|
.Cm src-port Ar mask ,
|
|
|
|
.Cm proto Ar mask
|
|
|
|
or
|
|
|
|
.Cm all ,
|
2000-01-08 11:19:19 +00:00
|
|
|
where the latter means all bits in all fields are significant.
|
2000-06-08 13:38:57 +00:00
|
|
|
When used within a
|
|
|
|
.Ar pipe
|
|
|
|
configuration, each flow is assigned a rate equal
|
2000-06-12 09:43:00 +00:00
|
|
|
to the rate of the pipe.
|
|
|
|
When used within a
|
2000-06-08 13:38:57 +00:00
|
|
|
.Ar queue
|
|
|
|
configuration, each flow is assigned a weight equal to the
|
|
|
|
weight of the queue, and all flows insisting on the same pipe
|
|
|
|
share bandwidth proportionally to their weight.
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Cm buckets Ar hash-table-size
|
|
|
|
Specifies the size of the hash table used for storing the
|
|
|
|
various queues.
|
|
|
|
Default value is 64 controlled by the
|
|
|
|
.Xr sysctl 8
|
|
|
|
variable
|
|
|
|
.Em net.inet.ip.dummynet.hash_size ,
|
2000-01-08 11:19:19 +00:00
|
|
|
allowed range is 16 to 1024.
|
2000-06-08 13:38:57 +00:00
|
|
|
.It Cm pipe Ar pipe_nr
|
2000-06-12 09:43:00 +00:00
|
|
|
Connects a queue to the specified pipe.
|
|
|
|
Multiple queues (usually
|
2000-06-08 13:38:57 +00:00
|
|
|
with different weights) can be connected to the same pipe, which
|
|
|
|
specifies the aggregate rate for the set of queues.
|
|
|
|
.It Cm weight Ar weight
|
|
|
|
Specifies the weight to be used for flows matching this queue.
|
|
|
|
The weight must be in the range 1..100, and defaults to 1.
|
2001-10-01 14:13:36 +00:00
|
|
|
.It Cm red | gred Ar w_q Ns / Ns Ar min_th Ns / Ns Ar max_th Ns / Ns Ar max_p
|
2001-12-14 21:51:28 +00:00
|
|
|
Make use of the RED (Random Early Detection) queue management algorithm.
|
2000-06-12 09:43:00 +00:00
|
|
|
.Ar w_q
|
|
|
|
and
|
|
|
|
.Ar max_p
|
|
|
|
are floating
|
|
|
|
point numbers between 0 and 1 (0 not included), while
|
|
|
|
.Ar min_th
|
|
|
|
and
|
|
|
|
.Ar max_th
|
|
|
|
are integer numbers specifying thresholds for queue management
|
|
|
|
(thresholds are computed in bytes if the queue has been defined
|
|
|
|
in bytes, in slots otherwise).
|
|
|
|
The
|
|
|
|
.Xr dummynet 4
|
|
|
|
also supports the gentle RED variant (gred).
|
|
|
|
Three
|
|
|
|
.Xr sysctl 8
|
|
|
|
variables can be used to control the RED behaviour:
|
|
|
|
.Bl -tag -width indent
|
|
|
|
.It Em net.inet.ip.dummynet.red_lookup_depth
|
2000-06-08 13:38:57 +00:00
|
|
|
specifies the accuracy in computing the average queue
|
2000-06-12 09:43:00 +00:00
|
|
|
when the link is idle (defaults to 256, must be greater than zero)
|
|
|
|
.It Em net.inet.ip.dummynet.red_avg_pkt_size
|
|
|
|
specifies the expected average packet size (defaults to 512, must be
|
|
|
|
greater than zero)
|
|
|
|
.It Em net.inet.ip.dummynet.red_max_pkt_size
|
|
|
|
specifies the expected maximum packet size, only used when queue
|
|
|
|
thresholds are in bytes (defaults to 1500, must be greater than zero).
|
|
|
|
.El
|
1996-02-24 13:39:46 +00:00
|
|
|
.El
|
|
|
|
.Sh CHECKLIST
|
|
|
|
Here are some important points to consider when designing your
|
|
|
|
rules:
|
2000-02-28 15:21:12 +00:00
|
|
|
.Bl -bullet
|
|
|
|
.It
|
|
|
|
Remember that you filter both packets going
|
|
|
|
.Cm in
|
|
|
|
and
|
|
|
|
.Cm out .
