xref: /freebsd/share/man/man4/ipfirewall.4 (revision 6d249eee2769b135d56fac673f6b297b9416ed42)
1892cb98eSJohn-Mark Gurney.\"
27f3dea24SPeter Wemm.\" $FreeBSD$
3892cb98eSJohn-Mark Gurney.\"
42a81fd7cSJulian Elischer.Dd June 22, 1997
5b805452cSMike Pritchard.Dt IPFIREWALL 4
6a53227ffSUgen J.S. Antsilevich.Os
7a53227ffSUgen J.S. Antsilevich.Sh NAME
82a81fd7cSJulian Elischer.Nm ipfirewall
92a81fd7cSJulian Elischer.Nd IP packet filter and traffic accounting
10a53227ffSUgen J.S. Antsilevich.Sh SYNOPSIS
11ddbd0698SBruce Evans.Fd #include <sys/types.h>
12ddbd0698SBruce Evans.Fd #include <sys/queue.h>
13ddbd0698SBruce Evans.Fd #include <netinet/in.h>
14b805452cSMike Pritchard.Fd #include <netinet/ip_fw.h>
15b805452cSMike Pritchard.Ft int
162a81fd7cSJulian Elischer.Fn setsockopt raw_socket IPPROTO_IP "ipfw option" "struct ipfw" size
172a81fd7cSJulian Elischer.Sh DESCRIPTION
182a81fd7cSJulian ElischerIpfirewall (alias ipfw) is a system facility which allows filtering,
192a81fd7cSJulian Elischerredirecting, and other operations on IP packets travelling through
206d249eeeSSheldon Hearnsystem interfaces.
216d249eeeSSheldon HearnPackets are matched by applying an ordered list
222a81fd7cSJulian Elischerof pattern rules against each packet until a match is found, at
236d249eeeSSheldon Hearnwhich point the corresponding action is taken.
246d249eeeSSheldon HearnRules are numbered
252a81fd7cSJulian Elischerfrom 1 to 65534; multiple rules may share the same number.
262a81fd7cSJulian Elischer.Pp
272a81fd7cSJulian ElischerThere is one rule that always exists, rule number 65535. This rule
286d249eeeSSheldon Hearnnormally causes all packets to be dropped.
296d249eeeSSheldon HearnHence, any packet which does not
30d6fd8b89SPeter Wemmmatch a lower numbered rule will be dropped.  However, a kernel compile
31d6fd8b89SPeter Wemmtime option
32d6fd8b89SPeter Wemm.Dq IPFIREWALL_DEFAULT_TO_ACCEPT
33d6fd8b89SPeter Wemmallows the administrator to change this fixed rule to permit everything.
342a81fd7cSJulian Elischer.Pp
352a81fd7cSJulian ElischerThe value passed to
362a81fd7cSJulian Elischer.Fn setsockopt
372a81fd7cSJulian Elischeris a struct ip_fw describing the rule (see below). In some cases
382a81fd7cSJulian Elischer(such as IP_FW_DEL), only the rule number is significant.
392a81fd7cSJulian Elischer.Sh COMMANDS
402a81fd7cSJulian ElischerThe following socket options are used to manage the rule list:
412a81fd7cSJulian Elischer.Pp
422a81fd7cSJulian ElischerIP_FW_ADD inserts the rule into the rule list.
432a81fd7cSJulian Elischer.Pp
442a81fd7cSJulian ElischerIP_FW_DEL deletes all rules having the matching rule number.
452a81fd7cSJulian Elischer.Pp
462a81fd7cSJulian ElischerIP_FW_GET returns the (first) rule having the matching rule number.
472a81fd7cSJulian Elischer.Pp
482a81fd7cSJulian ElischerIP_FW_ZERO zeros the statistics associated with all rules having the
496d249eeeSSheldon Hearnmatching rule number.
506d249eeeSSheldon HearnIf the rule number is zero, all rules are zeroed.
512a81fd7cSJulian Elischer.Pp
522a81fd7cSJulian ElischerIP_FW_FLUSH removes all rules (except 65535).
532a81fd7cSJulian Elischer.Pp
542a81fd7cSJulian ElischerWhen the kernel security level is greater than 2, only IP_FW_GET
552a81fd7cSJulian Elischeris allowed.
