593f7481aa
Submitted by: fenner (with modifications by me) Bring in the interface unit wildcard flag fix from rev 1.15.4.8.
361 lines
8.5 KiB
Groff
.Dd July 20, 1996
.Dt IPFW 8 SMM
.Os FreeBSD
.Sh NAME
.Nm ipfw
.Nd controlling utility for IP firewall
.Sh SYNOPSIS
.Nm ipfw
.Ar file
.Nm ipfw
flush
.Nm ipfw
zero
.Oo
.Ar number
.Oc
.Nm ipfw
delete
.Ar number
.Nm ipfw
.Oo
.Fl atN
.Oc
list
.Nm ipfw
add
.Oo
.Ar number
.Oc
.Ar action
.Oo
log
.Oc
.Ar proto
from
.Ar src
to
.Ar dst
.Oo
via
.Ar name|ipno
.Oc
.Oo
.Ar options
.Oc
.Sh DESCRIPTION
If used as shown in the first synopsis line, the
.Ar file
will be read line by line and applied as arguments to the
.Nm ipfw
command.
.Pp
The ipfw code works by going through the rule-list for each packet,
until a match is found.
All rules have two associated counters, a packet count and
a byte count.
These counters are updated when a packet matches the rule.
.Pp
The rules are ordered by a ``line-number'' from 1 to 65534 that is used
to order and delete rules. Rules are tried in increasing order, and the
first rule that matches a packet applies.
Multiple rules may share the same number and apply in
the order in which they were added.
.Pp
If a rule is added without a number, it is numbered 100 higher
than the previous rule. If the highest defined rule number is
greater than 65434, new rules are appended to the last rule.
.Pp
The delete operation deletes the first rule with number
.Ar number ,
if any.
.Pp
The list command prints out the current rule set.
.Pp
The zero operation zeroes the counters associated with rule number
.Ar number .
.Pp
The flush operation removes all rules.
.Pp
One rule is always present:
.Bd -literal -offset center
65535 deny all from any to any
.Ed

This rule is the default policy, i.e., don't allow anything at all.
Your job in setting up rules is to modify this policy to match your needs.
.Pp
The following options are available:
.Bl -tag -width flag
.It Fl a
While listing, show counter values. This option is the only way to see
accounting records.
.It Fl t
While listing, show last match timestamp.
.It Fl N
Try to resolve addresses and service names.
.El
.Pp
.Ar action :
.Bl -hang -offset flag -width 1234567890123456
.It Nm allow
Allow packets that match rule.
The search terminates.
.It Nm pass
Same as allow.
.It Nm accept
Same as allow.
.It Nm count
Update counters for all packets that match rule.
The search continues with the next rule.
.It Nm deny
Discard packets that match this rule.
The search terminates.
.It Nm reject
Discard packets that match this rule, and try to send an ICMP notice.
The search terminates.
.It Nm divert port
Divert packets that match this rule to the divert socket bound to port
.Ar port .
The search terminates.
.El
.Pp
When a packet matches a rule with the
.Nm log
keyword, a message will be printed on the console.
If the kernel was compiled with the
.Nm IP_FIREWALL_VERBOSE_LIMIT
option, then logging will cease after the number of packets
specified by the option are received for that particular
chain entry. Logging may then be re-enabled by clearing
the packet counter for that entry.
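The chain semantics stated above (rule numbering, first match wins, count continuing the search, the always-present 65535 deny, and the IP_FIREWALL_VERBOSE_LIMIT logging cut-off that a zero re-enables) are easiest to see in a small model. The following is an added example for this page, not code from FreeBSD or the ipfw utility; the packets, addresses and verbose limit value are constructed for the demo, and rule src/dst are matched only as exact addresses or ``any''.

```python
"""Model of the ipfw rule chain as described in DESCRIPTION above.

Added example for this page, not code from FreeBSD or the ipfw utility.
Packets are constructed tuples (proto, src, dst, length); src/dst in
rules are exact addresses or "any"; the verbose limit is a demo value.
"""
from dataclasses import dataclass

TERMINAL = {"allow", "pass", "accept", "deny", "reject", "divert"}


@dataclass
class Rule:
    number: int
    action: str          # allow/pass/accept/count/deny/reject/divert
    proto: str = "all"   # ip/all/tcp/udp/icmp
    src: str = "any"     # exact address or "any" (masks left out of this model)
    dst: str = "any"
    log: bool = False
    pkts: int = 0        # packet counter, updated on every match
    bytes: int = 0       # byte counter, updated on every match


class Chain:
    def __init__(self, verbose_limit=None):
        self.rules = []                     # ordered by number, insertion order within one
        self.default = Rule(65535, "deny")  # the rule that is always present
        self.verbose_limit = verbose_limit  # None: kernel built without the option
        self.console = []                   # stands in for console log messages

    def add(self, action, number=None, **fields):
        if number is None:                  # previous number + 100, or appended past 65434
            last = self.rules[-1].number if self.rules else 0
            number = last + 100 if last <= 65434 else last
        rule = Rule(number, action, **fields)
        idx = next((i for i, r in enumerate(self.rules) if r.number > number), len(self.rules))
        self.rules.insert(idx, rule)        # lands after any rule sharing the same number
        return rule

    def zero(self, number=None):
        """Zero the counters of one rule number, or of every rule."""
        for r in self.rules + [self.default]:
            if number is None or r.number == number:
                r.pkts = r.bytes = 0

    def _matches(self, rule, pkt):
        proto, src, dst, _ = pkt
        if rule.proto not in ("ip", "all") and rule.proto != proto:
            return False
        return rule.src in ("any", src) and rule.dst in ("any", dst)

    def filter(self, pkt):
        """Walk the chain for one packet and return the action that applied."""
        for rule in self.rules + [self.default]:
            if not self._matches(rule, pkt):
                continue
            rule.pkts += 1
            rule.bytes += pkt[3]
            # With IP_FIREWALL_VERBOSE_LIMIT, logging stops once the packet
            # counter passes the limit and resumes after the counter is zeroed.
            if rule.log and (self.verbose_limit is None or rule.pkts <= self.verbose_limit):
                self.console.append(f"ipfw: {rule.number} {rule.action} {pkt[0]} {pkt[1]} {pkt[2]}")
            if rule.action in TERMINAL:
                return rule.action
            # count: counters updated, the search continues with the next rule
        return self.default.action


def numbering_demo():
    """Numbers assigned to unnumbered rules: +100, then appended past 65434."""
    c = Chain()
    c.add("count")                   # 100
    c.add("allow", proto="tcp")      # 200
    c.add("deny", number=200)        # shares 200, applies after the allow
    c.add("allow", number=65434)
    c.add("count")                   # 65534, still inside 1..65534
    c.add("count")                   # appended to the last rule: 65534 again
    return [r.number for r in c.rules]


def traffic_demo():
    """Constructed packets through a small chain with a verbose limit of 2."""
    c = Chain(verbose_limit=2)
    c.add("count", proto="tcp")                            # 100: accounting only
    c.add("allow", proto="tcp", dst="10.0.0.5", log=True)  # 200: logged allow
    c.add("deny", src="10.0.0.9")                          # 300
    c.add("allow", number=300, proto="icmp")               # 300, tried after the deny
    pkts = [("tcp", "10.0.0.9", "10.0.0.5", 60),   # counted, then allowed and logged
            ("udp", "10.0.0.9", "10.0.0.7", 100),  # denied at 300
            ("icmp", "10.0.0.1", "10.0.0.2", 64),  # allowed by the second 300
            ("tcp", "10.0.0.1", "10.0.0.5", 40),   # allowed and logged (2nd packet)
            ("tcp", "10.0.0.2", "10.0.0.5", 40)]   # allowed, limit reached: not logged
    actions = [c.filter(p) for p in pkts]
    c.zero(200)                                            # logging for 200 resumes
    actions.append(c.filter(("tcp", "10.0.0.3", "10.0.0.5", 40)))
    actions.append(c.filter(("udp", "10.0.0.1", "10.0.0.2", 10)))  # falls to 65535 deny
    return {"actions": actions, "logged": len(c.console),
            "count_rule": (c.rules[0].pkts, c.rules[0].bytes),
            "default_pkts": c.default.pkts}
```

Running traffic_demo() shows the count rule accumulating every TCP packet while the search continues, the second rule numbered 300 being tried only after the first one fails to match, and the third logged packet being suppressed until the rule's counter is zeroed.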
.Pp
.Ar proto :
.Bl -hang -offset flag -width 1234567890123456
.It Nm ip
All packets match.
.It Nm all
All packets match.
.It Nm tcp
Only TCP packets match.
.It Nm udp
Only UDP packets match.
.It Nm icmp
Only ICMP packets match.
.El
.Pp
.Ar src
and
.Ar dst :
.Pp
.Bl -hang -offset flag
.It <address/mask> [ports]
.El
.Pp
The
.Em <address/mask>
may be specified as:
.Bl -hang -offset flag -width 1234567890123456
.It Ar ipno
An IP number of the form 1.2.3.4.
Only this exact IP number matches the rule.
.It Ar ipno/bits
An IP number with a mask width of the form 1.2.3.4/24.
In this case all IP numbers from 1.2.3.0 to 1.2.3.255 will match.
.It Ar ipno:mask
An IP number with a netmask of the form 1.2.3.4:255.255.240.0.
In this case all IP numbers from 1.2.0.0 to 1.2.15.255 will match.
.El
.Pp
With the TCP and UDP
.Em protocols ,
an optional
.Em port
may be specified as:
.Pp
.Bl -hang -offset flag
.It Ns {port|port-port} Ns Op ,port Ns Op ,...
.El
.Pp
Service names (from
.Pa /etc/services )
may not be used instead of a numeric port value.
Also, note that a range may only be specified as the first value,
and the port list is limited to
.Nm IP_FW_MAX_PORTS
(as defined in /usr/src/sys/netinet/ip_fw.h)
ports.
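The following parser is added here as an example and is not code from FreeBSD or the ipfw utility. It implements the three <address/mask> forms and the port list syntax described above, and rejects the cases the text says are not accepted (service names, a range anywhere but first, too many ports). IP_FW_MAX_PORTS is an assumed placeholder value, since its real definition lives in ip_fw.h and is not given on this page.

```python
"""Parser for the ipfw src/dst specification: <address/mask> [ports].

Added example for this page, not code from FreeBSD or the ipfw utility.
It implements the three address forms (ipno, ipno/bits, ipno:mask) and the
port list {port|port-port}[,port[,...]] as the text above states them, and
rejects what the text says is not accepted: service names, a range that is
not the first entry, and more than IP_FW_MAX_PORTS entries.  The limit
value below is an assumed placeholder; the real one is defined in ip_fw.h.
"""
import ipaddress

IP_FW_MAX_PORTS = 10   # assumed placeholder; take the real value from ip_fw.h


def parse_address(spec):
    """Return (network, mask) as 32-bit ints for ipno, ipno/bits or ipno:mask."""
    if spec == "any":
        return 0, 0                                  # mask 0: every address matches
    if "/" in spec:
        ip, bits = spec.split("/", 1)
        bits = int(bits)
        if not 0 <= bits <= 32:
            raise ValueError(f"bad mask width in {spec!r}")
        mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    elif ":" in spec:
        ip, netmask = spec.split(":", 1)
        mask = int(ipaddress.IPv4Address(netmask))
    else:
        ip, mask = spec, 0xFFFFFFFF                  # only this exact address matches
    return int(ipaddress.IPv4Address(ip)) & mask, mask


def parse_ports(spec):
    """Return a list of (lo, hi) ranges; only the first entry may be a range."""
    entries = spec.split(",")
    if len(entries) > IP_FW_MAX_PORTS:
        raise ValueError(f"port list longer than IP_FW_MAX_PORTS ({IP_FW_MAX_PORTS})")
    ranges = []
    for i, entry in enumerate(entries):
        parts = entry.split("-", 1)
        if len(parts) == 2 and i != 0:
            raise ValueError("a range may only be specified as the first value")
        if not all(p.isdigit() for p in parts):
            raise ValueError(f"ports must be numeric, service names are not accepted: {entry!r}")
        lo, hi = int(parts[0]), int(parts[-1])
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {entry!r}")
        ranges.append((lo, hi))
    return ranges


def parse_endpoint(text):
    """Parse "<address/mask> [ports]" into ((network, mask), ranges-or-None)."""
    words = text.split()
    if not 1 <= len(words) <= 2:
        raise ValueError(f"expected <address/mask> [ports], got {text!r}")
    ports = parse_ports(words[1]) if len(words) == 2 else None
    return parse_address(words[0]), ports


def endpoint_matches(endpoint, ip, port=None):
    """True if ip (and port, when the endpoint lists ports) matches the endpoint."""
    (network, mask), ranges = endpoint
    if int(ipaddress.IPv4Address(ip)) & mask != network:
        return False
    if ranges is None:
        return True                                  # no port list: any port matches
    return port is not None and any(lo <= port <= hi for lo, hi in ranges)


def rejected(port_spec):
    """True if parse_ports refuses port_spec; used to check the documented limits."""
    try:
        parse_ports(port_spec)
    except ValueError:
        return True
    return False
```

Note that the host part of the address is masked before it is stored, which is why 1.2.3.4/24 behaves exactly like 1.2.3.0/24 and 1.2.3.4:255.255.240.0 covers 1.2.0.0 through 1.2.15.255, as the text above states.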
.Pp
If ``via''
.Ar name
is specified, only packets received via or on their way out of an interface
matching
.Ar name
will match this rule.
.Pp
If ``via''
.Ar ipno
is specified, only packets received via or on their way out of an interface
having the address
.Ar ipno
will match this rule.
.Pp
.Ar options :
.Bl -hang -offset flag -width 1234567890123456
.It frag
Matches if the packet is a fragment and this is not the first fragment
of the datagram.
.It in
Matches if this packet was on the way in.
.It out
Matches if this packet was on the way out.
.It ipoptions Ar spec
Matches if the IP header contains the comma separated list of
options specified in
.Ar spec .
The supported IP options are:
.Nm ssrr
(strict source route),
.Nm lsrr
(loose source route),
.Nm rr
(record packet route), and
.Nm ts
(timestamp).
The absence of a particular option may be denoted
with a ``!''.
.It established
Matches packets that have the RST or ACK bits set.
TCP packets only.
.It setup
Matches packets that have the SYN bit set but no ACK bit.
TCP packets only.
.It tcpflags Ar spec
Matches if the TCP header contains the comma separated list of
flags specified in
.Ar spec .
The supported TCP flags are:
.Nm fin ,
.Nm syn ,
.Nm rst ,
.Nm psh ,
.Nm ack ,
and
.Nm urg .
The absence of a particular flag may be denoted
with a ``!''.
.It icmptypes Ar types
Matches if the ICMP type is in the list
.Ar types .
The list may be specified as any combination of ranges
or individual types separated by commas.
.It proto Ar ipproto
Matches if the protocol field in the IP header matches
any of the protocol numbers specified by the list
.Ar ipproto
(see
.Pa /etc/protocols
for a complete list).
Protocol ranges may not be used.
.El
.Sh CHECKLIST
Here are some important points to consider when designing your
rules:
.Bl -bullet -hang -offset flag -width 1234567890123456
.It
Remember that you filter both packets going in and out.
Most connections need packets going in both directions.
.It
Remember to test very carefully.
It is a good idea to be near the console when doing this.
.It
Don't forget the loopback interface.
.El
.Sh FINE POINTS
There is one kind of packet that the firewall will always discard,
that is an IP fragment with a fragment offset of one.
This is a valid packet, but it only has one use, to try to circumvent
firewalls.
.Pp
If you are logged in over a network, loading the LKM version of
.Nm
is probably not as straightforward as you would think.
I recommend this command line:
.Bd -literal -offset center
modload /lkm/ipfw_mod.o && \e
ipfw add 32000 allow all from any to any
.Ed

Along the same lines, doing an
.Bd -literal -offset center
ipfw flush
.Ed

in similar surroundings is also a bad idea.
.Sh PACKET DIVERSION
A divert socket bound to the specified port will receive all packets diverted
to that port; see
.Xr divert 4 .
If no socket is bound to the destination port, or if the kernel
wasn't compiled with divert socket support, diverted packets are dropped.
.Sh EXAMPLES
This command adds an entry which denies all tcp packets from
.Em hacker.evil.org
to the telnet port of
.Em wolf.tambov.su
from being forwarded by the host:
.Pp
.Dl ipfw add deny tcp from hacker.evil.org to wolf.tambov.su 23
.Pp
This one disallows any connection from the entire hackers network to
my host:
.Pp
.Dl ipfw add deny all from 123.45.67.0/24 to my.host.org
.Pp
Here is a good use of the list command to see accounting records:
.Pp
.Dl ipfw -at l
.Pp
or in short form
.Pp
.Dl ipfw -a l
.Pp
This rule diverts all incoming packets from 192.168.2.0/24 to divert port 5000:
.Pp
.Dl ipfw add divert 5000 all from 192.168.2.0/24 to any in
.Sh SEE ALSO
.Xr gethostbyname 3 ,
.Xr getservbyport 3 ,
.Xr divert 4 ,
.Xr ip 4 ,
.Xr ipfirewall 4 ,
.Xr protocols 5 ,
.Xr services 5 ,
.Xr reboot 8 ,
.Xr syslogd 8
.Sh BUGS
.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
.Pp
This program can put your computer in a rather unusable state. When
using it for the first time, work on the console of the computer, and
do
.Em NOT
do anything you don't understand.
.Pp
When manipulating/adding chain entries, service and protocol names are
not accepted.
.Sh HISTORY
Initially this utility was written for BSDI by:
.Pp
.Dl Daniel Boulet <danny@BouletFermat.ab.ca>
.Pp
The FreeBSD version is written completely by:
.Pp
.Dl Ugen J.S.Antsilevich <ugen@FreeBSD.ORG>
.Pp
This has all been extensively rearranged by Poul-Henning Kamp and
Alex Nash.
.Pp
Packet diversion added by Archie Cobbs <archie@whistle.com>.