xref: /freebsd/sbin/ipfw/ipfw.8 (revision 7f3dea244c40159a41ab22da77a434d7c5b5e85a)
1.\"
2.\" $FreeBSD$
3.\"
4.Dd July 20, 1996
5.Dt IPFW 8
6.Os FreeBSD
7.Sh NAME
8.Nm ipfw
9.Nd controlling utility for IP firewall
10.Sh SYNOPSIS
11.Nm ipfw
12.Op Fl q
13.Oo
14.Fl p Ar preproc
15.Op Fl D Ar macro Ns Op Ns =value
16.Op Fl U Ar macro
17.Oc
18.Ar file
19.Nm ipfw
20.Oo
21.Fl f
22|
23.Fl q
24.Oc
25flush
26.Nm ipfw
27.Oo
28.Fl q
29.Oc
30zero
31.Op Ar number ...
32.Nm ipfw
33.Oo
34.Fl q
35.Oc
36resetlog
37.Op Ar number ...
38.Nm ipfw
39delete
40.Ar number ...
41.Nm ipfw
42.Op Fl aftN
43list
44.Op Ar number ...
45.Nm ipfw
46.Oo
47.Fl ftN
48.Oc
49show
50.Op Ar number ...
51.Nm ipfw
52.Oo
53.Fl q
54.Oc
55add
56.Op Ar number
57.Op prob match_probability
58.Ar action
59.Op log Op Ar logamount Ar number
60.Ar proto
61from
62.Ar src
63to
64.Ar dst
65.Op via Ar name | ipno
66.Op Ar options
67.Sh DESCRIPTION
68If used as shown in the first synopsis line, the
69.Ar file
70will be read line by line and applied as arguments to the
71.Nm
72command.
73.Pp
74Optionally, a preprocessor can be specified using
75.Fl p Ar preproc
76where
77.Ar file
78is to be piped through.  Useful preprocessors include
79.Xr cpp 1
80and
81.Xr m4 1 .
82If
83.Ar preproc
84doesn't start with a slash as its first character, the usual
85.Ev PATH
86name search is performed.  Care should be taken with this in environments
87where not all filesystems are mounted (yet) by the time
88.Nm
89is being run (e. g. since they are mounted over NFS).  Once
90.Fl p
91has been specified, optional
92.Fl D
93and
94.Fl U
95specifications can follow and will be passed on to the preprocessor.
96This allows for flexible configuration files (like conditionalizing
97them on the local hostname) and the use of macros to centralize
98frequently required arguments like IP addresses.
99.Pp
100Each packet that has been received or is about to be sent goes through
101the
102.Nm
103rules. In the case of a host acting as a gateway, packets that are
104forwarded by the host are processed by
105.Nm
106twice
107.Po
108once when entering, and once when leaving
109.Pc .