562a81fd7cSJulian Elischer.Sh RULE STRUCTURE
572a81fd7cSJulian ElischerRules are described by the following structure:
582a81fd7cSJulian Elischer.Bd -literal
592a81fd7cSJulian Elischer/* Specify an interface */
602a81fd7cSJulian Elischerunion ip_fw_if {
612a81fd7cSJulian Elischer    struct in_addr fu_via_ip;   /* Specified by IP address */
622a81fd7cSJulian Elischer    struct {                    /* Specified by interface name */
632a81fd7cSJulian Elischer#define FW_IFNLEN       6       /* To keep structure on 2^x boundary */
642a81fd7cSJulian Elischer            char  name[FW_IFNLEN];
652a81fd7cSJulian Elischer            short unit;         /* -1 means match any unit */
662a81fd7cSJulian Elischer    } fu_via_if;
672a81fd7cSJulian Elischer};
68a53227ffSUgen J.S. Antsilevich
692a81fd7cSJulian Elischer/* One ipfw rule */
70a53227ffSUgen J.S. Antsilevichstruct ip_fw {
712a81fd7cSJulian Elischer    u_long fw_pcnt,fw_bcnt;         /* Packet and byte counters */
722a81fd7cSJulian Elischer    struct in_addr fw_src, fw_dst;  /* Source and destination IP addr */
732a81fd7cSJulian Elischer    struct in_addr fw_smsk, fw_dmsk;/* Mask for src and dest IP addr */
742a81fd7cSJulian Elischer    u_short fw_number;              /* Rule number */
752a81fd7cSJulian Elischer    u_short fw_flg;                 /* Flags word */
762a81fd7cSJulian Elischer#define IP_FW_MAX_PORTS 10          /* A reasonable maximum */
772a81fd7cSJulian Elischer    u_short fw_pts[IP_FW_MAX_PORTS];/* Array of port numbers to match */
782a81fd7cSJulian Elischer    u_char fw_ipopt,fw_ipnopt;      /* IP options set/unset */
792a81fd7cSJulian Elischer    u_char fw_tcpf,fw_tcpnf;        /* TCP flags set/unset */
802a81fd7cSJulian Elischer#define IP_FW_ICMPTYPES_DIM (256 / (sizeof(unsigned) * 8))
812a81fd7cSJulian Elischer    unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */
822a81fd7cSJulian Elischer    long timestamp;                 /* timestamp (tv_sec) of last match */
832a81fd7cSJulian Elischer    union ip_fw_if fw_in_if, fw_out_if;/* Incoming / outgoing interfaces */
842a81fd7cSJulian Elischer    union {
852a81fd7cSJulian Elischer        u_short fu_divert_port;     /* Divert/tee port */
862a81fd7cSJulian Elischer        u_short fu_skipto_rule;     /* SKIPTO command rule number */
872a81fd7cSJulian Elischer        u_short fu_reject_code;     /* REJECT response code */
882a81fd7cSJulian Elischer    } fw_un;
892a81fd7cSJulian Elischer    u_char fw_prot;                 /* IP protocol */
902a81fd7cSJulian Elischer    u_char fw_nports;               /* N'of src ports and # of dst ports */
912a81fd7cSJulian Elischer                                    /* in ports array (dst ports follow */
922a81fd7cSJulian Elischer                                    /* src ports; max of 10 ports in all */
932a81fd7cSJulian Elischer                                    /* count of 0 means match all ports) */
942a81fd7cSJulian Elischer};
95a53227ffSUgen J.S. Antsilevich
962a81fd7cSJulian Elischer/* Encoding of number of source/dest ports from "fw_nports" */
97a53227ffSUgen J.S. Antsilevich
982a81fd7cSJulian Elischer#define IP_FW_GETNSRCP(rule)            ((rule)->fw_nports & 0x0f)
992a81fd7cSJulian Elischer#define IP_FW_SETNSRCP(rule, n)         do {                            \\
1002a81fd7cSJulian Elischer                                          (rule)->fw_nports &= ~0x0f;   \\
1012a81fd7cSJulian Elischer                                          (rule)->fw_nports |= (n);     \\
1022a81fd7cSJulian Elischer                                        } while (0)
1032a81fd7cSJulian Elischer#define IP_FW_GETNDSTP(rule)            ((rule)->fw_nports >> 4)
1042a81fd7cSJulian Elischer#define IP_FW_SETNDSTP(rule, n)         do {                            \\
1052a81fd7cSJulian Elischer                                          (rule)->fw_nports &= ~0xf0;   \\
1062a81fd7cSJulian Elischer                                          (rule)->fw_nports |= (n) << 4;\\
1072a81fd7cSJulian Elischer                                        } while (0)
108a53227ffSUgen J.S. Antsilevich
1092a81fd7cSJulian Elischer/* Flags values for "flags" field */
