diff options
Diffstat (limited to 'contrib/ipfilter/man/ipf.5')
-rw-r--r-- | contrib/ipfilter/man/ipf.5 | 1698 |
1 files changed, 0 insertions, 1698 deletions
diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5 deleted file mode 100644 index 8ef56493df5a..000000000000 --- a/contrib/ipfilter/man/ipf.5 +++ /dev/null @@ -1,1698 +0,0 @@ -.\" $FreeBSD$ -.TH IPF 5 -.SH NAME -ipf, ipf.conf \- IPFilter firewall rules file format -.SH DESCRIPTION -.PP -The ipf.conf file is used to specify rules for the firewall, packet -authentication and packet accounting components of IPFilter. To load rules -specified in the ipf.conf file, the ipf(8) program is used. -.PP -For use as a firewall, there are two important rule types: those that block -and drop packets (block rules) and those that allow packets through (pass -rules.) Accompanying the decision to apply is a collection of statements -that specify under what conditions the result is to be applied and how. -.PP -The simplest rules that can be used in ipf.conf are expressed like this: -.PP -.nf -block in all -pass out all -.fi -.PP -Each rule must contain at least the following three components -.RS -.IP * -a decision keyword (pass, block, etc.) -.IP * -the direction of the packet (in or out) -.IP * -address patterns or "all" to match any address information -.RE -.SS Long lines -.PP -For rules lines that are particularly long, it is possible to split -them over multiple lines implicity like this: -.PP -.nf -pass in on bgeo proto tcp from 1.1.1.1 port > 1000 - to 2.2.2.2 port < 5000 flags S keep state -.fi -.PP -or explicitly using the backslash ('\\') character: -.PP -.nf -pass in on bgeo proto tcp from 1.1.1.1 port > 1000 \\ - to 2.2.2.2 port < 5000 flags S keep state -.fi -.SS Comments -.PP -Comments in the ipf.conf file are indicated by the use of the '#' character. -This can either be at the start of the line, like this: -.PP -.nf -# Allow all ICMP packets in -pass in proto icmp from any to any -.fi -.PP -Or at the end of a like, like this: -.PP -.nf -pass in proto icmp from any to any # Allow all ICMP packets in -.fi -.SH Firewall rules -.PP -This section goes into detail on how to construct firewall rules that -are placed in the ipf.conf file. -.PP -It is beyond the scope of this document to describe what makes a good -firewall rule set or which packets should be blocked or allowed in. -Some suggestions will be provided but further reading is expected to -fully understand what is safe and unsafe to allow in/out. -.SS Filter rule keywords -.PP -The first word found in any filter rule describes what the eventual outcome -of a packet that matches it will be. Descriptions of the many and various -sections that can be used to match on the contents of packet headers will -follow on below. -.PP -The complete list of keywords, along with what they do is as follows: -.RS -.HP -pass -rules that match a packet indicate to ipfilter that it should be -allowed to continue on in the direction it is flowing. -.HP -block -rules are used when it is desirable to prevent a packet from going -any further. Packets that are blocked on the "in" side are never seen by -TCP/IP and those that are blocked going "out" are never seen on the wire. -.HP -log -when IPFilter successfully matches a packet against a log rule a log -record is generated and made available for ipmon(8) to read. These rules -have no impact on whether or not a packet is allowed through or not. -So if a packet first matched a block rule and then matched a log rule, -the status of the packet after the log rule is that it will still be -blocked. -.HP -count -rules provide the administrator with the ability to count packets and -bytes that match the criteria laid out in the configuration file. -The count rules are applied after NAT and filter rules on the inbound -path. For outbound packets, count rules are applied before NAT and -before the packet is dropped. Thus the count rule cannot be used as -a true indicator of link layer -.HP -auth -rules cause the matching packet to be queued up for processing by a -user space program. The user space program is responsible for making -an ioctl system call to collect the information about the queued -packet and another ioctl system call to return the verdict (block, -pass, etc) on what to do with the packet. In the event that the queue -becomes full, the packets will end up being dropped. -.HP -call -provides access to functions built into IPFilter that allow for more -complex actions to be taken as part of the decision making that goes -with the rule. -.HP -decapsulate -rules instruct ipfilter to remove any -other headers (IP, UDP, AH) and then process what is inside as a new packet. -For non-UDP packets, there are builtin checks that are applied in addition -to whatever is specified in the rule, to only allow decapsulation of -recognised protocols. After decapsulating the inner packet, any filtering -result that is applied to the inner packet is also applied to the other -packet. -.PP -The default way in which filter rules are applied is for the last -matching rule to be used as the decision maker. So even if the first -rule to match a packet is a pass, if there is a later matching rule -that is a block and no further rules match the packet, then it will -be blocked. -.SS Matching Network Interfaces -.PP -On systems with more than one network interface, it is necessary -to be able to specify different filter rules for each of them. -In the first instance, this is because different networks will send us -packets via each network interface but it is also because of the hosts, -the role and the resulting security policy that we need to be able to -distinguish which network interface a packet is on. -.PP -To accomodate systems where the presence of a network interface is -dynamic, it is not necessary for the network interface named in a -filter rule to be present in the system when the rule is loaded. -This can lead to silent errors being introduced and unexpected -behaviour with the simplest of keyboard mistakes - for example, -typing in hem0 instead of hme0 or hme2 instead of hme3. -.PP -On Solaris systems prior to Solaris 10 Update 4, it is not possible -to filter packets on the loopback interface (lo0) so filter rules -that specify it will have no impact on the corresponding flow of -packets. See below for Solaris specific tips on how to enable this. -.PP -Some examples of including the network interface in filter rules are: -.PP -.nf -block in on bge0 all -pass out on bge0 all -.fi -.SS Address matching (basic) -.PP -The first and most basic part of matching for filtering rules is to -specify IP addresses and TCP/UDP port numbers. The source address -information is matched by the "from" information in a filter rule -and the destination address information is matched with the "to" -information in a filter rule. -.PP -The typical format used for IP addresses is CIDR notation, where an -IP address (or network) is followed by a '/' and a number representing -the size of the netmask in bits. This notation is used for specifying -address matching in both IPv4 and IPv6. If the '/' and bitmask size -are excluded from the matching string, it is assumed that the address -specified is a host address and that the netmask applied should be -all 1's. -.PP -Some examples of this are: -.PP -.nf -pass in from 10.1.0.0/24 to any -block out from any to 10.1.1.1 -.fi -.PP -It is not possible to specify a range of addresses that does not -have a boundary that can be defined by a standard subnet mask. -.IP -.B Names instead of addresses -.RS -.PP -Hostnames, resolved either via DNS or /etc/hosts, or network names, -resolved via /etc/networks, may be used in place of actual addresses -in the filter rules. WARNING: if a hostname expands to more than one -address, only the *first* is used in building the filter rule. -.PP -Caution should be exercised when relying on DNS for filter rules in -case the sending and receiving of DNS packets is blocked when ipf(8) -is processing that part of the configuration file, leading to long -delays, if not errors, in loading the filter rules. -.RE -.SS Protocol Matching -.PP -To match packets based on TCP/UDP port information, it is first necessary -to indicate which protocol the packet must be. This is done using the -"proto" keyword, followed by either the protocol number or a name which -is mapped to the protocol number, usually through the /etc/protocols file. -.PP -.nf -pass in proto tcp from 10.1.0.0/24 to any -block out proto udp from any to 10.1.1.1 -pass in proto icmp from any to 192.168.0.0/16 -.fi -.SS Sending back error packets -.PP -When a packet is just discarded using a block rule, there is no feedback given -to the host that sent the packet. This is both good and bad. If this is the -desired behaviour and it is not desirable to send any feedback about packets -that are to be denied. The catch is that often a host trying to connect to a -TCP port or with a UDP based application will send more than one packet -because it assumes that just one packet may be discarded so a retry is -required. The end result being logs can become cluttered with duplicate -entries due to the retries. -.PP -To address this problem, a block rule can be qualified in two ways. -The first of these is specific to TCP and instructs IPFilter to send back -a reset (RST) packet. This packet indicates to the remote system that the -packet it sent has been rejected and that it shouldn't make any further -attempts to send packets to that port. Telling IPFilter to return a TCP -RST packet in response to something that has been received is achieved -with the return-rst keyword like this: -.PP -.nf -block return-rst in proto tcp from 10.0.0.0/8 to any -.fi -.PP -When sending back a TCP RST packet, IPFilter must construct a new packet -that has the source address of the intended target, not the source address -of the system it is running on (if they are different.) -.PP -For all of the other protocols handled by the IP protocol suite, to send -back an error indicating that the received packet was dropped requires -sending back an ICMP error packet. Whilst these can also be used for TCP, -the sending host may not treat the received ICMP error as a hard error -in the same way as it does the TCP RST packet. To return an ICMP error -it is necessary to place return-icmp after the block keyword like this: -.PP -.nf -block return-icmp in proto udp from any to 192.168.0.1/24 -.fi -.PP -When electing to return an ICMP error packet, it is also possible to -select what type of ICMP error is returned. Whilst the full compliment -of ICMP unreachable codes can be used by specifying a number instead of -the string below, only the following should be used in conjunction with -return-icmp. Which return code to use is a choice to be made when -weighing up the pro's and con's. Using some of the codes may make it -more obvious that a firewall is being used rather than just the host -not responding. -.RS -.HP -filter-prohib -(prohibited by filter) -sending packets to the destination given in the received packet is -prohibited due to the application of a packet filter -.HP -net-prohib -(prohibited network) -sending packets to the destination given in the received packet is -administratively prohibited. -.HP -host-unk -(host unknown) -the destination host address is not known by the system receiving -the packet and therefore cannot be reached. -.HP -host-unr -(host unreachable) -it is not possible to reach the host as given by the destination address -in the packet header. -.HP -net-unk -(network unknown) -the destination network address is not known by the system receiving -the packet and therefore cannot be reached. -.HP -net-unr -(network unreachable) -it is not possible to forward the packet on to its final destination -as given by the destination address -.HP -port-unr -(port unreachable) -there is no application using the given destination port and therefore -it is not possible to reach that port. -.HP -proto-unr -(protocol unreachable) -the IP protocol specified in the packet is not available to receive -packets. -.DE -.PP -An example that shows how to send back a port unreachable packet for -UDP packets to 192.168.1.0/24 is as follows: -.PP -.nf -block return-icmp(port-unr) in proto udp from any to 192.168.1.0/24 -.fi -.PP -In the above examples, when sending the ICMP packet, IPFilter will construct -a new ICMP packet with a source address of the network interface used to -send the packet back to the original source. This can give away that there -is an intermediate system blocking packets. To have IPFilter send back -ICMP packets where the source address is the original destination, regardless -of whether or not it is on the local host, return-icmp-as-dest is used like -this: -.PP -.nf -block return-icmp-as-dest(port-unr) in proto udp \\ - from any to 192.168.1.0/24 -.fi -.SS TCP/UDP Port Matching -.PP -Having specified which protocol is being matched, it is then possible to -indicate which port numbers a packet must have in order to match the rule. -Due to port numbers being used differently to addresses, it is therefore -possible to match on them in different ways. IPFilter allows you to use -the following logical operations: -.IP "< x" -is true if the port number is greater than or equal to x and less than or -equal to y -is true if the port number in the packet is less than x -.IP "<= x" -is true if the port number in the packet is less than or equal to x -.IP "> x" -is true if the port number in the packet is greater than x -.IP ">= x" -is true if the port number in the packet is greater or equal to x -.IP "= x" -is true if the port number in the packet is equal to x -.IP "!= x" -is true if the port number in the packet is not equal to x -.PP -Additionally, there are a number of ways to specify a range of ports: -.IP "x <> y" -is true if the port number is less than a and greater than y -.IP "x >< y" -is true if the port number is greater than x and less than y -.IP "x:y" -is true if the port number is greater than or equal to x and less than or -equal to y -.PP -Some examples of this are: -.PP -.nf -block in proto tcp from any port >= 1024 to any port < 1024 -pass in proto tcp from 10.1.0.0/24 to any port = 22 -block out proto udp from any to 10.1.1.1 port = 135 -pass in proto udp from 1.1.1.1 port = 123 to 10.1.1.1 port = 123 -pass in proto tcp from 127.0.0.0/8 to any port 6000:6009 -.fi -.PP -If there is no desire to mention any specific source or destintion -information in a filter rule then the word "all" can be used to -indicate that all addresses are considered to match the rule. -.SS IPv4 or IPv6 -.PP -If a filter rule is constructed without any addresses then IPFilter -will attempt to match both IPv4 and IPv6 packets with it. In the -next list of rules, each one can be applied to either network protocol -because there is no address specified from which IPFilter can derive -with network protocol to expect. -.PP -.nf -pass in proto udp from any to any port = 53 -block in proto tcp from any port < 1024 to any -.fi -.PP -To explicitly match a particular network address family with a specific -rule, the family must be added to the rule. For IPv4 it is necessary to -add family inet and for IPv6, family inet6. Thus the next rule will -block all packets (both IPv4 and IPv6: -.PP -.nf -block in all -.fi -.PP -but in the following example, we block all IPv4 packets and only allow -in IPv6 packets: -.PP -.nf -block in family inet all -pass in family inet6 all -.fi -.PP -To continue on from the example where we allowed