110Each packet can be filtered based on the following information that is
111associated with it:
112.Pp
113.Bl -tag -offset indent -compact -width xxxx
114.It Receive Interface Pq Ar recv
115Interface over which the packet was received
116.It Transmit Interface Pq Ar xmit
117Interface over which the packet would be transmitted
118.It Incoming Pq Ar in
119Packet was just received
120.It Outgoing Pq Ar out
121Packet would be transmitted
122.It Source IP Address
123Sender's IP Address
124.It Destination IP Address
125Target's IP Address
126.It Protocol
127IP protocol, including but not limited to IP
128.Pq Ar ip ,
129UDP
130.Pq Ar udp ,
131TCP
132.Pq Ar tcp ,
133or
134ICMP
135.Pq Ar icmp
136.It Source Port
137Sender's UDP or TCP port
138.It Destination Port
139Target's UDP or TCP port
140.It Connection Setup Flag Pq Ar setup
141This packet is a request to setup a TCP connection
142.It Connection Established Flag Pq Ar established
143This packet is part of an established TCP connection
144.It All TCP Flags Pq Ar tcpflags
145One or more of the TCP flags: close connection
146.Pq Ar fin ,
147open connection
148.Pq Ar syn ,
149reset connection
150.Pq Ar rst ,
151push
152.Pq Ar psh ,
153acknowledgment
154.Pq Ar ack ,
155and
156urgent
157.Pq Ar urg
158.It Fragment Flag Pq Ar frag
159This packet is a fragment of an IP packet
160.It IP Options Pq Ar ipoptions
161One or more of the IP options: strict source route
162.Pq Ar ssrr ,
163loose source route
164.Pq Ar lsrr ,
165record route
166.Pq Ar rr ,
167and timestamp
168.Pq Ar ts
169.It ICMP Types Pq Ar icmptypes
170One or more of the ICMP types: echo reply
171.Pq Ar 0 ,
172destination unreachable
173.Pq Ar 3 ,
174source quench
175.Pq Ar 4 ,
176redirect
177.Pq Ar 5 ,
178echo request
179.Pq Ar 8 ,
180router advertisement
181.Pq Ar 9 ,
182router solicitation
183.Pq Ar 10 ,
184time-to-live exceeded
185.Pq Ar 11 ,
186IP header bad
187.Pq Ar 12 ,
188timestamp request
189.Pq Ar 13 ,
190timestamp reply
191.Pq Ar 14 ,
192information request
193.Pq Ar 15 ,
194information reply
195.Pq Ar 16 ,
196address mask request
197.Pq Ar 17 ,
198and address mask reply
199.Pq Ar 18
200.El
201.Pp
202Note that may be dangerous to filter on the source IP address or
203source TCP/UDP port because either or both could easily be spoofed.
204.Pp
205The
206.Nm
207code works by going through the rule-list for each packet
208until a match is found.
209All rules have two associated counters, a packet count and
210a byte count.
211These counters are updated when a packet matches the rule.
212.Pp
213If a rule has the optional
214.Dq prob match_probability
215specifier, where the match_probability is a floating point number
216between 0 and 1, a match is only declared with the specified
217probability. This can be useful for a number of applications
218such as random packet drop or (in conjunction with
219.Xr dummynet 4
220) to simulate the effect of multiple paths leading to out-of-order
221packet delivery.
222.Pp
223The rules are ordered by a
224.Dq line-number
225from 1 to 65534 that is used
226to order and delete rules. Rules are tried in increasing order, and the
227first rule that matches a packet applies.
228Multiple rules may share the same number and apply in
229the order in which they were added.
230.Pp
231If a rule is added without a number, it is numbered 100 higher than the highest
232defined rule number, unless the highest defined rule number is 65435 or
233greater, in which case new rules are given that same number.
234.Pp
235The delete operation deletes the first rule with number
236.Ar number ,
237if any.
238.Pp
239The list command prints out the current rule set.
240.Pp
241The show command is equivalent to
242.Sq ipfw -a list .
243.Pp
244The zero operation zeroes the counters associated with rule number
245.Ar number .
246.Pp
247The resetlog operation resets the logging counters associated with
248rule number
249.Ar number .
250.Pp
251The flush operation removes all rules.
252.Pp
253Any command beginning with a
254.Sq # ,
255or being all blank, is ignored.
256.Pp
257One rule is always present:
258.Bd -literal -offset center
25965535 deny all from any to any
260.Ed
261.Pp
262This rule is the default policy, i.e., don't allow anything at all.
263Your job in setting up rules is to modify this policy to match your
264needs.
265.Pp
266However, if the kernel option
267.Dq IPFIREWALL_DEFAULT_TO_ACCEPT
268is active, the rule is instead:
269.Bd -literal -offset center
27065535 allow all from any to any
271.Ed
272.Pp
273This variation lets everything pass through.  This option should only be
274activated in particular circumstances, such as if you use the firewall
275system as an on-demand denial-of-service filter that is normally wide open.
