ipfw.8 revision 17441
.Dd July 20, 1996
.Dt IPFW 8 SMM
.Os FreeBSD
.Sh NAME
.Nm ipfw
.Nd controlling utility for IP firewall
.Sh SYNOPSIS
.Nm ipfw
.Ar file
.Nm ipfw
flush
.Nm ipfw
zero
.Oo
.Ar number
.Oc
.Nm ipfw
delete
.Ar number
.Nm ipfw
.Oo
.Fl atN
.Oc
list
.Nm ipfw
add
.Oo
.Ar number
.Oc
.Ar action
.Oo
log
.Oc
.Ar proto
from
.Ar src
to
.Ar dst
.Oo
via
.Ar name|ipno
.Oc
.Oo
.Ar options
.Oc
.Sh DESCRIPTION
If used as shown in the first synopsis line, the
.Ar file
will be read line by line and applied as arguments to the
.Nm ipfw
command.
.Pp
The ipfw code works by going through the rule-list for each packet,
until a match is found.
All rules have two associated counters, a packet count and
a byte count.
These counters are updated when a packet matches the rule.
.Pp
The rules are ordered by a ``line-number'' from 1 to 65534 that is used
to order and delete rules. Rules are tried in increasing order, and the
first rule that matches a packet applies.
Multiple rules may share the same number and apply in
the order in which they were added.
.Pp
If a rule is added without a number, it is numbered 100 higher
than the previous rule. If the highest defined rule number is
greater than 65434, new rules are appended to the last rule.
.Pp
The delete operation deletes the first rule with number
.Ar number ,
if any.
.Pp
The list command prints out the current rule set.
.Pp
The zero operation zeroes the counters associated with rule number
.Ar number .
.Pp
The flush operation removes all rules.
.Pp
One rule is always present:
.Bd -literal -offset center
65535 deny all from any to any
.Ed

This rule is the default policy, i.e., don't allow anything at all.
Your job in setting up rules is to modify this policy to match your needs.
.Pp
The following options are available:
.Bl -tag -width flag
.It Fl a
While listing, show counter values.
This option is the only way to see
accounting records.
.It Fl t
While listing, show last match timestamp.
.It Fl N
Try to resolve addresses and service names.
.El
.Pp
.Ar action :
.Bl -hang -offset flag -width 1234567890123456
.It Nm allow
Allow packets that match the rule.
The search terminates.
.It Nm pass
Same as allow.
.It Nm accept
Same as allow.
.It Nm count
Update counters for all packets that match the rule.
The search continues with the next rule.
.It Nm deny
Discard packets that match this rule.
The search terminates.
.It Nm reject
Discard packets that match this rule, and try to send an ICMP notice.
The search terminates.
.It Nm divert port
Divert packets that match this rule to the divert socket bound to port
.Ar port .
The search terminates.
.El
.Pp
When a packet matches a rule with the
.Nm log
keyword, a message will be printed on the console.
If the kernel was compiled with the
.Nm IP_FIREWALL_VERBOSE_LIMIT
option, then logging will cease after the number of packets
specified by the option are received for that particular
chain entry. Logging may then be re-enabled by clearing
the packet counter for that entry.
.Pp
.Ar proto :
.Bl -hang -offset flag -width 1234567890123456
.It Nm ip
All packets match.
.It Nm all
All packets match.
.It Nm tcp
Only TCP packets match.
.It Nm udp
Only UDP packets match.
.It Nm icmp
Only ICMP packets match.
.El
.Pp
.Ar src
and
.Ar dst :
.Pp
.Bl -hang -offset flag
.It <address/mask> [ports]
.El
.Pp
The
.Em <address/mask>
may be specified as:
.Bl -hang -offset flag -width 1234567890123456
.It Ar ipno
An ipnumber of the form 1.2.3.4.
Only this exact ip number matches the rule.
.It Ar ipno/bits
An ipnumber with a mask width of the form 1.2.3.4/24.
In this case all ip numbers from 1.2.3.0 to 1.2.3.255 will match.
.It Ar ipno:mask
An ipnumber with a netmask of the form 1.2.3.4:255.255.240.0.
In this case all ip numbers from 1.2.0.0 to 1.2.15.255 will match.
.El
.Pp
With the TCP and UDP
.Em protocols ,
an optional
.Em port
may be specified as:
.Pp
.Bl -hang -offset flag
.It Ns {port|port-port} Ns Op ,port Ns Op ,...
.El
.Pp
Service names (from
.Pa /etc/services )
may not be used instead of a numeric port value.
Also, note that a range may only be specified as the first value,
and the port list is limited to
.Nm IP_FW_MAX_PORTS
(as defined in /usr/src/sys/netinet/ip_fw.h)
ports.
.Pp
If ``via''
.Ar name
is specified, only packets received via or on their way out of an interface
matching
.Ar name
will match this rule.
.Pp
If ``via''
.Ar ipno
is specified, only packets received via or on their way out of an interface
having the address
.Ar ipno
will match this rule.
.Pp
.Ar options :
.Bl -hang -offset flag -width 1234567890123456
.It frag
Matches if the packet is a fragment and this is not the first fragment
of the datagram.
.It in
Matches if this packet was on the way in.
.It out
Matches if this packet was on the way out.
.It ipoptions Ar spec
Matches if the IP header contains the comma separated list of
options specified in
.Ar spec .
The supported IP options are:
.Nm ssrr
(strict source route),
.Nm lsrr
(loose source route),
.Nm rr
(record packet route), and
.Nm ts
(timestamp).
The absence of a particular option may be denoted
with a ``!''.
.It established
Matches packets that have the RST or ACK bits set.
TCP packets only.
.It setup
Matches packets that have the SYN bit set but no ACK bit.
TCP packets only.
.It tcpflags Ar spec
Matches if the TCP header contains the comma separated list of
flags specified in
.Ar spec .
The supported TCP flags are:
.Nm fin ,
.Nm syn ,
.Nm rst ,
.Nm psh ,
.Nm ack ,
and
.Nm urg .
The absence of a particular flag may be denoted
with a ``!''.
.It icmptypes Ar types
Matches if the ICMP type is in the list
.Ar types .
The list may be specified as any combination of ranges
or individual types separated by commas.
.It proto Ar ipproto
Matches if the protocol field in the IP header matches
any of the protocol numbers specified by the list
.Ar ipproto
(see
.Pa /etc/protocols
for a complete list).
Protocol ranges may not be used.
.El
.Sh CHECKLIST
Here are some important points to consider when designing your
rules:
.Bl -bullet -hang -offset flag -width 1234567890123456
.It
Remember that you filter both packets going in and out.
Most connections need packets going in both directions.
.It
Remember to test very carefully.
It is a good idea to be near the console when doing this.
.It
Don't forget the loopback interface.
.El
.Sh FINE POINTS
There is one kind of packet that the firewall will always discard,
that is an IP fragment with a fragment offset of one.
This is a valid packet, but it only has one use, to try to circumvent
firewalls.
.Pp
If you are logged in over a network, loading the LKM version of
.Nm
is probably not as straightforward as you would think.
I recommend this command line:
.Bd -literal -offset center
modload /lkm/ipfw_mod.o && \e
ipfw add 32000 allow all from any to any
.Ed

Along the same lines, doing an
.Bd -literal -offset center
ipfw flush
.Ed

in similar surroundings is also a bad idea.
.Sh PACKET DIVERSION
A divert socket bound to the specified port will receive all packets diverted
to that port; see
.Xr divert 4 .
If no socket is bound to the destination port, or if the kernel
wasn't compiled with divert socket support, diverted packets are dropped.
.Sh EXAMPLES
This command adds an entry which prevents all tcp packets from
.Em hacker.evil.org
to the telnet port of
.Em wolf.tambov.su
from being forwarded by the host:
.Pp
.Dl ipfw add deny tcp from hacker.evil.org to wolf.tambov.su 23
.Pp
This one disallows any connection from the entire hackers network to
my host:
.Pp
.Dl ipfw add deny all from 123.45.67.0/24 to my.host.org
.Pp
Here is a good use of the list command to see accounting records:
.Pp
.Dl ipfw -at l
.Pp
or in short form
.Pp
.Dl ipfw -a l
.Pp
This rule diverts all incoming packets from 192.168.2.0/24 to divert port 5000:
.Pp
.Dl ipfw add divert 5000 all from 192.168.2.0/24 to any in
.Sh SEE ALSO
.Xr gethostbyname 3 ,
.Xr getservbyport 3 ,
.Xr divert 4 ,
.Xr ip 4 ,
.Xr ipfirewall 4 ,
.Xr protocols 5 ,
.Xr services 5 ,
.Xr reboot 8 ,
.Xr syslogd 8
.Sh BUGS
.Pp
.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
.Pp
This program can put your computer in a rather unusable state. When
using it for the first time, work on the console of the computer, and
do
.Em NOT
do anything you don't understand.
.Pp
When manipulating/adding chain entries, service and protocol names are
not accepted.
.Sh HISTORY
Initially this utility was written for BSDI by:
.Pp
.Dl Daniel Boulet <danny@BouletFermat.ab.ca>
.Pp
The FreeBSD version is written completely by:
.Pp
.Dl Ugen J.S.Antsilevich <ugen@FreeBSD.ORG>
.Pp
This has all been extensively rearranged by Poul-Henning Kamp and
Alex Nash.
.Pp
Packet diversion added by Archie Cobbs <archie@whistle.com>.
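.Pp
The following Python model is an added example, not code from ipfw or this manual page. It walks a rule list the way DESCRIPTION and the src/dst syntax describe: rules ordered by number with automatic numbering (previous + 100, sharing the last number past 65434), the first match deciding except for count, packet and byte counters bumped on every match, the ipno, ipno/bits and ipno:mask address forms, optional port lists, and the ever-present rule 65535. The rule numbers, addresses and packets in demo() are constructed.

```python
import ipaddress  # added example, not ipfw code: models the rule-list semantics in DESCRIPTION

def addr_matches(spec, ip):  # spec: 'any', ipno, ipno/bits or ipno:mask (the src/dst forms)
    if spec == "any":
        return True
    base, sep, rest = spec.partition(":") if ":" in spec else spec.partition("/")
    if sep == ":":                     # ipno:mask gives the mask explicitly
        m = int(ipaddress.IPv4Address(rest))
    else:                              # ipno/bits; a bare ipno is an exact /32 match
        m = (0xFFFFFFFF << (32 - int(rest or 32))) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & m == int(ipaddress.IPv4Address(base)) & m

def ports_match(spec, port):  # spec: None (any port) or '{port|port-port}[,port,...]'
    return spec is None or any(int(lo) <= port <= int(hi or lo)
                               for lo, _, hi in (p.partition("-") for p in spec.split(",")))

class Firewall:
    def __init__(self):  # rule 65535 "deny all from any to any" is always present
        self.rules = [[65535, "deny", "all", "any", None, "any", None, None, [0, 0]]]

    def add(self, action, proto, src, dst, sport=None, dport=None, dirn=None, number=None):
        if number is None:  # highest rule + 100; past 65434 new rules share the last number
            prev = self.rules[-2][0] if len(self.rules) > 1 else 0
            number = prev + 100 if prev <= 65434 else prev
        self.rules.append([number, action, proto, src, sport, dst, dport, dirn, [0, 0]])
        self.rules.sort(key=lambda r: r[0])  # stable: equal numbers keep insertion order
        return number

    def check(self, proto, src, sport, dst, dport, direction, length=40):  # -> (number, action)
        for num, action, p, s, sp, d, dp, dirn, cnt in self.rules:
            if p not in ("ip", "all", proto) or dirn not in (None, direction):
                continue
            if not (addr_matches(s, src) and addr_matches(d, dst)):
                continue
            if proto in ("tcp", "udp") and not (ports_match(sp, sport) and ports_match(dp, dport)):
                continue
            cnt[0], cnt[1] = cnt[0] + 1, cnt[1] + length  # counters bumped on every match
            if action != "count":    # count keeps searching; every other action terminates
                return num, action

def demo():  # constructed scenario in the spirit of EXAMPLES; all addresses are made up
    fw = Firewall()
    fw.add("count", "all", "any", "any")                                        # rule 100
    fw.add("deny", "tcp", "any", "10.0.0.1", dport="23")                      # rule 200
    fw.add("deny", "all", "123.45.67.0/24", "any")                            # rule 300
    fw.add("allow", "tcp", "1.2.3.4:255.255.240.0", "any", dport="20-21,80")  # rule 400
    pkts = [("tcp", "1.2.9.9", 4000, "10.0.0.1", 23, "in"), ("tcp", "1.2.9.9", 4000, "10.0.0.1", 80, "in"),
            ("udp", "123.45.67.8", 53, "10.0.0.1", 53, "in"), ("icmp", "8.8.8.8", None, "10.0.0.1", None, "in")]
    return [fw.check(*p) for p in pkts], tuple(fw.rules[0][8])  # verdicts, counters of rule 100
```

Running demo() shows the telnet packet stopped by rule 200, the web packet passed by the ipno:mask rule 400, the packet from 123.45.67.0/24 stopped by rule 300, and the ICMP packet falling through to rule 65535, while the count rule 100 has seen all four packets.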