.Dd November 16, 1994
.Dt IPFW 8
.Os
.Sh NAME
ipfw - controlling utility for ipfw/ipacct facilities.

.Sh SYNOPSIS

 ipfw [-vn] <entry-action> <chain entry pattern>
 ipfw [-vn] <check-action> <packet pattern>
 ipfw [-vn] <chain-action> <chain[s] type>

.Sh DESCRIPTION
 In the first synopsis form, the ipfw utility allows adding/removing of
entries of blocking/forwarding/accounting chains.
 In the second synopsis form, the ipfw utility checks whether a given
IP packet type is accepted or denied by a blocking/forwarding firewall.
 In the third synopsis form, the ipfw utility allows global actions
on chains: zeroing of counters, and flushing or listing of chain entries
and their counter values.

The following options are available:

-v be verbose. The meaning of this option varies depending on ipfw
   usage.

-n do not resolve anything. When setting entries, do not try to resolve
   a given address. When listing, display addresses in numeric form.

These are <entry-actions>:

 addb[locking] - add entry to blocking firewall.
 delb[locking] - remove entry from blocking firewall.
 addf[orwarding] - add entry to forwarding firewall.
 delf[orwarding] - remove entry from forwarding firewall.
 adda[ccounting] - add entry to accounting chain.
 dela[ccounting] - remove entry from accounting chain.

These are <check-actions>:
 checkb[locking] - check packet against blocking firewall.
 checkf[orwarding] - check packet against forwarding firewall.

These are <chain-actions>:
 f[lush] - remove all entries in firewall/accounting chains.
 l[ist] - show all entries in blocking/forwarding/accounting chains.
 z[ero] - clear chain counters (for now accounting only).
 p[olicy] - define default firewall policy.

 The <chain-entry pattern> is built like this:
 For forwarding/blocking chains:
 d[eny] <proto/addr pattern>
 a[ccept] <proto/addr pattern>
 For accounting chain:
 s[ingle] <proto/addr pattern>
 b[idirectional] <proto/addr pattern>

 The <proto/addr pattern> is:
 all|icmp from <src addr/mask> to <dst addr/mask>
 tcp|udp from <src addr/mask> [ports] to <dst addr/mask> [ports]

 <src addr/mask>:
 <INET IP addr | domain name> [/mask bits | :mask pattern]
 [ports]:
 [ port,port....|port:port] where the name of a service can be
 used instead of the numeric port value.

When an entry is added to a chain and the -v option is used, the entry
is added with the PRN flag set.

The <packet pattern> is built exactly like the <chain-entry pattern>.

 The l[ist] command may be passed:
f[orwarding]|b[locking]|a[ccounting] to list a specific chain, or nothing
to list all of them. Option -v causes the output format to change so that
packet/byte counters are printed. The standard output format is fully
suitable to be used as a <chain-entry pattern>.

 The f[lush] command may be passed:
f[irewall]|a[ccounting] to remove all entries from the forwarding/blocking
chains or from the accounting chain. No argument removes all chain entries.

 The z[ero] command needs no arguments; all counters of the accounting
chain are zeroed.

 The p[olicy] command accepts a[ccept]|d[eny] to define the default policy
as accepting/denying. With no arguments the current default policy is displayed.

.Sh EXAMPLES

 This command adds an entry which denies all tcp packets from
hacker.evil.org to the telnet port of wolf.tambov.su from being
forwarded by the host:
 ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet

 This one disallows any connection from the entire hackers' network
to my host:
 ipfw addb deny all from 123.45.67.8/24 to my.host.org

 Here is a useful usage of the l[ist] command to see accounting records:
 ipfw -v list accounting (or in short form ipfw -v l a ).
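 As an added illustration (not part of this manual page or the ipfw sources), the following Python code parses the <proto/addr pattern> grammar above and evaluates a packet against a chain the way a checkb query would, with the default policy applied when nothing matches. First-match-wins ordering, the SERVICES table and the sample chain are assumptions made for the example, not something this manual states.

```python
# Added example, not from the ipfw manual or sources: parse the <proto/addr pattern>
# grammar above and evaluate a packet against a chain as a 'checkb' query would.
# First-match-wins order and the SERVICES table are assumptions for illustration.
import ipaddress

SERVICES = {"telnet": 23, "smtp": 25, "http": 80}  # constructed service-name table

def parse_ports(spec):
    """'23,25' -> {23, 25}; '1024:1026' -> {1024, 1025, 1026}; names allowed."""
    port = lambda p: SERVICES[p] if p in SERVICES else int(p)
    if ":" in spec:
        lo, hi = spec.split(":")
        return set(range(port(lo), port(hi) + 1))
    return {port(p) for p in spec.split(",")}

def parse_addr(spec):
    """'/mask bits' or ':mask pattern'; host bits under the mask are dropped,
    so 123.45.67.8/24 (the manual's example) means the network 123.45.67.0/24."""
    return ipaddress.ip_network(spec.replace(":", "/"), strict=False)

def parse_entry(text):
    """'deny tcp from 1.2.3.0/24 to 10.0.0.1 telnet' -> dict of match fields."""
    toks = text.split()
    if len(toks) < 6 or toks[2] != "from" or "to" not in toks:
        raise ValueError("expected: <action> <proto> from <addr> [ports] to <addr> [ports]")
    action, proto, to = toks[0][0], toks[1], toks.index("to")
    sports = parse_ports(toks[4]) if to > 4 else None
    dports = parse_ports(toks[to + 2]) if len(toks) > to + 2 else None
    if proto not in ("tcp", "udp") and (sports or dports):
        raise ValueError("ports are only valid with tcp|udp")
    return {"action": action, "proto": proto, "src": parse_addr(toks[3]),
            "sports": sports, "dst": parse_addr(toks[to + 1]), "dports": dports}

def matches(e, pkt):
    """pkt = (proto, src_ip, src_port, dst_ip, dst_port)."""
    proto, src, sport, dst, dport = pkt
    return (e["proto"] in ("all", proto)
            and ipaddress.ip_address(src) in e["src"] and ipaddress.ip_address(dst) in e["dst"]
            and (e["sports"] is None or sport in e["sports"])
            and (e["dports"] is None or dport in e["dports"]))

def check(chain, pkt, policy="accept"):
    """First matching entry decides; otherwise the default policy ('ipfw policy')."""
    for e in chain:
        if matches(e, pkt):
            return "accept" if e["action"] == "a" else "deny"
    return policy

# Constructed sample chain: the manual's second example with a numeric host address.
CHAIN = [parse_entry("deny all from 123.45.67.8/24 to 10.0.0.1"),
         parse_entry("deny tcp from 0.0.0.0/0 to 10.0.0.1 telnet")]
```

 Note that with "ipfw policy deny" a chain holding only deny entries, like CHAIN above, leaves nothing accepted, which is the failure mode the BUGS section warns about.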

 Many more examples can be found in the files:
 /usr/share/misc/ipfw.samp.filters
 /usr/share/misc/ipfw.samp.scripts

.Sh SEE ALSO
ipfirewall(4), ipaccounting(4), reboot(8)

.Sh BUGS
 WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
 This program can put your computer in a rather unusable state.
The first time, try using it from the console and do *NOT* do anything
you don't understand.
 Remember that "ipfw flush" can solve all the problems.
Also keep in mind that "ipfw policy deny" combined with
some wrong chain entry (possibly the only entry, one designed
to deny some external packets) can close your computer off from the
outer world for good.
 Apart from misuse, the only known bug is that an entry added
with the -v option set must be deleted with the same option,
but there is no way to see this in the list command.

.Sh HISTORY
 Initially this utility was written for BSDI by:
 Daniel Boulet <danny@BouletFermat.ab.ca>
 The FreeBSD version is written completely by:
 Ugen J.S.Antsilevich <ugen@NetVision.net.il>
 while the synopsis is partially compatible with the old one.