276.Pp
277The following options are available:
278.Bl -tag -width indent
279.It Fl a
280While listing, show counter values.  See also
281.Dq show
282command.
283.It Fl f
284Don't ask for confirmation for commands that can cause problems if misused
285(i.e. flush).
286.Ar Note ,
287if there is no tty associated with the process, this is implied.
288.It Fl q
289While adding, zeroing, resetlogging or flushing, be quiet about actions (implies
290.Fl f Ns ).
291This is useful for adjusting rules by executing multiple
292.Nm
293commands in a script
294.Po
295e.g.,
296.Sq sh /etc/rc.firewall
297.Pc ,
298or by processing a file of many
299.Nm
300rules,
301across a remote login session.  If a flush is performed in normal
302(verbose) mode (with the default kernel configuration), it prints a message.
303Because all rules are flushed, the
304message cannot be delivered to the login session.  This causes the
305remote login session to be closed and the remainder of the ruleset is
306not processed.  Access to the console is required to recover.
307.It Fl t
308While listing, show last match timestamp.
309.It Fl N
310Try to resolve addresses and service names in output.
311.El
312.Pp
313.Ar action :
314.Bl -hang -offset flag -width 1234567890123456
315.It Ar allow
316Allow packets that match rule.
317The search terminates. Aliases are
318.Ar pass ,
319.Ar permit ,
320and
321.Ar accept .
322.It Ar deny
323Discard packets that match this rule.
324The search terminates.
325.Ar Drop
326is an alias for
327.Ar deny .
328.It Ar reject
329(Deprecated.) Discard packets that match this rule, and try to send an ICMP
330host unreachable notice.
331The search terminates.
332.It Ar unreach code
333Discard packets that match this rule, and try to send an ICMP
334unreachable notice with code
335.Ar code ,
336where
337.Ar code
338is a number from zero to 255, or one of these aliases:
339.Ar net ,
340.Ar host ,
341.Ar protocol ,
342.Ar port ,
343.Ar needfrag ,
344.Ar srcfail ,
345.Ar net-unknown ,
346.Ar host-unknown ,
347.Ar isolated ,
348.Ar net-prohib ,
349.Ar host-prohib ,
350.Ar tosnet ,
351.Ar toshost ,
352.Ar filter-prohib ,
353.Ar host-precedence ,
354or
355.Ar precedence-cutoff .
356The search terminates.
357.It Ar reset
358TCP packets only. Discard packets that match this rule,
359and try to send a TCP reset
360.Pq RST
361notice.
362The search terminates.
363.It Ar count
364Update counters for all packets that match rule.
365The search continues with the next rule.
366.It Ar divert port
367Divert packets that match this rule to the
368.Xr divert 4
369socket bound to port
370.Ar port .
371The search terminates.
372.It Ar tee port
373Send a copy of packets matching this rule to the
374.Xr divert 4
375socket bound to port
376.Ar port .
377The search continues with the next rule. This feature is not yet implemented.
378.It Ar fwd ipaddr Op ,port
379Change the next-hop on matching packets to
380.Ar ipaddr ,
381which can be an IP address in dotted quad or a host name.
382If
383.Ar ipaddr
384is not a directly-reachable address, the route
385as found in the local routing table for that IP is used
386instead.
387If
388.Ar ipaddr
389is a local address, then on a packet entering the system from a remote
390host it will be diverted to
391.Ar port
392on the local machine, keeping the local address of the socket set
393to the original IP address the packet was destined for. This is intended
394for use with transparent proxy servers. If the IP is not
395a local address then the port number (if specified) is ignored and
396the rule only applies to packets leaving the system. This will
397also map addresses to local ports when packets are generated locally.
398The search terminates if this rule matches. If the port number is not
399given then the port number in the packet is used, so that a packet for
400an external machine port Y would be forwarded to local port Y. The kernel
401must have been compiled with options IPFIREWALL_FORWARD.
