1.\" 2.\" $FreeBSD$ 3.\" 4.Dd July 20, 1996 5.Dt IPFW 8 6.Os FreeBSD 7.Sh NAME 8.Nm ipfw 9.Nd controlling utility for IP firewall 10.Sh SYNOPSIS 11.Nm ipfw 12.Op Fl q 13.Oo 14.Fl p Ar preproc 15.Op Fl D Ar macro Ns Op Ns =value 16.Op Fl U Ar macro 17.Oc 18.Ar file 19.Nm ipfw 20.Oo 21.Fl f 22| 23.Fl q 24.Oc 25flush 26.Nm ipfw 27.Oo 28.Fl q 29.Oc 30zero 31.Op Ar number ... 32.Nm ipfw 33.Oo 34.Fl q 35.Oc 36resetlog 37.Op Ar number ... 38.Nm ipfw 39delete 40.Ar number ... 41.Nm ipfw 42.Op Fl aftN 43list 44.Op Ar number ... 45.Nm ipfw 46.Oo 47.Fl ftN 48.Oc 49show 50.Op Ar number ... 51.Nm ipfw 52.Oo 53.Fl q 54.Oc 55add 56.Op Ar number 57.Op prob match_probability 58.Ar action 59.Op log Op Ar logamount Ar number 60.Ar proto 61from 62.Ar src 63to 64.Ar dst 65.Op via Ar name | ipno 66.Op Ar options 67.Sh DESCRIPTION 68If used as shown in the first synopsis line, the 69.Ar file 70will be read line by line and applied as arguments to the 71.Nm 72command. 73.Pp 74Optionally, a preprocessor can be specified using 75.Fl p Ar preproc 76where 77.Ar file 78is to be piped through. Useful preprocessors include 79.Xr cpp 1 80and 81.Xr m4 1 . 82If 83.Ar preproc 84doesn't start with a slash as its first character, the usual 85.Ev PATH 86name search is performed. Care should be taken with this in environments 87where not all filesystems are mounted (yet) by the time 88.Nm 89is being run (e. g. since they are mounted over NFS). Once 90.Fl p 91has been specified, optional 92.Fl D 93and 94.Fl U 95specifications can follow and will be passed on to the preprocessor. 96This allows for flexible configuration files (like conditionalizing 97them on the local hostname) and the use of macros to centralize 98frequently required arguments like IP addresses. 99.Pp 100Each packet that has been received or is about to be sent goes through 101the 102.Nm 103rules. In the case of a host acting as a gateway, packets that are 104forwarded by the host are processed by 105.Nm 106twice 107.Po 108once when entering, and once when leaving 109.Pc . 110Each packet can be filtered based on the following information that is 111associated with it: 112.Pp 113.Bl -tag -offset indent -compact -width xxxx 114.It Receive Interface Pq Ar recv 115Interface over which the packet was received 116.It Transmit Interface Pq Ar xmit 117Interface over which the packet would be transmitted 118.It Incoming Pq Ar in 119Packet was just received 120.It Outgoing Pq Ar out 121Packet would be transmitted 122.It Source IP Address 123Sender's IP Address 124.It Destination IP Address 125Target's IP Address 126.It Protocol 127IP protocol, including but not limited to IP 128.Pq Ar ip , 129UDP 130.Pq Ar udp , 131TCP 132.Pq Ar tcp , 133or 134ICMP 135.Pq Ar icmp 136.It Source Port 137Sender's UDP or TCP port 138.It Destination Port 139Target's UDP or TCP port 140.It Connection Setup Flag Pq Ar setup 141This packet is a request to setup a TCP connection 142.It Connection Established Flag Pq Ar established 143This packet is part of an established TCP connection 144.It All TCP Flags Pq Ar tcpflags 145One or more of the TCP flags: close connection 146.Pq Ar fin , 147open connection 148.Pq Ar syn , 149reset connection 150.Pq Ar rst , 151push 152.Pq Ar psh , 153acknowledgment 154.Pq Ar ack , 155and 156urgent 157.Pq Ar urg 158.It Fragment Flag Pq Ar frag 159This packet is a fragment of an IP packet 160.It IP Options Pq Ar ipoptions 161One or more of the IP options: strict source route 162.Pq Ar ssrr , 163loose source route 164.Pq Ar lsrr , 165record route 166.Pq Ar rr , 167and timestamp 168.Pq Ar ts 169.It ICMP Types Pq Ar icmptypes 170One or more of the ICMP types: echo reply 171.Pq Ar 0 , 172destination unreachable 173.Pq Ar 3 , 174source quench 175.Pq Ar 4 , 176redirect 177.Pq Ar 5 , 178echo request 179.Pq Ar 8 , 180router advertisement 181.Pq Ar 9 , 182router solicitation 183.Pq Ar 10 , 184time-to-live exceeded 185.Pq Ar 11 , 186IP header bad 187.Pq Ar 12 , 188timestamp request 189.Pq Ar 13 , 190timestamp reply 191.Pq Ar 14 , 192information request 193.Pq Ar 15 , 194information reply 195.Pq Ar 16 , 196address mask request 197.Pq Ar 17 , 198and address mask reply 199.Pq Ar 18 200.El 201.Pp 202Note that may be dangerous to filter on the source IP address or 203source TCP/UDP port because either or both could easily be spoofed. 