1892cb98eSJohn-Mark Gurney.\" 27f3dea24SPeter Wemm.\" $FreeBSD$ 3892cb98eSJohn-Mark Gurney.\" 42a81fd7cSJulian Elischer.Dd June 22, 1997 5b805452cSMike Pritchard.Dt IPFIREWALL 4 6a53227ffSUgen J.S. Antsilevich.Os 7a53227ffSUgen J.S. Antsilevich.Sh NAME 82a81fd7cSJulian Elischer.Nm ipfirewall 92a81fd7cSJulian Elischer.Nd IP packet filter and traffic accounting 10a53227ffSUgen J.S. Antsilevich.Sh SYNOPSIS 11ddbd0698SBruce Evans.Fd #include <sys/types.h> 12ddbd0698SBruce Evans.Fd #include <sys/queue.h> 13ddbd0698SBruce Evans.Fd #include <netinet/in.h> 14b805452cSMike Pritchard.Fd #include <netinet/ip_fw.h> 15b805452cSMike Pritchard.Ft int 162a81fd7cSJulian Elischer.Fn setsockopt raw_socket IPPROTO_IP "ipfw option" "struct ip_fw" size 172a81fd7cSJulian Elischer.Sh DESCRIPTION 182a81fd7cSJulian ElischerIpfirewall (alias ipfw) is a system facility which allows filtering, 192a81fd7cSJulian Elischerredirecting, and other operations on IP packets travelling through 202a81fd7cSJulian Elischersystem interfaces. Packets are matched by applying an ordered list 212a81fd7cSJulian Elischerof pattern rules against each packet until a match is found, at 222a81fd7cSJulian Elischerwhich point the corresponding action is taken. Rules are numbered 232a81fd7cSJulian Elischerfrom 1 to 65534; multiple rules may share the same number. 242a81fd7cSJulian Elischer.Pp 252a81fd7cSJulian ElischerThere is one rule that always exists, rule number 65535. This rule 26d6fd8b89SPeter Wemmnormally causes all packets to be dropped. Hence, any packet which does not 27d6fd8b89SPeter Wemmmatch a lower numbered rule will be dropped. However, a kernel compile 28d6fd8b89SPeter Wemmtime option 29d6fd8b89SPeter Wemm.Dq IPFIREWALL_DEFAULT_TO_ACCEPT 30d6fd8b89SPeter Wemmallows the administrator to change this fixed rule to permit everything. 
312a81fd7cSJulian Elischer.Pp 322a81fd7cSJulian ElischerThe value passed to 332a81fd7cSJulian Elischer.Fn setsockopt 342a81fd7cSJulian Elischeris a struct ip_fw describing the rule (see below). In some cases 352a81fd7cSJulian Elischer(such as IP_FW_DEL), only the rule number is significant. 362a81fd7cSJulian Elischer.Sh COMMANDS 372a81fd7cSJulian ElischerThe following socket options are used to manage the rule list: 382a81fd7cSJulian Elischer.Pp 392a81fd7cSJulian ElischerIP_FW_ADD inserts the rule into the rule list. 402a81fd7cSJulian Elischer.Pp 412a81fd7cSJulian ElischerIP_FW_DEL deletes all rules having the matching rule number. 422a81fd7cSJulian Elischer.Pp 432a81fd7cSJulian ElischerIP_FW_GET returns the (first) rule having the matching rule number. 442a81fd7cSJulian Elischer.Pp 452a81fd7cSJulian ElischerIP_FW_ZERO zeros the statistics associated with all rules having the 462a81fd7cSJulian Elischermatching rule number. If the rule number is zero, all rules are zeroed. 472a81fd7cSJulian Elischer.Pp 482a81fd7cSJulian ElischerIP_FW_FLUSH removes all rules (except 65535). 492a81fd7cSJulian Elischer.Pp 502a81fd7cSJulian ElischerWhen the kernel security level is greater than 2, only IP_FW_GET 512a81fd7cSJulian Elischeris allowed. 522a81fd7cSJulian Elischer.Sh RULE STRUCTURE 532a81fd7cSJulian ElischerRules are described by the following structure: 542a81fd7cSJulian Elischer.Bd -literal 552a81fd7cSJulian Elischer/* Specify an interface */ 562a81fd7cSJulian Elischerunion ip_fw_if { 572a81fd7cSJulian Elischer struct in_addr fu_via_ip; /* Specified by IP address */ 582a81fd7cSJulian Elischer struct { /* Specified by interface name */ 592a81fd7cSJulian Elischer#define FW_IFNLEN 6 /* To keep structure on 2^x boundary */ 602a81fd7cSJulian Elischer char name[FW_IFNLEN]; 612a81fd7cSJulian Elischer short unit; /* -1 means match any unit */ 622a81fd7cSJulian Elischer } fu_via_if; 632a81fd7cSJulian Elischer}; 64a53227ffSUgen J.S. 
