1.Dd July 20, 1996 2.Dt IPFW 8 SMM 3.Os FreeBSD 4.Sh NAME 5.Nm ipfw 6.Nd controlling utility for IP firewall 7.Sh SYNOPSIS 8.Nm 9.Ar file 10.Nm ipfw 11flush 12.Nm ipfw 13zero 14.Op Ar number 15.Nm ipfw 16delete 17.Ar number 18.Nm ipfw 19.Op Fl aftN 20list 21.Nm ipfw 22add 23.Op Ar number 24.Ar action 25.Op Ar log 26.Ar proto 27from 28.Ar src 29to 30.Ar dst 31.Oo 32via 33.Ar name | ipno 34.Oc 35.Op Ar options 36.Sh DESCRIPTION 37If used as shown in the first synopsis line, the 38.Ar file 39will be read line by line and applied as arguments to the 40.Nm 41command. 42.Pp 43The 44.Nm 45code works by going through the rule-list for each packet, 46until a match is found. 47All rules have two associated counters, a packet count and 48a byte count. 49These counters are updated when a packet matches the rule. 50.Pp 51The rules are ordered by a ``line-number'' from 1 to 65534 that is used 52to order and delete rules. Rules are tried in increasing order, and the 53first rule that matches a packet applies. 54Multiple rules may share the same number and apply in 55the order in which they were added. 56.Pp 57If a rule is added without a number, it numbered 100 higher 58than the previous rule. If the highest defined rule number is 59greater than 65434, new rules are appended to the last rule. 60.Pp 61The delete operation deletes the first rule with number 62.Ar number , 63if any. 64.Pp 65The list command prints out the current rule set. 66.Pp 67The zero operation zeroes the counters associated with rule number 68.Ar number . 69.Pp 70The flush operation removes all rules. 71.Pp 72One rule is always present: 73.Bd -literal -offset center 7465535 deny all from any to any 75.Ed 76.Pp 77This rule is the default policy, i.e., don't allow anything at all. 78Your job in setting up rules is to modify this policy to match your needs. 79.Pp 80The following options are available: 81.Bl -tag -width flag 82.It Fl a 83While listing, show counter values. This option is the only way to see 84accounting records. 85.It Fl f 86Don't ask for confirmation for commands that can cause problems if misused 87(ie; flush). 88.Ar Note , 89if there is no tty associated with the process, this is implied. 90.It Fl t 91While listing, show last match timestamp. 92.It Fl N 93Try to resolve addresses and service names in output. 94.El 95.Pp 96.Ar action : 97.Bl -hang -offset flag -width 1234567890123456 98.It Ar allow 99Allow packets that match rule. 100The search terminates. 101.It Ar pass 102Same as allow. 103.It Ar accept 104Same as allow. 105.It Ar count 106Update counters for all packets that match rule. 107The search continues with the next rule. 108.It Ar deny 109Discard packets that match this rule. 110The search terminates. 111.It Ar reject 112Discard packets that match this rule, and try to send an ICMP notice. 113The search terminates. 114.It Ar divert port 115Divert packets that match this rule to the divert socket bound to port 116.Ar port . 117The search terminates. 118.El 119.Pp 120When a packet matches a rule with the 121.Ar log 122keyword, a message will be printed on the console. 123If the kernel was compiled with the 124.Dv IP_FIREWALL_VERBOSE_LIMIT 125option, then logging will cease after the number of packets 126specified by the option are received for that particular 127chain entry. Logging may then be re-enabled by clearing 128the packet counter for that entry. 129.Pp 130.Ar proto : 131.Bl -hang -offset flag -width 1234567890123456 132.It Ar ip 133All packets match. 134.It Ar all 135All packets match. 136.It Ar tcp 137Only TCP packets match. 138.It Ar udp 139Only UDP packets match. 140.It Ar icmp 141Only ICMP packets match. 142.It Ar <number|name> 143Only packets for the specified protocol matches (see 144.Pa /etc/protocols 145for a complete list). 146.El 147.Pp 148.Ar src 149and 150.Ar dst : 151.Pp 152.Bl -hang -offset flag 153.It <address/mask> [ports] 154.El 155.Pp 156The 157.Em <address/mask> 158may be specified as: 159.Bl -hang -offset flag -width 1234567890123456 160.It Ar ipno 161An ipnumber of the form 1.2.3.4. 162Only this exact ip number match the rule. 163.It Ar ipno/bits 164An ipnumber with a mask width of the form 1.2.3.4/24. 165In this case all ip numbers from 1.2.3.0 to 1.2.3.255 will match. 166.It Ar ipno:mask 167An ipnumber with a mask width of the form 1.2.3.4:255.255.240.0. 168In this case all ip numbers from 1.2.0.0 to 1.2.15.255 will match. 169.El 170.Pp 171With the TCP and UDP 172.Em protocols , 173an optional 174.Em port 175may be specified as: 176.Pp 177.Bl -hang -offset flag 178.It Ns {port|port-port} Ns Op ,port Ns Op ,... 179.El 180.Pp 181Service names (from 182.Pa /etc/services ) 183may not be used instead of a numeric port value. 