xref: /freebsd/sbin/ipfw/ipfw.8 (revision 0de89efe5c443f213c7ea28773ef2dc6cf3af2ed)
1.Dd July 20, 1996
2.Dt IPFW 8 SMM
3.Os FreeBSD
4.Sh NAME
5.Nm ipfw
6.Nd controlling utility for IP firewall
7.Sh SYNOPSIS
8.Nm
9.Ar file
10.Nm ipfw
11.Oo
12.Fl f
13|
14.Fl q
15.Oc
16flush
17.Nm ipfw
18.Oo
19.Fl q
20.Oc
21zero
22.Op Ar number ...
23.Nm ipfw
24delete
25.Ar number ...
26.Nm ipfw
27.Op Fl aftN
28list
29.Nm ipfw
30.Oo
31.Fl ftN
32.Oc
33show
34.Nm ipfw
35.Oo
36.Fl q
37.Oc
38add
39.Op Ar number
40.Ar action
41.Op log
42.Ar proto
43from
44.Ar src
45to
46.Ar dst
47.Op via Ar name | ipno
48.Op Ar options
49.Sh DESCRIPTION
50If used as shown in the first synopsis line, the
51.Ar file
52will be read line by line and applied as arguments to the
53.Nm
54command.
55.Pp
56The
57.Nm
58code works by going through the rule-list for each packet,
59until a match is found.
60All rules have two associated counters, a packet count and
61a byte count.
62These counters are updated when a packet matches the rule.
63.Pp
64The rules are ordered by a ``line-number'' from 1 to 65534 that is used
65to order and delete rules. Rules are tried in increasing order, and the
66first rule that matches a packet applies.
67Multiple rules may share the same number and apply in
68the order in which they were added.
69.Pp
70If a rule is added without a number, it is numbered 100 higher
71than the previous rule. If the highest defined rule number is
72greater than 65534, new rules are appended to the last rule.
73.Pp
74The delete operation deletes the first rule with number
75.Ar number ,
76if any.
77.Pp
78The list command prints out the current rule set.
79.Pp
80The show command is equivalent to `ipfw -a list'.
81.Pp
82The zero operation zeroes the counters associated with rule number
83.Ar number .
84.Pp
85The flush operation removes all rules.
86.Pp
87One rule is always present:
88.Bd -literal -offset center
8965535 deny all from any to any
90.Ed
91.Pp
92This rule is the default policy, i.e., don't allow anything at all.
93Your job in setting up rules is to modify this policy to match your
94needs.
95.Pp
96However, if the kernel option
97.Dq IPFIREWALL_DEFAULT_TO_ACCEPT
98is active, the rule is instead:
99.Bd -literal -offset center
10065535 allow all from any to any
101.Ed
102.Pp
103This variation lets everything pass through.  This option should only be
104activated in particular circumstances, such as if your you use the firewall
105system as an on-demand denial-of-service filter that is normally wide open.
106.Pp
107The following options are available:
108.Bl -tag -width flag
109.It Fl a
110While listing, show counter values.  See also ``show'' command.
111.It Fl f
112Don't ask for confirmation for commands that can cause problems if misused
113(ie; flush).
114.Ar Note ,
115if there is no tty associated with the process, this is implied.
116.It Fl q
117While adding or flushing, be quiet about actions (implies '-f').  This is
118useful for adjusting rules by executing multiple ipfw commands in a script
119(e.g. sh /etc/rc.firewall), or by processing a file of many ipfw rules,
120across a remote login session.  If a flush is performed in normal
121(verbose) mode (with the default kernel configuration), it prints a message.
122Because all rules are flushed, the
123message cannot be delivered to the login session, the login session is
124closed and the remainder of the ruleset is not processed.  Access to the
125console is required to recover.
126.It Fl t
127While listing, show last match timestamp.
128.It Fl N
129Try to resolve addresses and service names in output.
130.El
131.Pp
132.Ar action :
133.Bl -hang -offset flag -width 1234567890123456
134.It Ar allow
135Allow packets that match rule.
136The search terminates. Aliases are
137.Ar pass ,
138.Ar permit ,
139and
140.Ar accept .
141.It Ar deny
142Discard packets that match this rule.
143The search terminates.
144.Ar Drop
145is an alias for
146.Ar deny .
147.It Ar reject
148(Deprecated.) Discard packets that match this rule, and try to send an ICMP
149host unreachable notice.
150The search terminates.
151.It Ar unreach code
152Discard packets that match this rule, and try to send an ICMP
153unreachable notice with code
154.Ar code ,
155where
156.Ar code
157is a number from zero to 255, or one of these aliases:
158.Ar net ,
159.Ar host ,
160.Ar protocol ,
161.Ar port ,
162.Ar needfrag ,
163.Ar srcfail ,
164.Ar net-unknown ,
165.Ar host-unknown ,
166.Ar isolated ,
167.Ar net-prohib ,
168.Ar host-prohib ,
169.Ar tosnet ,
170.Ar toshost ,
171.Ar filter-prohib ,
172.Ar host-precedence ,
173or
174.Ar precedence-cutoff .
