.Dd July 20, 1996
.Dt IPFW 8 SMM
.Os FreeBSD
.Sh NAME
.Nm ipfw
.Nd controlling utility for IP firewall
.Sh SYNOPSIS
.Nm
.Ar file
.Nm ipfw
flush
.Nm ipfw
zero
.Oo
.Ar number
.Oc
.Nm ipfw
delete
.Ar number
.Nm ipfw
.Oo
.Fl aftN
.Oc
list
.Nm ipfw
add
.Oo
.Ar number
.Oc
.Ar action
.Oo
log
.Oc
.Ar proto
from
.Ar src
to
.Ar dst
.Oo
via
.Ar name|ipno
.Oc
.Oo
.Ar options
.Oc
.Sh DESCRIPTION
If used as shown in the first synopsis line, the
.Ar file
will be read line by line and each line applied as arguments to the
.Nm
command.
.Pp
The
.Nm
code works by going through the rule list for each packet
until a match is found.
Every rule has two associated counters, a packet count and
a byte count.
These counters are updated whenever a packet matches the rule.
.Pp
Each rule carries a ``line number'' from 1 to 65534 that is used
to order and delete rules. Rules are tried in increasing order, and the
first rule that matches a packet applies.
Multiple rules may share the same number and apply in
the order in which they were added.
.Pp
If a rule is added without a number, it is numbered 100 higher
than the previous rule. If the highest defined rule number is
greater than 65434, new rules are appended to the last rule.
.Pp
The delete operation deletes the first rule with number
.Ar number ,
if any.
.Pp
The list command prints out the current rule set.
.Pp
The zero operation zeroes the counters associated with rule number
.Ar number .
.Pp
The flush operation removes all rules.
.Pp
One rule is always present:
.Bd -literal -offset center
65535 deny all from any to any
.Ed

This rule is the default policy, i.e., don't allow anything at all.
Your job in setting up rules is to modify this policy to match your needs.
.Pp
The following options are available:
.Bl -tag -width flag
.It Fl a
While listing, show counter values.
This option is the only way to see accounting records.
.It Fl f
Don't ask for confirmation for commands that can cause problems if misused
(i.e., flush).
.Ar Note ,
if there is no tty associated with the process, this is implied.
.It Fl t
While listing, show the timestamp of the last match.
.It Fl N
Try to resolve addresses and service names in output.
.El
.Pp
.Ar action :
.Bl -hang -offset flag -width 1234567890123456
.It Nm allow
Allow packets that match the rule.
The search terminates.
.It Nm pass
Same as allow.
.It Nm accept
Same as allow.
.It Nm count
Update counters for all packets that match the rule.
The search continues with the next rule.
.It Nm deny
Discard packets that match this rule.
The search terminates.
.It Nm reject
Discard packets that match this rule, and try to send an ICMP notice.
The search terminates.
.It Nm divert port
Divert packets that match this rule to the divert socket bound to port
.Ar port .
The search terminates.
.El
.Pp
When a packet matches a rule with the
.Nm log
keyword, a message will be printed on the console.
If the kernel was compiled with the
.Nm IP_FIREWALL_VERBOSE_LIMIT
option, then logging will cease after the number of packets
specified by the option have been received for that particular
chain entry. Logging may then be re-enabled by clearing
the packet counter for that entry.
.Pp
.Ar proto :
.Bl -hang -offset flag -width 1234567890123456
.It Nm ip
All packets match.
.It Nm all
All packets match.
.It Nm tcp
Only TCP packets match.
.It Nm udp
Only UDP packets match.
.It Nm icmp
Only ICMP packets match.
.It Nm <number|name>
Only packets for the specified protocol match (see
.Pa /etc/protocols
for a complete list).
.El
.Pp
.Ar src
and
.Ar dst :
.Pp
.Bl -hang -offset flag
.It <address/mask> [ports]
.El
.Pp
The
.Em <address/mask>
may be specified as:
.Bl -hang -offset flag -width 1234567890123456
.It Ar ipno
An IP number of the form 1.2.3.4.
Only this exact IP number matches the rule.
.It Ar ipno/bits
An IP number with a mask width of the form 1.2.3.4/24.
In this case all IP numbers from 1.2.3.0 to 1.2.3.255 will match.
.It Ar ipno:mask
An IP number with a netmask of the form 1.2.3.4:255.255.240.0.
In this case all IP numbers from 1.2.0.0 to 1.2.15.255 will match.
.El
.Pp
With the TCP and UDP
.Em protocols ,
an optional
.Em port
may be specified as:
.Pp
.Bl -hang -offset flag
.It Ns {port|port-port} Ns Op ,port Ns Op ,...
.El
.Pp
Service names (from
.Pa /etc/services )
may not be used instead of a numeric port value.
Also, note that a range may only be specified as the first value,
and the port list is limited to
.Nm IP_FW_MAX_PORTS
(as defined in /usr/src/sys/netinet/ip_fw.h)
ports.
.Pp
If ``via''
.Ar name
is specified, only packets received via or on their way out of an interface
matching
.Ar name
will match this rule.
.Pp
If ``via''
.Ar ipno
is specified, only packets received via or on their way out of an interface
having the address
.Ar ipno
will match this rule.
.Pp
.Ar options :
.Bl -hang -offset flag -width 1234567890123456
.It frag
Matches if the packet is a fragment and this is not the first fragment
of the datagram.
.It in
Matches if this packet was on the way in.
.It out
Matches if this packet was on the way out.
.It ipoptions Ar spec
Matches if the IP header contains the comma separated list of
options specified in
.Ar spec .
The supported IP options are:
.Nm ssrr
(strict source route),
.Nm lsrr
(loose source route),
.Nm rr
(record packet route), and
.Nm ts
(timestamp).
The absence of a particular option may be denoted
with a ``!''.
.It established
Matches packets that have the RST or ACK bits set.
TCP packets only.
.It setup
Matches packets that have the SYN bit set but no ACK bit.
TCP packets only.
.It tcpflags Ar spec
Matches if the TCP header contains the comma separated list of
flags specified in
.Ar spec .
The supported TCP flags are:
.Nm fin ,
.Nm syn ,
.Nm rst ,
.Nm psh ,
.Nm ack ,
and
.Nm urg .
The absence of a particular flag may be denoted
with a ``!''.
.It icmptypes Ar types
Matches if the ICMP type is in the list
.Ar types .
The list may be specified as any combination of ranges
or individual types separated by commas.
.El
.Sh CHECKLIST
Here are some important points to consider when designing your
rules:
.Bl -bullet -hang -offset flag -width 1234567890123456
.It
Remember that you filter both packets going in and out.
Most connections need packets going in both directions.
.It
Remember to test very carefully.
It is a good idea to be near the console when doing this.
.It
Don't forget the loopback interface.
.El
.Sh FINE POINTS
There is one kind of packet that the firewall will always discard,
that is an IP fragment with a fragment offset of one.
This is a valid packet, but it has only one use, to try to circumvent
firewalls.
.Pp
If you are logged in over a network, loading the LKM version of
.Nm
is probably not as straightforward as you would think.
I recommend this command line:
.Bd -literal -offset center
modload /lkm/ipfw_mod.o && \e
ipfw add 32000 allow all from any to any
.Ed

Along the same lines, doing an
.Bd -literal -offset center
ipfw flush
.Ed

in similar surroundings is also a bad idea.
.Sh PACKET DIVERSION
A divert socket bound to the specified port will receive all packets diverted
to that port; see
.Xr divert 4 .
If no socket is bound to the destination port, or if the kernel
wasn't compiled with divert socket support, diverted packets are dropped.
.Sh EXAMPLES
This command adds an entry which denies all tcp packets from
.Em hacker.evil.org
to the telnet port of
.Em wolf.tambov.su ,
so that the host will not forward them:
.Pp
.Dl ipfw add deny tcp from hacker.evil.org to wolf.tambov.su 23
.Pp
This one disallows any connection from the entire hackers network to
my host:
.Pp
.Dl ipfw add deny all from 123.45.67.0/24 to my.host.org
.Pp
Here is a good use of the list command to see accounting records:
.Pp
.Dl ipfw -at l
.Pp
or in short form
.Pp
.Dl ipfw -a l
.Pp
This rule diverts all incoming packets from 192.168.2.0/24 to divert port 5000:
.Pp
.Dl ipfw add divert 5000 all from 192.168.2.0/24 to any in
.Sh SEE ALSO
.Xr divert 4 ,
.Xr ip 4 ,
.Xr ipfirewall 4 ,
.Xr protocols 5 ,
.Xr services 5 ,
.Xr reboot 8 ,
.Xr syslogd 8
.Sh BUGS
.Pp
.Em WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
.Pp
This program can put your computer in a rather unusable state. When
using it for the first time, work on the console of the computer, and
do
.Em NOT
do anything you don't understand.
.Pp
When manipulating/adding chain entries, service and protocol names are
not accepted.
.Sh AUTHORS
Ugen J. S. Antsilevich,
Poul-Henning Kamp,
Alex Nash,
Archie Cobbs.
API based upon code written by Daniel Boulet for BSDI.
.Sh HISTORY
.Nm
first appeared in
.Fx 2.0 .
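.Pp
The rule-list semantics described under DESCRIPTION (rules tried in increasing
number, first match wins, a packet and a byte counter on every rule, unnumbered
rules placed 100 above the previous one, rule 65535 as the default deny, logging
that stops at IP_FIREWALL_VERBOSE_LIMIT until the packet counter is zeroed) and
the address/mask and port-list syntax under src and dst, together with the
offset-1 fragment rule from FINE POINTS, as an executable model. This is an added
example, not code from this page and not the FreeBSD kernel's ip_fw code or the
ipfw utility itself. Assumptions: packets are plain dicts with the keys used
below; the first unnumbered rule becomes 100; VERBOSE_LIMIT is set to 3 in
place of the compile-time option; the IP_FW_MAX_PORTS limit is not enforced; and
the hostnames in EXAMPLES are replaced by constructed documentation addresses,
since names are not resolved (consistent with BUGS).

```python
"""Model of the ipfw(8) rule list described above: first match wins, per-rule
counters, +100 autonumbering, default rule 65535, offset-1 fragments dropped.
Added example, not FreeBSD's ip_fw kernel code; packets are plain dicts."""
import ipaddress

DEFAULT_RULE = 65535     # the always-present "deny all from any to any"
AUTONUMBER_STEP = 100    # so the first unnumbered rule becomes 100 (assumption)
AUTONUMBER_CAP = 65434   # above this an unnumbered rule shares the last number
VERBOSE_LIMIT = 3        # stands in for IP_FIREWALL_VERBOSE_LIMIT (assumed value)


def parse_addr(spec):
    """'any' | ipno | ipno/bits | ipno:mask -> ip_network, or None for 'any'."""
    if spec == "any":
        return None
    if ":" in spec:                                  # 1.2.3.4:255.255.240.0
        ip, mask = spec.split(":", 1)
        spec = f"{ip}/{mask}"
    elif "/" not in spec:                            # bare ipno: that host only
        spec += "/32"
    return ipaddress.ip_network(spec, strict=False)  # 1.2.3.4/24 -> 1.2.3.0/24


def parse_ports(spec):
    """{port|port-port}[,port[,...]]: numeric only, a range only as first item."""
    ranges = []
    for i, item in enumerate(spec.split(",") if spec else []):
        if "-" in item:
            if i != 0:
                raise ValueError("a range may only be the first value: " + spec)
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)   # int() rejects service names such as "telnet"
        ranges.append((lo, hi))
    return ranges


class Rule:
    def __init__(self, number, action, proto, src, sports, dst, dports, log, options):
        self.number, self.action, self.proto = number, action, proto
        self.src, self.dst = parse_addr(src), parse_addr(dst)
        self.sports, self.dports = parse_ports(sports), parse_ports(dports)
        self.log, self.options = log, set(options)
        self.pkts = self.bytes = 0                   # the two counters per rule

    def matches(self, pkt):
        if self.proto not in ("ip", "all") and pkt["proto"] != self.proto:
            return False
        for net, key in ((self.src, "src"), (self.dst, "dst")):
            if net is not None and ipaddress.ip_address(pkt[key]) not in net:
                return False
        for ranges, key in ((self.sports, "sport"), (self.dports, "dport")):
            if ranges and not any(lo <= pkt.get(key, -1) <= hi for lo, hi in ranges):
                return False
        o = self.options
        if ("in" in o and pkt["dir"] != "in") or ("out" in o and pkt["dir"] != "out"):
            return False
        return "frag" not in o or pkt.get("frag_off", 0) > 0   # non-first fragments


class Firewall:
    def __init__(self):
        self.rules, self.console = [], []     # console stands in for log messages

    def add(self, action, proto, src, dst, number=None, sports="", dports="",
            log=False, options=()):
        if number is None:
            last = self.rules[-1].number if self.rules else 0
            number = last + AUTONUMBER_STEP if last <= AUTONUMBER_CAP else last
        rule = Rule(number, action, proto, src, sports, dst, dports, log, options)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.number)  # stable: equal numbers keep order
        return rule

    def zero(self, number=None):               # clearing counters re-arms logging
        for r in self.rules:
            if number is None or r.number == number:
                r.pkts = r.bytes = 0

    def check(self, pkt):
        """Return (action, rule number) for pkt, updating counters on the way."""
        if pkt.get("frag_off", 0) == 1:       # FINE POINTS: always discarded
            return "deny", None
        for r in self.rules:
            if not r.matches(pkt):
                continue
            r.pkts += 1
            r.bytes += pkt["len"]
            if r.log and r.pkts <= VERBOSE_LIMIT:  # silent once the limit is reached
                self.console.append(f"ipfw: {r.number} {r.action} {pkt['src']} {pkt['dst']}")
            if r.action != "count":            # every other action ends the search
                return r.action, r.number
        return "deny", DEFAULT_RULE            # rule 65535, the default policy


def example():
    """The page's EXAMPLES with constructed addresses standing in for hostnames."""
    fw = Firewall()
    fw.add("deny", "tcp", "192.0.2.66", "198.51.100.7", dports="23")  # 100: telnet
    fw.add("deny", "all", "123.45.67.0/24", "198.51.100.7")           # 200
    fw.add("divert 5000", "all", "192.168.2.0/24", "any", options=("in",))  # 300
    fw.add("count", "all", "any", "any", log=True)                    # 400
    fw.add("allow", "all", "any", "any", number=32000)
    return fw
```

With example() loaded, a TCP packet from 192.0.2.66 to port 23 of 198.51.100.7
stops at rule 100; the same packet to port 22 passes rules 100 to 300, is counted
and logged by rule 400, and is allowed by rule 32000; a UDP packet with no rule
of its own falls through to the default 65535 deny. The count rule goes quiet
after VERBOSE_LIMIT log lines and speaks again once zero(400) clears its packet
counter, which is the re-enabling behaviour the log paragraph describes.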