402.It Ar pipe pipe_nr
403Pass packet to a
404.Xr dummynet 4
405``pipe'' (for bandwidth limitation, delay etc.). See the
406.Xr dummynet 4
407manpage for further information. The search terminates; however,
408on exit from the pipe and if the sysctl variable
409net.inet.ip.fw.one_pass is not set, the packet is passed again to
410the firewall code starting from the next rule.
411.It Ar skipto number
412Skip all subsequent rules numbered less than
413.Ar number .
414The search continues with the first rule numbered
415.Ar number
416or higher.
417.It Ar uid user
418Match all TCP or UDP packets sent by or received for a
419.Ar user .
420A
421.Ar user
422may be matched by name or identification number.
423.It Ar gid group
424Match all TCP or UDP packets sent by or received for a
425.Ar group .
426A
427.Ar group
428may be matched by name or identification number.
429.El
430.Pp
431If a packet matches more than one
432.Ar divert
433and/or
434.Ar tee
435rule, all but the last are ignored.
436.Pp
437If the kernel was compiled with
438.Dv IPFIREWALL_VERBOSE ,
439then when a packet matches a rule with the
440.Ar log
441keyword or a clear/resetlog is performed, a message will be logged to
442.Xr syslogd 8 ,
443or, if that fails, to the console.  If the kernel was compiled with the
444.Dv IPFIREWALL_VERBOSE_LIMIT
445option, then by default logging will cease after the number
446of packets specified by the option are received for that
447particular chain entry. However, if
448.Ar logamount Ar number
449is used, that
450.Ar number
451will be the default logging limit rather than
452.Dv IPFIREWALL_VERBOSE_LIMIT .
453When this limit is reached, the limit and rule number will be logged.
454Logging may then be re-enabled by clearing the logging counter
455or the packet counter for that entry.
456.Pp
457The
458.Xr syslogd 8
459logging and the default log limit are adjustable dynamically through the
460.Xr sysctl 8
461interface in the MIB base of
462.Dv net.inet.ip.fw .
463.Pp
464.Ar proto :
465.Bl -hang -offset flag -width 1234567890123456
466.It Ar ip
467All packets match. The alias
468.Ar all
469has the same effect.
470.It Ar tcp
471Only TCP packets match.
472.It Ar udp
473Only UDP packets match.
474.It Ar icmp
475Only ICMP packets match.
476.It Ar <number|name>
477Only packets for the specified protocol matches (see
478.Pa /etc/protocols
479for a complete list).
480.El
481.Pp
482.Ar src
483and
484.Ar dst :
485.Bl -hang -offset flag
486.It Ar <address/mask>
487.Op Ar ports
488.El
489.Pp
490The
491.Em <address/mask>
492may be specified as:
493.Bl -hang -offset flag -width 1234567890123456
494.It Ar ipno
495An ipnumber of the form 1.2.3.4.
496Only this exact ip number match the rule.
497.It Ar ipno/bits
498An ipnumber with a mask width of the form 1.2.3.4/24.
499In this case all ip numbers from 1.2.3.0 to 1.2.3.255 will match.
500.It Ar ipno:mask
501An ipnumber with a mask width of the form 1.2.3.4:255.255.240.0.
502In this case all ip numbers from 1.2.0.0 to 1.2.15.255 will match.
503.El
504.Pp
505The sense of the match can be inverted by preceding an address with the
506.Dq not
507modifier, causing all other addresses to be matched instead. This
508does not affect the selection of port numbers.
509.Pp
510With the TCP and UDP protocols, optional
511.Em ports
512may be specified as:
513.Pp
514.Bl -hang -offset flag
515.It Ns {port|port-port} Ns Op ,port Ns Op ,...
516.El
517.Pp
518Service names (from
519.Pa /etc/services )
520may be used instead of numeric port values.
