IPFWADM(8)                                                          IPFWADM(8)



NAME
       ipfwadm - IP firewall and accounting administration

SYNOPSIS
       ipfwadm -A command parameters [options]
       ipfwadm -I command parameters [options]
       ipfwadm -O command parameters [options]
       ipfwadm -F command parameters [options]
       ipfwadm -M [ -l | -s ] [options]

NOTE
       Please note that this is just a wrapper around  ipchains(8)  for  old-
       fashioned users and for old scripts.

DESCRIPTION
       Ipfwadm is used to set up, maintain, and inspect the  IP  firewall  and
       accounting  rules in the Linux kernel.  These rules can be divided into
       4 different categories: accounting of IP packets, the  IP  input  fire-
       wall, the IP output firewall, and the IP forwarding firewall.  For each
       of these categories, a separate  list  of  rules  is  maintained.   See
       ipfw(4) for more details.

OPTIONS
       The  options that are recognized by ipfwadm can be divided into several
       different groups.

   CATEGORIES
       The following flags are used to select the category of rules  to  which
       the given command applies:

       -A [direction]
              IP  accounting  rules.  Optionally, a direction can be specified
              (in, out, or both), indicating whether only incoming or outgoing
              packets should be counted.  The default direction is both.

       -I     IP input firewall rules.

       -O     IP output firewall rules.

       -F     IP forwarding firewall rules.

       -M     IP  masquerading administration.  This category can only be used
              in combination with the -l (list) or  -s  (set  timeout  values)
              command.

       Exactly one of these options has to be specified.

   COMMANDS
       The  next  options specify the specific action to perform.  Only one of
       them can be specified on the command line,  unless  something  else  is
       listed in the description.

       -a [policy]
              Append  one  or more rules to the end of the selected list.  For
              the accounting chain, no policy should be specified.  For  fire-
              wall  chains,  it  is  required  to specify one of the following
              policies: accept, deny, reject, or masquerade.  When the  source
              and/or  destination  names  resolve  to more than one address, a
              rule will be added for each possible address combination.

       -i [policy]
              Insert one or more rules at the beginning of the selected  list.
              See the description of the -a command for more details.

       -d [policy]
              Delete one or more entries from the selected list of rules.  The
              semantics are equal to those of the append/insert commands.  The
              specified  parameters  should exactly match the parameters given
              with an append or insert command, otherwise  no  match  will  be
              found  and the rule will not be removed from the list.  Only the
              first matching rule in the list will be deleted.

       -l     List all the rules in the selected list.  This  command  may  be
              combined  with the -z (reset counters to zero) command.  In that
              case, the packet and byte counters  will  be  reset  immediately
              after  listing  their  current  values.  Unless the -x option is
              present, packet and byte counters (if listed) will be  shown  as
              numberK  or  numberM,  where  1K  means  1000 and 1M means 1000K
              (rounded to the nearest integer value).  See also the -e and  -x
              flags for more capabilities.

       -z     Reset  the packet and byte counters of all the rules in selected
              list.  This command may be combined with the -l (list) command.

       -f     Flush the selected list of rules.

       -p policy
              Change the default policy for the  selected  type  of  firewall.
              The  given policy has to be one of accept, deny, reject, or mas-
              querade.  The default policy is used when no  matching  rule  is
              found.   This operation is only valid for IP firewalls, that is,
              in combination with the -I, -O, or -F flag.

       -s tcp tcpfin udp
              Change the timeout values used for masquerading.   This  command
              always  takes  3 parameters, representing the timeout values (in
              seconds) for TCP sessions, TCP sessions after  receiving  a  FIN
              packet,  and UDP packets, respectively.  A timeout value 0 means
              that the current timeout value of  the  corresponding  entry  is
              preserved.   This  operation is only allowed in combination with
              the -M flag.

       -c     Check whether this IP  packet  would  be  accepted,  denied,  or
              rejected  by  the  selected type of firewall.  This operation is
              only valid for IP firewalls, that is, in  combination  with  the
              -I, -O, or -F flag.

       -h     Help.   Give a (currently very brief) description of the command
              syntax.

   PARAMETERS
       The following parameters can be used in combination  with  the  append,
       insert, delete, or check commands:

       -P protocol
              The  protocol of the rule or of the packet to check.  The speci-
              fied protocol can be one of tcp, udp, icmp,  or  all.   Protocol
              all  will  match with all protocols and is taken as default when
               this option is omitted.  All may not be used in combination
              with the check command.

       -S address[/mask] [port ...]
              Source  specification (optional).  Address can be either a host-
              name, a network name, or a plain IP address.  The  mask  can  be
              either  a  network mask or a plain number, specifying the number
              of 1's at the left side of the network mask.  Thus, a mask of 24
              is equivalent with 255.255.255.0.
              The  source  may include one or more port specifications or ICMP
              types.  Each of them can either be a service name, a  port  num-
              ber, or a (numeric) ICMP type.  In the rest of this paragraph, a
              port means either a port specification or an ICMP type.  One  of
              these  specifications  may  be  a  range of ports, in the format
              port:port.  Furthermore, the total  number  of  ports  specified
              with  the source and destination addresses should not be greater
              than IP_FW_MAX_PORTS (currently 10).  Here a port  range  counts
              as 2 ports.
              Packets  not  being  the  first  fragment of a TCP, UDP, or ICMP
              packet are always accepted by the firewall.  For accounting pur-
              poses,  these  second and further fragments are treated special,
              to be able to count them in some way.  The  port  number  0xFFFF
              (65535)  is  used  for a match with the second and further frag-
              ments of TCP or UDP packets.  These packets will be treated  for
              accounting  purposes  as  if both their port numbers are 0xFFFF.
              The number 0xFF (255) is used for a match with  the  second  and
              further  fragments  of  ICMP  packets.   These  packets  will be
               treated for accounting purposes as if their ICMP types are 0xFF.
              Note  that the specified command and protocol may imply restric-
              tions on the ports to be specified.  Ports may only be specified
              in combination with the tcp, udp, or icmp protocol.
              When  this option is omitted, the default address/mask 0.0.0.0/0
              (matching with any address) is used  as  source  address.   This
              option  is  required  in  combination with the check command, in
              which case also exactly one port has to be specified.