184Also, note that a range may only be specified as the first value, 185and the port list is limited to 186.Dv IP_FW_MAX_PORTS 187(as defined in 188.Pa /usr/src/sys/netinet/ip_fw.h ) 189ports. 190.Pp 191If ``via'' 192.Ar name 193is specified, only packets received via or on their way out of an interface 194matching 195.Ar name 196will match this rule. 197.Pp 198If ``via'' 199.Ar ipno 200is specified, only packets received via or on their way out of an interface 201having the address 202.Ar ipno 203will match this rule. 204.Pp 205.Ar options : 206.Bl -hang -offset flag -width 1234567890123456 207.It frag 208Matches if the packet is a fragment and this is not the first fragment 209of the datagram. 210.It in 211Matches if this packet was on the way in. 212.It out 213Matches if this packet was on the way out. 214.It ipoptions Ar spec 215Matches if the IP header contains the comma separated list of 216options specified in 217.Ar spec . 218The supported IP options are: 219.Ar ssrr 220(strict source route), 221.Ar lsrr 222(loose source route), 223.Ar rr 224(record packet route), and 225.Ar ts 226(timestamp). 227The absence of a particular option may be denoted 228with a ``!''. 229.It established 230Matches packets that have the RST or ACK bits set. 231TCP packets only. 232.It setup 233Matches packets that have the SYN bit set but no ACK bit. 234TCP packets only. 235.It tcpflags Ar spec 236Matches if the TCP header contains the comma separated list of 237flags specified in 238.Ar spec . 239The supported TCP flags are: 240.Ar fin , 241.Ar syn , 242.Ar rst , 243.Ar psh , 244.Ar ack , 245and 246.Ar urg . 247The absence of a particular flag may be denoted 248with a ``!''. 249.It icmptypes Ar types 250Matches if the ICMP type is in the list 251.Ar types . 252The list may be specified as any combination of ranges 253or individual types separated by commas. 254.El 255.Sh CHECKLIST 256Here are some important points to consider when designing your 257rules: 258.Bl -bullet -hang -offset flag 259.It 260Remember that you filter both packets going in and out. 261Most connections need packets going in both directions. 262.It 263Remember to test very carefully. 264It is a good idea to be near the console when doing this. 265.It 266Don't forget the loopback interface. 267.El 268.Sh FINE POINTS 269There is one kind of packet that the firewall will always discard, 270that is an IP fragment with a fragment offset of one. 271This is a valid packet, but it only has one use, to try to circumvent 272firewalls. 273.Pp 274If you are logged in over a network, loading the LKM version of 275.Nm 276is probably not as straightforward as you would think. 277I recommend this command line: 278.Bd -literal -offset center 279modload /lkm/ipfw_mod.o && \e 280ipfw add 32000 allow all from any to any 281.Ed 282.Pp 283Along the same lines, doing an 284.Bd -literal -offset center 285ipfw flush 286.Ed 287.Pp 288in similar surroundings is also a bad idea. 289.Sh PACKET DIVERSION 290A divert socket bound to the specified port will receive all packets diverted 291to that port; see 292.Xr divert 4 . 293If no socket is bound to the destination port, or if the kernel 294wasn't compiled with divert socket support, diverted packets are dropped. 295.Sh EXAMPLES 296This command adds an entry which denies all tcp packets from 297.Em hacker.evil.org 298to the telnet port of 299.Em wolf.tambov.su 300from being forwarded by the host: 301.Pp 302.Dl ipfw add deny tcp from hacker.evil.org to wolf.tambov.su 23 303.Pp 304This one disallows any connection from the entire hackers network to 305my host: 306.Pp 307.Dl ipfw addf deny all from 123.45.67.0/24 to my.host.org 308.Pp 309Here is good usage of list command to see accounting records: 310.Pp 311.Dl ipfw -at l 312.Pp 313or in short form 314.Pp 315.Dl ipfw -a l 316.Pp 317This rule diverts all incoming packets from 192.168.2.0/24 to divert port 5000: 318.Pp 319.Dl ipfw divert 5000 all from 192.168.2.0/24 to any in 320.Sh SEE ALSO 321.Xr divert 4 , 322.Xr ip 4 , 323.Xr ipfirewall 4 , 324.Xr protocols 5 , 325.Xr services 5 , 326.Xr reboot 8 , 327.Xr syslogd 8 328.Sh BUGS 329.Pp 330.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!! 331.Pp 332This program can put your computer in rather unusable state. When 333using it for the first time, work on the console of the computer, and 334do 335.Em NOT 336do anything you don't understand. 337.Pp 338When manipulating/adding chain entries, service and protocol names are 339not accepted. 340.Sh AUTHORS 341Ugen J. S. Antsilevich, 342Poul-Henning Kamp, 343Alex Nash, 344Archie Cobbs. 345API based upon code written by Daniel Boulet for BSDI. 346.Sh HISTORY 347.Nm 348first appeared in 349.Fx 2.0 . 350