|
1996-06-15 01:38:51 +00:00
|
|
|
Most connections need packets going in both directions.
|
1996-02-24 13:39:46 +00:00
|
|
|
.It
|
|
|
|
Remember to test very carefully.
|
1996-06-15 01:38:51 +00:00
|
|
|
It is a good idea to be near the console when doing this.
|
2001-06-06 20:56:56 +00:00
|
|
|
If you cannot be near the console,
|
|
|
|
use an auto-recovery script such as the one in
|
|
|
|
.Pa /usr/share/examples/ipfw/change_rules.sh .
|
1996-02-24 13:39:46 +00:00
|
|
|
.It
|
|
|
|
Don't forget the loopback interface.
|
|
|
|
.El
|
|
|
|
.Sh FINE POINTS
|
2000-10-30 09:44:20 +00:00
|
|
|
.Bl -bullet
|
|
|
|
.It
|
2002-05-01 06:29:16 +00:00
|
|
|
There are circumstances where fragmented datagrams are unconditionally
|
|
|
|
dropped.
|
|
|
|
TCP packets are dropped if they do not contain at least 20 bytes of
|
|
|
|
TCP header, UDP packets are dropped if they do not contain a full 8
|
|
|
|
byte UDP header, and ICMP packets are dropped if they do not contain
|
|
|
|
4 bytes of ICMP header, enough to specify the ICMP type, code, and
|
|
|
|
checksum.
|
|
|
|
These packets are simply logged as
|
|
|
|
.Dq pullup failed
|
|
|
|
since there may not be enough good data in the packet to produce a
|
|
|
|
meaningful log entry.
|
|
|
|
.It
|
|
|
|
Another type of packet is unconditionally dropped, a TCP packet with a
|
|
|
|
fragment offset of one.
|
2000-02-28 15:21:12 +00:00
|
|
|
This is a valid packet, but it only has one use, to try
|
2001-03-16 07:39:46 +00:00
|
|
|
to circumvent firewalls.
|
|
|
|
When logging is enabled, these packets are
|
2001-03-16 01:28:11 +00:00
|
|
|
reported as being dropped by rule -1.
|
2000-10-30 09:44:20 +00:00
|
|
|
.It
|
2000-02-28 15:21:12 +00:00
|
|
|
If you are logged in over a network, loading the
|
|
|
|
.Xr kld 4
|
|
|
|
version of
|
1996-02-24 13:39:46 +00:00
|
|
|
.Nm
|
|
|
|
is probably not as straightforward as you would think.
|
2000-02-28 15:21:12 +00:00
|
|
|
I recommend the following command line:
|
|
|
|
.Bd -literal -offset indent
|
1999-04-08 13:56:25 +00:00
|
|
|
kldload /modules/ipfw.ko && \e
|
2000-02-28 15:21:12 +00:00
|
|
|
ipfw add 32000 allow ip from any to any
|
1996-02-24 13:39:46 +00:00
|
|
|
.Ed
|
1996-12-23 02:03:15 +00:00
|
|
|
.Pp
|
1996-06-15 01:38:51 +00:00
|
|
|
Along the same lines, doing an
|
2000-02-28 15:21:12 +00:00
|
|
|
.Bd -literal -offset indent
|
1996-02-24 13:39:46 +00:00
|
|
|
ipfw flush
|
|
|
|
.Ed
|
1996-12-23 02:03:15 +00:00
|
|
|
.Pp
|
1996-02-24 13:39:46 +00:00
|
|
|
in similar surroundings is also a bad idea.
|
2000-10-30 09:44:20 +00:00
|
|
|
.It
|
2000-02-28 15:21:12 +00:00
|
|
|
The
|
|
|
|
.Nm
|
|
|
|
filter list may not be modified if the system security level
|
1999-04-28 02:49:29 +00:00
|
|
|
is set to 3 or higher
|
2001-08-07 15:48:51 +00:00
|
|
|
(see
|
1998-12-16 17:10:03 +00:00
|
|
|
.Xr init 8
|
2001-08-07 15:48:51 +00:00
|
|
|
for information on system security levels).
