HardenedBSD/sbin/ipfw/ipfw.8
1996-02-24 13:39:46 +00:00


.Dd February 24, 1996
.Dt IPFW 8 SMM
.Os FreeBSD
.Sh NAME
.Nm ipfw
.Nd controlling utility for IP firewall
.Sh SYNOPSIS
.Nm ipfw
.Ar file
.Nm ipfw
flush
.Nm ipfw
zero
.Nm ipfw
delete
.Ar number
.Nm ipfw
.Oo
.Fl aN
.Oc
list
.Nm ipfw
add
.Oo
.Ar number
.Oc
.Ar action
.Oo
log
.Oc
.Ar proto
from
.Ar src
to
.Ar dst
.Oo
via
.Ar name|ipno
.Oc
.Oo
.Ar options
.Oc
.Sh DESCRIPTION
If used as shown in the first synopsis line, the
.Ar file
will be read line by line and applied as arguments to the
.Nm ipfw
command.
.Pp
The ipfw code works by going through the rule-list for each packet,
until a match is found.
All rules have two counters associated with them, a packet count and
a byte count.
These counters are updated when a packet matches the rule.
.Pp
The rules are ordered by a ``line-number'' that is used to order and
delete rules.
If a rule is added without a number, it is put at the end, just before
the terminal ``policy-rule'', and numbered 100 higher than the previous
rule.
.Pp
One rule is always present:
.Bd -literal -offset center
65535 deny all from any to any
.Ed
This rule is the default policy, i.e. don't allow anything at all.
Your job in setting up rules is to modify this policy to match your
needs.
.Pp
The following options are available:
.Bl -tag -width flag
.It Fl a
While listing, show counter values. This option is the only way to see
accounting records.
.It Fl N
Try to resolve addresses.
.El
.Pp
.Ar action :
.Bl -hang -offset flag -width 1234567890123456
.It Nm accept
Accept packets that match rule.
The search terminates.
.It Nm pass
Same as accept.
.It Nm count
Update counters for all packets that match this rule.
The search continues with next rule.
.It Nm deny
Discard packets that match this rule.
The search terminates.
.It Nm reject
Discard packets that match this rule, and try to send an ICMP notice.
The search terminates.
.El
.Pp
When a packet matches a rule with the
.Nm log
keyword, a message will be printed on the console.
.Pp
.Ar proto :
.Bl -hang -offset flag -width 1234567890123456
.It Nm ip
All packets match.
.It Nm all
All packets match.
.It Nm tcp
Only TCP packets match.
.It Nm udp
Only UDP packets match.
.It Nm icmp
Only ICMP packets match.
.El
.Pp
.Ar src
and
.Ar dst :
.Bl -hang -offset flag -width 1234567890123456
.It Ar ipno
An ipnumber of the form 1.2.3.4.
Only this exact ip number matches the rule.
.It Ar ipno/bits
An ipnumber with a mask width of the form 1.2.3.4/24.
In this case all ip numbers from 1.2.3.0 to 1.2.3.255 will match.
.It Ar ipno:mask
An ipnumber with a mask pattern of the form 1.2.3.4:255.255.240.0.
In this case all ip numbers from 1.2.0.0 to 1.2.15.255 will match.
.El
.Pp
If ``via''
.Ar name
is specified, only packets received via or on their way out of an interface
matching
.Ar name
will match this rule.
.Pp
If ``via''
.Ar ipno
is specified, only packets received via or on their way out of an interface
having the address
.Ar ipno
will match this rule.
.Pp
.Ar options :
.Bl -hang -offset flag -width 1234567890123456
.It frag
Matches if the packet is a fragment and this is not the first fragment
of the datagram.
.It in
Matches if this packet was on the way in.
.It out
Matches if this packet was on the way out.
.It ipoptions Ar spec
Not yet documented. Look in the source: src/sys/netnet/ipfw.c.
.It established
Matches packets that do not have the SYN bit set.
TCP packets only.
.It setup
Matches packets that have the SYN bit set but no ACK bit.
TCP packets only.
.It tcpflags Ar spec
Not yet documented. Look in the source: src/sys/netnet/ipfw.c.
TCP packets only.
.El
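.Pp
The rule walk described above (first match ends the search, count only
updates counters and continues, the terminal policy rule 65535, numbers
assigned 100 above the previous rule, and the three src/dst address
forms) can be modelled in a few lines. This is an added illustration,
not code from the ipfw utility or kernel; the class and function names
are chosen here and the sample rules are constructed.

```python
import ipaddress

# Terminal policy rule that is always present (from the man page).
POLICY_NUMBER = 65535


def parse_addr(spec):
    """Turn ipno, ipno/bits, ipno:mask or 'any' into an ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if ":" in spec:                      # ipno:mask, e.g. 1.2.3.4:255.255.240.0
        ip, mask = spec.split(":", 1)
        return ipaddress.ip_network((ip, mask), strict=False)
    return ipaddress.ip_network(spec, strict=False)   # ipno or ipno/bits


class RuleList:
    """Ordered rule list with a packet and a byte counter per rule."""

    def __init__(self):
        self.rules = []                  # (number, action, proto, src_net, dst_net)
        self.counters = {POLICY_NUMBER: [0, 0]}

    def add(self, action, proto, src, dst, number=None):
        """Add a rule; without a number it goes last, 100 above the previous rule."""
        if number is None:
            number = (self.rules[-1][0] if self.rules else 0) + 100
        self.rules.append((number, action, proto, parse_addr(src), parse_addr(dst)))
        self.rules.sort(key=lambda r: r[0])
        self.counters[number] = [0, 0]
        return number

    def check(self, proto, src, dst, length):
        """Walk the list for one packet: 'count' continues, every other
        action ends the search. Returns (rule number, action)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        policy = (POLICY_NUMBER, "deny", "all", parse_addr("any"), parse_addr("any"))
        for number, action, rproto, rsrc, rdst in self.rules + [policy]:
            if rproto not in ("ip", "all", proto):
                continue
            if src not in rsrc or dst not in rdst:
                continue
            self.counters[number][0] += 1        # packet count
            self.counters[number][1] += length   # byte count
            if action != "count":
                return number, action
        raise AssertionError("unreachable: the policy rule matches everything")
```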
.Sh CHECKLIST
Here are some important points to consider when designing your
rules:
.Bl -bullet -hang -offset flag -width 1234567890123456
.It
Remember that you filter both packets going in and out.
Most connections need packets going in both directions.
.It
Remember to test very carefully.
It is a good idea to be near the console when doing this.
.It
Don't forget the loopback interface.
.El
.Sh FINE POINTS
There is one kind of packet that the firewall will always discard,
that is an IP fragment with a fragment offset of one.
This is a valid packet, but it only has one use, to try to circumvent
firewalls.
.Pp
If you are logged in over a network, loading the LKM version of
.Nm
is probably not as straightforward as you would think.
I recommend this command line:
.Bd -literal -offset center
modload /lkm/ipfw_mod.o && \e
ipfw add 32000 allow all from any to any
.Ed
Along the same lines, doing a
.Bd -literal -offset center
ipfw flush
.Ed
in similar surroundings is also a bad idea.
.Sh WARNING
This manual page is out of date beyond this point!
It is left here until some new text can be written.
.Sh OLD
In the first synopsis form,
.Nm
controls the firewall and accounting chains. In the second
synopsis form,
.Nm
sets the global firewall / accounting properties and
shows the chain list's contents.
.Pp
These are the valid
.Ar entry_actions :
.Bl -hang -offset flag -width 1234567890123456
.It Nm addf[irewall]
add entry to firewall chain.
.It Nm delf[irewall]
remove entry from firewall chain.
.It Nm adda[ccounting]
add entry to accounting chain.
.It Nm dela[ccounting]
remove entry from accounting chain.
.It Nm clr[accounting]
clear counters for accounting chain entry.
.El
.Pp
If no
.Ar entry_action
is specified, it will default to
.Nm addf[irewall]
or
.Nm adda[ccounting] ,
depending on the
.Ar chain_entry_pattern
specified.
.Pp
The valid
.Ar chain_actions
are:
.Bl -hang -offset flag -width 123456789
.It Nm f[lush]
remove all entries in firewall / accounting chains.
.It Nm l[ist]
display all entries in firewall / accounting chains.
.It Nm z[ero]
clear chain counters (accounting only).
.It Nm p[olicy]
set default policy properties.
.El
.Pp
The
.Ar chain_entry_pattern
structure is:
.Pp
.Dl [keyword] [protocol] [address pattern]
.Pp
For the firewall chain, valid
.Em keywords
are:
.Bl -hang -offset flag -width 12345678
.It Nm reject
Reject the packet, and send an
.Tn ICMP HOST_UNREACHABLE
packet to the source.
.It Nm lreject
The same as
.Nm reject ,
but also log the packet's details.
.It Nm deny
Reject the packet.
.It Nm ldeny
The same as
.Nm deny ,
but also log the packet's details.
.It Nm log
Accept the packet, and log it.
.It Nm accept
Accept the packet (obviously).
.It Nm pass
A synonym for accept.
.El
.Pp
For the accounting chain, valid
.Em keywords
are:
.Bl -tag -width flag
.It Nm single
Log packets matching entry.
.It Nm bidirectional
Log packets matching entry and also those going in the
opposite direction (from
.Dq dst
to
.Dq src ) .
.El
.Pp
Each keyword will be recognized by the shortest unambiguous prefix.
.Pp
Recognized
.Em protocols
are:
.Bl -hang -offset flag -width 123456
.It Nm all
Matches any IP packet.
.It Nm icmp
Matches ICMP packets.
.It Nm tcp
Matches TCP packets.
.It Nm udp
Matches UDP packets.
.It Nm syn
Matches the TCP SYN packet used in initiating a TCP connection. It
does not match the packet returned from a destination machine which
has the SYN and ACK bits set.
.El
.Pp
The
.Em address pattern
is:
.Pp
.Dl from <address/mask>[ports] to <address/mask>[ports] [via <interface>]
.Pp
You can only specify
.Em ports
with
.Em protocols
which actually have ports (TCP, UDP and SYN).
.Pp
The order of the
.Sq from/to/via
keywords is unimportant. Any of them may be omitted; an omitted one is
replaced by a default entry that matches any packet for that
.Sq from/to/via
part.
.Pp
The
.Em <address/mask>
is defined as:
.Pp
.Dl <address|name>[/mask_bits|:mask_pattern]
.Pp
.Em mask bits
is the decimal number of bits set in the address mask.
.Em mask pattern
has the form of an IP address to be AND'ed logically with the address
given. The keyword
.Em any
can be used to specify
.Dq any IP .
The IP address or name given is
.Em NOT
checked, and a wrong value
causes the entry to not match anything.
.Pp
The
.Em ports
to be blocked are specified as:
.Dl Ns port Ns Op ,port Ns Op ,...
or:
.Dl port:port
.Pp
to specify a range of ports. The name of a service (from
.Pa /etc/services )
can be used instead of
a numeric port value.
.Pp
The
.Em via <interface>
entry is optional and may specify the IP address or domain name of a local IP
interface, or an interface name (e.g.
.Em ed0 )
to match only packets coming
through this interface. The keyword
.Em via
can be replaced by
.Em on
for readability reasons.
.Pp
The
.Em l[ist]
command may be passed:
.Pp
.Dl f[irewall] | a[ccounting]
.Pp
to list a specific chain, or no argument to list all chains. The long output
format (default) is compatible with the syntax used by the
.Nm
utility.
.Pp
The
.Em f[lush]
command may be passed:
.Pp
.Dl f[irewall] | a[ccounting]
.Pp
to remove all entries from firewall or from accounting chain. Without
an argument it will remove all entries from both chains.
.Pp
The
.Em z[ero]
command needs no arguments. This command clears all counters for the
entire accounting chain.
.Pp
The
.Em p[olicy]
command can be given
.Pp
.Dl a[ccept] | d[eny]
.Pp
to set the default policy to deny or accept. Without an argument, the
current policy status is displayed.
.Sh EXAMPLES
This command adds an entry which denies all tcp packets from
.Em hacker.evil.org
to the telnet port of
.Em wolf.tambov.su
from being forwarded by the host:
.Pp
.Dl ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet
.Pp
This one disallows any connection from the entire hackers' network to
my host:
.Pp
.Dl ipfw addf deny all from 123.45.67.0/24 to my.host.org
.Pp
Here is a good use of the list command to see accounting records:
.Pp
.Dl ipfw -sa list accounting
.Pp
or in short form
.Pp
.Dl ipfw -sa l a
.Pp
Many more examples can be found in the file:
.Dl Pa /usr/share/FAQ/ipfw.FAQ
(missing for the moment)
.Sh SEE ALSO
.Xr gethostbyname 3 ,
.Xr getservbyport 3 ,
.Xr ip 4 ,
.Xr ipfirewall 4 ,
.Xr ipaccounting 4 ,
.Xr reboot 8 ,
.Xr syslogd 8
.Sh BUGS
Currently there is no method for filtering out specific types of ICMP
packets. Either you don't filter ICMP at all, or all ICMP packets are
filtered.
.Pp
The system has an optional rule weighting system for the firewall chain.
This means that rules are not used in the order that they are specified.
To enable this feature, you need to recompile your kernel, see the
.Em LINT
configuration for details.
In general you do not want that.
.Pp
To see what rule ordering is used, use the
.Em list
command.
.Pp
.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
.Pp
This program can put your computer in rather unusable state. When
using it for the first time, work on the console of the computer, and
do
.Em NOT
do anything you don't understand.
.Pp
Remember that
.Dq ipfw flush
can solve all the problems. Bear in mind that
.Dq ipfw policy deny
combined with some wrong chain entry (possibly the only entry, which
is designed to deny some external packets), can close your computer
from the outer world for good (or at least until you can get to the
console).
.Sh HISTORY
Initially this utility was written for BSDI by:
.Pp
.Dl Daniel Boulet <danny@BouletFermat.ab.ca>
.Pp
The FreeBSD version is written completely by:
.Pp
.Dl Ugen J.S.Antsilevich <ugen@FreeBSD.ORG>
.Pp
while the synopsis is partially compatible with the old one.
.Pp
This has all been extensively rearranged by Poul-Henning Kamp.