either IPv4 or IPv6 -packets to port 53 in, to change that such that only IPv6 packets to -port 53 need to allowed blocked then it is possible to add in a -protocol family qualifier: -.PP -.nf -pass in family inet6 proto udp from any to any port = 53 -.fi -.SS First match vs last match -.PP -To change the default behaviour from being the last matched rule decides -the outcome to being the first matched rule, the word "quick" is inserted -to the rule. -.SH Extended Packet Matching -.SS Beyond using plain addresses -.PP -On firewalls that are working with large numbers of hosts and networks -or simply trying to filter discretely against various hosts, it can -be an easier administration task to define a pool of addresses and have -a filter rule reference that address pool rather than have a rule for -each address. -.PP -In addition to being able to use address pools, it is possible to use -the interface name(s) in the from/to address fields of a rule. If the -name being used in the address section can be matched to any of the -interface names mentioned in the rule's "on" or "via" fields then it -can be used with one of the following keywords for extended effect: -.HP -broadcast -use the primary broadcast address of the network interface for matching -packets with this filter rule; -.IP -.nf -pass in on fxp0 proto udp from any to fxp0/broadcast port = 123 -.fi -.HP -peer -use the peer address on point to point network interfaces for matching -packets with this filter rule. This option typically only has meaningful -use with link protocols such as SLIP and PPP. -For example, this rule allows ICMP packets from the remote peer of ppp0 -to be received if they're destined for the address assigned to the link -at the firewall end. -.IP -.nf -pass in on ppp0 proto icmp from ppp0/peer to ppp0/32 -.fi -.HP -netmasked -use the primary network address, with its netmask, of the network interface -for matching packets with this filter rule. If a network interface had an -IP address of 192.168.1.1 and its netmask was 255.255.255.0 (/24), then -using the word "netmasked" after the interface name would match any -addresses that would match 192.168.1.0/24. If we assume that bge0 has -this IP address and netmask then the following two rules both serve -to produce the same effect: -.IP -.nf -pass in on bge0 proto icmp from any to 192.168.1.0/24 -pass in on bge0 proto icmp from any to bge0/netmasked -.fi -.HP -network -using the primary network address, and its netmask, of the network interface, -construct an address for exact matching. If a network interface has an -address of 192.168.1.1 and its netmask is 255.255.255.0, using this -option would only match packets to 192.168.1.0. -.IP -.nf -pass in on bge0 proto icmp from any to bge0/network -.fi -.PP -Another way to use the name of a network interface to get the address -is to wrap the name in ()'s. In the above method, IPFilter -looks at the interface names in use and to decide whether or not -the name given is a hostname or network interface name. With the -use of ()'s, it is possible to tell IPFilter that the name should -be treated as a network interface name even though it doesn't -appear in the list of network interface that the rule ias associated -with. -.IP -.nf -pass in proto icmp from any to (bge0)/32 -.fi -.SS Using address pools -.PP -Rather than list out multiple rules that either allow or deny specific -addresses, it is possible to create a single object, call an address -pool, that contains all of those addresses and reference that in the -filter rule. For documentation on how to write the configuration file -for those pools and load them, see ippool.conf(5) and ippool(8). -There are two types of address pools that can be defined in ippool.conf(5): -trees and hash tables. To refer to a tree defined in ippool.conf(5), -use this syntax: -.PP -.nf -pass in from pool/trusted to any -.fi -.PP -Either a name or number can be used after the '/', just so long as it -matches up with something that has already been defined in ipool.conf(5) -and loaded in with ippool(8). Loading a filter rule that references a -pool that does not exist will result in an error. -.PP -If hash tables have been used in ippool.conf(5) to store the addresses -in instead of a tree, then replace the word pool with hash: -.IP -.nf -pass in from any to hash/webservers -.fi -.PP -There are different operational characteristics with each, so there -may be some situations where a pool works better than hash and vice -versa. -.SS Matching TCP flags -.PP -The TCP header contains a field of flags that is used to decide if the -packet is a connection request, connection termination, data, etc. -By matching on the flags in conjunction with port numbers, it is -possible to restrict the way in which IPFilter allows connections to -be created. A quick overview of the TCP -flags is below. Each is listed with the letter used in IPFilter -rules, followed by its three or four letter pneumonic. -.HP -S -SYN - this bit is set when a host is setting up a connection. -The initiator typically sends a packet with the SYN bit and the -responder sends back SYN plus ACK. -.HP -A -ACK - this bit is set when the sender wishes to acknowledge the receipt -of a packet from another host -.HP -P -PUSH - this bit is set when a sending host has send some data that -is yet to be acknowledged and a reply is sought -.HP -F -FIN - this bit is set when one end of a connection starts to close -the connection down -.HP -U -URG - this bit is set to indicate that the packet contains urgent data -.HP -R -RST - this bit is set only in packets that are a reply to another -that has been received but is not targetted at any open port -.HP -C -CWN -.HP -E -ECN -.PP -When matching TCP flags, it is normal to just list the flag that you -wish to be set. By default the set of flags it is compared against -is "FSRPAU". Rules that say "flags S" will be displayed by ipfstat(8) -as having "flags S/FSRPAU". This is normal. -The last two flags, "C" and "E", are optional - they -may or may not be used by an end host and have no bearing on either -the acceptance of data nor control of the connection. Masking them -out with "flags S/FSRPAUCE" may cause problems for remote hosts -making a successful connection. -.PP -.nf -pass in quick proto tcp from any to any port = 22 flags S/SAFR -pass out quick proto tcp from any port = 22 to any flags SA -.fi -.PP -By itself, filtering based on the TCP flags becomes more work but when -combined with stateful filtering (see below), the situation changes. -.SS Matching on ICMP header information -.PP -The TCP and UDP are not the only protocols for which filtering beyond -just the IP header is possible, extended matching on ICMP packets is -also available. The list of valid ICMP types is different for IPv4 -vs IPv6. -.PP -As a practical example, to allow the ping command to work -against a specific target requires allowing two different types of -ICMP packets, like this: -.PP -.nf -pass in proto icmp from any to webserver icmp-type echo -pass out proto icmp from webserver to any icmp-type echorep -.fi -.PP -The ICMP header has two fields that are of interest for filtering: -the ICMP type and code. Filter rules can accept either a name or -number for both the type and code. The list of names supported for -ICMP types is listed below, however only ICMP unreachable errors -have named codes (see above.) -.PP -The list of ICMP types that are available for matching an IPv4 packet -are as follows: -.PP -echo (echo request), -echorep (echo reply), -inforeq (information request), -inforep (information reply), -maskreq (mask request), -maskrep (mask reply), -paramprob (parameter problem), -redir (redirect), -routerad (router advertisement), -routersol (router solicit), -squence (source