1892cb98eSJohn-Mark Gurney.\" 27f3dea24SPeter Wemm.\" $FreeBSD$ 3892cb98eSJohn-Mark Gurney.\" 42a81fd7cSJulian Elischer.Dd June 22, 1997 5b805452cSMike Pritchard.Dt IPFIREWALL 4 6a53227ffSUgen J.S. Antsilevich.Os 7a53227ffSUgen J.S. Antsilevich.Sh NAME 82a81fd7cSJulian Elischer.Nm ipfirewall 92a81fd7cSJulian Elischer.Nd IP packet filter and traffic accounting 10a53227ffSUgen J.S. Antsilevich.Sh SYNOPSIS 11ddbd0698SBruce Evans.Fd #include <sys/types.h> 12ddbd0698SBruce Evans.Fd #include <sys/queue.h> 13ddbd0698SBruce Evans.Fd #include <netinet/in.h> 14b805452cSMike Pritchard.Fd #include <netinet/ip_fw.h> 15b805452cSMike Pritchard.Ft int 162a81fd7cSJulian Elischer.Fn setsockopt raw_socket IPPROTO_IP "ipfw option" "struct ipfw" size 172a81fd7cSJulian Elischer.Sh DESCRIPTION 182a81fd7cSJulian ElischerIpfirewall (alias ipfw) is a system facility which allows filtering, 192a81fd7cSJulian Elischerredirecting, and other operations on IP packets travelling through 206d249eeeSSheldon Hearnsystem interfaces. 216d249eeeSSheldon HearnPackets are matched by applying an ordered list 222a81fd7cSJulian Elischerof pattern rules against each packet until a match is found, at 236d249eeeSSheldon Hearnwhich point the corresponding action is taken. 246d249eeeSSheldon HearnRules are numbered 252a81fd7cSJulian Elischerfrom 1 to 65534; multiple rules may share the same number. 262a81fd7cSJulian Elischer.Pp 274e86fcacSSheldon HearnThere is one rule that always exists, rule number 65535. 284e86fcacSSheldon HearnThis rule 296d249eeeSSheldon Hearnnormally causes all packets to be dropped. 306d249eeeSSheldon HearnHence, any packet which does not 31d6fd8b89SPeter Wemmmatch a lower numbered rule will be dropped. However, a kernel compile 32d6fd8b89SPeter Wemmtime option 33d6fd8b89SPeter Wemm.Dq IPFIREWALL_DEFAULT_TO_ACCEPT 34d6fd8b89SPeter Wemmallows the administrator to change this fixed rule to permit everything. 
352a81fd7cSJulian Elischer.Pp 362a81fd7cSJulian ElischerThe value passed to 372a81fd7cSJulian Elischer.Fn setsockopt 384e86fcacSSheldon Hearnis a struct ip_fw describing the rule (see below). 394e86fcacSSheldon HearnIn some cases 402fd93bffSSheldon Hearn(such as 412fd93bffSSheldon Hearn.Dv IP_FW_DEL ) , 422fd93bffSSheldon Hearnonly the rule number is significant. 432fd93bffSSheldon Hearn.Ss Commands 442a81fd7cSJulian ElischerThe following socket options are used to manage the rule list: 452fd93bffSSheldon Hearn.Bl -tag -width "IP_FW_FLUSH" 462fd93bffSSheldon Hearn.It Dv IP_FW_ADD 472fd93bffSSheldon Hearninserts the rule into the rule list 482fd93bffSSheldon Hearn.It Dv IP_FW_DEL 492fd93bffSSheldon Hearndeletes all rules having the matching rule number 502fd93bffSSheldon Hearn.It Dv IP_FW_GET 512fd93bffSSheldon Hearnreturns the (first) rule having the matching rule number 522fd93bffSSheldon Hearn.It Dv IP_FW_ZERO 532fd93bffSSheldon Hearnzeros the statistics associated with all rules having the 546d249eeeSSheldon Hearnmatching rule number. 556d249eeeSSheldon HearnIf the rule number is zero, all rules are zeroed. 562fd93bffSSheldon Hearn.It Dv IP_FW_FLUSH 572fd93bffSSheldon Hearnremoves all rules (except 65535). 582fd93bffSSheldon Hearn.El 592a81fd7cSJulian Elischer.Pp 602fd93bffSSheldon HearnWhen the kernel security level is greater than 2, only 612fd93bffSSheldon Hearn.Dv IP_FW_GET 622a81fd7cSJulian Elischeris allowed. 
