ipfwadm-ipchainsalternative(8)
!!!IPFWADM
NAME
SYNOPSIS
NOTE
DESCRIPTION
OPTIONS
FILES
SEE ALSO
AUTHOR
----
!!NAME

ipfwadm - IP firewall and accounting administration
!!SYNOPSIS

__ipfwadm -A__ ''command parameters'' [[''options'']
__ipfwadm -I__ ''command parameters'' [[''options'']
__ipfwadm -O__ ''command parameters'' [[''options'']
__ipfwadm -F__ ''command parameters'' [[''options'']
__ipfwadm -M__ [[ __-l__ | __-s__ ] [[''options'']
!!NOTE

Please note that this is just a wrapper around ipchains(8), provided
for users who are used to the old syntax and for old scripts.
!!DESCRIPTION

__Ipfwadm__ is used to set up, maintain, and inspect the
IP firewall and accounting rules in the Linux kernel. These
rules can be divided into 4 different categories: accounting
of IP packets, the IP input firewall, the IP output
firewall, and the IP forwarding firewall. For each of these
categories, a separate list of rules is maintained. See
ipfw(4) for more details.
!!OPTIONS

The options that are recognized by __ipfwadm__ can be
divided into several different groups.

__CATEGORIES__

The following flags are used to select the category of rules
to which the given command applies:

__-A__ [[''direction'']

IP accounting rules. Optionally, a ''direction'' can be
specified (''in'', ''out'', or ''both''),
indicating whether only incoming or only outgoing packets should
be counted. The default direction is ''both''.

__-I__

IP input firewall rules.

__-O__

IP output firewall rules.

__-F__

IP forwarding firewall rules.

__-M__

IP masquerading administration. This category can only be
used in combination with the __-l__ (list) or __-s__
(set timeout values) command.

Exactly one of these options has to be specified.

__COMMANDS__

The next options specify the specific action to perform.
Only one of them can be specified on the command line,
unless something else is listed in the description.

__-a__ [[''policy'']

Append one or more rules to the end of the selected list.
For the accounting chain, no policy should be specified. For
firewall chains, it is required to specify one of the
following policies: ''accept'', ''deny'',
''reject'', or ''masquerade''. When the source and/or
destination names resolve to more than one address, a rule
will be added for each possible address combination.

__-i__ [[''policy'']

Insert one or more rules at the beginning of the selected
list. See the description of the __-a__ command for more
details.

__-d__ [[''policy'']

Delete one or more entries from the selected list of rules.
The semantics are equal to those of the append/insert
commands. The specified parameters should exactly match the
parameters given with an append or insert command, otherwise
no match will be found and the rule will not be removed from
the list. Only the first matching rule in the list will be
deleted.

__-l__

List all the rules in the selected list. This command may be
combined with the __-z__ (reset counters to zero)
command. In that case, the packet and byte counters will be
reset immediately after listing their current values. Unless
the __-x__ option is present, packet and byte counters
(if listed) will be shown as ''number''K or
''number''M, where 1K means 1000 and 1M means 1000K
(rounded to the nearest integer value). See also the
__-e__ and __-x__ flags for more capabilities.

__-z__

Reset the packet and byte counters of all the rules in the
selected list. This command may be combined with the
__-l__ (list) command.

__-f__

Flush the selected list of rules. After a flush, every packet
in that category is handled by the default policy alone (see
__-p__), so set a restrictive policy before flushing a
firewall list that is about to be rebuilt.

__-p__ ''policy''

Change the default policy for the selected type of firewall.
The given policy has to be one of ''accept'',
''deny'', ''reject'', or ''masquerade''. The
default policy is used when no matching rule is found. This
operation is only valid for IP firewalls, that is, in
combination with the __-I__, __-O__, or __-F__
flag.

__-s__ ''tcp tcpfin udp''

Change the timeout values used for masquerading. This
command always takes 3 parameters, representing the timeout
values (in seconds) for TCP sessions, TCP sessions after
receiving a FIN packet, and UDP packets, respectively. A
timeout value of 0 means that the current timeout value of the
corresponding entry is preserved. This operation is only
allowed in combination with the __-M__ flag.

__-c__

Check whether the IP packet described by the given parameters
would be accepted, denied, or rejected by the selected type of
firewall. This operation is only valid for IP firewalls, that
is, in combination with the __-I__, __-O__, or __-F__ flag.

__-h__

Help. Give a (currently very brief) description of the
command syntax.

__PARAMETERS__

The following parameters can be used in combination with the
append, insert, delete, or check commands:

__-P__ ''protocol''

The protocol of the rule or of the packet to check. The
specified protocol can be one of ''tcp'', ''udp'',
''icmp'', or ''all''. Protocol ''all'' will match
with all protocols and is taken as default when this option
is omitted. ''All'' may not be used in combination
with the check command.

__-S__ ''address''[[/''mask''] [[''port'' ...]

Source specification (optional). ''Address'' can be
either a hostname, a network name, or a plain IP address.
The ''mask'' can be either a network mask or a plain
number, specifying the number of 1's at the left side of the
network mask. Thus, a mask of ''24'' is equivalent to
''255.255.255.0''.

The source may include one or more port specifications or
ICMP types. Each of them can either be a service name, a
port number, or a (numeric) ICMP type. In the rest of this
paragraph, a ''port'' means either a port specification
or an ICMP type. One of these specifications may be a range
of ports, in the format ''port'':''port''.
Furthermore, the total number of ports specified with the
source and destination addresses should not be greater than
__IP_FW_MAX_PORTS__ (currently 10). Here a port range
counts as 2 ports.

Packets not being the first fragment of a TCP, UDP, or ICMP
packet are always accepted by the firewall, so port-based
firewall rules never apply to them. For accounting
purposes, these second and further fragments are treated
specially, to be able to count them in some way. The port
number 0xFFFF (65535) is used for a match with the second
and further fragments of TCP or UDP packets. These packets
will be treated for accounting purposes as if both their
port numbers are 0xFFFF. The number 0xFF (255) is used for a
match with the second and further fragments of ICMP packets.
These packets will be treated for accounting purposes as if
their ICMP types are 0xFF. Note that the specified command
and protocol may imply restrictions on the ports to be
specified. Ports may only be specified in combination with
the ''tcp'', ''udp'', or ''icmp'' protocol.

When this option is omitted, the default address/mask
''0.0.0.0/0'' (matching with any address) is used as
source address. This option is required in combination with
the check command, in which case exactly one port also has
to be specified.

__-D__ ''address''[[/''mask''] [[''port'' ...]

Destination specification (optional). See the description of
the __-S__ (source) flag for a detailed description of
the syntax, default values, and other requirements. Note
that ICMP types are not allowed in combination with the
__-D__ flag: ICMP types can only be specified after
the __-S__ flag.

__-V__ ''address''

Optional address of an interface via which a packet is
received, or via which a packet is going to be sent.
''Address'' can be either a hostname or a plain IP
address. When a hostname is specified, it should resolve to
exactly one IP address. When this option is omitted, the
address ''0.0.0.0'' is assumed, which has a special
meaning and will match with any interface address. For the
check command, this option is mandatory.

__-W__ ''name''

Optional name of an interface via which a packet is
received, or via which a packet is going to be sent. When
this option is omitted, the empty string is assumed, which
has a special meaning and will match with any interface
name. For the check command, this option is mandatory.

__OTHER OPTIONS__

The following additional options can be specified:

__-b__

Bidirectional mode. The rule will match with IP packets in
both directions. This option is only valid in combination
with the append, insert, or delete commands.

__-e__

Extended output. This option makes the list command also
show the interface address and the rule options (if any).
For firewall lists, the packet and byte counters (the
default is to only show these counters for the accounting
rules) and the TOS masks will also be listed. When used in
combination with __-M__, information related to delta
sequence numbers will also be listed. This option is only
valid in combination with the list command.

__-k__

Only match TCP packets with the ACK bit set (this option
will be ignored for packets of other protocols). This option
is only valid in combination with the append, insert, or
delete command.

__-m__

Masquerade packets accepted for forwarding. When this option
is set, packets accepted by this rule will be masqueraded as
if they originated from the local host. Furthermore, reverse
packets will be recognized as such and they will be
demasqueraded automatically, bypassing the forwarding
firewall. This option is only valid in forwarding firewall
rules with policy ''accept'' (or when specifying
''accept'' as default policy) and can only be used when
the kernel is compiled with __CONFIG_IP_MASQUERADE__
defined.

__-n__

Numeric output. IP addresses and port numbers will be
printed in numeric format. By default, the program will try
to display them as host names, network names, or services
(whenever applicable).

__-o__

Turn on kernel logging of matching packets. When this option
is set for a rule, the Linux kernel will print some
information about all matching packets (like most IP header
fields) via ''printk''(). This option will only be
effective when the Linux kernel is compiled with
__CONFIG_IP_FIREWALL_VERBOSE__ defined. This option is
only valid in combination with the append, insert or delete
command.

__-r__ [[''port'']

Redirect packets to a local socket. When this option is set,
packets accepted by this rule will be redirected to a local
socket, even if they were sent to a remote host. If the
specified redirection port is 0, which is the default value,
the destination port of a packet will be used as the
redirection port. This option is only valid in input
firewall rules with policy ''accept'' and can only be
used when the Linux kernel is compiled with
__CONFIG_IP_TRANSPARENT_PROXY__ defined.

__-t__ ''andmask xormask''

Masks used for modifying the TOS field in the IP header.
When a packet is accepted (with or without masquerading) by
a firewall rule, its TOS field is first bitwise AND'ed with
the first mask, and the result of this is then bitwise XOR'ed
with the second mask. The masks should be specified as
hexadecimal 8-bit values. This option is only valid in
combination with the append, insert or delete command and
will have no effect when used in combination with accounting
rules or firewall rules for rejecting or denying a packet.

__-v__

Verbose output. Print detailed information about the rule or
packet to be added, deleted, or checked. This option will
only have effect with the append, insert, delete, or check
command.

__-x__

Expand numbers. Display the exact value of the packet and
byte counters, instead of only the rounded number in K's
(multiples of 1000) or M's (multiples of 1000K). This option
will only have effect when the counters are listed anyway
(see also the __-e__ option).

__-y__

Only match TCP packets with the SYN bit set and the ACK bit
cleared (this option will be ignored for packets of other
protocols). This option is only valid in combination with
the append, insert, or delete command.
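The categories, commands, parameters and options above are easiest to see working together in one ruleset. The script below is an added example, not code from this man page or from ipfwadm's author: it builds a default-deny input and forwarding firewall for a small masquerading gateway, counts ports the way the __IP_FW_MAX_PORTS__ limit does, shows what a __-t__ mask pair does to a TOS byte, and finishes with __-c__ checks. The interface names (eth0, eth1), the addresses 192.0.2.10 and 203.0.113.5, the network 192.168.1.0/24 and the TOS masks ''01 10'' are assumed values. By default the script only prints the command lines; run it with APPLY=1 to execute them.

```shell
#!/bin/sh
# Added example (not from the man page or the ipfwadm project): a default-deny
# ruleset for a small gateway built from the commands and options above.
# Interface names, addresses, networks and TOS masks are assumed values.
# Without APPLY=1 the ipfwadm command lines are printed, not executed.

EXT_IF="eth0"              # assumed: interface towards the Internet
EXT_IP="192.0.2.10"        # assumed: address on that interface
INT_IF="eth1"              # assumed: interface towards the LAN
INT_NET="192.168.1.0/24"   # assumed: LAN that will be masqueraded

fw() {
    if [ "${APPLY:-}" = 1 ]; then ipfwadm "$@"; else printf 'ipfwadm %s\n' "$*"; fi
}

# Count port arguments the way the kernel limit does: a range "a:b" costs 2,
# a single port 1. -S and -D together may not exceed IP_FW_MAX_PORTS (10).
port_budget() {
    n=0
    for p in "$@"; do
        case "$p" in *:*) n=$((n + 2)) ;; *) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Effect of "-t andmask xormask" on a TOS byte: (tos & andmask) ^ xormask.
# All three arguments and the result are two hex digits, as ipfwadm expects.
tos_apply() {
    printf '%02x\n' $(( (0x$1 & 0x$2) ^ 0x$3 ))
}

build_rules() {
    # 1. Close the default policies before flushing, so no packet is
    #    accepted by an empty list while the rules are being rebuilt.
    fw -I -p deny
    fw -F -p deny
    fw -O -p accept            # traffic originating on the gateway is not restricted here
    fw -I -f
    fw -O -f
    fw -F -f
    fw -A -f

    # 2. Anti-spoofing: a packet claiming a LAN source address must not
    #    arrive on the external interface. -o logs the match via printk().
    fw -I -a deny -o -W "$EXT_IF" -S "$INT_NET"

    # 3. Replies to connections opened from here: TCP segments with ACK set.
    #    This is stateless: any ACK-flagged segment passes, so the rule only
    #    blocks connection setup, not ACK probes.
    fw -I -a accept -P tcp -k -D "$EXT_IP"

    # 4. New inbound connections (SYN without ACK, -y) only to listed
    #    services, after checking the port budget of the multi-port rule.
    #    "-t 01 10" keeps the low TOS bit and sets minimize-delay (0x10),
    #    an assumed choice for interactive ssh traffic.
    [ "$(port_budget 25 80 443)" -le 10 ] || return 1
    fw -I -a accept -P tcp -y -D "$EXT_IP" 22 -t 01 10
    fw -I -a accept -P tcp -y -D "$EXT_IP" 25 80 443

    # 5. Everything arriving from the LAN side is accepted on input.
    fw -I -a accept -W "$INT_IF" -S "$INT_NET"

    # 6. Forward and masquerade the LAN; -m needs policy accept and a kernel
    #    built with CONFIG_IP_MASQUERADE. -W names the interface the
    #    masqueraded packets leave through.
    fw -F -a accept -m -W "$EXT_IF" -S "$INT_NET" -D 0.0.0.0/0

    # 7. Account for non-first fragments, which port matching never sees:
    #    they carry pseudo-port 65535 (TCP/UDP) or pseudo-type 255 (ICMP).
    fw -A in -a -P tcp -S 0.0.0.0/0 65535 -D 0.0.0.0/0 65535
    fw -A in -a -P udp -S 0.0.0.0/0 65535 -D 0.0.0.0/0 65535
    fw -A in -a -P icmp -S 0.0.0.0/0 255
}

# Ask the kernel what it would do with one concrete inbound packet. A check
# needs a real protocol, exactly one port per side, and both -V and -W.
check_packet() {
    # check_packet <proto> <src-address> <src-port> <dst-port>
    fw -I -c -P "$1" -S "$2" "$3" -D "$EXT_IP" "$4" -V "$EXT_IP" -W "$EXT_IF"
}

build_rules || exit 1
check_packet tcp 203.0.113.5 40000 22     # ssh: should be accepted by rule 4
check_packet tcp 203.0.113.5 40000 23     # telnet: falls through to the deny policy
```

The check commands carry no __-y__ or __-k__ flag, because the man page allows those only with append, insert and delete; the kernel reports the verdict for the packet as described. Note also the order in step 1: the policy is changed before the flush, so the lists are never empty with an ''accept'' policy.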
!!FILES

''/proc/net/ip_acct
/proc/net/ip_input
/proc/net/ip_output
/proc/net/ip_forward
/proc/net/ip_masquerade''
!!SEE ALSO

ipfw(4)
!!AUTHOR

Jos Vos
X/OS Experts in Open Systems BV, Amsterdam, The Netherlands
----
This page is a man page (or other imported legacy content). We are unable to automatically determine the license status of this page.