mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-30 15:38:06 +01:00
129 lines
4.6 KiB
Groff
129 lines
4.6 KiB
Groff
.Dd November 16, 1994
|
|
.Dt IPFW 8
|
|
.Os
|
|
.Sh NAME
|
|
ipfw - controlling utility for ipfw/ipacct facilities.
|
|
|
|
.Sh SYNOPSIS
|
|
|
|
ipfw [-vn] <entry-action> <chain entry pattern>
|
|
ipfw [-vn] <check-action> <packet pattern>
|
|
ipfw [-vn] <chain-action> <chain[s] type>
|
|
|
|
.Sh DESCRIPTION
|
|
In the first synopsis form, the ipfw utility allows adding/removing of
|
|
entries of blocking/forwarding/accounting chains.
|
|
In the second synopsis form, the ipfw utility checks whenever a given
|
|
IP packet type is accepted or denied by a blocking/forwarding firewall.
|
|
In the third synopsis form, the ipfw utility allows global actions
|
|
on chain-zeroing of counters, and flushing or listing of chain entries
|
|
and their counter values.
|
|
|
|
The following options are available:
|
|
|
|
-v be verbose. The meaning of this option varies depending on ipfw
|
|
usage.
|
|
|
|
-n do not resolve anything. When setting entries, do not try to resolve
|
|
a given address. When listing, display addresses in numeric form.
|
|
|
|
These are <entry-actions>:
|
|
|
|
addb[locking] - add entry to blocking firewall.
|
|
delb[locking] - remove entry from blocking firewall.
|
|
addf[orwarding] - add entry to forwarding firewall.
|
|
delf[orwarding] - remove entry from forwarding firewall.
|
|
adda[ccounting] - add entry to accounting chain.
|
|
dela[ccounting] - remove entry from accounting chain.
|
|
|
|
These are <check-actions>:
|
|
checkb[locking] - check packet against blocking firewall.
|
|
checkf[orwarding] - check packet against forwarding firewall.
|
|
|
|
These are <chain-actions>:
|
|
f[lush] - remove all entries in firewall/accounting chains.
|
|
l[ist] - show all entries in blocking/forwarding/accounting chains.
|
|
z[ero] - clear chain counters(for now accounting only).
|
|
p[olicy] - define default firewall policy.
|
|
|
|
The <chain-entry pattern> build like this:
|
|
For forwarding/blocking chains:
|
|
d[eny] <proto/addr pattern>
|
|
a[ccept] <proto/addr pattern>
|
|
For accounting chain:
|
|
s[ingle] <proto/addr pattern>
|
|
b[idirectional] <proto/addr pattern>
|
|
|
|
The <proto/addr pattern> is:
|
|
all|icmp from <src addr/mask> to <dst addr/mask>
|
|
tcp|udp from <src addr/mask> [ports] to <dst addr/mask> [ports]
|
|
|
|
<src addr/mask>:
|
|
<INET IP addr | domain name> [/mask bits | :mask pattern]
|
|
[ports]:
|
|
[ port,port....|port:port] where name of service can be
|
|
used instead of port numeric value.
|
|
|
|
When entry added to chain and -v option used,entry added with
|
|
PRN flag set.
|
|
|
|
The <packet pattern> build exactly like <chain-entry pattern>.
|
|
|
|
To l[ist] command may be passed:
|
|
f[orwarding]|b[locking]|a[ccounting] to list specific chain or none
|
|
to list all of them.Option -v causes output format to change so that
|
|
packet/bytes counters printed.Standart output format fully suitable
|
|
to be used as <chain-entry pattern>.
|
|
|
|
To f[lush] command may be passed:
|
|
f[irewall]|a[ccounting] to remove all entries from forwarding/blocking
|
|
chains or from accounting chain.No arguments removes all chain entries.
|
|
|
|
To z[ero] command no arguments needed,and all counters of accounting
|
|
chain zeroed.
|
|
|
|
To p[olicy] command accepts a[ccept]|d[eny] to define default policy
|
|
as denial/accepting.Withno arguments current default policy displayed.
|
|
|
|
.Sh EXAMPLES
|
|
|
|
This command add entry which denies all tcp packets from
|
|
hacker.evil.org to telnet port of wolf.tambov.su from being
|
|
forwarded by the host:
|
|
ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet
|
|
|
|
This one disallows any connection from entire hackers network
|
|
to my host:
|
|
ipfw addb deny all from 123.45.67.8/24 to my.host.org
|
|
|
|
Here is useful usage of lt] command to see accounting records:
|
|
ipfw -v list accounting (or in short form ipfw -v l a ).
|
|
|
|
Much more examples can be found in files:
|
|
/usr/share/misc/ipfw.samp.filters
|
|
/usr/share/misc/ipfw.samp.scripts
|
|
|
|
.Sh SEE ALSO
|
|
ipfirewall(4),ipaccounting(4),reboot(8)
|
|
|
|
.Sh BUGS
|
|
WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
|
|
This programm can put your computer in rather unusable state.
|
|
First time try using it from console and do *NOT* do anything
|
|
you don't understand.
|
|
Remember that "ipfw flush" can solve all the problemms.
|
|
Also take in your mind that "ipfw policy deny" combined with
|
|
some wrong chain entry(possible the only entry which designed
|
|
to deny some external packets) can close your computer from
|
|
outer world for good.
|
|
Besides of misuse the only known bug is that entry added
|
|
with -v option set should be deleted with same option,
|
|
but there is no way to see this in list command.
|
|
|
|
.Sh HISTORY
|
|
Initially this utility was written for BSDI by:
|
|
Daniel Boulet <danny@BouletFermat.ab.ca>
|
|
The FreeBSD version is written completely by:
|
|
Ugen J.S.Antsilevich <ugen@NetVision.net.il>
|
|
while synopsis partially compatible with old one.
|