1102a81fd7cSJulian Elischer
1112a81fd7cSJulian Elischer#define IP_FW_F_IN      0x0001  /* Check inbound packets                */
1122a81fd7cSJulian Elischer#define IP_FW_F_OUT     0x0002  /* Check outbound packets               */
1132a81fd7cSJulian Elischer#define IP_FW_F_IIFACE  0x0004  /* Apply inbound interface test         */
1142a81fd7cSJulian Elischer#define IP_FW_F_OIFACE  0x0008  /* Apply outbound interface test        */
1152a81fd7cSJulian Elischer
1162a81fd7cSJulian Elischer#define IP_FW_F_COMMAND 0x0070  /* Mask for type of chain entry:        */
1172a81fd7cSJulian Elischer#define IP_FW_F_DENY    0x0000  /* This is a deny rule                  */
1182a81fd7cSJulian Elischer#define IP_FW_F_REJECT  0x0010  /* Deny and send a response packet      */
1192a81fd7cSJulian Elischer#define IP_FW_F_ACCEPT  0x0020  /* This is an accept rule               */
1202a81fd7cSJulian Elischer#define IP_FW_F_COUNT   0x0030  /* This is a count rule                 */
1212a81fd7cSJulian Elischer#define IP_FW_F_DIVERT  0x0040  /* This is a divert rule                */
1222a81fd7cSJulian Elischer#define IP_FW_F_TEE     0x0050  /* This is a tee rule                   */
1232a81fd7cSJulian Elischer#define IP_FW_F_SKIPTO  0x0060  /* This is a skipto rule                */
1242a81fd7cSJulian Elischer
1252a81fd7cSJulian Elischer#define IP_FW_F_PRN     0x0080  /* Print if this rule matches           */
1262a81fd7cSJulian Elischer
1272a81fd7cSJulian Elischer#define IP_FW_F_SRNG    0x0100  /* The first two src ports are a min    *
1282a81fd7cSJulian Elischer                                 * and max range (stored in host byte   *
1292a81fd7cSJulian Elischer                                 * order).                              */
1302a81fd7cSJulian Elischer
1312a81fd7cSJulian Elischer#define IP_FW_F_DRNG    0x0200  /* The first two dst ports are a min    *
1322a81fd7cSJulian Elischer                                 * and max range (stored in host byte   *
1332a81fd7cSJulian Elischer                                 * order).                              */
1342a81fd7cSJulian Elischer
1352a81fd7cSJulian Elischer#define IP_FW_F_IIFNAME 0x0400  /* In interface by name/unit (not IP)   */
1362a81fd7cSJulian Elischer#define IP_FW_F_OIFNAME 0x0800  /* Out interface by name/unit (not IP)  */
1372a81fd7cSJulian Elischer
1382a81fd7cSJulian Elischer#define IP_FW_F_INVSRC  0x1000  /* Invert sense of src check            */
1392a81fd7cSJulian Elischer#define IP_FW_F_INVDST  0x2000  /* Invert sense of dst check            */
1402a81fd7cSJulian Elischer
1412a81fd7cSJulian Elischer#define IP_FW_F_FRAG    0x4000  /* Fragment                             */
1422a81fd7cSJulian Elischer
1432a81fd7cSJulian Elischer#define IP_FW_F_ICMPBIT 0x8000  /* ICMP type bitmap is valid            */
1442a81fd7cSJulian Elischer
1452a81fd7cSJulian Elischer#define IP_FW_F_MASK    0xFFFF  /* All possible flag bits mask          */
1462a81fd7cSJulian Elischer.Ed
1472a81fd7cSJulian Elischer
1482a81fd7cSJulian Elischer.Sh RULE ACTIONS
1492a81fd7cSJulian ElischerEach rule has an action described by the IP_FW_F_COMMAND bits in the
1502a81fd7cSJulian Elischerflags word:
1512a81fd7cSJulian Elischer
1522a81fd7cSJulian Elischer  IP_FW_F_DENY          - drop packet
1532a81fd7cSJulian Elischer  IP_FW_F_REJECT        - drop packet; send rejection via ICMP or TCP
1542a81fd7cSJulian Elischer  IP_FW_F_ACCEPT        - accept packet
1552a81fd7cSJulian Elischer  IP_FW_F_COUNT         - increment counters; continue matching
1562a81fd7cSJulian Elischer  IP_FW_F_DIVERT        - divert packet to a divert(4) socket
1572a81fd7cSJulian Elischer  IP_FW_F_TEE           - copy packet to a divert(4) socket; continue
1582a81fd7cSJulian Elischer  IP_FW_F_SKIPTO        - skip to rule number fu_skipto_rule
1592a81fd7cSJulian Elischer.Pp
1602a81fd7cSJulian ElischerIn the case of IP_FW_F_REJECT, if the fu_reject_code is a number
1612a81fd7cSJulian Elischerfrom 0 to 255, then an ICMP unreachable packet is sent back to the
1622a81fd7cSJulian Elischeroriginal packet's source IP address, with the corresponding code.