quence), -timest (timestamp), -timestreq (timestamp reply), -timex (time exceeded), -unreach (unreachable). -.PP -The list of ICMP types that are available for matching an IPv6 packet -are as follows: -.PP -echo (echo request), -echorep (echo reply), -fqdnquery (FQDN query), -fqdnreply (FQDN reply), -inforeq (information request), -inforep (information reply), -listendone (MLD listener done), -listendqry (MLD listener query), -listendrep (MLD listener reply), -neighadvert (neighbour advert), -neighborsol (neighbour solicit), -paramprob (parameter problem), -redir (redirect), -renumber (router renumbering), -routerad (router advertisement), -routersol (router solicit), -timex (time exceeded), -toobig (packet too big), -unreach (unreachable, -whoreq (WRU request), -whorep (WRU reply). -.SH Stateful Packet Filtering -.PP -Stateful packet filtering is where IPFilter remembers some information from -one or more packets that it has seen and is able to apply it to future -packets that it receives from the network. -.PP -What this means for each transport layer protocol is different. -For TCP it means that if IPFilter -sees the very first packet of an attempt to make a connection, it has enough -information to allow all other subsequent packets without there needing to -be any explicit rules to match them. IPFilter uses the TCP port numbers, -TCP flags, window size and sequence numbers to determine which packets -should be matched. For UDP, only the UDP port numbers are available. -For ICMP, the ICMP types can be combined with the ICMP id field to -determine which reply packets match a request/query that has already -been seen. For all other protocols, only matching on IP address and -protocol number is available for determining if a packet received is a mate -to one that has already been let through. -.PP -The difference this makes is a reduction in the number of rules from -2 or 4 to 1. For example, these 4 rules: -.PP -.nf -pass in on bge0 proto tcp from any to any port = 22 -pass out on bge1 proto tcp from any to any port = 22 -pass in on bge1 proto tcp from any port = 22 to any -pass out on bge0 proto tcp from any port = 22 to any -.fi -.PP -can be replaced with this single rule: -.PP -.nf -pass in on bge0 proto tcp from any to any port = 22 flags S keep state -.fi -.PP -Similar rules for UDP and ICMP might be: -.PP -.nf -pass in on bge0 proto udp from any to any port = 53 keep state -pass in on bge0 proto icmp all icmp-type echo keep state -.fi -.PP -When using stateful filtering with TCP it is best to add "flags S" to the -rule to ensure that state is only created when a packet is seen that is -an indication of a new connection. Although IPFilter can gather some -information from packets in the middle of a TCP connection to do stateful -filtering, there are some options that are only sent at the start of the -connection which alter the valid window of what TCP accepts. The end result -of trying to pickup TCP state in mid connection is that some later packets -that are part of the connection may not match the known state information -and be dropped or blocked, causing problems. If a TCP packet matches IP -addresses and port numbers but does not fit into the recognised window, -it will not be automatically allowed and will be flagged inside of -IPFitler as "out of window" (oow). See below, "Extra packet attributes", -for how to match on this attribute. -.PP -Once a TCP connection has reached the established state, the default -timeout allows for it to be idle for 5 days before it is removed from -the state table. The timeouts for the other TCP connection states -vary from 240 seconds to 30 seconds. -Both UDP and ICMP state entries have asymetric timeouts where the timeout -set upon seeing packets in the forward direction is much larger than -for the reverse direction. For UDP the default timeouts are 120 and -12 seconds, for ICMP 60 and 6 seconds. This is a reflection of the -use of these protocols being more for query-response than for ongoing -connections. For all other protocols the -timeout is 60 seconds in both directions. -.SS Stateful filtering options -.PP -The following options can be used with stateful filtering: -.HP -limit -limit the number of state table entries that this rule can create to -the number given after limit. A rule that has a limit specified is -always permitted that many state table entries, even if creating an -additional entry would cause the table to have more entries than the -otherwise global limit. -.IP -.nf -pass ... keep state(limit 100) -.fi -.HP -age -sets the timeout for the state entry when it sees packets going through -it. Additionally it is possible to set the tieout for the reply packets -that come back through the firewall to a different value than for the -forward path. allowing a short timeout to be set after the reply has -been seen and the state no longer required. -.RS -.PP -.nf -pass in quick proto icmp all icmp-type echo \\ - keep state (age 3) -pass in quick proto udp from any \\ - to any port = 53 keep state (age 30/1) -.fi -.RE -.HP -strict -only has an impact when used with TCP. It forces all packets that are -allowed through the firewall to be sequential: no out of order delivery -of packets is allowed. This can cause significant slowdown for some -connections and may stall others. Use with caution. -.IP -.nf -pass in proto tcp ... keep state(strict) -.fi -.HP -noicmperr -prevents ICMP error packets from being able to match state table entries -created with this flag using the contents of the original packet included. -.IP -.nf -pass ... keep state(noicmperr) -.fi -.HP -sync -indicates to IPFilter that it needs to provide information to the user -land daemons responsible for syncing other machines state tables up -with this one. -.IP -.nf -pass ... keep state(sync) -.fi -.HP -nolog -do not generate any log records for the creation or deletion of state -table entries. -.IP -.nf -pass ... keep state(nolog) -.fi -.HP -icmp-head -rather than just precent ICMP error packets from being able to match -state table entries, allow an ACL to be processed that can filter in or -out ICMP error packets based as you would with normal firewall rules. -The icmp-head option requires a filter rule group number or name to -be present, just as you would use with head. -.RS -.PP -.nf -pass in quick proto tcp ... keep state(icmp-head 101) -block in proto icmp from 10.0.0.0/8 to any group 101 -.fi -.RE -.HP -max-srcs -allows the number of distinct hosts that can create a state entry to -be defined. -.IP -.nf -pass ... keep state(max-srcs 100) -pass ... keep state(limit 1000, max-srcs 100) -.fi -.HP -max-per-src -whilst max-srcs limits the number of individual hosts that may cause -the creation of a state table entry, each one of those hosts is still -table to fill up the state table with new entries until the global -maximum is reached. This option allows the number of state table entries -per address to be limited. -.IP -.nf -pass ... keep state(max-srcs 100, max-per-src 1) -pass ... keep state(limit 100, max-srcs 100, max-per-src 1) -.fi -.IP -Whilst these two rules might seem identical, in that they both -ultimately limit the number of hosts and state table entries created -from the rule to 100, there is a subtle difference: the second will -always allow up to 100 state table entries to be created whereas the -first may not if the state table fills up from other rules. -.IP -Further, it is possible to specify a netmask size after the per-host -limit that enables the per-host limit to become a per-subnet or -per-network limit. -.IP -.nf -pass ... keep state(max-srcs 100, max-per-src 1/24) -.fi -.IP -If there is no IP protocol implied by addresses or other features of -the rule, IPFilter will assume that no netmask is an all ones netmask -for