New man pages from Ugen. Delete my old, first attempt. I only hope
that the English in Ugen's two replacement pages is not too impenetrable! :-)
[Note:  Poul - please pull these into the BETA branch along with the
other firewall changes]

Submitted by:	ugen
This commit is contained in:
jkh 1994-11-17 09:50:30 +00:00
parent 06d8605f45
commit 74b1e0b017
3 changed files with 338 additions and 0 deletions


@ -2,4 +2,8 @@ PROG= ipfw
DPADD= ${LIBKVM}
LDADD= -lkvm
MAN4= ipfirewall.4
MLINKS= ipfirewall.4 ipacct.4 ipfirewall.4 ipfw.4 ipfirewall.4 ipaccounting.4
MAN8= ipfw.8
.include <bsd.prog.mk>
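Review bot: MLINKS installs ipfw.4 as an alias of ipfirewall.4 in the same build that installs ipfw.8 (MAN8), so a bare `man ipfw` resolves to the section 8 utility page and a reader who wants the setsockopt option list and `struct ip_fw` layout has to know to type `man 4 ipfw`; ipfw.8's SEE ALSO names ipfirewall(4) and ipaccounting(4) but not that alias, and ipfirewall.4's SEE ALSO does not point back at ipfw(8) at all, so each page should cross-reference the other so the two entry points are discoverable.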

sbin/ipfw/ipfirewall.4 Normal file

@ -0,0 +1,206 @@
.Dd November 16, 1994
.Dt IPFW(4)/IPACCT 4
.Os
.Sh NAME
ipfirewall,ipfw - IP packets filter.
ipaccounting,ipacct - IP packets/traffic accounting.
.Sh SYNOPSIS
#include <netinet/ip_fw.h>
setsockopt(raw_socket,IPPROTO_IP,<ipfw/ipacct option>,
<struct ip|struct ipfw>,<size>)
Ipfw options:
IP_FW_ADD_BLK - add entry to blocking chain.
IP_FW_ADD_FWD - add entry to forwarding chain.
IP_FW_CHK_BLK - check ip packet against blocking chain.
IP_FW_CHK_FWD - check ip packet against forwarding chain.
IP_FW_DEL_BLK - delete entry from blocking chain.
IP_FW_DEL_FWD - delete entry from forwarding chain.
IP_FW_FLUSH - flush all blocking & forwarding chain entries.
IP_FW_POLICY - define default ipfw policy.
Ipacct options:
IP_ACCT_ADD - add entry to accounting chain.
IP_ACCT_DEL - delete entry from accounting chain.
IP_ACCT_FLUSH - flush all accounting chain entries.
IP_ACCT_ZERO - zero all accounting chain entries.
Ipfw/ipacct entry structure:
#define IP_FW_MAX_PORTS 10
struct ip_fw {
struct ip_fw *next;
struct in_addr src, dst;
struct in_addr src_mask, dst_mask;
u_short flags;
u_short n_src_p, n_dst_p;
u_short ports[IP_FW_MAX_PORTS];
u_long p_cnt,b_cnt;
}
Flags values for "flags" field:
IP_FW_F_ALL - The entry should match all IP packets.
IP_FW_F_TCP - The entry should match TCP packets.
IP_FW_F_UDP - The entry should match UDP packets.
IP_FW_F_ICMP - The entry should match ICMP packets.
IP_FW_F_KIND - Mask value to separate protocol kind.
IP_FW_F_ACCEPT - This entry is accepting ( see below )
IP_FW_F_SRNG - Source ports are range ( see below )
IP_FW_F_DRNG - Destination ports are range ( see below )
IP_FW_F_PRN - Print this entry ( see below )
IP_FW_F_BIDIR - This acct entry is bidirectional ( see below )
IP_FW_F_MASK - Mask to match all valid flag bits.
Kernel symbols to kvm_nlist():
struct ip_fw *ip_fw_blk_chain - chain of forwarding entries.
struct ip_fw *ip_fw_fwd_chain - chain of blocking entries.
int ip_fw_policy - default policy.
struct ip_fw *ip_acct_chain - chain of accounting entries.
Options in the kernel configuration file:
IPFIREWALL - enable ipfirewall.
IPFIREWALL_VERBOSE - enable firewall output ( see below )
DEBUG_IPFIREWALL - enable extensive debugging output.
IPACCT - enable ipaccounting.
.Sh DESCRIPTION
Ipfirewall (later ipfw) is a system facility,which allows filtering
of incoming and/or forwarding packets on the protocol+source/destination
adress/ports base.
Ipaccounting (later ipacct) is a system facility,which allows counting
of incoming,outgoing and forwarding traffic by packet/byte count.
Basic idea is that every packet checked against number of entries
in several chains.There are 3 chains:
Blocking - this chain defines whenever packet should be accepted
ever for local delivery or for forwarding.
Forwarding - this chain defines whenever packet should be accepted
for forwarding only.
Accounting - this chain defines types of packets , which should be
counted.
Entries added to chains by means of setsockopt() call on RAW IP socket.
Options to add/remove specific entries or to flush all entries described
above. Value passed to setsockopt() is a value of struct ip_fw for
entry. If entry added , it checked by such rules that when we start
searching chain for matching entry the first matching is the best match,
[ or at least one of them :^) ].
That means:
* First in chain entries with specific protocol and small ranges
of src/dst adresses and ports.
* Later going entries with wider ranges of ports and adresses.
* Later entries matching every port for some adress range.
* Later universal entries matching any protocol.
While deleting entry , every entry which equal to that passed to
setsockopt() will be removed.
Flush removes all entries.
Every entry have several fields,by which packets matched:
struct ip_fw *next - next entry in chain.(Set internally)
struct in_addr src - source adress to be matched.
struct in_addr src_mask - source adress mask.
To match whole networks/subnets or adress groups
mask bits should be zeroed here and also
in src_mask field. Valuable bits should be set
in src_mask field.
struct in_addr dst - destination adress to be matched.
struct in_addr dst_mask - destination adress mask.
u_short flags - flags field.See exact description of flags meaning
in description later.
u_short n_src_p - number of source ports in "ports" array.
u_short n_dst_p - number of destination ports in "ports" array.
u_short ports[] - ports array.Overall length currently defined
to reasonable maximum - 10,and could be changed.
The packet's src port can ever match one of
ports[0] ... ports[--n_src_p] numbers,or if
flag IP_FW_F_SRNG set take port[0] as bottom
range value and ports[1] as top one.n_src_p should
be set to 2 then.If n_src_p equal to 0 , every port
match. The same rules apply to packet's dst port,
except that it matched against ports[n_src_p] ...
... ports[n_src_p+n_dst_p--],or if IP_FW_F_DRNG set,
range is ports[n_src_p] to ports[n_srcp++].
u_long p_cnt - packets count for ipacct entries.
u_long b_cnt - bytes count for ipacct entries.
Packet matching proceeds in following way:
a) If packet entry protocol set to ALL, see c).
b) If entry protocol set to TCP/UDP/ICMP and packet protocol
different - no match,if packet protocol and entry protocol
same - continue.
c) If source addres pattern does not equal to packets sources adress
masked with src_mask , or destination pattern not equal to packets
destination adress masked with dst_mask - no match.
If they does and protocol set to ALL/ICMP - got match.
If they does and protocol set to TCP/UDP - continue.
d) If src port doesn't match or dst port doesn't match - all
packet don't match. If they does - got match.
In ipfw packet matched consequently against every chain entry.
Search continues untill first matching entry found.If IP_FW_F_ACCEPT
flag set - packet accepted.If it is not set - packet denied.
If no matching entry found , all unmatched packets ever accepted or
denied depending on global polici value. It can be set with
IP_FW_POLICY raw socket option. Deny value is 0, other values
(default 1) is accept.
Entries can be added with IP_FW_F_PRN flag set.If kernel compiled
with IPFIREWALL_VERBOSE option,packets matching this entries will
be printed by kernel printf's.
If some chain is empty,every packet accepted by this chain no
matter what default policy is.
To check whenever or not packet denied by some chain , checking
options to setsockopt() can be issued. Then the argument is
a buffer representing ip packet,thus it has to be
struct ip + struct tcphdr .
Then setsockopt() return value 0 on accept or another on deny.
Ipaccounting entries added the same way as ipfw ones.Packet checked
against all entries in chain and values of p_cnt and b_cnt in matching
entries rised.p_cnt rises by 1 and b_cnt by ip_len value of ip packet.
Thus all traffic size counted including IP headers.
If IP_FW_F_BIDIR flag is set in accounting entry,packets counted are
those which match entry in standart way along with packets which match
entry while their source and destination addr/port pairs swapped.
Zero option allows all accounting to be cleared.
.Sh DIAGNOSTICS
[EINVAL] The IP option field was improperly formed; an option
field was shorter than the minimum value or longer than
the option buffer provided.An structural error in
ip_fw structure occured (n_src_p+n_dst_p too big,
ports set for ALL/ICMP protocols etc.)
.Sh SEE ALSO
ip(4), setsockopt(2), kvm_nlist(3), kvm_read(3)
.Sh BUGS
Ipfw/ipacct facilities are new and , although serious bugs has
been tracked,some less important ones expected.
This man page also uncomplete bad styled.
.Sh HISTORY
Ipfw facility has been intitially written as package to BSDI
by Daniel Boulet <danny@BouletFermat.ab.ca>.
It has been havily modified and ported to FreeBSD 2.0
by Ugen J.S.Antsilevich <ugen@NetVision.net.il>
Ipacct facility written for FreeBSD 2.0
by Ugen J.S.Antsilevich <ugen@NetVision.net.il>
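Review bot: the two kvm_nlist() symbol descriptions under "Kernel symbols" are swapped: `struct ip_fw *ip_fw_blk_chain - chain of forwarding entries.` and `struct ip_fw *ip_fw_fwd_chain - chain of blocking entries.` should read blocking and forwarding respectively, otherwise anyone reading the chains out of the kernel per this page audits the wrong list. Two more points on the same page: the DESCRIPTION buries the fail-open rule "If some chain is empty, every packet accepted by this chain no matter what default policy is" in the middle of a paragraph, yet it is the one fact an administrator setting `IP_FW_POLICY` to deny most needs, so it belongs next to the policy description with an explicit statement that a flushed blocking chain accepts everything regardless of policy; and the `.Dt IPFW(4)/IPACCT 4` line is not valid mdoc (it takes a single name and section, e.g. `.Dt IPFIREWALL 4`), so the rendered title will not match the installed names. Smaller fixes: the port-range text uses `ports[--n_src_p]`, `ports[n_src_p+n_dst_p--]` and `ports[n_srcp++]` where `ports[n_src_p-1]`, `ports[n_src_p+n_dst_p-1]` and `ports[n_src_p+1]` are meant; the src_mask description says bits should be zeroed "here and also in src_mask field" and then that valuable bits should be set in src_mask, which reads as a contradiction (the intent is: ignored bits cleared in both src and src_mask, compared bits set in src_mask); and the DIAGNOSTICS EINVAL text about an IP option field being shorter or longer than the buffer is copied from ip(4) and does not describe this facility, only the second sentence about structural errors in `struct ip_fw` applies.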

sbin/ipfw/ipfw.8 Normal file

@ -0,0 +1,128 @@
.Dd November 16, 1994
.Dt IPFW 8
.Os
.Sh NAME
ipfw - controlling utility for ipfw/ipacct facilities.
.Sh SYNOPSIS
ipfw [-vn] <entry-action> <chain entry pattern>
ipfw [-vn] <check-action> <packet pattern>
ipfw [-vn] <chain-action> <chain[s] type>
.Sh DESCRIPTION
In the first synopsis form, the ipfw utility allows adding/removing of
entries of blocking/forwarding/accounting chains.
In the second synopsis form, the ipfw utility checks whenever a given
IP packet type is accepted or denied by a blocking/forwarding firewall.
In the third synopsis form, the ipfw utility allows global actions
on chain-zeroing of counters, and flushing or listing of chain entries
and their counter values.
The following options are available:
-v be verbose. The meaning of this option varies depending on ipfw
usage.
-n do not resolve anything. When setting entries, do not try to resolve
a given address. When listing, display addresses in numeric form.
These are <entry-actions>:
addb[locking] - add entry to blocking firewall.
delb[locking] - remove entry from blocking firewall.
addf[orwarding] - add entry to forwarding firewall.
delf[orwarding] - remove entry from forwarding firewall.
adda[ccounting] - add entry to accounting chain.
dela[ccounting] - remove entry from accounting chain.
These are <check-actions>:
checkb[locking] - check packet against blocking firewall.
checkf[orwarding] - check packet against forwarding firewall.
These are <chain-actions>:
f[lush] - remove all entries in firewall/accounting chains.
l[ist] - show all entries in blocking/forwarding/accounting chains.
z[ero] - clear chain counters(for now accounting only).
p[olicy] - define default firewall policy.
The <chain-entry pattern> build like this:
For forwarding/blocking chains:
d[eny] <proto/addr pattern>
a[ccept] <proto/addr pattern>
For accounting chain:
s[ingle] <proto/addr pattern>
b[idirectional] <proto/addr pattern>
The <proto/addr pattern> is:
all|icmp from <src addr/mask> to <dst addr/mask>
tcp|udp from <src addr/mask> [ports] to <dst addr/mask> [ports]
<src addr/mask>:
<INET IP addr | domain name> [/mask bits | :mask pattern]
[ports]:
[ port,port....|port:port] where name of service can be
used instead of port numeric value.
When entry added to chain and -v option used,entry added with
PRN flag set.
The <packet pattern> build exactly like <chain-entry pattern>.
To l[ist] command may be passed:
f[orwarding]|b[locking]|a[ccounting] to list specific chain or none
to list all of them.Option -v causes output format to change so that
packet/bytes counters printed.Standart output format fully suitable
to be used as <chain-entry pattern>.
To f[lush] command may be passed:
f[irewall]|a[ccounting] to remove all entries from forwarding/blocking
chains or from accounting chain.No arguments removes all chain entries.
To z[ero] command no arguments needed,and all counters of accounting
chain zeroed.
To p[olicy] command accepts a[ccept]|d[eny] to define default policy
as denial/accepting.Withno arguments current default policy displayed.
.Sh EXAMPLES
This command add entry which denies all tcp packets from
hacker.evil.org to telnet port of wolf.tambov.su from being
forwarded by the host:
ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet
This one disallows any connection from entire hackers network
to my host:
ipfw addb deny all from 123.45.67.8/24 to my.host.org
Here is useful usage of lt] command to see accounting records:
ipfw -v list accounting (or in short form ipfw -v l a ).
Much more examples can be found in files:
/usr/share/misc/ipfw.samp.filters
/usr/share/misc/ipfw.samp.scripts
.Sh SEE ALSO
ipfirewall(4),ipaccounting(4),reboot(1)
.Sh BUGS
WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
This programm can put your computer in rather unusable state.
First time try using it from console and do *NOT* do anything
you don't understand.
Remember that "ipfw flush" can solve all the problemms.
Also take in your mind that "ipfw policy deny" combined with
some wrong chain entry(possible the only entry which designed
to deny some external packets) can close your computer from
outer world for good.
Besides of misuse the only known bug is that entry added
with -v option set should be deleted with same option,
but there is no way to see this in list command.
.Sh HISTORY
Initially this utility was written for BSDI by:
Daniel Boulet <danny@BouletFermat.ab.ca>
The FreeBSD version is written completely by:
Ugen J.S.Antsilevich <ugen@NetVision.net.il>
while synopsis partially compatible with old one.
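Review bot: the BUGS warning that "ipfw flush can solve all the problems" is only half the story given the companion ipfirewall.4 text that an empty chain accepts every packet regardless of policy: on a host whose only protection is the blocking chain, `ipfw flush` fails open, and the warning should say so explicitly next to the `ipfw policy deny` lockout caveat so the operator knows which direction each mistake fails in. Two points on name resolution: the page documents `-n` but never says that a hostname in a chain entry is resolved once when the entry is added and the resolved address stored, which for a deny rule such as `ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet` means the rule covers only whatever address DNS returned at that moment; and the second example `ipfw addb deny all from 123.45.67.8/24 to my.host.org` has host bits set inside a /24 without stating whether the utility masks them off or stores them as given, which decides whether the entry matches the network the example describes. Minor: "Here is useful usage of lt] command" should read "l[ist]", and the BUGS note that an entry added with -v must be deleted with -v is a usability trap that the l[ist] output could close by printing the PRN flag, since the page already says the list format is meant to be reusable as a chain-entry pattern.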