ipfw.8 revision 17072
.Dd February 24, 1996
.Dt IPFW 8 SMM
.Os FreeBSD
.Sh NAME
.Nm ipfw
.Nd controlling utility for IP firewall
.Sh SYNOPSIS
.Nm ipfw
.Ar file
.Nm ipfw
flush
.Nm ipfw
zero
.Oo
.Ar number
.Oc
.Nm ipfw
delete
.Ar number
.Nm ipfw
.Oo
.Fl atN
.Oc
list
.Nm ipfw
add
.Oo
.Ar number
.Oc
.Ar action
.Oo
log
.Oc
.Ar proto
from
.Ar src
to
.Ar dst
.Oo
via
.Ar name|ipno
.Oc
.Oo
.Ar options
.Oc
.Sh DESCRIPTION
If used as shown in the first synopsis line, the
.Ar file
will be read line by line and applied as arguments to the
.Nm ipfw
command.
.Pp
The ipfw code works by going through the rule-list for each packet,
until a match is found.
All rules have two associated counters, a packet count and
a byte count.
These counters are updated when a packet matches the rule.
.Pp
The rules are ordered by a ``line-number'' from 1 to 65534 that is used
to order and delete rules. Rules are tried in increasing order, and the
first rule that matches a packet applies.
Multiple rules may share the same number and apply in
the order in which they were added.
.Pp
If a rule is added without a number, it is numbered 100 higher
than the previous rule. If the highest defined rule number is
greater than 65434, new rules are appended to the last rule.
.Pp
The delete operation deletes the first rule with number
.Ar number ,
if any.
.Pp
The list command prints out the current rule set.
.Pp
The zero operation zeroes the counters associated with rule number
.Ar number .
.Pp
The flush operation removes all rules.
.Pp
One rule is always present:
.Bd -literal -offset center
65535 deny all from any to any
.Ed

This rule is the default policy, i.e., don't allow anything at all.
Your job in setting up rules is to modify this policy to match your needs.
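.Pp
The rule-list behaviour described above (ordering by number, automatic numbering, first match wins, per-rule counters, the non-terminating count action and the fixed rule 65535), together with the logging limit and the fragment-offset check described further down this page, can be modelled in a few dozen lines. The following Python model is an added example and not code from ipfw(8) or the FreeBSD kernel; its class names, the packet record layout and the detail that the first unnumbered rule gets number 100 are assumptions made for the example.

```python
"""Model of the ipfw rule-list semantics described in this manual page.
Added illustration, not code from ipfw(8) or the FreeBSD kernel: class names,
the packet record layout and the auto-numbering details (100 for the first
rule; the last rule's own number once that exceeds 65434) are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]   # constructed packet record: proto, dport, len, frag_offset
DEFAULT_RULE = 65535         # always present: deny all from any to any
AUTO_STEP = 100              # a rule added without a number gets previous + 100
AUTO_LIMIT = 65434           # above this, unnumbered rules are appended to the last rule
TERMINATING = {"allow", "deny", "reject", "divert"}   # only `count` continues the search


@dataclass
class Rule:
    number: int
    action: str
    match: Callable[[Packet], bool]
    log: bool = False
    packets: int = 0         # packet counter, shown by `ipfw -a list`
    bytes: int = 0           # byte counter


class RuleList:
    def __init__(self, verbose_limit: Optional[int] = None):
        # verbose_limit models IP_FIREWALL_VERBOSE_LIMIT; None logs every match
        self.verbose_limit = verbose_limit
        self.rules: List[Rule] = [Rule(DEFAULT_RULE, "deny", lambda p: True)]
        self.log_lines: List[str] = []

    def add(self, action, match, number=None, log=False):
        user = [r for r in self.rules if r.number != DEFAULT_RULE]
        if number is None:
            if not user:
                number = AUTO_STEP
            elif user[-1].number > AUTO_LIMIT:
                number = user[-1].number        # appended to the last rule
            else:
                number = user[-1].number + AUTO_STEP
        if not 1 <= number < DEFAULT_RULE:
            raise ValueError("rule number must be 1..65534")
        # keep the list sorted by number; equal numbers keep their order of addition
        idx = next(i for i, r in enumerate(self.rules) if r.number > number)
        self.rules.insert(idx, Rule(number, action, match, log))
        return number

    def delete(self, number):
        # delete the first rule carrying this number, if any; 65535 cannot be removed
        for i, r in enumerate(self.rules):
            if r.number == number and number != DEFAULT_RULE:
                del self.rules[i]
                return True
        return False

    def zero(self, number=None):
        # zero the counters of one rule number, or of every rule
        for r in self.rules:
            if number is None or r.number == number:
                r.packets = r.bytes = 0

    def check(self, packet):
        # FINE POINTS: a fragment with offset 1 is discarded before any rule is tried
        if packet.get("frag_offset", 0) == 1:
            return "deny"
        for r in self.rules:
            if not r.match(packet):
                continue
            r.packets += 1
            r.bytes += int(packet.get("len", 0))
            # logging stops once the packet counter passes the limit; zero() re-enables it
            if r.log and (self.verbose_limit is None or r.packets <= self.verbose_limit):
                self.log_lines.append(f"ipfw: {r.number} {r.action} {packet.get('proto')}")
            if r.action in TERMINATING:
                return r.action
        raise AssertionError("unreachable: rule 65535 matches every packet")


def demo():
    """Build a small rule set and exercise the behaviours described above."""
    fw = RuleList(verbose_limit=2)
    tcp = lambda p: p["proto"] == "tcp"
    numbers = [fw.add("count", tcp),                                              # 100
               fw.add("allow", lambda p: tcp(p) and p["dport"] == 22, log=True),  # 200
               fw.add("deny", tcp),                                               # 300
               fw.add("allow", lambda p: p["proto"] == "udp", number=65434),
               fw.add("allow", lambda p: False),                                  # 65534
               fw.add("allow", lambda p: False)]                                  # 65534, appended
    ssh = {"proto": "tcp", "dport": 22, "len": 60, "frag_offset": 0}
    telnet = {"proto": "tcp", "dport": 23, "len": 60, "frag_offset": 0}
    verdicts = [fw.check(ssh), fw.check(ssh), fw.check(ssh), fw.check(telnet),
                fw.check({"proto": "udp", "dport": 53, "len": 80, "frag_offset": 0}),
                fw.check({"proto": "icmp", "len": 84, "frag_offset": 0}),
                fw.check(dict(ssh, frag_offset=1))]
    logged_before = len(fw.log_lines)
    fw.zero(200)                                   # clearing the counter re-enables logging
    verdicts.append(fw.check(ssh))
    return {"numbers": numbers, "verdicts": verdicts, "count_packets": fw.rules[0].packets,
            "logged_before_zero": logged_before, "logged_after_zero": len(fw.log_lines)}
```

demo() returns the rule numbers that were assigned and the verdicts for a handful of constructed packets. The count rule is hit by every TCP packet without ending the search, the ICMP packet falls through to rule 65535, the fragment with offset one is dropped before any rule is consulted, and the third SSH packet produces no log line until zero(200) resets the counter of the logging rule.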
.Pp
The following options are available:
.Bl -tag -width flag
.It Fl a
While listing, show counter values. This option is the only way to see
accounting records.
.It Fl t
While listing, show last match timestamp.
.It Fl N
Try to resolve addresses and service names.
.El
.Pp
.Ar action :
.Bl -hang -offset flag -width 1234567890123456
.It Nm allow
Allow packets that match the rule.
The search terminates.
.It Nm pass
Same as allow.
.It Nm accept
Same as allow.
.It Nm count
Update counters for all packets that match the rule.
The search continues with the next rule.
.It Nm deny
Discard packets that match this rule.
The search terminates.
.It Nm reject
Discard packets that match this rule, and try to send an ICMP notice.
The search terminates.
.It Nm divert port
Divert packets that match this rule to the divert socket bound to port
.Ar port .
The search terminates.
.El
.Pp
When a packet matches a rule with the
.Nm log
keyword, a message will be printed on the console.
If the kernel was compiled with the
.Nm IP_FIREWALL_VERBOSE_LIMIT
option, then logging will cease after the number of packets
specified by the option are received for that particular
chain entry. Logging may then be re-enabled by clearing
the packet counter for that entry.
.Pp
.Ar proto :
.Bl -hang -offset flag -width 1234567890123456
.It Nm ip
All packets match.
.It Nm all
All packets match.
.It Nm tcp
Only TCP packets match.
.It Nm udp
Only UDP packets match.
.It Nm icmp
Only ICMP packets match.
.El
.Pp
.Ar src
and
.Ar dst :
.Pp
.Bl -hang -offset flag
.It <address/mask> [ports]
.El
.Pp
The
.Em <address/mask>
may be specified as:
.Bl -hang -offset flag -width 1234567890123456
.It Ar ipno
An ip number of the form 1.2.3.4.
Only this exact ip number matches the rule.
.It Ar ipno/bits
An ip number with a mask width of the form 1.2.3.4/24.
In this case all ip numbers from 1.2.3.0 to 1.2.3.255 will match.
.It Ar ipno:mask
An ip number with a netmask of the form 1.2.3.4:255.255.240.0.
In this case all ip numbers from 1.2.0.0 to 1.2.15.255 will match.
.El
.Pp
With the TCP and UDP
.Em protocols ,
an optional
.Em port
may be specified as:
.Pp
.Bl -hang -offset flag
.It Ns {port|port-port} Ns Op ,port Ns Op ,...
.El
.Pp
Service names (from
.Pa /etc/services )
may not be used instead of a numeric port value.
Also, note that a range may only be specified as the first value,
and the port list is limited to
.Nm IP_FW_MAX_PORTS
(as defined in /usr/src/sys/netinet/ip_fw.h)
ports.
.Pp
If ``via''
.Ar name
is specified, only packets received via or on their way out of an interface
matching
.Ar name
will match this rule.
.Pp
If ``via''
.Ar ipno
is specified, only packets received via or on their way out of an interface
having the address
.Ar ipno
will match this rule.
.Pp
.Ar options :
.Bl -hang -offset flag -width 1234567890123456
.It frag
Matches if the packet is a fragment and this is not the first fragment
of the datagram.
.It in
Matches if this packet was on the way in.
.It out
Matches if this packet was on the way out.
.It ipoptions Ar spec
Matches if the IP header contains the comma separated list of
options specified in
.Ar spec .
The supported IP options are:
.Nm ssrr
(strict source route),
.Nm lsrr
(loose source route),
.Nm rr
(record packet route), and
.Nm ts
(timestamp).
The absence of a particular option may be denoted
with a ``!''.
.It established
Matches packets that have the RST or ACK bits set.
TCP packets only.
.It setup
Matches packets that have the SYN bit set but no ACK bit.
TCP packets only.
.It tcpflags Ar spec
Matches if the TCP header contains the comma separated list of
flags specified in
.Ar spec .
The supported TCP flags are:
.Nm fin ,
.Nm syn ,
.Nm rst ,
.Nm psh ,
.Nm ack ,
and
.Nm urg .
The absence of a particular flag may be denoted
with a ``!''.
.It icmptypes Ar types
Matches if the ICMP type is in the list
.Ar types .
The list may be specified as any combination of ranges
or individual types separated by commas.
.El
.Sh CHECKLIST
Here are some important points to consider when designing your
rules:
.Bl -bullet -hang -offset flag -width 1234567890123456
.It
Remember that you filter both packets going in and out.
Most connections need packets going in both directions.
.It
Remember to test very carefully.
It is a good idea to be near the console when doing this.
.It
Don't forget the loopback interface.
.It
Don't filter
.Nm all
if you are also specifying a port.
.El
.Sh FINE POINTS
There is one kind of packet that the firewall will always discard,
namely an IP fragment with a fragment offset of one.
This is a valid packet, but it only has one use, to try to circumvent
firewalls.
.Pp
If you are logged in over a network, loading the LKM version of
.Nm
is probably not as straightforward as you would think.
I recommend this command line:
.Bd -literal -offset center
modload /lkm/ipfw_mod.o && \e
ipfw add 32000 allow all from any to any
.Ed

Along the same lines, doing an
.Bd -literal -offset center
ipfw flush
.Ed

in similar surroundings is also a bad idea.
.Sh PACKET DIVERSION
A divert socket bound to the specified port will receive all packets diverted
to that port; see
.Xr divert 4 .
If no socket is bound to the destination port, or if the kernel
wasn't compiled with divert socket support, diverted packets are dropped.
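.Pp
The src, dst, port, ipoptions and tcpflags syntax described above can be exercised with the following parsers, which reproduce the two address ranges the page gives as examples (1.2.3.0 to 1.2.3.255 and 1.2.0.0 to 1.2.15.255), perform the address-AND-mask comparison the filter makes, reject a range that is not the first port value, reject service names, cap the port list, and handle ``!'' negation in a flag or option spec. This is an added Python example, not ipfw's own parser; the function names are assumed, and IP_FW_MAX_PORTS is given a placeholder value because the page does not state the real one.

```python
"""Parsers for the ipfw match primitives described above: the <address/mask>
forms (ipno, ipno/bits, ipno:mask), the {port|port-port}[,port[,...]] list and
the tcpflags/ipoptions spec with ``!'' negation.  Added illustration, not
ipfw's own parser: the function names are assumed, and IP_FW_MAX_PORTS gets a
placeholder value because the real one lives in ip_fw.h, not on this page."""
import re

IP_FW_MAX_PORTS = 10        # ASSUMED placeholder; see /usr/src/sys/netinet/ip_fw.h
TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")
IP_OPTIONS = ("ssrr", "lsrr", "rr", "ts")
ALL_ONES = 0xFFFFFFFF
_PORT_RE = re.compile(r"^(\d+)(?:-(\d+))?$")

def ip_to_int(s):
    parts = s.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"bad ip number: {s!r}")
    return int.from_bytes(bytes(int(p) for p in parts), "big")

def int_to_ip(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))

def parse_address(spec):
    """Return (address, mask) as 32-bit ints for the three <address/mask> forms."""
    if ":" in spec:                                  # ipno:mask, e.g. 1.2.3.4:255.255.240.0
        ip, mask = spec.split(":", 1)
        return ip_to_int(ip), ip_to_int(mask)
    if "/" in spec:                                  # ipno/bits, e.g. 1.2.3.4/24
        ip, bits = spec.split("/", 1)
        if not bits.isdigit() or not 0 <= int(bits) <= 32:
            raise ValueError(f"bad mask width: {bits!r}")
        return ip_to_int(ip), (ALL_ONES << (32 - int(bits))) & ALL_ONES
    return ip_to_int(spec), ALL_ONES                 # bare ipno: only this exact address

def address_range(spec):
    """First and last matching address (contiguous mask) as dotted quads."""
    addr, mask = parse_address(spec)
    return int_to_ip(addr & mask), int_to_ip((addr & mask) | (~mask & ALL_ONES))

def address_matches(spec, ip):
    """The comparison the filter performs: packet address ANDed with the mask."""
    addr, mask = parse_address(spec)
    return (ip_to_int(ip) & mask) == (addr & mask)

def parse_ports(spec):
    """Parse {port|port-port}[,port[,...]] into (low, high) pairs.

    A range is accepted only as the first value, only numeric ports are
    accepted (service names are rejected), and the list is capped at
    IP_FW_MAX_PORTS entries (counting a range as one entry is an assumption)."""
    items = spec.split(",")
    if len(items) > IP_FW_MAX_PORTS:
        raise ValueError("port list exceeds IP_FW_MAX_PORTS")
    ranges = []
    for i, item in enumerate(items):
        m = _PORT_RE.match(item)
        if not m:
            raise ValueError(f"numeric port expected, got {item!r}")
        if m.group(2) and i != 0:
            raise ValueError("a range may only be specified as the first value")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        ranges.append((lo, hi))
    return ranges

def parse_flag_spec(spec, known=TCP_FLAGS):
    """Parse 'syn,!ack' style specs into (must_be_set, must_be_clear) sets;
    pass known=IP_OPTIONS for an ipoptions spec."""
    must_set, must_clear = set(), set()
    for item in spec.split(","):
        name = item[1:] if item.startswith("!") else item
        if name not in known:
            raise ValueError(f"unknown flag or option: {name!r}")
        (must_clear if item.startswith("!") else must_set).add(name)
    if must_set & must_clear:
        raise ValueError("a flag cannot be both required and forbidden")
    return must_set, must_clear

def flags_match(spec_sets, present):
    """True when every required flag is set and no forbidden flag is present."""
    must_set, must_clear = spec_sets
    return must_set <= set(present) and not (must_clear & set(present))

def rejects(func, *args):
    """Helper for checks: True when func(*args) raises ValueError."""
    try:
        func(*args)
    except ValueError:
        return True
    return False
```

The ipno:mask form is kept as an arbitrary 32-bit mask rather than converted to a prefix length, because the comparison is a plain AND and a non-contiguous mask still has a defined result; address_range is only meaningful for contiguous masks. The setup option described above corresponds to the spec "syn,!ack" in this notation.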
.Sh EXAMPLES
This command adds an entry which prevents all tcp packets from
.Em hacker.evil.org
to the telnet port of
.Em wolf.tambov.su
from being forwarded by the host:
.Pp
.Dl ipfw add deny tcp from hacker.evil.org to wolf.tambov.su 23
.Pp
This one disallows any connection from the entire hackers network to
my host:
.Pp
.Dl ipfw add deny all from 123.45.67.0/24 to my.host.org
.Pp
Here is a good use of the list command to see accounting records:
.Pp
.Dl ipfw -at l
.Pp
or in short form
.Pp
.Dl ipfw -a l
.Pp
This rule diverts all incoming packets from 192.168.2.0/24 to divert port 5000:
.Pp
.Dl ipfw add divert 5000 all from 192.168.2.0/24 to any in
.Sh SEE ALSO
.Xr gethostbyname 3 ,
.Xr getservbyport 3 ,
.Xr ip 4 ,
.Xr ipfirewall 4 ,
.Xr ipaccounting 4 ,
.Xr divert 4 ,
.Xr reboot 8 ,
.Xr syslogd 8
.Sh BUGS
.Pp
.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
.Pp
This program can put your computer in a rather unusable state. When
using it for the first time, work on the console of the computer, and
do
.Em NOT
do anything you don't understand.
.Pp
When manipulating/adding chain entries, service names are
not accepted.
.Sh HISTORY
Initially this utility was written for BSDI by:
.Pp
.Dl Daniel Boulet <danny@BouletFermat.ab.ca>
.Pp
The FreeBSD version is written completely by:
.Pp
.Dl Ugen J.S.Antsilevich <ugen@FreeBSD.ORG>
.Pp
This has all been extensively rearranged by Poul-Henning Kamp and
Alex Nash.
.Pp
Packet diversion added by Archie Cobbs <archie@whistle.com>.
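.Pp
Several points from the CHECKLIST and BUGS sections above can be checked mechanically before a rule file (the first synopsis form) is loaded on a machine you are reaching over the network. The following Python lint is an added example and not part of ipfw(8): it applies three of those checks to each rule line, namely that all or ip is not combined with a port, that ports are numeric rather than service names, and that at least one rule mentions the loopback interface. The tokenizing of a rule line, the finding codes and the sample rule file are constructed for the example.

```python
"""Lint for an ipfw rule file, applying checks from the CHECKLIST and BUGS
sections of this manual page.  Added illustration, not part of ipfw(8): the
rule tokenizer, the finding codes and the sample file are constructed here."""
import re

ACTIONS = {"allow", "pass", "accept", "count", "deny", "reject", "divert"}
OPTION_WORDS = {"via", "frag", "in", "out", "ipoptions", "established",
                "setup", "tcpflags", "icmptypes"}
PORT_LIST_RE = re.compile(r"^\d+(-\d+)?(,\d+)*$")   # {port|port-port}[,port[,...]]

def lint_rules(text):
    """Return (line number, code) findings; line 0 is used for whole-file findings."""
    findings = []
    mentions_loopback = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # '#' comments are an assumption of this lint
        if not line:
            continue
        toks = line.split()
        if toks[0] == "add":                      # lines are arguments to ipfw, e.g. "add 100 ..."
            toks.pop(0)
        if toks and toks[0].isdigit():            # optional rule number
            toks.pop(0)
        if not toks or toks[0] not in ACTIONS or "from" not in toks or "to" not in toks:
            findings.append((lineno, "unparsable"))
            continue
        i, j = toks.index("from"), toks.index("to")
        proto = toks[i - 1]                       # the word before "from" is the protocol
        src = toks[i + 1:j]
        dst = []
        for t in toks[j + 1:]:                    # dst runs until the first option keyword
            if t in OPTION_WORDS:
                break
            dst.append(t)
        if "lo0" in toks or any(a.startswith("127.") for a in src[:1] + dst[:1]):
            mentions_loopback = True
        ports = src[1:] + dst[1:]                 # anything after an address is a port list
        for p in ports:
            if not PORT_LIST_RE.match(p):
                findings.append((lineno, "service-name"))   # BUGS: service names are not accepted
        if ports and proto in ("all", "ip"):
            findings.append((lineno, "all-with-port"))      # CHECKLIST: don't filter all with a port
    if not mentions_loopback:
        findings.append((0, "no-loopback"))                 # CHECKLIST: don't forget loopback
    return findings

SAMPLE_RULES = """\
# constructed sample rule file for the lint, not from the manual page
add 100 allow all from any to any via lo0
add 200 deny all from 123.45.67.0/24 to any 23
add 300 allow tcp from any to 10.0.0.5 telnet
add 400 allow tcp from any to 10.0.0.5 22 in
"""

if __name__ == "__main__":
    for lineno, code in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {code}")
```

Run against the constructed sample, the lint flags line 3 (a port combined with the all protocol) and line 4 (the service name telnet where ipfw expects 23); the rule on line 2 satisfies the loopback check. The "in"/"out" symmetry point of the checklist is not mechanically checkable from a rule file alone, since it depends on which connections the host is meant to carry.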