.\"
.\" $FreeBSD$
.\"
.Dd June 22, 1997
.Dt IPFIREWALL 4
.Os
.Sh NAME
.Nm ipfirewall
.Nd IP packet filter and traffic accounting
.Sh SYNOPSIS
.Fd #include <sys/types.h>
.Fd #include <sys/queue.h>
.Fd #include <netinet/in.h>
.Fd #include <netinet/ip_fw.h>
.Ft int
.Fn setsockopt raw_socket IPPROTO_IP "ipfw option" "struct ip_fw *" size
.Sh DESCRIPTION
Ipfirewall (alias ipfw) is a system facility which allows filtering,
redirecting, and other operations on IP packets travelling through
system interfaces.
Packets are matched by applying an ordered list
of pattern rules against each packet until a match is found, at
which point the corresponding action is taken.
Rules are numbered
from 1 to 65534; multiple rules may share the same number.
.Pp
There is one rule that always exists, rule number 65535.
This rule
normally causes all packets to be dropped.
Hence, any packet which does not
match a lower numbered rule will be dropped.
However, the kernel compile
time option
.Dv IPFIREWALL_DEFAULT_TO_ACCEPT
allows the administrator to change this fixed rule to permit everything.
.Pp
The value passed to
.Fn setsockopt
is a struct ip_fw describing the rule (see below).
In some cases
(such as
.Dv IP_FW_DEL ) ,
only the rule number is significant.
.Ss Commands
The following socket options are used to manage the rule list:
.Bl -tag -width "IP_FW_FLUSH"
.It Dv IP_FW_ADD
Inserts the rule into the rule list.
.It Dv IP_FW_DEL
Deletes all rules having the matching rule number.
.It Dv IP_FW_GET
Returns the (first) rule having the matching rule number.
.It Dv IP_FW_ZERO
Zeros the statistics associated with all rules having the
matching rule number.
If the rule number is zero, all rules are zeroed.
.It Dv IP_FW_FLUSH
Removes all rules (except 65535).
.El
.Pp
When the kernel security level is greater than 2, only
.Dv IP_FW_GET
is allowed.
.Ss Rule Structure
Rules are described by the structures in ip_fw.h.
.Ss Rule Actions
Each rule has an action described by the
.Dv IP_FW_F_COMMAND
bits in the flags word:
.Bl -tag -width "IP_FW_F_DIVERT"
.It Dv IP_FW_F_DENY
Drop packet and stop processing.
.It Dv IP_FW_F_REJECT
Drop packet; send a rejection via ICMP or TCP and stop processing.
.It Dv IP_FW_F_ACCEPT
Accept packet and stop processing.
.It Dv IP_FW_F_COUNT
Increment counters; continue matching.
.It Dv IP_FW_F_DIVERT
Divert packet to a
.Xr divert 4
socket and stop processing.
.It Dv IP_FW_F_TEE
Send a copy of this packet to a
.Xr divert 4
socket and continue processing the original packet at the next rule.
.It Dv IP_FW_F_SKIPTO
Skip to rule number
.Va fu_skipto_rule .
At this time the target rule number must be greater than the active rule number.
.It Dv IP_FW_F_PIPE
The packet is marked for the use of
.Xr dummynet 4 ,
and processing stopped.
.It Dv IP_FW_F_QUEUE
The packet is marked for the use of
.Xr dummynet 4 ,
and processing stopped.
.It Dv IP_FW_F_FWD
The packet is accepted but the destination is hijacked (see
.Xr ipfw 8 ) .
.El
.Pp
In the case of
.Dv IP_FW_F_REJECT ,
if the
.Va fu_reject_code
is a number
from 0 to 255, then an ICMP unreachable packet is sent back to the
original packet's source IP address, with the corresponding code.
Otherwise, the value must be 256 and the protocol
.Dv IPPROTO_TCP ,
in which case a TCP reset packet is sent instead.
.Pp
With
.Dv IP_FW_F_SKIPTO ,
all succeeding rules having rule number less
than
.Va fu_skipto_rule
are skipped.
.Ss Kernel Options
Options in the kernel configuration file:
.Bl -tag -width "options IPFIREWALL_VERBOSE_LIMIT"
.It Cd options IPFIREWALL
Enable
.Nm .
.It Cd options IPFIREWALL_VERBOSE
Enable firewall logging.
.It Cd options IPFIREWALL_VERBOSE_LIMIT
Limit firewall logging.
.It Cd options IPDIVERT
Enable
.Xr divert 4
sockets.
.El
.Pp
When packets match a rule with the
.Dv IP_FW_F_PRN
bit set, and if
.Dv IPFIREWALL_VERBOSE
has been enabled,
a message is written to
.Pa /dev/klog
with the
.Dv LOG_SECURITY
facility
(see
.Xr syslog 3 )
for further logging by
.Xr syslogd 8 ;
.Dv IPFIREWALL_VERBOSE_LIMIT
limits the maximum number of times each
rule can cause a log message.
These variables are also
available via the
.Xr sysctl 3
interface.
.Sh RETURN VALUES
The
.Fn setsockopt
function returns 0 on success.
Otherwise, -1 is returned and the global variable
.Va errno
is set to indicate the error.
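.Sh EXAMPLES
The rule-list semantics described above (ordered numbered rules, the fixed
rule 65535, COUNT continuing to match, SKIPTO skipping every following rule
numbered below its target, IP_FW_DEL removing every rule sharing a number,
IP_FW_ZERO with rule number 0 clearing all counters, and the
fu_reject_code validity rule), modelled in user space as an added example.
This is not the kernel's implementation and does not exercise the
setsockopt interface: the type and function names (fw_rule, fw_add,
fw_check and so on) are the model's own, not those of struct ip_fw in
ip_fw.h, and the rules and packets in fw_demo are constructed for the
demonstration.

```c
/* Added example: user-space model of the ipfirewall rule list semantics.
 * Not kernel code; field and function names are the model's own. */
#include <stdint.h>
#include <stdio.h>
#include <netinet/in.h>          /* IPPROTO_TCP, IPPROTO_UDP */

enum fw_action { FW_DENY, FW_REJECT, FW_ACCEPT, FW_COUNT, FW_SKIPTO };

typedef struct {
	uint16_t number;         /* 1..65534; 65535 is the fixed default rule */
	enum fw_action action;
	uint16_t arg;            /* SKIPTO target, or REJECT code (0-255 ICMP, 256 TCP RST) */
	uint32_t src, smask;     /* matches when (pkt.src & smask) == src */
	uint32_t dst, dmask;
	uint8_t  proto;          /* 0 matches any protocol */
	uint64_t pcnt, bcnt;     /* statistics cleared by IP_FW_ZERO */
} fw_rule;

typedef struct { uint32_t src, dst; uint8_t proto; uint16_t len; } fw_pkt;

#define FW_MAXRULES 64
static fw_rule rules[FW_MAXRULES];   /* kept sorted by rule number */
static int nrules;
static int default_to_accept;        /* models IPFIREWALL_DEFAULT_TO_ACCEPT */

static uint32_t ip4(int a, int b, int c, int d)
{ return ((uint32_t)a << 24) | ((uint32_t)b << 16) | (c << 8) | d; }

/* IP_FW_ADD: validate, then insert in rule-number order (equal numbers keep
 * insertion order). Returns -1 where the kernel would report EINVAL. */
int fw_add(fw_rule r)
{
	if (r.number == 0 || r.number == 65535 || nrules == FW_MAXRULES)
		return -1;
	if (r.action == FW_SKIPTO && r.arg <= r.number)   /* target must be higher */
		return -1;
	if (r.action == FW_REJECT &&
	    (r.arg > 256 || (r.arg == 256 && r.proto != IPPROTO_TCP)))
		return -1;
	int i = nrules;
	while (i > 0 && rules[i - 1].number > r.number) { rules[i] = rules[i - 1]; i--; }
	rules[i] = r;
	nrules++;
	return 0;
}

/* IP_FW_DEL: remove every rule carrying this number; returns how many. */
int fw_del(uint16_t number)
{
	int kept = 0, removed = 0;
	for (int i = 0; i < nrules; i++) {
		if (rules[i].number == number) removed++;
		else rules[kept++] = rules[i];
	}
	nrules = kept;
	return removed;
}

/* IP_FW_ZERO: clear counters of one rule number, or of all rules when 0. */
void fw_zero(uint16_t number)
{
	for (int i = 0; i < nrules; i++)
		if (number == 0 || rules[i].number == number)
			rules[i].pcnt = rules[i].bcnt = 0;
}

void fw_flush(void) { nrules = 0; }   /* IP_FW_FLUSH: rule 65535 stays implicit */

static int rule_matches(const fw_rule *r, const fw_pkt *p)
{
	return (p->src & r->smask) == r->src && (p->dst & r->dmask) == r->dst &&
	       (r->proto == 0 || r->proto == p->proto);
}

/* Walk the ordered list until a terminating action fires. *matched gets the
 * number of the deciding rule, 65535 when the packet fell through. */
enum fw_action fw_check(const fw_pkt *p, uint16_t *matched)
{
	int i = 0;
	while (i < nrules) {
		fw_rule *r = &rules[i];
		if (!rule_matches(r, p)) { i++; continue; }
		r->pcnt++;
		r->bcnt += p->len;
		if (r->action == FW_COUNT) { i++; continue; }      /* keep matching */
		if (r->action == FW_SKIPTO) {
			/* skip every succeeding rule numbered below the target */
			while (i < nrules && rules[i].number < r->arg) i++;
			continue;
		}
		*matched = r->number;
		return r->action;
	}
	*matched = 65535;
	return default_to_accept ? FW_ACCEPT : FW_DENY;
}

/* Constructed scenario (not from the page); returns how many of 7 expectations held. */
int fw_demo(void)
{
	fw_flush(); default_to_accept = 0;
	fw_rule count = { .number = 100, .action = FW_COUNT };
	fw_rule skip  = { .number = 200, .action = FW_SKIPTO, .arg = 400, .proto = IPPROTO_TCP };
	fw_rule deny  = { .number = 300, .action = FW_DENY };
	fw_rule allow = { .number = 400, .action = FW_ACCEPT,
	                  .dst = ip4(10, 0, 0, 0), .dmask = ip4(255, 0, 0, 0) };
	fw_rule bad   = { .number = 500, .action = FW_SKIPTO, .arg = 50 };   /* target below rule */
	fw_pkt tcp10  = { ip4(192, 168, 1, 5), ip4(10, 1, 2, 3), IPPROTO_TCP, 60 };
	fw_pkt udp10  = { ip4(192, 168, 1, 5), ip4(10, 1, 2, 3), IPPROTO_UDP, 60 };
	fw_pkt tcp192 = { ip4(10, 9, 9, 9), ip4(192, 168, 1, 1), IPPROTO_TCP, 60 };
	uint16_t n;
	int ok = 0;
	ok += fw_add(allow) == 0 && fw_add(deny) == 0 && fw_add(skip) == 0 && fw_add(count) == 0;
	ok += fw_add(bad) == -1;
	ok += fw_check(&tcp10, &n) == FW_ACCEPT && n == 400;    /* SKIPTO jumped over rule 300 */
	ok += fw_check(&udp10, &n) == FW_DENY && n == 300;      /* UDP never matched the SKIPTO */
	ok += fw_check(&tcp192, &n) == FW_DENY && n == 65535;   /* fell through to the default rule */
	ok += rules[0].pcnt == 3 && fw_del(300) == 1 && fw_check(&udp10, &n) == FW_ACCEPT;
	fw_zero(0);
	ok += rules[0].pcnt == 0 && rules[0].bcnt == 0;
	return ok;
}

int main(void)
{
	int ok = fw_demo();
	printf("%d of 7 expectations held\n", ok);
	return ok == 7 ? 0 : 1;
}
```

The model keeps the list sorted on insertion so that the SKIPTO skip loop is a
simple forward scan, which is also why fw_add refuses a target at or below the
rule's own number: without that check a SKIPTO would never advance.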
.Sh ERRORS
The
.Fn setsockopt
function will fail if:
.Bl -tag -width Er
.It Bq Er EINVAL
The IP option field was improperly formed;
an option field was shorter than the minimum value
or longer than the option buffer provided.
.It Bq Er EINVAL
A structural error in the ip_fw structure occurred
(n_src_p+n_dst_p too big, ports set for ALL/ICMP protocols etc.).
.It Bq Er EINVAL
An invalid rule number was used.
.El
.Sh SEE ALSO
.Xr setsockopt 2 ,
.Xr divert 4 ,
.Xr ip 4 ,
.Xr ipfw 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8
.Sh BUGS
This man page still needs work.
.Sh HISTORY
The ipfw facility was initially written as a package for BSDI
by
.An Daniel Boulet
.Aq danny@BouletFermat.ab.ca .
It has been heavily modified and ported to
.Fx
by
.An Ugen J.S. Antsilevich
.Aq ugen@NetVision.net.il .
.Pp
Several enhancements were added by
.An Archie Cobbs
.Aq archie@FreeBSD.org .