632fd93bffSSheldon Hearn.Ss Rule Structure 642a81fd7cSJulian ElischerRules are described by the following structure: 652a81fd7cSJulian Elischer.Bd -literal 662a81fd7cSJulian Elischer/* Specify an interface */ 672a81fd7cSJulian Elischerunion ip_fw_if { 682a81fd7cSJulian Elischer struct in_addr fu_via_ip; /* Specified by IP address */ 692a81fd7cSJulian Elischer struct { /* Specified by interface name */ 702a81fd7cSJulian Elischer#define FW_IFNLEN 6 /* To keep structure on 2^x boundary */ 712a81fd7cSJulian Elischer char name[FW_IFNLEN]; 722a81fd7cSJulian Elischer short unit; /* -1 means match any unit */ 732a81fd7cSJulian Elischer } fu_via_if; 742a81fd7cSJulian Elischer}; 75a53227ffSUgen J.S. Antsilevich 762a81fd7cSJulian Elischer/* One ipfw rule */ 77a53227ffSUgen J.S. Antsilevichstruct ip_fw { 782a81fd7cSJulian Elischer u_long fw_pcnt,fw_bcnt; /* Packet and byte counters */ 792a81fd7cSJulian Elischer struct in_addr fw_src, fw_dst; /* Source and destination IP addr */ 802a81fd7cSJulian Elischer struct in_addr fw_smsk, fw_dmsk;/* Mask for src and dest IP addr */ 812a81fd7cSJulian Elischer u_short fw_number; /* Rule number */ 822a81fd7cSJulian Elischer u_short fw_flg; /* Flags word */ 832a81fd7cSJulian Elischer#define IP_FW_MAX_PORTS 10 /* A reasonable maximum */ 842a81fd7cSJulian Elischer u_short fw_pts[IP_FW_MAX_PORTS];/* Array of port numbers to match */ 852a81fd7cSJulian Elischer u_char fw_ipopt,fw_ipnopt; /* IP options set/unset */ 862a81fd7cSJulian Elischer u_char fw_tcpf,fw_tcpnf; /* TCP flags set/unset */ 872a81fd7cSJulian Elischer#define IP_FW_ICMPTYPES_DIM (256 / (sizeof(unsigned) * 8)) 882a81fd7cSJulian Elischer unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */ 892a81fd7cSJulian Elischer long timestamp; /* timestamp (tv_sec) of last match */ 902a81fd7cSJulian Elischer union ip_fw_if fw_in_if, fw_out_if;/* Incoming / outgoing interfaces */ 912a81fd7cSJulian Elischer union { 922a81fd7cSJulian Elischer u_short fu_divert_port; /* Divert/tee 
port */ 932a81fd7cSJulian Elischer u_short fu_skipto_rule; /* SKIPTO command rule number */ 942a81fd7cSJulian Elischer u_short fu_reject_code; /* REJECT response code */ 952a81fd7cSJulian Elischer } fw_un; 962a81fd7cSJulian Elischer u_char fw_prot; /* IP protocol */ 972a81fd7cSJulian Elischer u_char fw_nports; /* N'of src ports and # of dst ports */ 982a81fd7cSJulian Elischer /* in ports array (dst ports follow */ 992a81fd7cSJulian Elischer /* src ports; max of 10 ports in all */ 1002a81fd7cSJulian Elischer /* count of 0 means match all ports) */ 1012a81fd7cSJulian Elischer}; 102a53227ffSUgen J.S. Antsilevich 1032a81fd7cSJulian Elischer/* Encoding of number of source/dest ports from "fw_nports" */ 104a53227ffSUgen J.S. Antsilevich 1052a81fd7cSJulian Elischer#define IP_FW_GETNSRCP(rule) ((rule)->fw_nports & 0x0f) 1062a81fd7cSJulian Elischer#define IP_FW_SETNSRCP(rule, n) do { \\ 1072a81fd7cSJulian Elischer (rule)->fw_nports &= ~0x0f; \\ 1082a81fd7cSJulian Elischer (rule)->fw_nports |= (n); \\ 1092a81fd7cSJulian Elischer } while (0) 1102a81fd7cSJulian Elischer#define IP_FW_GETNDSTP(rule) ((rule)->fw_nports >> 4) 1112a81fd7cSJulian Elischer#define IP_FW_SETNDSTP(rule, n) do { \\ 1122a81fd7cSJulian Elischer (rule)->fw_nports &= ~0xf0; \\ 1132a81fd7cSJulian Elischer (rule)->fw_nports |= (n) << 4;\\ 1142a81fd7cSJulian Elischer } while (0) 115a53227ffSUgen J.S. 
