ipfw.8 revision 16819
.Dd February 24, 1996
.Dt IPFW 8 SMM
.Os FreeBSD
.Sh NAME
.Nm ipfw
.Nd controlling utility for IP firewall
.Sh SYNOPSIS
.Nm ipfw
.Ar file
.Nm ipfw
flush
.Nm ipfw
zero
.Oo
.Ar number
.Oc
.Nm ipfw
delete
.Ar number
.Nm ipfw
.Oo
.Fl atN
.Oc
list
.Nm ipfw
add
.Oo
.Ar number
.Oc
.Ar action
.Oo
log
.Oc
.Ar proto
from
.Ar src
to
.Ar dst
.Oo
via
.Ar name|ipno
.Oc
.Oo
.Ar options
.Oc
.Sh DESCRIPTION
If used as shown in the first synopsis line, the
.Ar file
will be read line by line and applied as arguments to the
.Nm ipfw
command.
.Pp
The ipfw code works by going through the rule-list for each packet,
until a match is found.
All rules have two counters associated with them, a packet count and
a byte count.
These counters are updated when a packet matches the rule.
.Pp
The rules are ordered by a ``line-number'' that is used to order and
delete rules.
If a rule is added without a number, it is put at the end, just before
the terminal ``policy-rule'', and numbered 100 higher than the previous
rule.
.Pp
One rule is always present:
.Bd -literal -offset center
65535 deny all from any to any
.Ed

This rule is the default policy, i.e. don't allow anything at all.
Your job in setting up rules is to modify this policy to match your
needs.
.Pp
The following options are available:
.Bl -tag -width flag
.It Fl a
While listing, show counter values.
This option is the only way to see accounting records.
.It Fl t
While listing, show the last match timestamp.
.It Fl N
Try to resolve addresses and service names.
.El
.Pp
.Ar action :
.Bl -hang -offset flag -width 1234567890123456
.It Nm allow
Allow packets that match the rule.
The search terminates.
.It Nm pass
Same as allow.
.It Nm accept
Same as allow.
.It Nm count
Update counters for all packets that match the rule.
The search continues with the next rule.
.It Nm deny
Discard packets that match this rule.
The search terminates.
.It Nm reject
Discard packets that match this rule, and try to send an ICMP notice.
The search terminates.
.El
.Pp
When a packet matches a rule with the
.Nm log
keyword, a message will be printed on the console.
If the kernel was compiled with the
.Nm IP_FIREWALL_VERBOSE_LIMIT
option, then logging will cease after the number of packets
specified by the option are received for that particular
chain entry.
Logging may then be re-enabled by clearing
the packet counter for that entry.
.Pp
.Ar proto :
.Bl -hang -offset flag -width 1234567890123456
.It Nm ip
All packets match.
.It Nm all
All packets match.
.It Nm tcp
Only TCP packets match.
.It Nm udp
Only UDP packets match.
.It Nm icmp
Only ICMP packets match.
.El
.Pp
.Ar src
and
.Ar dst :
.Pp
.Bl -hang -offset flag
.It <address/mask> [ports]
.El
.Pp
The
.Em <address/mask>
may be specified as:
.Bl -hang -offset flag -width 1234567890123456
.It Ar ipno
An ip number of the form 1.2.3.4.
Only this exact ip number matches the rule.
.It Ar ipno/bits
An ip number with a mask width of the form 1.2.3.4/24.
In this case all ip numbers from 1.2.3.0 to 1.2.3.255 will match.
.It Ar ipno:mask
An ip number with a mask of the form 1.2.3.4:255.255.240.0.
In this case all ip numbers from 1.2.0.0 to 1.2.15.255 will match.
.El
.Pp
With the TCP and UDP
.Em protocols ,
an optional
.Em port
may be specified as:
.Pp
.Bl -hang -offset flag
.It Ns {port|port-port} Ns Op ,port Ns Op ,...
.El
.Pp
Service names (from
.Pa /etc/services )
may not be used instead of a numeric port value.
Also, note that a range may only be specified as the first value,
and the port list is limited to
.Nm IP_FW_MAX_PORTS
(as defined in /usr/src/sys/netinet/ip_fw.h)
ports.
.Pp
If ``via''
.Ar name
is specified, only packets received via or on their way out of an interface
matching
.Ar name
will match this rule.
.Pp
If ``via''
.Ar ipno
is specified, only packets received via or on their way out of an interface
having the address
.Ar ipno
will match this rule.
.Pp
.Ar options :
.Bl -hang -offset flag -width 1234567890123456
.It frag
Matches if the packet is a fragment and this is not the first fragment
of the datagram.
.It in
Matches if this packet was on the way in.
.It out
Matches if this packet was on the way out.
.It ipoptions Ar spec
Matches if the IP header contains the comma-separated list of
options specified in
.Ar spec .
The supported IP options are:
.Nm ssrr
(strict source route),
.Nm lsrr
(loose source route),
.Nm rr
(record packet route), and
.Nm ts
(timestamp).
The absence of a particular option may be denoted
with a ``!''.
.It established
Matches packets that do not have the SYN bit set.
TCP packets only.
.It setup
Matches packets that have the SYN bit set but no ACK bit.
TCP packets only.
.It tcpflags Ar spec
Matches if the TCP header contains the comma-separated list of
flags specified in
.Ar spec .
The supported TCP flags are:
.Nm fin ,
.Nm syn ,
.Nm rst ,
.Nm psh ,
.Nm ack ,
and
.Nm urg .
The absence of a particular flag may be denoted
with a ``!''.
.It icmptypes Ar types
Matches if the ICMP type is in the list
.Ar types .
The list may be specified as any combination of ranges
or individual types separated by commas.
.El
.Sh CHECKLIST
Here are some important points to consider when designing your
rules:
.Bl -bullet -hang -offset flag -width 1234567890123456
.It
Remember that you filter both packets going in and out.
Most connections need packets going in both directions.
.It
Remember to test very carefully.
It is a good idea to be near the console when doing this.
.It
Don't forget the loopback interface.
.It
Don't filter
.Nm all
if you are also specifying a port.
.El
.Sh FINE POINTS
There is one kind of packet that the firewall will always discard,
that is an IP fragment with a fragment offset of one.
This is a valid packet, but it only has one use, to try to circumvent
firewalls.
.Pp
If you are logged in over a network, loading the LKM version of
.Nm
is probably not as straightforward as you would think.
I recommend this command line:
.Bd -literal -offset center
modload /lkm/ipfw_mod.o && \e
ipfw add 32000 allow all from any to any
.Ed

Along the same lines, doing an
.Bd -literal -offset center
ipfw flush
.Ed

in similar surroundings is also a bad idea.
.Sh EXAMPLES
This command adds an entry which denies all tcp packets from
.Em hacker.evil.org
to the telnet port of
.Em wolf.tambov.su
and so stops them from being forwarded by the host:
.Pp
.Dl ipfw add deny tcp from hacker.evil.org to wolf.tambov.su 23
.Pp
This one disallows any connection from the entire hackers network to
my host:
.Pp
.Dl ipfw add deny all from 123.45.67.0/24 to my.host.org
.Pp
Here is a good usage of the list command to see accounting records:
.Pp
.Dl ipfw -at l
.Pp
or in short form
.Pp
.Dl ipfw -a l
.Pp
.Sh SEE ALSO
.Xr gethostbyname 3 ,
.Xr getservbyport 3 ,
.Xr ip 4 ,
.Xr ipfirewall 4 ,
.Xr ipaccounting 4 ,
.Xr reboot 8 ,
.Xr syslogd 8
.Sh BUGS
.Pp
.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
.Pp
This program can put your computer in a rather unusable state.
When using it for the first time, work on the console of the computer, and
do
.Em NOT
do anything you don't understand.
.Pp
When manipulating/adding chain entries, service names are
not accepted.
.Sh HISTORY
Initially this utility was written for BSDI by:
.Pp
.Dl Daniel Boulet <danny@BouletFermat.ab.ca>
.Pp
The FreeBSD version is written completely by:
.Pp
.Dl Ugen J.S.Antsilevich <ugen@FreeBSD.ORG>
.Pp
This has all been extensively rearranged by Poul-Henning Kamp and
Alex Nash.
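The following is an added illustration, not code from ipfw or its authors: a small Python model of the matching semantics this page describes, i.e. the three address/mask forms (ipno, ipno/bits, ipno:mask), the numeric port list with a range allowed only in first position, the walk through the numbered rule list where count updates the two counters and continues while allow/deny terminate, and the always-present rule 65535. The rule list, addresses and packets in it are constructed for the example.

```python
import ipaddress

def parse_addr(spec):
    """The <address/mask> forms from the man page: ipno, ipno/bits, ipno:mask, or any."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if ":" in spec:                                  # 1.2.3.4:255.255.240.0 -> 1.2.0.0/20
        ip, mask = spec.split(":", 1)
        return ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return ipaddress.ip_network(spec, strict=False)  # 1.2.3.4 or 1.2.3.4/24

def parse_ports(spec):
    """{port|port-port}[,port[,...]]: numeric only; a range only as the first value."""
    allowed = set()
    for i, item in enumerate(spec.split(",") if spec else []):
        if "-" in item:
            if i != 0:
                raise ValueError("a range may only be specified as the first value")
            lo, hi = item.split("-", 1)
            allowed.update(range(int(lo), int(hi) + 1))
        else:
            allowed.add(int(item))
    return allowed or None                           # None: any port matches

def rule(num, action, proto, src, dst, sports="", dports=""):
    return {"num": num, "action": action, "proto": proto, "pkts": 0, "bytes": 0,
            "src": parse_addr(src), "dst": parse_addr(dst),
            "sport": parse_ports(sports), "dport": parse_ports(dports)}

def matches(r, pkt):
    """Protocol, then src/dst address, then the optional port lists (None = any port)."""
    return (r["proto"] in ("ip", "all", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in r["src"]
            and ipaddress.ip_address(pkt["dst"]) in r["dst"]
            and all(r[k] is None or pkt.get(k) in r[k] for k in ("sport", "dport")))

def evaluate(rules, pkt):
    for r in sorted(rules, key=lambda r: r["num"]):  # walk the list in line-number order
        if matches(r, pkt):
            r["pkts"] += 1                           # both counters update on every match
            r["bytes"] += pkt["len"]
            if r["action"] != "count":               # count goes on; the rest terminate
                return (r["num"], r["action"])

def build_rules():                                   # constructed rule list; 65535 = default policy
    return [rule(100, "count", "all", "any", "any"),
            rule(200, "deny", "tcp", "123.45.67.0/24", "any", dports="23"),
            rule(300, "allow", "tcp", "any", "1.2.3.4:255.255.240.0", dports="1024-65535,22"),
            rule(65535, "deny", "all", "any", "any")]
```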