Antsilevich 652a81fd7cSJulian Elischer/* One ipfw rule */ 66a53227ffSUgen J.S. Antsilevichstruct ip_fw { 672a81fd7cSJulian Elischer u_long fw_pcnt,fw_bcnt; /* Packet and byte counters */ 682a81fd7cSJulian Elischer struct in_addr fw_src, fw_dst; /* Source and destination IP addr */ 692a81fd7cSJulian Elischer struct in_addr fw_smsk, fw_dmsk;/* Mask for src and dest IP addr */ 702a81fd7cSJulian Elischer u_short fw_number; /* Rule number */ 712a81fd7cSJulian Elischer u_short fw_flg; /* Flags word */ 722a81fd7cSJulian Elischer#define IP_FW_MAX_PORTS 10 /* A reasonable maximum */ 732a81fd7cSJulian Elischer u_short fw_pts[IP_FW_MAX_PORTS];/* Array of port numbers to match */ 742a81fd7cSJulian Elischer u_char fw_ipopt,fw_ipnopt; /* IP options set/unset */ 752a81fd7cSJulian Elischer u_char fw_tcpf,fw_tcpnf; /* TCP flags set/unset */ 762a81fd7cSJulian Elischer#define IP_FW_ICMPTYPES_DIM (256 / (sizeof(unsigned) * 8)) 772a81fd7cSJulian Elischer unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */ 782a81fd7cSJulian Elischer long timestamp; /* timestamp (tv_sec) of last match */ 792a81fd7cSJulian Elischer union ip_fw_if fw_in_if, fw_out_if;/* Incoming / outgoing interfaces */ 802a81fd7cSJulian Elischer union { 812a81fd7cSJulian Elischer u_short fu_divert_port; /* Divert/tee port */ 822a81fd7cSJulian Elischer u_short fu_skipto_rule; /* SKIPTO command rule number */ 832a81fd7cSJulian Elischer u_short fu_reject_code; /* REJECT response code */ 842a81fd7cSJulian Elischer } fw_un; 852a81fd7cSJulian Elischer u_char fw_prot; /* IP protocol */ 862a81fd7cSJulian Elischer u_char fw_nports; /* N'of src ports and # of dst ports */ 872a81fd7cSJulian Elischer /* in ports array (dst ports follow */ 882a81fd7cSJulian Elischer /* src ports; max of 10 ports in all */ 892a81fd7cSJulian Elischer /* count of 0 means match all ports) */ 902a81fd7cSJulian Elischer}; 91a53227ffSUgen J.S. 