|
2000-10-30 09:44:20 +00:00
|
|
|
.El
|
1996-07-10 19:44:30 +00:00
|
|
|
.Sh PACKET DIVERSION
|
2000-02-28 15:21:12 +00:00
|
|
|
A
|
|
|
|
.Xr divert 4
|
|
|
|
socket bound to the specified port will receive all packets
|
|
|
|
diverted to that port.
|
1996-07-10 19:44:30 +00:00
|
|
|
If no socket is bound to the destination port, or if the kernel
|
2000-02-28 15:21:12 +00:00
|
|
|
wasn't compiled with divert socket support, the packets are
|
|
|
|
dropped.
|
2000-02-10 14:25:26 +00:00
|
|
|
.Sh SYSCTL VARIABLES
|
|
|
|
A set of
|
2000-02-28 15:21:12 +00:00
|
|
|
.Xr sysctl 8
|
|
|
|
variables controls the behaviour of the firewall.
|
2001-09-27 23:44:27 +00:00
|
|
|
These are shown below together with their default value
|
|
|
|
(but always check with the
|
2001-10-01 14:13:36 +00:00
|
|
|
.Xr sysctl 8
|
2001-09-27 23:44:27 +00:00
|
|
|
command what value is actually in use) and meaning:
|
2000-02-28 15:21:12 +00:00
|
|
|
.Bl -tag -width indent
|
|
|
|
.It Em net.inet.ip.fw.debug : No 1
|
|
|
|
Controls debugging messages produced by
|
2000-11-20 16:52:27 +00:00
|
|
|
.Nm .
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Em net.inet.ip.fw.one_pass : No 1
|
2000-09-29 08:39:06 +00:00
|
|
|
When set, the packet exiting from the
|
|
|
|
.Xr dummynet 4
|
|
|
|
pipe is not passed though the firewall again.
|
|
|
|
Otherwise, after a pipe action, the packet is
|
|
|
|
reinjected into the firewall at the next rule.
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Em net.inet.ip.fw.verbose : No 1
|
2000-02-10 14:25:26 +00:00
|
|
|
Enables verbose messages.
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Em net.inet.ip.fw.enable : No 1
|
|
|
|
Enables the firewall.
|
|
|
|
Setting this variable to 0 lets you run your machine without
|
|
|
|
firewall even if compiled in.
|
|
|
|
.It Em net.inet.ip.fw.verbose_limit : No 0
|
2000-02-10 14:25:26 +00:00
|
|
|
Limits the number of messages produced by a verbose firewall.
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Em net.inet.ip.fw.dyn_buckets : No 256
|
|
|
|
.It Em net.inet.ip.fw.curr_dyn_buckets : No 256
|
|
|
|
The configured and current size of the hash table used to
|
|
|
|
hold dynamic rules.
|
|
|
|
This must be a power of 2.
|
|
|
|
The table can only be resized when empty, so in order to
|
|
|
|
resize it on the fly you will probably have to
|
|
|
|
.Cm flush
|
2000-02-10 14:25:26 +00:00
|
|
|
and reload the ruleset.
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Em net.inet.ip.fw.dyn_count : No 3
|
|
|
|
Current number of dynamic rules
|
2001-08-07 15:48:51 +00:00
|
|
|
(read-only).
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Em net.inet.ip.fw.dyn_max : No 1000
|
|
|
|
Maximum number of dynamic rules.
|
|
|
|
When you hit this limit, no more dynamic rules can be
|
|
|
|
installed until old ones expire.
|
|
|
|
.It Em net.inet.ip.fw.dyn_ack_lifetime : No 300
|
|
|
|
.It Em net.inet.ip.fw.dyn_syn_lifetime : No 20
|
2001-09-27 23:44:27 +00:00
|
|
|
.It Em net.inet.ip.fw.dyn_fin_lifetime : No 1
|
|
|
|
.It Em net.inet.ip.fw.dyn_rst_lifetime : No 1
|
|
|
|
.It Em net.inet.ip.fw.dyn_udp_lifetime : No 5
|
2000-02-28 15:21:12 +00:00
|
|
|
.It Em net.inet.ip.fw.dyn_short_lifetime : No 30
|
|
|
|
These variables control the lifetime, in seconds, of dynamic
|
|
|
|
rules.