204.Pp 205The 206.Nm 207code works by going through the rule-list for each packet 208until a match is found. 209All rules have two associated counters, a packet count and 210a byte count. 211These counters are updated when a packet matches the rule. 212.Pp 213If a rule has the optional 214.Dq prob match_probability 215specifier, where the match_probability is a floating point number 216between 0 and 1, a match is only declared with the specified 217probability. This can be useful for a number of applications 218such as random packet drop or (in conjunction with 219.Xr dummynet 4 220) to simulate the effect of multiple paths leading to out-of-order 221packet delivery. 222.Pp 223The rules are ordered by a 224.Dq line-number 225from 1 to 65534 that is used 226to order and delete rules. Rules are tried in increasing order, and the 227first rule that matches a packet applies. 228Multiple rules may share the same number and apply in 229the order in which they were added. 230.Pp 231If a rule is added without a number, it is numbered 100 higher than the highest 232defined rule number, unless the highest defined rule number is 65435 or 233greater, in which case new rules are given that same number. 234.Pp 235The delete operation deletes the first rule with number 236.Ar number , 237if any. 238.Pp 239The list command prints out the current rule set. 240.Pp 241The show command is equivalent to 242.Sq ipfw -a list . 243.Pp 244The zero operation zeroes the counters associated with rule number 245.Ar number . 246.Pp 247The resetlog operation resets the logging counters associated with 248rule number 249.Ar number . 250.Pp 251The flush operation removes all rules. 252.Pp 253Any command beginning with a 254.Sq # , 255or being all blank, is ignored. 256.Pp 257One rule is always present: 258.Bd -literal -offset center 25965535 deny all from any to any 260.Ed 261.Pp 262This rule is the default policy, i.e., don't allow anything at all. 263Your job in setting up rules is to modify this policy to match your 264needs. 265.Pp 266However, if the kernel option 267.Dq IPFIREWALL_DEFAULT_TO_ACCEPT 268is active, the rule is instead: 269.Bd -literal -offset center 27065535 allow all from any to any 271.Ed 272.Pp 273This variation lets everything pass through. This option should only be 274activated in particular circumstances, such as if you use the firewall 275system as an on-demand denial-of-service filter that is normally wide open. 276.Pp 277The following options are available: 278.Bl -tag -width indent 279.It Fl a 280While listing, show counter values. See also 281.Dq show 282command. 283.It Fl f 284Don't ask for confirmation for commands that can cause problems if misused 285(i.e. flush). 286.Ar Note , 287if there is no tty associated with the process, this is implied. 288.It Fl q 289While adding, zeroing, resetlogging or flushing, be quiet about actions (implies 290.Fl f Ns ). 291This is useful for adjusting rules by executing multiple 292.Nm 293commands in a script 294.Po 295e.g., 296.Sq sh /etc/rc.firewall 297.Pc , 298or by processing a file of many 299.Nm 300rules, 301across a remote login session. If a flush is performed in normal 302(verbose) mode (with the default kernel configuration), it prints a message. 303Because all rules are flushed, the 304message cannot be delivered to the login session. This causes the 305remote login session to be closed and the remainder of the ruleset is 306not processed. Access to the console is required to recover. 307.It Fl t 308While listing, show last match timestamp. 309.It Fl N 310Try to resolve addresses and service names in output. 311.El 312.Pp 313.Ar action : 314.Bl -hang -offset flag -width 1234567890123456 315.It Ar allow 316Allow packets that match rule. 317The search terminates. Aliases are 318.Ar pass , 319.Ar permit , 320and 321.Ar accept . 322.It Ar deny 323Discard packets that match this rule. 324The search terminates. 325.Ar Drop 326is an alias for 327.Ar deny . 328.It Ar reject 329(Deprecated.) Discard packets that match this rule, and try to send an ICMP 330host unreachable notice. 331The search terminates. 