Antsilevich 922a81fd7cSJulian Elischer/* Encoding of number of source/dest ports from "fw_nports" */ 93a53227ffSUgen J.S. Antsilevich 942a81fd7cSJulian Elischer#define IP_FW_GETNSRCP(rule) ((rule)->fw_nports & 0x0f) 952a81fd7cSJulian Elischer#define IP_FW_SETNSRCP(rule, n) do { \\ 962a81fd7cSJulian Elischer (rule)->fw_nports &= ~0x0f; \\ 972a81fd7cSJulian Elischer (rule)->fw_nports |= (n); \\ 982a81fd7cSJulian Elischer } while (0) 992a81fd7cSJulian Elischer#define IP_FW_GETNDSTP(rule) ((rule)->fw_nports >> 4) 1002a81fd7cSJulian Elischer#define IP_FW_SETNDSTP(rule, n) do { \\ 1012a81fd7cSJulian Elischer (rule)->fw_nports &= ~0xf0; \\ 1022a81fd7cSJulian Elischer (rule)->fw_nports |= (n) << 4;\\ 1032a81fd7cSJulian Elischer } while (0) 104a53227ffSUgen J.S. Antsilevich 1052a81fd7cSJulian Elischer/* Flags values for "flags" field */ 1062a81fd7cSJulian Elischer 1072a81fd7cSJulian Elischer#define IP_FW_F_IN 0x0001 /* Check inbound packets */ 1082a81fd7cSJulian Elischer#define IP_FW_F_OUT 0x0002 /* Check outbound packets */ 1092a81fd7cSJulian Elischer#define IP_FW_F_IIFACE 0x0004 /* Apply inbound interface test */ 1102a81fd7cSJulian Elischer#define IP_FW_F_OIFACE 0x0008 /* Apply outbound interface test */ 1112a81fd7cSJulian Elischer 1122a81fd7cSJulian Elischer#define IP_FW_F_COMMAND 0x0070 /* Mask for type of chain entry: */ 1132a81fd7cSJulian Elischer#define IP_FW_F_DENY 0x0000 /* This is a deny rule */ 1142a81fd7cSJulian Elischer#define IP_FW_F_REJECT 0x0010 /* Deny and send a response packet */ 1152a81fd7cSJulian Elischer#define IP_FW_F_ACCEPT 0x0020 /* This is an accept rule */ 1162a81fd7cSJulian Elischer#define IP_FW_F_COUNT 0x0030 /* This is a count rule */ 1172a81fd7cSJulian Elischer#define IP_FW_F_DIVERT 0x0040 /* This is a divert rule */ 1182a81fd7cSJulian Elischer#define IP_FW_F_TEE 0x0050 /* This is a tee rule */ 1192a81fd7cSJulian Elischer#define IP_FW_F_SKIPTO 0x0060 /* This is a skipto rule */ 1202a81fd7cSJulian Elischer 1212a81fd7cSJulian Elischer#define 
IP_FW_F_PRN 0x0080 /* Print if this rule matches */ 1222a81fd7cSJulian Elischer 1232a81fd7cSJulian Elischer#define IP_FW_F_SRNG 0x0100 /* The first two src ports are a min * 1242a81fd7cSJulian Elischer * and max range (stored in host byte * 1252a81fd7cSJulian Elischer * order). */ 1262a81fd7cSJulian Elischer 1272a81fd7cSJulian Elischer#define IP_FW_F_DRNG 0x0200 /* The first two dst ports are a min * 1282a81fd7cSJulian Elischer * and max range (stored in host byte * 1292a81fd7cSJulian Elischer * order). */ 1302a81fd7cSJulian Elischer 1312a81fd7cSJulian Elischer#define IP_FW_F_IIFNAME 0x0400 /* In interface by name/unit (not IP) */ 1322a81fd7cSJulian Elischer#define IP_FW_F_OIFNAME 0x0800 /* Out interface by name/unit (not IP) */ 1332a81fd7cSJulian Elischer 1342a81fd7cSJulian Elischer#define IP_FW_F_INVSRC 0x1000 /* Invert sense of src check */ 1352a81fd7cSJulian Elischer#define IP_FW_F_INVDST 0x2000 /* Invert sense of dst check */ 1362a81fd7cSJulian Elischer 1372a81fd7cSJulian Elischer#define IP_FW_F_FRAG 0x4000 /* Fragment */ 1382a81fd7cSJulian Elischer 1392a81fd7cSJulian Elischer#define IP_FW_F_ICMPBIT 0x8000 /* ICMP type bitmap is valid */ 1402a81fd7cSJulian Elischer 1412a81fd7cSJulian Elischer#define IP_FW_F_MASK 0xFFFF /* All possible flag bits mask */ 1422a81fd7cSJulian Elischer.Ed 1432a81fd7cSJulian Elischer 1442a81fd7cSJulian Elischer.Sh RULE ACTIONS 1452a81fd7cSJulian ElischerEach rule has an action described by the IP_FW_F_COMMAND bits in the 1462a81fd7cSJulian Elischerflags word: 1472a81fd7cSJulian Elischer 1482a81fd7cSJulian Elischer IP_FW_F_DENY - drop packet 1492a81fd7cSJulian Elischer IP_FW_F_REJECT - drop packet; send rejection via ICMP or TCP 1502a81fd7cSJulian Elischer IP_FW_F_ACCEPT - accept packet 1512a81fd7cSJulian Elischer IP_FW_F_COUNT - increment counters; continue matching 1522a81fd7cSJulian Elischer IP_FW_F_DIVERT - divert packet to a divert(4) socket 1532a81fd7cSJulian Elischer IP_FW_F_TEE - copy packet to a divert(4) socket; continue 