both IPv4 and IPv6. -.SS Tieing down a connection -.PP -For any connection that transits a firewall, each packet will be seen -twice: once going in and once going out. Thus a connection has 4 flows -of packets: -.HP -forward -inbound packets -.HP -forward -outbound packets -.HP -reverse -inbound packets -.HP -reverse -outbound packets -.PP -IPFilter allows you to define the network interface to be used at all -four points in the flow of packets. For rules that match inbound packets, -out-via is used to specify which interfaces the packets go out, For rules -that match outbound packets, in-via is used to match the inbound packets. -In each case, the syntax generalises to this: -.PP -.nf -pass ... in on forward-in,reverse-in \\ - out-via forward-out,reverse-out ... - -pass ... out on forward-out,reverse-out \\ - in-via forward-in,reverse-in ... -.fi -.PP -An example that pins down all 4 network interfaces used by an ssh -connection might look something like this: -.PP -.nf -pass in on bge0,bge1 out-via bge1,bge0 proto tcp \\ - from any to any port = 22 flags S keep state -.fi -.SS Working with packet fragments -.PP -Fragmented packets result in 1 packet containing all of the layer 3 and 4 -header information whilst the data is split across a number of other packets. -.PP -To enforce access control on fragmented packets, one of two approaches -can be taken. The first is to allow through all of the data fragments -(those that made up the body of the original packet) and rely on matching -the header information in the "first" fragment, when it is seen. The -reception of body fragments without the first will result in the receiving -host being unable to completely reassemble the packet and discarding all -of the fragments. The following three rules deny all fragmented packets -from being received except those that are UDP and even then only allows -those destined for port 2049 to be completed. -.PP -.nf -block in all with frags -pass in proto udp from any to any with frag-body -pass in proto udp from any to any port = 2049 with frags -.fi -.PP -Another mechanism that is available is to track "fragment state". -This relies on the first fragment of a packet that arrives to be -the fragment that contains all of the layer 3 and layer 4 header -information. With the receipt of that fragment before any other, -it is possible to determine which other fragments are to be allowed -through without needing to explicitly allow all fragment body packets. -An example of how this is done is as follows: -.PP -.nf -pass in proto udp from any port = 2049 to any with frags keep frags -.fi -.SH Building a tree of rules -.PP -Writing your filter rules as one long list of rules can be both inefficient -in terms of processing the rules and difficult to understand. To make the -construction of filter rules easier, it is possible to place them in groups. -A rule can be both a member of a group and the head of a new group. -.PP -Using filter groups requires at least two rules: one to be in the group -one one to send matchign packets to the group. If a packet matches a -filtre rule that is a group head but does not match any of the rules -in that group, then the packet is considered to have matched the head -rule. -.PP -Rules that are a member of a group contain the word group followed by -either a name or number that defines which group they're in. Rules that -form the branch point or starting point for the group must use the -word head, followed by either a group name or number. If rules are -loaded in that define a group but there is no matching head then they -will effectively be orphaned rules. It is possible to have more than -one head rule point to the same group, allowing groups to be used -like subroutines to implement specific common policies. -.PP -A common use of filter groups is to define head rules that exist in the -filter "main line" for each direction with the interfaces in use. For -example: -.PP -.nf -block in quick on bge0 all head 100 -block out quick on bge0 all head 101 -block in quick on fxp0 all head internal-in -block out quick on fxp0 all head internal-out -pass in quick proto icmp all icmp-type echo group 100 -.fi -.PP -In the above set of rules, there are four groups defined but only one -of them has a member rule. The only packets that would be allowed -through the above ruleset would be ICMP echo packets that are -received on bge0. -.PP -Rules can be both a member of a group and the head of a new group, -allowing groups to specialise. -.PP -.nf -block in quick on bge0 all head 100 -block in quick proto tcp all head 1006 group 100 -.fi -.PP -Another use of filter rule groups is to provide a place for rules to -be dynamically added without needing to worry about their specific -ordering amongst the entire ruleset. For example, if I was using this -simple ruleset: -.PP -.nf -block in quick all with bad -block in proto tcp from any to any port = smtp head spammers -pass in quick proto tcp from any to any port = smtp flags S keep state -.fi -.PP -and I was getting lots of connections to my email server from 10.1.1.1 -to deliver spam, I could load the following rule to complement the above: -.IP -.nf -block in quick from 10.1.1.1 to any group spammers -.fi -.SS Decapsulation -.PP -Rule groups also form a different but vital role for decapsulation rules. -With the following simple rule, if IPFilter receives an IP packet that has -an AH header as its layer 4 payload, IPFilter would adjust its view of the -packet internally and then jump to group 1001 using the data beyond the -AH header as the new transport header. -.PP -.nf -decapsulate in proto ah all head 1001 -.fi -.PP -For protocols that -are recognised as being used with tunnelling or otherwise encapsulating -IP protocols, IPFilter is able to decide what it has on the inside -without any assistance. Some tunnelling protocols use UDP as the -transport mechanism. In this case, it is necessary to instruct IPFilter -as to what protocol is inside UDP. -.PP -.nf -decapsulate l5-as(ip) in proto udp from any \\ - to any port = 1520 head 1001 -.fi -.PP -Currently IPFilter only supports finding IPv4 and IPv6 headers -directly after the UDP header. -.PP -If a packet matches a decapsulate rule but fails to match any of the rules -that are within the specified group, processing of the packet continues -to the next rule after the decapsulate and IPFilter's internal view of the -packet is returned to what it was prior to the decapsulate rule. -.PP -It is possible to construct a decapsulate rule without the group -head at the end that ipf(8) will accept but such rules will not -result in anything happening. -.SS Policy Based Routing -.PP -With firewalls being in the position they often are, at the boundary -of different networks connecting together and multiple connections that -have different properties, it is often desirable to have packets flow -in a direction different to what the routing table instructs the kernel. -These decisions can often be extended to changing the route based on -both source and destination address or even port numbers. -.PP -To support this kind of configuration, IPFilter allows the next hop -destination to be specified with a filter rule. The next hop is given -with the interface name to use for output. The syntax for this is -interface:ip.address. It is expected that the address given as the next -hop is directly connected to the network to which the interface is. -.PP -.nf -pass in on bge0 to bge1:1.1.1.1 proto tcp \\ - from 1.1.2.3 to any port = 80 flags S keep state -.fi -.PP -When this feature is combined with stateful filtering, it becomes -possible to influence the network interface used to transmit packets -in both directions because we now have a sense for what its reverse -flow of packets is. -.PP -.nf -pass in on bge0 to bge1:1.1.1.1 reply-to hme1:2.1.1.2 \\ - proto tcp from 1.1.2.3 to any port = 80 flags S keep state -.fi -.PP -If the actions of the routing table are perfectly acceptable, but -you would like to mask the presence of the firewall by not changing -the TTL in IP packets as they transit it, IPFilter can be instructed -to do a "fastroute" action like this: -.PP -.nf -pass in on bge0 fastroute proto icmp all -.fi -.PP -This should be used with caution as it can lead to endless packet -loops. Additionally, policy based routing does not change the IP -header's TTL value. -.PP -A variation on this type of rule supports a duplicate of the original -packet being created and sent out a different network. This can be -useful for monitoring traffic and other purposes. -.PP -.nf -pass in on bge0 to bge1:1.1.1.1 reply-to hme1:2.1.1.2 \\ - dup-to fxp0:10.0.0.1 proto tcp from 1.1.2.3 \\ - to any port = 80 flags S keep state -.fi -.SS Matching IPv4 options -.PP -The design for IPv4 allows for the header to be upto 64 bytes long, -however most traffic only uses the basic header which is 20 bytes long. -The other 44 bytes can be uesd to store IP options. These options are -generally not necessary for proper interaction and function on the -Internet today. For most people it is sufficient to block and drop -all packets that have any options set. This can be achieved with this -rule: -.PP -.nf -block in quick all with ipopts -.fi -.PP -This rule is usually placed towards the top of the configuration -so that all incoming packets are blocked. -.PP -If you wanted to allow in a specific IP option type, the syntax -changes slightly: -.PP -.nf -pass in quick proto igmp all with opt rtralrt -.fi -.PP -The following is a list of IP options that most people encounter and -what their use/threat is. -.HP -lsrr -(loose source route) the sender of the packet includes a list of addresses -that they wish the packet to be routed through to on the way to the -destination. Because replies to such packets are expected to use the -list of addresses in reverse, hackers are able to very effectively use -this header option in address spoofing attacks. -.HP -rr -(record route) the sender allocates some buffer space for recording the -IP address of each router that the packet goes through. This is most often -used with ping, where the ping response contains a copy of all addresses -from the original packet, telling the sender what route the packet took -to get there. Due to performance and security issues with IP header -options, this is almost no longer used. -.HP -rtralrt -(router alert) this option is often used in IGMP messages as a flag to -routers that the packet needs to be handled differently. It is unlikely -to ever be received from an unknown sender. It may be found on LANs or -otherwise controlled networks where the RSVP protocol and multicast -traffic is in heavy use. -.HP -ssrr -(strict source route) the sender of the packet includes a list of addresses -that they wish the packet to be routed through to on the way to the -destination. Where the lsrr option allows the sender to specify only -some of the nodes the packet must go through, with the ssrr option, -every next hop router must be specified. -.PP -The complete list of IPv4 options that can be matched on is: -addext (Address Extention), -cipso (Classical IP Security Option), -dps (Dynamic Packet State), -e-sec (Extended Security), -eip (Extended Internet Protocol), -encode (ENCODE), -finn (Experimental Flow Control), -imitd (IMI Traffic Descriptor), -lsrr (Loose Source Route), -mtup (MTU Probe - obsolete), -mtur (MTU response - obsolete), -nop (No Operation), -nsapa (NSAP Address), -rr (Record Route), -rtralrt (Router Alert), -satid (Stream Identifier), -sdb (Selective Directed Broadcast), -sec (Security), -ssrr (Strict Source Route), -tr (Tracerote), -ts (Timestamp), -ump (Upstream Multicast Packet), -visa (Experimental Access Control) -and zsu (Experimental Measurement). -.SS Security with CIPSO and IPSO -.PP -IPFilter supports filtering on IPv4 packets using security attributes embedded -in the IP options part of the packet. These options are usually only used on -networks and systems that are using lablled security. Unless you know that -you are using labelled security and your networking is also labelled, it -is highly unlikely that this section will be relevant to you. -.PP -With the traditional IP Security Options (IPSO), packets can be tagged with -a security level. The following keywords are recognised and match with the -relevant RFC with respect to the bit patterns matched: -confid (confidential), -rserve-1 (1st reserved value), -rserve-2 (2nd reserved value), -rserve-3 (3rd reserved value), -rserve-4 (4th reserved value), -secret (secret), -topsecret (top secret), -unclass (unclassified). -.PP -.nf -block in quick all with opt sec-class unclass -pass in all with opt sec-class secret -.fi -.SS Matching IPv6 extension headers -.PP -Just as it is possible to filter on the various IPv4 header options, -so too it is possible to filter on the IPv6 extension headers that are -placed between the IPv6 header and the transport protocol header. -.PP -dstopts (destination options), -esp (encrypted, secure, payload), -frag (fragment), -hopopts (hop-by-hop options), -ipv6 (IPv6 header), -mobility (IP mobility), -none, -routing. -.SS Logging -.PP -There are two ways in which packets can be logged with IPFilter. The -first is with a rule that specifically says log these types of packets -and the second is a qualifier to one of the other keywords. Thus it is -possible to both log and allow or deny a packet with a single rule. -.PP -.nf -pass in log quick proto tcp from any to any port = 22 -.fi -.PP -When using stateful filtering, the log action becomes part of the result -that is remembered about a packet. Thus if the above rule was qualified -with keep state, every packet in the connection would be logged. To only -log the first packet from every packet flow tracked with keep state, it -is necessary to indicate to IPFilter that you only wish to log the first -packet. -.PP -.nf -pass in log first quick proto tcp from any to any port = 22 \\ - flags S keep state -.fi -.PP -If it is a requirement that the logging provide an accurate representation -of which connections are allowed, the log action can be qualified with the -option or-block. This allows the administrator to instruct IPFilter to -block the packet if the attempt to record the packet in IPFilter's kernel -log records (which have an upper bound on size) failed. Unless the system -shuts down or reboots, once a log record is written into the kernel buffer, -it is there until ipmon(8) reads it. -.PP -.nf -block in log proto tcp from any to any port = smtp -pass in log or-block first quick proto tcp from any \\ - to any port = 22 flags S keep state -.fi -.PP -By default, IPFilter will only log the header portion of a packet received -on the network. Up to 128 bytes of a packet's body can also -be logged with the body keyword. ipmon(8) will display the contents of the -portion of the body logged in hex. -.PP -.nf -block in log body proto icmp all -.fi -.PP -When logging packets from ipmon(8) to syslog, by default ipmon(8) will -control what syslog facility and priority a packet will be logged with. -This can be tuned on a per rule basis like this: -.PP -.nf -block in quick log level err all with bad -pass in log level local1.info proto tcp \\ - from any to any port = 22 flags S keep state -.fi -.PP -ipfstat(8) reports how many packets have been successfully logged and how -many failed attempts to log a packet there were. -.SS Filter rule comments -.PP -If there is a desire to associate a text string, be it an administrative -comment or otherwise, with an IPFilter