.Dd November 16, 1994
.Dt IPFW 8
.Os
.Sh NAME
ipfw - controlling utility for ipfw/ipacct facilities.

.Sh SYNOPSIS

 ipfw [-n] <entry-action> <chain entry pattern>
 ipfw [-ans] <chain-action> <chain[s] type>

.Sh DESCRIPTION
 In the first synopsis form, the ipfw utility allows control of firewall
and accounting chains.
 In the second synopsis form, the ipfw utility allows setting of global
firewall/accounting properties and listing of chain contents.

The following options are available:

-a While listing, show counter values; this option is the only way to
 see accounting records. Works only with -s.

-n Do not resolve anything. When setting entries, do not try to resolve
 a given address. When listing, display addresses in numeric form.

-s Short listing form. By default the listing format is compatible with the
 ipfw input string format, so you can save listings to a file and then
 reuse them. With this option the list format is much shorter but
 incompatible with ipfw syntax.

These are <entry-actions>:

 addf[irewall] - add entry to firewall chain.
 delf[irewall] - remove entry from firewall chain.
 adda[ccounting] - add entry to accounting chain.
 dela[ccounting] - remove entry from accounting chain.
 clr[accounting] - clear counters for accounting chain entry.

If no <entry-action> is specified, addf[irewall] or adda[ccounting] is used
by default, depending on the <chain-entry pattern> specified.

These are <chain-actions>:
 f[lush] - remove all entries in firewall/accounting chains.
 l[ist] - show all entries in firewall/accounting chains.
 z[ero] - clear chain counters (accounting only).
 p[olicy] - set default policy properties.

This is the <chain-entry pattern> structure:
 For forwarding/blocking chains:
 lreject <proto/addr pattern> reject packet, send ICMP unreachable and log.
 reject <proto/addr pattern> reject packet, send ICMP unreachable.
 ldeny <proto/addr pattern> reject packet, log it.
 deny <proto/addr pattern> reject packet.
 log <proto/addr pattern> allow packet, log it.
 accept <proto/addr pattern> allow packet.
 pass <proto/addr pattern> allow packet.
 For accounting chain:
 single <proto/addr pattern> log packets matching entry.
 bidirectional <proto/addr pattern> log packets matching entry and
 those going in the opposite direction (from entry
 "dst" to "src").

Each keyword will be recognized by its shortest unambiguous prefix.

The <proto/addr pattern> is:
 all|icmp from <src addr/mask> to <dst addr/mask> [via <via>]
 tcp[syn]|udp from <src addr/mask>[ports] to <dst addr/mask>[ports] [via <via>]
 all matches any IP packet.
 icmp, tcp and udp - packets for the corresponding protocols.
 syn - tcp SYN packets (which are used when initiating a connection).

The order of the from/to/via keywords is unimportant. You can skip any
of them; a skipped keyword is substituted by a default entry matching
any from/to/via packet kind.

The <src addr/mask>:
 <INET IP addr | domain name> [/mask bits | :mask pattern]
 Mask bits is a decimal number of bits set in the address mask.
 Mask pattern has the form of an IP address and is AND'ed logically with
 the address given.
 Keyword "any" can be used to specify 'any IP'.
 [ports]: [ port,port....|port:port]
 The name of a service can be used instead of a numeric port value.

The via <via> is optional and may specify the IP address/domain name of a
 local IP interface, or an interface name (e.g. ed0), to match only packets
 coming through this interface. The IP or name given is NOT checked, and a
 wrong value of IP causes the entry to not match anything.
 Keyword 'via' can be substituted by 'on', for readability reasons.

The l[ist] command may be passed:
 f[irewall] | a[ccounting] to list a specific chain, or nothing to list
all chains. The long output format is compatible with the utility input syntax.

The f[lush] command may be passed:
 f[irewall] | a[ccounting] to remove all entries from the firewall or
from the accounting chain. Without arguments it removes all chain entries.

The z[ero] command needs no arguments; it clears the counters for the
whole accounting chain.

The p[olicy] command can be given a[ccept]|d[eny] to set the default policy
to accepting/denial respectively. Without arguments the current default
policy is displayed.

.Sh EXAMPLES

 This command adds an entry which denies all tcp packets from
hacker.evil.org to the telnet port of wolf.tambov.su from being
forwarded by the host:
 ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet

 This one disallows any connection from the entire hackers network
to my host:
 ipfw addf deny all from 123.45.67.8/24 to my.host.org

 Here is a good usage of the list command to see accounting records:
 ipfw -sa list accounting (or in short form ipfw -sa l a ).

 Many more examples can be found in the file:
 /usr/share/FAQ/ipfw.FAQ (missing for the moment)

.Sh SEE ALSO
ip(4), ipfirewall(4), ipaccounting(4), reboot(8)

.Sh BUGS
 WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
 This program can put your computer in a rather unusable state.
The first time, try using it from the console and do *NOT* do anything
you don't understand.
 Remember that "ipfw flush" can solve all the problems.
Also keep in mind that "ipfw policy deny" combined with
some wrong chain entry (possibly the only entry, which was designed
to deny some external packets) can close your computer off from the
outer world for good.

.Sh HISTORY
 Initially this utility was written for BSDI by:
 Daniel Boulet <danny@BouletFermat.ab.ca>
 The FreeBSD version is written completely by:
 Ugen J.S.Antsilevich <ugen@NetVision.net.il>
 while the synopsis is partially compatible with the old one.
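The following is a worked example added to this page; it is not part of the ipfw(8) manual or of the FreeBSD sources. It is a small offline Python simulator of the <chain-entry pattern> syntax described above: keyword recognition by shortest unambiguous prefix, both <src addr/mask> forms (/mask bits and :mask pattern), "any", port lists and port:port ranges with service names, tcp[syn], the optional via/on part, and the default policy set with p[olicy]. It also reproduces the lock-out described in BUGS, where "policy deny" plus one mistyped entry shuts out the whole network. Everything not stated in the manual is an assumption and is marked as such in the code: the SERVICES table is a constructed stand-in for /etc/services, host names are not resolved (numeric addresses only), and the chain is evaluated first-match-wins.

```python
# Added example, not part of the ipfw(8) manual or of the FreeBSD sources: an
# offline simulator of the <chain-entry pattern> syntax described above.
# Assumptions (not stated by the manual): SERVICES is a constructed stand-in
# for /etc/services, host names are not resolved, and the chain is first-match-wins.

ACTIONS = ("lreject", "reject", "ldeny", "deny", "log", "accept", "pass")
PROTOS = ("all", "icmp", "tcp", "udp")
KEYWORDS = ("from", "to", "via", "on")
SERVICES = {"telnet": 23, "smtp": 25, "domain": 53, "http": 80}  # constructed

def expand(word, choices):
    """Resolve a keyword by its shortest unambiguous prefix ('d' -> 'deny')."""
    hits = [c for c in choices if c.startswith(word)]
    if len(hits) != 1:
        raise ValueError(f"unknown or ambiguous keyword {word!r}: {hits}")
    return hits[0]

def ip_to_int(text):
    """Dotted quad -> 32-bit integer; names are deliberately not resolved."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric IP address: {text!r}")
    return int.from_bytes(bytes(int(p) for p in parts), "big")

def parse_addr(text):
    """'<addr>[/mask bits | :mask pattern]' or 'any' -> (network, mask)."""
    if text == "any":
        return 0, 0                              # mask 0 matches every address
    if "/" in text:                              # decimal count of mask bits
        addr, bits = text.split("/", 1)
        mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    elif ":" in text:                            # mask pattern, AND'ed with addr
        addr, pattern = text.split(":", 1)
        mask = ip_to_int(pattern)
    else:                                        # single host
        addr, mask = text, 0xFFFFFFFF
    return ip_to_int(addr) & mask, mask

def parse_ports(text):
    """'port,port,...' -> set of ports; 'lo:hi' -> inclusive range."""
    def one(p):
        return SERVICES[p] if p in SERVICES else int(p)
    if ":" in text:
        lo, hi = (one(p) for p in text.split(":", 1))
        return set(range(lo, hi + 1))
    return {one(p) for p in text.split(",")}

def parse_entry(line):
    """Parse '<action> <proto>[syn] [from ...] [to ...] [via ...]' in any order."""
    tokens = line.split()
    action = expand(tokens[0], ACTIONS)
    proto_tok, syn = tokens[1], False
    if proto_tok.endswith("syn"):                # 'tcpsyn': SYN packets only
        proto_tok, syn = proto_tok[:-3], True
    proto = expand(proto_tok, PROTOS)
    entry = {"action": action, "proto": proto, "syn": syn, "via": None,
             "src": (0, 0), "dst": (0, 0), "sports": None, "dports": None}
    i = 2
    while i < len(tokens):
        kw = tokens[i]
        if kw in ("from", "to"):
            side = "src" if kw == "from" else "dst"
            entry[side] = parse_addr(tokens[i + 1])
            i += 2
            if i < len(tokens) and tokens[i] not in KEYWORDS:   # optional [ports]
                entry[side[0] + "ports"] = parse_ports(tokens[i])
                i += 1
        elif kw in ("via", "on"):                # 'on' is a synonym for 'via'
            entry["via"] = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"unexpected token {kw!r}")
    if proto not in ("tcp", "udp") and (entry["sports"] or entry["dports"]):
        raise ValueError("ports are only valid with tcp or udp")
    return entry

def matches(entry, pkt):
    """Match a packet dict; omitted from/to/via parts of the entry match anything."""
    if entry["proto"] != "all" and entry["proto"] != pkt["proto"]:
        return False
    if entry["syn"] and not pkt.get("syn", False):
        return False
    for side in ("src", "dst"):
        net, mask = entry[side]
        if ip_to_int(pkt[side]) & mask != net:
            return False
        ports = entry[side[0] + "ports"]
        if ports is not None and pkt.get(side[0] + "port") not in ports:
            return False
    return entry["via"] is None or entry["via"] == pkt.get("via")

def evaluate(chain, policy, pkt):
    """First matching entry decides (assumption); returns (verdict, logged)."""
    for entry in chain:
        if matches(entry, pkt):
            act = entry["action"]
            logged = act in ("lreject", "ldeny", "log")
            if act in ("accept", "pass", "log"):
                return "accept", logged
            return ("reject" if act.endswith("reject") else "deny"), logged
    return expand(policy, ("accept", "deny")), False
```

To see the BUGS lock-out, evaluate a constructed LAN packet from 10.1.2.5 against a chain whose only entry is "accept all from 10.1.2.0/32 to any" (a typo for /24) with the policy set to deny: the /32 mask turns the intended network entry into a single-host entry, nothing matches, and the default policy drops the packet; the same packet is accepted once the entry reads /24. The simulator also shows why "Mask pattern" and "mask bits" are interchangeable: 10.0.0.0:255.0.0.0 and 10.0.0.0/8 produce the same (network, mask) pair.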