ipfw.8 revision 21785
.Dd July 20, 1996
.Dt IPFW 8 SMM
.Os FreeBSD
.Sh NAME
.Nm ipfw
.Nd controlling utility for IP firewall
.Sh SYNOPSIS
.Nm
.Ar file
.Nm ipfw
flush
.Nm ipfw
zero
.Op Ar number
.Nm ipfw
delete
.Ar number
.Nm ipfw
.Op Fl aftN
list
.Nm ipfw
add
.Op Ar number
.Ar action
.Op log
.Ar proto
from
.Ar src
to
.Ar dst
.Op via Ar name | ipno
.Op Ar options
.Sh DESCRIPTION
If used as shown in the first synopsis line, the
.Ar file
will be read line by line and applied as arguments to the
.Nm
command.
.Pp
The
.Nm
code works by going through the rule-list for each packet,
until a match is found.
All rules have two associated counters, a packet count and
a byte count.
These counters are updated when a packet matches the rule.
.Pp
The rules are ordered by a ``line-number'' from 1 to 65534 that is used
to order and delete rules. Rules are tried in increasing order, and the
first rule that matches a packet applies.
Multiple rules may share the same number and apply in
the order in which they were added.
.Pp
If a rule is added without a number, it is numbered 100 higher
than the previous rule.
If the highest defined rule number is
greater than 65434, new rules are appended to the last rule.
.Pp
The delete operation deletes the first rule with number
.Ar number ,
if any.
.Pp
The list command prints out the current rule set.
.Pp
The zero operation zeroes the counters associated with rule number
.Ar number .
.Pp
The flush operation removes all rules.
.Pp
One rule is always present:
.Bd -literal -offset center
65535 deny all from any to any
.Ed
.Pp
This rule is the default policy, i.e., don't allow anything at all.
Your job in setting up rules is to modify this policy to match your needs.
.Pp
The following options are available:
.Bl -tag -width flag
.It Fl a
While listing, show counter values. This option is the only way to see
accounting records.
.It Fl f
Don't ask for confirmation for commands that can cause problems if misused
(i.e., flush).
.Ar Note ,
if there is no tty associated with the process, this is implied.
.It Fl t
While listing, show last match timestamp.
.It Fl N
Try to resolve addresses and service names in output.
.El
.Pp
.Ar action :
.Bl -hang -offset flag -width 1234567890123456
.It Ar allow
Allow packets that match rule.
The search terminates.
.It Ar pass
Same as allow.
.It Ar accept
Same as allow.
.It Ar count
Update counters for all packets that match rule.
The search continues with the next rule.
.It Ar deny
Discard packets that match this rule.
The search terminates.
.It Ar reject
Discard packets that match this rule, and try to send an ICMP notice.
The search terminates.
.It Ar divert port
Divert packets that match this rule to the divert socket bound to port
.Ar port .
The search terminates.
.El
.Pp
When a packet matches a rule with the ``log''
keyword, a message will be printed on the console.
If the kernel was compiled with the
.Dv IP_FIREWALL_VERBOSE_LIMIT
option, then logging will cease after the number of packets
specified by the option are received for that particular
chain entry. Logging may then be re-enabled by clearing
the packet counter for that entry.
.Pp
.Ar proto :
.Bl -hang -offset flag -width 1234567890123456
.It Ar ip
All packets match.
.It Ar all
All packets match.
.It Ar tcp
Only TCP packets match.
.It Ar udp
Only UDP packets match.
.It Ar icmp
Only ICMP packets match.
.It Ar <number|name>
Only packets for the specified protocol match (see
.Pa /etc/protocols
for a complete list).
.El
.Pp
.Ar src
and
.Ar dst :
.Pp
.Bl -hang -offset flag
.It Ar <address/mask>
.Op Ar ports
.El
.Pp
The
.Em <address/mask>
may be specified as:
.Bl -hang -offset flag -width 1234567890123456
.It Ar ipno
An ipnumber of the form 1.2.3.4.
Only this exact ip number matches the rule.
.It Ar ipno/bits
An ipnumber with a mask width of the form 1.2.3.4/24.
In this case all ip numbers from 1.2.3.0 to 1.2.3.255 will match.
.It Ar ipno:mask
An ipnumber with a netmask of the form 1.2.3.4:255.255.240.0.
In this case all ip numbers from 1.2.0.0 to 1.2.15.255 will match.
.El
.Pp
The sense of the match can be inverted by preceding an address with the
``not'' modifier, causing all other addresses to be matched instead. This
does not affect the selection of port numbers.
.Pp
With the TCP and UDP
.Em protocols ,
optional
.Em ports
may be specified as:
.Pp
.Bl -hang -offset flag
.It Ns {port|port-port} Ns Op ,port Ns Op ,...
.El
.Pp
Service names (from
.Pa /etc/services )
may not be used instead of a numeric port value.
Also, note that a range may only be specified as the first value,
and the port list is limited to
.Dv IP_FW_MAX_PORTS
(as defined in
.Pa /usr/src/sys/netinet/ip_fw.h )
ports.
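.Pp
The rule numbering and first-match walk from the DESCRIPTION, together with the
ipno, ipno/bits, ipno:mask and ``not'' address forms above, modelled as an added
Python example (not code from ipfw or this manual): the rule dictionary, the packet
fields it checks, and the choice of 100 for the first unnumbered rule are assumptions
of the model.

```python
import ipaddress

def parse_addr(spec):
    """Parse ipfw's <address/mask> forms: any, ipno, ipno/bits, ipno:mask,
    optionally preceded by 'not'.  Returns (negated, network)."""
    negated = spec.startswith("not ")
    spec = spec[4:] if negated else spec
    if spec == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif ":" in spec:                        # ipno:mask, e.g. 1.2.3.4:255.255.240.0
        ip, mask = spec.split(":", 1)
        net = ipaddress.ip_network((ip, mask), strict=False)
    elif "/" in spec:                        # ipno/bits, e.g. 1.2.3.4/24
        net = ipaddress.ip_network(spec, strict=False)
    else:                                    # bare ipno: only the exact address matches
        net = ipaddress.ip_network(spec + "/32")
    return negated, net

def addr_matches(spec, ip):
    """True if ip is covered by spec; 'not' inverts the sense of the address match."""
    negated, net = parse_addr(spec)
    return (ipaddress.ip_address(ip) in net) != negated

def add_rule(rules, action, proto, src, dst, number=None, dport=None):
    """Mimic 'ipfw add': an unnumbered rule gets the previous number + 100
    (starting at 100 for an empty list is an assumption of this model)."""
    if number is None:
        number = rules[-1]["number"] + 100 if rules else 100
    rules.append({"number": number, "action": action, "proto": proto,
                  "src": src, "dst": dst, "dport": dport, "pkts": 0})
    rules.sort(key=lambda r: r["number"])  # stable: equal numbers keep insertion order
    return number

def evaluate(rules, proto, src, dst, dport=None):
    """First-match walk in increasing rule number.  'count' only bumps the
    counter and keeps searching; the implicit '65535 deny all' ends the search."""
    for r in rules:
        if r["proto"] not in ("all", "ip", proto):
            continue
        if not (addr_matches(r["src"], src) and addr_matches(r["dst"], dst)):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        r["pkts"] += 1
        if r["action"] == "count":
            continue
        return r["number"], r["action"]
    return 65535, "deny"
```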
.Pp
If ``via''
.Ar name
is specified, only packets received via or on their way out of an interface
matching
.Ar name
will match this rule.
.Pp
If ``via''
.Ar ipno
is specified, only packets received via or on their way out of an interface
having the address
.Ar ipno
will match this rule.
.Pp
.Ar options :
.Bl -hang -offset flag -width 1234567890123456
.It frag
Matches if the packet is a fragment and this is not the first fragment
of the datagram.
.It in
Matches if this packet was on the way in.
.It out
Matches if this packet was on the way out.
.It ipoptions Ar spec
Matches if the IP header contains the comma separated list of
options specified in
.Ar spec .
The supported IP options are:
.Ar ssrr
(strict source route),
.Ar lsrr
(loose source route),
.Ar rr
(record packet route), and
.Ar ts
(timestamp).
The absence of a particular option may be denoted
with a ``!''.
.It established
Matches packets that have the RST or ACK bits set.
TCP packets only.
.It setup
Matches packets that have the SYN bit set but no ACK bit.
TCP packets only.
.It tcpflags Ar spec
Matches if the TCP header contains the comma separated list of
flags specified in
.Ar spec .
The supported TCP flags are:
.Ar fin ,
.Ar syn ,
.Ar rst ,
.Ar psh ,
.Ar ack ,
and
.Ar urg .
The absence of a particular flag may be denoted
with a ``!''.
.It icmptypes Ar types
Matches if the ICMP type is in the list
.Ar types .
The list may be specified as any combination of ranges
or individual types separated by commas.
.El
.Sh CHECKLIST
Here are some important points to consider when designing your
rules:
.Bl -bullet -hang -offset flag
.It
Remember that you filter both packets going in and out.
Most connections need packets going in both directions.
.It
Remember to test very carefully.
It is a good idea to be near the console when doing this.
.It
Don't forget the loopback interface.
.El
.Sh FINE POINTS
There is one kind of packet that the firewall will always discard,
that is an IP fragment with a fragment offset of one.
This is a valid packet, but it only has one use, to try to circumvent
firewalls.
.Pp
If you are logged in over a network, loading the LKM version of
.Nm
is probably not as straightforward as you would think.
I recommend this command line:
.Bd -literal -offset center
modload /lkm/ipfw_mod.o && \e
ipfw add 32000 allow all from any to any
.Ed
.Pp
Along the same lines, doing an
.Bd -literal -offset center
ipfw flush
.Ed
.Pp
in similar surroundings is also a bad idea.
.Sh PACKET DIVERSION
A divert socket bound to the specified port will receive all packets diverted
to that port; see
.Xr divert 4 .
If no socket is bound to the destination port, or if the kernel
wasn't compiled with divert socket support, diverted packets are dropped.
.Sh EXAMPLES
This command adds an entry which denies all tcp packets from
.Em hacker.evil.org
to the telnet port of
.Em wolf.tambov.su
from being forwarded by the host:
.Pp
.Dl ipfw add deny tcp from hacker.evil.org to wolf.tambov.su 23
.Pp
This one disallows any connection from the entire hackers network to
my host:
.Pp
.Dl ipfw addf deny all from 123.45.67.0/24 to my.host.org
.Pp
Here is a good use of the list command to see accounting records:
.Pp
.Dl ipfw -at l
.Pp
or in short form
.Pp
.Dl ipfw -a l
.Pp
This rule diverts all incoming packets from 192.168.2.0/24 to divert port 5000:
.Pp
.Dl ipfw divert 5000 all from 192.168.2.0/24 to any in
.Sh SEE ALSO
.Xr divert 4 ,
.Xr ip 4 ,
.Xr ipfirewall 4 ,
.Xr protocols 5 ,
.Xr services 5 ,
.Xr reboot 8 ,
.Xr syslogd 8
.Sh BUGS
.Pp
.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
.Pp
This program can put your computer in a rather unusable state. When
using it for the first time, work on the console of the computer, and
do
.Em NOT
do anything you don't understand.
.Pp
When manipulating/adding chain entries, service and protocol names are
not accepted.
.Sh AUTHORS
Ugen J. S. Antsilevich,
Poul-Henning Kamp,
Alex Nash,
Archie Cobbs.
API based upon code written by Daniel Boulet for BSDI.
.Sh HISTORY
.Nm
first appeared in
.Fx 2.0 .