.Dd July 20, 1996
.Dt IPFW 8 SMM
.Os FreeBSD
.Sh NAME
.Nm ipfw
.Nd controlling utility for IP firewall
.Sh SYNOPSIS
.Nm
.Ar file
.Nm ipfw
.Oo
.Fl f
|
.Fl q
.Oc
flush
.Nm ipfw
.Oo
.Fl q
.Oc
zero
.Op Ar number ...
.Nm ipfw
delete
.Ar number ...
.Nm ipfw
.Op Fl aftN
list
.Nm ipfw
.Oo
.Fl ftN
.Oc
show
.Nm ipfw
.Oo
.Fl q
.Oc
add
.Op Ar number
.Ar action
.Op log
.Ar proto
from
.Ar src
to
.Ar dst
.Op via Ar name | ipno
.Op Ar options
.Sh DESCRIPTION
If used as shown in the first synopsis line, the
.Ar file
will be read line by line and each line applied as the arguments of one
.Nm
command.
.Pp
The
.Nm
code works by going through the rule list for each packet,
until a match is found.
All rules have two associated counters, a packet count and
a byte count.
These counters are updated when a packet matches the rule.
.Pp
The rules are ordered by a ``line-number'' from 1 to 65534 that is used
to order and delete rules. Rules are tried in increasing order, and the
first rule that matches a packet applies.
Multiple rules may share the same number and apply in
the order in which they were added.
.Pp
If a rule is added without a number, it is numbered 100 higher
than the previous rule. If that would exceed 65534, the new rule
is appended after the last rule, with the same number as that rule.
.Pp
The delete operation deletes the first rule with number
.Ar number ,
if any.
.Pp
The list command prints out the current rule set.
.Pp
The show command is equivalent to `ipfw -a list'.
.Pp
The zero operation zeroes the counters associated with rule number
.Ar number ,
or of every rule if no number is given.
.Pp
The flush operation removes all rules except the default rule 65535.
.Pp
One rule is always present:
.Bd -literal -offset center
65535 deny all from any to any
.Ed
.Pp
This rule is the default policy, i.e., don't allow anything at all.
Your job in setting up rules is to modify this policy to match your
needs.
.Pp
However, if the kernel option
.Dq IPFIREWALL_DEFAULT_TO_ACCEPT
is active, the rule is instead:
.Bd -literal -offset center
65535 allow all from any to any
.Ed
.Pp
This variation lets everything pass through. This option should only be
activated in particular circumstances, such as if you use the firewall
system as an on-demand denial-of-service filter that is normally wide open.
.Pp
The following options are available:
.Bl -tag -width flag
.It Fl a
While listing, show counter values. See also the ``show'' command.
.It Fl f
Don't ask for confirmation for commands that can cause problems if misused
(i.e., flush).
Note that if there is no tty associated with the process, this is implied.
.It Fl q
While adding or flushing, be quiet about actions (implies
.Fl f ) .
This is useful for adjusting rules by executing multiple ipfw commands
in a script (e.g. sh /etc/rc.firewall), or by processing a file of many
ipfw rules, across a remote login session.
If a flush is performed in normal (verbose) mode (with the default kernel
configuration, i.e. deny by default), it prints a message after the rules
are gone.
Because only the deny-everything rule 65535 then remains, the message
cannot be delivered to the remote login session: the session is closed
and the remainder of the ruleset is not processed.
Access to the console is required to recover.
With
.Fl q
nothing is printed, so a script can flush and immediately reload its rules;
the session is interrupted only until the rules that allow it are in place.
.It Fl t
While listing, show last match timestamp.
.It Fl N
Try to resolve addresses and service names in output.
.El
.Pp
.Ar action :
.Bl -hang -offset flag -width 1234567890123456
.It Ar allow
Allow packets that match the rule.
The search terminates. Aliases are
.Ar pass ,
.Ar permit ,
and
.Ar accept .
.It Ar deny
Discard packets that match this rule.
The search terminates.
.Ar drop
is an alias for
.Ar deny .
.It Ar reject
(Deprecated; equivalent to
.Ar unreach host . )
Discard packets that match this rule, and try to send an ICMP
host unreachable notice.
The search terminates.
.It Ar unreach code
Discard packets that match this rule, and try to send an ICMP
unreachable notice with code
.Ar code ,
where
.Ar code
is a number from zero to 255, or one of these aliases:
.Ar net ,
.Ar host ,
.Ar protocol ,
.Ar port ,
.Ar needfrag ,
.Ar srcfail ,
.Ar net-unknown ,
.Ar host-unknown ,
.Ar isolated ,
.Ar net-prohib ,
.Ar host-prohib ,
.Ar tosnet ,
.Ar toshost ,
.Ar filter-prohib ,
.Ar host-precedence ,
or
.Ar precedence-cutoff .
The search terminates.
.It Ar reset
TCP packets only. Discard packets that match this rule,
and try to send a TCP reset (RST) notice.
The search terminates.
.It Ar count
Update counters for all packets that match the rule.
The search continues with the next rule.
.It Ar divert port
Divert packets that match this rule to the
.Xr divert 4
socket bound to port
.Ar port .
The search terminates.
.It Ar tee port
Send a copy of packets matching this rule to the
.Xr divert 4
socket bound to port
.Ar port .
The search continues with the next rule.
.It Ar skipto number
Skip all subsequent rules numbered less than
.Ar number .
The search continues with the first rule numbered
.Ar number
or higher.
.El
.Pp
Note that
.Ar unreach ,
.Ar reject
and
.Ar reset
all answer the sender, which confirms that the host exists and can be used
to bounce replies toward a spoofed source address; a plain
.Ar deny
is silent.
.Pp
If a packet matches more than one
.Ar divert
and/or
.Ar tee
rule, all but the last are ignored.
.Pp
If the kernel was compiled with
.Dv IPFIREWALL_VERBOSE ,
then when a packet matches a rule with the ``log''
keyword a message will be printed on the console.
If the kernel was compiled with the
.Dv IPFIREWALL_VERBOSE_LIMIT
option, then logging will cease after the number of packets
specified by the option have been received for that particular
chain entry.
Logging may then be re-enabled by clearing
the packet counter for that entry (see the zero command).
.Pp
Console logging and the log limit are adjustable dynamically
through the
.Xr sysctl 8
interface.
.Pp
.Ar proto :
.Bl -hang -offset flag -width 1234567890123456
.It Ar ip
All packets match. The alias
.Ar all
has the same effect.
.It Ar tcp
Only TCP packets match.
.It Ar udp
Only UDP packets match.
.It Ar icmp
Only ICMP packets match.
.It Ar <number|name>
Only packets for the specified protocol match (see
.Pa /etc/protocols
for a complete list).
.El
.Pp
.Ar src
and
.Ar dst :
.Bl -hang -offset flag
.It Ar <address/mask>
.Op Ar ports
.El
.Pp
The
.Em <address/mask>
may be specified as:
.Bl -hang -offset flag -width 1234567890123456
.It Ar ipno
An IP number of the form 1.2.3.4.
Only this exact IP number matches the rule.
.It Ar ipno/bits
An IP number with a mask width of the form 1.2.3.4/24.
In this case all IP numbers from 1.2.3.0 to 1.2.3.255 will match;
the host bits of the given number are ignored.
.It Ar ipno:mask
An IP number with a netmask of the form 1.2.3.4:255.255.240.0.
In this case all IP numbers from 1.2.0.0 to 1.2.15.255 will match.
.El
.Pp
The sense of the match can be inverted by preceding an address with the
``not'' modifier, causing all other addresses to be matched instead. This
does not affect the selection of port numbers.
.Pp
With the TCP and UDP protocols, optional
.Em ports
may be specified as:
.Pp
.Bl -hang -offset flag
.It Ns {port|port-port} Ns Op ,port Ns Op ,...
.El
.Pp
Service names (from
.Pa /etc/services )
may be used instead of numeric port values (but see
.Sx BUGS ) .
A range may only be specified as the first value,
and the length of the port list is limited to
.Dv IP_FW_MAX_PORTS
(as defined in
.Pa /usr/src/sys/netinet/ip_fw.h )
ports.
.Pp
Rules can apply to packets when they are incoming, or outgoing, or both.
The
.Ar in
keyword indicates the rule should only match incoming packets.
The
.Ar out
keyword indicates the rule should only match outgoing packets.
Without either, a rule matches packets in both directions.
.Pp
To match packets going through a certain interface, specify
the interface using
.Ar via :
.Bl -hang -offset flag -width 1234567890123456
.It Ar via ifX
Packet must be going through interface
.Ar ifX .
.It Ar via if*
Packet must be going through interface
.Ar ifX ,
where X is any unit number.
.It Ar via any
Packet must be going through
.Em some
interface.
.It Ar via ipno
Packet must be going through the interface having IP address
.Ar ipno .
.El
.Pp
The
.Ar via
keyword causes the interface to always be checked: the rule matches if
either the receive or the transmit interface is the one named.
If
.Ar recv
or
.Ar xmit
is used instead of
.Ar via ,
then only the receive or transmit interface (respectively) is checked.
By specifying both, it is possible to match packets based on both receive
and transmit interface, e.g. a packet that arrived on ed0 and is being
forwarded out through ed1:
.Pp
.Dl "ipfw add 100 deny ip from any to any out recv ed0 xmit ed1"
.Pp
The
.Ar recv
interface can be tested on either incoming or outgoing packets, while the
.Ar xmit
interface can only be tested on outgoing packets. So
.Ar out
is required (and
.Ar in
invalid) whenever
.Ar xmit
is used. Specifying
.Ar via
together with
.Ar xmit
or
.Ar recv
is invalid.
.Pp
A packet may not have a receive or transmit interface: packets originating
from the local host have no receive interface, while packets destined for
the local host have no transmit interface.
.Pp
Additional
.Ar options :
.Bl -hang -offset flag -width 1234567890123456
.It frag
Matches if the packet is a fragment and this is not the first fragment
of the datagram.
Such fragments carry no TCP or UDP header, so port numbers cannot be
tested on them.
.It in
Matches if this packet was on the way in.
.It out
Matches if this packet was on the way out.
.It ipoptions Ar spec
Matches if the IP header contains the comma separated list of
options specified in
.Ar spec .
The supported IP options are:
.Ar ssrr
(strict source route),
.Ar lsrr
(loose source route),
.Ar rr
(record packet route), and
.Ar ts
(timestamp).
The absence of a particular option may be denoted
with a ``!''.
.It established
Matches packets that have the RST or ACK bits set.
TCP packets only.
This tests header bits, not connection state: any packet with ACK set,
including an unsolicited probe, matches.
.It setup
Matches packets that have the SYN bit set but no ACK bit,
i.e. the first packet of a connection attempt.
TCP packets only.
.It tcpflags Ar spec
Matches if the TCP header contains the comma separated list of
flags specified in
.Ar spec .
The supported TCP flags are:
.Ar fin ,
.Ar syn ,
.Ar rst ,
.Ar psh ,
.Ar ack ,
and
.Ar urg .
The absence of a particular flag may be denoted
with a ``!''.
.It icmptypes Ar types
Matches if the ICMP type is in the list
.Ar types .
The list may be specified as any combination of ranges
or individual types separated by commas.
.El
.Sh CHECKLIST
Here are some important points to consider when designing your
rules:
.Bl -bullet -hang -offset flag
.It
Remember that you filter both packets going in and out.
Most connections need packets going in both directions.
.It
Remember to test very carefully.
It is a good idea to be near the console when doing this.
.It
Don't forget the loopback interface.
.El
.Sh FINE POINTS
There is one kind of packet that the firewall will always discard,
that is an IP fragment with a fragment offset of one.
This is a valid packet, but it only has one use, to try to circumvent
firewalls: such a fragment starts eight bytes into the transport header
and can overwrite the TCP flags that were inspected in the first fragment.
.Pp
If you are logged in over a network, loading the LKM version of
.Nm
is probably not as straightforward as you would think.
The recommended command line is:
.Bd -literal -offset center
modload /lkm/ipfw_mod.o && \e
ipfw add 32000 allow all from any to any
.Ed
.Pp
The module starts with the default policy of rule 65535, which discards
everything, including the packets of your login session; chaining the
allow rule onto the same command line puts it in place without any
further interactive input.
Remember to delete rule 32000 once the real ruleset has been loaded, as
it allows everything.
.Pp
Along the same lines, doing an
.Bd -literal -offset center
ipfw flush
.Ed
.Pp
in similar surroundings is also a bad idea.
.Sh PACKET DIVERSION
A divert socket bound to the specified port will receive all packets diverted
to that port; see
.Xr divert 4 .
If no socket is bound to the destination port, or if the kernel
wasn't compiled with divert socket support, diverted packets are dropped.
.Sh EXAMPLES
This command adds an entry which prevents all TCP packets from
.Em hacker.evil.org
to the telnet port of
.Em wolf.tambov.su
from being forwarded by the host:
.Pp
.Dl ipfw add deny tcp from hacker.evil.org to wolf.tambov.su 23
.Pp
Host names are resolved when the rule is added; the rule stores the
resulting address, not the name.
.Pp
This one disallows any connection from the entire hackers' network to
my host:
.Pp
.Dl ipfw add deny all from 123.45.67.0/24 to my.host.org
.Pp
Here is a good usage of the list command to see accounting records
and timestamp information:
.Pp
.Dl ipfw -at list
.Pp
or in short form without timestamps:
.Pp
.Dl ipfw -a list
.Pp
This rule diverts all incoming packets from 192.168.2.0/24 to divert port 5000:
.Pp
.Dl ipfw add divert 5000 all from 192.168.2.0/24 to any in
.Sh SEE ALSO
.Xr divert 4 ,
.Xr ip 4 ,
.Xr ipfirewall 4 ,
.Xr protocols 5 ,
.Xr services 5 ,
.Xr reboot 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8
.Sh BUGS
.Pp
.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
.Pp
This program can put your computer in a rather unusable state. When
using it for the first time, work on the console of the computer, and
do
.Em NOT
do anything you don't understand.
.Pp
When manipulating/adding chain entries, service and protocol names are
not accepted.
.Pp
Incoming packet fragments diverted by
.Ar divert
are reassembled before delivery to the socket, whereas fragments diverted via
.Ar tee
are not.
.Pp
Port aliases containing dashes cannot be first in a list, because a dash
in the first item is taken to mean a port range.
.Sh AUTHORS
Ugen J. S. Antsilevich,
Poul-Henning Kamp,
Alex Nash,
Archie Cobbs.
API based upon code written by Daniel Boulet for BSDI.
.Sh HISTORY
.Nm
first appeared in
.Fx 2.0 .
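.Pp
The rule-matching semantics described under DESCRIPTION, the action list, and the src/dst and option syntax, as an added Python simulator. This is example code added to this page; it is not part of ipfw or of the original manual. It parses the subset of the rule grammar given above (the three address forms and the ``not'' modifier, port lists with a leading range, in/out, via by interface name or wildcard, established/setup, count, skipto and the implicit rule 65535), then runs constructed packets through a sample ruleset. The host 192.0.2.10, the interfaces ed0 and lo0 and every packet are invented for the example; recv and xm
it are parsed but not evaluated, log is accepted and ignored, via by IP number is not supported, and unreach takes only numeric codes.

```python
"""Added example, not ipfw(8)'s own code: a simulator of the matching semantics this
page describes (first match in line-number order; count/tee continue; skipto jumps;
unnumbered rules get previous+100; rule 65535 is the default policy).  Grammar:
<action> [arg] [log] <proto> from [not] <addr> [ports] to [not] <addr> [ports] [opts]"""
import bisect
import fnmatch
import ipaddress

def parse_addr(tok):                  # any, ipno, ipno/bits or ipno:mask
    tok = "0.0.0.0/0" if tok == "any" else tok.replace(":", "/")
    return ipaddress.ip_network(tok, strict=False)

def parse_ports(tok):                 # {port|port-port}[,port...]; a range only first
    if any("-" in p for p in tok.split(",")[1:]):
        raise ValueError("a port range may only be the first item: " + tok)
    return [(int(lo), int(hi or lo)) for lo, _, hi in
            (p.partition("-") for p in tok.split(","))]

def parse_endpoint(w):                # consume '[not] <addr> [ports]' from token list w
    neg = w[0] == "not" and w.pop(0) is not None
    net = parse_addr(w.pop(0))
    return neg, net, parse_ports(w.pop(0)) if w and w[0][0].isdigit() else None

def parse_rule(number, text):
    w = text.split()
    r = {"number": number, "text": text, "pkts": 0, "bytes": 0, "action": w.pop(0)}
    if r["action"] in ("skipto", "divert", "tee", "unreach"):
        r["arg"] = int(w.pop(0))
    if w[0] == "log":
        w.pop(0)
    r["proto"], frm = w.pop(0), w.pop(0)
    r["src"], to = parse_endpoint(w), w.pop(0)
    r["dst"] = parse_endpoint(w)
    r["opts"] = []
    while w:                          # in, out, established, setup, via IFACE ...
        o = w.pop(0)
        r["opts"].append((o, w.pop(0) if o in ("via", "recv", "xmit") else None))
    return r

def endpoint_matches(ep, addr, port):
    neg, net, ports = ep
    ok = (ipaddress.ip_address(addr) in net) != neg   # 'not' inverts the address only
    return ok and (ports is None or any(lo <= port <= hi for lo, hi in ports))

def rule_matches(r, p):
    tcp, f = p["proto"] == "tcp", p["flags"]
    if (r["proto"] not in ("ip", "all", p["proto"])
            or not endpoint_matches(r["src"], p["src"], p["sport"])
            or not endpoint_matches(r["dst"], p["dst"], p["dport"])):
        return False
    for o, arg in r["opts"]:
        if (o in ("in", "out") and p["dir"] != o
                or o == "via" and arg != "any" and not fnmatch.fnmatchcase(p["iface"], arg)
                or o == "established" and not (tcp and f & {"rst", "ack"})
                or o == "setup" and not (tcp and "syn" in f and "ack" not in f)):
            return False
    return True

class Firewall:
    def __init__(self, default="deny"):   # "allow" models IPFIREWALL_DEFAULT_TO_ACCEPT
        self.rules = []
        self.default = parse_rule(65535, default + " all from any to any")

    def add(self, text, number=None):     # ipfw add [number] rule; equal numbers keep add order
        prev = self.rules[-1]["number"] if self.rules else 0
        if number is None:                # previous + 100, else append to the last rule
            number = prev + 100 if prev + 100 <= 65534 else prev
        i = bisect.bisect_right([x["number"] for x in self.rules], number)
        self.rules.insert(i, parse_rule(number, text))
        return number

    def check(self, p):                   # (action, rule number), updating counters
        rules, i = self.rules + [self.default], 0
        while i < len(rules):
            r = rules[i]
            if rule_matches(r, p):
                r["pkts"], r["bytes"] = r["pkts"] + 1, r["bytes"] + p["len"]
                if r["action"] not in ("count", "tee", "skipto"):
                    return r["action"], r["number"]
                if r["action"] == "skipto":   # resume at the first rule numbered >= target
                    while i + 1 < len(rules) and rules[i + 1]["number"] < r["arg"]:
                        i += 1
            i += 1

def pkt(proto, src, dst, sport=0, dport=0, direction="in", iface="ed0", flags=(), length=64):
    """A constructed packet as the simulator sees it, not a real capture."""
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "dir": direction, "iface": iface, "flags": set(flags), "len": length}

def example_ruleset():                # constructed host 192.0.2.10 on ed0
    fw = Firewall()                                                   # 65535 deny all
    fw.add("allow all from any to any via lo0")                              # 100 loopback
    fw.add("deny all from 127.0.0.0/8 to any in via ed0")                   # 200 anti-spoof in
    fw.add("deny all from not 192.0.2.0:255.255.255.0 to any out via ed0")  # 300 anti-spoof out
    fw.add("count tcp from any to any 23 in via ed0")                        # 400 accounting only
    fw.add("allow tcp from any to any established")                          # 500 replies
    fw.add("allow tcp from any to 192.0.2.10 25 setup in via ed0")           # 600 inbound SMTP
    fw.add("allow tcp from 192.0.2.10 to any setup out via ed0")             # 700 outbound any
    return fw
```

With example_ruleset(), an inbound SYN to port 23 is counted by rule 400 and then falls through to the default deny of rule 65535, an inbound SYN to port 25 is accepted by rule 600, a SYN/ACK reply is accepted by rule 500 because its ACK bit is set, and an outbound packet whose source is outside 192.0.2.0/24 is dropped by the anti-spoofing rule 300 before any later rule is consulted. A second Firewall built with "allow" as its default shows skipto jumping over intermediate rules and an unnumbered rule being appended with the last rule's number once previous+100 would exceed 65534.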