path: root/sbin/ipf/ipf.8
Diffstat (limited to 'sbin/ipf/ipf.8')
-rw-r--r--  sbin/ipf/ipf.8  348
1 files changed, 256 insertions, 92 deletions
diff --git a/sbin/ipf/ipf.8 b/sbin/ipf/ipf.8
index ba4a4e0bc0d..132b21e0b2e 100644
--- a/sbin/ipf/ipf.8
+++ b/sbin/ipf/ipf.8
@@ -1,129 +1,293 @@
-.\" $OpenBSD: ipf.8,v 1.11 1999/07/06 19:15:01 kjell Exp $
-.Dd February 6, 1999
+.\" $OpenBSD: ipf.8,v 1.12 1999/07/08 03:10:03 aaron Exp $
+.Dd July 7, 1999
.Dt IPF 8
.Os
.Sh NAME
.Nm ipf
-.Nd "alters packet filtering lists for IP packet input and output"
+.Nd "manage IP packet filtering and firewalling rules"
.Sh SYNOPSIS
.Nm ipf
-.Op Fl AdDEInorsvyzZ
-.Op Fl l Ar block|pass|nomatch
-.Op Fl F Ar i|o|a|s|S
+.Op Fl AdDEInorsUvyzZ
.Op Fl f Ar filename
.Sh DESCRIPTION
+The
.Nm
-opens the filenames listed (treating
-.Sq \-
-as stdin) and parses the
-file for a set of rules which are to be added or removed from the packet
-filter rule set.
+utility allows the insertion and removal of TCP/IP packet filtering and
+firewalling rules.
+.Nm
+can be used for anything from very simple tasks (i.e., preventing a host from
+replying to ping packets), to installing complex rulesets for a firewall to
+to protect an entire network.
+.Pp
+Based on the specified rules,
+.Nm
+can explicitly deny/permit any inbound or outbound packet on any interface,
+filter by IP networks or hosts, selectively filter packets by protocol and/or
+protocol options, keep packet state information for TCP, UDP, and ICMP packet
+flows, track fragment state information for IP packets (applying the same rules
+to all fragments), and much more.
.Pp
-Each rule processed by
.Nm
-is added to the kernel's internal lists if there are no parsing problems.
-Rules are added to the end of the internal lists, matching the order in
-which they appear when given to
-.Nm ipf .
-.Sh OPTIONS
+provides special capabilities for the most common Internet protocols. Both
+TCP and UDP packets may be filtered by port number or port range, or ICMP
+packets by type/code. Rules may filter packets on any arbitrary combination of
+TCP flags, IP options, IP security classes, or Type of Service (TOS).
+.Nm
+also supports inverted host/net matching.
+.Pp
+To get started, follow these steps:
+.Bl -enum -offset indent
+.It
+Edit
+.Pa /etc/rc.conf
+and set
+.Cm ipfilter=YES .
+This will cause
+.Nm
+to install the ruleset specified in
+.Pa /etc/ipf.rules
+each time the system is booted.
+.It
+Check that the kernel has been compiled with
+.Cm option IPFILTER
+(see
+.Xr options 4 ) .
+Refer to
+.Xr afterboot 8
+for further instructions on compiling a custom kernel.
+.It
+Edit
+.Pa /etc/sysctl.conf
+and set
+.Cm net.inet.ip.forwarding=1
+if this machine is to act as a firewall. This step is not necessary for hosts
+which are only filtering packets for themselves, but won't hurt either way.
+.El
+.Pp
+Once these steps are complete a rule file may be created. A very
+simple rule file might contain the following:
+.Pp
+.Dl pass in from any to any
+.Dl pass out from any to any
+.Pp
+Here we're passing all packets and not doing any filtering. This is a
+recommended starting point since it allows the current configuration to be
+tested before formulating and installing a more restrictive ruleset. For
+example, the following:
+.Pp
+.Dl "block in on we0 proto tcp from foo/32 to any"
+.Pp
+This would block all incoming TCP packets on interface
+.Dq we0
+from host
+.Dq foo
+to any internal destination. If this file is
+.Pa /etc/ipf.rules
+(the default location), the following command will flush the kernel's current
+ruleset, install the new ruleset, and enable
+.Pq Fl E
+.Nm ipf :
+.Pp
+.Dl "ipf -Fa -f /etc/ipf.rules -E"
+.Pp
+(This is the exact command executed by the
+.Pa /etc/rc
+script at boot-time if
+.Cm ipfilter=YES
+in
+.Pa /etc/rc.conf . )
+.Pp
+Please see
+.Xr ipf 5
+for a complete description of the
+.Nm
+rules file format and the example files in
+.Pa /usr/share/ipf .
+.Pp
+In addition to
+.Dq active
+rulesets (those installed into the kernel which dictate the current filtering
+policies),
+.Nm
+can maintain a separate
+.Dq inactive
+ruleset simultaneously. Inactive rulesets are useful for debugging pending or
+proposed changes to the active ruleset (see
+.Fl I
+option below).
+.Pp
+The following options are available:
.Bl -tag -width Ds
.It Fl A
-Set the list to make changes to the active list (default).
-.It Fl d
-Turn debug mode on. Causes a hexdump of filter rules to be generated as
-it processes each one.
+Apply changes to the active ruleset. This is the default.
+.It Fl I
+Apply changes to the inactive ruleset.
.It Fl D
-Disable the filter (if enabled). Not effective for loadable kernel versions.
+Disable the filter (if enabled).
.It Fl E
-Enable the filter (if disabled). Not effective for loadable kernel versions.
-.It Fl F Ar i|o|a
-This option specifies which filter list to flush. The parameter should
-either be "i" (input), "o" (output) or "a" (remove all filter rules).
-Either a single letter or an entire word starting with the appropriate
-letter maybe used. This option maybe before, or after, any other with
-the order on the command line being that used to execute options.
-.It Fl F Ar s|S
-To flush entries from the state table, the
-.Fl -F
-option is used in
-conjunction with either "s" (removes state information about any non-fully
-established connections) or "S" (deletes the entire state table). Only
-one of the two options may be given. A fully established connection
-will show up in
-.Li ipfstat -s
-output as 4/4, with deviations either way indicating it is not
-fully established any more.
+Enable the filter (if disabled).
+.It Fl F Ar list
+Flush filter lists.
+.Ar list
+is one of
+.Sq i
+(input rules),
+.Sq o
+(output rules),
+or
+.Sq a
+(all filtering rules).
+.It Fl F Ar table
+Flush entries from state tables. If
+.Ar table
+is
+.Sq s ,
+.Nm
+removes any state information about connections that are non-fully established.
+If
+.Sq S ,
+.Nm
+removes the entire state table. Only one of the two options may be specified.
+A fully established connection will appear in
+.Ic ipfstat -s output
+as
+.Dq 4/4 ;
+any deviations indicate a connection that has not completed the three-way
+handshake.
+.It Fl d
+Enable debug mode. Causes a hexdump of filter rules to be generated as it
+processes each one.
.It Fl f Ar filename
-This option specifies which files
+Read, parse, and process the
.Nm
-should use to get input from for modifying the packet filter rule lists.
-.It Fl I
-Set the list to make changes to the inactive list.
-.It Fl l Ar pass|block|nomatch
-Use of the
-.Fl l
-flag toggles default logging of packets. Valid arguments to this option are
-.Ar pass ,
-.Ar block
-and
-.Ar nomatch .
-When an option is set, any packet which exits filtering and matches the
-set category is logged. This is most useful for causing all packets
-which don't match any of the loaded rules to be logged.
+rules contained in
+.Ar filename .
+If
+.Ar filename
+is
+.Ql - ,
+.Nm
+reads from the standard input.
+All valid rules are installed into the kernel's internal rule list using the
+interface described by
+.Xr ipf 4 .
+Blank lines and lines beginning with
+.Ql #
+(comments) are ignored.
.It Fl n
-This flag (no-change) prevents
+No change. Prevent
.Nm
-from actually making any ioctl calls or doing anything which would
-alter the currently running kernel.
+from actually changing the state of the in-kernel filtering configuration.
.It Fl o
-Force rules by default to be added/deleted to/from the output list, rather
-than the (default) input list.
-.It Fl r
-Remove matching filter rules rather than add them to the internal lists
+Force rules to be added/deleted to/from the output list rather than the
+(default) input list.
.It Fl s
-Swap the active filter list in use to be the "other" one.
+Swap the active and inactive rulesets.
+.It Fl r
+Remove matching filter rules rather than add them to the in-kernel lists.
.It Fl v
-Turn verbose mode on. Displays information relating to rule processing.
+Enable verbose mode.
+.Nm
+will echo each of the successfully processed rules to the standard output. The
+original rule and any error messages that result will be echoed to standard
+error.
.It Fl y
-Manually resync the in-kernel interface list maintained by IP Filter with
-the current interface status list.
+Force
+.Nm
+to synchronize the IP filter's in-kernel network interface list with the
+current system interface list. In particular, if an interface's IP address
+changes (i.e., due to a DHCP operation),
+.Nm
+must be executed with this option.
.It Fl z
-For each rule in the input file, reset the statistics for it to zero and
-display the statistics prior to them being zeroed.
+For each rule in the input file, display its statistics, then reset them to 0.
.It Fl Z
-Zero global statistics held in the kernel for filtering only (this doesn't
-affect fragment or state statistics).
+Globally reset all in-kernel filtering statistics to 0 (does not affect
+fragment or state statistics).
.El
-.Sh FILES
-.Bl -tag -width /usr/share/ipf -compact
-.It Pa /usr/share/ipf
-location of sample configuration files
-.It Pa /dev/ipauth
-name of the
-.Nm
-auth socket
-.It Pa /dev/ipl
-name of the
-.Nm
-logging socket
-.It Pa /dev/ipstate
-name of the
+.Sh EXAMPLES
+To flush all in-kernel filtering lists, install the ruleset contained in
+.Pa /etc/ipf.rules
+into the active list, and enable IP filtering:
+.Pp
+.Dl ipf -A -Fa -f /etc/ipf.rules
+.Pp
+It is advisable to work with an inactive filtering list before commiting new
+rules to the active in-kernel filtering list. To load a ruleset into the
+inactive list:
+.Pp
+.Dl ipf -I -Fa -f /etc/ipf.rules
+.Pp
+The verbose
+.Pq Fl v
+option is useful for verifying that rules are being processed as
+expected and is often used in conjunction with the inactive
+.Pq Fl I
+ruleset:
+.Pp
+.Dl ipf -I -Fa -vf /etc/ipf.rules
+.Pp
+After the inactive ruleset has been tested and seems to be processed correctly,
+use the
+.Fl s
+option to swap it with the active ruleset so that it represents the new
+filtering policy for the system:
+.Pp
+.Dl ipf -s
+.Pp
+Consider a system manager who administers
.Nm
-state socket
+remotely and has made changes to the
+.Pa /etc/ipf.rules
+file on the remote system. The following command sequence is noteworthy:
+.Pp
+.Dl ipf -I -Fa -f /etc/ipf.rules
+.Dl ipf -s; sleep 10; ipf -s
+.Pp
+The first command installs the new ruleset into the inactive filtering list.
+The second command first swaps the inactive (new) rules with the active (old)
+rules. After entering the second command, type some characters. If the
+characters are echoed the new ruleset is possibly valid. If not, within 10
+seconds the old ruleset will be re-installed. This trick is useful for
+minimizing service disruptions.
+.Sh NOTES
+Rules are checked in the order they are specified. The last matching rule
+wins, except when the
+.Dq quick
+keyword is present (see
+.Xr ipf 5 ) .
+.Pp
+Note that
+.Fl F Ns No a
+does not affect the state table. To view the current state table, use the
+.Xr ipfstat 8
+program:
+.Pp
+.Dl ipfstat -s
+.Pp
+To remove all active state entries:
+.Pp
+.Dl ipf -FS
+.Sh FILES
+.Bl -tag -width /usr/share/ipf/example.* -compact
+.It /usr/share/ipf/example.*
+sample rule files
+.It /dev/ipfauth
+ipf authentication socket
+.It /dev/ipl
+ipf logging socket
+.It /dev/ipstate
+ipf state socket
.El
.Sh SEE ALSO
-.Xr ipftest 1 ,
.Xr ipf 4 ,
.Xr ipl 4 ,
.Xr ipnat 4 ,
.Xr ipf 5 ,
.Xr ipfstat 8 ,
+.Xr ipftest 8 ,
.Xr ipmon 8 ,
.Xr ipnat 8
.Pp
-http://coombs.anu.edu.au/ipfilter/
-.Sh DIAGNOSTICS
-Needs to be run as root for the packet filtering lists to actually
-be affected inside the kernel.
-.Sh BUGS
-If you find any, please send email to me at darrenr@pobox.com.
+http://coombs.anu.edu.au/ipfilter
+
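Review bot: the first EXAMPLES entry claims the command will "enable IP filtering", but `ipf -A -Fa -f /etc/ipf.rules` carries no `-E`, while the DESCRIPTION example (`ipf -Fa -f /etc/ipf.rules -E`, described as the exact command run by /etc/rc) does; either add `-E` to the EXAMPLES command or drop the "and enable IP filtering" clause, since a reader who copies the example will load rules into a filter that stays disabled. Related consistency problems in the same hunk: the SYNOPSIS now lists `-U` in `.Op Fl AdDEInorsUvyzZ` but no `.It Fl U` entry exists in the option list, so document it or remove it from the synopsis; `-l block|pass|nomatch` is removed from both SYNOPSIS and OPTIONS with no replacement, which should be confirmed against the binary before dropping documented default-logging behaviour; and the FILES entry changes `/dev/ipauth` to `/dev/ipfauth` with nothing else in the change explaining a device rename, so verify the node name before altering a documented path. The removed DIAGNOSTICS section was the only place stating that ipf must run as root for the in-kernel lists to be affected; that fact should survive, for example as a sentence in DESCRIPTION or NOTES. For the remote-administration sequence `ipf -s; sleep 10; ipf -s`, the text covers the lost-session case but not the success case: the administrator must interrupt the sleep (for instance with ^C) to keep the new ruleset, otherwise the second `ipf -s` reverts it after 10 seconds; a sentence saying so, and a pointer to `-n`/`-v` for checking that every rule parsed before the swap, would complete the example. Markup and typos: in the `-F` table description `.Ic ipfstat -s output` places the word "output" inside the `.Ic` macro so it renders as part of the command, and should be `.Ic ipfstat -s` with "output" on the following line; "for a firewall to" / "to protect an entire network" duplicates "to" across the line break in DESCRIPTION; and "commiting" in EXAMPLES should be "committing".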