ipfw.8 revision 17586
.Dd July 20, 1996
.Dt IPFW 8 SMM
.Os FreeBSD
.Sh NAME
.Nm ipfw
.Nd controlling utility for IP firewall
.Sh SYNOPSIS
.Nm
.Ar file
.Nm ipfw
flush
.Nm ipfw
zero
.Oo
.Ar number
.Oc
.Nm ipfw
delete
.Ar number
.Nm ipfw
.Oo
.Fl atN
.Oc
list
.Nm ipfw
add
.Oo
.Ar number
.Oc
.Ar action
.Oo
log
.Oc
.Ar proto
from
.Ar src
to
.Ar dst
.Oo
via
.Ar name|ipno
.Oc
.Oo
.Ar options
.Oc
.Sh DESCRIPTION
If used as shown in the first synopsis line, the
.Ar file
will be read line by line and applied as arguments to the
.Nm
command.
.Pp
The
.Nm
code works by going through the rule-list for each packet,
until a match is found.
All rules have two associated counters, a packet count and
a byte count.
These counters are updated when a packet matches the rule.
.Pp
The rules are ordered by a ``line-number'' from 1 to 65534 that is used
to order and delete rules. Rules are tried in increasing order, and the
first rule that matches a packet applies.
Multiple rules may share the same number and apply in
the order in which they were added.
.Pp
If a rule is added without a number, it is numbered 100 higher
than the previous rule. If the highest defined rule number is
greater than 65434, new rules are appended to the last rule.
.Pp
The delete operation deletes the first rule with number
.Ar number ,
if any.
.Pp
The list command prints out the current rule set.
.Pp
The zero operation zeroes the counters associated with rule number
.Ar number .
.Pp
The flush operation removes all rules.
.Pp
One rule is always present:
.Bd -literal -offset center
65535 deny all from any to any
.Ed

This rule is the default policy, i.e., don't allow anything at all.
Your job in setting up rules is to modify this policy to match your needs.
.Pp
The following options are available:
.Bl -tag -width flag
.It Fl a
While listing, show counter values.
This option is the only way to see
accounting records.
.It Fl t
While listing, show last match timestamp.
.It Fl N
Try to resolve addresses and service names.
.El
.Pp
.Ar action :
.Bl -hang -offset flag -width 1234567890123456
.It Nm allow
Allow packets that match the rule.
The search terminates.
.It Nm pass
Same as allow.
.It Nm accept
Same as allow.
.It Nm count
Update counters for all packets that match the rule.
The search continues with the next rule.
.It Nm deny
Discard packets that match this rule.
The search terminates.
.It Nm reject
Discard packets that match this rule, and try to send an ICMP notice.
The search terminates.
.It Nm divert port
Divert packets that match this rule to the divert socket bound to port
.Ar port .
The search terminates.
.El
.Pp
When a packet matches a rule with the
.Nm log
keyword, a message will be printed on the console.
If the kernel was compiled with the
.Nm IP_FIREWALL_VERBOSE_LIMIT
option, then logging will cease after the number of packets
specified by the option are received for that particular
chain entry. Logging may then be re-enabled by clearing
the packet counter for that entry.
.Pp
.Ar proto :
.Bl -hang -offset flag -width 1234567890123456
.It Nm ip
All packets match.
.It Nm all
All packets match.
.It Nm tcp
Only TCP packets match.
.It Nm udp
Only UDP packets match.
.It Nm icmp
Only ICMP packets match.
.It Nm <number|name>
Only packets for the specified protocol match (see
.Pa /etc/protocols
for a complete list).
.El
.Pp
.Ar src
and
.Ar dst :
.Pp
.Bl -hang -offset flag
.It <address/mask> [ports]
.El
.Pp
The
.Em <address/mask>
may be specified as:
.Bl -hang -offset flag -width 1234567890123456
.It Ar ipno
An IP number of the form 1.2.3.4.
Only this exact IP number matches the rule.
.It Ar ipno/bits
An IP number with a mask width of the form 1.2.3.4/24.
In this case all IP numbers from 1.2.3.0 to 1.2.3.255 will match.
.It Ar ipno:mask
An IP number with a netmask of the form 1.2.3.4:255.255.240.0.
In this case all IP numbers from 1.2.0.0 to 1.2.15.255 will match.
.El
.Pp
With the TCP and UDP
.Em protocols ,
an optional
.Em port
may be specified as:
.Pp
.Bl -hang -offset flag
.It Ns {port|port-port} Ns Op ,port Ns Op ,...
.El
.Pp
Service names (from
.Pa /etc/services )
may not be used instead of a numeric port value.
Also, note that a range may only be specified as the first value,
and the port list is limited to
.Nm IP_FW_MAX_PORTS
(as defined in /usr/src/sys/netinet/ip_fw.h)
ports.
.Pp
If ``via''
.Ar name
is specified, only packets received via or on their way out of an interface
matching
.Ar name
will match this rule.
.Pp
If ``via''
.Ar ipno
is specified, only packets received via or on their way out of an interface
having the address
.Ar ipno
will match this rule.
.Pp
.Ar options :
.Bl -hang -offset flag -width 1234567890123456
.It frag
Matches if the packet is a fragment and this is not the first fragment
of the datagram.
.It in
Matches if this packet was on the way in.
.It out
Matches if this packet was on the way out.
.It ipoptions Ar spec
Matches if the IP header contains the comma separated list of
options specified in
.Ar spec .
The supported IP options are:
.Nm ssrr
(strict source route),
.Nm lsrr
(loose source route),
.Nm rr
(record packet route), and
.Nm ts
(timestamp).
The absence of a particular option may be denoted
with a ``!''.
.It established
Matches packets that have the RST or ACK bits set.
TCP packets only.
.It setup
Matches packets that have the SYN bit set but no ACK bit.
TCP packets only.
.It tcpflags Ar spec
Matches if the TCP header contains the comma separated list of
flags specified in
.Ar spec .
The supported TCP flags are:
.Nm fin ,
.Nm syn ,
.Nm rst ,
.Nm psh ,
.Nm ack ,
and
.Nm urg .
The absence of a particular flag may be denoted
with a ``!''.
.It icmptypes Ar types
Matches if the ICMP type is in the list
.Ar types .
The list may be specified as any combination of ranges
or individual types separated by commas.
.El
.Sh CHECKLIST
Here are some important points to consider when designing your
rules:
.Bl -bullet -hang -offset flag -width 1234567890123456
.It
Remember that you filter both packets going in and out.
Most connections need packets going in both directions.
.It
Remember to test very carefully.
It is a good idea to be near the console when doing this.
.It
Don't forget the loopback interface.
.El
.Sh FINE POINTS
There is one kind of packet that the firewall will always discard,
that is an IP fragment with a fragment offset of one.
This is a valid packet, but it only has one use, to try to circumvent
firewalls.
.Pp
If you are logged in over a network, loading the LKM version of
.Nm
is probably not as straightforward as you would think.
I recommend this command line:
.Bd -literal -offset center
modload /lkm/ipfw_mod.o && \e
ipfw add 32000 allow all from any to any
.Ed

Along the same lines, doing an
.Bd -literal -offset center
ipfw flush
.Ed

in similar surroundings is also a bad idea.
.Sh PACKET DIVERSION
A divert socket bound to the specified port will receive all packets diverted
to that port; see
.Xr divert 4 .
If no socket is bound to the destination port, or if the kernel
wasn't compiled with divert socket support, diverted packets are dropped.
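.Pp
The following Python program is an added illustration for this page, not part of FreeBSD's ipfw sources.
It models the behaviour described under DESCRIPTION (rules tried in increasing number order, the search ending at the first match except for a count rule, a per-rule packet counter, an unnumbered rule being placed 100 above the previous one, and the ever-present rule 65535 deny all from any to any), the <address/mask> and port-list forms given for src and dst, the in, out, setup and established options, and the CHECKLIST point that the return packets of a connection need a rule of their own.
The Packet tuple, the parse_rule, add, check and demo names, and the sample addresses 10.0.0.0/8 and 203.0.113.0/24 are assumptions made for the example; log, reject, divert, via, frag, ipoptions, tcpflags and icmptypes are not modeled.

```python
# Model of the ipfw rule-list semantics this page describes: rules tried in
# increasing number order, first match ends the search (count does not),
# per-rule counters, the implicit rule 65535 deny, and the address/mask,
# port-list and in/out/setup/established syntax. Added illustration, not ipfw code.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

TERMINAL = {"allow", "pass", "accept", "deny"}   # actions that end the search
# Assumed packet summary (not an ipfw type); flags = TCP flag names that are set.
Packet = namedtuple("Packet", "proto src dst sport dport direction flags",
                    defaults=(0, 0, "in", frozenset()))

def parse_addr(spec):
    """<address/mask>: any, ipno, ipno/bits or ipno:mask."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if ":" in spec:                  # 1.2.3.4:255.255.240.0 -> 1.2.0.0/20
        spec = spec.replace(":", "/", 1)
    return ipaddress.ip_network(spec, strict=False)   # 1.2.3.4/24 -> 1.2.3.0/24

def parse_ports(spec):
    """{port|port-port}[,port,...]: a range is allowed only as the first value."""
    if spec is None:
        return None                  # no port list given: any port matches
    ports = set()
    for i, item in enumerate(spec.split(",")):
        if "-" in item and i != 0:
            raise ValueError("a range may only be the first value")
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sports: set                      # None means any port
    dports: set
    opts: tuple
    packets: int = 0                 # per-rule counter, updated on every match

    def matches(self, p):
        ip, tcp = ipaddress.ip_address, p.proto == "tcp"
        ok = (self.proto in ("ip", "all", p.proto)
              and ip(p.src) in self.src and ip(p.dst) in self.dst
              and (self.sports is None or p.sport in self.sports)
              and (self.dports is None or p.dport in self.dports))
        for opt in self.opts:        # every listed option must hold as well
            ok = ok and {
                "in": p.direction == "in",
                "out": p.direction == "out",
                "setup": tcp and "syn" in p.flags and "ack" not in p.flags,
                "established": tcp and bool(p.flags & {"rst", "ack"}),
            }[opt]
        return ok

def parse_rule(text):
    """[number] action proto from src [ports] to dst [ports] [options]"""
    tok = text.split()
    number = int(tok.pop(0)) if tok[0].isdigit() else 0
    action, proto = tok.pop(0), tok.pop(0)
    assert tok.pop(0) == "from"
    src = tok.pop(0)
    sports = tok.pop(0) if tok[0] != "to" else None
    assert tok.pop(0) == "to"
    dst = tok.pop(0)
    dports = tok.pop(0) if tok and tok[0][0].isdigit() else None
    return Rule(number, action, proto, parse_addr(src), parse_addr(dst),
                parse_ports(sports), parse_ports(dports), tuple(tok))

def add(rules, text):
    """Insert in number order; an unnumbered rule goes 100 above the previous one."""
    r = parse_rule(text)
    if r.number == 0:
        r.number = (rules[-2].number if len(rules) > 1 else 0) + 100
    # Equal numbers keep insertion order; the default rule always stays last.
    pos = next((i for i, x in enumerate(rules[:-1]) if x.number > r.number), len(rules) - 1)
    rules.insert(pos, r)
    return r.number

def check(rules, p):
    """Walk the list in order; return (action, number) of the deciding rule."""
    for r in rules:
        if r.matches(p):
            r.packets += 1
            if r.action in TERMINAL:
                return r.action, r.number
            # count: counter updated, the search goes on to the next rule
    raise AssertionError("unreachable: rule 65535 matches everything")

def demo():
    """Constructed ruleset: accounting, outbound web, and its return packets."""
    rules = [parse_rule("65535 deny all from any to any")]     # always present
    add(rules, "count ip from any to any")                           # becomes rule 100
    add(rules, "allow tcp from 10.0.0.0/8 to any 80,443 out setup")  # 200
    add(rules, "allow tcp from any 80,443 to 10.0.0.0:255.0.0.0 in established")  # 300
    syn = Packet("tcp", "10.0.0.7", "203.0.113.5", 49152, 443, "out", frozenset({"syn"}))
    reply = Packet("tcp", "203.0.113.5", "10.0.0.7", 443, 49152, "in", frozenset({"syn", "ack"}))
    probe = Packet("tcp", "203.0.113.9", "10.0.0.7", 40000, 22, "in", frozenset({"syn"}))
    verdicts = [check(rules, p) for p in (syn, reply, probe)]
    return verdicts, rules[0].packets    # rule 100 (count) saw all three
```

In demo(), the outbound SYN to port 443 is allowed by rule 200 and the SYN/ACK reply by rule 300, while an unsolicited inbound SYN to port 22 falls through to rule 65535 and is denied; the count rule 100 records all three packets without ending the search.
Leaving out the established rule makes the reply fall through to 65535 as well, which is the CHECKLIST point about filtering both directions.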
.Sh EXAMPLES
This command adds an entry which denies all tcp packets from
.Em hacker.evil.org
to the telnet port of
.Em wolf.tambov.su
from being forwarded by the host:
.Pp
.Dl ipfw add deny tcp from hacker.evil.org to wolf.tambov.su 23
.Pp
This one disallows any connection from the entire hackers' network to
my host:
.Pp
.Dl ipfw add deny all from 123.45.67.0/24 to my.host.org
.Pp
Here is a good use of the list command to see accounting records:
.Pp
.Dl ipfw -at l
.Pp
or in short form
.Pp
.Dl ipfw -a l
.Pp
This rule diverts all incoming packets from 192.168.2.0/24 to divert port 5000:
.Pp
.Dl ipfw add divert 5000 all from 192.168.2.0/24 to any in
.Sh SEE ALSO
.Xr divert 4 ,
.Xr ip 4 ,
.Xr ipfirewall 4 ,
.Xr protocols 5 ,
.Xr services 5 ,
.Xr reboot 8 ,
.Xr syslogd 8
.Sh BUGS
.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
.Pp
This program can put your computer in a rather unusable state. When
using it for the first time, work on the console of the computer, and
do
.Em NOT
do anything you don't understand.
.Pp
When manipulating/adding chain entries, service and protocol names are
not accepted.
.Sh AUTHORS
Ugen J. S. Antsilevich,
Poul-Henning Kamp,
Alex Nash,
Archie Cobbs.
API based upon code written by Daniel Boulet for BSDI.
.Sh HISTORY
.Nm
first appeared in FreeBSD 2.0.