ipfirewall.4 (53273) | ipfirewall.4 (57676) |
---|---|
1.\" | 1.\" |
2.\" $FreeBSD: head/share/man/man4/ipfirewall.4 53273 1999-11-17 12:34:35Z phantom $ | 2.\" $FreeBSD: head/share/man/man4/ipfirewall.4 57676 2000-03-01 14:50:24Z sheldonh $ |
3.\" 4.Dd June 22, 1997 5.Dt IPFIREWALL 4 6.Os 7.Sh NAME 8.Nm ipfirewall 9.Nd IP packet filter and traffic accounting 10.Sh SYNOPSIS 11.Fd #include <sys/types.h> 12.Fd #include <sys/queue.h> 13.Fd #include <netinet/in.h> 14.Fd #include <netinet/ip_fw.h> 15.Ft int 16.Fn setsockopt raw_socket IPPROTO_IP "ipfw option" "struct ipfw" size 17.Sh DESCRIPTION 18Ipfirewall (alias ipfw) is a system facility which allows filtering, 19redirecting, and other operations on IP packets travelling through | 3.\" 4.Dd June 22, 1997 5.Dt IPFIREWALL 4 6.Os 7.Sh NAME 8.Nm ipfirewall 9.Nd IP packet filter and traffic accounting 10.Sh SYNOPSIS 11.Fd #include <sys/types.h> 12.Fd #include <sys/queue.h> 13.Fd #include <netinet/in.h> 14.Fd #include <netinet/ip_fw.h> 15.Ft int 16.Fn setsockopt raw_socket IPPROTO_IP "ipfw option" "struct ipfw" size 17.Sh DESCRIPTION 18Ipfirewall (alias ipfw) is a system facility which allows filtering, 19redirecting, and other operations on IP packets travelling through |
20system interfaces. Packets are matched by applying an ordered list | 20system interfaces. 21Packets are matched by applying an ordered list |
21of pattern rules against each packet until a match is found, at | 22of pattern rules against each packet until a match is found, at |
22which point the corresponding action is taken. Rules are numbered | 23which point the corresponding action is taken. 24Rules are numbered |
23from 1 to 65534; multiple rules may share the same number. 24.Pp 25There is one rule that always exists, rule number 65535. This rule | 25from 1 to 65534; multiple rules may share the same number. 26.Pp 27There is one rule that always exists, rule number 65535. This rule |
26normally causes all packets to be dropped. Hence, any packet which does not | 28normally causes all packets to be dropped. 29Hence, any packet which does not |
27match a lower numbered rule will be dropped. However, a kernel compile 28time option 29.Dq IPFIREWALL_DEFAULT_TO_ACCEPT 30allows the administrator to change this fixed rule to permit everything. 31.Pp 32The value passed to 33.Fn setsockopt 34is a struct ip_fw describing the rule (see below). In some cases 35(such as IP_FW_DEL), only the rule number is significant. 36.Sh COMMANDS 37The following socket options are used to manage the rule list: 38.Pp 39IP_FW_ADD inserts the rule into the rule list. 40.Pp 41IP_FW_DEL deletes all rules having the matching rule number. 42.Pp 43IP_FW_GET returns the (first) rule having the matching rule number. 44.Pp 45IP_FW_ZERO zeros the statistics associated with all rules having the | 30match a lower numbered rule will be dropped. However, a kernel compile 31time option 32.Dq IPFIREWALL_DEFAULT_TO_ACCEPT 33allows the administrator to change this fixed rule to permit everything. 34.Pp 35The value passed to 36.Fn setsockopt 37is a struct ip_fw describing the rule (see below). In some cases 38(such as IP_FW_DEL), only the rule number is significant. 39.Sh COMMANDS 40The following socket options are used to manage the rule list: 41.Pp 42IP_FW_ADD inserts the rule into the rule list. 43.Pp 44IP_FW_DEL deletes all rules having the matching rule number. 45.Pp 46IP_FW_GET returns the (first) rule having the matching rule number. 47.Pp 48IP_FW_ZERO zeros the statistics associated with all rules having the |
46matching rule number. If the rule number is zero, all rules are zeroed. | 49matching rule number. 50If the rule number is zero, all rules are zeroed. |
47.Pp 48IP_FW_FLUSH removes all rules (except 65535). 49.Pp 50When the kernel security level is greater than 2, only IP_FW_GET 51is allowed. 52.Sh RULE STRUCTURE 53Rules are described by the following structure: 54.Bd -literal --- 111 unchanged lines hidden (view full) --- 166 IPFIREWALL - enable ipfirewall. 167 IPFIREWALL_VERBOSE - enable firewall output 168 IPFIREWALL_VERBOSE_LIMIT - limit firewall output 169 IPDIVERT - enable divert(4) sockets. 170.Pp 171When packets match a rule with the IP_FW_F_PRN bit set, a message 172is logged to the console if IPFIREWALL_VERBOSE has been enabled; 173IPFIREWALL_VERBOSE_LIMIT limits the maximum number of times each | 51.Pp 52IP_FW_FLUSH removes all rules (except 65535). 53.Pp 54When the kernel security level is greater than 2, only IP_FW_GET 55is allowed. 56.Sh RULE STRUCTURE 57Rules are described by the following structure: 58.Bd -literal --- 111 unchanged lines hidden (view full) --- 170 IPFIREWALL - enable ipfirewall. 171 IPFIREWALL_VERBOSE - enable firewall output 172 IPFIREWALL_VERBOSE_LIMIT - limit firewall output 173 IPDIVERT - enable divert(4) sockets. 174.Pp 175When packets match a rule with the IP_FW_F_PRN bit set, a message 176is logged to the console if IPFIREWALL_VERBOSE has been enabled; 177IPFIREWALL_VERBOSE_LIMIT limits the maximum number of times each |
174rule can cause a log message. These variables are also | 178rule can cause a log message. 179These variables are also |
175available via the 176.Xr sysctl 3 177interface. 178.Sh DIAGNOSTICS 179 180[EINVAL] The IP option field was improperly formed; an option 181 field was shorter than the minimum value or longer than | 180available via the 181.Xr sysctl 3 182interface. 183.Sh DIAGNOSTICS 184 185[EINVAL] The IP option field was improperly formed; an option 186 field was shorter than the minimum value or longer than |
182 the option buffer provided. A structural error in | 187 the option buffer provided. A structural error in |
183 ip_fw structure occurred (n_src_p+n_dst_p too big, 184 ports set for ALL/ICMP protocols etc.). An invalid 185 rule number was used. 186.Sh SEE ALSO 187.Xr setsockopt 2 , 188.Xr divert 4 , 189.Xr ip 4 , 190.Xr ipfw 8 , --- 12 unchanged lines hidden --- | 188 ip_fw structure occurred (n_src_p+n_dst_p too big, 189 ports set for ALL/ICMP protocols etc.). An invalid 190 rule number was used. 191.Sh SEE ALSO 192.Xr setsockopt 2 , 193.Xr divert 4 , 194.Xr ip 4 , 195.Xr ipfw 8 , --- 12 unchanged lines hidden --- |
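Review bot: the one-sentence-per-line reflow in the DESCRIPTION/COMMANDS hunk is incomplete: in the new revision, line 27 still reads `There is one rule that always exists, rule number 65535. This rule`, line 30 still carries `match a lower numbered rule will be dropped. However, a kernel compile`, and line 37 still carries `is a struct ip_fw describing the rule (see below). In some cases`, each starting a second sentence mid-line. Splitting those three the same way lines 21, 24, 29 and 50 were split would make the mdoc source consistent within this hunk.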
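Review bot: the same reflow is left unfinished in the DIAGNOSTICS hunk: new line 187 `the option buffer provided. A structural error in` and line 189 `ports set for ALL/ICMP protocols etc.). An invalid` each begin a new sentence mid-line, while line 179 `These variables are also` in the same hunk was split onto its own line. Consider splitting those two as well so the whole revision follows one convention.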