332.It Ar unreach code 333Discard packets that match this rule, and try to send an ICMP 334unreachable notice with code 335.Ar code , 336where 337.Ar code 338is a number from zero to 255, or one of these aliases: 339.Ar net , 340.Ar host , 341.Ar protocol , 342.Ar port , 343.Ar needfrag , 344.Ar srcfail , 345.Ar net-unknown , 346.Ar host-unknown , 347.Ar isolated , 348.Ar net-prohib , 349.Ar host-prohib , 350.Ar tosnet , 351.Ar toshost , 352.Ar filter-prohib , 353.Ar host-precedence , 354or 355.Ar precedence-cutoff . 356The search terminates. 357.It Ar reset 358TCP packets only. Discard packets that match this rule, 359and try to send a TCP reset 360.Pq RST 361notice. 362The search terminates. 363.It Ar count 364Update counters for all packets that match rule. 365The search continues with the next rule. 366.It Ar divert port 367Divert packets that match this rule to the 368.Xr divert 4 369socket bound to port 370.Ar port . 371The search terminates. 372.It Ar tee port 373Send a copy of packets matching this rule to the 374.Xr divert 4 375socket bound to port 376.Ar port . 377The search continues with the next rule. This feature is not yet implemented. 378.It Ar fwd ipaddr Op ,port 379Change the next-hop on matching packets to 380.Ar ipaddr , 381which can be an IP address in dotted quad or a host name. 382If 383.Ar ipaddr 384is not a directly-reachable address, the route 385as found in the local routing table for that IP is used 386instead. 387If 388.Ar ipaddr 389is a local address, then on a packet entering the system from a remote 390host it will be diverted to 391.Ar port 392on the local machine, keeping the local address of the socket set 393to the original IP address the packet was destined for. This is intended 394for use with transparent proxy servers. If the IP is not 395a local address then the port number (if specified) is ignored and 396the rule only applies to packets leaving the system. This will 397also map addresses to local ports when packets are generated locally. 398The search terminates if this rule matches. If the port number is not 399given then the port number in the packet is used, so that a packet for 400an external machine port Y would be forwarded to local port Y. The kernel 401must have been compiled with options IPFIREWALL_FORWARD. 402.It Ar pipe pipe_nr 403Pass packet to a 404.Xr dummynet 4 405``pipe'' (for bandwidth limitation, delay etc.). See the 406.Xr dummynet 4 407manpage for further information. The search terminates; however, 408on exit from the pipe and if the sysctl variable 409net.inet.ip.fw.one_pass is not set, the packet is passed again to 410the firewall code starting from the next rule. 411.It Ar skipto number 412Skip all subsequent rules numbered less than 413.Ar number . 414The search continues with the first rule numbered 415.Ar number 416or higher. 417.It Ar uid user 418Match all TCP or UDP packets sent by or received for a 419.Ar user . 420A 421.Ar user 422may be matched by name or identification number. 423.It Ar gid group 424Match all TCP or UDP packets sent by or received for a 425.Ar group . 426A 427.Ar group 428may be matched by name or identification number. 429.El 430.Pp 431If a packet matches more than one 432.Ar divert 433and/or 434.Ar tee 435rule, all but the last are ignored. 436.Pp 437If the kernel was compiled with 438.Dv IPFIREWALL_VERBOSE , 439then when a packet matches a rule with the 440.Ar log 441keyword or a clear/resetlog is performed, a message will be logged to 442.Xr syslogd 8 , 443or, if that fails, to the console. If the kernel was compiled with the 444.Dv IPFIREWALL_VERBOSE_LIMIT 445option, then by default logging will cease after the number 446of packets specified by the option are received for that 447particular chain entry. However, if 448.Ar logamount Ar number 449is used, that 450.Ar number 451will be the default logging limit rather than 452.Dv IPFIREWALL_VERBOSE_LIMIT . 453When this limit is reached, the limit and rule number will be logged. 454Logging may then be re-enabled by clearing the logging counter 455or the packet counter for that entry. 456.Pp 457The 458.Xr syslogd 8 459logging and the default log limit are adjustable dynamically through the 460.Xr sysctl 8 461interface in the MIB base of 462.Dv net.inet.ip.fw . 463.Pp 464.Ar proto : 465.Bl -hang -offset flag -width 1234567890123456 466.It Ar ip 467All packets match. The alias 468.Ar all 469has the same effect. 470.It Ar tcp 471Only TCP packets match. 472.It Ar udp 473Only UDP packets match. 474.It Ar icmp 475Only ICMP packets match. 