xref: /freebsd/sbin/ipfw/ipfw.8 (revision 17ee9d00bc1ae1e598c38f25826f861e4bc6c3ce) 
1.Dd November 16, 1994
2.Dt IPFW 8
3.Os
4.Sh NAME
5ipfw - controlling utility for ipfw/ipacct facilities.
6
7.Sh SYNOPSIS
8
9 ipfw [-n]   <entry-action>  <chain entry pattern>
10 ipfw [-ans] <chain-action>  <chain[s] type>
11
12.Sh DESCRIPTION
13 In the first synopsis form, the ipfw utility allows control of firewall
14and accounting chains.
15 In the second synopsis form, the ipfw utility allows setting of global
16firewall/accounting properties and listing of chain contents.
17
18The following options are available:
19
20-a   While listing,show counter values-this option is the only way to
21     see accounting records.Works only with -s.
22
23-n   Do not resolve anything.  When setting entries, do not try to resolve
24     a given address.   When listing, display addresses in numeric form.
25
26-s   Short listing form.By default listing format is compatible with ipfw
27     input string format,so you can save listings to file and then reuse
28     them. With this option list format is much more short but
29     incompatible with ipfw syntacs.
30
31These are <entry-actions>:
32
33  addf[irewall] - add entry to firewall chain.
34  delf[irewall] - remove entry from firewall chain.
35  adda[ccounting] - add entry to accounting chain.
36  dela[ccounting] - remove entry from accounting chain.
37  clr[accounting] - clear counters for accounting chain entry.
38
39These are <chain-actions>:
40  f[lush] - remove all entries in firewall/accounting chains.
41  l[ist] - show all entries in firewall/accounting chains.
42  z[ero] - clear chain counters(accounting only).
43  p[olicy] - set default policy properties.
44
45This is <chain-entry pattern> structure:
46 For forwarding/blocking chains:
47  vr[eject] <proto/addr pattern>    reject packet,send ICMP unreachable and log.
48  r[eject]  <proto/addr pattern>    reject packet,send ICMP unreachable.
49  vd[eny]   <proto/addr pattern>    reject packet,log it.
50  d[eny]    <proto/addr pattern>    reject packet.
51  l[og]     <proto/addr pattern>    allow packet,log it.
52  va[ccept] <proto/addr pattern>    allow packet,log it.
53  a[ccept]  <proto/addr pattern>    allow packet.
54 For accounting chain:
55  s[ingle]        <proto/addr pattern>   log packets matching entry.
56  b[idirectional] <proto/addr pattern>   log packets matching entry and
57                  those going in opposite direction (from entry
58                  "dst" to "src").
59
60The <proto/addr pattern> is:
61 all|icmp     from <src addr/mask>        to <dst addr/mask>       [via <addr>]
62 tcp[syn]|udp from <src addr/mask>[ports] to <dst addr/mask>[ports][via <addr>]
63 all matches any IP packet.
64 icmp,tcp and udp - packets for corresponding protocols.
65 tcpsyn - tcp SYN packets (which used when initiating connection).
66
67The <src addr/mask>:
68 <INET IP addr | domain name> [/mask bits | :mask pattern]
69  Mask bits is a decimal number of bits set in the address  mask.
70  Mask pattern has form of IP address and AND'ed logically with address given.
71 [ports]: [ port,port....|port:port]
72  Name of service can be used instead of port numeric value.
73
74The via <addr> is optional and may specify IP address/name of one of local
75 IP interfaces to match only packets coming through it.The IP given is NOT
76 checked,and wrong value of IP causes entry to not match anything.
77
78To l[ist] command may be passed:
79 f[irewall] | a[ccounting] to list specific chain or none to list
80all of chains.Long output format compatible with utility input syntacs.
81
82To f[lush] command may be passed:
83 f[irewall] | a[ccounting] to remove all entries from firewall or
84from accounting chain.Without arguments removes all chain entries.
85
86To z[ero] command no arguments needed,this command clears counters for
87whole accounting chain.
88
89The p[olicy] command can be given a[ccept]|d[eny] to set  default policy
90as denial/accepting.Without arguments current default policy displayed.
91
92.Sh EXAMPLES
93
94 This command add entry which denies all tcp packets from
95hacker.evil.org to telnet port of wolf.tambov.su from being
96forwarded by the host:
97  ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet
98
99 This one disallows any connection from entire hackers network
100to my host:
101  ipfw addf deny all from 123.45.67.8/24 to my.host.org
102
103 Here is good usage of list command to see accounting records:
104  ipfw -sa list accounting (or in short form ipfw -sa l a ).
105
106 Much more examples can be found in files:
107  /usr/share/FAQ/ipfw.FAQ (missing for the moment)
108
109.Sh SEE ALSO
110ip(4),ipfirewall(4),ipaccounting(4),reboot(8)
111
112.Sh BUGS
113 WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
114 This programm can put your computer in rather unusable state.
115First time try using it from console and do *NOT* do anything
116you don't understand.
117 Remember that "ipfw flush" can solve all the problemms.
118Also take in your mind that "ipfw policy deny" combined with
119some wrong chain entry(possible the only entry which designed
120to deny some external packets), can close your computer from
121outer world for good.
122
123.Sh HISTORY
124 Initially this utility was written for BSDI by:
125  Daniel Boulet    <danny@BouletFermat.ab.ca>
126 The FreeBSD version is written completely by:
127  Ugen J.S.Antsilevich <ugen@NetVision.net.il>
128 while synopsis partially compatible with old one.
129