xref: /freebsd/share/man/man4/ipfirewall.4 (revision dc60ef4a4e56bab7524fb72d168f3665534aa835)
.\"
.\" $FreeBSD$
.\"
.Dd June 22, 1997
.Dt IPFIREWALL 4
.Os
.Sh NAME
.Nm ipfirewall
.Nd IP packet filter and traffic accounting
.Sh SYNOPSIS
.Fd #include <sys/types.h>
.Fd #include <sys/queue.h>
.Fd #include <netinet/in.h>
.Fd #include <netinet/ip_fw.h>
.Ft int
.Fn setsockopt raw_socket IPPROTO_IP "ipfw option" "struct ip_fw" size
.Sh DESCRIPTION
Ipfirewall (alias ipfw) is a system facility which allows filtering,
redirecting, and other operations on IP packets travelling through
system interfaces.
Packets are matched by applying an ordered list
of pattern rules against each packet until a match is found, at
which point the corresponding action is taken.
Rules are numbered
from 1 to 65534; multiple rules may share the same number.
.Pp
There is one rule that always exists, rule number 65535.
This rule
normally causes all packets to be dropped.
Hence, any packet which does not
match a lower numbered rule will be dropped.
However, a kernel compile time option
.Dv IPFIREWALL_DEFAULT_TO_ACCEPT
allows the administrator to change this fixed rule to permit everything.
.Pp
The value passed to
.Fn setsockopt
is a struct ip_fw describing the rule (see below).
In some cases
(such as
.Dv IP_FW_DEL ) ,
only the rule number is significant.
.Ss Commands
The following socket options are used to manage the rule list:
.Bl -tag -width "IP_FW_FLUSH"
.It Dv IP_FW_ADD
Inserts the rule into the rule list.
.It Dv IP_FW_DEL
Deletes all rules having the matching rule number.
.It Dv IP_FW_GET
Returns the (first) rule having the matching rule number.
.It Dv IP_FW_ZERO
Zeros the statistics associated with all rules having the
matching rule number.
If the rule number is zero, all rules are zeroed.
.It Dv IP_FW_FLUSH
Removes all rules (except 65535).
.El
.Pp
When the kernel security level is greater than 2, only
.Dv IP_FW_GET
is allowed.
.Ss Rule Structure
Rules are described by the structures in
.Pa netinet/ip_fw.h .
.Ss Rule Actions
Each rule has an action described by the
.Dv IP_FW_F_COMMAND
bits in the flags word:
.Bl -tag -width "IP_FW_F_DIVERT"
.It Dv IP_FW_F_DENY
Drop the packet and stop processing.
.It Dv IP_FW_F_REJECT
Drop the packet; send a rejection via ICMP or TCP and stop processing.
.It Dv IP_FW_F_ACCEPT
Accept the packet and stop processing.
.It Dv IP_FW_F_COUNT
Increment counters and continue matching.
.It Dv IP_FW_F_DIVERT
Divert the packet to a
.Xr divert 4
socket and stop processing.
.It Dv IP_FW_F_TEE
Send a copy of this packet to a
.Xr divert 4
socket and continue processing the original packet at the next rule.
.It Dv IP_FW_F_SKIPTO
Skip to rule number
.Va fu_skipto_rule .
At this time the target rule number must be greater than the active rule number.
.It Dv IP_FW_F_PIPE
The packet is marked for the use of
.Xr dummynet 4 ,
and processing stopped.
.It Dv IP_FW_F_QUEUE
The packet is marked for the use of
.Xr dummynet 4 ,
and processing stopped.
.It Dv IP_FW_F_FWD
The packet is accepted but the destination is hijacked (see
.Xr ipfw 8 ) .
.El
.Pp
In the case of
.Dv IP_FW_F_REJECT ,
if the
.Va fu_reject_code
is a number
from 0 to 255, then an ICMP unreachable packet is sent back to the
original packet's source IP address, with the corresponding code.
Otherwise, the value must be 256 and the protocol
.Dv IPPROTO_TCP ,
in which case a TCP reset packet is sent instead.
.Pp
With
.Dv IP_FW_F_SKIPTO ,
all succeeding rules having rule number less
than
.Va fu_skipto_rule
are skipped.
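As an added example (not part of this manual page and not the kernel's own ip_fw.h code), a small C model of the matching semantics described above: the ordered walk, COUNT continuing, SKIPTO skipping every rule numbered below its target, the fixed rule 65535, and the checks a REJECT code and a SKIPTO target must pass. The struct fw_rule, fw_validate, fw_reject_valid, fw_check and IP4 names are hypothetical.

```c
#include <netinet/in.h>   /* IPPROTO_TCP */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Hypothetical rule record; the real struct ip_fw in ip_fw.h carries more fields. */
enum fw_cmd { FW_DENY, FW_ACCEPT, FW_COUNT, FW_SKIPTO };
struct fw_rule {
    uint16_t number;                    /* 1..65534; 65535 is the fixed default rule */
    uint32_t src, smsk, dst, dmsk;      /* address/mask pairs, host byte order */
    enum fw_cmd cmd;
    uint16_t skipto;                    /* FW_SKIPTO target; must be > number */
    uint64_t pcnt;                      /* packet counter, cleared by IP_FW_ZERO */
};

/* The checks IP_FW_ADD applies to a new rule: 0 = ok, -1 = would fail with EINVAL. */
int fw_validate(const struct fw_rule *r)
{
    if (r->number == 0 || r->number >= 65535) return -1;
    if (r->cmd == FW_SKIPTO && r->skipto <= r->number) return -1;
    return 0;
}
/* IP_FW_F_REJECT: 0..255 is an ICMP unreachable code, 256 is a TCP reset (TCP only). */
bool fw_reject_valid(unsigned code, int proto)
{
    return code <= 255 || (code == 256 && proto == IPPROTO_TCP);
}
/* Walk the list (kept sorted by number, as the kernel does) for one packet;
 * returns true if the packet passes and false if it is dropped. */
bool fw_check(struct fw_rule *rules, size_t n, uint32_t src, uint32_t dst, bool default_accept)
{
    size_t i = 0;
    while (i < n) {
        struct fw_rule *r = &rules[i];
        if ((src & r->smsk) != r->src || (dst & r->dmsk) != r->dst) { i++; continue; }
        r->pcnt++;
        switch (r->cmd) {
        case FW_DENY:   return false;           /* stop processing */
        case FW_ACCEPT: return true;            /* stop processing */
        case FW_COUNT:  i++; break;             /* count and keep matching */
        case FW_SKIPTO:                         /* skip rules numbered below the target */
            while (i < n && rules[i].number < r->skipto) i++;
            break;
        }
    }
    /* Rule 65535: drop, unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT. */
    return default_accept;
}
```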
.Ss Kernel Options
Options in the kernel configuration file:
.Bl -tag -width "options IPFIREWALL_VERBOSE_LIMIT"
.It Cd options IPFIREWALL
enable
.Nm
.It Cd options IPFIREWALL_VERBOSE
enable firewall logging
.It Cd options IPFIREWALL_VERBOSE_LIMIT
limit firewall logging
.It Cd options IPDIVERT
enable
.Xr divert 4
sockets
.El
.Pp
When packets match a rule with the
.Dv IP_FW_F_PRN
bit set, and if
.Dv IPFIREWALL_VERBOSE
has been enabled,
a message is written to
.Pa /dev/klog
with the
.Dv LOG_SECURITY
facility
(see
.Xr syslog 3 )
for further logging by
.Xr syslogd 8 ;
.Dv IPFIREWALL_VERBOSE_LIMIT
limits the maximum number of times each
rule can cause a log message.
These variables are also
available via the
.Xr sysctl 3
interface.
.Sh RETURN VALUES
The
.Fn setsockopt
function returns 0 on success.
Otherwise, -1 is returned and the global variable
.Va errno
is set to indicate the error.
.Sh ERRORS
The
.Fn setsockopt
function will fail if:
.Bl -tag -width Er
.It Bq Er EINVAL
The IP option field was improperly formed;
an option field was shorter than the minimum value
or longer than the option buffer provided.
.It Bq Er EINVAL
A structural error in the ip_fw structure occurred
(n_src_p+n_dst_p too big, ports set for ALL/ICMP protocols, etc.).
.It Bq Er EINVAL
An invalid rule number was used.
.El
.Sh SEE ALSO
.Xr setsockopt 2 ,
.Xr divert 4 ,
.Xr ip 4 ,
.Xr ipfw 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8
.Sh BUGS
This man page still needs work.
.Sh HISTORY
The ipfw facility was initially written as a package for BSDI
by
.An Daniel Boulet
.Aq danny@BouletFermat.ab.ca .
It has been heavily modified and ported to
.Fx
by
.An Ugen J.S. Antsilevich
.Aq ugen@NetVision.net.il .
.Pp
Several enhancements were added by
.An Archie Cobbs
.Aq archie@FreeBSD.org .
201