ipfwadm


NAME

       ipfwadm - IP firewall and accounting administration


SYNOPSIS

       ipfwadm -A command parameters [options]
       ipfwadm -I command parameters [options]
       ipfwadm -O command parameters [options]
       ipfwadm -F command parameters [options]
       ipfwadm -M -l [options]


DESCRIPTION

       Ipfwadm  is  used  to set up, maintain, and inspect the IP
       firewall and accounting rules in the Linux kernel.   These
       rules can be divided into 4 different categories: account-
       ing of IP packets, the IP input firewall,  the  IP  output
       firewall,  and  the  IP  forwarding firewall.  For each of
       these categories, a separate list of rules is  maintained.
       See ipfw(4) for more details.


OPTIONS

       The  options that are recognized by ipfwadm can be divided
       into several different groups.

   CATEGORIES
       The following flags are used to  select  the  category  of
       rules to which the given command applies:

       -A     IP accounting rules.

       -I     IP input firewall rules.

       -O     IP output firewall rules.

       -F     IP forwarding firewall rules.

       -M     IP  masquerading administration.  This category can
              only be used in combination with the -l (list) com-
              mand.

       Exactly one of these options has to be specified.

   COMMANDS
       The  next  options specify the specific action to perform.
       Only one of them can be specified  on  the  command  line,
       unless something else is listed in the description.

       -a [policy]
              Append one or more rules to the end of the selected
              list.  For the accounting chain, no  policy  should
              be  specified.  For firewall chains, it is required
              to specify one of the following  policies:  accept,
              masquerade (only valid for forwarding rules), deny,
              or reject.   When  the  source  and/or  destination
              names resolve to more than one address, a rule will
              be added for each possible combination.

       -i [policy]
              Insert one or more rules at the  beginning  of  the
              selected  list.  See the description of the -a com-
              mand for more details.

       -d [policy]
              Delete one or more entries from the  selected  list
              of  rules.  The semantics are equal to those of the
              append/insert commands.  The  specified  parameters
              should  exactly  match the parameters given with an
              append or insert command, otherwise no  match  will
              be  found and the rule will not be removed from the
              list.  Only the first matching  rule  in  the  list
              will be deleted.

       -l     List all the rules in the selected list.  This com-
              mand may be combined with the -z (reset counters to
              zero)  command.   In that case, the packet and byte
              counters will be reset  immediately  after  listing
              their current values.  Unless the -x option is pre-
              sent, packet and byte counters (if listed) will  be
              shown  as  numberK  or numberM, where 1K means 1000
              and 1M means 1000K (rounded to the nearest  integer
              value).   See  also  the  -e  and -x flags for more
              capabilities.

       -z     Reset the packet and byte counters of all the rules
              in  selected  list.   This  command may be combined
              with the -l (list) command.

       -f     Flush the selected list of rules.

       -p policy
              Change the default policy for the selected type  of
              firewall.   The  given  policy  has  to  be  one of
              accept,  masquerade  (only  valid  for   forwarding
              rules),  deny,  or  reject.   The default policy is
              used when no matching rule is found.   This  opera-
              tion  is  only  valid for IP firewalls, that is, in
              combination with the -I, -O, or -F flag.

       -c     Check whether this IP  packet  would  be  accepted,
              denied,  or  rejected by the selected type of fire-
              wall.  This operation is only valid  for  IP  fire-
              walls,  that is, in combination with the -I, -O, or
              -F flag.

       -h     Help.  Give a (currently very brief) description of
              the command syntax.

   PARAMETERS
       The  following  parameters can be used in combination with
       the append, insert, delete, or check commands:

       -P protocol
              The protocol of the rule or of the packet to check.
              The  specified  protocol  can  be  one of tcp, udp,
              icmp, or all.  Protocol all  will  match  with  all
              protocols  and is taken as default when this option
               is omitted.  Protocol all may not be used  in  com-
               bination with the check command.

       -S address[/mask] [port ...]
              Source  specification  (mandatory).  Address can be
              either a hostname, a network name, or  a  plain  IP
              address.   The mask can be either a network mask or
              a plain number, specifying the number of 1's at the
              left  side of the network mask.  Thus, a mask of 24
               is equivalent to 255.255.255.0.
              The source may include one or more port  specifica-
              tions  or ICMP types.  Each of them can either be a
              service name, a port number, or  a  (numeric)  ICMP
              type.   In the rest of this paragraph, a port means
              either a port specification or an ICMP  type.   One
              of these specifications may be a range of ports, in
              the format port:port.  Furthermore, the total  num-
              ber of ports specified with the source and destina-
              tion  addresses  should   not   be   greater   than
              IP_FW_MAX_PORTS  (currently 10).  Here a port range
              counts as 2 ports.
               Packets that are not the first fragment of  a  TCP,
               UDP,  or  ICMP  packet  are  always accepted by the
               firewall.  For accounting purposes, these second and
               further  fragments  are treated specially, so that
               they can still be counted.  The port number  0xFFFF
               (65535)  is  used  to match the second and further
               fragments of TCP or UDP packets; for accounting pur-
               poses  these  packets  are treated as if both their
               port numbers were 0xFFFF.  The number 0xFF (255)  is
               used  to  match the second and further fragments of
               ICMP packets; for accounting purposes these  packets
               are treated as if their ICMP types were 0xFF.  Note
               that the specified command
              and protocol may imply restrictions on the ports to
              be specified.  Ports may only be specified in  com-
              bination  with  the  tcp,  udp,  or  icmp protocol.
              Also, when the check command is specified,  exactly
              one port is required.

       -D address[/mask] [port ...]
              Destination  specification  (mandatory).   See  the
               description of the -S (source) flag for a  detailed
               description  of  the  syntax.  Note that ICMP types
               are not allowed in combination with  the  -D  flag:
               ICMP  types  can  only  be specified after the -S
               flag.

       -V address
              Optional address of an interface via which a packet
               is  received, or via which a packet is going to be
              sent.  Address can be either a hostname or a  plain
              IP  address.   When  a  hostname  is  specified, it
              should resolve to exactly  one  IP  address.   When
              this  option  is  omitted,  the  address 0.0.0.0 is
              assumed, which has a special meaning and will match
              with any interface address.  For the check command,
              this option is mandatory.

       -W name
              Optional name of an interface via which a packet is
               received,  or  via  which  a packet is going to be
              sent.  When  this  option  is  omitted,  the  empty
              string  is assumed, which has a special meaning and
              will match with any interface name.

   OTHER OPTIONS
       The following additional options can be specified:

       -b     Bidirectional mode.  The rule will  match  with  IP
              packets  in  both  directions.  This option is only
              valid in combination with the  append,  insert,  or
              delete commands.

       -e     Extended  output.   This option makes the list com-
              mand also show the interface address and  the  rule
              options  (if  any).   For  firewall lists, also the
              packet and byte counters (the default  is  to  only
              show  these  counters for the accounting rules) and
              the TOS masks will be listed.  When used in  combi-
              nation   with  -M,  information  related  to  delta
              sequence numbers will also be listed.  This  option
              is only valid in combination with the list command.

       -k     Only match TCP packets with the ACK bit set.   This
              option  is  only  valid  in  combination  with  the
              append, insert, or delete command and the TCP  pro-
              tocol.

       -n     Numeric output.  IP addresses and port numbers will
              be printed in numeric format.  By default, the pro-
              gram  will  try to display them as host names, net-
              work names, or services (whenever applicable).

       -o     Turn on kernel logging of matching  packets.   When
              this  option  is  set  for a rule, the Linux kernel
              will print some basic information of  all  matching
              packets  via  printk().   This  option will only be
              effective when the kernel  is  compiled  with  CON-
              FIG_IP_FIREWALL_VERBOSE  defined.   This  option is
              only valid in combination with the  append,  insert
              or delete command.

       -t andmask xormask
              Masks  used  for  modifying the TOS field in the IP
              header.  When a packet is accepted (with or without
              masquerading)  by a firewall rule, its TOS field is
               first bitwise and'ed with the first mask and the re-
               sult
              of  this  will  be  bitwise  xor'ed with the second
              mask.  The masks should be specified as hexadecimal
              8-bit  values.  This option is only valid in combi-
              nation with the append, insert  or  delete  command
              and  will  have  no effect when used in combination
              with accounting rules or firewall rules for reject-
              ing or denying a packet.

       -v     Verbose  output.  Print detailed information of the
              rule or packet to be added,  deleted,  or  checked.
              This  option will only have effect with the append,
              insert, delete, or check command.

       -x     Expand numbers.  Display the  exact  value  of  the
              packet  and  byte  counters,  instead  of  only the
              rounded number in K's (multiples of  1000)  or  M's
              (multiples  of  1000K).  This option will only have
              effect when the counters  are  listed  anyway  (see
              also the -e option).

       -y     Only match TCP packets with the SYN bit set and the
              ACK bit cleared.  This option is only valid in com-
              bination with the append, insert, or delete command
              and the TCP protocol.
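
       The options above used together, as an added example that
       is not part of the original man page: a ruleset script for
       a single host that also masquerades a LAN.  The  addresses
       are  constructed  placeholders,  and  the DRY_RUN switch and
       the fw helper are the example's own, not ipfwadm features.

```shell
#!/bin/sh
# Added example, not from the ipfwadm man page: a small ruleset for a host
# that masquerades a LAN.  Addresses are constructed RFC 5737 placeholders.
HOST=192.0.2.1      # constructed: this host's own interface address
LAN=192.0.2.0/24    # constructed: trusted local net, mask given as a bit count

# Run ipfwadm, or only print the command line when DRY_RUN is set, so the
# ruleset can be reviewed before it is loaded into the kernel.
fw() {
    if [ -n "${DRY_RUN:-}" ]; then echo "ipfwadm $*"; else ipfwadm "$@"; fi
}

# Input firewall: flush, deny by default, then allow only what is needed.
input_rules() {
    fw -I -f
    fw -I -p deny
    # Replies to connections this host opened: TCP with ACK set (-k), to an
    # unprivileged local port (a port range counts as 2 of IP_FW_MAX_PORTS).
    fw -I -a accept -P tcp -k -S 0.0.0.0/0 -D "$HOST" 1024:65535
    # New connections (SYN set, ACK clear: -y) from the LAN to SSH and SMTP.
    fw -I -a accept -P tcp -y -S "$LAN" -D "$HOST" 22 25
    # Any other connection attempt: deny it and log it via printk (-o; needs
    # a kernel built with CONFIG_IP_FIREWALL_VERBOSE).
    fw -I -a deny -P tcp -y -o -S 0.0.0.0/0 -D "$HOST"
}

# Forwarding: masquerade LAN traffic, marking SSH as low delay with -t
# (TOS is and'ed with 0x01, then xor'ed with 0x10).
forward_rules() {
    fw -F -f
    fw -F -p deny
    fw -F -a masquerade -P tcp -S "$LAN" -D 0.0.0.0/0 22 -t 01 10
    fw -F -a masquerade -S "$LAN" -D 0.0.0.0/0
}

# Accounting: one bidirectional (-b) rule counting all LAN traffic.
accounting_rules() {
    fw -A -f
    fw -A -a -b -S "$LAN" -D 0.0.0.0/0
}

# Listing for audit: extended (-e), numeric (-n), exact counters (-x).
show_rules() {
    fw -I -l -e -n -x
    fw -A -l -n -x
}
if [ "${1:-}" = "--apply" ]; then
    input_rules && forward_rules && accounting_rules && show_rules
fi
```

Run it with DRY_RUN=1 to print the command lines for review, and with --apply as root to load them.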


FILES

       /proc/net/ip_acct
       /proc/net/ip_input
       /proc/net/ip_output
       /proc/net/ip_forward
       /proc/net/ip_masquerade


SEE ALSO

       ipfw(4)


AUTHOR

       Jos Vos <jos@xos.nl>
       X/OS Experts in Open Systems BV,  Amsterdam,  The  Nether-
       lands