ipfwadm - IP firewall and accounting administration
ipfwadm -A command parameters [options]
ipfwadm -I command parameters [options]
ipfwadm -O command parameters [options]
ipfwadm -F command parameters [options]
ipfwadm -M [ -l | -s ] [options]
Please note that this is just a wrapper around ipchains(8) for old-fashioned
users and for old scripts.
Ipfwadm is used to set up, maintain, and inspect the IP firewall and
accounting rules in the Linux kernel. These rules can be divided into
4 different categories: accounting of IP packets, the IP input firewall,
the IP output firewall, and the IP forwarding firewall. For each
of these categories, a separate list of rules is maintained. See
ipfw(4) for more details.
The options that are recognized by ipfwadm can be divided into several
The following flags are used to select the category of rules to which
the given command applies:
-A [direction]
IP accounting rules. Optionally, a direction can be specified
(in, out, or both), indicating whether only incoming or outgoing
packets should be counted. The default direction is both.
-I IP input firewall rules.
-O IP output firewall rules.
-F IP forwarding firewall rules.
-M IP masquerading administration. This category can only be used
in combination with the -l (list) or -s (set timeout values)
Exactly one of these options has to be specified.
The next options specify the specific action to perform. Only one of
them can be specified on the command line, unless something else is
listed in the description.
-a [policy]
Append one or more rules to the end of the selected list. For
the accounting chain, no policy should be specified. For firewall
chains, it is required to specify one of the following
policies: accept, deny, reject, or masquerade. When the source
and/or destination names resolve to more than one address, a
rule will be added for each possible address combination.
-i [policy]
Insert one or more rules at the beginning of the selected list.
See the description of the -a command for more details.
-d [policy]
Delete one or more entries from the selected list of rules. The
semantics are equal to those of the append/insert commands. The
specified parameters should exactly match the parameters given
with an append or insert command, otherwise no match will be
found and the rule will not be removed from the list. Only the
first matching rule in the list will be deleted.
-l List all the rules in the selected list. This command may be
combined with the -z (reset counters to zero) command. In that
case, the packet and byte counters will be reset immediately
after listing their current values. Unless the -x option is
present, packet and byte counters (if listed) will be shown as
numberK or numberM, where 1K means 1000 and 1M means 1000K
(rounded to the nearest integer value). See also the -e and -x
flags for more capabilities.
-z Reset the packet and byte counters of all the rules in the selected
list. This command may be combined with the -l (list) command.
-f Flush the selected list of rules.
-p policy
Change the default policy for the selected type of firewall.
The given policy has to be one of accept, deny, reject, or
masquerade. The default policy is used when no matching rule is
found. This operation is only valid for IP firewalls, that is,
in combination with the -I, -O, or -F flag.
-s tcp tcpfin udp
Change the timeout values used for masquerading. This command
always takes 3 parameters, representing the timeout values (in
seconds) for TCP sessions, TCP sessions after receiving a FIN
packet, and UDP packets, respectively. A timeout value 0 means
that the current timeout value of the corresponding entry is
preserved. This operation is only allowed in combination with
the -M flag.
-c Check whether this IP packet would be accepted, denied, or
rejected by the selected type of firewall. This operation is
only valid for IP firewalls, that is, in combination with the
-I, -O, or -F flag.
-h Help. Give a (currently very brief) description of the command
The following parameters can be used in combination with the append,
insert, delete, or check commands:
-P protocol
The protocol of the rule or of the packet to check. The specified
protocol can be one of tcp, udp, icmp, or all. Protocol
all will match with all protocols and is taken as default when
this option is omitted. All may not be used in combination
with the check command.
-S address[/mask] [port ...]
Source specification (optional). Address can be either a hostname,
a network name, or a plain IP address. The mask can be
either a network mask or a plain number, specifying the number
of 1's at the left side of the network mask. Thus, a mask of 24
is equivalent to 255.255.255.0.
The source may include one or more port specifications or ICMP
types. Each of them can either be a service name, a port number,
or a (numeric) ICMP type. In the rest of this paragraph, a
port means either a port specification or an ICMP type. One of
these specifications may be a range of ports, in the format
port:port. Furthermore, the total number of ports specified
with the source and destination addresses should not be greater
than IP_FW_MAX_PORTS (currently 10). Here a port range counts
as 2 ports.
Packets not being the first fragment of a TCP, UDP, or ICMP
packet are always accepted by the firewall. For accounting purposes,
these second and further fragments are treated specially,
to be able to count them in some way. The port number 0xFFFF
(65535) is used for a match with the second and further fragments
of TCP or UDP packets. These packets will be treated for
accounting purposes as if both their port numbers are 0xFFFF.
The number 0xFF (255) is used for a match with the second and
further fragments of ICMP packets. These packets will be
treated for accounting purposes as if their ICMP types are 0xFF.
Note that the specified command and protocol may imply restrictions
on the ports to be specified. Ports may only be specified
in combination with the tcp, udp, or icmp protocol.
When this option is omitted, the default address/mask 0.0.0.0/0
(matching with any address) is used as source address. This
option is required in combination with the check command, in
which case also exactly one port has to be specified.
-D address[/mask] [port ...]
Destination specification (optional). See the description of the
-S (source) flag for a detailed description of the syntax,
default values, and other requirements. Note that ICMP types
are not allowed in combination with the -D flag: ICMP types can
only be specified after the -S flag.
-V address
Optional address of an interface via which a packet is received,
or via which a packet is going to be sent. Address can be
either a hostname or a plain IP address. When a hostname is
specified, it should resolve to exactly one IP address. When
this option is omitted, the address 0.0.0.0 is assumed, which
has a special meaning and will match with any interface address.
For the check command, this option is mandatory.
-W name
Optional name of an interface via which a packet is received, or
via which a packet is going to be sent. When this option is
omitted, the empty string is assumed, which has a special meaning
and will match with any interface name. For the check command,
this option is mandatory.
The following additional options can be specified:
-b Bidirectional mode. The rule will match with IP packets in both
directions. This option is only valid in combination with the
append, insert, or delete commands.
-e Extended output. This option makes the list command also show
the interface address and the rule options (if any). For firewall
lists, also the packet and byte counters (the default is to
only show these counters for the accounting rules) and the TOS
masks will be listed. When used in combination with -M, information
related to delta sequence numbers will also be listed.
This option is only valid in combination with the list command.
-k Only match TCP packets with the ACK bit set (this option will be
ignored for packets of other protocols). This option is only
valid in combination with the append, insert, or delete command.
-m Masquerade packets accepted for forwarding. When this option is
set, packets accepted by this rule will be masqueraded as if
they originated from the local host. Furthermore, reverse packets
will be recognized as such and they will be demasqueraded
automatically, bypassing the forwarding firewall. This option
is only valid in forwarding firewall rules with policy accept
(or when specifying accept as default policy) and can only be
used when the kernel is compiled with CONFIG_IP_MASQUERADE
-n Numeric output. IP addresses and port numbers will be printed
in numeric format. By default, the program will try to display
them as host names, network names, or services (whenever appli-
-o Turn on kernel logging of matching packets. When this option is
set for a rule, the Linux kernel will print some information of
all matching packets (like most IP header fields) via printk().
This option will only be effective when the Linux kernel is compiled
with CONFIG_IP_FIREWALL_VERBOSE defined. This option is
only valid in combination with the append, insert or delete com-
-r [port]
Redirect packets to a local socket. When this option is set,
packets accepted by this rule will be redirected to a local
socket, even if they were sent to a remote host. If the specified
redirection port is 0, which is the default value, the destination
port of a packet will be used as the redirection port.
This option is only valid in input firewall rules with policy
accept and can only be used when the Linux kernel is compiled
with CONFIG_IP_TRANSPARENT_PROXY defined.
-t andmask xormask
Masks used for modifying the TOS field in the IP header. When a
packet is accepted (with or without masquerading) by a firewall
rule, its TOS field is first bitwise and'ed with the first mask and
the result of this is then bitwise xor'ed with the second mask.
The masks should be specified as hexadecimal 8-bit values. This
option is only valid in combination with the append, insert or
delete command and will have no effect when used in combination
with accounting rules or firewall rules for rejecting or denying
-v Verbose output. Print detailed information of the rule or
packet to be added, deleted, or checked. This option will only
have effect with the append, insert, delete, or check command.
-x Expand numbers. Display the exact value of the packet and byte
counters, instead of only the rounded number in K's (multiples
of 1000) or M's (multiples of 1000K). This option will only
have effect when the counters are listed anyway (see also the -e
-y Only match TCP packets with the SYN bit set and the ACK bit
cleared (this option will be ignored for packets of other protocols).
This option is only valid in combination with the
append, insert, or delete command.
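A minimal default-deny input firewall built from the commands, parameters and options described above, as an added example that is not part of this man page or of the ipfwadm project. The host address, admin network and interface name are placeholders, and a dry-run mode prints the command lines instead of calling ipfwadm, so the rule set can be reviewed on any machine.

```shell
#!/bin/sh
# Constructed example, not taken from the ipfwadm man page or the ipfwadm
# sources: a default-deny input firewall written with the flags documented
# above.  HOST_IP, ADMIN_NET and IFACE are placeholder values (assumptions).
HOST_IP="192.0.2.10"      # this host's own address (placeholder)
ADMIN_NET="192.0.2.0/24"  # network allowed to open SSH sessions (placeholder)
IFACE="eth0"              # interface name matched with -W (placeholder)

# Run ipfwadm, or in dry-run mode just print the command line so the rule
# set can be reviewed on a machine that has no ipfwadm.
fw() {
    if [ -n "$DRY_RUN" ]; then
        echo "ipfwadm $*"
    else
        ipfwadm "$@"
    fi
}

# Input firewall: flush, set the default policy, then add explicit rules.
# Rules are appended (-a), so they are evaluated in the order given here.
build_input_rules() {
    fw -I -f                                  # -f: flush the input list
    fw -I -p deny                             # -p: deny when no rule matches
    # Connection opens (-y: SYN set, ACK clear) to SSH from the admin net only.
    fw -I -a accept -P tcp -y -W "$IFACE" -S "$ADMIN_NET" -D "$HOST_IP" 22
    # Segments of established sessions (-k: ACK set), e.g. replies to
    # connections this host opened itself.
    fw -I -a accept -P tcp -k -W "$IFACE" -D "$HOST_IP"
    # Any other connection open: log it via printk (-o) and reject it.
    fw -I -a reject -P tcp -y -o -W "$IFACE" -D "$HOST_IP"
}

# Ask the kernel what the input firewall would do with one TCP packet (-c).
# With -c, -S and -D must each carry exactly one port, and -V and -W are
# mandatory.  $1 = source address, $2 = source port, $3 = destination port.
check_packet() {
    fw -I -c -P tcp -S "$1" "$2" -D "$HOST_IP" "$3" -V "$HOST_IP" -W "$IFACE"
}

# Number of rule-adding commands the builder issues (used for review/tests).
count_rules() {
    (DRY_RUN=1; build_input_rules) | grep -c -- ' -a '
}
```

The -c check in check_packet is answered by the kernel, not by the script, so it only reports a real verdict once the rules have actually been loaded without DRY_RUN.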
Jos Vos <josATxos.nl>
X/OS Experts in Open Systems BV, Amsterdam, The Netherlands
July 30, 1996 IPFWADM(8)