175The search terminates.
176.It Ar reset
177TCP packets only. Discard packets that match this rule,
178and try to send a TCP reset (RST) notice.
179The search terminates.
180.It Ar count
181Update counters for all packets that match rule.
182The search continues with the next rule.
183.It Ar divert port
184Divert packets that match this rule to the
185.Xr divert 4
186socket bound to port
187.Ar port .
188The search terminates.
189.It Ar tee port
190Send a copy of packets matching this rule to the
191.Xr divert 4
192socket bound to port
193.Ar port .
194The search continues with the next rule.
195.It Ar skipto number
196Skip all subsequent rules numbered less than
197.Ar number .
198The search continues with the first rule numbered
199.Ar number
200or higher.
201.El
202.Pp
203If a packet matches more than one
204.Ar divert
205and/or
206.Ar tee
207rule, all but the last are ignored.
208.Pp
209If the kernel was compiled with
210.Dv IPFIREWALL_VERBOSE ,
211then when a packet matches a rule with the ``log''
212keyword a message will be printed on the console.
213If the kernel was compiled with the
214.Dv IPFIREWALL_VERBOSE_LIMIT
215option, then logging will cease after the number of packets
216specified by the option are received for that particular
217chain entry.  Logging may then be re-enabled by clearing
218the packet counter for that entry.
219.Pp
220Console logging and the log limit are adjustable dynamically
221through the
222.Xr sysctl 8
223interface.
224.Pp
225.Ar proto :
226.Bl -hang -offset flag -width 1234567890123456
227.It Ar ip
228All packets match. The alias
229.Ar all
230has the same effect.
231.It Ar tcp
232Only TCP packets match.
233.It Ar udp
234Only UDP packets match.
235.It Ar icmp
236Only ICMP packets match.
237.It Ar <number|name>
238Only packets for the specified protocol matches (see
239.Pa /etc/protocols
240for a complete list).
241.El
242.Pp
243.Ar src
244and
245.Ar dst :
246.Bl -hang -offset flag
247.It Ar <address/mask>
248.Op Ar ports
249.El
250.Pp
251The
252.Em <address/mask>
253may be specified as:
254.Bl -hang -offset flag -width 1234567890123456
255.It Ar ipno
256An ipnumber of the form 1.2.3.4.
257Only this exact ip number match the rule.
258.It Ar ipno/bits
259An ipnumber with a mask width of the form 1.2.3.4/24.
260In this case all ip numbers from 1.2.3.0 to 1.2.3.255 will match.
261.It Ar ipno:mask
262An ipnumber with a mask width of the form 1.2.3.4:255.255.240.0.
263In this case all ip numbers from 1.2.0.0 to 1.2.15.255 will match.
264.El
265.Pp
266The sense of the match can be inverted by preceding an address with the
267``not'' modifier, causing all other addresses to be matched instead. This
268does not affect the selection of port numbers.
269.Pp
270With the TCP and UDP protocols, optional
271.Em ports
272may be specified as:
273.Pp
274.Bl -hang -offset flag
275.It Ns {port|port-port} Ns Op ,port Ns Op ,...
276.El
277.Pp
278Service names (from
279.Pa /etc/services )
280may be used instead of numeric port values.
281A range may only be specified as the first value,
282and the length of the port list is limited to
283.Dv IP_FW_MAX_PORTS
284(as defined in
285.Pa /usr/src/sys/netinet/ip_fw.h )
286ports.
287.Pp
288Rules can apply to packets when they are incoming, or outgoing, or both.
289The
290.Ar in
291keyword indicates the rule should only match incoming packets.
292The
293.Ar out
294keyword indicates the rule should only match outgoing packets.
295.Pp
296To match packets going through a certain interface, specify
297the interface using
298.Ar via :
299.Bl -hang -offset flag -width 1234567890123456
300.It Ar via ifX
301Packet must be going through interface
302.Ar ifX.
303.It Ar via if*
304Packet must be going through interface
305.Ar ifX ,
306where X is any unit number.
307.It Ar via any
308Packet must be going through
309.Em some
310interface.
311.It Ar via ipno
312Packet must be going through the interface having IP address
313.Ar ipno .
314.El
315.Pp
316The
317.Ar via
318keyword causes the interface to always be checked.
319If
320.Ar recv
321or
322.Ar xmit
323is used instead of
324.Ar via ,
325then the only receive or transmit interface (respectively) is checked.
326By specifying both, it is possible to match packets based on both receive
327and transmit interface, e.g.:
328.Pp
329.Dl "ipfw add 100 deny ip from any to any out recv ed0 xmit ed1"
330.Pp
331The
332.Ar recv
333interface can be tested on either incoming or outgoing packets, while the
334.Ar xmit
335interface can only be tested on outgoing packets. So
336.Ar out
337is required (and
338.Ar in
339invalid) whenver
340.Ar xmit
341is used. Specifying
342.Ar via
343together with
344.Ar xmit
345or
346.Ar recv
347is invalid.