rule, this can be achieved by giving -the filter rule a comment. The comment is loaded with the rule into the -kernel and can be seen when the rules are listed with ipfstat. -.PP -.nf -pass in quick proto tcp from any \\ - to port = 80 comment "all web server traffic is ok" -pass out quick proto tcp from any port = 80 \\ - to any comment "all web server traffic is ok" -.fi -.SS Tags -.PP -To enable filtering and NAT to correctly match up packets with rules, -tags can be added at with NAT (for inbound packets) and filtering (for -outbound packets.) This allows a filter to be correctly mated with its -NAT rule in the event that the NAT rule changed the packet in a way -that would mean it is not obvious what it was. -.PP -For inbound packets, IPFilter can match the tag used in the filter -rules with that set by NAT. For outbound rules, it is the reverse, -the filter sets the tag and the NAT rule matches up with it. -.PP -.nf -pass in ... match-tag(nat=proxy) -pass out ... set-tag(nat=proxy) -.fi -.PP -Another use of tags is to supply a number that is only used with logging. -When packets match these rules, the log tag is carried over into the -log file records generated by ipmon(8). With the correct use of tools -such as grep, extracting log records of interest is simplified. -.PP -.nf -block in quick log ... set-tag(log=33) -.fi -.SH Filter Rule Expiration -.PP -IPFilter allows rules to be added into the kernel that it will remove after -a specific period of time by specifying rule-ttl at the end of a rule. -When listing rules in the kernel using ipfstat(8), rules that are going -to expire will NOT display "rule-ttl" with the timeout, rather what will -be seen is a comment with how many ipfilter ticks left the rule has to -live. -.PP -The time to live is specified in seconds. -.PP -.nf -pass in on fxp0 proto tcp from any \\ - to port = 22 flags S keep state rule-ttl 30 -.fi -.SH Internal packet attributes -.PP -In addition to being able to filter on very specific network and transport -header fields, it is possible to filter on other attributes that IPFilter -attaches to a packet. These attributes are placed in a rule after the -keyword "with", as can be seen with frags and frag-body above. The -following is a list of the other attributes available: -.HP -oow -the packet's IP addresses and TCP ports match an existing entry in the -state table but the sequence numbers indicate that it is outside of the -accepted window. -.IP -.nf -block return-rst in quick proto tcp from any to any with not oow -.fi -.HP -bcast -this is set by IPFilter when it receives notification that the link -layer packet was a broadcast packet. No checking of the IP addresses -is performned to determine if it is a broadcast destination or not. -.IP -.nf -block in quick proto udp all with bcast -.fi -.HP -mcast -this is set by IPFilter when it receives notification that the link -layer packet was a multicast packet. No checking of the IP addresses -is performned to determine if it is a multicast destination or not. -.IP -.nf -pass in quick proto udp from any to any port = dns with mcast -.fi -.HP -mbcast -can be used to match a packet that is either a multicast or broadcast -packet at the link layer, as indicated by the operating system. -.IP -.nf -pass in quick proto udp from any to any port = ntp with mbcast -.fi -.HP -nat -the packet positively matched a NAT table entry. -.HP -bad -sanity checking of the packet failed. This could indicate that the -layer 3/4 headers are not properly formed. -.HP -bad-src -when reverse path verification is enabled, this flag will be set when -the interface the packet is received on does not match that which would -be used to send a packet out of to the source address in the received -packet. -.HP -bad-nat -an attempt to perform NAT on the packet failed. -.HP -not -each one of the attributes matched using the "with" keyword can also be -looked for to not be present. For example, to only allow in good packets, -I can do this: -.PP -.nf -block in all -pass in all with not bad -.fi -.SH Tuning IPFilter -.PP -The ipf.conf file can also be used to tune the behaviour of IPFilter, -allowing, for example, timeouts for the NAT/state table(s) to be set -along with their sizes. The presence and names of tunables may change -from one release of IPFilter to the next. The tunables that can be -changed via ipf.conf is the same as those that can be seen and modified -using the -T command line option to ipf(8). -.PP -NOTE: When parsing ipf.conf, ipf(8) will apply the settings before -loading any rules. Thus if your settings are at the top, these may -be applied whilst the rules not applied if there is an error further -down in the configuration file. -.PP -To set one of the values below, the syntax is simple: "set", followed -by the name of the tuneable to set and then the value to set it to. -.PP -.nf -set state_max 9999; -set state_size 10101; -.fi -.PP -A list of the currently available variables inside IPFilter that may -be tuned from ipf.conf are as follows: -.HP -active -set through -s command line switch of ipf(8). See ipf(8) for detals. -.HP -chksrc -when set, enables reverse path verification on source addresses and -for filters to match packets with bad-src attribute. -.HP -control_forwarding -when set turns off kernel forwarding when IPFilter is disabled or unloaded. -.HP -default_pass -the default policy - whether packets are blocked or passed, etc - is -represented by the value of this variable. It is a bit field and the -bits that can be set are found in <netinet/ip_fil.h>. It is not -recommended to tune this value directly. -.HP -ftp_debug -set the debugging level of the in-kernel FTP proxy. -Debug messages will be printed to the system console. -.HP -ftp_forcepasv -when set the FTP proxy must see a PASV/EPSV command before creating -the state/NAT entries for the 227 response. -.HP -ftp_insecure -when set the FTP proxy will not wait for a user to login before allowing -data connections to be created. -.HP -ftp_pasvonly -when set the proxy will not create state/NAT entries for when it -sees either the PORT or EPRT command. -.HP -ftp_pasvrdr -when enabled causes the FTP proxy to create very insecure NAT/state -entries that will allow any connection between the client and server -hosts when a 227 reply is seen. Use with extreme caution. -.HP -ftp_single_xfer -when set the FTP proxy will only allow one data connection at a time. -.HP -hostmap_size -sets the size of the hostmap table used by NAT to store address mappings -for use with sticky rules. -.HP -icmp_ack_timeout -default timeout used for ICMP NAT/state when a reply packet is seen for -an ICMP state that already exists -.HP -icmp_minfragmtu -sets the minimum MTU that is considered acceptable in an ICMP error -before deciding it is a bad packet. -.HP -icmp_timeout -default timeout used for ICMP NAT/state when the packet matches the rule -.HP -ip_timeout -default timeout used for NAT/state entries that are not TCP/UDP/ICMP. -.HP -ipf_flags -.HP -ips_proxy_debug -this sets the debugging level for the proxy support code. -When enabled, debugging messages will be printed to the system console. -.HP -log_all -when set it changes the behaviour of "log body" to log the entire packet -rather than just the first 128 bytes. -.HP -log_size -sets the size of the in-kernel log buffer in bytes. -.HP -log_suppress -when set, IPFilter will check to see if the packet it is logging is -similar to the one it previously logged and if so, increases -the occurance count for that packet. The previously logged packet -must not have yet been read by ipmon(8). -.HP -min_ttl -is used to set the TTL value that packets below will be marked with -the low-ttl attribute. -.HP -nat_doflush -if set it will cause the NAT code to do a more aggressive