ipfw.8 revision 16380
.Dd February 24, 1996
.Dt IPFW 8 SMM
.Os FreeBSD
.Sh NAME
.Nm ipfw
.Nd controlling utility for IP firewall
.Sh SYNOPSIS
.Nm ipfw
.Ar file
.Nm ipfw
flush
.Nm ipfw
zero
.Oo
.Ar number
.Oc
.Nm ipfw
delete
.Ar number
.Nm ipfw
.Oo
.Fl atN
.Oc
list
.Nm ipfw
add
.Oo
.Ar number
.Oc
.Ar action
.Oo
log
.Oc
.Ar proto
from
.Ar src
to
.Ar dst
.Oo
via
.Ar name|ipno
.Oc
.Oo
.Ar options
.Oc
.Sh DESCRIPTION
If used as shown in the first synopsis line, the
.Ar file
will be read line by line and applied as arguments to the
.Nm ipfw
command.
.Pp
The ipfw code works by going through the rule-list for each packet,
until a match is found.
All rules have two counters associated with them, a packet count and
a byte count.
These counters are updated when a packet matches the rule.
.Pp
The rules are ordered by a ``line-number'' that is used to order and
delete rules.
If a rule is added without a number, it is put at the end, just before
the terminal ``policy-rule'', and numbered 100 higher than the previous
rule.
.Pp
One rule is always present:
.Bd -literal -offset center
65535 deny all from any to any
.Ed

This rule is the default policy, i.e. don't allow anything at all.
Your job in setting up rules is to modify this policy to match your
needs.
.Pp
The following options are available:
.Bl -tag -width flag
.It Fl a
While listing, show counter values. This option is the only way to see
accounting records.
.It Fl t
While listing, show last match timestamp.
.It Fl N
Try to resolve addresses and service names.
.El
.Pp
.Ar action :
.Bl -hang -offset flag -width 1234567890123456
.It Nm allow
Allow packets that match the rule.
The search terminates.
.It Nm pass
Same as allow.
.It Nm accept
Same as allow.
.It Nm count
Update counters for all packets that match the rule.
The search continues with the next rule.
.It Nm deny
Discard packets that match this rule.
The search terminates.
.It Nm reject
Discard packets that match this rule, try to send an ICMP notice.
The search terminates.
.El
.Pp
When a packet matches a rule with the
.Nm log
keyword, a message will be printed on the console.
If the kernel was compiled with the
.Nm IP_FIREWALL_VERBOSE_LIMIT
option, then logging will cease after the number of packets
specified by the option are received for that particular
chain entry.
Logging may then be re-enabled by clearing
the packet counter for that entry.
.Pp
.Ar proto :
.Bl -hang -offset flag -width 1234567890123456
.It Nm ip
All packets match.
.It Nm all
All packets match.
.It Nm tcp
Only TCP packets match.
.It Nm udp
Only UDP packets match.
.It Nm icmp
Only ICMP packets match.
.El
.Pp
.Ar src
and
.Ar dst :
.Pp
.Bl -hang -offset flag
.It <address/mask> [ports]
.El
.Pp
The
.Em <address/mask>
may be specified as:
.Bl -hang -offset flag -width 1234567890123456
.It Ar ipno
An IP number of the form 1.2.3.4.
Only this exact IP number matches the rule.
.It Ar ipno/bits
An IP number with a mask width of the form 1.2.3.4/24.
In this case all IP numbers from 1.2.3.0 to 1.2.3.255 will match.
.It Ar ipno:mask
An IP number with a mask of the form 1.2.3.4:255.255.240.0.
In this case all IP numbers from 1.2.0.0 to 1.2.15.255 will match.
.El
.Pp
With the TCP and UDP
.Em protocols ,
an optional
.Em port
may be specified as:
.Pp
.Bl -hang -offset flag
.It Ns {port|port:port} Ns Op ,port Ns Op ,...
.El
.Pp
Service names (from
.Pa /etc/services )
may not be used instead of a numeric port value.
Also, note that a range may only be specified as the first value,
and the port list is limited to
.Nm IP_FW_MAX_PORTS
(as defined in /usr/src/sys/netinet/ip_fw.h)
ports.
.Pp
If ``via''
.Ar name
is specified, only packets received via or on their way out of an interface
matching
.Ar name
will match this rule.
.Pp
If ``via''
.Ar ipno
is specified, only packets received via or on their way out of an interface
having the address
.Ar ipno
will match this rule.
.Pp
.Ar options :
.Bl -hang -offset flag -width 1234567890123456
.It frag
Matches if the packet is a fragment and this is not the first fragment
of the datagram.
.It in
Matches if this packet was on the way in.
.It out
Matches if this packet was on the way out.
.It ipoptions Ar spec
Matches if the IP header contains the comma separated list of
options specified in
.Ar spec .
The supported IP options are:
.Nm ssrr
(strict source route),
.Nm lsrr
(loose source route),
.Nm rr
(record packet route), and
.Nm ts
(timestamp).
The absence of a particular option may be denoted
with a ``!''.
.It established
Matches packets that do not have the SYN bit set.
TCP packets only.
.It setup
Matches packets that have the SYN bit set but no ACK bit.
TCP packets only.
.It tcpflags Ar spec
Matches if the TCP header contains the comma separated list of
flags specified in
.Ar spec .
The supported TCP flags are:
.Nm fin ,
.Nm syn ,
.Nm rst ,
.Nm psh ,
.Nm ack ,
and
.Nm urg .
The absence of a particular flag may be denoted
with a ``!''.
.It icmptypes Ar types
Matches if the ICMP type is in the list
.Ar types .
The list may be specified as any combination of ranges
or individual types separated by commas.
.El
.Sh CHECKLIST
Here are some important points to consider when designing your
rules:
.Bl -bullet -hang -offset flag -width 1234567890123456
.It
Remember that you filter both packets going in and out.
Most connections need packets going in both directions.
.It
Remember to test very carefully.
It is a good idea to be near the console when doing this.
.It
Don't forget the loopback interface.
.It
Don't filter
.Nm all
if you are also specifying a port.
.El
.Sh FINE POINTS
There is one kind of packet that the firewall will always discard,
that is an IP fragment with a fragment offset of one.
This is a valid packet, but it only has one use, to try to circumvent
firewalls.
.Pp
If you are logged in over a network, loading the LKM version of
.Nm
is probably not as straightforward as you would think.
I recommend this command line:
.Bd -literal -offset center
modload /lkm/ipfw_mod.o && \e
ipfw add 32000 allow all from any to any
.Ed

Along the same lines, doing an
.Bd -literal -offset center
ipfw flush
.Ed

in similar surroundings is also a bad idea.
.Sh EXAMPLES
This command adds an entry which denies all tcp packets from
.Em hacker.evil.org
to the telnet port of
.Em wolf.tambov.su
from being forwarded by the host:
.Pp
.Dl ipfw add deny tcp from hacker.evil.org to wolf.tambov.su 23
.Pp
This one disallows any connection from the entire hackers network to
my host:
.Pp
.Dl ipfw add deny all from 123.45.67.0/24 to my.host.org
.Pp
Here is a good usage of the list command to see accounting records
(with last match timestamps):
.Pp
.Dl ipfw -at l
.Pp
or in short form
.Pp
.Dl ipfw -a l
.Pp
.Sh SEE ALSO
.Xr gethostbyname 3 ,
.Xr getservbyport 3 ,
.Xr ip 4 ,
.Xr ipfirewall 4 ,
.Xr ipaccounting 4 ,
.Xr reboot 8 ,
.Xr syslogd 8
.Sh BUGS
.Pp
.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
.Pp
This program can put your computer in a rather unusable state. When
using it for the first time, work on the console of the computer, and
do
.Em NOT
do anything you don't understand.
.Pp
When manipulating/adding chain entries, service names are
not accepted.
.Sh HISTORY
Initially this utility was written for BSDI by:
.Pp
.Dl Daniel Boulet <danny@BouletFermat.ab.ca>
.Pp
The FreeBSD version is written completely by:
.Pp
.Dl Ugen J.S.Antsilevich <ugen@FreeBSD.ORG>
.Pp
This has all been extensively rearranged by Poul-Henning Kamp and
Alex Nash.
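As an added example (not part of ipfw or this manual page), the following Python model reproduces the rule-chain semantics the DESCRIPTION section describes: numbered ordering with the always-present policy rule 65535, unnumbered rules landing 100 above the previous one, count updating the counters and continuing while every other action terminates the search, the three address/mask forms, and the port-list syntax where only the first value may be a range. It assumes numeric addresses only (no name resolution) and that the first unnumbered rule in an empty chain is numbered 100.

```python
import ipaddress
def addr_matches(spec, ip):
    """src/dst forms from the page: any, ipno, ipno/bits or ipno:mask."""
    if spec == "any":
        return True
    if ":" in spec:  # ipno:mask form, e.g. 1.2.3.4:255.255.240.0
        spec = spec.replace(":", "/")
    # strict=False drops host bits, so 1.2.3.4/24 covers 1.2.3.0 to 1.2.3.255
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    """{port|port:port}[,port...]: a range is only allowed as the first value."""
    if spec is None:  # no port list given: every port matches
        return True
    for i, item in enumerate(spec.split(",")):
        if ":" in item:
            if i != 0:
                raise ValueError("a range may only be specified as the first value")
            lo, hi = (int(x) for x in item.split(":"))
            if lo <= port <= hi:
                return True
        elif int(item) == port:
            return True
    return False

class RuleList:
    """Ordered chain; the policy rule 65535 (deny all) is always present."""
    def __init__(self):
        self.rules = []
        self.add("deny", "all", "any", "any", num=65535)

    def add(self, action, proto, src, dst, sport=None, dport=None, num=None):
        if num is None:  # unnumbered: 100 above the last user rule (assumed 100 if none)
            num = max([r["num"] for r in self.rules if r["num"] < 65535] + [0]) + 100
        self.rules.append(dict(num=num, action=action, proto=proto, src=src,
                               sport=sport, dst=dst, dport=dport, pkts=0, bytes=0))
        self.rules.sort(key=lambda r: r["num"])

    def check(self, proto, src, sport, dst, dport, size=64):
        """Walk the chain: count updates counters and continues, others stop."""
        for r in self.rules:
            if r["proto"] not in ("ip", "all", proto):
                continue
            if not (addr_matches(r["src"], src) and addr_matches(r["dst"], dst) and
                    port_matches(r["sport"], sport) and port_matches(r["dport"], dport)):
                continue
            r["pkts"] += 1  # both counters update on every match, including count
            r["bytes"] += size
            if r["action"] != "count":
                return r["num"], r["action"]
```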