       -D address[/mask] [port ...]
               Destination specification (optional).  See the description of the
              -S  (source)  flag  for  a  detailed  description of the syntax,
              default values, and other requirements.  Note  that  ICMP  types
              are  not allowed in combination with the -D flag: ICMP types can
               only be specified after the -S flag.

       -V address
              Optional address of an interface via which a packet is received,
               or  via  which  a  packet  is going to be sent.  Address can be
              either a hostname or a plain IP address.   When  a  hostname  is
              specified,  it  should  resolve to exactly one IP address.  When
              this option is omitted, the address 0.0.0.0  is  assumed,  which
              has a special meaning and will match with any interface address.
              For the check command, this option is mandatory.

       -W name
              Optional name of an interface via which a packet is received, or
               via  which  a  packet is going to be sent.  When this option is
              omitted, the empty string is assumed, which has a special  mean-
              ing  and will match with any interface name.  For the check com-
              mand, this option is mandatory.

   OTHER OPTIONS
       The following additional options can be specified:

       -b     Bidirectional mode.  The rule will match with IP packets in both
              directions.   This  option is only valid in combination with the
              append, insert, or delete commands.

       -e     Extended output.  This option makes the list command  also  show
              the  interface address and the rule options (if any).  For fire-
              wall lists, also the packet and byte counters (the default is to
              only  show  these counters for the accounting rules) and the TOS
              masks will be listed.  When used in combination with -M,  infor-
              mation  related  to  delta sequence numbers will also be listed.
              This option is only valid in combination with the list command.

       -k     Only match TCP packets with the ACK bit set (this option will be
              ignored  for  packets  of other protocols).  This option is only
              valid in combination with the append, insert, or delete command.

       -m     Masquerade packets accepted for forwarding.  When this option is
              set,  packets  accepted  by  this rule will be masqueraded as if
              they originated from the local host.  Furthermore, reverse pack-
              ets  will  be  recognized as such and they will be demasqueraded
              automatically, bypassing the forwarding firewall.   This  option
              is  only  valid  in forwarding firewall rules with policy accept
              (or when specifying accept as default policy) and  can  only  be
              used  when  the  kernel  is  compiled  with CONFIG_IP_MASQUERADE
              defined.

       -n     Numeric output.  IP addresses and port numbers will  be  printed
              in  numeric format.  By default, the program will try to display
              them as host names, network names, or services (whenever  appli-
              cable).

       -o     Turn on kernel logging of matching packets.  When this option is
              set for a rule, the Linux kernel will print some information  of
              all  matching packets (like most IP header fields) via printk().
              This option will only be effective when the Linux kernel is com-
              piled  with  CONFIG_IP_FIREWALL_VERBOSE defined.  This option is
              only valid in combination with the append, insert or delete com-
              mand.

       -r [port]
              Redirect  packets  to  a local socket.  When this option is set,
              packets accepted by this rule will  be  redirected  to  a  local
              socket,  even if they were sent to a remote host.  If the speci-
              fied redirection port is 0, which is the default value, the des-
              tination  port of a packet will be used as the redirection port.
              This option is only valid in input firewall  rules  with  policy
              accept  and  can  only be used when the Linux kernel is compiled
              with CONFIG_IP_TRANSPARENT_PROXY defined.

       -t andmask xormask
              Masks used for modifying the TOS field in the IP header.  When a
              packet  is accepted (with or without masquerading) by a firewall
              rule, its TOS field is first bitwise and'ed with first mask  and
              the  result of this will be bitwise xor'ed with the second mask.
              The masks should be specified as hexadecimal 8-bit values.  This
              option  is  only valid in combination with the append, insert or
              delete command and will have no effect when used in  combination
              with accounting rules or firewall rules for rejecting or denying
              a packet.

       -v     Verbose output.  Print  detailed  information  of  the  rule  or
              packet  to be added, deleted, or checked.  This option will only
              have effect with the append, insert, delete, or check command.

       -x     Expand numbers.  Display the exact value of the packet and  byte
              counters,  instead  of only the rounded number in K's (multiples
              of 1000) or M's (multiples of 1000K).   This  option  will  only
              have effect when the counters are listed anyway (see also the -e
              option).

       -y     Only match TCP packets with the SYN bit  set  and  the  ACK  bit
              cleared (this option will be ignored for packets of other proto-
              cols).  This option  is  only  valid  in  combination  with  the
              append, insert, or delete command.

FILES
       /proc/net/ip_acct
       /proc/net/ip_input
       /proc/net/ip_output
       /proc/net/ip_forward
       /proc/net/ip_masquerade

SEE ALSO
       ipfw(4)

AUTHOR
       Jos Vos <josATxos.nl>
       X/OS Experts in Open Systems BV, Amsterdam, The Netherlands



                                 July 30, 1996                      IPFWADM(8)