The configuration of the IPFW software is done through the ipfw(8) utility. The syntax for this command looks quite complicated, but it is relatively simple once you understand its structure.
There are currently four different command categories used by the utility: addition/deletion, listing, flushing, and clearing. Addition/deletion is used to build the rules that control how packets are accepted, rejected, and logged. Listing is used to examine the contents of your rule set (otherwise known as the chain) and packet counters (accounting). Flushing is used to remove all entries from the chain. Clearing is used to zero out one or more accounting entries.
The syntax for the addition/deletion form of the command is:
ipfw [-N] command [index] action [log] protocol addresses [options]
There is one valid flag when using this form of the command:
-N
    Resolve addresses and service names in output.
The command given can be shortened to the shortest unique form. The valid commands are:
add
    Add an entry to the firewall/accounting rule list
delete
    Delete an entry from the firewall/accounting rule list
Previous versions of IPFW used separate firewall and accounting entries. The present version provides packet accounting with each firewall entry.
If an index value is supplied, it is used to place the entry at a specific point in the chain. Otherwise, the entry is placed at the end of the chain at an index 100 greater than the last chain entry (this does not include the default policy, rule 65535, deny).
The log option causes matching rules to be output to the system console if the kernel was compiled with IPFIREWALL_VERBOSE.
Valid actions are:
reject
    Drop the packet, and send an ICMP host or port unreachable (as appropriate) packet to the source.
allow
    Pass the packet on as normal. (aliases: pass and accept)
deny
    Drop the packet. The source is not notified via an ICMP message (thus it appears that the packet never arrived at the destination).
count
    Update packet counters but do not allow/deny the packet based on this rule. The search continues with the next chain entry.
Each action will be recognized by the shortest unambiguous prefix.
The protocols which can be specified are:
all
    Matches any IP packet
icmp
    Matches ICMP packets
tcp
    Matches TCP packets
udp
    Matches UDP packets
The address specification is:
from <address/mask>[port] to <address/mask>[port] [via <interface>]
You can only specify port in conjunction with protocols which support ports (UDP and TCP). The via clause is optional and may specify the IP address or domain name of a local IP interface, or an interface name (e.g. ed0) to match only packets coming through this interface. Interface unit numbers can be specified with an optional wildcard. For example, ppp* would match all kernel PPP interfaces.
The syntax used to specify an <address/mask> is:
<address>
or
<address>/mask-bits
or
<address>:mask-pattern
A valid hostname may be specified in place of the IP address. mask-bits is a decimal number representing how many bits in the address mask should be set. For example, specifying 192.216.222.1/24 will create a mask which will allow any address in a class C subnet (in this case, 192.216.222) to be matched. mask-pattern is an IP address which will be logically AND'ed with the address given. The keyword any may be used to specify "any IP address".
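The three address forms above are easier to reason about once you see the mask each one implies and the test the kernel applies (address AND mask compared with packet AND mask). The following POSIX sh functions are an added example, not code from the Handbook or from ipfw(8) itself; the function names are my own, the addresses are constructed, and hostnames are deliberately not resolved (only dotted-quad addresses are accepted).

```shell
#!/bin/sh
# Added example: evaluate the <address>, <address>/mask-bits and
# <address>:mask-pattern forms against a candidate IP using only POSIX
# shell arithmetic. Hostnames are not resolved; give dotted-quad addresses.

# ip2int 192.216.222.1 -> the address as a 32-bit unsigned integer
ip2int() {
    _ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip INT -> dotted-quad form of a 32-bit integer
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# spec_addr SPEC -> the address part of a specification as an integer
#   any                  -> 0
#   a.b.c.d              -> the host itself
#   a.b.c.d/mask-bits    -> the address before the slash
#   a.b.c.d:mask-pattern -> the address before the colon
spec_addr() {
    case $1 in
        any) echo 0 ;;
        */*) ip2int "${1%/*}" ;;
        *:*) ip2int "${1%:*}" ;;
        *)   ip2int "$1" ;;
    esac
}

# spec_mask SPEC -> the 32-bit mask the specification implies
#   any                  -> 0 (every bit is a don't-care, so anything matches)
#   a.b.c.d              -> 255.255.255.255 (exact host)
#   a.b.c.d/mask-bits    -> the leftmost mask-bits bits set
#   a.b.c.d:mask-pattern -> the pattern itself, used as given
spec_mask() {
    case $1 in
        any) echo 0 ;;
        */*) _bits=${1#*/}
             echo $(( (4294967295 << (32 - _bits)) & 4294967295 )) ;;
        *:*) ip2int "${1#*:}" ;;
        *)   echo 4294967295 ;;
    esac
}

# spec_network SPEC -> the network SPEC actually covers once the host bits
# are discarded, e.g. 192.216.222.1/24 -> 192.216.222.0
spec_network() {
    int2ip $(( $(spec_addr "$1") & $(spec_mask "$1") ))
}

# ipfw_match SPEC IP: exit 0 if IP falls under SPEC, 1 otherwise.
# This is the comparison the firewall makes: (address & mask) == (packet & mask)
ipfw_match() {
    _m=$(spec_mask "$1")
    [ $(( $(spec_addr "$1") & _m )) -eq $(( $(ip2int "$2") & _m )) ]
}

# Usage: the /24 form from the text covers the whole 192.216.222 subnet
spec_network 192.216.222.1/24
ipfw_match 192.216.222.1/24 192.216.222.200 && echo "192.216.222.200 matches"
ipfw_match 192.216.222.1/24 192.216.223.1 || echo "192.216.223.1 does not match"
```

Note that the host bits of the address (the trailing .1 in 192.216.222.1/24) play no part in matching; spec_network shows the network the rule really applies to, which is worth checking before loading a rule that is meant to cover a subnet.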
The port numbers to be blocked are specified as:
port[,port[,port[...]]]
to specify either a single port or a list of ports, or
port-port
to specify a range of ports. You may also combine a single range with a list, but the range must always be specified first.
The options available are:
frag
    Matches if the packet is not the first fragment of the datagram.
in
    Matches if the packet is on the way in.
out
    Matches if the packet is on the way out.
ipoptions spec
    Matches if the IP header contains the comma separated list of options specified in spec. The supported list of IP options are: ssrr (strict source route), lsrr (loose source route), rr (record packet route), and ts (timestamp). The absence of a particular option may be denoted with a leading '!'.
established
    Matches if the packet is part of an already established TCP connection (i.e. it has the RST or ACK bits set). You can optimize the performance of the firewall by placing established rules early in the chain.
setup
    Matches if the packet is an attempt to establish a TCP connection (the SYN bit is set but the ACK bit is not).
tcpflags flags
    Matches if the TCP header contains the comma separated list of flags. The supported flags are fin, syn, rst, psh, ack, and urg. The absence of a particular flag may be indicated by a leading '!'.
icmptypes types
    Matches if the ICMP type is present in the list types. The list may be specified as any combination of ranges and/or individual types separated by commas. Commonly used ICMP types are: 0 echo reply (ping reply), 3 destination unreachable, 5 redirect, 8 echo request (ping request), and 11 time exceeded (used to indicate TTL expiration as with traceroute(8)).
The syntax for the listing form of the command is:
ipfw [-atN] l
There are three valid flags when using this form of the command:
-a
    While listing, show counter values. This option is the only way to see accounting counters.
-t
    Display the last match times for each chain entry. The time listing is incompatible with the input syntax used by the ipfw(8) utility.
-N
    Attempt to resolve given addresses and service names.
The syntax for flushing the chain is:
ipfw flush
This causes all entries in the firewall chain to be removed except the fixed default policy enforced by the kernel (index 65535). Use caution when flushing rules: the default deny policy will leave your system cut off from the network until allow entries are added to the chain.
The syntax for clearing one or more packet counters is:
ipfw zero [index]
When used without an index argument, all packet counters are cleared. If an index is supplied, the clearing operation only affects a specific chain entry.
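The pieces above (flush, explicit indices, established before setup, port ranges before lists, icmptypes, log, count and the final deny) fit together as a script that builds a whole chain. The script below is an added example, not the Handbook's nor the FreeBSD rc.firewall script; by default it only prints the commands it would run (fwcmd is echo) so the rule set can be read and checked, and the interface name ed0 and network 192.216.222.0/24 are constructed placeholders.

```shell
#!/bin/sh
# Added example: emit a small rule set in the ipfw(8) syntax described above.
# fwcmd defaults to "echo", so running this prints the rules instead of
# loading them; set FWCMD=/sbin/ipfw to load them for real.
# ed0 and 192.216.222.0/24 are constructed values, not prescribed settings.
fwcmd=${FWCMD:-echo}

# build_ruleset IFACE LAN: emit rules protecting the network LAN behind IFACE.
# Each rule follows: command [index] action [log] protocol addresses [options]
build_ruleset() {
    iface=$1
    lan=$2

    # Start from an empty chain; only the kernel's default rule 65535 remains.
    $fwcmd flush

    # Packets of connections already established (RST or ACK set) are the
    # bulk of the traffic, so this rule goes first to shorten every search.
    $fwcmd add 100 allow tcp from any to any established

    # Fragments other than the first carry no port numbers, so port-based
    # rules cannot classify them; drop them without notifying the sender.
    $fwcmd add 200 deny ip from any to any frag

    # Let LAN hosts open new TCP connections (SYN without ACK) outward.
    $fwcmd add 300 allow tcp from $lan to any via $iface setup out

    # Accept new inbound connections only to FTP, SMTP and DNS. A range may
    # be combined with a list, but the range has to come first: 20-21,25,53
    $fwcmd add 400 allow tcp from any to $lan 20-21,25,53 via $iface setup in

    # UDP has ports too: allow DNS traffic on port 53 in both directions.
    $fwcmd add 500 allow udp from any 53 to $lan via $iface
    $fwcmd add 510 allow udp from $lan to any 53 via $iface

    # ICMP: echo reply, destination unreachable, echo request, time exceeded.
    $fwcmd add 600 allow icmp from any to any icmptypes 0,3,8,11

    # Log every other inbound connection attempt (log output needs
    # IPFIREWALL_VERBOSE in the kernel) and refuse it with an ICMP
    # unreachable, so the sender is told rather than left waiting.
    $fwcmd add 700 reject log tcp from any to any via $iface setup in

    # Count whatever is left before the final deny, so "ipfw -a l" shows
    # how much traffic falls through to the end of the chain.
    $fwcmd add 800 count ip from any to any
    $fwcmd add 900 deny log ip from any to any
}

# Run directly: print the rule set for the constructed example values.
build_ruleset ed0 192.216.222.0/24
```

Review the printed chain with the listing form in mind: indices are spaced by 100 so rules can be inserted between them later with an explicit index, and the established rule sits ahead of every setup rule, as the options section recommends. When switching fwcmd to /sbin/ipfw, remember the flush warning above, and note that later versions of ipfw(8) ask for confirmation before flushing unless the -f flag is given.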