ipfw.8 revision 18303
.Dd July 20, 1996
.Dt IPFW 8 SMM
.Os FreeBSD
.Sh NAME
.Nm ipfw
.Nd controlling utility for IP firewall
.Sh SYNOPSIS
.Nm
.Ar file
.Nm ipfw
flush
.Nm ipfw
zero
.Oo
.Ar number
.Oc
.Nm ipfw
delete
.Ar number
.Nm ipfw
.Oo
.Fl aftN
.Oc
list
.Nm ipfw
add
.Oo
.Ar number
.Oc
.Ar action
.Oo
log
.Oc
.Ar proto
from
.Ar src
to
.Ar dst
.Oo
via
.Ar name|ipno
.Oc
.Oo
.Ar options
.Oc
.Sh DESCRIPTION
If used as shown in the first synopsis line, the
.Ar file
will be read line by line and applied as arguments to the
.Nm
command.
.Pp
The
.Nm
code works by going through the rule-list for each packet,
until a match is found.
All rules have two associated counters, a packet count and
a byte count.
These counters are updated when a packet matches the rule.
.Pp
The rules are ordered by a ``line-number'' from 1 to 65534 that is used
to order and delete rules. Rules are tried in increasing order, and the
first rule that matches a packet applies.
Multiple rules may share the same number and apply in
the order in which they were added.
.Pp
If a rule is added without a number, it is numbered 100 higher
than the previous rule. If the highest defined rule number is
greater than 65434, new rules are appended to the last rule.
.Pp
The delete operation deletes the first rule with number
.Ar number ,
if any.
.Pp
The list command prints out the current rule set.
.Pp
The zero operation zeroes the counters associated with rule number
.Ar number .
.Pp
The flush operation removes all rules.
.Pp
One rule is always present:
.Bd -literal -offset center
65535 deny all from any to any
.Ed
.Pp
This rule is the default policy, i.e., don't allow anything at all.
Your job in setting up rules is to modify this policy to match your needs.
.Pp
The following options are available:
.Bl -tag -width flag
.It Fl a
While listing, show counter values. This option is the only way to see
accounting records.
.It Fl f
Don't ask for confirmation for commands that can cause problems if misused
(i.e., flush).
Note that if there is no tty associated with the process, this is implied.
.It Fl t
While listing, show the last match timestamp.
.It Fl N
Try to resolve addresses and service names in output.
.El
.Pp
.Ar action :
.Bl -hang -offset flag -width 1234567890123456
.It Nm allow
Allow packets that match the rule.
The search terminates.
.It Nm pass
Same as allow.
.It Nm accept
Same as allow.
.It Nm count
Update counters for all packets that match the rule.
The search continues with the next rule.
.It Nm deny
Discard packets that match this rule.
The search terminates.
.It Nm reject
Discard packets that match this rule, and try to send an ICMP notice.
The search terminates.
.It Nm divert Ar port
Divert packets that match this rule to the divert socket bound to port
.Ar port .
The search terminates.
.El
.Pp
When a packet matches a rule with the
.Nm log
keyword, a message will be printed on the console.
If the kernel was compiled with the
.Nm IP_FIREWALL_VERBOSE_LIMIT
option, then logging will cease after the number of packets
specified by the option are received for that particular
chain entry.  Logging may then be re-enabled by clearing
the packet counter for that entry.
.Pp
.Ar proto :
.Bl -hang -offset flag -width 1234567890123456
.It Nm ip
All packets match.
.It Nm all
All packets match.
.It Nm tcp
Only TCP packets match.
.It Nm udp
Only UDP packets match.
.It Nm icmp
Only ICMP packets match.
.It Nm <number|name>
Only packets for the specified protocol match (see
.Pa /etc/protocols
for a complete list).
.El
.Pp
.Ar src
and
.Ar dst :
.Pp
.Bl -hang -offset flag
.It <address/mask> [ports]
.El
.Pp
The
.Em <address/mask>
may be specified as:
.Bl -hang -offset flag -width 1234567890123456
.It Ar ipno
An IP number of the form 1.2.3.4.
Only this exact IP number matches the rule.
.It Ar ipno/bits
An IP number with a mask width of the form 1.2.3.4/24.
In this case all IP numbers from 1.2.3.0 to 1.2.3.255 will match.
.It Ar ipno:mask
An IP number with a mask of the form 1.2.3.4:255.255.240.0.
In this case all IP numbers from 1.2.0.0 to 1.2.15.255 will match.
.El
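As an added illustration, not part of this manual page or of the FreeBSD sources, the following Python model walks a rule list the way DESCRIPTION explains (increasing number, first match wins, only count continues, counters on every match, rule 65535 always present, unnumbered adds get +100) and resolves the three <address/mask> forms listed above. The (number, action, proto, src, dst) tuple layout and the packet dictionary are assumptions of the example.

```python
import ipaddress

# Rule layout assumed by this example: (number, action, proto, src, dst).
DEFAULT_RULE = (65535, "deny", "all", "any", "any")   # always present

def parse_addr(spec):
    """The three <address/mask> forms: ipno, ipno/bits, ipno:mask (and 'any')."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if ":" in spec:                                   # 1.2.3.4:255.255.240.0
        ip, mask = spec.split(":", 1)
        return ipaddress.ip_network((ip, mask), strict=False)
    return ipaddress.ip_network(spec, strict=False)   # 1.2.3.4 or 1.2.3.4/24

def matches(rule, pkt):
    _, _, proto, src, dst = rule
    if proto not in ("ip", "all", pkt["proto"]):
        return False
    return (ipaddress.ip_address(pkt["src"]) in parse_addr(src)
            and ipaddress.ip_address(pkt["dst"]) in parse_addr(dst))

def add_rule(rules, rule):
    """'add' without a number: 100 above the highest rule, or the last
    rule's number once that is above 65434. Returns the number used."""
    number, action, proto, src, dst = rule
    if number is None:
        last = max((r[0] for r in rules), default=0)
        number = last + 100 if last <= 65434 else last
    rules.append((number, action, proto, src, dst))
    return number

def evaluate(rules, pkt, counters):
    """Try rules in increasing number order (sorted() is stable, so rules
    sharing a number keep insertion order). Every matching rule's
    [packets, bytes] counter is bumped; only 'count' continues the search.
    counters is keyed by index into rules; len(rules) is the default rule."""
    chain = list(enumerate(rules + [DEFAULT_RULE]))
    for idx, rule in sorted(chain, key=lambda item: item[1][0]):
        if matches(rule, pkt):
            c = counters.setdefault(idx, [0, 0])
            c[0] += 1
            c[1] += pkt["len"]
            if rule[1] != "count":
                return rule[1]
    return "deny"   # not reached: rule 65535 matches everything
```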
.Pp
With the TCP and UDP
.Em protocols ,
an optional
.Em port
may be specified as:
.Pp
.Bl -hang -offset flag
.It Ns {port|port-port} Ns Op ,port Ns Op ,...
.El
.Pp
Service names (from
.Pa /etc/services )
may not be used instead of a numeric port value.
Also, note that a range may only be specified as the first value,
and the port list is limited to
.Nm IP_FW_MAX_PORTS
(as defined in
.Pa /usr/src/sys/netinet/ip_fw.h )
ports.
.Pp
If ``via''
.Ar name
is specified, only packets received via or on their way out of an interface
matching
.Ar name
will match this rule.
.Pp
If ``via''
.Ar ipno
is specified, only packets received via or on their way out of an interface
having the address
.Ar ipno
will match this rule.
.Pp
.Ar options :
.Bl -hang -offset flag -width 1234567890123456
.It frag
Matches if the packet is a fragment and this is not the first fragment
of the datagram.
.It in
Matches if this packet was on the way in.
.It out
Matches if this packet was on the way out.
.It ipoptions Ar spec
Matches if the IP header contains the comma separated list of
options specified in
.Ar spec .
The supported IP options are:
.Nm ssrr
(strict source route),
.Nm lsrr
(loose source route),
.Nm rr
(record packet route), and
.Nm ts
(timestamp).
The absence of a particular option may be denoted
with a ``!''.
.It established
Matches TCP packets that have the RST or ACK bits set.
.It setup
Matches TCP packets that have the SYN bit set but no ACK bit.
.It tcpflags Ar spec
Matches if the TCP header contains the comma separated list of
flags specified in
.Ar spec .
The supported TCP flags are:
.Nm fin ,
.Nm syn ,
.Nm rst ,
.Nm psh ,
.Nm ack ,
and
.Nm urg .
The absence of a particular flag may be denoted
with a ``!''.
.It icmptypes Ar types
Matches if the ICMP type is in the list
.Ar types .
The list may be specified as any combination of ranges
or individual types separated by commas.
.El
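Added example, not code from this manual page or from FreeBSD: a parser for the port list syntax given above (numeric only, a range only as the first value, at most IP_FW_MAX_PORTS entries) and for the tcpflags/ipoptions specs with ``!'' negation, with the established and setup options expressed in the same terms. The value of IP_FW_MAX_PORTS is not on the page, so the one used here is an assumption, as is counting list entries against it.

```python
# IP_FW_MAX_PORTS is a kernel constant in ip_fw.h; its value is not on the
# page, so this example assumes one.
IP_FW_MAX_PORTS = 10
TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")
IP_OPTIONS = ("ssrr", "lsrr", "rr", "ts")

def parse_ports(spec, max_ports=IP_FW_MAX_PORTS):
    """{port|port-port}[,port[,...]] -> list of (low, high). Numeric only,
    a range only as the first value, at most max_ports entries (assumed)."""
    items = spec.split(",")
    if len(items) > max_ports:
        raise ValueError("more than %d ports in %r" % (max_ports, spec))
    ranges = []
    for i, item in enumerate(items):
        if "-" in item:
            if i != 0:
                raise ValueError("a range may only be the first value: %r" % spec)
            lo, hi = item.split("-", 1)
        else:
            lo = hi = item
        if not (lo.isdigit() and hi.isdigit()):
            raise ValueError("service names are not accepted: %r" % item)
        ranges.append((int(lo), int(hi)))
    return ranges

def port_matches(spec, port):
    return any(lo <= port <= hi for lo, hi in parse_ports(spec))

def parse_flag_spec(spec, known):
    """'syn,!ack' -> (must be set, must be clear); '!' negates one name."""
    want, forbid = set(), set()
    for item in spec.split(","):
        name = item[1:] if item.startswith("!") else item
        if name not in known:
            raise ValueError("unknown name in spec: %r" % item)
        (forbid if item.startswith("!") else want).add(name)
    return want, forbid

def flags_match(spec, present, known=TCP_FLAGS):
    """True if every listed flag/option is set and every '!' one is clear.
    Pass known=IP_OPTIONS to evaluate an ipoptions spec the same way."""
    want, forbid = parse_flag_spec(spec, known)
    present = set(present)
    return want <= present and not (forbid & present)

def is_setup(flags):          # 'setup': SYN set, ACK clear
    return flags_match("syn,!ack", flags)

def is_established(flags):    # 'established': RST or ACK set
    return bool({"rst", "ack"} & set(flags))
```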
.Sh CHECKLIST
Here are some important points to consider when designing your
rules:
.Bl -bullet -hang -offset flag -width 1234567890123456
.It
Remember that you filter both packets going in and out.
Most connections need packets going in both directions.
.It
Remember to test very carefully.
It is a good idea to be near the console when doing this.
.It
Don't forget the loopback interface.
.El
.Sh FINE POINTS
There is one kind of packet that the firewall will always discard,
that is an IP fragment with a fragment offset of one.
This is a valid packet, but it only has one use, to try to circumvent
firewalls.
.Pp
If you are logged in over a network, loading the LKM version of
.Nm
is probably not as straightforward as you would think.
I recommend this command line:
.Bd -literal -offset center
modload /lkm/ipfw_mod.o && \e
ipfw add 32000 allow all from any to any
.Ed
.Pp
Along the same lines, doing an
.Bd -literal -offset center
ipfw flush
.Ed
in similar surroundings is also a bad idea.
.Sh PACKET DIVERSION
A divert socket bound to the specified port will receive all packets diverted
to that port; see
.Xr divert 4 .
If no socket is bound to the destination port, or if the kernel
wasn't compiled with divert socket support, diverted packets are dropped.
.Sh EXAMPLES
This command adds an entry which denies all TCP packets from
.Em hacker.evil.org
to the telnet port of
.Em wolf.tambov.su
from being forwarded by the host:
.Pp
.Dl ipfw add deny tcp from hacker.evil.org to wolf.tambov.su 23
.Pp
This one disallows any connection from the entire hackers' network to
my host:
.Pp
.Dl ipfw add deny all from 123.45.67.0/24 to my.host.org
.Pp
Here is a good use of the list command to see accounting records:
.Pp
.Dl ipfw -at l
.Pp
or in short form
.Pp
.Dl ipfw -a l
.Pp
This rule diverts all incoming packets from 192.168.2.0/24 to divert port 5000:
.Pp
.Dl ipfw add divert 5000 all from 192.168.2.0/24 to any in
.Sh SEE ALSO
.Xr divert 4 ,
.Xr ip 4 ,
.Xr ipfirewall 4 ,
.Xr protocols 5 ,
.Xr services 5 ,
.Xr reboot 8 ,
.Xr syslogd 8
.Sh BUGS
.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
.Pp
This program can put your computer in a rather unusable state. When
using it for the first time, work on the console of the computer, and
do
.Em NOT
do anything you don't understand.
.Pp
When manipulating/adding chain entries, service and protocol names are
not accepted.
.Sh AUTHORS
Ugen J. S. Antsilevich,
Poul-Henning Kamp,
Alex Nash,
Archie Cobbs.
API based upon code written by Daniel Boulet for BSDI.
.Sh HISTORY
.Nm
first appeared in
.Fx 2.0 .
359