flush of the -NAT table at the next opportunity. Once the flush has been done, the -value is reset to 0. -.HP -nat_lock -this should only be changed using ipfs(8) -.HP -nat_logging -when set, NAT will create log records that can be read from /dev/ipnat. -.HP -nat_maxbucket -maximum number of entries allowed to exist in each NAT hash bucket. -This prevents an attacker trying to load up the hash table with -entries in a single bucket, reducing performance. -.HP -nat_rules_size -size of the hash table to store map rules. -.HP -nat_table_max -maximum number of entries allowed into the NAT table -.HP -nat_table_size -size of the hash table used for NAT -.HP -nat_table_wm_high -when the fill percentage of the NAT table exceeds this mark, more -aggressive flushing is enabled. -.HP -nat_table_wm_low -this sets the percentage at which the NAT table's agressive flushing -will turn itself off at. -.HP -rdr_rules_size -size of the hash table to store rdr rules. -.HP -state_lock -this should only be changed using ipfs(8) -.HP -state_logging -when set, the stateful filtering will create log records -that can be read from /dev/ipstate. -.HP -state_max -maximum number of entries allowed into the state table -.HP -state_maxbucket -maximum number of entries allowed to exist in each state hash bucket. -This prevents an attacker trying to load up the hash table with -entries in a single bucket, reducing performance. -.HP -state_size -size of the hash table used for stateful filtering -.HP -state_wm_freq -this controls how often the agressive flushing should be run once the -state table exceeds state_wm_high in percentage full. -.HP -state_wm_high -when the fill percentage of the state table exceeds this mark, more -aggressive flushing is enabled. -.HP -state_wm_low -this sets the percentage at which the state table's agressive flushing -will turn itself off at. -.HP -tcp_close_wait -timeout used when a TCP state entry reaches the FIN_WAIT_2 state. -.HP -tcp_closed -timeout used when a TCP state entry is ready to be removed after either -a RST packet is seen. -.HP -tcp_half_closed -timeout used when a TCP state entry reaches the CLOSE_WAIT state. -.HP -tcp_idle_timeout -timeout used when a TCP state entry reaches the ESTABLISHED state. -.HP -tcp_last_ack -timeout used when a TCP NAT/state entry reaches the LAST_ACK state. -.HP -tcp_syn_received -timeout applied to a TCP NAT/state entry after SYN-ACK packet has been seen. -.HP -tcp_syn_sent -timeout applied to a TCP NAT/state entry after SYN packet has been seen. -.HP -tcp_time_wait -timeout used when a TCP NAT/state entry reaches the TIME_WAIT state. -.HP -tcp_timeout -timeout used when a TCP NAT/state entry reaches either the half established -state (one ack is seen after a SYN-ACK) or one side is in FIN_WAIT_1. -.HP -udp_ack_timeout -default timeout used for UDP NAT/state when a reply packet is seen for -a UDP state that already exists -.HP -udp_timeout -default timeout used for UDP NAT/state when the packet matches the rule -.HP -update_ipid -when set, turns on changing the IP id field in NAT'd packets to a random -number. -.SS Table of visible variables -.PP -A list of all of the tunables, their minimum, maximum and current -values is as follows. -.PP -.nf -Name Min Max Current -active 0 0 0 -chksrc 0 1 0 -control_forwarding 0 1 0 -default_pass 0 MAXUINT 134217730 -ftp_debug 0 10 0 -ftp_forcepasv 0 1 1 -ftp_insecure 0 1 0 -ftp_pasvonly 0 1 0 -ftp_pasvrdr 0 1 0 -ftp_single_xfer 0 1 0 -hostmap_size 1 MAXINT 2047 -icmp_ack_timeout 1 MAXINT 12 -icmp_minfragmtu 0 1 68 -icmp_timeout 1 MAXINT 120 -ip_timeout 1 MAXINT 120 -ipf_flags 0 MAXUINT 0 -ips_proxy_debug 0 10 0 -log_all 0 1 0 -log_size 0 524288 32768 -log_suppress 0 1 1 -min_ttl 0 1 4 -nat_doflush 0 1 0 -nat_lock 0 1 0 -nat_logging 0 1 1 -nat_maxbucket 1 MAXINT 22 -nat_rules_size 1 MAXINT 127 -nat_table_max 1 MAXINT 30000 -nat_table_size 1 MAXINT 2047 -nat_table_wm_high 2 100 99 -nat_table_wm_low 1 99 90 -rdr_rules_size 1 MAXINT 127 -state_lock 0 1 0 -state_logging 0 1 1 -state_max 1 MAXINT 4013 -state_maxbucket 1 MAXINT 26 -state_size 1 MAXINT 5737 -state_wm_freq 2 999999 20 -state_wm_high 2 100 99 -state_wm_low 1 99 90 -tcp_close_wait 1 MAXINT 480 -tcp_closed 1 MAXINT 60 -tcp_half_closed 1 MAXINT 14400 -tcp_idle_timeout 1 MAXINT 864000 -tcp_last_ack 1 MAXINT 60 -tcp_syn_received 1 MAXINT 480 -tcp_syn_sent 1 MAXINT 480 -tcp_time_wait 1 MAXINT 480 -tcp_timeout 1 MAXINT 480 -udp_ack_timeout 1 MAXINT 24 -udp_timeout 1 MAXINT 240 -update_ipid 0 1 0 -.fi -.SH Calling out to internal functions -.PP -IPFilter provides a pair of functions that can be called from a rule -that allow for a single rule to jump out to a group rather than walk -through a list of rules to find the group. If you've got multiple -networks, each with its own group of rules, this feature may help -provide better filtering performance. -.PP -The lookup to find which rule group to jump to is done on either the -source address or the destination address but not both. -.PP -In this example below, we are blocking all packets by default but then -doing a lookup on the source address from group 1010. The two rules in -the ipf.conf section are lone members of their group. For an incoming -packet that is from 1.1.1.1, it will go through three rules: (1) the -block rule, (2) the call rule and (3) the pass rule for group 1020. -For a packet that is from 3.3.2.2, it will also go through three rules: -(1) the block rule, (2) the call rule and (3) the pass rule for group -1030. Should a packet from 3.1.1.1 arrive, it will be blocked as it -does not match any of the entries in group 1010, leaving it to only -match the first rule. -.PP -.nf -from ipf.conf -------------- -block in all -call now srcgrpmap/1010 in all -pass in proto tcp from any to any port = 80 group 1020 -pass in proto icmp all icmp-type echo group 1030 - -from ippool.conf ----------------- -group-map in role=ipf number=1010 - { 1.1.1.1 group = 1020, 3.3.0.0/16 group = 1030; }; -.fi -.SS IPFilter matching expressions -.PP -An experimental feature that has been added to filter rules is to use -the same expression matching that is available with various commands -to flush and list state/NAT table entries. The use of such an expression -precludes the filter rule from using the normal IP header matching. -.PP -.nf -pass in exp { "tcp.sport 23 or tcp.sport 50" } keep state -.fi -.SS Filter rules with BPF -.PP -On platforms that have the BPF built into the kernel, IPFilter can be -built to allow BPF expressions in filter rules. This allows for packet -matching to be on arbitrary data in the packt. The use of a BPF expression -replaces all of the other protocol header matching done by IPFilter. -.PP -.nf -pass in bpf-v4 { "tcp and (src port 23 or src port 50)" } \\ - keep state -.fi -.PP -These rules tend to be -write-only because the act of compiling the filter expression into the -BPF instructions loaded into the kernel can make it difficut to -accurately reconstruct the original text filter. The end result is that -while ipf.conf() can be easy to read, understanding the output from -ipfstat might not be. -.SH VARIABLES -.PP -This configuration file, like all others used with IPFilter, supports the -use of variable substitution throughout the text. -.PP -.nf -nif="ppp0"; -pass in on $nif from any to any -.fi -.PP -would become -.PP -.nf -pass in on ppp0 from any to any -.fi -.PP -Variables can be used recursively, such as 'foo="$bar baz";', so long as -$bar exists when the parser reaches the assignment for foo. -.PP -See -.B ipf(8) -for instructions on how to define variables to be used from a shell -environment. -.DT -.SH FILES -/dev/ipf -/etc/ipf.conf -.br -/usr/share/examples/ipfilter Directory with examples. -.SH SEE ALSO -ipf(8), ipfstat(8), ippool.conf(5), ippool(8) |