521A range may only be specified as the first value,
522and the length of the port list is limited to
523.Dv IP_FW_MAX_PORTS
524(as defined in
525.Pa /usr/src/sys/netinet/ip_fw.h )
526ports.
527A
528.Ql \e
529can be used to escape the
530.Ql -
531character in a service name:
532.Pp
533.Dl ipfw add count tcp from any ftp\e\e-data-ftp to any
534.Pp
535Fragmented packets which have a non-zero offset (i.e. not the first
536fragment) will never match a rule which has one or more port
537specifications.  See the
538.Ar frag
539option for details on matching fragmented packets.
540.Pp
541Rules can apply to packets when they are incoming, or outgoing, or both.
542The
543.Ar in
544keyword indicates the rule should only match incoming packets.
545The
546.Ar out
547keyword indicates the rule should only match outgoing packets.
548.Pp
549To match packets going through a certain interface, specify
550the interface using
551.Ar via :
552.Bl -hang -offset flag -width 1234567890123456
553.It Ar via ifX
554Packet must be going through interface
555.Ar ifX.
556.It Ar via if*
557Packet must be going through interface
558.Ar ifX ,
559where X is any unit number.
560.It Ar via any
561Packet must be going through
562.Em some
563interface.
564.It Ar via ipno
565Packet must be going through the interface having IP address
566.Ar ipno .
567.El
568.Pp
569The
570.Ar via
571keyword causes the interface to always be checked.
572If
573.Ar recv
574or
575.Ar xmit
576is used instead of
577.Ar via ,
578then the only receive or transmit interface (respectively) is checked.
579By specifying both, it is possible to match packets based on both receive
580and transmit interface, e.g.:
581.Pp
582.Dl "ipfw add 100 deny ip from any to any out recv ed0 xmit ed1"
583.Pp
584The
585.Ar recv
586interface can be tested on either incoming or outgoing packets, while the
587.Ar xmit
588interface can only be tested on outgoing packets. So
589.Ar out
590is required (and
591.Ar in
592invalid) whenever
593.Ar xmit
594is used. Specifying
595.Ar via
596together with
597.Ar xmit
598or
599.Ar recv
600is invalid.
601.Pp
602A packet may not have a receive or transmit interface: packets originating
603from the local host have no receive interface. while packets destined for
604the local host have no transmit interface.
605.Pp
606Additional
607.Ar options :
608.Bl -hang -offset flag -width 1234567890123456
609.It frag
610Match if the packet is a fragment and this is not the first fragment
611of the datagram.
612.Ar frag
613may not be used in conjunction with either
614.Ar tcpflags
615or TCP/UDP port specifications.
616.It in
617Match if this packet was on the way in.
618.It out
619Match if this packet was on the way out.
620.It ipoptions Ar spec
621Match if the IP header contains the comma separated list of
622options specified in
623.Ar spec .
624The supported IP options are:
625.Ar ssrr
626(strict source route),
627.Ar lsrr
628(loose source route),
629.Ar rr
630(record packet route), and
631.Ar ts
632(timestamp).
633The absence of a particular option may be denoted
634with a
635.Dq ! .
636.It established
637Match packets that have the RST or ACK bits set.
638TCP packets only.
639.It setup
640Match packets that have the SYN bit set but no ACK bit.
641TCP packets only.
642.It tcpflags Ar spec
643Match if the TCP header contains the comma separated list of
644flags specified in
645.Ar spec .
646The supported TCP flags are:
647.Ar fin ,
648.Ar syn ,
649.Ar rst ,
650.Ar psh ,
651.Ar ack ,
652and
653.Ar urg .
654The absence of a particular flag may be denoted
655with a
656.Dq ! .
657A rule which contains a
658.Ar tcpflags
659specification can never match a fragmented packet which has
660a non-zero offset.  See the
661.Ar frag
662option for details on matching fragmented packets.
663.It icmptypes Ar types
664Match if the ICMP type is in the list
665.Ar types .
666The list may be specified as any combination of ranges
667or individual types separated by commas.
