aboutsummaryrefslogtreecommitdiff
path: root/contrib/ipfilter/man/ipfilter.4.mandoc
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/ipfilter/man/ipfilter.4.mandoc')
-rw-r--r--contrib/ipfilter/man/ipfilter.4.mandoc267
1 files changed, 0 insertions, 267 deletions
diff --git a/contrib/ipfilter/man/ipfilter.4.mandoc b/contrib/ipfilter/man/ipfilter.4.mandoc
deleted file mode 100644
index 22e1f36450b6..000000000000
--- a/contrib/ipfilter/man/ipfilter.4.mandoc
+++ /dev/null
@@ -1,267 +0,0 @@
-.Dd December 8, 2000
-.Dt IP\ FILTER 4
-.Os
-.Sh NAME
-.Nm IP Filter
-.Nd Introduction to IP packet filtering
-.Sh DESCRIPTION
-IP Filter is a TCP/IP packet filter, suitable for use in a firewall
-environment. To use, it can either be used as a loadable kernel module or
-incorporated into your UNIX kernel; use as a loadable kernel module where
-possible is highly recommended. Scripts are provided to install and patch
-system files, as required.
-.Sh FEATURES
-The IP packet filter can:
-.Bl -bullet -offset indent -compact
-.It
-explicitly deny/permit any packet from passing through
-.It
-distinguish between various interfaces
-.It
-filter by IP networks or hosts
-.It
-selectively filter any IP protocol
-.It
-selectively filter fragmented IP packets
-.It
-selectively filter packets with IP options
-.It
-send back an ICMP error/TCP reset for blocked packets
-.It
-keep packet state information for TCP, UDP and ICMP packet flows
-.It
-keep fragment state information for any IP packet, applying the same rule
-to all fragments.
-.It
-act as a Network Address Translator (NAT)
-.It
-use redirection to setup true transparent proxy connections
-.It
-provide packet header details to a user program for authentication
-.It
-in addition, supports temporary storage of pre-authenticated rules for passing packets through
-.El
-.Pp
-Special provision is made for the three most common Internet protocols, TCP,
-UDP and ICMP. The IP Packet filter allows filtering of:
-.Bl -bullet -offset indent -compact
-.It
-Inverted host/net matchingTCP/UDP packets by port number or a port number
-range
-.It
-ICMP packets by type/code
-.It
-"established" TCP packets
-.It
-On any arbitrary combination of TCP flags
-.It
-"short" (fragmented) IP packets with incomplete headers can be filtered
-.It
-any of the 19 IP options or 8 registered IP security classes TOS (Type of
-Service) field in packets
-.El
-.Pp
-To keep track of the performance of the IP packet filter, a logging device
-is used which supports logging of:
-.Bl -bullet -offset indent -compact
-.It
-the TCP/UDP/ICMP and IP packet headers
-.It
-the first 128 bytes of the packet (including headers)
-.El
-.Pp
-A packet can be logged when:
-.Bl -bullet -offset indent -compact
-.It
-it is successfully passed through
-.It
-it is blocked from passing through
-.It
-it matches a rule setup to look for suspicious packets
-.El
-.Pp
-IP Filter keeps its own set of statistics on:
-.Bl -bullet -offset indent -compact
-.It
-packets blocked
-.It
-packets (and bytes!) used for accounting
-.It
-packets passed
-.li
-packets logged
-.It
-attempts to log which failed (buffer full)
-.El
-and much more, for packets going both in and out.
-
-.Sh Tools
-The current implementation provides a small set of tools, which can easily
-be used and integrated with regular unix shells and tools. A brief description
-of the tools provided:
-.Pp
-.Xr ipf 8
-reads in a set of rules, from either stdin or a file, and adds them to
-the kernels current list (appending them). It can also be used to flush the
-current filter set or delete individual filter rules. The file format is
-described in
-.Xr ipf 5 .
-.Pp
-.Xr ipfs 8
-is a utility to temporarily lock the IP Filter kernel tables (state tables
-and NAT mappings) and write them to disk. After that the system can be
-rebooted, and ipfs can be used to read these tables from disk and restore
-them into the kernel. This way the system can be rebooted without the
-connections being terminated.