1632a81fd7cSJulian ElischerOtherwise, the value must be 256 and the protocol IPPROTO_TCP,
1642a81fd7cSJulian Elischerin which case a TCP reset packet is sent instead.
1652a81fd7cSJulian Elischer.Pp
1662a81fd7cSJulian ElischerWith IP_FW_F_SKIPTO, all succeeding rules having rule number less
1672a81fd7cSJulian Elischerthan fu_skipto_rule are skipped.
1682a81fd7cSJulian Elischer.Sh KERNEL OPTIONS
169a53227ffSUgen J.S. AntsilevichOptions in the kernel configuration file:
170a53227ffSUgen J.S. Antsilevich  IPFIREWALL               - enable ipfirewall.
1712a81fd7cSJulian Elischer  IPFIREWALL_VERBOSE       - enable firewall output
1722a81fd7cSJulian Elischer  IPFIREWALL_VERBOSE_LIMIT - limit firewall output
173b1915357SAlexey Zelkin  IPDIVERT                 - enable divert(4) sockets.
174b805452cSMike Pritchard.Pp
1752a81fd7cSJulian ElischerWhen packets match a rule with the IP_FW_F_PRN bit set, a message
1762a81fd7cSJulian Elischeris logged to the console if IPFIREWALL_VERBOSE has been enabled;
1772a81fd7cSJulian ElischerIPFIREWALL_VERBOSE_LIMIT limits the maximum number of times each
1786d249eeeSSheldon Hearnrule can cause a log message.
1796d249eeeSSheldon HearnThese variables are also
1802a81fd7cSJulian Elischeravailable via the
1812a81fd7cSJulian Elischer.Xr sysctl 3
1822a81fd7cSJulian Elischerinterface.
183a53227ffSUgen J.S. Antsilevich.Sh DIAGNOSTICS
184a53227ffSUgen J.S. Antsilevich
185a53227ffSUgen J.S. Antsilevich[EINVAL]  The IP option field was improperly formed; an option
186a53227ffSUgen J.S. Antsilevich          field was shorter than the minimum value or longer than
1872a81fd7cSJulian Elischer          the option buffer provided.  A structural error in
18809b4b086SMike Pritchard          ip_fw structure occurred (n_src_p+n_dst_p too big,
1892a81fd7cSJulian Elischer          ports set for ALL/ICMP protocols etc.). An invalid
1902a81fd7cSJulian Elischer          rule number was used.
191a53227ffSUgen J.S. Antsilevich.Sh SEE ALSO
192b805452cSMike Pritchard.Xr setsockopt 2 ,
1932a81fd7cSJulian Elischer.Xr divert 4 ,
194bceb8aedSWolfram Schneider.Xr ip 4 ,
1952a81fd7cSJulian Elischer.Xr ipfw 8 ,
1962a81fd7cSJulian Elischer.Xr sysctl 8 .
197a53227ffSUgen J.S. Antsilevich.Sh BUGS
1982a81fd7cSJulian ElischerThe ``tee'' rule is not yet implemented (currently it has no effect).
199b805452cSMike Pritchard.Pp
2002a81fd7cSJulian ElischerThis man page still needs work.
201a53227ffSUgen J.S. Antsilevich.Sh HISTORY
2022a81fd7cSJulian ElischerThe ipfw facility was initially written as package to BSDI
203a53227ffSUgen J.S. Antsilevichby Daniel Boulet <danny@BouletFermat.ab.ca>.
2042a81fd7cSJulian ElischerIt has been heavily modified and ported to FreeBSD
2052a81fd7cSJulian Elischerby Ugen J.S.Antsilevich <ugen@NetVision.net.il>.
2062a81fd7cSJulian Elischer.Pp
2072a81fd7cSJulian ElischerSeveral enhancements added by Archie Cobbs <archie@whistle.com>.
208