|
2000-02-10 14:25:26 +00:00
|
|
|
Upon the initial SYN exchange the lifetime is kept short,
|
|
|
|
then increased after both SYN have been seen, then decreased
|
|
|
|
again during the final FIN exchange or when a RST
|
|
|
|
.El
|
1994-11-17 09:50:30 +00:00
|
|
|
.Sh EXAMPLES
|
1995-10-26 05:36:24 +00:00
|
|
|
This command adds an entry which denies all tcp packets from
|
1998-04-08 12:00:48 +00:00
|
|
|
.Em cracker.evil.org
|
1995-10-26 05:36:24 +00:00
|
|
|
to the telnet port of
|
|
|
|
.Em wolf.tambov.su
|
|
|
|
from being forwarded by the host:
|
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
.Dl "ipfw add deny tcp from cracker.evil.org to wolf.tambov.su telnet"
|
|
|
|
.Pp
|
|
|
|
This one disallows any connection from the entire crackers
|
|
|
|
network to my host:
|
1995-10-26 05:36:24 +00:00
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
.Dl "ipfw add deny ip from 123.45.67.0/24 to my.host.org"
|
1995-10-26 05:36:24 +00:00
|
|
|
.Pp
|
2000-02-10 14:25:26 +00:00
|
|
|
A first and efficient way to limit access (not using dynamic rules)
|
2000-02-28 15:21:12 +00:00
|
|
|
is the use of the following rules:
|
2000-02-10 14:25:26 +00:00
|
|
|
.Pp
|
|
|
|
.Dl "ipfw add allow tcp from any to any established"
|
|
|
|
.Dl "ipfw add allow tcp from net1 portlist1 to net2 portlist2 setup"
|
|
|
|
.Dl "ipfw add allow tcp from net3 portlist3 to net3 portlist3 setup"
|
|
|
|
.Dl "..."
|
|
|
|
.Dl "ipfw add deny tcp from any to any"
|
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
The first rule will be a quick match for normal TCP packets,
|
|
|
|
but it will not match the initial SYN packet, which will be
|
2000-02-10 14:25:26 +00:00
|
|
|
matched by the
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm setup
|
2000-02-10 14:25:26 +00:00
|
|
|
rules only for selected source/destination pairs.
|
|
|
|
All other SYN packets will be rejected by the final
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm deny
|
2000-02-10 14:25:26 +00:00
|
|
|
rule.
|
|
|
|
.Pp
|
|
|
|
In order to protect a site from flood attacks involving fake
|
|
|
|
TCP packets, it is safer to use dynamic rules:
|
|
|
|
.Pp
|
|
|
|
.Dl "ipfw add check-state"
|
|
|
|
.Dl "ipfw add deny tcp from any to any established"
|
|
|
|
.Dl "ipfw add allow tcp from my-net to any setup keep-state"
|
|
|
|
.Pp
|
|
|
|
This will let the firewall install dynamic rules only for
|
2000-02-28 15:21:12 +00:00
|
|
|
those connection which start with a regular SYN packet coming
|
|
|
|
from the inside of our network.
|
|
|
|
Dynamic rules are checked when encountering the first
|
|
|
|
.Cm check-state
|
2000-02-10 14:25:26 +00:00
|
|
|
or
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm keep-state
|
|
|
|
rule.
|
|
|
|
A
|
|
|
|
.Cm check-state
|
|
|
|
rule should be usually placed near the beginning of the
|
|
|
|
ruleset to minimize the amount of work scanning the ruleset.
|
|
|
|
Your mileage may vary.
|
|
|
|
.Pp
|
2001-09-27 23:44:27 +00:00
|
|
|
To limit the number of connections a user can open
|
|
|
|
you can use the following type of rules:
|
|
|
|
.Pp
|
|
|
|
.Dl "ipfw add allow tcp from my-net/24 to any setup limit src-addr 10"
|
|
|
|
.Dl "ipfw add allow tcp from any to me setup limit src-addr 4"
|
|
|
|
.Pp
|
|
|
|
The former (assuming it runs on a gateway) will allow each host
|
2001-10-01 14:13:36 +00:00
|
|
|
on a /24 network to open at most 10 TCP connections.
|
2001-09-27 23:44:27 +00:00
|
|
|
The latter can be placed on a server to make sure that a single
|
|
|
|
client does not use more than 4 simultaneous connections.
|
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
.Em BEWARE :
|
2000-02-10 14:25:26 +00:00
|
|
|
stateful rules can be subject to denial-of-service attacks
|
|
|
|
by a SYN-flood which opens a huge number of dynamic rules.
