f27f47054d
import of new ipfilter vendor sources by flattening them. To keep the tags consistent with dist, the tags are also flattened. Approved by: glebius (Mentor)
268 lines
9.6 KiB
Plaintext
.Dd December 8, 2000
.Dt IP\ FILTER 4
.Os
.Sh NAME
.Nm IP Filter
.Nd Introduction to IP packet filtering
.Sh DESCRIPTION
IP Filter is a TCP/IP packet filter, suitable for use in a firewall
environment. It can be used either as a loadable kernel module or
incorporated into your UNIX kernel; use as a loadable kernel module where
possible is highly recommended. Scripts are provided to install and patch
system files, as required.
.Sh FEATURES
The IP packet filter can:
.Bl -bullet -offset indent -compact
.It
explicitly deny/permit any packet from passing through
.It
distinguish between various interfaces
.It
filter by IP networks or hosts
.It
selectively filter any IP protocol
.It
selectively filter fragmented IP packets
.It
selectively filter packets with IP options
.It
send back an ICMP error/TCP reset for blocked packets
.It
keep packet state information for TCP, UDP and ICMP packet flows
.It
keep fragment state information for any IP packet, applying the same rule
to all fragments
.It
act as a Network Address Translator (NAT)
.It
use redirection to set up true transparent proxy connections
.It
provide packet header details to a user program for authentication
.It
in addition, support temporary storage of pre-authenticated rules for
passing packets through
.El
.Pp
Special provision is made for the three most common Internet protocols, TCP,
UDP and ICMP. The IP packet filter allows filtering of:
.Bl -bullet -offset indent -compact
.It
inverted host/net matching
.It
TCP/UDP packets by port number or a port number range
.It
ICMP packets by type/code
.It
"established" TCP packets
.It
any arbitrary combination of TCP flags
.It
"short" (fragmented) IP packets with incomplete headers
.It
any of the 19 IP options or 8 registered IP security classes
.It
the TOS (Type of Service) field in packets
.El
.Pp
To keep track of the performance of the IP packet filter, a logging device
is used which supports logging of:
.Bl -bullet -offset indent -compact
.It
the TCP/UDP/ICMP and IP packet headers
.It
the first 128 bytes of the packet (including headers)
.El
.Pp
A packet can be logged when:
.Bl -bullet -offset indent -compact
.It
it is successfully passed through
.It
it is blocked from passing through
.It
it matches a rule set up to look for suspicious packets
.El
.Pp
IP Filter keeps its own set of statistics on:
.Bl -bullet -offset indent -compact
.It
packets blocked
.It
packets (and bytes!) used for accounting
.It
packets passed
.It
packets logged
.It
attempts to log which failed (buffer full)
.El
and much more, for packets going both in and out.
.Sh TOOLS
The current implementation provides a small set of tools, which can easily
be used and integrated with regular UNIX shells and tools. A brief description
of the tools provided:
.Pp
.Xr ipf 8
reads in a set of rules, from either stdin or a file, and adds them to
the kernel's current list (appending them). It can also be used to flush the
current filter set or delete individual filter rules. The file format is
described in
.Xr ipf 5 .
.Pp
.Xr ipfs 8
is a utility to temporarily lock the IP Filter kernel tables (state tables
and NAT mappings) and write them to disk. After that the system can be
rebooted, and ipfs can be used to read these tables from disk and restore
them into the kernel. This way the system can be rebooted without the
connections being terminated.
.Pp
.Xr ipfstat 8
interrogates the kernel for statistics on packet filtering so far, and
retrieves the list of filters in operation for inbound and outbound
packets.
.Pp
.Xr ipftest 1
reads in a filter rule file and then applies sample IP packets to
the rule file. This allows for testing of a filter list and examination of
how a packet is passed along through it.
.Pp
.Xr ipmon 8
reads buffered data from the logging device (default is /dev/ipl)
for output to either:
.Bl -bullet -offset indent -compact
.It
screen (standard output)
.It
file
.It
syslog
.El
.Pp
.Xr ipsend 1
generates arbitrary IP packets for ethernet connected machines.
.Pp
.Xr ipresend 1
reads in a data file of saved IP packets (i.e. snoop/tcpdump/etherfind
output) and sends it back across the network.
.Pp
.Xr iptest 1
contains a set of test "programs" which send out a series of IP
packets, aimed at testing the strength of the TCP/IP stack they are
directed at. WARNING: this may crash the machine(s) targeted!
.Pp
.Xr ipnat 8
reads in a set of rules, from either stdin or a file, and adds them
to the kernel's current list of active NAT rules. NAT rules can also be
deleted using ipnat. The format of the configuration file to be used
with ipnat is described in
.Xr ipnat 5 .
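.Pp
The following rule set is an added illustration, not a file shipped with
IP Filter, of how the features listed above are expressed in the
.Xr ipf 5
format that ipf(8) loads and ipftest(1) checks: interface, protocol and
port matching, short-fragment and IP-option filtering, TCP reset and ICMP
replies for blocked packets, state and fragment tracking, accounting and
logging. The interface names ext0 and int0, the internal network
192.168.1.0/24 and the firewall address 192.168.1.1 are assumed.

```conf
# Added example ipf(5) rule set; ext0/int0 and 192.168.1.0/24 are assumed.
#
# Rules are evaluated top to bottom and the LAST matching rule wins,
# unless a rule says "quick", which ends evaluation at that rule.
# So the default policy goes first: block and log everything.
block in log all
block out log all

# Count every packet on the external interface; ipfstat(8) reports totals.
count in on ext0 all
count out on ext0 all

# Drop fragments too short to carry a full header, and packets carrying
# IP options, before any later rule could pass them.
block in log quick on ext0 all with short
block in log quick on ext0 all with ipopts

# Anti-spoofing: nothing arriving on ext0 may claim an internal source.
block in log quick on ext0 from 192.168.1.0/24 to any

# Let the internal network out. "keep state" records the flow on its first
# packet so replies are admitted by the state check without a "pass in"
# rule; "keep frags" applies the same decision to later fragments.
pass out quick on ext0 proto tcp from 192.168.1.0/24 to any flags S keep state keep frags
pass out quick on ext0 proto udp from 192.168.1.0/24 to any keep state
pass out quick on ext0 proto icmp from 192.168.1.0/24 to any keep state

# Expose only SSH to the outside, matched on the SYN that opens the session.
pass in quick on ext0 proto tcp from any to 192.168.1.1 port = 22 flags S keep state

# Refuse other unsolicited TCP/UDP with a reset or ICMP port unreachable
# instead of a silent drop, so legitimate clients fail fast; log the hits.
block return-rst in log quick on ext0 proto tcp from any to any
block return-icmp(port-unr) in log quick on ext0 proto udp from any to any

# Pass but log echo requests aimed at the firewall; ipmon(8) shows them.
pass in log quick on ext0 proto icmp from any to 192.168.1.1 icmp-type echo

# The internal interface is trusted.
pass in quick on int0 all
pass out quick on int0 all
```

Run the file against constructed sample packets with ipftest -r rulefile -i packetfile before loading it with ipf -f rulefile.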
.Pp
For use in your own programs (e.g. for writing transparent application
proxies), the programming interface and the associated ioctls are
documented in
.Xr ipf 4 .
Documentation on ioctls and the format of data saved
to the logging character device is provided in
.Xr ipl 4 ,
so that you may develop your own applications to work with or in place of any
of the above.
Similarly, the interface to the NAT code is documented in
.Xr ipnat 4 .
.Sh PACKET PROCESSING FLOW
The following diagram illustrates the flow of TCP/IP packets through the
various stages introduced by IP Filter.
.Pp
.nf
                                   IN
                                    |
                                    V
          +-------------------------+-------------------------+
          |                         |                         |
          |                         V                         |
          |            Network Address Translation            |
          |                         |                         |
          |      authenticated      |                         |
          |      +-------<----------+                         |
          |      |                  |                         |
          |      |                  V                         |
          |      V            IP Accounting                   |
          |      |                  |                         |
          |      |                  V                         |
          |      |        Fragment Cache Check--+             |
          |      |                  |           |             |
          |      V                  V           V             |
          |      |         Packet State Check-->+             |
          |      |                  |           |             |
          |      |    +->--+        |           |             |
          |      |    |    |        V           |             |
          |      V    groups  IP Filtering      V             |
          |      |    |    |        |           |             |
          |      |    +--<-+        |           |             |
          |      |                  |           |             |
          |      +----------------->|<----------+             |
          |                         |                         |
          |                         V                         |
          |                     +---<----+                    |
          |                     |        |                    |
          |                 function     |                    |
          |                     |        V                    |
          |                     +--->----+                    |
          |                         |                         |
          |                         V                         |
          +--|--<-- fast-route --<--+                         |
          |  |                      |                         |
          |  |                      V                         |
          |  +----------------------+-------------------------+
          |                         |
          |                     pass only
          |                         |
          |                         V
          V            [KERNEL TCP/IP Processing]
          |                         |
          |  +----------------------+-------------------------+
          |  |                      |                         |
          |  |                      V                         |
          |  |            Fragment Cache Check--+             |
          |  |                      |           |             |
          |  |                      V           V             |
          |  |             Packet State Check-->+             |
          |  |                      |           |             |
          |  |                      V           |             |
          V  |                IP Filtering      |             |
          |  |                      |           V             |
          |  |                      |<----------+             |
          |  |                      V                         |
          |  |                IP Accounting                   |
          |  |                      |                         |
          |  |                      V                         |
          |  |         Network Address Translation            |
          |  |                      |                         |
          |  |                      V                         |
          |  +----------------------+-------------------------+
          |                         |
          |                     pass only
          V                         |
          +------------------------>|
                                    V
                                   OUT
.fi
.Sh MORE INFORMATION
More information (including pointers to the FAQ and the mailing list) can be
obtained from the software's official homepage: www.ipfilter.org
.Sh SEE ALSO
.Xr ipf 4 ,
.Xr ipf 5 ,
.Xr ipf 8 ,
.Xr ipfilter 5 ,
.Xr ipfs 8 ,
.Xr ipfstat 8 ,
.Xr ipftest 1 ,
.Xr ipl 4 ,
.Xr ipmon 8 ,
.Xr ipnat 4 ,
.Xr ipnat 8