Antsilevich 1162a81fd7cSJulian Elischer/* Flags values for "flags" field */ 1172a81fd7cSJulian Elischer 1182a81fd7cSJulian Elischer#define IP_FW_F_IN 0x0001 /* Check inbound packets */ 1192a81fd7cSJulian Elischer#define IP_FW_F_OUT 0x0002 /* Check outbound packets */ 1202a81fd7cSJulian Elischer#define IP_FW_F_IIFACE 0x0004 /* Apply inbound interface test */ 1212a81fd7cSJulian Elischer#define IP_FW_F_OIFACE 0x0008 /* Apply outbound interface test */ 1222a81fd7cSJulian Elischer 1232a81fd7cSJulian Elischer#define IP_FW_F_COMMAND 0x0070 /* Mask for type of chain entry: */ 1242a81fd7cSJulian Elischer#define IP_FW_F_DENY 0x0000 /* This is a deny rule */ 1252a81fd7cSJulian Elischer#define IP_FW_F_REJECT 0x0010 /* Deny and send a response packet */ 1262a81fd7cSJulian Elischer#define IP_FW_F_ACCEPT 0x0020 /* This is an accept rule */ 1272a81fd7cSJulian Elischer#define IP_FW_F_COUNT 0x0030 /* This is a count rule */ 1282a81fd7cSJulian Elischer#define IP_FW_F_DIVERT 0x0040 /* This is a divert rule */ 1292a81fd7cSJulian Elischer#define IP_FW_F_TEE 0x0050 /* This is a tee rule */ 1302a81fd7cSJulian Elischer#define IP_FW_F_SKIPTO 0x0060 /* This is a skipto rule */ 1312a81fd7cSJulian Elischer 1322a81fd7cSJulian Elischer#define IP_FW_F_PRN 0x0080 /* Print if this rule matches */ 1332a81fd7cSJulian Elischer 1342a81fd7cSJulian Elischer#define IP_FW_F_SRNG 0x0100 /* The first two src ports are a min * 1352a81fd7cSJulian Elischer * and max range (stored in host byte * 1362a81fd7cSJulian Elischer * order). */ 1372a81fd7cSJulian Elischer 1382a81fd7cSJulian Elischer#define IP_FW_F_DRNG 0x0200 /* The first two dst ports are a min * 1392a81fd7cSJulian Elischer * and max range (stored in host byte * 1402a81fd7cSJulian Elischer * order). 