476.It Ar <number|name> 477Only packets for the specified protocol matches (see 478.Pa /etc/protocols 479for a complete list). 480.El 481.Pp 482.Ar src 483and 484.Ar dst : 485.Bl -hang -offset flag 486.It Ar <address/mask> 487.Op Ar ports 488.El 489.Pp 490The 491.Em <address/mask> 492may be specified as: 493.Bl -hang -offset flag -width 1234567890123456 494.It Ar ipno 495An ipnumber of the form 1.2.3.4. 496Only this exact ip number match the rule. 497.It Ar ipno/bits 498An ipnumber with a mask width of the form 1.2.3.4/24. 499In this case all ip numbers from 1.2.3.0 to 1.2.3.255 will match. 500.It Ar ipno:mask 501An ipnumber with a mask width of the form 1.2.3.4:255.255.240.0. 502In this case all ip numbers from 1.2.0.0 to 1.2.15.255 will match. 503.El 504.Pp 505The sense of the match can be inverted by preceding an address with the 506.Dq not 507modifier, causing all other addresses to be matched instead. This 508does not affect the selection of port numbers. 509.Pp 510With the TCP and UDP protocols, optional 511.Em ports 512may be specified as: 513.Pp 514.Bl -hang -offset flag 515.It Ns {port|port-port} Ns Op ,port Ns Op ,... 516.El 517.Pp 518Service names (from 519.Pa /etc/services ) 520may be used instead of numeric port values. 521A range may only be specified as the first value, 522and the length of the port list is limited to 523.Dv IP_FW_MAX_PORTS 524(as defined in 525.Pa /usr/src/sys/netinet/ip_fw.h ) 526ports. 527A 528.Ql \e 529can be used to escape the 530.Ql - 531character in a service name: 532.Pp 533.Dl ipfw add count tcp from any ftp\e\e-data-ftp to any 534.Pp 535Fragmented packets which have a non-zero offset (i.e. not the first 536fragment) will never match a rule which has one or more port 537specifications. See the 538.Ar frag 539option for details on matching fragmented packets. 540.Pp 541Rules can apply to packets when they are incoming, or outgoing, or both. 542The 543.Ar in 544keyword indicates the rule should only match incoming packets. 545The 546.Ar out 547keyword indicates the rule should only match outgoing packets. 548.Pp 549To match packets going through a certain interface, specify 550the interface using 551.Ar via : 552.Bl -hang -offset flag -width 1234567890123456 553.It Ar via ifX 554Packet must be going through interface 555.Ar ifX. 556.It Ar via if* 557Packet must be going through interface 558.Ar ifX , 559where X is any unit number. 560.It Ar via any 561Packet must be going through 562.Em some 563interface. 564.It Ar via ipno 565Packet must be going through the interface having IP address 566.Ar ipno . 567.El 568.Pp 569The 570.Ar via 571keyword causes the interface to always be checked. 572If 573.Ar recv 574or 575.Ar xmit 576is used instead of 577.Ar via , 578then the only receive or transmit interface (respectively) is checked. 579By specifying both, it is possible to match packets based on both receive 580and transmit interface, e.g.: 581.Pp 582.Dl "ipfw add 100 deny ip from any to any out recv ed0 xmit ed1" 583.Pp 584The 585.Ar recv 586interface can be tested on either incoming or outgoing packets, while the 587.Ar xmit 588interface can only be tested on outgoing packets. So 589.Ar out 590is required (and 591.Ar in 592invalid) whenever 593.Ar xmit 594is used. Specifying 595.Ar via 596together with 597.Ar xmit 598or 599.Ar recv 600is invalid. 601.Pp 602A packet may not have a receive or transmit interface: packets originating 603from the local host have no receive interface. while packets destined for 604the local host have no transmit interface. 605.Pp 606Additional 607.Ar options : 608.Bl -hang -offset flag -width 1234567890123456 609.It frag 610Match if the packet is a fragment and this is not the first fragment 611of the datagram. 612.Ar frag 613may not be used in conjunction with either 614.Ar tcpflags 615or TCP/UDP port specifications. 616.It in 617Match if this packet was on the way in. 618.It out 619Match if this packet was on the way out. 620.It ipoptions Ar spec 621Match if the IP header contains the comma separated list of 622options specified in 623.Ar spec . 624The supported IP options are: 625.Ar ssrr 626(strict source route), 627.Ar lsrr 628(loose source route), 629.Ar rr 630(record packet route), and 631.Ar ts 632(timestamp). 633The absence of a particular option may be denoted 634with a 635.Dq ! . 