mirror of https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git, synced 2024-11-25 01:55:19 +01:00
manuals: fix "PP after SS | SH" warnings
The full mandoc warnings were:

    skipping paragraph macro: PP after SS
    skipping paragraph macro: PP after SH

The rendered output (in ascii and html) is not affected by this commit.

Fixes made by script in https://github.com/Tarsnap/freebsd-doc-scripts

Signed-off-by: Graham Percival <gperciva@tarsnap.com>
Reviewed by: jlduran, mhorne
MFC after: 1 week
Sponsored by: Tarsnap Backup Inc.
Pull Request: https://github.com/freebsd/freebsd-src/pull/1524
parent: bc919e81e0
commit: e413da1358
@ -6,7 +6,6 @@ ipf \- packet filtering kernel interface
|
|||||||
.br
|
.br
|
||||||
#include <netinet/ip_fil.h>
|
#include <netinet/ip_fil.h>
|
||||||
.SH IOCTLS
|
.SH IOCTLS
|
||||||
.PP
|
|
||||||
To add and delete rules to the filter list, three 'basic' ioctls are provided
|
To add and delete rules to the filter list, three 'basic' ioctls are provided
|
||||||
for use. The ioctl's are called as:
|
for use. The ioctl's are called as:
|
||||||
.LP
|
.LP
|
||||||
|
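Review bot: Removing the `.PP` directly under `.SH IOCTLS` is safe and matches the commit message's claim that rendered output is unchanged: a section macro already begins a new paragraph, so the paragraph macro was a no-op that mandoc skips with exactly the warning quoted in the message. The `.LP` at the end of this hunk, after "for use. The ioctl's are called as:", is correctly left in place, since it follows body text rather than a heading and is therefore not a candidate for the same cleanup.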
@ -2,7 +2,6 @@
|
|||||||
.SH NAME
|
.SH NAME
|
||||||
ipf, ipf.conf \- IPFilter firewall rules file format
|
ipf, ipf.conf \- IPFilter firewall rules file format
|
||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
.PP
|
|
||||||
The ipf.conf file is used to specify rules for the firewall, packet
|
The ipf.conf file is used to specify rules for the firewall, packet
|
||||||
authentication and packet accounting components of IPFilter. To load rules
|
authentication and packet accounting components of IPFilter. To load rules
|
||||||
specified in the ipf.conf file, the ipf(8) program is used.
|
specified in the ipf.conf file, the ipf(8) program is used.
|
||||||
@ -29,7 +28,6 @@ the direction of the packet (in or out)
|
|||||||
address patterns or "all" to match any address information
|
address patterns or "all" to match any address information
|
||||||
.RE
|
.RE
|
||||||
.SS Long lines
|
.SS Long lines
|
||||||
.PP
|
|
||||||
For rules lines that are particularly long, it is possible to split
|
For rules lines that are particularly long, it is possible to split
|
||||||
them over multiple lines implicitly like this:
|
them over multiple lines implicitly like this:
|
||||||
.PP
|
.PP
|
||||||
@ -45,7 +43,6 @@ pass in on bgeo proto tcp from 1.1.1.1 port > 1000 \\
|
|||||||
to 2.2.2.2 port < 5000 flags S keep state
|
to 2.2.2.2 port < 5000 flags S keep state
|
||||||
.fi
|
.fi
|
||||||
.SS Comments
|
.SS Comments
|
||||||
.PP
|
|
||||||
Comments in the ipf.conf file are indicated by the use of the '#' character.
|
Comments in the ipf.conf file are indicated by the use of the '#' character.
|
||||||
This can either be at the start of the line, like this:
|
This can either be at the start of the line, like this:
|
||||||
.PP
|
.PP
|
||||||
@ -60,7 +57,6 @@ Or at the end of a like, like this:
|
|||||||
pass in proto icmp from any to any # Allow all ICMP packets in
|
pass in proto icmp from any to any # Allow all ICMP packets in
|
||||||
.fi
|
.fi
|
||||||
.SH Firewall rules
|
.SH Firewall rules
|
||||||
.PP
|
|
||||||
This section goes into detail on how to construct firewall rules that
|
This section goes into detail on how to construct firewall rules that
|
||||||
are placed in the ipf.conf file.
|
are placed in the ipf.conf file.
|
||||||
.PP
|
.PP
|
||||||
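Review bot: Out of scope for a scripted macro cleanup, but the hunk header context "Or at the end of a like, like this:" has a typo ("like" should be "line"); worth a separate follow-up commit so the wording fix is not buried in a whitespace-class change.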
@ -69,7 +65,6 @@ firewall rule set or which packets should be blocked or allowed in.
|
|||||||
Some suggestions will be provided but further reading is expected to
|
Some suggestions will be provided but further reading is expected to
|
||||||
fully understand what is safe and unsafe to allow in/out.
|
fully understand what is safe and unsafe to allow in/out.
|
||||||
.SS Filter rule keywords
|
.SS Filter rule keywords
|
||||||
.PP
|
|
||||||
The first word found in any filter rule describes what the eventual outcome
|
The first word found in any filter rule describes what the eventual outcome
|
||||||
of a packet that matches it will be. Descriptions of the many and various
|
of a packet that matches it will be. Descriptions of the many and various
|
||||||
sections that can be used to match on the contents of packet headers will
|
sections that can be used to match on the contents of packet headers will
|
||||||
@ -131,7 +126,6 @@ rule to match a packet is a pass, if there is a later matching rule
|
|||||||
that is a block and no further rules match the packet, then it will
|
that is a block and no further rules match the packet, then it will
|
||||||
be blocked.
|
be blocked.
|
||||||
.SS Matching Network Interfaces
|
.SS Matching Network Interfaces
|
||||||
.PP
|
|
||||||
On systems with more than one network interface, it is necessary
|
On systems with more than one network interface, it is necessary
|
||||||
to be able to specify different filter rules for each of them.
|
to be able to specify different filter rules for each of them.
|
||||||
In the first instance, this is because different networks will send us
|
In the first instance, this is because different networks will send us
|
||||||
@ -158,7 +152,6 @@ block in on bge0 all
|
|||||||
pass out on bge0 all
|
pass out on bge0 all
|
||||||
.fi
|
.fi
|
||||||
.SS Address matching (basic)
|
.SS Address matching (basic)
|
||||||
.PP
|
|
||||||
The first and most basic part of matching for filtering rules is to
|
The first and most basic part of matching for filtering rules is to
|
||||||
specify IP addresses and TCP/UDP port numbers. The source address
|
specify IP addresses and TCP/UDP port numbers. The source address
|
||||||
information is matched by the "from" information in a filter rule
|
information is matched by the "from" information in a filter rule
|
||||||
@ -197,7 +190,6 @@ is processing that part of the configuration file, leading to long
|
|||||||
delays, if not errors, in loading the filter rules.
|
delays, if not errors, in loading the filter rules.
|
||||||
.RE
|
.RE
|
||||||
.SS Protocol Matching
|
.SS Protocol Matching
|
||||||
.PP
|
|
||||||
To match packets based on TCP/UDP port information, it is first necessary
|
To match packets based on TCP/UDP port information, it is first necessary
|
||||||
to indicate which protocol the packet must be. This is done using the
|
to indicate which protocol the packet must be. This is done using the
|
||||||
"proto" keyword, followed by either the protocol number or a name which
|
"proto" keyword, followed by either the protocol number or a name which
|
||||||
@ -209,7 +201,6 @@ block out proto udp from any to 10.1.1.1
|
|||||||
pass in proto icmp from any to 192.168.0.0/16
|
pass in proto icmp from any to 192.168.0.0/16
|
||||||
.fi
|
.fi
|
||||||
.SS Sending back error packets
|
.SS Sending back error packets
|
||||||
.PP
|
|
||||||
When a packet is just discarded using a block rule, there is no feedback given
|
When a packet is just discarded using a block rule, there is no feedback given
|
||||||
to the host that sent the packet. This is both good and bad. If this is the
|
to the host that sent the packet. This is both good and bad. If this is the
|
||||||
desired behaviour and it is not desirable to send any feedback about packets
|
desired behaviour and it is not desirable to send any feedback about packets
|
||||||
@ -317,7 +308,6 @@ block return-icmp-as-dest(port-unr) in proto udp \\
|
|||||||
from any to 192.168.1.0/24
|
from any to 192.168.1.0/24
|
||||||
.fi
|
.fi
|
||||||
.SS TCP/UDP Port Matching
|
.SS TCP/UDP Port Matching
|
||||||
.PP
|
|
||||||
Having specified which protocol is being matched, it is then possible to
|
Having specified which protocol is being matched, it is then possible to
|
||||||
indicate which port numbers a packet must have in order to match the rule.
|
indicate which port numbers a packet must have in order to match the rule.
|
||||||
Due to port numbers being used differently to addresses, it is therefore
|
Due to port numbers being used differently to addresses, it is therefore
|
||||||
@ -361,7 +351,6 @@ If there is no desire to mention any specific source or destintion
|
|||||||
information in a filter rule then the word "all" can be used to
|
information in a filter rule then the word "all" can be used to
|
||||||
indicate that all addresses are considered to match the rule.
|
indicate that all addresses are considered to match the rule.
|
||||||
.SS IPv4 or IPv6
|
.SS IPv4 or IPv6
|
||||||
.PP
|
|
||||||
If a filter rule is constructed without any addresses then IPFilter
|
If a filter rule is constructed without any addresses then IPFilter
|
||||||
will attempt to match both IPv4 and IPv6 packets with it. In the
|
will attempt to match both IPv4 and IPv6 packets with it. In the
|
||||||
next list of rules, each one can be applied to either network protocol
|
next list of rules, each one can be applied to either network protocol
|
||||||
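Review bot: Unrelated to the macro change, the hunk header context "If there is no desire to mention any specific source or destintion" carries a typo ("destination"); a follow-up wording commit could pick it up together with the other context typos in this file.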
@ -399,13 +388,11 @@ protocol family qualifier:
|
|||||||
pass in family inet6 proto udp from any to any port = 53
|
pass in family inet6 proto udp from any to any port = 53
|
||||||
.fi
|
.fi
|
||||||
.SS First match vs last match
|
.SS First match vs last match
|
||||||
.PP
|
|
||||||
To change the default behaviour from being the last matched rule decides
|
To change the default behaviour from being the last matched rule decides
|
||||||
the outcome to being the first matched rule, the word "quick" is inserted
|
the outcome to being the first matched rule, the word "quick" is inserted
|
||||||
to the rule.
|
to the rule.
|
||||||
.SH Extended Packet Matching
|
.SH Extended Packet Matching
|
||||||
.SS Beyond using plain addresses
|
.SS Beyond using plain addresses
|
||||||
.PP
|
|
||||||
On firewalls that are working with large numbers of hosts and networks
|
On firewalls that are working with large numbers of hosts and networks
|
||||||
or simply trying to filter discretely against various hosts, it can
|
or simply trying to filter discretely against various hosts, it can
|
||||||
be an easier administration task to define a pool of addresses and have
|
be an easier administration task to define a pool of addresses and have
|
||||||
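Review bot: This hunk removes two paragraph macros rather than one (the range shrinks from 13 to 11 lines): the `.PP` under `.SS First match vs last match` and the `.PP` under `.SS Beyond using plain addresses`. The script correctly leaves nothing between `.SH Extended Packet Matching` and the `.SS` that immediately follows it; the adjacent-heading case is where a naive line-based script could have misfired, so it is the one spot in this hunk worth checking by eye, and it looks right.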
@ -475,7 +462,6 @@ with.
|
|||||||
pass in proto icmp from any to (bge0)/32
|
pass in proto icmp from any to (bge0)/32
|
||||||
.fi
|
.fi
|
||||||
.SS Using address pools
|
.SS Using address pools
|
||||||
.PP
|
|
||||||
Rather than list out multiple rules that either allow or deny specific
|
Rather than list out multiple rules that either allow or deny specific
|
||||||
addresses, it is possible to create a single object, call an address
|
addresses, it is possible to create a single object, call an address
|
||||||
pool, that contains all of those addresses and reference that in the
|
pool, that contains all of those addresses and reference that in the
|
||||||
@ -505,7 +491,6 @@ There are different operational characteristics with each, so there
|
|||||||
may be some situations where a pool works better than hash and vice
|
may be some situations where a pool works better than hash and vice
|
||||||
versa.
|
versa.
|
||||||
.SS Matching TCP flags
|
.SS Matching TCP flags
|
||||||
.PP
|
|
||||||
The TCP header contains a field of flags that is used to decide if the
|
The TCP header contains a field of flags that is used to decide if the
|
||||||
packet is a connection request, connection termination, data, etc.
|
packet is a connection request, connection termination, data, etc.
|
||||||
By matching on the flags in conjunction with port numbers, it is
|
By matching on the flags in conjunction with port numbers, it is
|
||||||
@ -562,7 +547,6 @@ pass out quick proto tcp from any port = 22 to any flags SA
|
|||||||
By itself, filtering based on the TCP flags becomes more work but when
|
By itself, filtering based on the TCP flags becomes more work but when
|
||||||
combined with stateful filtering (see below), the situation changes.
|
combined with stateful filtering (see below), the situation changes.
|
||||||
.SS Matching on ICMP header information
|
.SS Matching on ICMP header information
|
||||||
.PP
|
|
||||||
The TCP and UDP are not the only protocols for which filtering beyond
|
The TCP and UDP are not the only protocols for which filtering beyond
|
||||||
just the IP header is possible, extended matching on ICMP packets is
|
just the IP header is possible, extended matching on ICMP packets is
|
||||||
also available. The list of valid ICMP types is different for IPv4
|
also available. The list of valid ICMP types is different for IPv4
|
||||||
@ -627,7 +611,6 @@ unreach (unreachable,
|
|||||||
whoreq (WRU request),
|
whoreq (WRU request),
|
||||||
whorep (WRU reply).
|
whorep (WRU reply).
|
||||||
.SH Stateful Packet Filtering
|
.SH Stateful Packet Filtering
|
||||||
.PP
|
|
||||||
Stateful packet filtering is where IPFilter remembers some information from
|
Stateful packet filtering is where IPFilter remembers some information from
|
||||||
one or more packets that it has seen and is able to apply it to future
|
one or more packets that it has seen and is able to apply it to future
|
||||||
packets that it receives from the network.
|
packets that it receives from the network.
|
||||||
@ -694,7 +677,6 @@ use of these protocols being more for query-response than for ongoing
|
|||||||
connections. For all other protocols the
|
connections. For all other protocols the
|
||||||
timeout is 60 seconds in both directions.
|
timeout is 60 seconds in both directions.
|
||||||
.SS Stateful filtering options
|
.SS Stateful filtering options
|
||||||
.PP
|
|
||||||
The following options can be used with stateful filtering:
|
The following options can be used with stateful filtering:
|
||||||
.HP
|
.HP
|
||||||
limit
|
limit
|
||||||
@ -812,7 +794,6 @@ If there is no IP protocol implied by addresses or other features of
|
|||||||
the rule, IPFilter will assume that no netmask is an all ones netmask
|
the rule, IPFilter will assume that no netmask is an all ones netmask
|
||||||
for both IPv4 and IPv6.
|
for both IPv4 and IPv6.
|
||||||
.SS Tieing down a connection
|
.SS Tieing down a connection
|
||||||
.PP
|
|
||||||
For any connection that transits a firewall, each packet will be seen
|
For any connection that transits a firewall, each packet will be seen
|
||||||
twice: once going in and once going out. Thus a connection has 4 flows
|
twice: once going in and once going out. Thus a connection has 4 flows
|
||||||
of packets:
|
of packets:
|
||||||
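Review bot: Unrelated to this change, the subsection heading retained as context, `.SS Tieing down a connection`, is misspelled ("Tying"); since the heading text is rendered verbatim as the section title, a separate commit fixing it would be visible to readers.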
@ -851,7 +832,6 @@ pass in on bge0,bge1 out-via bge1,bge0 proto tcp \\
|
|||||||
from any to any port = 22 flags S keep state
|
from any to any port = 22 flags S keep state
|
||||||
.fi
|
.fi
|
||||||
.SS Working with packet fragments
|
.SS Working with packet fragments
|
||||||
.PP
|
|
||||||
Fragmented packets result in 1 packet containing all of the layer 3 and 4
|
Fragmented packets result in 1 packet containing all of the layer 3 and 4
|
||||||
header information whilst the data is split across a number of other packets.
|
header information whilst the data is split across a number of other packets.
|
||||||
.PP
|
.PP
|
||||||
@ -883,7 +863,6 @@ An example of how this is done is as follows:
|
|||||||
pass in proto udp from any port = 2049 to any with frags keep frags
|
pass in proto udp from any port = 2049 to any with frags keep frags
|
||||||
.fi
|
.fi
|
||||||
.SH Building a tree of rules
|
.SH Building a tree of rules
|
||||||
.PP
|
|
||||||
Writing your filter rules as one long list of rules can be both inefficient
|
Writing your filter rules as one long list of rules can be both inefficient
|
||||||
in terms of processing the rules and difficult to understand. To make the
|
in terms of processing the rules and difficult to understand. To make the
|
||||||
construction of filter rules easier, it is possible to place them in groups.
|
construction of filter rules easier, it is possible to place them in groups.
|
||||||
@ -947,7 +926,6 @@ to deliver spam, I could load the following rule to complement the above:
|
|||||||
block in quick from 10.1.1.1 to any group spammers
|
block in quick from 10.1.1.1 to any group spammers
|
||||||
.fi
|
.fi
|
||||||
.SS Decapsulation
|
.SS Decapsulation
|
||||||
.PP
|
|
||||||
Rule groups also form a different but vital role for decapsulation rules.
|
Rule groups also form a different but vital role for decapsulation rules.
|
||||||
With the following simple rule, if IPFilter receives an IP packet that has
|
With the following simple rule, if IPFilter receives an IP packet that has
|
||||||
an AH header as its layer 4 payload, IPFilter would adjust its view of the
|
an AH header as its layer 4 payload, IPFilter would adjust its view of the
|
||||||
@ -982,7 +960,6 @@ It is possible to construct a decapsulate rule without the group
|
|||||||
head at the end that ipf(8) will accept but such rules will not
|
head at the end that ipf(8) will accept but such rules will not
|
||||||
result in anything happening.
|
result in anything happening.
|
||||||
.SS Policy Based Routing
|
.SS Policy Based Routing
|
||||||
.PP
|
|
||||||
With firewalls being in the position they often are, at the boundary
|
With firewalls being in the position they often are, at the boundary
|
||||||
of different networks connecting together and multiple connections that
|
of different networks connecting together and multiple connections that
|
||||||
have different properties, it is often desirable to have packets flow
|
have different properties, it is often desirable to have packets flow
|
||||||
@ -1034,7 +1011,6 @@ pass in on bge0 to bge1:1.1.1.1 reply-to hme1:2.1.1.2 \\
|
|||||||
to any port = 80 flags S keep state
|
to any port = 80 flags S keep state
|
||||||
.fi
|
.fi
|
||||||
.SS Matching IPv4 options
|
.SS Matching IPv4 options
|
||||||
.PP
|
|
||||||
The design for IPv4 allows for the header to be upto 64 bytes long,
|
The design for IPv4 allows for the header to be upto 64 bytes long,
|
||||||
however most traffic only uses the basic header which is 20 bytes long.
|
however most traffic only uses the basic header which is 20 bytes long.
|
||||||
The other 44 bytes can be used to store IP options. These options are
|
The other 44 bytes can be used to store IP options. These options are
|
||||||
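Review bot: The context line "The design for IPv4 allows for the header to be upto 64 bytes long," should read "up to"; out of scope for this commit, but noting it for a follow-up.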
@ -1115,7 +1091,6 @@ ump (Upstream Multicast Packet),
|
|||||||
visa (Experimental Access Control)
|
visa (Experimental Access Control)
|
||||||
and zsu (Experimental Measurement).
|
and zsu (Experimental Measurement).
|
||||||
.SS Security with CIPSO and IPSO
|
.SS Security with CIPSO and IPSO
|
||||||
.PP
|
|
||||||
IPFilter supports filtering on IPv4 packets using security attributes embedded
|
IPFilter supports filtering on IPv4 packets using security attributes embedded
|
||||||
in the IP options part of the packet. These options are usually only used on
|
in the IP options part of the packet. These options are usually only used on
|
||||||
networks and systems that are using lablled security. Unless you know that
|
networks and systems that are using lablled security. Unless you know that
|
||||||
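Review bot: The context line "networks and systems that are using lablled security." has a typo ("labelled"); out of scope for the scripted change, but recording it so it is not lost.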
@ -1139,7 +1114,6 @@ block in quick all with opt sec-class unclass
|
|||||||
pass in all with opt sec-class secret
|
pass in all with opt sec-class secret
|
||||||
.fi
|
.fi
|
||||||
.SS Matching IPv6 extension headers
|
.SS Matching IPv6 extension headers
|
||||||
.PP
|
|
||||||
Just as it is possible to filter on the various IPv4 header options,
|
Just as it is possible to filter on the various IPv4 header options,
|
||||||
so too it is possible to filter on the IPv6 extension headers that are
|
so too it is possible to filter on the IPv6 extension headers that are
|
||||||
placed between the IPv6 header and the transport protocol header.
|
placed between the IPv6 header and the transport protocol header.
|
||||||
@ -1153,7 +1127,6 @@ mobility (IP mobility),
|
|||||||
none,
|
none,
|
||||||
routing.
|
routing.
|
||||||
.SS Logging
|
.SS Logging
|
||||||
.PP
|
|
||||||
There are two ways in which packets can be logged with IPFilter. The
|
There are two ways in which packets can be logged with IPFilter. The
|
||||||
first is with a rule that specifically says log these types of packets
|
first is with a rule that specifically says log these types of packets
|
||||||
and the second is a qualifier to one of the other keywords. Thus it is
|
and the second is a qualifier to one of the other keywords. Thus it is
|
||||||
@ -1211,7 +1184,6 @@ pass in log level local1.info proto tcp \\
|
|||||||
ipfstat(8) reports how many packets have been successfully logged and how
|
ipfstat(8) reports how many packets have been successfully logged and how
|
||||||
many failed attempts to log a packet there were.
|
many failed attempts to log a packet there were.
|
||||||
.SS Filter rule comments
|
.SS Filter rule comments
|
||||||
.PP
|
|
||||||
If there is a desire to associate a text string, be it an administrative
|
If there is a desire to associate a text string, be it an administrative
|
||||||
comment or otherwise, with an IPFilter rule, this can be achieved by giving
|
comment or otherwise, with an IPFilter rule, this can be achieved by giving
|
||||||
the filter rule a comment. The comment is loaded with the rule into the
|
the filter rule a comment. The comment is loaded with the rule into the
|
||||||
@ -1224,7 +1196,6 @@ pass out quick proto tcp from any port = 80 \\
|
|||||||
to any comment "all web server traffic is ok"
|
to any comment "all web server traffic is ok"
|
||||||
.fi
|
.fi
|
||||||
.SS Tags
|
.SS Tags
|
||||||
.PP
|
|
||||||
To enable filtering and NAT to correctly match up packets with rules,
|
To enable filtering and NAT to correctly match up packets with rules,
|
||||||
tags can be added at with NAT (for inbound packets) and filtering (for
|
tags can be added at with NAT (for inbound packets) and filtering (for
|
||||||
outbound packets.) This allows a filter to be correctly mated with its
|
outbound packets.) This allows a filter to be correctly mated with its
|
||||||
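Review bot: The context lines "tags can be added at with NAT (for inbound packets) and filtering (for outbound packets.)" have a stray "at" and the closing period sits inside the parenthesis; unrelated to the `.PP` removal, but a follow-up to the Tags subsection could fix both.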
@ -1249,7 +1220,6 @@ such as grep, extracting log records of interest is simplified.
|
|||||||
block in quick log ... set-tag(log=33)
|
block in quick log ... set-tag(log=33)
|
||||||
.fi
|
.fi
|
||||||
.SH Filter Rule Expiration
|
.SH Filter Rule Expiration
|
||||||
.PP
|
|
||||||
IPFilter allows rules to be added into the kernel that it will remove after
|
IPFilter allows rules to be added into the kernel that it will remove after
|
||||||
a specific period of time by specifying rule-ttl at the end of a rule.
|
a specific period of time by specifying rule-ttl at the end of a rule.
|
||||||
When listing rules in the kernel using ipfstat(8), rules that are going
|
When listing rules in the kernel using ipfstat(8), rules that are going
|
||||||
@ -1264,7 +1234,6 @@ pass in on fxp0 proto tcp from any \\
|
|||||||
to port = 22 flags S keep state rule-ttl 30
|
to port = 22 flags S keep state rule-ttl 30
|
||||||
.fi
|
.fi
|
||||||
.SH Internal packet attributes
|
.SH Internal packet attributes
|
||||||
.PP
|
|
||||||
In addition to being able to filter on very specific network and transport
|
In addition to being able to filter on very specific network and transport
|
||||||
header fields, it is possible to filter on other attributes that IPFilter
|
header fields, it is possible to filter on other attributes that IPFilter
|
||||||
attaches to a packet. These attributes are placed in a rule after the
|
attaches to a packet. These attributes are placed in a rule after the
|
||||||
@ -1332,7 +1301,6 @@ block in all
|
|||||||
pass in all with not bad
|
pass in all with not bad
|
||||||
.fi
|
.fi
|
||||||
.SH Tuning IPFilter
|
.SH Tuning IPFilter
|
||||||
.PP
|
|
||||||
The ipf.conf file can also be used to tune the behaviour of IPFilter,
|
The ipf.conf file can also be used to tune the behaviour of IPFilter,
|
||||||
allowing, for example, timeouts for the NAT/state table(s) to be set
|
allowing, for example, timeouts for the NAT/state table(s) to be set
|
||||||
along with their sizes. The presence and names of tunables may change
|
along with their sizes. The presence and names of tunables may change
|
||||||
@ -1543,7 +1511,6 @@ update_ipid
|
|||||||
when set, turns on changing the IP id field in NAT'd packets to a random
|
when set, turns on changing the IP id field in NAT'd packets to a random
|
||||||
number.
|
number.
|
||||||
.SS Table of visible variables
|
.SS Table of visible variables
|
||||||
.PP
|
|
||||||
A list of all of the tunables, their minimum, maximum and current
|
A list of all of the tunables, their minimum, maximum and current
|
||||||
values is as follows.
|
values is as follows.
|
||||||
.PP
|
.PP
|
||||||
@ -1602,7 +1569,6 @@ udp_timeout 1 MAXINT 240
|
|||||||
update_ipid 0 1 0
|
update_ipid 0 1 0
|
||||||
.fi
|
.fi
|
||||||
.SH Calling out to internal functions
|
.SH Calling out to internal functions
|
||||||
.PP
|
|
||||||
IPFilter provides a pair of functions that can be called from a rule
|
IPFilter provides a pair of functions that can be called from a rule
|
||||||
that allow for a single rule to jump out to a group rather than walk
|
that allow for a single rule to jump out to a group rather than walk
|
||||||
through a list of rules to find the group. If you've got multiple
|
through a list of rules to find the group. If you've got multiple
|
||||||
@ -1637,7 +1603,6 @@ group-map in role=ipf number=1010
|
|||||||
{ 1.1.1.1 group = 1020, 3.3.0.0/16 group = 1030; };
|
{ 1.1.1.1 group = 1020, 3.3.0.0/16 group = 1030; };
|
||||||
.fi
|
.fi
|
||||||
.SS IPFilter matching expressions
|
.SS IPFilter matching expressions
|
||||||
.PP
|
|
||||||
An experimental feature that has been added to filter rules is to use
|
An experimental feature that has been added to filter rules is to use
|
||||||
the same expression matching that is available with various commands
|
the same expression matching that is available with various commands
|
||||||
to flush and list state/NAT table entries. The use of such an expression
|
to flush and list state/NAT table entries. The use of such an expression
|
||||||
@ -1647,7 +1612,6 @@ precludes the filter rule from using the normal IP header matching.
|
|||||||
pass in exp { "tcp.sport 23 or tcp.sport 50" } keep state
|
pass in exp { "tcp.sport 23 or tcp.sport 50" } keep state
|
||||||
.fi
|
.fi
|
||||||
.SS Filter rules with BPF
|
.SS Filter rules with BPF
|
||||||
.PP
|
|
||||||
On platforms that have the BPF built into the kernel, IPFilter can be
|
On platforms that have the BPF built into the kernel, IPFilter can be
|
||||||
built to allow BPF expressions in filter rules. This allows for packet
|
built to allow BPF expressions in filter rules. This allows for packet
|
||||||
matching to be on arbitrary data in the packt. The use of a BPF expression
|
matching to be on arbitrary data in the packt. The use of a BPF expression
|
||||||
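Review bot: The context line "matching to be on arbitrary data in the packt." has a typo ("packet"); out of scope for this commit.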
@ -1665,7 +1629,6 @@ accurately reconstruct the original text filter. The end result is that
|
|||||||
while ipf.conf() can be easy to read, understanding the output from
|
while ipf.conf() can be easy to read, understanding the output from
|
||||||
ipfstat might not be.
|
ipfstat might not be.
|
||||||
.SH VARIABLES
|
.SH VARIABLES
|
||||||
.PP
|
|
||||||
This configuration file, like all others used with IPFilter, supports the
|
This configuration file, like all others used with IPFilter, supports the
|
||||||
use of variable substitution throughout the text.
|
use of variable substitution throughout the text.
|
||||||
.PP
|
.PP
|
||||||
|
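Review bot: The hunk context "while ipf.conf() can be easy to read, understanding the output from ipfstat might not be." has empty parentheses after `ipf.conf`, which reads like a manual cross-reference missing its section number (the SEE ALSO list elsewhere in this change cites ipf(5)); unrelated to the `.PP` removal, but worth a follow-up.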
@ -22,7 +22,6 @@ ipf \- alters packet filtering lists for IP packet input and output
|
|||||||
<\fIfilename\fP>
|
<\fIfilename\fP>
|
||||||
[...]]
|
[...]]
|
||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
.PP
|
|
||||||
\fBipf\fP opens the filenames listed (treating "\-" as stdin) and parses the
|
\fBipf\fP opens the filenames listed (treating "\-" as stdin) and parses the
|
||||||
file for a set of rules which are to be added or removed from the packet
|
file for a set of rules which are to be added or removed from the packet
|
||||||
filter rule set.
|
filter rule set.
|
||||||
@ -176,9 +175,7 @@ IPF_PREDEFINED='my_server="10.1.1.1"; my_client="10.1.1.2";'
|
|||||||
.SH SEE ALSO
|
.SH SEE ALSO
|
||||||
ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8), ipnat(8)
|
ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8), ipnat(8)
|
||||||
.SH DIAGNOSTICS
|
.SH DIAGNOSTICS
|
||||||
.PP
|
|
||||||
Needs to be run as root for the packet filtering lists to actually
|
Needs to be run as root for the packet filtering lists to actually
|
||||||
be affected inside the kernel.
|
be affected inside the kernel.
|
||||||
.SH BUGS
|
.SH BUGS
|
||||||
.PP
|
|
||||||
If you find any, please send email to me at darrenr@pobox.com
|
If you find any, please send email to me at darrenr@pobox.com
|
||||||
|
@ -2,7 +2,6 @@
|
|||||||
.SH NAME
|
.SH NAME
|
||||||
IP Filter
|
IP Filter
|
||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
.PP
|
|
||||||
IP Filter is a package providing packet filtering capabilities for a variety
|
IP Filter is a package providing packet filtering capabilities for a variety
|
||||||
of operating systems. On a properly setup system, it can be used to build a
|
of operating systems. On a properly setup system, it can be used to build a
|
||||||
firewall.
|
firewall.
|
||||||
|
@ -40,7 +40,6 @@ ipfs \- saves and restores information for NAT and state tables.
|
|||||||
.B \-i
|
.B \-i
|
||||||
<if1>,<if2>
|
<if1>,<if2>
|
||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
.PP
|
|
||||||
\fBipfs\fP allows state information created for NAT entries and rules using
|
\fBipfs\fP allows state information created for NAT entries and rules using
|
||||||
\fIkeep state\fP to be locked (modification prevented) and then saved to disk,
|
\fIkeep state\fP to be locked (modification prevented) and then saved to disk,
|
||||||
allowing for the system to experience a reboot, followed by the restoration
|
allowing for the system to experience a reboot, followed by the restoration
|
||||||
@ -117,10 +116,8 @@ operation and unlocked once complete.
|
|||||||
.SH SEE ALSO
|
.SH SEE ALSO
|
||||||
ipf(8), ipl(4), ipmon(8), ipnat(8)
|
ipf(8), ipl(4), ipmon(8), ipnat(8)
|
||||||
.SH DIAGNOSTICS
|
.SH DIAGNOSTICS
|
||||||
.PP
|
|
||||||
Perhaps the -W and -R operations should set the locking but rather than
|
Perhaps the -W and -R operations should set the locking but rather than
|
||||||
undo it, restore it to what it was previously. Fragment table information
|
undo it, restore it to what it was previously. Fragment table information
|
||||||
is currently not saved.
|
is currently not saved.
|
||||||
.SH BUGS
|
.SH BUGS
|
||||||
.PP
|
|
||||||
If you find any, please send email to me at darrenr@pobox.com
|
If you find any, please send email to me at darrenr@pobox.com
|
||||||
|
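Review bot: Same two-macro pattern as the ipf(8) DIAGNOSTICS/BUGS hunk, with `.PP` removed under both `.SH DIAGNOSTICS` and `.SH BUGS`, and `.SH SEE ALSO` left alone because it is already followed directly by text. Unrelated to this change, the DIAGNOSTICS text here ("Perhaps the -W and -R operations should set the locking but rather than undo it, restore it to what it was previously. Fragment table information is currently not saved.") reads like a BUGS or TODO remark rather than a diagnostic; a follow-up could move it under `.SH BUGS`.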
@ -34,7 +34,6 @@ interface
|
|||||||
<optionlist>
|
<optionlist>
|
||||||
]
|
]
|
||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
.PP
|
|
||||||
\fBipftest\fP is provided for the purpose of being able to test a set of
|
\fBipftest\fP is provided for the purpose of being able to test a set of
|
||||||
filter rules without having to put them in place, in operation and proceed
|
filter rules without having to put them in place, in operation and proceed
|
||||||
to test their effectiveness. The hope is that this minimises disruptions
|
to test their effectiveness. The hope is that this minimises disruptions
|
||||||
|
@ -52,7 +52,6 @@ The lines above would save all ipf log entries to /var/log/ipf-log, send
|
|||||||
all of the entries for NAT (ipnat related) to syslog and generate an email
|
all of the entries for NAT (ipnat related) to syslog and generate an email
|
||||||
to root for each log entry from the state tables.
|
to root for each log entry from the state tables.
|
||||||
.SH SYNTAX - MATCHING
|
.SH SYNTAX - MATCHING
|
||||||
.PP
|
|
||||||
In the above example, the matching segment was confined to matching on
|
In the above example, the matching segment was confined to matching on
|
||||||
the type of log entry generated. The full list of fields that can be
|
the type of log entry generated. The full list of fields that can be
|
||||||
used here is:
|
used here is:
|
||||||
@ -189,7 +188,6 @@ it can then be used in any
|
|||||||
.I do
|
.I do
|
||||||
statement.
|
statement.
|
||||||
.SH EXAMPLES
|
.SH EXAMPLES
|
||||||
.PP
|
|
||||||
Some further examples are:
|
Some further examples are:
|
||||||
.nf
|
.nf
|
||||||
|
|
||||||
@ -208,7 +206,6 @@ match { dstip 127.0.0.1; } do { local("local options"); };
|
|||||||
#
|
#
|
||||||
.fi
|
.fi
|
||||||
.SH MATCHING
|
.SH MATCHING
|
||||||
.PP
|
|
||||||
All entries of the rules present in the file are
|
All entries of the rules present in the file are
|
||||||
compared for matches - there is no first or last rule match.
|
compared for matches - there is no first or last rule match.
|
||||||
.SH FILES
|
.SH FILES
|
||||||
|
@ -27,7 +27,6 @@ ipmon \- monitors /dev/ipl for logged packets
|
|||||||
.B <filename>
|
.B <filename>
|
||||||
]
|
]
|
||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
.LP
|
|
||||||
\fBipmon\fP opens \fB/dev/ipl\fP for reading and awaits data to be saved from
|
\fBipmon\fP opens \fB/dev/ipl\fP for reading and awaits data to be saved from
|
||||||
the packet filter. The binary data read from the device is reprinted in
|
the packet filter. The binary data read from the device is reprinted in
|
||||||
human readable form, however, IP#'s are not mapped back to hostnames, nor are
|
human readable form, however, IP#'s are not mapped back to hostnames, nor are
|
||||||
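Review bot: the macro removed after `.SH DESCRIPTION` in this ipmon hunk is `.LP`, not `.PP`. `.LP` is a synonym for `.PP` in man(7), so it triggers the same "skipping paragraph macro" warning and dropping it is equally safe and equally invisible in the rendered output, but it is worth stating explicitly that LP occurrences are covered as well (the ipsend.5 GRAMMAR hunk further down has another), since a reader expecting only PP removals may otherwise wonder whether this one was intended.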
@ -191,5 +190,4 @@ recorded data.
|
|||||||
.SH SEE ALSO
|
.SH SEE ALSO
|
||||||
ipl(4), ipmon(5), ipf(8), ipfstat(8), ipnat(8)
|
ipl(4), ipmon(5), ipf(8), ipfstat(8), ipnat(8)
|
||||||
.SH BUGS
|
.SH BUGS
|
||||||
.PP
|
|
||||||
If you find any, please send email to me at darrenr@pobox.com
|
If you find any, please send email to me at darrenr@pobox.com
|
||||||
|
@ -8,7 +8,6 @@ ipnat \- user interface to the NAT
|
|||||||
]
|
]
|
||||||
.B \-f <\fIfilename\fP>
|
.B \-f <\fIfilename\fP>
|
||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
.PP
|
|
||||||
\fBipnat\fP opens the filename given (treating "\-" as stdin) and parses the
|
\fBipnat\fP opens the filename given (treating "\-" as stdin) and parses the
|
||||||
file for a set of rules which are to be added or removed from the IP NAT.
|
file for a set of rules which are to be added or removed from the IP NAT.
|
||||||
.PP
|
.PP
|
||||||
|
@ -10,7 +10,6 @@ ipnat \- Network Address Translation kernel interface
|
|||||||
.br
|
.br
|
||||||
#include <netinet/ip_nat.h>
|
#include <netinet/ip_nat.h>
|
||||||
.SH IOCTLS
|
.SH IOCTLS
|
||||||
.PP
|
|
||||||
To add and delete rules to the NAT list, two 'basic' ioctls are provided
|
To add and delete rules to the NAT list, two 'basic' ioctls are provided
|
||||||
for use. The ioctl's are called as:
|
for use. The ioctl's are called as:
|
||||||
.LP
|
.LP
|
||||||
|
@ -3,7 +3,6 @@
|
|||||||
.SH NAME
|
.SH NAME
|
||||||
ipnat, ipnat.conf \- IPFilter NAT file format
|
ipnat, ipnat.conf \- IPFilter NAT file format
|
||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
.PP
|
|
||||||
The
|
The
|
||||||
.B ipnat.conf
|
.B ipnat.conf
|
||||||
file is used to specify rules for the Network Address Translation (NAT)
|
file is used to specify rules for the Network Address Translation (NAT)
|
||||||
@ -30,7 +29,6 @@ to text that appears before the "->" and the "right hand side" (RHS) for text
|
|||||||
that appears after it. In essence, the LHS is the packet matching and the
|
that appears after it. In essence, the LHS is the packet matching and the
|
||||||
RHS is the new data to be used.
|
RHS is the new data to be used.
|
||||||
.SH VARIABLES
|
.SH VARIABLES
|
||||||
.PP
|
|
||||||
This configuration file, like all others used with IPFilter, supports the
|
This configuration file, like all others used with IPFilter, supports the
|
||||||
use of variable substitution throughout the text.
|
use of variable substitution throughout the text.
|
||||||
.nf
|
.nf
|
||||||
@ -280,7 +278,6 @@ of (say) 172.192.0.2 wanted 260 simultaneous connections going out, they would
|
|||||||
be limited to 252 with \fBmap-block\fP but would just \fImove on\fP to the next
|
be limited to 252 with \fBmap-block\fP but would just \fImove on\fP to the next
|
||||||
IP address with the \fBmap\fP command.
|
IP address with the \fBmap\fP command.
|
||||||
.SS Extended matching
|
.SS Extended matching
|
||||||
.PP
|
|
||||||
If it is desirable to match on both the source and destination of a packet
|
If it is desirable to match on both the source and destination of a packet
|
||||||
before applying an address translation to it, this can be achieved by using
|
before applying an address translation to it, this can be achieved by using
|
||||||
the same from-to syntax as is used in \fBipf.conf\fP(5). What follows
|
the same from-to syntax as is used in \fBipf.conf\fP(5). What follows
|
||||||
@ -322,7 +319,6 @@ the defined pool only has /24's or /32's. Pools may also be used
|
|||||||
.I wherever
|
.I wherever
|
||||||
the from-to syntax in \fBipnat.conf\fR(5) is allowed.
|
the from-to syntax in \fBipnat.conf\fR(5) is allowed.
|
||||||
.SH INBOUND DESTINATION TRANSLATION (redirection)
|
.SH INBOUND DESTINATION TRANSLATION (redirection)
|
||||||
.PP
|
|
||||||
Redirection of packets is used to change the destination fields in a packet
|
Redirection of packets is used to change the destination fields in a packet
|
||||||
and is supported for packets that are moving \fIin\fP on a network interface.
|
and is supported for packets that are moving \fIin\fP on a network interface.
|
||||||
While the same general syntax for
|
While the same general syntax for
|
||||||
@ -465,7 +461,6 @@ rdr le0,ppp0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp
|
|||||||
round-robin frag age 40/40 sticky mssclamp 1000 tag tagged
|
round-robin frag age 40/40 sticky mssclamp 1000 tag tagged
|
||||||
.fi
|
.fi
|
||||||
.SH REWRITING SOURCE AND DESTINATION
|
.SH REWRITING SOURCE AND DESTINATION
|
||||||
.PP
|
|
||||||
Whilst the above two commands provide a lot of flexibility in changing
|
Whilst the above two commands provide a lot of flexibility in changing
|
||||||
addressing fields in packets, often it can be of benefit to translate
|
addressing fields in packets, often it can be of benefit to translate
|
||||||
\fIboth\fP source \fBand\fR destination at the same time or to change
|
\fIboth\fP source \fBand\fR destination at the same time or to change
|
||||||
@ -549,7 +544,6 @@ rewrite from any to any port = 80 ->
|
|||||||
src 1.1.2.3 - 1.1.2.6 dst 2.2.3.4 - 2.2.3.6;
|
src 1.1.2.3 - 1.1.2.6 dst 2.2.3.4 - 2.2.3.6;
|
||||||
.fi
|
.fi
|
||||||
.SH DIVERTING PACKETS
|
.SH DIVERTING PACKETS
|
||||||
.PP
|
|
||||||
If you'd like to send packets to a UDP socket rather than just another
|
If you'd like to send packets to a UDP socket rather than just another
|
||||||
computer to be decapsulated, this can be achieved using a
|
computer to be decapsulated, this can be achieved using a
|
||||||
.B divert
|
.B divert
|
||||||
@ -598,7 +592,6 @@ are flushed out, it is expected that the operator will similarly
|
|||||||
flush the NAT table and thus NAT sessions are not removed when the
|
flush the NAT table and thus NAT sessions are not removed when the
|
||||||
NAT rules are flushed out.
|
NAT rules are flushed out.
|
||||||
.SH RULE ORDERING
|
.SH RULE ORDERING
|
||||||
.PP
|
|
||||||
.B NOTE:
|
.B NOTE:
|
||||||
Rules in
|
Rules in
|
||||||
.B ipnat.conf
|
.B ipnat.conf
|
||||||
@ -655,7 +648,6 @@ rdr le0 from 1.1.1.0/24 to 192.2.2.1 port 80 -> 127.0.0.1 3128 tcp
|
|||||||
.PP
|
.PP
|
||||||
Then no packets will match the 2nd rule, they'll all match the first.
|
Then no packets will match the 2nd rule, they'll all match the first.
|
||||||
.SH IPv6
|
.SH IPv6
|
||||||
.PP
|
|
||||||
In all of the examples above, where an IPv4 address is present, an IPv6
|
In all of the examples above, where an IPv4 address is present, an IPv6
|
||||||
address can also be used. All rules must use either IPv4 addresses with
|
address can also be used. All rules must use either IPv4 addresses with
|
||||||
both halves of the NAT rule or IPv6 addresses for both halves. Mixing
|
both halves of the NAT rule or IPv6 addresses for both halves. Mixing
|
||||||
@ -667,7 +659,6 @@ For shorthand notations such as "0/32", the equivalent for IPv6 is
|
|||||||
implicit direction that the address should be IPv6, not IPv4.
|
implicit direction that the address should be IPv6, not IPv4.
|
||||||
To be unambiguous with 0/0, for IPv6 use ::0/0.
|
To be unambiguous with 0/0, for IPv6 use ::0/0.
|
||||||
.SH KERNEL PROXIES
|
.SH KERNEL PROXIES
|
||||||
.PP
|
|
||||||
IP Filter comes with a few, simple, proxies built into the code that is loaded
|
IP Filter comes with a few, simple, proxies built into the code that is loaded
|
||||||
into the kernel to allow secondary channels to be opened without forcing the
|
into the kernel to allow secondary channels to be opened without forcing the
|
||||||
packets through a user program. The current state of the proxies is listed
|
packets through a user program. The current state of the proxies is listed
|
||||||
|
@ -15,7 +15,6 @@ ipnat \- user interface to the NAT subsystem
|
|||||||
]
|
]
|
||||||
.B \-f <\fIfilename\fP>
|
.B \-f <\fIfilename\fP>
|
||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
.PP
|
|
||||||
\fBipnat\fP opens the filename given (treating "\-" as stdin) and parses the
|
\fBipnat\fP opens the filename given (treating "\-" as stdin) and parses the
|
||||||
file for a set of rules which are to be added or removed from the IP NAT.
|
file for a set of rules which are to be added or removed from the IP NAT.
|
||||||
.PP
|
.PP
|
||||||
|
@ -38,7 +38,6 @@ heirarchical matching, so it is possible to define a subnet as matching
|
|||||||
but then exclude specific addresses from it.
|
but then exclude specific addresses from it.
|
||||||
.SS
|
.SS
|
||||||
Evolving Configuration
|
Evolving Configuration
|
||||||
.PP
|
|
||||||
Over time the configuration syntax used by ippool.conf(5) has evolved.
|
Over time the configuration syntax used by ippool.conf(5) has evolved.
|
||||||
Originally the syntax used was more verbose about what a particular
|
Originally the syntax used was more verbose about what a particular
|
||||||
value was being used for, for example:
|
value was being used for, for example:
|
||||||
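Review bot: `.SS` here carries its heading on the following line (`.SS` / `Evolving Configuration`), so the `.PP` being removed was still directly after the subsection heading and the removal is right; the same next-line form appears in the `IPFilter devices and pools` subsection in the next hunk. Consider a follow-up that folds the heading onto the macro line as `.SS Evolving Configuration`, matching the `.SS Extended matching` form used in ipnat.conf, and that fixes `heirarchical` in the hunk's context line to `hierarchical` while there.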
@ -65,7 +64,6 @@ configuration syntax and all output using "ippool -l" will also be in the
|
|||||||
new configuration syntax.
|
new configuration syntax.
|
||||||
.SS
|
.SS
|
||||||
IPFilter devices and pools
|
IPFilter devices and pools
|
||||||
.PP
|
|
||||||
To cater to different administration styles, ipool.conf(5) allows you to
|
To cater to different administration styles, ipool.conf(5) allows you to
|
||||||
tie a pool to a specific role in IPFilter. The recognised role names are:
|
tie a pool to a specific role in IPFilter. The recognised role names are:
|
||||||
.HP
|
.HP
|
||||||
@ -89,7 +87,6 @@ all
|
|||||||
pools that are defined for the "all" role are available to all types of
|
pools that are defined for the "all" role are available to all types of
|
||||||
rules, be they NAT rules in ipnat.conf(5) or firewall rules in ipf.conf(5).
|
rules, be they NAT rules in ipnat.conf(5) or firewall rules in ipf.conf(5).
|
||||||
.SH Address Pools
|
.SH Address Pools
|
||||||
.PP
|
|
||||||
An address pool can be used in ipf.conf(5) and ipnat.conf(5) for matching
|
An address pool can be used in ipf.conf(5) and ipnat.conf(5) for matching
|
||||||
the source or destination address of packets. They can be referred to either
|
the source or destination address of packets. They can be referred to either
|
||||||
by name or number and can hold an arbitrary number of address patterns to
|
by name or number and can hold an arbitrary number of address patterns to
|
||||||
@ -163,7 +160,6 @@ block in from pool/microsoft to any
|
|||||||
Note that there are limitations on the output returned by whois servers
|
Note that there are limitations on the output returned by whois servers
|
||||||
so be aware that their output may not be 100% perfect for your goal.
|
so be aware that their output may not be 100% perfect for your goal.
|
||||||
.SH Destination Lists
|
.SH Destination Lists
|
||||||
.PP
|
|
||||||
Destination lists are provided for use primarily with NAT redirect rules
|
Destination lists are provided for use primarily with NAT redirect rules
|
||||||
(rdr). Their purpose is to allow more sophisticated methods of selecting
|
(rdr). Their purpose is to allow more sophisticated methods of selecting
|
||||||
which host to send traffic to next than the simple round-robin technique
|
which host to send traffic to next than the simple round-robin technique
|
||||||
@ -242,7 +238,6 @@ pool all/dstlist (name servers; policy weighted connection;)
|
|||||||
{ bge0:1.1.1.2; bge0:1.1.1.4; bge1:1.1.1.5; bge1:1.1.1.9; };
|
{ bge0:1.1.1.2; bge0:1.1.1.4; bge1:1.1.1.5; bge1:1.1.1.9; };
|
||||||
.fi
|
.fi
|
||||||
.SH Group maps
|
.SH Group maps
|
||||||
.PP
|
|
||||||
Group maps are provided to allow more efficient processing of packets
|
Group maps are provided to allow more efficient processing of packets
|
||||||
where there are a larger number of subnets and groups of rules for those
|
where there are a larger number of subnets and groups of rules for those
|
||||||
subnets. Group maps are used with "call" rules in ipf.conf(5) that
|
subnets. Group maps are used with "call" rules in ipf.conf(5) that
|
||||||
@ -282,7 +277,6 @@ The limitation with group maps is that only the source address or the
|
|||||||
destination address can be used to map the packet to the starting group,
|
destination address can be used to map the packet to the starting group,
|
||||||
not both, in your ipf.conf(5) file.
|
not both, in your ipf.conf(5) file.
|
||||||
.SH Hash Tables
|
.SH Hash Tables
|
||||||
.PP
|
|
||||||
The hash table is operationally similar to the address pool. It is
|
The hash table is operationally similar to the address pool. It is
|
||||||
used as a store for a collection of address to match on, saving the
|
used as a store for a collection of address to match on, saving the
|
||||||
need to write a lengthy list of rules. As with address pools, searching
|
need to write a lengthy list of rules. As with address pools, searching
|
||||||
|
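Review bot: the removal after `.SH Hash Tables` is fine; in the unchanged context, `a collection of address to match on` should read `a collection of addresses to match on`. Not part of this change, but a one-word follow-up.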
@ -28,7 +28,6 @@ ippool \- user interface to the IPFilter pools
|
|||||||
.B ippool
|
.B ippool
|
||||||
-s [-dtv]
|
-s [-dtv]
|
||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
.PP
|
|
||||||
.B Ippool
|
.B Ippool
|
||||||
is used to manage information stored in the IP pools subsystem of IPFilter.
|
is used to manage information stored in the IP pools subsystem of IPFilter.
|
||||||
Configuration file information may be parsed and loaded into the kernel,
|
Configuration file information may be parsed and loaded into the kernel,
|
||||||
|
@ -3,7 +3,6 @@
|
|||||||
.SH NAME
|
.SH NAME
|
||||||
ipscan, ipscan.conf \- ipscan file format
|
ipscan, ipscan.conf \- ipscan file format
|
||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
.PP
|
|
||||||
WARNING: This feature is to be considered experimental and may change
|
WARNING: This feature is to be considered experimental and may change
|
||||||
significantly until a final implementation is drawn up.
|
significantly until a final implementation is drawn up.
|
||||||
.PP
|
.PP
|
||||||
|
@ -10,7 +10,6 @@ ipscan \- user interface to the IPFilter content scanning
|
|||||||
]
|
]
|
||||||
.B \-f <\fIfilename\fP>
|
.B \-f <\fIfilename\fP>
|
||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
.PP
|
|
||||||
\fBipscan\fP opens the filename given (treating "\-" as stdin) and parses the
|
\fBipscan\fP opens the filename given (treating "\-" as stdin) and parses the
|
||||||
file to build up a content scanning configuration to load into the kernel.
|
file to build up a content scanning configuration to load into the kernel.
|
||||||
Currently only the first 16 bytes of a connection can be compared.
|
Currently only the first 16 bytes of a connection can be compared.
|
||||||
|
@ -20,7 +20,6 @@ ipresend \- resend IP packets out to network
|
|||||||
<\fIfilename\fP>
|
<\fIfilename\fP>
|
||||||
]
|
]
|
||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
.PP
|
|
||||||
\fBipresend\fP was designed to allow packets to be resent, once captured,
|
\fBipresend\fP was designed to allow packets to be resent, once captured,
|
||||||
back out onto the network for use in testing. \fIipresend\fP supports a
|
back out onto the network for use in testing. \fIipresend\fP supports a
|
||||||
number of different file formats as input, including saved snoop/tcpdump
|
number of different file formats as input, including saved snoop/tcpdump
|
||||||
@ -97,10 +96,8 @@ The input file is composed of text descriptions of IP packets.
|
|||||||
.SH SEE ALSO
|
.SH SEE ALSO
|
||||||
snoop(1m), tcpdump(8), etherfind(8c), ipftest(1), ipresend(1), iptest(1), bpf(4), dlpi(7p)
|
snoop(1m), tcpdump(8), etherfind(8c), ipftest(1), ipresend(1), iptest(1), bpf(4), dlpi(7p)
|
||||||
.SH DIAGNOSTICS
|
.SH DIAGNOSTICS
|
||||||
.PP
|
|
||||||
Needs to be run as root.
|
Needs to be run as root.
|
||||||
.SH BUGS
|
.SH BUGS
|
||||||
.PP
|
|
||||||
Not all of the input formats are sufficiently capable of introducing a
|
Not all of the input formats are sufficiently capable of introducing a
|
||||||
wide enough variety of packets for them to be all useful in testing.
|
wide enough variety of packets for them to be all useful in testing.
|
||||||
If you find any, please send email to me at darrenr@pobox.com
|
If you find any, please send email to me at darrenr@pobox.com
|
||||||
|
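Review bot: in the BUGS section of this hunk, `If you find any, please send email to me at darrenr@pobox.com` runs straight on from `wide enough variety of packets for them to be all useful in testing.` with no paragraph macro between the two lines, so the rendered BUGS text is one paragraph in which "any" reads as referring to input formats rather than bugs. Since this change is about paragraph macros anyway, a `.PP` between those two lines would separate them; it is a mid-section break, not one directly after `.SH`, so mandoc does not warn about it.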
@ -35,7 +35,6 @@ ipsend \- sends IP packets
|
|||||||
<\fIwindow\fP>
|
<\fIwindow\fP>
|
||||||
] <destination> [TCP-flags]
|
] <destination> [TCP-flags]
|
||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
.PP
|
|
||||||
\fBipsend\fP can be compiled in two ways. The first is used to send one-off
|
\fBipsend\fP can be compiled in two ways. The first is used to send one-off
|
||||||
packets to a destination host, using command line options to specify various
|
packets to a destination host, using command line options to specify various
|
||||||
attributes present in the headers. The \fIdestination\fP must be given as
|
attributes present in the headers. The \fIdestination\fP must be given as
|
||||||
@ -103,8 +102,6 @@ enable verbose mode.
|
|||||||
.SH SEE ALSO
|
.SH SEE ALSO
|
||||||
ipsend(1), ipresend(1), iptest(1), protocols(4), bpf(4), dlpi(7p)
|
ipsend(1), ipresend(1), iptest(1), protocols(4), bpf(4), dlpi(7p)
|
||||||
.SH DIAGNOSTICS
|
.SH DIAGNOSTICS
|
||||||
.PP
|
|
||||||
Needs to be run as root.
|
Needs to be run as root.
|
||||||
.SH BUGS
|
.SH BUGS
|
||||||
.PP
|
|
||||||
If you find any, please send email to me at darrenr@pobox.com
|
If you find any, please send email to me at darrenr@pobox.com
|
||||||
|
@ -7,7 +7,6 @@ text file which fits the grammar described below. The purpose of this
|
|||||||
grammar is to allow IP packets to be described in an arbitary way which
|
grammar is to allow IP packets to be described in an arbitary way which
|
||||||
also allows encapsulation to be so done to an arbitary level.
|
also allows encapsulation to be so done to an arbitary level.
|
||||||
.SH GRAMMAR
|
.SH GRAMMAR
|
||||||
.LP
|
|
||||||
.nf
|
.nf
|
||||||
line ::= iface | arp | send | defrouter | ipv4line .
|
line ::= iface | arp | send | defrouter | ipv4line .
|
||||||
|
|
||||||
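Review bot: the macro dropped after `.SH GRAMMAR` is `.LP`, a synonym for `.PP`, so mandoc's warning and the fix are the same as for the `.PP` cases, and the `.nf` that now sits directly under the heading renders the same. Unrelated but visible in the context lines: `arbitary` appears twice (`in an arbitary way`, `to an arbitary level`) and should be `arbitrary`; a follow-up spelling fix would be welcome.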
@ -80,7 +79,6 @@ databodyopts ::= "len" number | "value" string | "file" filename .
|
|||||||
icmpechoopts ::= "icmpseq" number | "icmpid" number .
|
icmpechoopts ::= "icmpseq" number | "icmpid" number .
|
||||||
.fi
|
.fi
|
||||||
.SH COMMANDS
|
.SH COMMANDS
|
||||||
.PP
|
|
||||||
Before sending any packets or defining any packets, it is necessary to
|
Before sending any packets or defining any packets, it is necessary to
|
||||||
describe the interface(s) which will be used to send packets out.
|
describe the interface(s) which will be used to send packets out.
|
||||||
.TP
|
.TP
|
||||||
|
@ -23,7 +23,6 @@ iptest \- automatically generate a packets to test IP functionality
|
|||||||
<\fIsource\fP>
|
<\fIsource\fP>
|
||||||
] <destination>
|
] <destination>
|
||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
.PP
|
|
||||||
\fBiptest\fP ...
|
\fBiptest\fP ...
|
||||||
.SH OPTIONS
|
.SH OPTIONS
|
||||||
.TP
|
.TP
|
||||||
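Review bot: removing `.PP` after `.SH DESCRIPTION` is correct, but the entire DESCRIPTION body of this page is the placeholder `\fBiptest\fP ...`; the section says nothing about what iptest does. That predates this change, but since the file is being touched it is a good candidate for a follow-up that writes a real description.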
@ -98,5 +97,4 @@ Only one of the numeric test options may be given when \fIiptest\fP is run.
|
|||||||
.PP
|
.PP
|
||||||
Needs to be run as root.
|
Needs to be run as root.
|
||||||
.SH BUGS
|
.SH BUGS
|
||||||
.PP
|
|
||||||
If you find any, please send email to me at darrenr@pobox.com
|
If you find any, please send email to me at darrenr@pobox.com
|
||||||
|