path: root/sbin/ipfw/ipfw.8
blob: c1f099218d315fcdc7c41d977c8bd8e2c109bb9e
.Dd November 16, 1994
.Dt IPFW 8
.Os
.Sh NAME
ipfw - controlling utility for the ipfw/ipacct facilities

.Sh SYNOPSIS

 ipfw [-vn] <entry-action>  <chain entry pattern>
 ipfw [-vn] <check-action>  <packet pattern>
 ipfw [-vn] <chain-action>  <chain[s] type>

.Sh DESCRIPTION
 In the first synopsis form, the ipfw utility adds or removes
entries of the blocking/forwarding/accounting chains.
 In the second synopsis form, the ipfw utility checks whether a given
IP packet type is accepted or denied by the blocking/forwarding firewall.
 In the third synopsis form, the ipfw utility performs global actions
on chains: zeroing of counters, and flushing or listing of chain entries
and their counter values.

The following options are available:

-v   be verbose. The meaning of this option varies depending on ipfw
     usage.

-n   do not resolve anything.  When setting entries, do not try to resolve
     a given address.   When listing, display addresses in numeric form.

These are <entry-actions>:
	
  addb[locking] - add entry to blocking firewall.
  delb[locking] - remove entry from blocking firewall.
  addf[orwarding] - add entry to forwarding firewall.
  delf[orwarding] - remove entry from forwarding firewall.
  adda[ccounting] - add entry to accounting chain.
  dela[ccounting] - remove entry from accounting chain.

These are <check-actions>:
  checkb[locking] - check packet against blocking firewall.
  checkf[orwarding] - check packet against forwarding firewall.

These are <chain-actions>:
  f[lush] - remove all entries in firewall/accounting chains.
  l[ist] - show all entries in blocking/forwarding/accounting chains.
  z[ero] - clear chain counters (for now accounting only).
  p[olicy] - define default firewall policy.

 The <chain-entry pattern> is built like this:
 For forwarding/blocking chains:
  d[eny] <proto/addr pattern>
  a[ccept] <proto/addr pattern>
 For accounting chain:
  s[ingle] <proto/addr pattern>
  b[idirectional] <proto/addr pattern>
    
 The <proto/addr pattern> is:
  all|icmp from  <src addr/mask> to <dst addr/mask>
  tcp|udp  from  <src addr/mask> [ports] to <dst addr/mask> [ports]
    
  <src addr/mask>:
    <INET IP addr | domain name> [/mask bits | :mask pattern]
  [ports]:
    [port,port,...|port:port], where a service name can be
    used instead of a numeric port value.
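As an added illustration of the <chain-entry pattern> grammar above (this is not code from ipfw itself), the following Python parser turns one entry pattern into a structured rule and checks a packet tuple against it; the HOSTS and SERVICES tables are constructed stand-ins for the DNS and /etc/services lookups that -n suppresses, and the addresses in them are invented.

```python
import ipaddress

# Constructed stand-ins (assumption) for the DNS and /etc/services lookups that -n suppresses.
HOSTS = {"hacker.evil.org": "192.0.2.10", "wolf.tambov.su": "198.51.100.5",
         "my.host.org": "198.51.100.7"}
SERVICES = {"telnet": 23, "ftp": 21, "smtp": 25}
ACTIONS = {"d": "deny", "a": "accept", "s": "single", "b": "bidirectional"}

def parse_addr(tok):
    """<addr>[/mask bits | :mask pattern] -> ip_network; a bare address is one host."""
    host, _, mask = tok.partition("/") if "/" in tok else tok.partition(":")
    host = HOSTS.get(host, host)                 # resolve a name, keep a literal as-is
    return ipaddress.ip_network(f"{host}/{mask or 32}", strict=False)

def port_num(tok):
    return int(tok) if tok.isdigit() else SERVICES[tok]   # number or service name

def parse_ports(tok):
    """'23' | 'telnet,ftp' | '1024:65535' -> predicate over a port number."""
    if ":" in tok:
        lo, hi = (port_num(p) for p in tok.split(":", 1))
        return lambda p: lo <= p <= hi
    allowed = {port_num(p) for p in tok.split(",")}
    return lambda p: p in allowed

def parse_rule(text):
    """Parse one <chain-entry pattern>, e.g. 'deny tcp from a.b.c to d.e.f telnet'."""
    toks = text.split()
    rule = {"action": ACTIONS[toks[0][0]], "proto": toks[1],
            "sports": lambda p: True, "dports": lambda p: True}
    if toks[2] != "from" or rule["proto"] not in ("all", "icmp", "tcp", "udp"):
        raise ValueError(f"bad pattern: {text!r}")
    rule["src"] = parse_addr(toks[3])
    i = 4
    if toks[i] != "to":                          # optional source ports
        rule["sports"], i = parse_ports(toks[i]), i + 1
    rule["dst"] = parse_addr(toks[i + 1])
    if len(toks) > i + 2:                        # optional destination ports
        rule["dports"] = parse_ports(toks[i + 2])
    if rule["proto"] not in ("tcp", "udp") and (i != 4 or len(toks) > 6):
        raise ValueError("ports are only valid with tcp or udp")
    return rule

def matches(rule, proto, src, sport, dst, dport):
    """True if the entry's proto/addr pattern covers this packet tuple."""
    return (rule["proto"] in ("all", proto)
            and ipaddress.ip_address(src) in rule["src"]
            and ipaddress.ip_address(dst) in rule["dst"]
            and rule["sports"](sport) and rule["dports"](dport))
```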

When an entry is added to a chain with the -v option, the entry is added
with the PRN flag set.

The <packet pattern> is built exactly like the <chain-entry pattern>.

 The l[ist] command may be passed
f[orwarding]|b[locking]|a[ccounting] to list a specific chain, or no
argument to list all of them. The -v option changes the output format so that
packet/byte counters are printed. The standard output format is fully suitable
for use as a <chain-entry pattern>.

 The f[lush] command may be passed
f[irewall]|a[ccounting] to remove all entries from the forwarding/blocking
chains or from the accounting chain. With no argument it removes all chain entries.
 
 The z[ero] command takes no arguments; all counters of the accounting
chain are zeroed.

 The p[olicy] command accepts a[ccept]|d[eny] to set the default policy
to accepting or denial. With no argument the current default policy is displayed.

.Sh EXAMPLES

 This command adds an entry which denies all tcp packets from
hacker.evil.org to the telnet port of wolf.tambov.su from being
forwarded by the host:
  ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet
 
 This one disallows any connection from the entire hackers' network
to my host:
  ipfw addb deny all from 123.45.67.8/24 to my.host.org

 Here is a useful use of the l[ist] command to see accounting records:
  ipfw -v list accounting (or in short form: ipfw -v l a ).
 
 Many more examples can be found in the files:
  /usr/share/misc/ipfw.samp.filters
  /usr/share/misc/ipfw.samp.scripts

.Sh SEE ALSO
ipfirewall(4), ipaccounting(4), reboot(8)

.Sh BUGS
 WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
 This program can put your computer in a rather unusable state.
The first time, try using it from the console and do *NOT* do anything
you don't understand.
 Remember that "ipfw flush" can solve all the problems.
Also bear in mind that "ipfw policy deny" combined with
some wrong chain entry (possibly the only entry, which was designed
to deny some external packets) can close your computer off from
the outer world for good.
  Besides misuse, the only known bug is that an entry added
with the -v option set should be deleted with the same option,
but there is no way to see this in the list command.

.Sh HISTORY
 Initially this utility was written for BSDI by:
  Daniel Boulet    <danny@BouletFermat.ab.ca> 
 The FreeBSD version is written completely by:
  Ugen J.S.Antsilevich <ugen@NetVision.net.il>
 while the synopsis is partially compatible with the old one.