mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-21 16:32:25 +01:00
129 lines
5.1 KiB
Groff
129 lines
5.1 KiB
Groff
.Dd November 16, 1994
|
|
.Dt IPFW 8
|
|
.Os
|
|
.Sh NAME
|
|
ipfw - controlling utility for ipfw/ipacct facilities.
|
|
|
|
.Sh SYNOPSIS
|
|
|
|
ipfw [-n] <entry-action> <chain entry pattern>
|
|
ipfw [-ans] <chain-action> <chain[s] type>
|
|
|
|
.Sh DESCRIPTION
|
|
In the first synopsis form, the ipfw utility allows control of firewall
|
|
and accounting chains.
|
|
In the second synopsis form, the ipfw utility allows setting of global
|
|
firewall/accounting properties and listing of chain contents.
|
|
|
|
The following options are available:
|
|
|
|
-a While listing,show counter values-this option is the only way to
|
|
see accounting records.Works only with -s.
|
|
|
|
-n Do not resolve anything. When setting entries, do not try to resolve
|
|
a given address. When listing, display addresses in numeric form.
|
|
|
|
-s Short listing form.By default listing format is compatible with ipfw
|
|
input string format,so you can save listings to file and then reuse
|
|
them. With this option list format is much more short but
|
|
incompatible with ipfw syntacs.
|
|
|
|
These are <entry-actions>:
|
|
|
|
addf[irewall] - add entry to firewall chain.
|
|
delf[irewall] - remove entry from firewall chain.
|
|
adda[ccounting] - add entry to accounting chain.
|
|
dela[ccounting] - remove entry from accounting chain.
|
|
clr[accounting] - clear counters for accounting chain entry.
|
|
|
|
These are <chain-actions>:
|
|
f[lush] - remove all entries in firewall/accounting chains.
|
|
l[ist] - show all entries in firewall/accounting chains.
|
|
z[ero] - clear chain counters(accounting only).
|
|
p[olicy] - set default policy properties.
|
|
|
|
This is <chain-entry pattern> structure:
|
|
For forwarding/blocking chains:
|
|
vr[eject] <proto/addr pattern> reject packet,send ICMP unreachable and log.
|
|
r[eject] <proto/addr pattern> reject packet,send ICMP unreachable.
|
|
vd[eny] <proto/addr pattern> reject packet,log it.
|
|
d[eny] <proto/addr pattern> reject packet.
|
|
l[og] <proto/addr pattern> allow packet,log it.
|
|
va[ccept] <proto/addr pattern> allow packet,log it.
|
|
a[ccept] <proto/addr pattern> allow packet.
|
|
For accounting chain:
|
|
s[ingle] <proto/addr pattern> log packets matching entry.
|
|
b[idirectional] <proto/addr pattern> log packets matching entry and
|
|
those going in opposite direction (from entry
|
|
"dst" to "src").
|
|
|
|
The <proto/addr pattern> is:
|
|
all|icmp from <src addr/mask> to <dst addr/mask> [via <addr>]
|
|
tcp[syn]|udp from <src addr/mask>[ports] to <dst addr/mask>[ports][via <addr>]
|
|
all matches any IP packet.
|
|
icmp,tcp and udp - packets for corresponding protocols.
|
|
tcpsyn - tcp SYN packets (which used when initiating connection).
|
|
|
|
The <src addr/mask>:
|
|
<INET IP addr | domain name> [/mask bits | :mask pattern]
|
|
Mask bits is a decimal number of bits set in the address mask.
|
|
Mask pattern has form of IP address and AND'ed logically with address given.
|
|
[ports]: [ port,port....|port:port]
|
|
Name of service can be used instead of port numeric value.
|
|
|
|
The via <addr> is optional and may specify IP address/name of one of local
|
|
IP interfaces to match only packets coming through it.The IP given is NOT
|
|
checked,and wrong value of IP causes entry to not match anything.
|
|
|
|
To l[ist] command may be passed:
|
|
f[irewall] | a[ccounting] to list specific chain or none to list
|
|
all of chains.Long output format compatible with utility input syntacs.
|
|
|
|
To f[lush] command may be passed:
|
|
f[irewall] | a[ccounting] to remove all entries from firewall or
|
|
from accounting chain.Without arguments removes all chain entries.
|
|
|
|
To z[ero] command no arguments needed,this command clears counters for
|
|
whole accounting chain.
|
|
|
|
The p[olicy] command can be given a[ccept]|d[eny] to set default policy
|
|
as denial/accepting.Without arguments current default policy displayed.
|
|
|
|
.Sh EXAMPLES
|
|
|
|
This command add entry which denies all tcp packets from
|
|
hacker.evil.org to telnet port of wolf.tambov.su from being
|
|
forwarded by the host:
|
|
ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet
|
|
|
|
This one disallows any connection from entire hackers network
|
|
to my host:
|
|
ipfw addf deny all from 123.45.67.8/24 to my.host.org
|
|
|
|
Here is good usage of list command to see accounting records:
|
|
ipfw -sa list accounting (or in short form ipfw -sa l a ).
|
|
|
|
Much more examples can be found in files:
|
|
/usr/share/FAQ/ipfw.FAQ (missing for the moment)
|
|
|
|
.Sh SEE ALSO
|
|
ip(4),ipfirewall(4),ipaccounting(4),reboot(8)
|
|
|
|
.Sh BUGS
|
|
WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
|
|
This programm can put your computer in rather unusable state.
|
|
First time try using it from console and do *NOT* do anything
|
|
you don't understand.
|
|
Remember that "ipfw flush" can solve all the problemms.
|
|
Also take in your mind that "ipfw policy deny" combined with
|
|
some wrong chain entry(possible the only entry which designed
|
|
to deny some external packets), can close your computer from
|
|
outer world for good.
|
|
|
|
.Sh HISTORY
|
|
Initially this utility was written for BSDI by:
|
|
Daniel Boulet <danny@BouletFermat.ab.ca>
|
|
The FreeBSD version is written completely by:
|
|
Ugen J.S.Antsilevich <ugen@NetVision.net.il>
|
|
while synopsis partially compatible with old one.
|