1542a81fd7cSJulian Elischer IP_FW_F_SKIPTO - skip to rule number fu_skipto_rule 1552a81fd7cSJulian Elischer.Pp 1562a81fd7cSJulian ElischerIn the case of IP_FW_F_REJECT, if the fu_reject_code is a number 1572a81fd7cSJulian Elischerfrom 0 to 255, then an ICMP unreachable packet is sent back to the 1582a81fd7cSJulian Elischeroriginal packet's source IP address, with the corresponding code. 1592a81fd7cSJulian ElischerOtherwise, the value must be 256 and the protocol IPPROTO_TCP, 1602a81fd7cSJulian Elischerin which case a TCP reset packet is sent instead. 1612a81fd7cSJulian Elischer.Pp 1622a81fd7cSJulian ElischerWith IP_FW_F_SKIPTO, all succeeding rules having rule number less 1632a81fd7cSJulian Elischerthan fu_skipto_rule are skipped. 1642a81fd7cSJulian Elischer.Sh KERNEL OPTIONS 165a53227ffSUgen J.S. AntsilevichOptions in the kernel configuration file: 166a53227ffSUgen J.S. Antsilevich IPFIREWALL - enable ipfirewall. 1672a81fd7cSJulian Elischer IPFIREWALL_VERBOSE - enable firewall output 1682a81fd7cSJulian Elischer IPFIREWALL_VERBOSE_LIMIT - limit firewall output 169b1915357SAlexey Zelkin IPDIVERT - enable divert(4) sockets. 170b805452cSMike Pritchard.Pp 1712a81fd7cSJulian ElischerWhen packets match a rule with the IP_FW_F_PRN bit set, a message 1722a81fd7cSJulian Elischeris logged to the console if IPFIREWALL_VERBOSE has been enabled; 1732a81fd7cSJulian ElischerIPFIREWALL_VERBOSE_LIMIT limits the maximum number of times each 17443d1df33SAlexander Langerrule can cause a log message. These variables are also 1752a81fd7cSJulian Elischeravailable via the 1762a81fd7cSJulian Elischer.Xr sysctl 3 1772a81fd7cSJulian Elischerinterface. 178a53227ffSUgen J.S. Antsilevich.Sh DIAGNOSTICS 179a53227ffSUgen J.S. Antsilevich 180a53227ffSUgen J.S. Antsilevich[EINVAL] The IP option field was improperly formed; an option 181a53227ffSUgen J.S. Antsilevich field was shorter than the minimum value or longer than 1822a81fd7cSJulian Elischer the option buffer provided. 
A structural error in 18309b4b086SMike Pritchard the ip_fw structure occurred (n_src_p+n_dst_p too big, 1842a81fd7cSJulian Elischer ports set for ALL/ICMP protocols, etc.). An invalid 1852a81fd7cSJulian Elischer rule number was used. 186a53227ffSUgen J.S. Antsilevich.Sh SEE ALSO 187b805452cSMike Pritchard.Xr setsockopt 2 , 1882a81fd7cSJulian Elischer.Xr divert 4 , 189bceb8aedSWolfram Schneider.Xr ip 4 , 1902a81fd7cSJulian Elischer.Xr ipfw 8 , 1912a81fd7cSJulian Elischer.Xr sysctl 8 . 192a53227ffSUgen J.S. Antsilevich.Sh BUGS 1932a81fd7cSJulian ElischerThe ``tee'' rule is not yet implemented (currently it has no effect). 194b805452cSMike Pritchard.Pp 1952a81fd7cSJulian ElischerThis man page still needs work. 196a53227ffSUgen J.S. Antsilevich.Sh HISTORY 1972a81fd7cSJulian ElischerThe ipfw facility was initially written as a package for BSDI 198a53227ffSUgen J.S. Antsilevichby Daniel Boulet <danny@BouletFermat.ab.ca>. 1992a81fd7cSJulian ElischerIt has been heavily modified and ported to FreeBSD 2002a81fd7cSJulian Elischerby Ugen J.S.Antsilevich <ugen@NetVision.net.il>. 2012a81fd7cSJulian Elischer.Pp 2022a81fd7cSJulian ElischerSeveral enhancements were added by Archie Cobbs <archie@whistle.com>. 203