Manual: (OSF1-V5.1-alpha)

IP FILTER(4)							 IP FILTER(4)



NAME
  ipfilter - Introduction to IP	packet filtering

DESCRIPTION
  IP Filter is a TCP/IP packet filter, suitable for use in a firewall
  environment. It can be used either as a loadable kernel module or compiled
  into your UNIX kernel; using it as a loadable kernel module is highly
  recommended where possible. Scripts are provided to install and patch system
  files as required.

FEATURES
  The IP packet	filter can:

       explicitly deny/permit any packet from passing through

       distinguish between various interfaces

       filter by IP networks or	hosts

       selectively filter any IP protocol

       selectively filter fragmented IP	packets

       selectively filter packets with IP options

       send back an ICMP error/TCP reset for blocked packets

       keep packet state information for TCP, UDP and ICMP packet flows

       keep fragment state information for any IP packet, applying the same
       rule to all fragments.

       act as a	Network	Address	Translator (NAT)

       use redirection to set up true transparent proxy connections

       provide packet header details to	a user program for authentication

       in addition, support temporary storage of pre-authenticated rules for
       passing packets through

  Special provision is made for	the three most common Internet protocols,
  TCP, UDP and ICMP. The IP Packet filter allows filtering of:

       inverted host/net matching

       TCP/UDP packets by port number or a port number range

       ICMP packets by type/code

       "established" TCP packets

       any arbitrary combination of TCP flags

       "short" (fragmented) IP packets with incomplete headers

       any of the 19 IP options or 8 registered IP security classes

       the TOS (Type of Service) field in packets

  To keep track	of the performance of the IP packet filter, a logging device
  is used which	supports logging of:

       the TCP/UDP/ICMP	and IP packet headers

       the first 128 bytes of the packet (including headers)

  A packet can be logged when:

       it is successfully passed through

       it is blocked from passing through

       it matches a rule setup to look for suspicious packets

  IP Filter keeps its own set of statistics on:

       packets blocked

       packets (and bytes!) used for accounting

       packets passed

       packets logged

       attempts	to log which failed (buffer full)

       and much	more, for packets going	both in	and out.
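
  The following rule file, added here as an illustration and not taken from
  the man page or the IP Filter distribution, exercises the filtering features
  listed above (short fragments, IP options, TCP flags, state, port ranges,
  inverted host matching, ICMP type, TCP reset, logging and rule groups) in the
  ipf(5) syntax. The interface names ext0 (outside) and int0 (inside), the
  address blocks 192.0.2.0/24 (public) and 10.0.0.0/8 (inside), and the
  individual host addresses are assumptions made for the example.

```conf
# Added example, not from the man page.  ext0 = outside, int0 = inside,
# 192.0.2.0/24 = public addresses, 10.0.0.0/8 = inside network (all assumed).

# Short fragments and source-routed packets: drop and log before anything else.
block in log quick on ext0 all with short
block in log quick on ext0 all with opt lsrr
block in log quick on ext0 all with opt ssrr

# Anti-spoofing: inside or public source addresses must not arrive from outside.
block in log quick on ext0 from 10.0.0.0/8 to any
block in log quick on ext0 from 192.0.2.0/24 to any

# Outbound traffic creates state; replies are matched by the state table, so
# no inbound "pass" rule is needed for them.
pass out quick on ext0 proto tcp from any to any flags S/SA keep state
pass out quick on ext0 proto udp from any to any keep state
pass out quick on ext0 proto icmp from any to any keep state

# Published services: only the initial SYN (S set, A clear) may open state.
pass in quick on ext0 proto tcp from any to 192.0.2.25 port = 25 flags S/SA keep state
pass in quick on ext0 proto tcp from any to 192.0.2.80 port = 80 flags S/SA keep state

# ident: answer with a TCP reset instead of silently dropping, so remote mail
# servers do not wait for a timeout before delivering.
block return-rst in quick on ext0 proto tcp from any to any port = 113

# ICMP selected by type: echo requests only; other ICMP falls to the group below.
pass in quick on ext0 proto icmp from any to any icmp-type 8 keep state

# Port range and inverted host match on the inside interface: any inside host
# except the management station 10.0.0.1 may reach ports greater than 1023
# and less than 65535 on the inside network.
pass in quick on int0 proto tcp/udp from !10.0.0.1 to 10.0.0.0/8 port 1023 >< 65535

# Everything else arriving on ext0 goes to group 100, which logs and blocks by
# protocol so the log says what kind of traffic was refused.
block in quick on ext0 all head 100
block in log quick proto tcp from any to any group 100
block in log quick proto udp from any to any group 100
block in log quick all group 100
```

  Rules are evaluated top to bottom and the last matching rule wins unless
  "quick" ends the search at the first match, which is why every rule above
  carries it. Because "keep state" combined with "flags S/SA" creates a state
  entry only for the opening SYN, a TCP connection that was already open when
  this file is loaded is blocked until the client reconnects; the state tables
  themselves can be preserved across a reboot with ipfs(8), described below.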


TOOLS
  The current implementation provides a small set of tools, which can easily
  be used and integrated with regular UNIX shells and tools. A brief
  description of the tools provided:

  ipf(8) reads in a set of rules, from either stdin or a file, and adds them
  to the kernel's current list (appending them). It can also be used to flush
  the current filter set or delete individual filter rules. The file format
  is described in ipf(5).

  ipfs(8) is a utility to temporarily lock the IP Filter kernel	tables (state
  tables and NAT mappings) and write them to disk. After that the system can
  be rebooted, and ipfs	can be used to read these tables from disk and
  restore them into the	kernel.	This way the system can	be rebooted without
  the connections being	terminated.

  ipfstat(8) interrogates the kernel for the packet filtering statistics
  gathered so far, and retrieves the list of filters in operation for inbound
  and outbound packets.

  ipftest(1) reads in a filter rule file and then applies sample IP packets
  to it. This allows the filter list to be tested, and the path a packet takes
  through it to be examined, without loading the rules into the kernel.

  ipmon(8) reads buffered data from the	logging	device (default	is /dev/ipl)
  for output to	either:

       screen (standard	output)

       file

       syslog

  ipsend(1) generates arbitrary IP packets for Ethernet-connected machines.

  ipresend(1) reads in a data file of saved IP packets (e.g. snoop, tcpdump
  or etherfind output) and sends them back across the network.

  iptest(1) contains a set of test "programs" which send out a series of IP
  packets aimed at testing the strength of the TCP/IP stack of the target
  machine. WARNING: this may crash the machine(s) targeted!

  ipnat(8) reads in a set of rules, from either stdin or a file, and adds them
  to the kernel's current list of active NAT rules. NAT rules can also be
  deleted using ipnat. The format of the configuration file to be used with
  ipnat is described in ipnat(5).
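
  An ipnat(5) rule file, added here as an example and not taken from the man
  page or the IP Filter distribution, showing the "map" and "rdr" forms behind
  the NAT and redirection features listed under FEATURES. The interfaces ext0
  (outside, one public address) and int0 (inside), the inside network
  10.0.0.0/8, the public address 192.0.2.80, the inside web server 10.0.0.80
  and a local proxy on port 3128 are assumptions made for the example.

```conf
# Added example, not from the man page.  ext0 is the outside interface with a
# single public address, int0 the inside interface, 10.0.0.0/8 the inside
# network and 127.0.0.1 port 3128 a local web proxy (all assumed).

# Hide the inside network behind the address of ext0 (0/32 stands for the
# interface's own address).  TCP and UDP sessions get distinct source ports
# from the given range; the second rule catches other protocols such as ICMP,
# for which no port mapping is possible.
map ext0 10.0.0.0/8 -> 0/32 portmap tcp/udp 40000:60000
map ext0 10.0.0.0/8 -> 0/32

# Publish an inside web server on the public address, on a different port.
rdr ext0 192.0.2.80/32 port 80 -> 10.0.0.80 port 8080 tcp

# Transparent proxy: outbound web traffic from inside clients arriving on int0
# is redirected to the local proxy with no client-side configuration.
rdr int0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128 tcp
```

  As the packet processing flow diagram below shows, translation of inbound
  packets happens before filtering and translation of outbound packets after
  it. The filter rules for a redirected service must therefore match the
  translated destination (10.0.0.80 port 8080, not 192.0.2.80 port 80), and
  outbound rules see the original inside source address, not the public one.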

  For use in your own programs (e.g. for writing transparent application
  proxies), the programming interface and the associated ioctls are
  documented in ipf(4).

  Documentation on ioctls and the format of data saved to the logging
  character device is provided in ipl(4) so that you may develop your own
  applications to work with or in place of any of the above.

  Similarly, the interface to the NAT code is documented in ipnat(4).
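
  The following POSIX shell script, added here as an example and not part of
  the man page or the IP Filter distribution, ties the tools together in the
  order a practitioner would use them: it writes a small ipf(5) rule set,
  writes sample packet descriptions in the one-packet-per-line text input
  format of ipftest(1) ("in|out on <interface> <proto> <src>,<sport>
  <dst>,<dport> [tcp flags]"), runs them through ipftest without touching the
  kernel tables, and only when the verdicts look right loads the rules with
  ipf(8) and displays the active lists and counters with ipfstat(8). The
  interface ext0, the addresses, the file locations and the function names
  are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the man page or the IP Filter distribution): check a
# rule set with ipftest(1) before loading it with ipf(8).  Interface "ext0",
# all addresses and the file locations are assumptions.
set -e

# Small rule set in ipf(5) syntax: drop short fragments, allow outbound TCP
# with state, admit SMTP to the mail host, reset ident, log and drop the rest.
write_rules() {
    cat > "$1" <<'EOF'
block in log quick on ext0 all with short
pass out quick on ext0 proto tcp from any to any flags S/SA keep state
pass in quick on ext0 proto tcp from any to 192.0.2.25 port = 25 flags S/SA keep state
block return-rst in quick on ext0 proto tcp from any to any port = 113
block in log quick on ext0 all
EOF
}

# Constructed sample packets in ipftest's text format (see ipftest(1)):
#   in|out on <interface> <proto> <src>,<sport> <dst>,<dport> [tcp flags]
# Expected verdicts: SYN to port 25 passes, SYN to 113 gets a reset, SYN to
# 22 is blocked and logged, and a bare ACK to 25 is blocked because no state
# entry exists for it (state is only created by the SYN).
write_packets() {
    cat > "$1" <<'EOF'
in on ext0 tcp 198.51.100.7,40001 192.0.2.25,25 S
in on ext0 tcp 198.51.100.7,40002 192.0.2.25,113 S
in on ext0 tcp 198.51.100.7,40003 192.0.2.25,22 S
in on ext0 tcp 198.51.100.7,40004 192.0.2.25,25 A
EOF
}

# Number of non-comment, non-blank lines in a file; used to sanity-check what
# was written before handing it to the tools.
count_lines() {
    grep -c -v -e '^#' -e '^$' "$1"
}

# Feed the packets through the rules in user space; the kernel tables are not
# touched.  If ipftest is not installed on this host, say so and return 0 so
# the files can still be produced here and tested elsewhere.
dry_run() {
    if command -v ipftest >/dev/null 2>&1; then
        ipftest -v -r "$1" -i "$2"
    else
        echo "ipftest not installed; rules in $1, packets in $2" >&2
    fi
}

# Load for real (needs root): flush every existing rule, add the file, then
# show the active inbound and outbound rule lists and the filter statistics.
load_rules() {
    ipf -Fa -f "$1"
    ipfstat -io
    ipfstat
}

main() {
    rules=${1:-/tmp/ipf.rules}
    pkts=${2:-/tmp/ipf.pkts}
    write_rules "$rules"
    write_packets "$pkts"
    echo "wrote $(count_lines "$rules") rules and $(count_lines "$pkts") packets"
    dry_run "$rules" "$pkts"
    echo "when the verdicts look right, run as root: load_rules $rules"
}

main "$@"
```

  Loading with "ipf -f" alone appends to whatever rules are already active,
  which is why load_rules flushes first; on a live firewall the safer habit is
  to test with ipftest, then flush and load in one step as shown.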


PACKET PROCESSING FLOW
  The following	diagram	illustrates the	flow of	TCP/IP packets through the
  various stages introduced by IP Filter.

				     IN
				      |
				      V
	    +-------------------------+--------------------------+
	    |			      |				 |
	    |			      V				 |
	    |		 Network Address Translation		 |
	    |			      |				 |
	    |	      authenticated   |				 |
	    |	    +-------<---------+				 |
	    |	    |		      |				 |
	    |	    |		      V				 |
	    |	    V		IP Accounting			 |
	    |	    |		      |				 |
	    |	    |		      V				 |
	    |	    |	     Fragment Cache Check--+		 |
	    |	    |		      |		   |		 |
	    |	    V		      V		   V		 |
	    |	    |	      Packet State Check-->+		 |
	    |	    |		      |		   |		 |
	    |	    |	    +->--+    |		   |		 |
	    |	    |	    |	 |    V		   |		 |
	    |	    V	groups	 IP Filtering	   V		 |
	    |	    |	    |	 |    |		   |		 |
	    |	    |	    +--<-+    |		   |		 |
	    |	    |		      |		   |		 |
	    |	    +---------------->|<-----------+		 |
	    |			      |				 |
	    |			      V				 |
	    |		     +---<----+				 |
	    |		     |	      |				 |
	    |		 function     |				 |
	    |		     |	      V				 |
	    |		     +--->----+				 |
	    |			      |				 |
	    |			      V				 |
	 +--|---<--- fast-route	---<--+				 |
	 |  |			      |				 |
	 |  |			      V				 |
	 |  +-------------------------+--------------------------+
	 |			      |
	 |			  pass only
	 |			      |
	 |			      V
	 V		 [KERNEL TCP/IP	Processing]
	 |			      |
	 |  +-------------------------+--------------------------+
	 |  |			      |				 |
	 |  |			      V				 |
	 |  |		     Fragment Cache Check--+		 |
	 |  |			      |		   |		 |
	 |  |			      V		   V		 |
	 |  |		      Packet State Check-->+		 |
	 |  |			      |		   |		 |
	 |  |			      V		   |		 |
	 V  |			 IP Filtering	   |		 |
	 |  |			      |		   V		 |
	 |  |			      |<-----------+		 |
	 |  |			      V				 |
	 |  |			IP Accounting			 |
	 |  |			      |				 |
	 |  |			      V				 |
	 |  |		 Network Address Translation		 |
	 |  |			      |				 |
	 |  |			      V				 |
	 |  +-------------------------+--------------------------+
	 |			      |
	 |			  pass only
	 V			      |
	 +--------------------------->|
				      V
				     OUT


MORE INFORMATION
  More information (including pointers to the FAQ and the mailing list) can
  be obtained from the software's official homepage: www.ipfilter.org


SEE ALSO
  ipf(4), ipf(5), ipf(8), ipfilter(5), ipfs(8),	ipfstat(8), ipftest(1),
  ipl(4), ipmon(8), ipnat(8), ipnat(4).