668.El
669.Sh CHECKLIST
670Here are some important points to consider when designing your
671rules:
672.Bl -bullet -hang -offset flag
673.It
674Remember that you filter both packets going in and out.
675Most connections need packets going in both directions.
676.It
677Remember to test very carefully.
678It is a good idea to be near the console when doing this.
679.It
680Don't forget the loopback interface.
681.El
682.Sh FINE POINTS
683There is one kind of packet that the firewall will always discard,
684that is an IP fragment with a fragment offset of one.
685This is a valid packet, but it only has one use, to try to circumvent
686firewalls.
687.Pp
688If you are logged in over a network, loading the KLD version of
689.Nm
690is probably not as straightforward as you would think.
691I recommend this command line:
692.Bd -literal -offset center
693kldload /modules/ipfw.ko && \e
694ipfw add 32000 allow all from any to any
695.Ed
696.Pp
697Along the same lines, doing an
698.Bd -literal -offset center
699ipfw flush
700.Ed
701.Pp
702in similar surroundings is also a bad idea.
703.Pp
704The IP filter list may not be modified if the system security level
705is set to 3 or higher
706.Po
707see
708.Xr init 8
709for information on system security levels
710.Pc .
711.Sh PACKET DIVERSION
712A divert socket bound to the specified port will receive all packets diverted
713to that port; see
714.Xr divert 4 .
715If no socket is bound to the destination port, or if the kernel
716wasn't compiled with divert socket support, diverted packets are dropped.
717.Sh EXAMPLES
718This command adds an entry which denies all tcp packets from
719.Em cracker.evil.org
720to the telnet port of
721.Em wolf.tambov.su
722from being forwarded by the host:
723.Pp
724.Dl ipfw add deny tcp from cracker.evil.org to wolf.tambov.su 23
725.Pp
726This one disallows any connection from the entire crackers network to
727my host:
728.Pp
729.Dl ipfw add deny all from 123.45.67.0/24 to my.host.org
730.Pp
731Here is a good usage of the
732.Ar list
733command to see accounting records
734and timestamp information:
735.Pp
736.Dl ipfw -at l
737.Pp
738or in short form without timestamps:
739.Pp
740.Dl ipfw -a l
741.Pp
742This rule diverts all incoming packets from 192.168.2.0/24 to divert port 5000:
743.Pp
744.Dl ipfw divert 5000 all from 192.168.2.0/24 to any in
745.Sh SEE ALSO
746.Xr cpp 1 ,
747.Xr m4 1 ,
748.Xr divert 4 ,
749.Xr dummynet 4 ,
750.Xr ip 4 ,
751.Xr ipfirewall 4 ,
752.Xr protocols 5 ,
753.Xr services 5 ,
754.Xr init 8 ,
755.Xr kldload 8 ,
756.Xr reboot 8 ,
757.Xr sysctl 8 ,
758.Xr syslogd 8 .
759.Sh BUGS
760.Pp
761.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
762.Pp
763This program can put your computer in rather unusable state. When
764using it for the first time, work on the console of the computer, and
765do
766.Em NOT
767do anything you don't understand.
768.Pp
769When manipulating/adding chain entries, service and protocol names are
770not accepted.
771.Pp
772Incoming packet fragments diverted by
773.Ar divert
774are reassembled before delivery to the socket, whereas fragments diverted via
775.Ar tee
776are not.
777.Pp
778Port aliases containing dashes cannot be first in a list.
779.Pp
780The
781.Dq tee
782action is unimplemented.
783.Sh AUTHORS
784.An Ugen J. S. Antsilevich ,
785.An Poul-Henning Kamp ,
786.An Alex Nash ,
787.An Archie Cobbs .
788API based upon code written by
789.An Daniel Boulet
790for BSDI.
791.Sh HISTORY
792.Nm Ipfw
793first appeared in
794.Fx 2.0 .
795