636.It established 637Match packets that have the RST or ACK bits set. 638TCP packets only. 639.It setup 640Match packets that have the SYN bit set but no ACK bit. 641TCP packets only. 642.It tcpflags Ar spec 643Match if the TCP header contains the comma separated list of 644flags specified in 645.Ar spec . 646The supported TCP flags are: 647.Ar fin , 648.Ar syn , 649.Ar rst , 650.Ar psh , 651.Ar ack , 652and 653.Ar urg . 654The absence of a particular flag may be denoted 655with a 656.Dq ! . 657A rule which contains a 658.Ar tcpflags 659specification can never match a fragmented packet which has 660a non-zero offset. See the 661.Ar frag 662option for details on matching fragmented packets. 663.It icmptypes Ar types 664Match if the ICMP type is in the list 665.Ar types . 666The list may be specified as any combination of ranges 667or individual types separated by commas. 668.El 669.Sh CHECKLIST 670Here are some important points to consider when designing your 671rules: 672.Bl -bullet -hang -offset flag 673.It 674Remember that you filter both packets going in and out. 675Most connections need packets going in both directions. 676.It 677Remember to test very carefully. 678It is a good idea to be near the console when doing this. 679.It 680Don't forget the loopback interface. 681.El 682.Sh FINE POINTS 683There is one kind of packet that the firewall will always discard, 684that is an IP fragment with a fragment offset of one. 685This is a valid packet, but it only has one use, to try to circumvent 686firewalls. 687.Pp 688If you are logged in over a network, loading the KLD version of 689.Nm 690is probably not as straightforward as you would think. 691I recommend this command line: 692.Bd -literal -offset center 693kldload /modules/ipfw.ko && \e 694ipfw add 32000 allow all from any to any 695.Ed 696.Pp 697Along the same lines, doing an 698.Bd -literal -offset center 699ipfw flush 700.Ed 701.Pp 702in similar surroundings is also a bad idea. 703.Pp 704The IP filter list may not be modified if the system security level 705is set to 3 or higher 706.Po 707see 708.Xr init 8 709for information on system security levels 710.Pc . 711.Sh PACKET DIVERSION 712A divert socket bound to the specified port will receive all packets diverted 713to that port; see 714.Xr divert 4 . 715If no socket is bound to the destination port, or if the kernel 716wasn't compiled with divert socket support, diverted packets are dropped. 717.Sh EXAMPLES 718This command adds an entry which denies all tcp packets from 719.Em cracker.evil.org 720to the telnet port of 721.Em wolf.tambov.su 722from being forwarded by the host: 723.Pp 724.Dl ipfw add deny tcp from cracker.evil.org to wolf.tambov.su 23 725.Pp 726This one disallows any connection from the entire crackers network to 727my host: 728.Pp 729.Dl ipfw add deny all from 123.45.67.0/24 to my.host.org 730.Pp 731Here is a good usage of the 732.Ar list 733command to see accounting records 734and timestamp information: 735.Pp 736.Dl ipfw -at l 737.Pp 738or in short form without timestamps: 739.Pp 740.Dl ipfw -a l 741.Pp 742This rule diverts all incoming packets from 192.168.2.0/24 to divert port 5000: 743.Pp 744.Dl ipfw divert 5000 all from 192.168.2.0/24 to any in 745.Sh SEE ALSO 746.Xr cpp 1 , 747.Xr m4 1 , 748.Xr divert 4 , 749.Xr dummynet 4 , 750.Xr ip 4 , 751.Xr ipfirewall 4 , 752.Xr protocols 5 , 753.Xr services 5 , 754.Xr init 8 , 755.Xr kldload 8 , 756.Xr reboot 8 , 757.Xr sysctl 8 , 758.Xr syslogd 8 . 759.Sh BUGS 760.Pp 761.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!! 762.Pp 763This program can put your computer in rather unusable state. When 764using it for the first time, work on the console of the computer, and 765do 766.Em NOT 767do anything you don't understand. 768.Pp 769When manipulating/adding chain entries, service and protocol names are 770not accepted. 771.Pp 772Incoming packet fragments diverted by 773.Ar divert 774are reassembled before delivery to the socket, whereas fragments diverted via 775.Ar tee 776are not. 777.Pp 778Port aliases containing dashes cannot be first in a list. 779.Pp 780The 781.Dq tee 782action is unimplemented. 783.Sh AUTHORS 784.An Ugen J. S. Antsilevich , 785.An Poul-Henning Kamp , 786.An Alex Nash , 787.An Archie Cobbs . 788API based upon code written by 789.An Daniel Boulet 790for BSDI. 791.Sh HISTORY 792.Nm Ipfw 793first appeared in 794.Fx 2.0 . 795