*/ 1412a81fd7cSJulian Elischer 1422a81fd7cSJulian Elischer#define IP_FW_F_IIFNAME 0x0400 /* In interface by name/unit (not IP) */ 1432a81fd7cSJulian Elischer#define IP_FW_F_OIFNAME 0x0800 /* Out interface by name/unit (not IP) */ 1442a81fd7cSJulian Elischer 1452a81fd7cSJulian Elischer#define IP_FW_F_INVSRC 0x1000 /* Invert sense of src check */ 1462a81fd7cSJulian Elischer#define IP_FW_F_INVDST 0x2000 /* Invert sense of dst check */ 1472a81fd7cSJulian Elischer 1482a81fd7cSJulian Elischer#define IP_FW_F_FRAG 0x4000 /* Fragment */ 1492a81fd7cSJulian Elischer 1502a81fd7cSJulian Elischer#define IP_FW_F_ICMPBIT 0x8000 /* ICMP type bitmap is valid */ 1512a81fd7cSJulian Elischer 1522a81fd7cSJulian Elischer#define IP_FW_F_MASK 0xFFFF /* All possible flag bits mask */ 1532a81fd7cSJulian Elischer.Ed 1542fd93bffSSheldon Hearn.Ss Rule Actions 1552a81fd7cSJulian ElischerEach rule has an action described by the IP_FW_F_COMMAND bits in the 1562a81fd7cSJulian Elischerflags word: 1572fd93bffSSheldon Hearn.Bl -tag -width "IP_FW_F_DIVERT" 1582fd93bffSSheldon Hearn.It Dv IP_FW_F_DENY 1592fd93bffSSheldon Hearndrop packet 1602fd93bffSSheldon Hearn.It Dv IP_FW_F_REJECT 1612fd93bffSSheldon Hearndrop packet; send rejection via ICMP or TCP 1622fd93bffSSheldon Hearn.It Dv IP_FW_F_ACCEPT 1632fd93bffSSheldon Hearnaccept packet 1642fd93bffSSheldon Hearn.It Dv IP_FW_F_COUNT 1652fd93bffSSheldon Hearnincrement counters; continue matching 1662fd93bffSSheldon Hearn.It Dv IP_FW_F_DIVERT 1672fd93bffSSheldon Hearndivert packet to a 1682fd93bffSSheldon Hearn.Xr divert 4 1692fd93bffSSheldon Hearnsocket 1702fd93bffSSheldon Hearn.It Dv IP_FW_F_TEE 1712fd93bffSSheldon Hearncopy packet to a 1722fd93bffSSheldon Hearn.Xr divert 4 1732fd93bffSSheldon Hearnsocket; continue 1742fd93bffSSheldon Hearn.It Dv IP_FW_F_SKIPTO 1752fd93bffSSheldon Hearnskip to rule number 1762fd93bffSSheldon Hearn.Va fu_skipto_rule 1772fd93bffSSheldon Hearn.El 1782a81fd7cSJulian Elischer.Pp 1792fd93bffSSheldon HearnIn the case of 
1802fd93bffSSheldon Hearn.Dv IP_FW_F_REJECT , 1812fd93bffSSheldon Hearnif the 1822fd93bffSSheldon Hearn.Va fu_reject_code 1832fd93bffSSheldon Hearnis a number 1842a81fd7cSJulian Elischerfrom 0 to 255, then an ICMP unreachable packet is sent back to the 1852a81fd7cSJulian Elischeroriginal packet's source IP address, with the corresponding code. 1862fd93bffSSheldon HearnOtherwise, the value must be 256 and the protocol 1872fd93bffSSheldon Hearn.Dv IPPROTO_TCP , 1882a81fd7cSJulian Elischerin which case a TCP reset packet is sent instead. 1892a81fd7cSJulian Elischer.Pp 1902fd93bffSSheldon HearnWith 1912fd93bffSSheldon Hearn.Dv IP_FW_F_SKIPTO , 1922fd93bffSSheldon Hearnall succeeding rules having rule number less 1932fd93bffSSheldon Hearnthan 1942fd93bffSSheldon Hearn.Va fu_skipto_rule 1952fd93bffSSheldon Hearnare skipped. 