.Dd February 24, 1996
.Dt IPFW 8 SMM
.Os FreeBSD
.Sh NAME
.Nm ipfw
.Nd controlling utility for IP firewall
.Sh SYNOPSIS
.Nm ipfw
.Ar file
.Nm ipfw
flush
.Nm ipfw
zero
.Nm ipfw
delete
.Ar number
.Nm ipfw
.Oo
.Fl aN
.Oc
list
.Nm ipfw
add
.Oo
.Ar number
.Oc
.Ar action
.Oo
log
.Oc
.Ar proto
from
.Ar src
to
.Ar dst
.Oo
via
.Ar name|ipno
.Oc
.Oo
.Ar options
.Oc
.Sh DESCRIPTION
If used as shown in the first synopsis line, the
.Ar file
will be read line by line and applied as arguments to the
.Nm ipfw
command.
.Pp
The ipfw code works by going through the rule-list for each packet,
until a match is found.
All rules have two counters associated with them, a packet count and
a byte count.
These counters are updated when a packet matches the rule.
.Pp
The rules are ordered by a ``line-number'' that is used to order and
delete rules.
If a rule is added without a number, it is put at the end, just before
the terminal ``policy-rule'', and numbered 100 higher than the previous
rule.
.Pp
One rule is always present:
.Bd -literal -offset center
65535 deny all from any to any
.Ed

This rule is the default policy, i.e. don't allow anything at all.
Your job in setting up rules is to modify this policy to match your
needs.
.Pp
The following options are available:
.Bl -tag -width flag
.It Fl a
While listing, show counter values.
This option is the only way to see accounting records.
.It Fl N
Try to resolve addresses.
.El
.Pp
.Ar action :
.Bl -hang -offset flag -width 1234567890123456
.It Nm accept
Accept packets that match the rule.
The search terminates.
.It Nm pass
Same as
.Nm accept .
.It Nm count
Update counters for all packets that match the rule.
The search continues with the next rule.
.It Nm deny
Discard packets that match this rule.
The search terminates.
.It Nm reject
Discard packets that match this rule, and try to send an ICMP notice.
The search terminates.
.El
.Pp
When a packet matches a rule with the
.Nm log
keyword, a message will be printed on the console.
.Pp
.Ar proto :
.Bl -hang -offset flag -width 1234567890123456
.It Nm ip
All packets match.
.It Nm all
All packets match.
.It Nm tcp
Only TCP packets match.
.It Nm udp
Only UDP packets match.
.It Nm icmp
Only ICMP packets match.
.El
.Pp
.Ar src
and
.Ar dst :
.Bl -hang -offset flag -width 1234567890123456
.It Ar ipno
An IP number of the form 1.2.3.4.
Only this exact IP number matches the rule.
.It Ar ipno/bits
An IP number with a mask width of the form 1.2.3.4/24.
In this case all IP numbers from 1.2.3.0 to 1.2.3.255 will match.
.It Ar ipno:mask
An IP number with a mask of the form 1.2.3.4:255.255.240.0.
In this case all IP numbers from 1.2.0.0 to 1.2.15.255 will match.
.El
.Pp
If ``via''
.Ar name
is specified, only packets received via or on their way out of an interface
matching
.Ar name
will match this rule.
.Pp
If ``via''
.Ar ipno
is specified, only packets received via or on their way out of an interface
having the address
.Ar ipno
will match this rule.
.Pp
.Ar options :
.Bl -hang -offset flag -width 1234567890123456
.It frag
Matches if the packet is a fragment and this is not the first fragment
of the datagram.
.It in
Matches if this packet was on the way in.
.It out
Matches if this packet was on the way out.
.It ipoptions Ar spec
Not yet documented.
Look in the source:
.Pa src/sys/netnet/ipfw.c .
.It established
Matches packets that do not have the SYN bit set.
TCP packets only.
.It setup
Matches packets that have the SYN bit set but no ACK bit.
TCP packets only.
.It tcpflags Ar spec
Not yet documented.
Look in the source:
.Pa src/sys/netnet/ipfw.c .
TCP packets only.
.El
.Sh CHECKLIST
Here are some important points to consider when designing your
rules:
.Bl -bullet -offset flag
.It
Remember that you filter both packets going in and out.
Most connections need packets going in both directions.
.It
Remember to test very carefully.
It is a good idea to be near the console when doing this.
.It
Don't forget the loopback interface.
.El
.Sh FINE POINTS
There is one kind of packet that the firewall will always discard,
that is an IP fragment with a fragment offset of one.
This is a valid packet, but it only has one use, to try to circumvent
firewalls.
.Pp
If you are logged in over a network, loading the LKM version of
.Nm
is probably not as straightforward as you would think.
I recommend this command line:
.Bd -literal -offset center
modload /lkm/ipfw_mod.o && \e
ipfw add 32000 allow all from any to any
.Ed

Along the same lines, doing a
.Bd -literal -offset center
ipfw flush
.Ed

in similar surroundings is also a bad idea.
.Sh WARNING
This manual page is out of date beyond this point!
It is left here until some new text can be written.
.Sh OLD
In the first synopsis form,
.Nm
controls the firewall and accounting chains.
In the second synopsis form,
.Nm
sets the global firewall / accounting properties and
shows the chain list's contents.
.Pp
These are the valid
.Ar entry_actions :
.Bl -hang -offset flag -width 1234567890123456
.It Nm addf[irewall]
Add an entry to the firewall chain.
.It Nm delf[irewall]
Remove an entry from the firewall chain.
.It Nm adda[ccounting]
Add an entry to the accounting chain.
.It Nm dela[ccounting]
Remove an entry from the accounting chain.
.It Nm clr[accounting]
Clear counters for an accounting chain entry.
.El
.Pp
If no
.Ar entry_action
is specified, it will default to
.Nm addf[irewall]
or
.Nm adda[ccounting] ,
depending on the
.Ar chain_entry_pattern
specified.
.Pp
The valid
.Ar chain_actions
are:
.Bl -hang -offset flag -width 123456789
.It Nm f[lush]
Remove all entries in the firewall / accounting chains.
.It Nm l[ist]
Display all entries in the firewall / accounting chains.
.It Nm z[ero]
Clear chain counters (accounting only).
.It Nm p[olicy]
Set default policy properties.
.El
.Pp
The
.Ar chain_entry_pattern
structure is:
.Pp
.Dl [keyword] [protocol] [address pattern]
.Pp
For the firewall chain, valid
.Em keywords
are:
.Bl -hang -offset flag -width 12345678
.It Nm reject
Reject the packet, and send an
.Tn ICMP HOST_UNREACHABLE
packet to the source.
.It Nm lreject
The same as
.Nm reject ,
but also log the packet's details.
.It Nm deny
Reject the packet.
.It Nm ldeny
The same as
.Nm deny ,
but also log the packet's details.
.It Nm log
Accept the packet, and log it.
.It Nm accept
Accept the packet (obviously).
.It Nm pass
A synonym for accept.
.El
.Pp
For the accounting chain, valid
.Em keywords
are:
.Bl -tag -width flag
.It Nm single
Log packets matching the entry.
.It Nm bidirectional
Log packets matching the entry and also those going in the
opposite direction (from
.Dq dst
to
.Dq src ) .
.El
.Pp
Each keyword will be recognized by the shortest unambiguous prefix.
.Pp
Recognized
.Em protocols
are:
.Bl -hang -offset flag -width 123456
.It Nm all
Matches any IP packet.
.It Nm icmp
Matches ICMP packets.
.It Nm tcp
Matches TCP packets.
.It Nm udp
Matches UDP packets.
.It Nm syn
Matches the TCP SYN packet used in initiating a TCP connection.
It does not match the packet returned from a destination machine which
has the SYN and ACK bits set.
.El
.Pp
The
.Em address pattern
is:
.Pp
.Dl from <address/mask>[ports] to <address/mask>[ports] [via <interface>]
.Pp
You can only specify
.Em ports
with
.Em protocols
which actually have ports (TCP, UDP and SYN).
.Pp
The order of the
.Sq from/to/via
keywords is unimportant.
You can skip any of them, in which case a default entry matching any
.Sq from/to/via
packet kind is substituted.
.Pp
The
.Em <address/mask>
is defined as:
.Pp
.Dl <address|name>[/mask_bits|:mask_pattern]
.Pp
.Em mask bits
is the decimal number of bits set in the address mask.
.Em mask pattern
has the form of an IP address to be logically AND'ed with the address
given.
The keyword
.Em any
can be used to specify
.Dq any IP .
The IP address or name given is
.Em NOT
checked, and a wrong value
causes the entry to not match anything.
.Pp
The
.Em ports
to be blocked are specified as:
.Dl Ns port Ns Op ,port Ns Op ,...
or:
.Dl port:port
.Pp
to specify a range of ports.
The name of a service (from
.Pa /etc/services )
can be used instead of
a numeric port value.
.Pp
The
.Em via <interface>
entry is optional and may specify the IP address or domain name of a local IP
interface, or an interface name (e.g.
.Em ed0 )
to match only packets coming
through this interface.
The keyword
.Em via
can be substituted by
.Em on ,
for readability reasons.
.Pp
The
.Em l[ist]
command may be passed:
.Pp
.Dl f[irewall] | a[ccounting]
.Pp
to list a specific chain, or none to list all chains.
The long output
format (default) is compatible with the syntax used by the
.Nm
utility.
.Pp
The
.Em f[lush]
command may be passed:
.Pp
.Dl f[irewall] | a[ccounting]
.Pp
to remove all entries from the firewall or from the accounting chain.
Without an argument it will remove all entries from both chains.
.Pp
The
.Em z[ero]
command needs no arguments.
This command clears all counters for the
entire accounting chain.
.Pp
The
.Em p[olicy]
command can be given
.Pp
.Dl a[ccept] | d[eny]
.Pp
to set the default policy to acceptance or denial.
Without an argument, the current policy status is displayed.
.Sh EXAMPLES
This command adds an entry which denies all tcp packets from
.Em hacker.evil.org
to the telnet port of
.Em wolf.tambov.su
from being forwarded by the host:
.Pp
.Dl ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet
.Pp
This one disallows any connection from the entire hackers network to
my host:
.Pp
.Dl ipfw addf deny all from 123.45.67.0/24 to my.host.org
.Pp
Here is a good usage of the list command to see accounting records:
.Pp
.Dl ipfw -sa list accounting
.Pp
or in short form
.Pp
.Dl ipfw -sa l a
.Pp
Many more examples can be found in the file:
.Dl Pa /usr/share/FAQ/ipfw.FAQ
(missing for the moment)
.Sh SEE ALSO
.Xr gethostbyname 3 ,
.Xr getservbyport 3 ,
.Xr ip 4 ,
.Xr ipfirewall 4 ,
.Xr ipaccounting 4 ,
.Xr reboot 8 ,
.Xr syslogd 8
.Sh BUGS
Currently there is no method for filtering out specific types of ICMP
packets.
Either you don't filter ICMP at all, or all ICMP packets are
filtered.
.Pp
The system has an optional rule weighting system for the firewall chain.
This means that rules are not used in the order that they are specified.
To enable this feature, you need to recompile your kernel; see the
.Em LINT
configuration for details.
In general you do not want that.
.Pp
To see what rule ordering is used, use the
.Em list
command.
.Pp
.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
.Pp
This program can put your computer in a rather unusable state.
When using it for the first time, work on the console of the computer, and
do
.Em NOT
do anything you don't understand.
.Pp
Remember that
.Dq ipfw flush
can solve all the problems.
Bear in mind that
.Dq ipfw policy deny
combined with some wrong chain entry (possibly the only entry, which
is designed to deny some external packets), can close your computer
off from the outer world for good (or at least until you can get to the
console).
.Sh HISTORY
Initially this utility was written for BSDI by:
.Pp
.Dl Daniel Boulet <danny@BouletFermat.ab.ca>
.Pp
The FreeBSD version is written completely by:
.Pp
.Dl Ugen J.S.Antsilevich <ugen@FreeBSD.ORG>
.Pp
while the synopsis is partially compatible with the old one.
.Pp
This has all been extensively rearranged by Poul-Henning Kamp.
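The rule-list semantics described in DESCRIPTION (rules walked in line-number order, the first matching rule other than count ending the search, the two per-rule counters, the always-present 65535 deny policy, and the ipno, ipno/bits and ipno:mask address forms) as an added Python model. This is example code written for this page, not part of the ipfw utility or the FreeBSD sources; the class and function names are our own, and the via and options keywords are not modelled.

```python
"""Model of the ipfw rule list (added example, not ipfw's own code).
Covers addresses ipno, ipno/bits, ipno:mask, 'any'; protos ip/all/tcp/udp/icmp;
actions accept/pass/count/deny/reject.  All names here are our own."""
import ipaddress
from dataclasses import dataclass

def parse_addr(spec):
    """Return an IPv4Network for ipno, ipno/bits, ipno:mask or 'any'."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    # ipno:mask uses a colon before the dotted mask; ipaddress wants a slash.
    return ipaddress.ip_network(spec.replace(":", "/"), strict=False)

@dataclass
class Rule:
    number: int
    action: str              # accept | pass | count | deny | reject
    proto: str               # ip | all | tcp | udp | icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    packets: int = 0         # the two counters every rule carries
    bytes: int = 0

class RuleList:
    POLICY = 65535           # the terminal policy rule, always present

    def __init__(self):
        any_ = parse_addr("any")
        self.rules = [Rule(self.POLICY, "deny", "all", any_, any_)]

    def add(self, text, number=None):
        """'add [number] action proto from src to dst' (options not modelled)."""
        action, proto, _from, src, _to, dst = text.split()
        if number is None:   # unnumbered: 100 higher than the previous rule
            prev = [r.number for r in self.rules if r.number != self.POLICY]
            number = (max(prev) if prev else 0) + 100
        self.rules.append(Rule(number, action, proto, parse_addr(src), parse_addr(dst)))
        self.rules.sort(key=lambda r: r.number)
        return number

    def check(self, proto, src, dst, length):
        """Walk the list in number order; return the action that ended the search."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:
            if r.proto not in ("ip", "all", proto) or src not in r.src or dst not in r.dst:
                continue
            r.packets += 1           # both counters update on every match
            r.bytes += length
            if r.action != "count":  # count keeps searching; anything else terminates
                return "accept" if r.action == "pass" else r.action
```

Because the 65535 policy rule matches everything, `check` always returns an action; a list with no accept rule denies every packet, exactly as the DESCRIPTION warns.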