348.Pp
349A packet may not have a receive or transmit interface: packets originating
350from the local host have no receive interface. while packets destined for
351the local host have no transmit interface.
352.Pp
353Additional
354.Ar options :
355.Bl -hang -offset flag -width 1234567890123456
356.It frag
357Matches if the packet is a fragment and this is not the first fragment
358of the datagram.
359.It in
360Matches if this packet was on the way in.
361.It out
362Matches if this packet was on the way out.
363.It ipoptions Ar spec
364Matches if the IP header contains the comma separated list of
365options specified in
366.Ar spec .
367The supported IP options are:
368.Ar ssrr
369(strict source route),
370.Ar lsrr
371(loose source route),
372.Ar rr
373(record packet route), and
374.Ar ts
375(timestamp).
376The absence of a particular option may be denoted
377with a ``!''.
378.It established
379Matches packets that have the RST or ACK bits set.
380TCP packets only.
381.It setup
382Matches packets that have the SYN bit set but no ACK bit.
383TCP packets only.
384.It tcpflags Ar spec
385Matches if the TCP header contains the comma separated list of
386flags specified in
387.Ar spec .
388The supported TCP flags are:
389.Ar fin ,
390.Ar syn ,
391.Ar rst ,
392.Ar psh ,
393.Ar ack ,
394and
395.Ar urg .
396The absence of a particular flag may be denoted
397with a ``!''.
398.It icmptypes Ar types
399Matches if the ICMP type is in the list
400.Ar types .
401The list may be specified as any combination of ranges
402or individual types separated by commas.
403.El
404.Sh CHECKLIST
405Here are some important points to consider when designing your
406rules:
407.Bl -bullet -hang -offset flag
408.It
409Remember that you filter both packets going in and out.
410Most connections need packets going in both directions.
411.It
412Remember to test very carefully.
413It is a good idea to be near the console when doing this.
414.It
415Don't forget the loopback interface.
416.El
417.Sh FINE POINTS
418There is one kind of packet that the firewall will always discard,
419that is an IP fragment with a fragment offset of one.
420This is a valid packet, but it only has one use, to try to circumvent
421firewalls.
422.Pp
423If you are logged in over a network, loading the LKM version of
424.Nm
425is probably not as straightforward as you would think.
426I recommend this command line:
427.Bd -literal -offset center
428modload /lkm/ipfw_mod.o && \e
429ipfw add 32000 allow all from any to any
430.Ed
431.Pp
432Along the same lines, doing an
433.Bd -literal -offset center
434ipfw flush
435.Ed
436.Pp
437in similar surroundings is also a bad idea.
438.Sh PACKET DIVERSION
439A divert socket bound to the specified port will receive all packets diverted
440to that port; see
441.Xr divert 4 .
442If no socket is bound to the destination port, or if the kernel
443wasn't compiled with divert socket support, diverted packets are dropped.
444.Sh EXAMPLES
445This command adds an entry which denies all tcp packets from
446.Em hacker.evil.org
447to the telnet port of
448.Em wolf.tambov.su
449from being forwarded by the host:
450.Pp
451.Dl ipfw add deny tcp from hacker.evil.org to wolf.tambov.su 23
452.Pp
453This one disallows any connection from the entire hackers network to
454my host:
455.Pp
456.Dl ipfw addf deny all from 123.45.67.0/24 to my.host.org
457.Pp
458Here is a good usage of the list command to see accounting records
459and timestamp information:
460.Pp
461.Dl ipfw -at l
462.Pp
463or in short form without timestamps:
464.Pp
465.Dl ipfw -a l
466.Pp
467This rule diverts all incoming packets from 192.168.2.0/24 to divert port 5000:
468.Pp
469.Dl ipfw divert 5000 all from 192.168.2.0/24 to any in
470.Sh SEE ALSO
471.Xr divert 4 ,
472.Xr ip 4 ,
473.Xr ipfirewall 4 ,
474.Xr protocols 5 ,
475.Xr services 5 ,
476.Xr reboot 8 ,
477.Xr sysctl 8 ,
478.Xr syslogd 8
479.Sh BUGS
480.Pp
481.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
482.Pp
483This program can put your computer in rather unusable state. When
484using it for the first time, work on the console of the computer, and
485do
486.Em NOT
487do anything you don't understand.
488.Pp
489When manipulating/adding chain entries, service and protocol names are
490not accepted.
491.Pp
492Incoming packet fragments diverted by
493.Ar divert
494are reassembled before delivery to the socket, whereas fragments diverted via
495.Ar tee
496are not.
497.Pp
498Port aliases containing dashes cannot be first in a list.
499.Sh AUTHORS
500Ugen J. S. Antsilevich,
501Poul-Henning Kamp,
502Alex Nash,
503Archie Cobbs.
504API based upon code written by Daniel Boulet for BSDI.
505.Sh HISTORY
506.Nm
507first appeared in
508.Fx 2.0 .
509