|
2000-02-28 15:21:12 +00:00
|
|
|
The effects of such attacks can be partially limited by
|
|
|
|
acting on a set of
|
|
|
|
.Xr sysctl 8
|
2000-02-10 14:25:26 +00:00
|
|
|
variables which control the operation of the firewall.
|
|
|
|
.Pp
|
1999-04-28 02:49:29 +00:00
|
|
|
Here is a good usage of the
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm list
|
|
|
|
command to see accounting records and timestamp information:
|
1995-10-26 05:36:24 +00:00
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
.Dl ipfw -at list
|
1995-10-26 05:36:24 +00:00
|
|
|
.Pp
|
1997-05-15 00:51:08 +00:00
|
|
|
or in short form without timestamps:
|
1995-10-26 05:36:24 +00:00
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
.Dl ipfw -a list
|
1995-10-26 05:36:24 +00:00
|
|
|
.Pp
|
2002-01-02 20:16:15 +00:00
|
|
|
which is equivalent to:
|
|
|
|
.Pp
|
|
|
|
.Dl ipfw show
|
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
Next rule diverts all incoming packets from 192.168.2.0/24
|
|
|
|
to divert port 5000:
|
1996-07-10 19:44:30 +00:00
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
.Dl ipfw divert 5000 ip from 192.168.2.0/24 to any in
|
2000-01-08 11:19:19 +00:00
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
The following rules show some of the applications of
|
|
|
|
.Nm
|
|
|
|
and
|
|
|
|
.Xr dummynet 4
|
|
|
|
for simulations and the like.
|
2000-01-08 11:19:19 +00:00
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
This rule drops random incoming packets with a probability
|
|
|
|
of 5%:
|
2000-01-08 11:19:19 +00:00
|
|
|
.Pp
|
|
|
|
.Dl "ipfw add prob 0.05 deny ip from any to any in"
|
|
|
|
.Pp
|
|
|
|
A similar effect can be achieved making use of dummynet pipes:
|
|
|
|
.Pp
|
|
|
|
.Dl "ipfw add pipe 10 ip from any to any"
|
|
|
|
.Dl "ipfw pipe 10 config plr 0.05"
|
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
We can use pipes to artificially limit bandwidth, e.g. on a
|
|
|
|
machine acting as a router, if we want to limit traffic from
|
|
|
|
local clients on 192.168.2.0/24 we do:
|
2000-01-08 11:19:19 +00:00
|
|
|
.Pp
|
|
|
|
.Dl "ipfw add pipe 1 ip from 192.168.2.0/24 to any out"
|
|
|
|
.Dl "ipfw pipe 1 config bw 300Kbit/s queue 50KBytes"
|
|
|
|
.Pp
|
|
|
|
note that we use the
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm out
|
|
|
|
modifier so that the rule is not used twice.
|
|
|
|
Remember in fact that
|
|
|
|
.Nm
|
|
|
|
rules are checked both on incoming and outgoing packets.
|
2000-01-08 11:19:19 +00:00
|
|
|
.Pp
|
|
|
|
Should we like to simulate a bidirectional link with bandwidth
|
|
|
|
limitations, the correct way is the following:
|
|
|
|
.Pp
|
|
|
|
.Dl "ipfw add pipe 1 ip from any to any out"
|
|
|
|
.Dl "ipfw add pipe 2 ip from any to any in"
|
|
|
|
.Dl "ipfw pipe 1 config bw 64Kbit/s queue 10Kbytes"
|
|
|
|
.Dl "ipfw pipe 2 config bw 64Kbit/s queue 10Kbytes"
|
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
The above can be very useful, e.g. if you want to see how
|
|
|
|
your fancy Web page will look for a residential user which
|
|
|
|
is connected only through a slow link.
|
|
|
|
You should not use only one pipe for both directions, unless
|
|
|
|
you want to simulate a half-duplex medium (e.g. AppleTalk,
|
|
|
|
Ethernet, IRDA).
|
2000-01-08 11:19:19 +00:00
|
|
|
It is not necessary that both pipes have the same configuration,
|
|
|
|
so we can also simulate asymmetric links.
