.Dd December 8, 2000
.Dt IP\ FILTER 4
.Os
.Sh NAME
.Nm IP Filter
.Nd Introduction to IP packet filtering
.Sh DESCRIPTION
IP Filter is a TCP/IP packet filter, suitable for use in a firewall
environment.
It can be used either as a loadable kernel module or incorporated into
your UNIX kernel; use as a loadable kernel module is highly recommended
wherever possible.
Scripts are provided to install and patch system files, as required.
.Sh FEATURES
The IP packet filter can:
.Bl -bullet -offset indent -compact
.It
explicitly deny/permit any packet from passing through
.It
distinguish between various interfaces
.It
filter by IP networks or hosts
.It
selectively filter any IP protocol
.It
selectively filter fragmented IP packets
.It
selectively filter packets with IP options
.It
send back an ICMP error/TCP reset for blocked packets
.It
keep packet state information for TCP, UDP and ICMP packet flows
.It
keep fragment state information for any IP packet, applying the same rule
to all fragments
.It
act as a Network Address Translator (NAT)
.It
use redirection to set up true transparent proxy connections
.It
provide packet header details to a user program for authentication
.It
in addition, support temporary storage of pre-authenticated rules for
passing packets through
.El
.Pp
Special provision is made for the three most common Internet protocols, TCP,
UDP and ICMP.
The IP packet filter allows filtering of:
.Bl -bullet -offset indent -compact
.It
inverted host/net matching
.It
TCP/UDP packets by port number or a port number range
.It
ICMP packets by type/code
.It
"established" TCP packets
.It
any arbitrary combination of TCP flags
.It
"short" (fragmented) IP packets with incomplete headers
.It
any of the 19 IP options or 8 registered IP security classes
.It
the TOS (Type of Service) field in packets
.El
.Pp
To keep track of the performance of the IP packet filter, a logging device
is used which supports logging of:
.Bl -bullet -offset indent -compact
.It
the TCP/UDP/ICMP and IP packet headers
.It
the first 128 bytes of the packet (including headers)
.El
.Pp
A packet can be logged when:
.Bl -bullet -offset indent -compact
.It
it is successfully passed through
.It
it is blocked from passing through
.It
it matches a rule set up to look for suspicious packets
.El
.Pp
IP Filter keeps its own set of statistics on:
.Bl -bullet -offset indent -compact
.It
packets blocked
.It
packets (and bytes!) used for accounting
.It
packets passed
.It
packets logged
.It
attempts to log which failed (buffer full)
.El
and much more, for packets going both in and out.
.Sh TOOLS
The current implementation provides a small set of tools, which can easily
be used and integrated with regular UNIX shells and tools.
A brief description of the tools provided:
.Pp
.Xr ipf 8
reads in a set of rules, from either stdin or a file, and adds them to
the kernel's current list (appending them).
It can also be used to flush the current filter set or delete individual
filter rules.
The file format is described in
.Xr ipf 5 .
.Pp
.Xr ipfs 8
is a utility to temporarily lock the IP Filter kernel tables (state tables
and NAT mappings) and write them to disk.
After that the system can be rebooted, and ipfs can be used to read these
tables from disk and restore them into the kernel.
This way the system can be rebooted without the connections being terminated.
.Pp
.Xr ipfstat 8
interrogates the kernel for statistics on packet filtering so far, and
retrieves the list of filters in operation for inbound and outbound packets.
.Pp
.Xr ipftest 1
reads in a filter rule file and then applies sample IP packets to the rule
file.
This allows for testing of a filter list and examination of how a packet is
passed along through it.
.Pp
.Xr ipmon 8
reads buffered data from the logging device (default is /dev/ipl)
for output to either:
.Bl -bullet -offset indent -compact
.It
screen (standard output)
.It
file
.It
syslog
.El
.Pp
.Xr ipsend 1
generates arbitrary IP packets for ethernet connected machines.
.Pp
.Xr ipresend 1
reads in a data file of saved IP packets (i.e. snoop/tcpdump/etherfind
output) and sends it back across the network.
.Pp
.Xr iptest 1
contains a set of test "programs" which send out a series of IP packets,
aimed at testing the strength of the TCP/IP stack at which it is aimed.
WARNING: this may crash machine(s) targeted!
.Pp
.Xr ipnat 8
reads in a set of rules, from either stdin or a file, and adds them to the
kernel's current list of active NAT rules.
NAT rules can also be deleted using ipnat.
The format of the configuration file to be used with ipnat is described in
.Xr ipnat 5 .
.Pp
For use in your own programs (e.g. for writing transparent application
proxies), the programming interface and the associated ioctls are
documented in
.Xr ipf 4 .
.Pp
Documentation on ioctls and the format of data saved to the logging
character device is provided in
.Xr ipl 4
so that you may develop your own applications to work with or in place of any
of the above.
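.Pp
The following Python model is added here as an illustration; it is not part
of IP Filter or of any of the tools above.
It applies a small rule set written in the
.Xr ipf 5
syntax to constructed sample packets, much as ipftest reads a rule file and
runs sample packets through it, and it models only the packet state check and
the filtering stage of the processing flow (NAT, accounting, fragment
handling, groups and logging are left out).
The semantics modelled are IP Filter's: rules are evaluated in order, the
last matching rule decides unless a match is marked quick, a packet no rule
matches is passed, and a pass rule with keep state lets the replies of that
flow through via the state table without consulting the rules again.
The interface name le0, the addresses and the rule set are constructed for
the example.

```python
# Toy model of IP Filter rule evaluation: an added example, not IP Filter's
# own code. Last match wins unless "quick"; "keep state" admits the flow's replies.
import ipaddress
import operator
from collections import namedtuple

ANY = ipaddress.ip_network("0.0.0.0/0")
PORT_OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt}
# direction is "in" or "out"; sport/dport stay 0 for protocols without ports
Packet = namedtuple("Packet", "direction iface proto src dst sport dport", defaults=(0, 0))


class Rule:
    """One filter rule; clauses left at None/ANY match anything."""
    def __init__(self, text, action, direction):
        self.text, self.action, self.direction = text, action, direction
        self.quick = self.keep_state = False
        self.iface = self.proto = None          # interface name, protocol name
        self.src = self.dst = ANY               # IPv4Network objects
        self.sport = self.dport = None          # (comparison, port) or None


def parse_rule(line):
    """Parse the ipf(5) subset: action dir [quick] [on IF] [proto P]
    (all | from NET [port OP N] to NET [port OP N]) [keep state]"""
    t = line.split()
    rule, i = Rule(line, t[0], t[1]), 2
    while i < len(t):
        kw = t[i]
        if kw in ("quick", "all"):
            rule.quick, i = rule.quick or kw == "quick", i + 1
        elif kw in ("on", "proto"):
            setattr(rule, "iface" if kw == "on" else "proto", t[i + 1])
            i += 2
        elif kw in ("from", "to"):
            net = ANY if t[i + 1] == "any" else ipaddress.ip_network(t[i + 1])
            port, i = None, i + 2
            if i < len(t) and t[i] == "port":           # e.g. "port = 80"
                port, i = (t[i + 1], int(t[i + 2])), i + 3
            setattr(rule, "src" if kw == "from" else "dst", net)
            setattr(rule, "sport" if kw == "from" else "dport", port)
        elif kw == "keep" and t[i + 1] == "state":
            rule.keep_state, i = True, i + 2
        else:
            raise ValueError(f"unsupported token {kw!r} in rule: {line}")
    return rule


def matches(rule, pkt):
    """Every clause present in the rule must match the packet."""
    if (rule.direction != pkt.direction or rule.iface not in (None, pkt.iface)
            or rule.proto not in (None, pkt.proto)
            or ipaddress.ip_address(pkt.src) not in rule.src
            or ipaddress.ip_address(pkt.dst) not in rule.dst):
        return False
    for spec, port in ((rule.sport, pkt.sport), (rule.dport, pkt.dport)):
        if spec is not None and not PORT_OPS[spec[0]](port, spec[1]):
            return False
    return True


class Filter:
    def __init__(self, rules_text):
        self.rules = [parse_rule(ln) for ln in rules_text.splitlines()
                      if ln.strip() and not ln.lstrip().startswith("#")]
        self.state = set()      # flows admitted by a "keep state" pass rule

    def process(self, pkt):
        """Return (verdict, reason); reason is "state", "default" or the rule."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.state or reply in self.state:   # state check precedes filtering
            return "pass", "state"
        winner = None
        for rule in self.rules:
            if matches(rule, pkt):
                winner = rule
                if rule.quick:                          # quick: this match is final
                    break
        if winner and winner.action == "pass" and winner.keep_state:
            self.state.add(flow)                        # remember the flow for its replies
        return (winner.action, winner.text) if winner else ("pass", "default")


# Constructed sample rule set in the ipf(5) subset parsed above.
SAMPLE_RULES = """
block in all
block out all
block in quick on le0 from 10.0.0.0/8 to any
pass in quick on le0 proto tcp from any to 192.168.1.10/32 port = 80 keep state
pass out quick on le0 proto tcp from 192.168.1.0/24 to any port = 443 keep state
pass in on le0 proto icmp from any to 192.168.1.10/32
"""


def run_sample():
    """Push constructed packets through SAMPLE_RULES, as ipftest(1) would."""
    fw = Filter(SAMPLE_RULES)
    packets = [
        Packet("in", "le0", "tcp", "203.0.113.5", "192.168.1.10", 40000, 80),   # web request
        Packet("out", "le0", "tcp", "192.168.1.10", "203.0.113.5", 80, 40000),  # its reply
        Packet("in", "le0", "tcp", "10.1.2.3", "192.168.1.10", 40000, 80),      # 10/8 source
        Packet("in", "le0", "tcp", "203.0.113.5", "192.168.1.10", 40000, 22),   # ssh attempt
        Packet("in", "le0", "icmp", "203.0.113.9", "192.168.1.10"),             # ping
        Packet("out", "le0", "udp", "192.168.1.20", "198.51.100.53", 5000, 53), # dns query
    ]
    return [fw.process(p) for p in packets]
```

Running run_sample shows the three behaviours side by side: the web request
is passed by the quick rule and creates state, so its reply is passed by the
state check even though "block out all" would otherwise reject it; the 10/8
source is stopped by the quick block before the later pass rule is reached;
and the ping is passed by a non-quick rule only because it is the last match
after "block in all".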
.Pp
Similarly, the interface to the NAT code is documented in
.Xr ipnat 4 .
.Sh PACKET PROCESSING FLOW
The following diagram illustrates the flow of TCP/IP packets through the
various stages introduced by IP Filter.
.Pp
.nf
                             IN
                             |
                             V
   +-------------------------+--------------------------+
   |                         |                          |
   |                         V                          |
   |            Network Address Translation             |
   |                         |                          |
   |     authenticated       |                          |
   |        +-------<--------+                          |
   |        |                |                          |
   |        |                V                          |
   |        V          IP Accounting                    |
   |        |                |                          |
   |        |                V                          |
   |        |      Fragment Cache Check--+              |
   |        |                |           |              |
   |        V                V           V              |
   |        |       Packet State Check-->+              |
   |        |                |           |              |
   |        |       +->--+   |           |              |
   |        |       |    |   V           |              |
   |        V   groups  IP Filtering     V              |
   |        |       |    |   |           |              |
   |        |       +--<-+   |           |              |
   |        |                |           |              |
   |        +--------------->|<----------+              |
   |                         |                          |
   |                         V                          |
   |                +---<----+                          |
   |                |        |                          |
   |            function     |                          |
   |                |        V                          |
   |                +--->----+                          |
   |                         |                          |
   |                         V                          |
+--|---<--- fast-route ---<--+                          |
|  |                         |                          |
|  |                         V                          |
|  +-------------------------+--------------------------+
|                            |
|                        pass only
|                            |
|                            V
V                [KERNEL TCP/IP Processing]
|                            |
|  +-------------------------+--------------------------+
|  |                         |                          |
|  |                         V                          |
|  |               Fragment Cache Check--+              |
|  |                         |           |              |
|  |                         V           V              |
|  |                Packet State Check-->+              |
|  |                         |           |              |
|  |                         V           |              |
V  |                   IP Filtering      |              |
|  |                         |           V              |
|  |                         |<----------+              |
|  |                         V                          |
|  |                   IP Accounting                    |
|  |                         |                          |
|  |                         V                          |
|  |            Network Address Translation             |
|  |                         |                          |
|  |                         V                          |
|  +-------------------------+--------------------------+
|                            |
|                        pass only
V                            |
+--------------------------->|
                             V
                            OUT
.fi
.Sh MORE INFORMATION
More information (including pointers to the FAQ and the mailing list) can be
obtained from the software's official homepage: www.ipfilter.org
.Sh SEE ALSO
.Xr ipf 4 ,
.Xr ipf 5 ,
.Xr ipf 8 ,
.Xr ipfilter 5 ,
.Xr ipfs 8 ,
.Xr ipfstat 8 ,
.Xr ipftest 1 ,
.Xr ipl 4 ,
.Xr ipmon 8 ,
.Xr ipnat 4 ,
.Xr ipnat 8