ipfw.8 revision 17441
.Dd July 20, 1996
.Dt IPFW 8 SMM
.Os FreeBSD
.Sh NAME
.Nm ipfw
.Nd controlling utility for IP firewall
.Sh SYNOPSIS
.Nm ipfw
.Ar file
.Nm ipfw
flush
.Nm ipfw
zero
.Oo
.Ar number
.Oc
.Nm ipfw
delete
.Ar number
.Nm ipfw
.Oo
.Fl atN
.Oc
list
.Nm ipfw
add
.Oo
.Ar number
.Oc
.Ar action
.Oo
log
.Oc
.Ar proto
from
.Ar src
to
.Ar dst
.Oo
via
.Ar name|ipno
.Oc
.Oo
.Ar options
.Oc
.Sh DESCRIPTION
If used as shown in the first synopsis line, the
.Ar file
will be read line by line and applied as arguments to the
.Nm ipfw
command.
.Pp
The ipfw code works by going through the rule-list for each packet,
until a match is found.
All rules have two associated counters, a packet count and
a byte count.
These counters are updated when a packet matches the rule.
.Pp
The rules are ordered by a ``line-number'' from 1 to 65534 that is used
to order and delete rules. Rules are tried in increasing order, and the
first rule that matches a packet applies.
Multiple rules may share the same number and apply in
the order in which they were added.
.Pp
If a rule is added without a number, it is numbered 100 higher
than the previous rule. If the highest defined rule number is
greater than 65434, new rules are appended to the last rule.
.Pp
The delete operation deletes the first rule with number
.Ar number ,
if any.
.Pp
The list command prints out the current rule set.
.Pp
The zero operation zeroes the counters associated with rule number
.Ar number .
.Pp
The flush operation removes all rules.
.Pp
One rule is always present:
.Bd -literal -offset center
65535 deny all from any to any
.Ed

This rule is the default policy, i.e., don't allow anything at all.
Your job in setting up rules is to modify this policy to match your needs.
.Pp
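The rule-list walk, automatic numbering, per-rule counters and the always-present rule 65535 described above, as an added Python model. This is not ipfw's own code: rules here match only on protocol and direction, and the class and method names are this example's own.

```python
# Added example, not ipfw's own code: a model of the rule walk described above
# (ordering by number, auto-numbering, the fixed rule 65535, counters, actions).
from dataclasses import dataclass

TERMINAL = {"allow", "pass", "accept", "deny", "reject"}   # "count" keeps searching

@dataclass
class Rule:
    number: int
    action: str
    proto: str = "all"      # ip/all match everything; tcp/udp/icmp match one protocol
    direction: str = ""     # "in", "out", or "" for either direction
    packets: int = 0
    nbytes: int = 0

class Chain:
    def __init__(self):
        self.rules = [Rule(65535, "deny")]   # 65535 deny all from any to any: always present

    def add(self, action, proto="all", direction="", number=None):
        """Insert a rule; without a number it is 100 higher than the previous rule."""
        if number is None:
            last = max((r.number for r in self.rules if r.number != 65535), default=0)
            number = last + 100 if last <= 65434 else last   # past 65434: append to last
        if not 0 < number < 65535:
            raise ValueError("rule numbers run from 1 to 65534")
        # keep ascending order; equal numbers apply in the order they were added
        pos = next((i for i, r in enumerate(self.rules) if r.number > number), len(self.rules))
        self.rules.insert(pos, Rule(number, action, proto, direction))
        return number

    def delete(self, number):
        """Delete the first rule with this number, if any."""
        for i, r in enumerate(self.rules):
            if r.number == number and number != 65535:
                del self.rules[i]
                return True
        return False

    def check(self, proto, direction, size):
        """Walk the list in order; return (number, action) of the first terminating match."""
        for r in self.rules:
            if r.proto not in ("ip", "all", proto) or (r.direction and r.direction != direction):
                continue
            r.packets += 1      # both counters update on every match, count rules included
            r.nbytes += size
            if r.action in TERMINAL:
                return r.number, r.action
```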
The following options are available:
.Bl -tag -width flag
.It Fl a
While listing, show counter values. This option is the only way to see
accounting records.
.It Fl t
While listing, show last match timestamp.
.It Fl N
Try to resolve addresses and service names.
.El
.Pp
.Ar action :
.Bl -hang -offset flag -width 1234567890123456
.It Nm allow
Allow packets that match the rule.
The search terminates.
.It Nm pass
Same as allow.
.It Nm accept
Same as allow.
.It Nm count
Update counters for all packets that match the rule.
The search continues with the next rule.
.It Nm deny
Discard packets that match this rule.
The search terminates.
.It Nm reject
Discard packets that match this rule, and try to send an ICMP notice.
The search terminates.
.It Nm divert port
Divert packets that match this rule to the divert socket bound to port
.Ar port .
The search terminates.
.El
.Pp
When a packet matches a rule with the
.Nm log
keyword, a message will be printed on the console.
If the kernel was compiled with the
.Nm IP_FIREWALL_VERBOSE_LIMIT
option, then logging will cease after the number of packets
specified by the option are received for that particular
chain entry.  Logging may then be re-enabled by clearing
the packet counter for that entry.
.Pp
.Ar proto :
.Bl -hang -offset flag -width 1234567890123456
.It Nm ip
All packets match.
.It Nm all
All packets match.
.It Nm tcp
Only TCP packets match.
.It Nm udp
Only UDP packets match.
.It Nm icmp
Only ICMP packets match.
.El
.Pp
.Ar src
and
.Ar dst :
.Pp
.Bl -hang -offset flag
.It <address/mask> [ports]
.El
.Pp
The
.Em <address/mask>
may be specified as:
.Bl -hang -offset flag -width 1234567890123456
.It Ar ipno
An ip number of the form 1.2.3.4.
Only this exact ip number matches the rule.
.It Ar ipno/bits
An ip number with a mask width of the form 1.2.3.4/24.
In this case all ip numbers from 1.2.3.0 to 1.2.3.255 will match.
.It Ar ipno:mask
An ip number with a mask of the form 1.2.3.4:255.255.240.0.
In this case all ip numbers from 1.2.0.0 to 1.2.15.255 will match.
.El
.Pp
With the TCP and UDP
.Em protocols ,
an optional
.Em port
may be specified as:
.Pp
.Bl -hang -offset flag
.It Ns {port|port-port} Ns Op ,port Ns Op ,...
.El
.Pp
Service names (from
.Pa /etc/services )
may not be used instead of a numeric port value.
Also, note that a range may only be specified as the first value,
and the port list is limited to
.Nm IP_FW_MAX_PORTS
(as defined in /usr/src/sys/netinet/ip_fw.h)
ports.
.Pp
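The three address/mask forms and the port-list syntax above, as an added Python matcher. This is not ipfw's parser (which is C); the value given for IP_FW_MAX_PORTS is a placeholder, since the real limit lives in ip_fw.h, and the function names are this example's own.

```python
# Added example, not ipfw's own code: a matcher for the src/dst syntax
# described above.  IP_FW_MAX_PORTS is a placeholder; the real value is in ip_fw.h.
import ipaddress

IP_FW_MAX_PORTS = 10  # assumed limit for this example only

def ip2int(dotted):
    """Dotted quad -> 32-bit integer (a host or service name raises ValueError)."""
    return int(ipaddress.IPv4Address(dotted))

def parse_address(spec):
    """Return (network, mask) as ints for ipno, ipno/bits or ipno:mask."""
    if "/" in spec:                      # 1.2.3.4/24 -> 1.2.3.0 .. 1.2.3.255
        ip, bits = spec.split("/", 1)
        bits = int(bits)
        if not 0 <= bits <= 32:
            raise ValueError("mask width must be 0..32")
        mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    elif ":" in spec:                    # 1.2.3.4:255.255.240.0 -> 1.2.0.0 .. 1.2.15.255
        ip, m = spec.split(":", 1)
        mask = ip2int(m)
    else:                                # plain ipno: only this exact address matches
        ip, mask = spec, 0xFFFFFFFF
    return ip2int(ip) & mask, mask

def parse_ports(spec):
    """Parse {port|port-port}[,port[,...]]: numeric only, a range only as the first value."""
    items = spec.split(",")
    if len(items) > IP_FW_MAX_PORTS:
        raise ValueError("port list exceeds IP_FW_MAX_PORTS")
    ports = []
    for i, item in enumerate(items):
        if "-" in item:
            if i != 0:
                raise ValueError("a range may only be the first value")
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)          # int() rejects names such as "telnet"
        ports.append((lo, hi))
    return ports

def matches(addr_spec, ip, port_spec=None, port=None):
    """True if packet address ip (and port, for tcp/udp) matches address/mask [ports]."""
    net, mask = parse_address(addr_spec)
    if ip2int(ip) & mask != net:
        return False
    if port_spec is None:                # no port list: any port matches
        return True
    return any(lo <= port <= hi for lo, hi in parse_ports(port_spec))
```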
If ``via''
.Ar name
is specified, only packets received via or on their way out of an interface
matching
.Ar name
will match this rule.
.Pp
If ``via''
.Ar ipno
is specified, only packets received via or on their way out of an interface
having the address
.Ar ipno
will match this rule.
.Pp
.Ar options :
.Bl -hang -offset flag -width 1234567890123456
.It frag
Matches if the packet is a fragment and this is not the first fragment
of the datagram.
.It in
Matches if this packet was on the way in.
.It out
Matches if this packet was on the way out.
.It ipoptions Ar spec
Matches if the IP header contains the comma separated list of
options specified in
.Ar spec .
The supported IP options are:
.Nm ssrr
(strict source route),
.Nm lsrr
(loose source route),
.Nm rr
(record packet route), and
.Nm ts
(timestamp).
The absence of a particular option may be denoted
with a ``!''.
.It established
Matches packets that have the RST or ACK bits set.
TCP packets only.
.It setup
Matches packets that have the SYN bit set but no ACK bit.
TCP packets only.
.It tcpflags Ar spec
Matches if the TCP header contains the comma separated list of
flags specified in
.Ar spec .
The supported TCP flags are:
.Nm fin ,
.Nm syn ,
.Nm rst ,
.Nm psh ,
.Nm ack ,
and
.Nm urg .
The absence of a particular flag may be denoted
with a ``!''.
.It icmptypes Ar types
Matches if the ICMP type is in the list
.Ar types .
The list may be specified as any combination of ranges
or individual types separated by commas.
.It proto Ar ipproto
Matches if the protocol field in the IP header matches
any of the protocol numbers specified by the list
.Ar ipproto
(see
.Pa /etc/protocols
for a complete list).
Protocol ranges may not be used.
.El
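The options listed above (frag, in/out, established, setup, tcpflags with ``!'' negation, icmptypes with ranges, and a numeric proto list; ipoptions is left out), evaluated against a packet, as an added Python example. This is not ipfw's own code: the packet is a plain dict whose field names are this example's own, and 6 and 1 are the IP protocol numbers of TCP and ICMP.

```python
# Added example, not ipfw's own code: an evaluator for the rule options listed
# above (frag, in/out, established, setup, tcpflags, icmptypes, proto) against a
# packet described as a dict; the dict field names are this example's own.
TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

def parse_flagspec(spec):
    """'syn,!ack' -> (flags that must be set, flags that must be clear)."""
    want, forbid = set(), set()
    for item in spec.split(","):
        name = item.lstrip("!")
        if name not in TCP_FLAGS:
            raise ValueError("unknown TCP flag: " + name)
        (forbid if item.startswith("!") else want).add(name)
    return want, forbid

def parse_ranges(spec):
    """'0,3-5,8' -> [(0,0),(3,5),(8,8)]; used for icmptypes (proto allows no ranges)."""
    out = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        out.append((int(lo), int(hi or lo)))
    return out

def option_matches(name, arg, pkt):
    """Evaluate one option for pkt = {proto, direction, frag_offset, flags, icmptype}."""
    if name == "frag":          # a fragment, but not the first one of the datagram
        return pkt["frag_offset"] > 0
    if name in ("in", "out"):
        return pkt["direction"] == name
    if name == "established":   # TCP only: RST or ACK set
        return pkt["proto"] == 6 and bool(pkt["flags"] & {"rst", "ack"})
    if name == "setup":         # TCP only: SYN set, ACK clear
        return pkt["proto"] == 6 and "syn" in pkt["flags"] and "ack" not in pkt["flags"]
    if name == "tcpflags":
        want, forbid = parse_flagspec(arg)
        return pkt["proto"] == 6 and want <= pkt["flags"] and not (forbid & pkt["flags"])
    if name == "icmptypes":
        return pkt["proto"] == 1 and any(lo <= pkt["icmptype"] <= hi for lo, hi in parse_ranges(arg))
    if name == "proto":         # numeric list only, no ranges
        return pkt["proto"] in [int(p) for p in arg.split(",")]
    raise ValueError("unknown option: " + name)

def options_match(opts, pkt):
    """All options of a rule must match (opts is a list of (name, arg) pairs)."""
    return all(option_matches(n, a, pkt) for n, a in opts)
```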
.Sh CHECKLIST
Here are some important points to consider when designing your
rules:
.Bl -bullet -hang -offset flag -width 1234567890123456
.It
Remember that you filter both packets going in and out.
Most connections need packets going in both directions.
.It
Remember to test very carefully.
It is a good idea to be near the console when doing this.
.It
Don't forget the loopback interface.
.El
.Sh FINE POINTS
There is one kind of packet that the firewall will always discard,
that is an IP fragment with a fragment offset of one.
This is a valid packet, but it only has one use, to try to circumvent
firewalls.
.Pp
If you are logged in over a network, loading the LKM version of
.Nm
is probably not as straightforward as you would think.
I recommend this command line:
.Bd -literal -offset center
modload /lkm/ipfw_mod.o && \e
ipfw add 32000 allow all from any to any
.Ed

Along the same lines, doing an
.Bd -literal -offset center
ipfw flush
.Ed

in similar surroundings is also a bad idea.
.Sh PACKET DIVERSION
A divert socket bound to the specified port will receive all packets diverted
to that port; see
.Xr divert 4 .
If no socket is bound to the destination port, or if the kernel
wasn't compiled with divert socket support, diverted packets are dropped.
.Sh EXAMPLES
This command adds an entry which blocks all tcp packets from
.Em hacker.evil.org
to the telnet port of
.Em wolf.tambov.su
from being forwarded by the host:
.Pp
.Dl ipfw add deny tcp from hacker.evil.org to wolf.tambov.su 23
.Pp
This one disallows any connection from the entire hackers network to
my host:
.Pp
.Dl ipfw add deny all from 123.45.67.0/24 to my.host.org
.Pp
Here is a good use of the list command to see accounting records:
.Pp
.Dl ipfw -at l
.Pp
or in short form
.Pp
.Dl ipfw -a l
.Pp
This rule diverts all incoming packets from 192.168.2.0/24 to divert port 5000:
.Pp
.Dl ipfw add divert 5000 all from 192.168.2.0/24 to any in
.Sh SEE ALSO
.Xr gethostbyname 3 ,
.Xr getservbyport 3 ,
.Xr divert 4 ,
.Xr ip 4 ,
.Xr ipfirewall 4 ,
.Xr protocols 5 ,
.Xr services 5 ,
.Xr reboot 8 ,
.Xr syslogd 8
.Sh BUGS
.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
.Pp
This program can put your computer in a rather unusable state. When
using it for the first time, work on the console of the computer, and
do
.Em NOT
do anything you don't understand.
.Pp
When manipulating/adding chain entries, service and protocol names are
not accepted.
.Sh HISTORY
Initially this utility was written for BSDI by:
.Pp
.Dl Daniel Boulet <danny@BouletFermat.ab.ca>
.Pp
The FreeBSD version is written completely by:
.Pp
.Dl Ugen J.S.Antsilevich <ugen@FreeBSD.ORG>
.Pp
This has all been extensively rearranged by Poul-Henning Kamp and
Alex Nash.
.Pp
Packet diversion added by Archie Cobbs <archie@whistle.com>.