|
|
|
|
.Pp
|
2000-06-12 09:43:00 +00:00
|
|
|
Should we like to verify network performance with the RED queue
|
|
|
|
management algorithm:
|
2000-06-08 13:38:57 +00:00
|
|
|
.Pp
|
|
|
|
.Dl "ipfw add pipe 1 ip from any to any"
|
|
|
|
.Dl "ipfw pipe 1 config bw 500Kbit/s queue 100 red 0.002/30/80/0.1"
|
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
Another typical application of the traffic shaper is to
|
|
|
|
introduce some delay in the communication.
|
|
|
|
This can affect a lot applications which do a lot of Remote
|
|
|
|
Procedure Calls, and where the round-trip-time of the
|
|
|
|
connection often becomes a limiting factor much more than
|
|
|
|
bandwidth:
|
2000-01-08 11:19:19 +00:00
|
|
|
.Pp
|
|
|
|
.Dl "ipfw add pipe 1 ip from any to any out"
|
|
|
|
.Dl "ipfw add pipe 2 ip from any to any in"
|
|
|
|
.Dl "ipfw pipe 1 config delay 250ms bw 1Mbit/s"
|
|
|
|
.Dl "ipfw pipe 2 config delay 250ms bw 1Mbit/s"
|
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
Per-flow queueing can be useful for a variety of purposes.
|
|
|
|
A very simple one is counting traffic:
|
2000-01-08 11:19:19 +00:00
|
|
|
.Pp
|
|
|
|
.Dl "ipfw add pipe 1 tcp from any to any"
|
|
|
|
.Dl "ipfw add pipe 1 udp from any to any"
|
|
|
|
.Dl "ipfw add pipe 1 ip from any to any"
|
|
|
|
.Dl "ipfw pipe 1 config mask all"
|
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
The above set of rules will create queues (and collect
|
|
|
|
statistics) for all traffic.
|
|
|
|
Because the pipes have no limitations, the only effect is
|
|
|
|
collecting statistics.
|
|
|
|
Note that we need 3 rules, not just the last one, because
|
|
|
|
when
|
|
|
|
.Nm
|
|
|
|
tries to match IP packets it will not consider ports, so we
|
|
|
|
would not see connections on separate ports as different
|
|
|
|
ones.
|
2000-01-08 11:19:19 +00:00
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
A more sophisticated example is limiting the outbound traffic
|
|
|
|
on a net with per-host limits, rather than per-network limits:
|
2000-01-08 11:19:19 +00:00
|
|
|
.Pp
|
|
|
|
.Dl "ipfw add pipe 1 ip from 192.168.2.0/24 to any out"
|
|
|
|
.Dl "ipfw add pipe 2 ip from any to 192.168.2.0/24 in"
|
|
|
|
.Dl "ipfw pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
|
|
|
|
.Dl "ipfw pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
|
2002-01-02 20:48:21 +00:00
|
|
|
.Sh IMPLEMENTATION NOTES
|
|
|
|
The number of times a packet is processed by
|
|
|
|
.Nm
|
|
|
|
varies \(em basically,
|
|
|
|
.Nm
|
|
|
|
is invoked every time the kernel functions
|
|
|
|
.Fn ip_input ,
|
|
|
|
.Fn ip_output
|
|
|
|
and
|
|
|
|
.Fn bdg_forward
|
|
|
|
are invoked.
|
|
|
|
This means that packets are processed once for connections having
|
|
|
|
only one endpoint on the local host, twice for connections with
|
|
|
|
both endpoints on the local host, or for packet routed by the host
|
|
|
|
(acting as a gateway), and once for packets bridged by the host
|
|
|
|
(acting as a bridge).
|
1994-11-17 09:50:30 +00:00
|
|
|
.Sh SEE ALSO
|
1998-11-23 10:54:28 +00:00
|
|
|
.Xr cpp 1 ,
|
|
|
|
.Xr m4 1 ,
|
2000-02-28 15:21:12 +00:00
|
|
|
.Xr bridge 4 ,
|
1997-09-29 19:11:55 +00:00
|
|
|
.Xr divert 4 ,
|
1999-08-11 15:36:13 +00:00
|
|
|
.Xr dummynet 4 ,
|
1995-10-26 05:36:24 +00:00
|
|
|
.Xr ip 4 ,
|
1997-06-23 22:32:13 +00:00
|
|
|
.Xr ipfirewall 4 ,
|
1996-08-05 02:38:51 +00:00
|
|
|
.Xr protocols 5 ,
|
|
|
|
.Xr services 5 ,
|
1998-12-16 17:10:03 +00:00
|
|
|
.Xr init 8 ,
|
1999-04-08 13:56:25 +00:00
|
|
|
.Xr kldload 8 ,
|
1995-10-26 05:36:24 +00:00
|
|
|
.Xr reboot 8 ,
|
1997-09-29 19:11:55 +00:00
|
|
|
.Xr sysctl 8 ,
|
2000-11-15 16:44:24 +00:00
|
|
|
.Xr syslogd 8
|
1994-11-17 09:50:30 +00:00
|
|
|
.Sh BUGS
|
2000-01-08 11:19:19 +00:00
|
|
|
The syntax has grown over the years and it is not very clean.
