!!!IPFWADM
----
!!NAME

ipfwadm - IP firewall and accounting administration

!!SYNOPSIS

__ipfwadm -A__ command parameters [[options]
__ipfwadm -I__ command parameters [[options]
__ipfwadm -O__ command parameters [[options]
__ipfwadm -F__ command parameters [[options]
__ipfwadm -M__ [[ -l | -s ] [[options]

!!NOTE

Please note that this is just a wrapper around ipchains(8) for old-fashioned users and for old scripts.

!!DESCRIPTION

__Ipfwadm__ is used to set up, maintain, and inspect the IP firewall and accounting rules in the Linux kernel. These rules can be divided into 4 different categories: accounting of IP packets, the IP input firewall, the IP output firewall, and the IP forwarding firewall. For each of these categories, a separate list of rules is maintained. See ipfw(4) for more details.

!!OPTIONS

The options that are recognized by __ipfwadm__ can be divided into several different groups.

__CATEGORIES__

The following flags are used to select the category of rules to which the given command applies:

__-A__ [[''direction'']

IP accounting rules. Optionally, a ''direction'' can be specified (''in'', ''out'', or ''both''), indicating whether only incoming or outgoing packets should be counted. The default direction is ''both''.

__-I__

IP input firewall rules.

__-O__

IP output firewall rules.

__-F__

IP forwarding firewall rules.

__-M__

IP masquerading administration. This category can only be used in combination with the __-l__ (list) or __-s__ (set timeout values) command.

Exactly one of these options has to be specified.

__COMMANDS__

The next options specify the specific action to perform. Only one of them can be specified on the command line, unless something else is listed in the description.

__-a__ [[''policy'']

Append one or more rules to the end of the selected list. For the accounting chain, no policy should be specified. For firewall chains, it is required to specify one of the following policies: ''accept'', ''deny'', ''reject'', or ''masquerade''. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.

__-i__ [[''policy'']

Insert one or more rules at the beginning of the selected list. See the description of the __-a__ command for more details.

__-d__ [[''policy'']

Delete one or more entries from the selected list of rules. The semantics are equal to those of the append/insert commands. The specified parameters should exactly match the parameters given with an append or insert command, otherwise no match will be found and the rule will not be removed from the list. Only the first matching rule in the list will be deleted.

__-l__

List all the rules in the selected list. This command may be combined with the __-z__ (reset counters to zero) command. In that case, the packet and byte counters will be reset immediately after listing their current values. Unless the __-x__ option is present, packet and byte counters (if listed) will be shown as ''number''K or ''number''M, where 1K means 1000 and 1M means 1000K (rounded to the nearest integer value). See also the __-e__ and __-x__ flags for more capabilities.

__-z__

Reset the packet and byte counters of all the rules in the selected list. This command may be combined with the __-l__ (list) command.

__-f__

Flush the selected list of rules.

__-p__ ''policy''

Change the default policy for the selected type of firewall. The given policy has to be one of ''accept'', ''deny'', ''reject'', or ''masquerade''. The default policy is used when no matching rule is found. This operation is only valid for IP firewalls, that is, in combination with the __-I__, __-O__, or __-F__ flag.

__-s__ ''tcp tcpfin udp''

Change the timeout values used for masquerading. This command always takes 3 parameters, representing the timeout values (in seconds) for TCP sessions, TCP sessions after receiving a FIN packet, and UDP packets, respectively. A timeout value of 0 means that the current timeout value of the corresponding entry is preserved. This operation is only allowed in combination with the __-M__ flag.

__-c__

Check whether this IP packet would be accepted, denied, or rejected by the selected type of firewall. This operation is only valid for IP firewalls, that is, in combination with the __-I__, __-O__, or __-F__ flag.

__-h__

Help. Give a (currently very brief) description of the command syntax.

__PARAMETERS__

The following parameters can be used in combination with the append, insert, delete, or check commands:

__-P__ ''protocol''

The protocol of the rule or of the packet to check. The specified protocol can be one of ''tcp'', ''udp'', ''icmp'', or ''all''. Protocol ''all'' will match with all protocols and is taken as default when this option is omitted. ''All'' may not be used in combination with the check command.

__-S__ ''address''[[/''mask''] [[''port'' ...]

Source specification (optional). ''Address'' can be either a hostname, a network name, or a plain IP address. The ''mask'' can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of ''24'' is equivalent to ''255.255.255.0''.

The source may include one or more port specifications or ICMP types. Each of them can either be a service name, a port number, or a (numeric) ICMP type. In the rest of this paragraph, a ''port'' means either a port specification or an ICMP type. One of these specifications may be a range of ports, in the format ''port'':''port''. Furthermore, the total number of ports specified with the source and destination addresses should not be greater than __IP_FW_MAX_PORTS__ (currently 10). Here a port range counts as 2 ports.

Packets not being the first fragment of a TCP, UDP, or ICMP packet are always accepted by the firewall. For accounting purposes, these second and further fragments are treated specially, to be able to count them in some way. The port number 0xFFFF (65535) is used for a match with the second and further fragments of TCP or UDP packets. These packets will be treated for accounting purposes as if both their port numbers are 0xFFFF. The number 0xFF (255) is used for a match with the second and further fragments of ICMP packets. These packets will be treated for accounting purposes as if their ICMP types are 0xFF. Note that the specified command and protocol may imply restrictions on the ports to be specified. Ports may only be specified in combination with the ''tcp'', ''udp'', or ''icmp'' protocol.

When this option is omitted, the default address/mask ''0.0.0.0/0'' (matching with any address) is used as source address. This option is required in combination with the check command, in which case also exactly one port has to be specified.

__-D__ ''address''[[/''mask''] [[''port'' ...]

Destination specification (optional). See the description of the __-S__ (source) flag for a detailed description of the syntax, default values, and other requirements. Note that ICMP types are not allowed in combination with the __-D__ flag: ICMP types can only be specified after the __-S__ flag.

__-V__ ''address''

Optional address of an interface via which a packet is received, or via which a packet is going to be sent. ''Address'' can be either a hostname or a plain IP address. When a hostname is specified, it should resolve to exactly one IP address. When this option is omitted, the address ''0.0.0.0'' is assumed, which has a special meaning and will match with any interface address. For the check command, this option is mandatory.

__-W__ ''name''

Optional name of an interface via which a packet is received, or via which a packet is going to be sent. When this option is omitted, the empty string is assumed, which has a special meaning and will match with any interface name. For the check command, this option is mandatory.

__OTHER OPTIONS__

The following additional options can be specified:

__-b__

Bidirectional mode. The rule will match with IP packets in both directions. This option is only valid in combination with the append, insert, or delete commands.

__-e__

Extended output. This option makes the list command also show the interface address and the rule options (if any). For firewall lists, the packet and byte counters (the default is to only show these counters for the accounting rules) and the TOS masks will also be listed. When used in combination with __-M__, information related to delta sequence numbers will also be listed. This option is only valid in combination with the list command.

__-k__

Only match TCP packets with the ACK bit set (this option will be ignored for packets of other protocols). This option is only valid in combination with the append, insert, or delete command.

__-m__

Masquerade packets accepted for forwarding. When this option is set, packets accepted by this rule will be masqueraded as if they originated from the local host. Furthermore, reverse packets will be recognized as such and they will be demasqueraded automatically, bypassing the forwarding firewall. This option is only valid in forwarding firewall rules with policy ''accept'' (or when specifying ''accept'' as default policy) and can only be used when the kernel is compiled with __CONFIG_IP_MASQUERADE__ defined.

__-n__

Numeric output. IP addresses and port numbers will be printed in numeric format. By default, the program will try to display them as host names, network names, or services (whenever applicable).

__-o__

Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information of all matching packets (like most IP header fields) via ''printk''(). This option will only be effective when the Linux kernel is compiled with __CONFIG_IP_FIREWALL_VERBOSE__ defined. This option is only valid in combination with the append, insert or delete command.

__-r__ [[''port'']

Redirect packets to a local socket. When this option is set, packets accepted by this rule will be redirected to a local socket, even if they were sent to a remote host. If the specified redirection port is 0, which is the default value, the destination port of a packet will be used as the redirection port. This option is only valid in input firewall rules with policy ''accept'' and can only be used when the Linux kernel is compiled with __CONFIG_IP_TRANSPARENT_PROXY__ defined.

__-t__ ''andmask xormask''

Masks used for modifying the TOS field in the IP header. When a packet is accepted (with or without masquerading) by a firewall rule, its TOS field is first bitwise AND'ed with the first mask and the result of this will be bitwise XOR'ed with the second mask. The masks should be specified as hexadecimal 8-bit values. This option is only valid in combination with the append, insert or delete command and will have no effect when used in combination with accounting rules or firewall rules for rejecting or denying a packet.

__-v__

Verbose output. Print detailed information of the rule or packet to be added, deleted, or checked. This option will only have effect with the append, insert, delete, or check command.

__-x__

Expand numbers. Display the exact value of the packet and byte counters, instead of only the rounded number in K's (multiples of 1000) or M's (multiples of 1000K). This option will only have effect when the counters are listed anyway (see also the __-e__ option).

__-y__

Only match TCP packets with the SYN bit set and the ACK bit cleared (this option will be ignored for packets of other protocols). This option is only valid in combination with the append, insert, or delete command.
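The address/mask, port, fragment and flag semantics of the PARAMETERS and OTHER OPTIONS sections above, modelled offline as an added example (this is not ipfwadm's own code; the rule and packet dictionaries, their key names and the sample 192.168.1.0/24 input list are constructed for illustration). It reproduces what the check command (-c) would report for a packet against an input-firewall list: first match wins, otherwise the -p default policy, with -k, -y, -b, the 0xFFFF fragment pseudo port and the -t TOS masks taken into account.

```python
"""Added example, not ipfwadm's code: offline model of the man page's matching rules ('ipfwadm -c')."""
import ipaddress
FRAG_PORT = 0xFFFF  # pseudo port of second and further TCP/UDP fragments

def _endpoint_ok(net, ports, addr, port):
    """-S/-D: 'address/mask' (prefix length or dotted mask) plus optional ports."""
    if ipaddress.ip_address(addr) not in ipaddress.ip_network(net, strict=False):
        return False
    return not ports or port in ports

def _match(rule, pkt):
    """One rule against one packet: implements -P, -S, -D, -k, -y and -b."""
    if rule.get("proto", "all") not in ("all", pkt["proto"]):
        return False
    if pkt["proto"] == "tcp":
        if rule.get("ack_only") and not pkt.get("ack"):                       # -k
            return False
        if rule.get("syn_only") and (not pkt.get("syn") or pkt.get("ack")):   # -y
            return False
    src = (rule.get("src", "0.0.0.0/0"), rule.get("sports", ()))
    dst = (rule.get("dst", "0.0.0.0/0"), rule.get("dports", ()))
    if (_endpoint_ok(*src, pkt["src"], pkt["sport"]) and
            _endpoint_ok(*dst, pkt["dst"], pkt["dport"])):
        return True
    return bool(rule.get("bidir")) and (                                      # -b: reverse direction
        _endpoint_ok(*src, pkt["dst"], pkt["dport"]) and
        _endpoint_ok(*dst, pkt["src"], pkt["sport"]))

def check(rules, default_policy, pkt):
    """First matching rule decides, else the -p default policy; returns
    (policy, tos) with -t 'andmask xormask' applied only when accepting."""
    if pkt["proto"] in ("tcp", "udp") and pkt["sport"] == FRAG_PORT:
        return "accept", pkt.get("tos", 0)  # later fragments bypass the firewall
    for rule in rules:
        if _match(rule, pkt):
            tos = pkt.get("tos", 0)
            if rule["policy"] in ("accept", "masquerade") and "tos" in rule:
                andmask, xormask = rule["tos"]
                tos = (tos & andmask) ^ xormask
            return rule["policy"], tos
    return default_policy, pkt.get("tos", 0)

# Constructed input-firewall list for a host on LAN 192.168.1.0/24 (default policy deny)
INPUT_RULES = [
    {"policy": "accept", "proto": "tcp", "ack_only": True},                   # -k: established
    {"policy": "accept", "proto": "tcp", "src": "192.168.1.0/24",
     "dports": (22,), "syn_only": True},                                       # -y: new SSH from LAN
    {"policy": "accept", "proto": "udp", "src": "192.168.1.0/255.255.255.0",
     "dports": (53,), "tos": (0x01, 0x10)},                                   # -t 01 10
]
```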
435 |
!!FILES |
|
|
436 |
|
|
|
437 |
|
|
|
438 |
''/proc/net/ip_acct |
|
|
439 |
/proc/net/ip_input |
|
|
440 |
/proc/net/ip_output |
|
|
441 |
/proc/net/ip_forward |
|
|
442 |
/proc/net/ip_masquerade'' |
|
|
443 |
!!SEE ALSO |
|
|
444 |
|
|
|
445 |
|
|
|
446 |
ipfw(4) |
|
|
447 |
!!AUTHOR |
|
|
448 |
|
|
|
449 |
|
|
|
450 |
Jos Vos |
|
|
451 |
X/OS Experts in Open Systems BV, Amsterdam, The |
|
|
452 |
Netherlands |
|
|
453 |
---- |