Diffstat (limited to 'contrib/ipfilter/man/ipfilter.4.mandoc')
 contrib/ipfilter/man/ipfilter.4.mandoc (mode -rw-r--r--) | 267 -
 1 file changed, 0 insertions(+), 267 deletions(-)
diff --git a/contrib/ipfilter/man/ipfilter.4.mandoc b/contrib/ipfilter/man/ipfilter.4.mandoc deleted file mode 100644 index 22e1f36450b6..000000000000 --- a/contrib/ipfilter/man/ipfilter.4.mandoc +++ /dev/null 
@@ -1,267 +0,0 @@ -.Dd December 8, 2000 -.Dt IP\ FILTER 4 -.Os -.Sh NAME -.Nm IP Filter -.Nd Introduction to IP packet filtering -.Sh DESCRIPTION -IP Filter is a TCP/IP packet filter, suitable for use in a firewall -environment. To use, it can either be used as a loadable kernel module or -incorporated into your UNIX kernel; use as a loadable kernel module where -possible is highly recommended. Scripts are provided to install and patch -system files, as required. -.Sh FEATURES -The IP packet filter can: -.Bl -bullet -offset indent -compact -.It -explicitly deny/permit any packet from passing through -.It -distinguish between various interfaces -.It -filter by IP networks or hosts -.It -selectively filter any IP protocol -.It -selectively filter fragmented IP packets -.It -selectively filter packets with IP options -.It -send back an ICMP error/TCP reset for blocked packets -.It -keep packet state information for TCP, UDP and ICMP packet flows -.It -keep fragment state information for any IP packet, applying the same rule -to all fragments. -.It -act as a Network Address Translator (NAT) -.It -use redirection to setup true transparent proxy connections -.It -provide packet header details to a user program for authentication -.It -in addition, supports temporary storage of pre-authenticated rules for passing packets through -.El -.Pp -Special provision is made for the three most common Internet protocols, TCP, -UDP and ICMP. 
The IP Packet filter allows filtering of: -.Bl -bullet -offset indent -compact -.It -Inverted host/net matchingTCP/UDP packets by port number or a port number -range -.It -ICMP packets by type/code -.It -"established" TCP packets -.It -On any arbitrary combination of TCP flags -.It -"short" (fragmented) IP packets with incomplete headers can be filtered -.It -any of the 19 IP options or 8 registered IP security classes TOS (Type of -Service) field in packets -.El -.Pp -To keep track of the performance of the IP packet filter, a logging device -is used which supports logging of: -.Bl -bullet -offset indent -compact -.It -the TCP/UDP/ICMP and IP packet headers -.It -the first 128 bytes of the packet (including headers) -.El -.Pp -A packet can be logged when: -.Bl -bullet -offset indent -compact -.It -it is successfully passed through -.It -it is blocked from passing through -.It -it matches a rule setup to look for suspicious packets -.El -.Pp -IP Filter keeps its own set of statistics on: -.Bl -bullet -offset indent -compact -.It -packets blocked -.It -packets (and bytes!) used for accounting -.It -packets passed -.li -packets logged -.It -attempts to log which failed (buffer full) -.El -and much more, for packets going both in and out. - -.Sh Tools -The current implementation provides a small set of tools, which can easily -be used and integrated with regular unix shells and tools. A brief description -of the tools provided: -.Pp -.Xr ipf 8 -reads in a set of rules, from either stdin or a file, and adds them to -the kernels current list (appending them). It can also be used to flush the -current filter set or delete individual filter rules. The file format is -described in -.Xr ipf 5 . -.Pp -.Xr ipfs 8 -is a utility to temporarily lock the IP Filter kernel tables (state tables -and NAT mappings) and write them to disk. After that the system can be -rebooted, and ipfs can be used to read these tables from disk and restore -them into the kernel. 
This way the system can be rebooted without the -connections being terminated. -.Pp -.Xr ipfstat 8 -interrogates the kernel for statistics on packet filtering, so -far, and retrieves the list of filters in operation for inbound and outbound -packets. -.Pp -.Xr ipftest 1 -reads in a filter rule file and then applies sample IP packets to -the rule file. This allows for testing of filter list and examination of how -a packet is passed along through it. -.Pp -.Xr ipmon 8 -reads buffered data from the logging device (default is /dev/ipl) -for output to either: -.Bl -bullet -offset indent -compact -.It -screen (standard output) -.It -file -.It -syslog -.El -.Pp -.Xr ipsend 1 -generates arbitary IP packets for ethernet connected machines. -.Pp -.Xr ipresend 1 -reads in a data file of saved IP packets (ie -snoop/tcpdump/etherfind output) and sends it back across the network. -.Pp -.Xr iptest 1 -contains a set of test "programs" which send out a series of IP -packets, aimed at testing the strength of the TCP/IP stack at which it is -aimed at. WARNING: this may crash machine(s) targeted! -.Pp -.Xr ipnat 8 -reads in a set of rules, from either stdin or a file and adds them -to the kernels current list of active NAT rules. NAT rules can also be -deleted using ipnat. The format of the configuration file to be used -with ipnat is described in -.Xr ipnat 5 . -.Pp -For use in your own programs (e.g. for writing of transparent application -proxies), the programming interface and the associated ioctl's are -documented in -.Xr ipf 4 . - -Documentation on ioctl's and the format of data saved -to the logging character device is provided in -.Xr ipl 4 -so that you may develop your own applications to work with or in place of any -of the above. - -Similar, the interface to the NAT code is documented in -.Xr ipnat 4 . - -.Sh PACKET PROCESSING FLOW -The following diagram illustrates the flow of TCP/IP packets through the -various stages introduced by IP Filter. 
-.Pp -.nf - IN - | - V - +-------------------------+--------------------------+ - | | | - | V | - | Network Address Translation | - | | | - | authenticated | | - | +-------<---------+ | - | | | | - | | V | - | V IP Accounting | - | | | | - | | V | - | | Fragment Cache Check--+ | - | | | | | - | V V V | - | | Packet State Check-->+ | - | | | | | - | | +->--+ | | | - | | | | V | | - | V groups IP Filtering V | - | | | | | | | - | | +--<-+ | | | - | | | | | - | +---------------->|<-----------+ | - | | | - | V | - | +---<----+ | - | | | | - | function | | - | | V | - | +--->----+ | - | | | - | V | - +--|---<--- fast-route ---<--+ | - | | | | - | | V | - | +-------------------------+--------------------------+ - | | - | pass only - | | - | V - V [KERNEL TCP/IP Processing] - | | - | +-------------------------+--------------------------+ - | | | | - | | V | - | | Fragment Cache Check--+ | - | | | | | - | | V V | - | | Packet State Check-->+ | - | | | | | - | | V | | - V | IP Filtering | | - | | | V | - | | |<-----------+ | - | | V | - | | IP Accounting | - | | | | - | | V | - | | Network Address Translation | - | | | | - | | V | - | +-------------------------+--------------------------+ - | | - | pass only - V | - +--------------------------->| - V - OUT -.fi - -.Sh MORE INFORMATION -More information (including pointers to the FAQ and the mailing list) can be -obtained from the sofware's official homepage: www.ipfilter.org - -.Sh SEE ALSO -.Xr ipf 4 , -.Xr ipf 5 , -.Xr ipf 8 , -.Xr ipfilter 5 , -.Xr ipfs 8 , -.Xr ipfstat 8 , -.Xr ipftest 1 , -.Xr ipl 4 , -.Xr ipmon 8 , -.Xr ipnat 4 , -.Xr ipnat 8 , - |
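Review bot: this hunk deletes contrib/ipfilter/man/ipfilter.4.mandoc outright and the diff carries no replacement, so the only page in this change that documents the end-to-end packet processing flow (NAT, then accounting, fragment cache check, state check and filtering on the way in, and the reverse order on the way out), the ipmon/ipl logging device and its statistics, and the pointers to the ipf(4), ipl(4) and ipnat(4) programming interfaces disappears from the installed manuals. If the text has moved to a non-.mandoc source (the deleted SEE ALSO list already names an ipfilter 5 page, so a sibling ipfilter.4 seems likely), please have git record it as a rename rather than a delete so the history stays attached and reviewers can diff the old and new text; if the removal is intentional, the commit message should say where readers should now look, including the www.ipfilter.org pointer from the MORE INFORMATION section. Either way, the other manual pages that cross-reference ipfilter(4) in their SEE ALSO sections need to be updated in the same change so the references do not dangle.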