|
|
|
|
.Pp
|
1995-10-26 05:36:24 +00:00
|
|
|
.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
|
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
This program can put your computer in rather unusable state.
|
|
|
|
When using it for the first time, work on the console of the
|
|
|
|
computer, and do
|
1995-10-26 05:36:24 +00:00
|
|
|
.Em NOT
|
|
|
|
do anything you don't understand.
|
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
When manipulating/adding chain entries, service and protocol names
|
|
|
|
are not accepted.
|
1997-06-02 05:02:37 +00:00
|
|
|
.Pp
|
|
|
|
Incoming packet fragments diverted by
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm divert
|
1999-12-06 01:00:24 +00:00
|
|
|
or
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm tee
|
1999-12-06 01:00:24 +00:00
|
|
|
are reassembled before delivery to the socket.
|
1997-06-23 22:32:13 +00:00
|
|
|
.Pp
|
1999-12-06 01:00:24 +00:00
|
|
|
Packets that match a
|
2000-02-28 15:21:12 +00:00
|
|
|
.Cm tee
|
1999-12-06 01:00:24 +00:00
|
|
|
rule should not be immediately accepted, but should continue
|
2000-02-28 15:21:12 +00:00
|
|
|
going through the rule list.
|
|
|
|
This may be fixed in a later version.
|
2002-01-03 01:00:23 +00:00
|
|
|
.Pp
|
|
|
|
Packets diverted to userland, and then reinserted by a userland process
|
|
|
|
(such as
|
|
|
|
.Xr natd 8 )
|
|
|
|
will lose various packet attributes, including their source interface.
|
|
|
|
If a packet is reinserted in this manner, later rules may be incorrectly
|
|
|
|
applied, making the order of
|
|
|
|
.Cm divert
|
|
|
|
rules in the rule sequence very important.
|
1996-08-13 19:43:24 +00:00
|
|
|
.Sh AUTHORS
|
1998-03-19 07:46:04 +00:00
|
|
|
.An Ugen J. S. Antsilevich ,
|
|
|
|
.An Poul-Henning Kamp ,
|
|
|
|
.An Alex Nash ,
|
2000-01-08 11:19:19 +00:00
|
|
|
.An Archie Cobbs ,
|
|
|
|
.An Luigi Rizzo .
|
|
|
|
.Pp
|
2000-11-22 09:35:58 +00:00
|
|
|
.An -nosplit
|
1998-03-19 07:46:04 +00:00
|
|
|
API based upon code written by
|
2000-11-22 09:35:58 +00:00
|
|
|
.An Daniel Boulet
|
1998-03-19 07:46:04 +00:00
|
|
|
for BSDI.
|
2000-01-08 11:19:19 +00:00
|
|
|
.Pp
|
2000-02-28 15:21:12 +00:00
|
|
|
Work on
|
|
|
|
.Xr dummynet 4
|
|
|
|
traffic shaper supported by Akamba Corp.
|
1994-11-17 09:50:30 +00:00
|
|
|
.Sh HISTORY
|
2000-02-28 15:21:12 +00:00
|
|
|
The
|
|
|
|
.Nm
|
|
|
|
utility first appeared in
|
1996-08-23 00:57:08 +00:00
|
|
|
.Fx 2.0 .
|
2000-02-28 15:21:12 +00:00
|
|
|
.Xr dummynet 4
|
2000-01-08 11:19:19 +00:00
|
|
|
was introduced in
|
2000-02-10 14:25:26 +00:00
|
|
|
.Fx 2.2.8 .
|
|
|
|
Stateful extensions were introduced in
|
2000-02-28 15:21:12 +00:00
|
|
|
.Fx 4.0 .
|