-.Pp
-.Xr ipfstat 8
-interrogates the kernel for statistics on packet filtering, so
-far, and retrieves the list of filters in operation for inbound and outbound
-packets.
-.Pp
-.Xr ipftest 1
-reads in a filter rule file and then applies sample IP packets to
-the rule file. This allows for testing of filter list and examination of how
-a packet is passed along through it.
-.Pp
-.Xr ipmon 8
-reads buffered data from the logging device (default is /dev/ipl)
-for output to either:
-.Bl -bullet -offset indent -compact
-.It
-screen (standard output)
-.It
-file
-.It
-syslog
-.El
-.Pp
-.Xr ipsend 1
-generates arbitary IP packets for ethernet connected machines.
-.Pp
-.Xr ipresend 1
-reads in a data file of saved IP packets (ie
-snoop/tcpdump/etherfind output) and sends it back across the network.
-.Pp
-.Xr iptest 1
-contains a set of test "programs" which send out a series of IP
-packets, aimed at testing the strength of the TCP/IP stack at which it is
-aimed at. WARNING: this may crash machine(s) targeted!
-.Pp
-.Xr ipnat 8
-reads in a set of rules, from either stdin or a file and adds them
-to the kernels current list of active NAT rules. NAT rules can also be
-deleted using ipnat. The format of the configuration file to be used
-with ipnat is described in
-.Xr ipnat 5 .
-.Pp
-For use in your own programs (e.g. for writing of transparent application
-proxies), the programming interface and the associated ioctl's are
-documented in
-.Xr ipf 4 .
-
-Documentation on ioctl's and the format of data saved
-to the logging character device is provided in
-.Xr ipl 4
-so that you may develop your own applications to work with or in place of any
-of the above.
-
-Similar, the interface to the NAT code is documented in
-.Xr ipnat 4 .
-
-.Sh PACKET PROCESSING FLOW
-The following diagram illustrates the flow of TCP/IP packets through the
-various stages introduced by IP Filter.
-.Pp
-.nf
- IN
- |
- V
- +-------------------------+--------------------------+
- | | |
- | V |
- | Network Address Translation |
- | | |
- | authenticated | |
- | +-------<---------+ |
- | | | |
- | | V |
- | V IP Accounting |
- | | | |
- | | V |
- | | Fragment Cache Check--+ |
- | | | | |
- | V V V |
- | | Packet State Check-->+ |
- | | | | |
- | | +->--+ | | |
- | | | | V | |
- | V groups IP Filtering V |
- | | | | | | |
- | | +--<-+ | | |
- | | | | |
- | +---------------->|<-----------+ |
- | | |
- | V |
- | +---<----+ |
- | | | |
- | function | |
- | | V |
- | +--->----+ |
- | | |
- | V |
- +--|---<--- fast-route ---<--+ |
- | | | |
- | | V |
- | +-------------------------+--------------------------+
- | |
- | pass only
- | |
- | V
- V [KERNEL TCP/IP Processing]
- | |
- | +-------------------------+--------------------------+
- | | | |
- | | V |
- | | Fragment Cache Check--+ |
- | | | | |
- | | V V |
- | | Packet State Check-->+ |
- | | | | |
- | | V | |
- V | IP Filtering | |
- | | | V |
- | | |<-----------+ |
- | | V |
- | | IP Accounting |
- | | | |
- | | V |
- | | Network Address Translation |
- | | | |
- | | V |
- | +-------------------------+--------------------------+
- | |
- | pass only
- V |
- +--------------------------->|
- V
- OUT
-.fi
-
-.Sh MORE INFORMATION
-More information (including pointers to the FAQ and the mailing list) can be
-obtained from the sofware's official homepage: www.ipfilter.org
-
-.Sh SEE ALSO
-.Xr ipf 4 ,
-.Xr ipf 5 ,
-.Xr ipf 8 ,
-.Xr ipfilter 5 ,
-.Xr ipfs 8 ,
-.Xr ipfstat 8 ,
-.Xr ipftest 1 ,
-.Xr ipl 4 ,
-.Xr ipmon 8 ,
-.Xr ipnat 4 ,
-.Xr ipnat 8 ,
-
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-23 21:21:42 +0000