IPFWADM(8)

NAME
       ipfwadm - IP firewall and accounting administration

SYNOPSIS
       ipfwadm -A command parameters [options]
       ipfwadm -I command parameters [options]
       ipfwadm -O command parameters [options]
       ipfwadm -F command parameters [options]
       ipfwadm -M [ -l | -s ] [options]

DESCRIPTION
       Ipfwadm  is  used  to set up, maintain, and inspect the IP
       firewall and accounting rules in the Linux kernel.   These
       rules can be divided into 4 different categories: account-
       ing of IP packets, the IP input firewall,  the  IP  output
       firewall,  and  the  IP  forwarding firewall.  For each of
       these categories, a separate list of rules is  maintained.
       See ipfw(4) for more details.

OPTIONS
       The  options that are recognized by ipfwadm can be divided
       into several different groups.

   CATEGORIES
       The following flags are used to  select  the  category  of
       rules to which the given command applies:

       -A [direction]
              IP  accounting  rules.  Optionally, a direction can
              be specified (in, out, or both), indicating whether
              only   incoming   or  outgoing  packets  should  be
              counted.  The default direction is both.

       -I     IP input firewall rules.

       -O     IP output firewall rules.

       -F     IP forwarding firewall rules.

       -M     IP masquerading administration.  This category  can
              only  be  used in combination with the -l (list) or
              -s (set timeout values) command.

       Exactly one of these options has to be specified.

   COMMANDS
       The next options specify the specific action  to  perform.
       Only  one  of  them  can be specified on the command line,
       unless something else is listed in the description.

       -a [policy]
              Append one or more rules to the end of the selected
              list.   For  the accounting chain, no policy should
              be specified.  For firewall chains, it is  required
              to  specify  one of the following policies: accept,
              deny, or reject.  When the source  and/or  destina-
              tion names resolve to more than one address, a rule
              will be added for each  possible  address  combina-
              tion.

       -i [policy]
              Insert  one  or  more rules at the beginning of the
              selected list.  See the description of the -a  com-
              mand for more details.

       -d [policy]
              Delete  one  or more entries from the selected list
              of rules.  The semantics are equal to those of  the
              append/insert  commands.   The specified parameters
              should exactly match the parameters given  with  an
              append  or  insert command, otherwise no match will
              be found and the rule will not be removed from  the
              list.   Only  the  first  matching rule in the list
              will be deleted.

       -l     List all the rules in the selected list.  This com-
              mand may be combined with the -z (reset counters to
              zero) command.  In that case, the packet  and  byte
              counters  will  be  reset immediately after listing
              their current values.  Unless the -x option is pre-
              sent,  packet and byte counters (if listed) will be
              shown as numberK or numberM, where  1K  means  1000
              and  1M means 1000K (rounded to the nearest integer
              value).  See also the -e  and  -x  flags  for  more
              capabilities.

       -z     Reset the packet and byte counters of all the rules
              in selected list.  This  command  may  be  combined
              with the -l (list) command.

       -f     Flush the selected list of rules.

       -p policy
              Change  the default policy for the selected type of
              firewall.  The  given  policy  has  to  be  one  of
              accept,  deny,  or  reject.   The default policy is
              used when no matching rule is found.   This  opera-
              tion  is  only  valid for IP firewalls, that is, in
              combination with the -I, -O, or -F flag.

       -s tcp tcpfin udp
              Change the timeout values  used  for  masquerading.
              This  command always takes 3 parameters, represent-
              ing the timeout values (in seconds)  for  TCP  ses-
              sions,  TCP  sessions after receiving a FIN packet,
              and UDP packets, respectively.  A timeout  value  0
              means  that the current timeout value of the corre-
              sponding entry is  preserved.   This  operation  is
              only allowed in combination with the -M flag.

       -c     Check  whether  this  IP  packet would be accepted,
              denied, or rejected by the selected type  of  fire-
              wall.   This  operation  is only valid for IP fire-
              walls, that is, in combination with the -I, -O,  or
              -F flag.

       -h     Help.  Give a (currently very brief) description of
              the command syntax.

   PARAMETERS
       The following parameters can be used in  combination  with
       the append, insert, delete, or check commands:

       -P protocol
              The protocol of the rule or of the packet to check.
              The specified protocol can  be  one  of  tcp,  udp,
              icmp,  or  all.   Protocol  all will match with all
              protocols and is taken as default when this  option
               is omitted.  Protocol all may not be used in combination
               with the check command.

       -S address[/mask] [port ...]
              Source specification (optional).   Address  can  be
              either  a  hostname,  a network name, or a plain IP
              address.  The mask can be either a network mask  or
              a plain number, specifying the number of 1's at the
              left side of the network mask.  Thus, a mask of  24
              is equivalent with 255.255.255.0.
              The  source may include one or more port specifica-
              tions or ICMP types.  Each of them can either be  a
              service  name,  a  port number, or a (numeric) ICMP
              type.  In the rest of this paragraph, a port  means
              either  a  port specification or an ICMP type.  One
              of these specifications may be a range of ports, in
              the  format port:port.  Furthermore, the total num-
              ber of ports specified with the source and destina-
              tion   addresses   should   not   be  greater  than
              IP_FW_MAX_PORTS (currently 10).  Here a port  range
              counts as 2 ports.
              Packets not being the first fragment of a TCP, UDP,
              or ICMP packet are always accepted by the firewall.
              For  accounting  purposes, these second and further
              fragments are treated special, to be able to  count
              them  in  some way.  The port number 0xFFFF (65535)
              is used for a match with  the  second  and  further
              fragments  of  TCP  or  UDP packets.  These packets
              will be treated for accounting purposes as if  both
              their  port  numbers  are  0xFFFF.  The number 0xFF
              (255) is used for a match with the second and  fur-
              ther fragments of ICMP packets.  These packets will
               be treated for accounting purposes as if their ICMP
              types  are  0xFF.   Note that the specified command
              and protocol may imply restrictions on the ports to
              be  specified.  Ports may only be specified in com-
              bination with the tcp, udp, or icmp protocol.
              When  this   option   is   omitted,   the   default
              address/mask  0.0.0.0/0 (matching with any address)
              is used as source address.  This option is required
              in  combination  with  the  check command, in which
              case also exactly one port has to be specified.

       -D address[/mask] [port ...]
              Destination  specification  (optional).   See   the
               description of the -S (source) flag for a detailed
              description of  the  syntax,  default  values,  and
              other  requirements.   Note that ICMP types are not
              allowed in combination with the -D flag: ICMP types
               can only be specified after the -S flag.

       -V address
              Optional address of an interface via which a packet
               is received, or via which a packet is going to be
              sent.   Address can be either a hostname or a plain
              IP address.   When  a  hostname  is  specified,  it
              should  resolve  to  exactly  one IP address.  When
              this option is  omitted,  the  address  0.0.0.0  is
              assumed, which has a special meaning and will match
              with any interface address.  For the check command,
              this option is mandatory.

       -W name
              Optional name of an interface via which a packet is
               received, or via which a packet is going to be
              sent.   When  this  option  is  omitted,  the empty
              string is assumed, which has a special meaning  and
              will  match with any interface name.  For the check
              command, this option is mandatory.
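
       The check command is only useful when the packet described on
       the command line is the one you meant to test, and the
       restrictions above (no protocol all, exactly one port after -S
       and -D, ICMP types only after -S, -V and -W mandatory) are easy
       to get wrong.  The following wrapper is an added example, not
       part of the ipfwadm distribution: it builds an ipfwadm -c command
       and refuses the combinations this section rules out.  The
       variable IPFWADM_DRY_RUN and the function names are assumptions
       of the example; with IPFWADM_DRY_RUN=1 (the default here) the
       command is printed instead of executed.

```sh
# Added example (not from the ipfwadm distribution): build an "ipfwadm -c"
# check command and reject the argument combinations the man page rules
# out for -c, so a malformed check fails instead of silently testing a
# different packet than intended.
# Assumptions (hypothetical): ipfwadm is on PATH; IPFWADM_DRY_RUN=1 (the
# default here) prints the command line instead of executing it.

IPFWADM_DRY_RUN=${IPFWADM_DRY_RUN:-1}

# fw_run CMD ARGS...: print the command line in dry-run mode, else run it.
fw_run() {
    if [ "$IPFWADM_DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# fw_check CHAIN PROTO SRC SPORT DST DPORT IFADDR IFNAME
#   CHAIN   I, O or F: -c is only valid for the firewall chains
#   PROTO   tcp, udp or icmp: "all" is not allowed with -c
#   SPORT   exactly one port (or ICMP type) after -S
#   DPORT   exactly one port after -D, or "" for icmp (ICMP types may
#           only follow -S)
#   IFADDR  interface address for -V, mandatory with -c
#   IFNAME  interface name for -W, mandatory with -c
# Returns 2 on a violated constraint, otherwise the status of fw_run.
fw_check() {
    chain=$1 proto=$2 src=$3 sport=$4 dst=$5 dport=$6 ifaddr=$7 ifname=$8
    case "$chain" in
        I|O|F) ;;
        *) echo "fw_check: -c needs -I, -O or -F (got '$chain')" >&2; return 2 ;;
    esac
    case "$proto" in
        tcp|udp|icmp) ;;
        *) echo "fw_check: protocol must be tcp, udp or icmp, not '$proto'" >&2; return 2 ;;
    esac
    case "$sport" in
        ""|*:*|*" "*) echo "fw_check: -S needs exactly one port or ICMP type" >&2; return 2 ;;
    esac
    if [ "$proto" = icmp ]; then
        [ -z "$dport" ] || { echo "fw_check: ICMP types only after -S, not -D" >&2; return 2; }
    else
        case "$dport" in
            ""|*:*|*" "*) echo "fw_check: -D needs exactly one port" >&2; return 2 ;;
        esac
    fi
    if [ -z "$ifaddr" ] || [ -z "$ifname" ]; then
        echo "fw_check: -V and -W are mandatory with -c" >&2; return 2
    fi
    set -- ipfwadm "-$chain" -c -P "$proto" -S "$src" "$sport" -D "$dst"
    if [ -n "$dport" ]; then
        set -- "$@" "$dport"
    fi
    fw_run "$@" -V "$ifaddr" -W "$ifname"
}
```

       For example, fw_check I tcp 10.0.0.5 1234 192.168.1.1 22
       192.168.1.1 eth0 asks the input firewall what it would do with a
       TCP segment from 10.0.0.5:1234 to 192.168.1.1:22 arriving on
       eth0; run it with IPFWADM_DRY_RUN=0 on the firewall host to get
       the kernel's answer.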

   OTHER OPTIONS
       The following additional options can be specified:

       -b     Bidirectional mode.  The rule will  match  with  IP
              packets  in  both  directions.  This option is only
              valid in combination with the  append,  insert,  or
              delete commands.

       -e     Extended  output.   This option makes the list com-
              mand also show the interface address and  the  rule
              options  (if  any).   For  firewall lists, also the
              packet and byte counters (the default  is  to  only
              show  these  counters for the accounting rules) and
              the TOS masks will be listed.  When used in  combi-
              nation   with  -M,  information  related  to  delta
              sequence numbers will also be listed.  This  option
              is only valid in combination with the list command.

       -k     Only match TCP packets with the ACK bit  set  (this
              option  will be ignored for packets of other proto-
              cols).  This option is only  valid  in  combination
              with the append, insert, or delete command.

       -m     Masquerade  packets  accepted for forwarding.  When
              this option is set, packets accepted by  this  rule
              will  be masqueraded as if they originated from the
              local host.  Furthermore, reverse packets  will  be
              recognized  as  such and they will be demasqueraded
              automatically, bypassing the  forwarding  firewall.
              This  option  is  only valid in forwarding firewall
              rules with policy accept (or when specifying accept
              as  default  policy)  and can only be used when the
              kernel  is   compiled   with   CONFIG_IP_MASQUERADE
              defined.

       -n     Numeric output.  IP addresses and port numbers will
              be printed in numeric format.  By default, the pro-
              gram  will  try to display them as host names, net-
              work names, or services (whenever applicable).

       -o     Turn on kernel logging of matching  packets.   When
              this  option  is  set  for a rule, the Linux kernel
              will print some information of all matching packets
              (like  most  IP  header fields) via printk().  This
              option will only be effective when the Linux kernel
              is    compiled    with   CONFIG_IP_FIREWALL_VERBOSE
              defined.  This option is only valid in  combination
              with the append, insert or delete command.

       -r [port]
              Redirect  packets  to  a  local  socket.  When this
              option is set, packets accepted by this  rule  will
              be  redirected to a local socket, even if they were
              sent to a remote host.  If the  specified  redirec-
              tion  port  is  0,  which is the default value, the
              destination port of a packet will be  used  as  the
              redirection  port.   This  option  is only valid in
              input firewall rules with  policy  accept  and  can
              only be used when the Linux kernel is compiled with
              CONFIG_IP_TRANSPARENT_PROXY defined.

       -t andmask xormask
              Masks used for modifying the TOS field  in  the  IP
              header.  When a packet is accepted (with or without
              masquerading) by a firewall rule, its TOS field  is
              first bitwise and'ed with first mask and the result
              of this will be  bitwise  xor'ed  with  the  second
              mask.  The masks should be specified as hexadecimal
              8-bit values.  This option is only valid in  combi-
              nation  with  the  append, insert or delete command
              and will have no effect when  used  in  combination
              with   accounting   rules  or  firewall  rules  for
              rejecting or denying a packet.

       -v     Verbose output.  Print detailed information of  the
              rule  or  packet  to be added, deleted, or checked.
              This option will only have effect with the  append,
              insert, delete, or check command.

       -x     Expand  numbers.   Display  the  exact value of the
              packet and  byte  counters,  instead  of  only  the
              rounded  number  in  K's (multiples of 1000) or M's
              (multiples of 1000K).  This option will  only  have
              effect  when  the  counters  are listed anyway (see
              also the -e option).

       -y     Only match TCP packets with the SYN bit set and the
              ACK  bit  cleared  (this option will be ignored for
              packets of other protocols).  This option  is  only
              valid  in  combination  with the append, insert, or
              delete command.
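
       The following script is an added example, not part of the
       ipfwadm distribution, showing how the categories, commands and
       options above combine into a deny-by-default ruleset for a host
       with one external interface that also masquerades an internal
       network.  The interface names, addresses, timeouts and the
       variable IPFWADM_DRY_RUN are assumptions of the example; with
       IPFWADM_DRY_RUN=1 (the default here) every ipfwadm command line is
       printed instead of executed so the ruleset can be reviewed first.

```sh
# Added example (not from the ipfwadm distribution): a deny-by-default
# ruleset built from the ipfwadm commands and options documented above.
# Assumptions (all hypothetical): external interface eth0 with address
# 192.0.2.10, internal network 10.0.0.0/24 on eth1, kernel built with
# CONFIG_IP_FIREWALL_VERBOSE and CONFIG_IP_MASQUERADE.  IPFWADM_DRY_RUN=1
# (the default here) prints the commands instead of executing them.

IPFWADM_DRY_RUN=${IPFWADM_DRY_RUN:-1}
EXT_IF=${EXT_IF:-eth0}
EXT_ADDR=${EXT_ADDR:-192.0.2.10}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-10.0.0.0/24}

# fw_run CMD ARGS...: print the command line in dry-run mode, else run it.
fw_run() {
    if [ "$IPFWADM_DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Input firewall: flush, default deny, then explicit accepts.  Rules are
# matched in list order, so the order of the -a appends matters.
fw_input_rules() {
    fw_run ipfwadm -I -f
    fw_run ipfwadm -I -p deny
    fw_run ipfwadm -I -a accept -W lo
    # Replies to connections this host opened: TCP with ACK set (-k) to an
    # unprivileged port.  This is flag-based, not stateful: any ACK-flagged
    # segment matches, a bare SYN does not.
    fw_run ipfwadm -I -a accept -P tcp -k -S 0.0.0.0/0 -D "$EXT_ADDR" 1024:65535 -W "$EXT_IF"
    # Services offered to the outside (22 ssh, 25 smtp); -t rewrites the
    # TOS field of accepted packets: and 0x01, then xor 0x10 (Minimize-Delay).
    fw_run ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 -D "$EXT_ADDR" 22 25 -W "$EXT_IF" -t 01 10
    # DNS answers (source port 53) to unprivileged ports.
    fw_run ipfwadm -I -a accept -P udp -S 0.0.0.0/0 53 -D "$EXT_ADDR" 1024:65535 -W "$EXT_IF"
    # Everything arriving on the LAN interface is trusted.
    fw_run ipfwadm -I -a accept -W "$LAN_IF"
    # Other connection attempts (SYN set, ACK clear: -y) get their own
    # logged deny rule, so "ipfwadm -I -l -e" shows scan volume separately.
    fw_run ipfwadm -I -a deny -o -P tcp -y -W "$EXT_IF"
    # Log whatever else falls through before the default policy denies it.
    fw_run ipfwadm -I -a deny -o
    # Anti-spoofing: a LAN source address arriving on the external
    # interface is never legitimate.  Inserted (-i) at the head of the
    # list so it is evaluated before any accept rule.
    fw_run ipfwadm -I -i deny -o -S "$LAN_NET" -W "$EXT_IF"
}

# Forwarding firewall: only LAN hosts are forwarded, masqueraded (-m)
# behind the external address; replies are demasqueraded automatically.
fw_forward_rules() {
    fw_run ipfwadm -F -f
    fw_run ipfwadm -F -p deny
    fw_run ipfwadm -F -a accept -m -S "$LAN_NET" -D 0.0.0.0/0 -W "$EXT_IF"
    # Masquerading timeouts in seconds: TCP, TCP after FIN, UDP.
    fw_run ipfwadm -M -s 7200 10 300
}

# Accounting: count packets and bytes in both directions (the default
# direction) on the external interface; read back with "ipfwadm -A -l -x".
fw_accounting_rules() {
    fw_run ipfwadm -A -f
    fw_run ipfwadm -A -a -W "$EXT_IF"
}

fw_apply() {
    fw_accounting_rules
    fw_input_rules
    fw_forward_rules
}
```

       Source the file and call fw_apply to review the command lines;
       apply them as root with IPFWADM_DRY_RUN=0, then confirm the
       result with ipfwadm -I -l -e -n and probe individual packets
       with the check command.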

FILES
       /proc/net/ip_acct
       /proc/net/ip_input
       /proc/net/ip_output
       /proc/net/ip_forward
       /proc/net/ip_masquerade

SEE ALSO
       ipfw(4) 

AUTHOR
       Jos Vos <jos@xos.nl>
       X/OS Experts in Open Systems BV,  Amsterdam,  The  Nether-
       lands