1962fd93bffSSheldon Hearn.Ss Kernel Options 197a53227ffSUgen J.S. AntsilevichOptions in the kernel configuration file: 1982fd93bffSSheldon Hearn.Bl -tag -width "optionsXIPFIREWALL_VERBOSE_LIMIT" 1992fd93bffSSheldon Hearn.It Cd options IPFIREWALL 2002fd93bffSSheldon Hearnenable 2012fd93bffSSheldon Hearn.Nm 2022fd93bffSSheldon Hearn.It Cd options IPFIREWALL_VERBOSE 2032fd93bffSSheldon Hearnenable firewall output 2042fd93bffSSheldon Hearn.It Cd options IPFIREWALL_VERBOSE_LIMIT 2052fd93bffSSheldon Hearnlimit firewall output 2062fd93bffSSheldon Hearn.It Cd options IPDIVERT 2072fd93bffSSheldon Hearnenable 2082fd93bffSSheldon Hearn.Xr divert 4 2092fd93bffSSheldon Hearnsockets 2102fd93bffSSheldon Hearn.El 211b805452cSMike Pritchard.Pp 2122fd93bffSSheldon HearnWhen packets match a rule with the 2132fd93bffSSheldon Hearn.Dv IP_FW_F_PRN 2142fd93bffSSheldon Hearnbit set, a message 2152fd93bffSSheldon Hearnis logged to the console if 2162fd93bffSSheldon Hearn.Dv IPFIREWALL_VERBOSE 2172fd93bffSSheldon Hearnhas been enabled; 2182fd93bffSSheldon Hearn.Dq IPFIREWALL_VERBOSE_LIMIT 2192fd93bffSSheldon Hearnlimits the maximum number of times each 2206d249eeeSSheldon 
Hearnrule can cause a log message. 2216d249eeeSSheldon HearnThese variables are also 2222a81fd7cSJulian Elischeravailable via the 2232a81fd7cSJulian Elischer.Xr sysctl 3 2242a81fd7cSJulian Elischerinterface. 2251a22b190SSheldon Hearn.Sh RETURN VALUES 2261a22b190SSheldon HearnThe 2271a22b190SSheldon Hearn.Fn setsockopt 2281a22b190SSheldon Hearnfunction returns 0 on success. 2291a22b190SSheldon HearnOtherwise, -1 is returned and the global variable 2301a22b190SSheldon Hearn.Va errno 2311a22b190SSheldon Hearnis set to indicate the error. 2321a22b190SSheldon Hearn.Sh ERRORS 2331a22b190SSheldon HearnThe 2341a22b190SSheldon Hearn.Fn setsockopt 2351a22b190SSheldon Hearnfunction will fail if: 2361a22b190SSheldon Hearn.Bl -tag -width Er 2371a22b190SSheldon Hearn.It Bq Er EINVAL 2381a22b190SSheldon HearnThe IP option field was improperly formed; 2391a22b190SSheldon Hearnan option field was shorter than the minimum value 2401a22b190SSheldon Hearnor longer than the option buffer provided. 2411a22b190SSheldon Hearn.It Bq Er EINVAL 2421a22b190SSheldon HearnA structural error in ip_fw structure occurred 2431a22b190SSheldon Hearn(n_src_p+n_dst_p too big, ports set for ALL/ICMP protocols etc.). 2441a22b190SSheldon Hearn.It Bq Er EINVAL 2451a22b190SSheldon HearnAn invalid rule number was used. 2461a22b190SSheldon Hearn.El 247a53227ffSUgen J.S. Antsilevich.Sh SEE ALSO 248b805452cSMike Pritchard.Xr setsockopt 2 , 2492a81fd7cSJulian Elischer.Xr divert 4 , 250bceb8aedSWolfram Schneider.Xr ip 4 , 2512a81fd7cSJulian Elischer.Xr ipfw 8 , 2522a81fd7cSJulian Elischer.Xr sysctl 8 . 253a53227ffSUgen J.S. Antsilevich.Sh BUGS 2542a81fd7cSJulian ElischerThe ``tee'' rule is not yet implemented (currently it has no effect). 255b805452cSMike Pritchard.Pp 2562a81fd7cSJulian ElischerThis man page still needs work. 257a53227ffSUgen J.S. 
Antsilevich.Sh HISTORY 2582a81fd7cSJulian ElischerThe ipfw facility was initially written as a package for BSDI 2592fd93bffSSheldon Hearnby 2602fd93bffSSheldon Hearn.An Daniel Boulet 2612fd93bffSSheldon Hearn.Aq danny@BouletFermat.ab.ca . 2622fd93bffSSheldon HearnIt has been heavily modified and ported to 2632fd93bffSSheldon Hearn.Fx 2642fd93bffSSheldon Hearnby 2652fd93bffSSheldon Hearn.An Ugen J.S. Antsilevich 2662fd93bffSSheldon Hearn.Aq ugen@NetVision.net.il . 2672a81fd7cSJulian Elischer.Pp 2682fd93bffSSheldon HearnSeveral enhancements were added by 2692fd93bffSSheldon Hearn.An Archie Cobbs 2702fd93bffSSheldon Hearn.Aq archie@whistle.com . 271