NAME

ipfwadm - IP firewall and accounting administration

SYNOPSIS

ipfwadm -A command parameters [options]
ipfwadm -B command parameters [options]
ipfwadm -F command parameters [options]

DESCRIPTION

Ipfwadm is used to set up, maintain, and inspect the IP firewall and accounting rules in the Linux kernel. These rules can be divided into 3 different categories: accounting of IP packets, the IP blocking firewall, and the IP forwarding firewall. For each of these categories, a separate list of rules is maintained. See ipfw(4) for more details.

OPTIONS

The options that are recognized by ipfwadm can be divided into several different groups.

CATEGORIES

The following flags are used to select the category of rules to which the given command applies:
-A
IP accounting rules.
-B
IP blocking firewall rules.
-F
IP forwarding firewall rules.

Exactly one of these options has to be specified.

COMMANDS

The next options specify the specific action to perform. Only one of them can be specified on the command line, unless something else is listed in the description.
-a [policy]
Add one or more rules to the selected list. For the accounting chain, no policy should be specified. For firewall chains, it is required to specify one of the following policies: accept, deny, or reject. When the source and/or destination names resolve to more than one address, a rule will be added for each possible combination. The new rule(s) will be inserted at the most appropriate place in the list, which is kept sorted from the most specific rule to the least specific rule. The order depends on characteristics like the specified masks and ports.
-d [policy]
Delete one or more entries from the selected list of rules. The semantics are equal to those of the add command. The specified parameters should exactly match the parameters given with the add command, otherwise no matches will be found and the rules will not be removed from the list. All matching rules in the list will be deleted.
-l
List all the rules in the selected list. This command may be combined with the -z (reset counters to zero) command. In that case, the packet and byte counters will be reset immediately after listing their current values. Unless the -x option is present, packet and byte counters (if listed) will be shown as numberK or numberM, where 1K means 1000 and 1M means 1000K (rounded to the nearest integer value). See also the -e and -x flags for more capabilities.
-z
Reset the packet and byte counters of all the rules in the selected list. This command may be combined with the -l (list) command.
-f
Flush the selected list of rules.
-p policy
Change the default policy for the selected type of firewall. The given policy has to be one of accept, deny, or reject. The default policy is used when no matching rule is found. This operation is only valid for IP firewalls, that is, in combination with the -B or -F flag.
-c
Check whether this IP packet would be accepted, denied, or rejected by the selected type of firewall. This operation is only valid for IP firewalls, that is, in combination with the -B or -F flag.
-h
Help. Give a (currently very brief) description of the command syntax.

PARAMETERS

The following parameters can be used in combination with the add, delete, or check commands:
-P protocol
The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all. Protocol all will match with all protocols and is taken as default when this option is omitted. All may not be used in combination with the check command.
-S address[/mask] [port ...]
Source specification (mandatory). Address can be either a hostname, a network name, or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0.

The source may include one or more port specifications. Each of them can either be a service name or a port number. One of the port specifications may be a range of ports, in the format port:port. Furthermore, the total number of ports specified with the source and destination addresses should not be greater than IP_FW_MAX_PORTS (currently 10). Here a port range counts as 2 ports.

The port number zero is used for a match with the second and further fragments of TCP or UDP packets. These packets will be treated as if their port numbers are zero. Note that the specified command and protocol may imply restrictions on the ports to be specified. Ports may only be specified in combination with the tcp or udp protocol. Also, when the check command is specified, exactly one port is required in combination with either of these protocols.

-D address[/mask] [port ...]
Destination specification (mandatory). See the description of the -S (source) flag for a detailed description of the syntax.
-I address
Optional interface address via which a packet is received by the system, or via which a packet is going to be sent. Address can be either a hostname or a plain IP address. When a hostname is specified, it should resolve to exactly one IP address. When this option is omitted, the address 0.0.0.0 is assumed, which has a special meaning and will match with any interface address. For the check command, this option is mandatory.

OTHER OPTIONS

The following additional options can be specified:
-b
Bidirectional mode. The rule will match with IP packets in both directions. This option is only valid in combination with the add or delete command.
-e
Extended output. This option makes the list command also show the interface address and the rule options (if any). For firewall lists, the packet and byte counters will be listed too (the default is to only show these counters for the accounting rules). This option is only valid in combination with the list command.
-k
Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some basic information of all matching packets via printk(). This option will only be effective when the kernel is compiled with CONFIG_IP_FIREWALL_VERBOSE defined. Note: currently (Linux kernel version 1.2.1), the kernel can not be compiled with this flag without some other modifications. This option is only valid in combination with the add or delete command.
-n
Numeric output. IP addresses and port numbers will be printed in numeric format. By default, the program will try to display them as host names, network names, or services (whenever applicable).
-v
Verbose output. Print detailed information of the rule or packet to be added, deleted, or checked. This option will only have effect with the add, delete, or check command.
-x
Expand numbers. Display the exact value of the packet and byte counters, instead of only the rounded number in K's (multiples of 1000) or M's (multiples of 1000K). This option will only have effect when the counters are listed anyway (see also the -e option).
-y
Only match TCP packets with the SYN bit set and the ACK bit cleared. This option is only valid in combination with the add and delete command and the TCP protocol.
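The following Python model is added here as an illustration and is not ipfwadm or kernel code. It shows how the check command, the -y and -b options, port ranges, the port-zero fragment convention and the default policy interact on a constructed forwarding ruleset that lets a LAN open TCP connections outward while rejecting inbound connection attempts. The specificity ordering key and the 192.168.1.0/24 and 203.0.113.0/24 addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple

PortRange = Tuple[int, int]          # (low, high); "22" becomes (22, 22)

def ports(*specs: str) -> Tuple[PortRange, ...]:
    """Parse port specs in ipfwadm syntax: "22" or a range "1024:65535"."""
    out = []
    for s in specs:
        lo, _, hi = s.partition(":")
        out.append((int(lo), int(hi or lo)))
    return tuple(out)

@dataclass(frozen=True)
class Rule:
    policy: str                      # accept, deny or reject
    proto: str                       # tcp, udp, icmp or all
    src: str                         # address/mask as given to -S
    dst: str                         # address/mask as given to -D
    sports: Tuple[PortRange, ...] = ()   # empty means any port
    dports: Tuple[PortRange, ...] = ()
    syn_only: bool = False           # -y: SYN set and ACK cleared
    bidir: bool = False              # -b: also match the reverse direction

    def specificity(self) -> int:
        # Assumed key for "most specific first": mask bits, ports, flags.
        bits = (ipaddress.ip_network(self.src).prefixlen
                + ipaddress.ip_network(self.dst).prefixlen)
        return bits + len(self.sports) + len(self.dports) + int(self.syn_only)

def _in(ranges, port):
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)

def _one_way(r, proto, src, dst, sport, dport, syn):
    return ((r.proto == "all" or r.proto == proto)
            and ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)
            and _in(r.sports, sport) and _in(r.dports, dport)
            and (syn or not r.syn_only))

def check(rules, default, proto, src, dst, sport=0, dport=0, syn=False):
    """Model of 'ipfwadm -c': first matching rule wins, else the default.
    Ports default to 0, the value the kernel uses for later fragments."""
    for r in sorted(rules, key=Rule.specificity, reverse=True):
        if _one_way(r, proto, src, dst, sport, dport, syn) or (
                r.bidir and _one_way(r, proto, dst, src, dport, sport, syn)):
            return r.policy
    return default

# Constructed ruleset: LAN may open TCP outward; inbound SYN-only is rejected.
FORWARD = [
    Rule("accept", "tcp", "192.168.1.0/24", "0.0.0.0/0", bidir=True),
    Rule("reject", "tcp", "0.0.0.0/0", "192.168.1.0/24", syn_only=True),
]
```

Because the -y rule is sorted ahead of the bidirectional accept, an inbound packet that would open a connection is rejected, while replies to LAN-initiated connections (SYN+ACK, no SYN-only) still pass; anything not covered by a rule falls through to the default policy given to -p.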

FILES

/proc/net/ip_acct
/proc/net/ip_block
/proc/net/ip_forward

SEE ALSO

ipfw(4)

AUTHOR

Jos Vos <jos@xos.nl>
X/OS Experts in Open Systems BV, Amsterdam, The Netherlands
