ipf.5 (26119) ipf.5 (31183)
1.TH IPF 5
2.SH NAME
3ipf \- IP packet filter rule syntax
4.SH DESCRIPTION
5.PP
6A rule file for \fBipf\fP may have any name or even be stdin. As
7\fBipfstat\fP produces parseable rules as output when displaying the internal
8kernel filter lists, it is quite plausible to use its output to feed back

--- 4 unchanged lines hidden (view full) ---

13\fC# ipfstat \-i | ipf \-rf \-\fP
14.fi
15.SH GRAMMAR
16.PP
17The format used by \fBipf\fP for construction of filtering rules can be
18described using the following grammar in BNF:
19\fC
20.nf
1.TH IPF 5
2.SH NAME
3ipf \- IP packet filter rule syntax
4.SH DESCRIPTION
5.PP
6A rule file for \fBipf\fP may have any name or even be stdin. As
7\fBipfstat\fP produces parseable rules as output when displaying the internal
8kernel filter lists, it is quite plausible to use its output to feed back

--- 4 unchanged lines hidden (view full) ---

13\fC# ipfstat \-i | ipf \-rf \-\fP
14.fi
15.SH GRAMMAR
16.PP
17The format used by \fBipf\fP for construction of filtering rules can be
18described using the following grammar in BNF:
19\fC
20.nf
21filter-rule = [ insert ] action in-out [ options ] [ match ] [ keep ]
21filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
22 [ proto ] [ ip ] [ group ].
22
23insert = "@" decnumber .
23
24insert = "@" decnumber .
24action = block | "pass" | log | "count" | call .
25action = block | "pass" | log | "count" | skip | auth | call .
25in-out = "in" | "out" .
26options = [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] ] .
26in-out = "in" | "out" .
27options = [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] ] .
27match = [ tos ] [ ttl ] [ proto ] [ ip ] .
28keep = "keep state" | "keep frags" .
28tos = "tos" decnumber | "tos" hexnumber .
29ttl = "ttl" decnumber .
30proto = "proto" protocol .
31ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
32group = [ "head" decnumber ] [ "group" decnumber ] .
29
30block = "block" [ "return-icmp"[return-code] | "return-rst" ] .
33
34block = "block" [ "return-icmp"[return-code] | "return-rst" ] .
31log = "log" [ "body" ] [ "first" ] [ "or-block" ] .
32call = "call" [ "now" ] function-name .
33
34dup = "dup-to" interface-name[":"ipaddr] .
35auth = "auth" | "preauth" .
36log = "log" [ "body" ] [ "first" ] [ "or-block" ] .
37call = "call" [ "now" ] function-name .
38skip = "skip" decnumber .
39dup = "dup-to" interface-name[":"ipaddr] .
35froute = "fastroute" | "to" interface-name .
40froute = "fastroute" | "to" interface-name .
36
37tos = "tos" decnumber | "tos" hexnumber .
38ttl = "ttl" decnumber .
39proto = "proto" protocol .
40ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
41
42protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
43srcdst = "all" | fromto .
44fromto = "from" object "to" object .
45
46object = addr [ port-comp | port-range ] .
47addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
48port-comp = "port" compare port-num .
49port-range = "port" port-num range port-num .
41protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
42srcdst = "all" | fromto .
43fromto = "from" object "to" object .
44
45object = addr [ port-comp | port-range ] .
46addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
47port-comp = "port" compare port-num .
48port-range = "port" port-num range port-num .
50
51flags = "flags" flag { flag } [ "/" flag { flag } ] .
52with = "with" | "and" .
53icmp = "icmp-type" icmp-type [ "code" decnumber ] .
54return-code = "("icmp-code")" .
49flags = "flags" flag { flag } [ "/" flag { flag } ] .
50with = "with" | "and" .
51icmp = "icmp-type" icmp-type [ "code" decnumber ] .
52return-code = "("icmp-code")" .
53keep = "keep" "state" | "keep" "frags" .
55
56nummask = host-name [ "/" decnumber ] .
57host-name = ipaddr | hostname | "any" .
58ipaddr = host-num "." host-num "." host-num "." host-num .
59host-num = digit [ digit [ digit ] ] .
60port-num = service-name | decnumber .
61
62withopt = [ "not" | "no" ] opttype [ withopt ] .

--- 4 unchanged lines hidden (view full) ---

67seclvl = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
68 "reserv-4" | "secret" | "topsecret" .
69icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
70 "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
71 "inforep" | "maskreq" | "maskrep" | decnumber .
72icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
73 "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
74 "net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
54
55nummask = host-name [ "/" decnumber ] .
56host-name = ipaddr | hostname | "any" .
57ipaddr = host-num "." host-num "." host-num "." host-num .
58host-num = digit [ digit [ digit ] ] .
59port-num = service-name | decnumber .
60
61withopt = [ "not" | "no" ] opttype [ withopt ] .

--- 4 unchanged lines hidden (view full) ---

66seclvl = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
67 "reserv-4" | "secret" | "topsecret" .
68icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
69 "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
70 "inforep" | "maskreq" | "maskrep" | decnumber .
71icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
72 "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
73 "net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
75optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
76 "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
77 "visa" | "imitd" | "eip" | "finn" .
74optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
75 "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" |
76 "addext" | "visa" | "imitd" | "eip" | "finn" .
78
79hexnumber = "0" "x" hexstring .
80hexstring = hexdigit [ hexstring ] .
81decnumber = digit [ decnumber ] .
82
77
78hexnumber = "0" "x" hexstring .
79hexstring = hexdigit [ hexstring ] .
80decnumber = digit [ decnumber ] .
81
83compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
84 "le" | "ge" .
82compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" |
83 "gt" | "le" | "ge" .
85range = "<>" | "><" .
86hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
87digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
88flag = "F" | "S" | "R" | "P" | "A" | "U" .
89.fi
90.PP
91This syntax is somewhat simplified for readability, some combinations
92that match this grammar are disallowed by the software because they do
93not make sense (such as tcp \fBflags\fP for non-TCP packets).
94.SH FILTER RULES
95.PP
96The "briefest" valid rules are (currently) no-ops and are of the form:
97.nf
84range = "<>" | "><" .
85hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
86digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
87flag = "F" | "S" | "R" | "P" | "A" | "U" .
88.fi
89.PP
90This syntax is somewhat simplified for readability, some combinations
91that match this grammar are disallowed by the software because they do
92not make sense (such as tcp \fBflags\fP for non-TCP packets).
93.SH FILTER RULES
94.PP
95The "briefest" valid rules are (currently) no-ops and are of the form:
96.nf
98 block in
99 pass in
100 log in
101 count in
102.fi
103.PP
104These are supposed to be the same as, but currently differ from:
105.\" XXX How, why do they differ??
106.nf
107 block in all
97 block in all
108 pass in from any to any
109 log in all
98 pass in all
99 log out all
110 count in all
111.fi
112.PP
113Filter rules are checked in order, with the last matching rule
114determining the fate of the packet (but see the \fBquick\fP option,
115below).
116.PP
117Filters are installed by default at the end of the kernel's filter

--- 30 unchanged lines hidden (view full) ---

148the filter. These statistics are viewable with ipfstat(8).
149.TP
150.B call
151this action is used to invoke the named function in the kernel, which
152must conform to a specific calling interface. Customised actions and
153semantics can thus be implemented to supplement those available. This
154feature is for use by knowledgeable hackers, and is not currently
155documented.
100 count in all
101.fi
102.PP
103Filter rules are checked in order, with the last matching rule
104determining the fate of the packet (but see the \fBquick\fP option,
105below).
106.PP
107Filters are installed by default at the end of the kernel's filter

--- 30 unchanged lines hidden (view full) ---

138the filter. These statistics are viewable with ipfstat(8).
139.TP
140.B call
141this action is used to invoke the named function in the kernel, which
142must conform to a specific calling interface. Customised actions and
143semantics can thus be implemented to supplement those available. This
144feature is for use by knowledgeable hackers, and is not currently
145documented.
146.TP
147.B "skip <n>"
148.TP
149.B auth
150.TP
151.B preauth
156.PP
157The next word must be either \fBin\fP or \fBout\fP. Each packet
158moving through the kernel is either inbound (just been received on an
159interface, and moving towards the kernel's protocol processing) or
160outbound (transmitted or forwarded by the stack, and on its way to an
161interface). There is a requirement that each filter rule explicitly
162state which side of the I/O it is to be used on.
163.SH OPTIONS

--- 52 unchanged lines hidden (view full) ---

216match. The following general-purpose attributes are provided for
217matching, and must be used in this order:
218.TP
219.B tos
220packets with different Type-Of-Service values can be filtered.
221Individual service levels or combinations can be filtered upon. The
222value for the TOS mask can either be represented as a hex number or a
223decimal integer value.
152.PP
153The next word must be either \fBin\fP or \fBout\fP. Each packet
154moving through the kernel is either inbound (just been received on an
155interface, and moving towards the kernel's protocol processing) or
156outbound (transmitted or forwarded by the stack, and on its way to an
157interface). There is a requirement that each filter rule explicitly
158state which side of the I/O it is to be used on.
159.SH OPTIONS

--- 52 unchanged lines hidden (view full) ---

212match. The following general-purpose attributes are provided for
213matching, and must be used in this order:
214.TP
215.B tos
216packets with different Type-Of-Service values can be filtered.
217Individual service levels or combinations can be filtered upon. The
218value for the TOS mask can either be represented as a hex number or a
219decimal integer value.
224.\" XXX TOS mask?? not in grammar!
225.TP
226.B ttl
227packets may also be selected by their Time-To-Live value. The value given in
228the filter rule must exactly match that in the packet for a match to occur.
229This value can only be given as a decimal integer value.
230.TP
231.B proto
232allows a specific protocol to be matched against. All protocol names

--- 118 unchanged lines hidden (view full) ---

351.B icmp-type
352is only effective when used with \fBproto icmp\fP and must NOT be used
353in conjuction with \fBflags\fP. There are a number of types, which can be
354referred to by an abbreviation recognised by this language, or the numbers
355with which they are associated can be used. The most important from
356a security point of view is the ICMP redirect.
357.SH KEEP HISTORY
358.PP
220.TP
221.B ttl
222packets may also be selected by their Time-To-Live value. The value given in
223the filter rule must exactly match that in the packet for a match to occur.
224This value can only be given as a decimal integer value.
225.TP
226.B proto
227allows a specific protocol to be matched against. All protocol names

--- 118 unchanged lines hidden (view full) ---

346.B icmp-type
347is only effective when used with \fBproto icmp\fP and must NOT be used
348in conjuction with \fBflags\fP. There are a number of types, which can be
349referred to by an abbreviation recognised by this language, or the numbers
350with which they are associated can be used. The most important from
351a security point of view is the ICMP redirect.
352.SH KEEP HISTORY
353.PP
359The last parameter which can be set for a filter rule is whether on not to
360record historical information for that packet, and what sort to keep. The following information can be kept:
354The second last parameter which can be set for a filter rule is whether on not
355to record historical information for that packet, and what sort to keep. The
356following information can be kept:
361.TP
362.B state
363keeps information about the flow of a communication session. State can
364be kept for TCP, UDP, and ICMP packets.
365.TP
366.B frags
367keeps information on fragmented packets, to be applied to later
368fragments.
369.PP
370allowing packets which match these to flow straight through, rather
371than going through the access control list.
357.TP
358.B state
359keeps information about the flow of a communication session. State can
360be kept for TCP, UDP, and ICMP packets.
361.TP
362.B frags
363keeps information on fragmented packets, to be applied to later
364fragments.
365.PP
366allowing packets which match these to flow straight through, rather
367than going through the access control list.
368.SH GROUPS
369The last pair of parameters control filter rule "grouping". By default, all
370filter rules are placed in group 0 if no other group is specified. To add a
371rule to a non-default group, the group must first be started by creating a
372group \fIhead\fP. If a packet matches a rule which is the \fIhead\fP of a
373group, the filter processing then switches to the group, using that rule as
374the default for the group. If \fBquick\fP is used with a \fBhead\fP rule, rule
375processing isn't stopped until it has returned from processing the group.
376.PP
377A rule may be both the head for a new group and a member of a non-default
378group (\fBhead\fP and \fBgroup\fP may be used together in a rule).
379.TP
380.B "head <n>"
381indicates that a new group (number n) should be created.
382.TP
383.B "group <n>"
384indicates that the rule should be put in group (number n) rather than group 0.
372.SH LOGGING
373.PP
374When a packet is logged, with either the \fBlog\fP action or option,
375the headers of the packet are written to the \fBipl\fP packet logging
376psuedo-device. Immediately following the \fBlog\fP keyword, the
377following qualifiers may be used (in order):
378.TP
379.B body

--- 42 unchanged lines hidden (view full) ---

422result as a failed match on the "block" action does not imply a pass,
423only that the rule hasn't taken effect. To then allow ports < 1024, a
424rule such as:
425.LP
426.nf
427 pass in quick from any to any port < 1024
428.fi
429.PP
385.SH LOGGING
386.PP
387When a packet is logged, with either the \fBlog\fP action or option,
388the headers of the packet are written to the \fBipl\fP packet logging
389psuedo-device. Immediately following the \fBlog\fP keyword, the
390following qualifiers may be used (in order):
391.TP
392.B body

--- 42 unchanged lines hidden (view full) ---

435result as a failed match on the "block" action does not imply a pass,
436only that the rule hasn't taken effect. To then allow ports < 1024, a
437rule such as:
438.LP
439.nf
440 pass in quick from any to any port < 1024
441.fi
442.PP
430would be needed before the first block.
443would be needed before the first block. To create a new group for
444processing all inbould packets on le0/le1/lo0, with the default being to block
445all inbound packets, we would do something like:
446.LP
447.nf
448 block in all
449 block in on le0 quick all head 100
450 block in on le1 quick all head 200
451 block in on lo0 quick all head 300
452.fi
453.PP
454
455and to then allow ICMP packets in on le0, only, we would do:
456.LP
457.nf
458 pass in proto icmp all group 100
459.fi
460.PP
461Note that because only inbound packets on le0 are used processed by group 100,
462there is no need to respecify the interface name. Likewise, we could further
463breakup processing of TCP, etc, as follows:
464.LP
465.nf
466 block in proto tcp all head 110 group 100
467 pass in from any to any port = 23 group 110
468.fi
469.PP
470and so on. The last line, if written without the groups would be:
471.LP
472.nf
473 pass in on le0 proto tcp from any to any port = telnet
474.fi
475.PP
476Note, that if we wanted to say "port = telnet", "proto tcp" would
477need to be specified as the parser interprets each rule on its own and
478qualifies all service/port names with the protocol specified.
431.SH FILES
432/etc/services
433.br
434/etc/hosts
435.SH SEE ALSO
436ipf(1), ipftest(1), mkfilters(1)
479.SH FILES
480/etc/services
481.br
482/etc/hosts
483.SH SEE ALSO
484ipf(1), ipftest(1), mkfilters(1)
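Review bot: The three new action entries under FILTER RULES — `.B "skip <n>"`, `.B auth` and `.B preauth` (new-side lines 147–151) — are `.TP` headings with no body text, so the page now names these actions in the grammar (`action = ... | skip | auth | call .`, `skip = "skip" decnumber .`) without saying what any of them does or accepts. Each heading should get at least a sentence of description in the same register as the `call` entry directly above it, and for `skip` the meaning of the `decnumber` argument should be stated rather than left to the reader to infer from the grammar. Two wording slips in the new GROUPS example text are worth fixing in the same pass: `inbould` → `inbound` on new-side line 444, and `are used processed by group 100` → `are processed by group 100` on new-side line 461.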