IPFW(8) BSD System Manager's Manual IPFW(8)

NAME
ipfw - set / retrieve BSD IP Filters

SYNOPSIS
ipfw [filter] [-command [options]] [...]
DESCRIPTION
The ipfw utility allows the setting and retrieving of kernel based BSD IP
Filters, as well as resolution of interface names into interface index
numbers. The filter argument must be one of:
pre-input
A filter on all IP packets as they first enter IP processing
input A filter on IP packets destined for the local machine, after
fragment re-assembly.
forward
A filter on IP packets being forwarded through this machine.
pre-output
A filter on all IP packets leaving this machine, prior to routing.
output A filter on IP packets generated locally by this machine.
call Not an actual filtering point, this chain should contain filters
to be called from a BPF based filter.
rate Filters each packet just prior to calling the interface's output
routine. If the filter returns a non-zero value, that value is the
index number of a rate limiting filter that should be applied to
this packet.
If no command is given, the chain of filters associated with filter is
displayed.
If no filter is given then there must either be no other arguments or the
only argument must be -list. In these cases, all the above filtering
points are reported or listed.
The following commands are available:
-display
Displays the contents of a filter as it was provided to ipfw when
installed. (See special note about NAT filters below.) If options
are provided, they are to be a list of serial numbers. The serial
number 0 implies the first filter. If no options are provided then
all the filters in this chain are displayed.
-dontsave
Do not save a copy of this filter in /var/run/ipfw. This will
prevent the -display command from working for this filter.
-insert
This command takes a filter number and a filter. The filter is
pushed onto the call list and assigned the specified filter number.
The filter number should be a small positive integer. This number
can be used with the call and chain commands when compiling filters
with ipfwcmp(8). This command is only valid when the
filter is call.
-list List the filters in the chain as well as the length of the filters.
This is a much more resource consuming task than the default report,
which does not include lengths.
-move This command takes two serial numbers. The filter specified by
the first serial number is moved just below the filter specified
by the second serial number.
-output
This command takes exactly one option, which should be the name
of a file into which to write the contents of the filter chain
specified for filter.
-pop Remove the last filter pushed onto the filter chain. If options
are provided, they are to be a list of serial numbers. The filters
of the specified serial numbers will be removed, rather than
the first filter. The serial number 0 implies the first filter.
-popall
If an option is provided, it should be the serial number of a
filter in the chain. If not provided, the serial number defaults
to 0, which implies the first filter in the chain. The specified
filter in the chain, and all following filters, are removed.
(-popall then simply clears the entire filter chain.)
-priority
This command takes exactly one option, which should be a priority
(a signed 32 bit value). All filters, on this command line, that
are inserted after the -priority command will have this priority
(unless changed by another -priority command). The default priority
of a filter is 0. When a new filter is pushed on, it is pushed on
just before the top most filter with a priority less than or equal
to this filter's priority.
-push The options are a list of file names containing filters to be
pushed onto the front of the chain of filters for filter. The
last filter specified is pushed on first. This results in the
first filter listed being at the top of the chain. This command
requires at least one option.
-replace
The command is identical to -push with the exception that the filter
which used to be at the top of the chain will be popped once the
new filter(s) are installed.
-replaceall
The command is identical to -push with the exception that all the
old filters will be removed once the new filter(s) are installed.
This command requires at least one option.
-serialpush
The command is identical to -push but each filter requires a serial
number following each file name. Use the -serial command to
retrieve a new serial number.
-secure
Mark filter as secure (immutable). This command takes no options.
-serial
Print out an available serial number to use with the -serialpush
command.
-stats Display statistics for filter. This command takes no options.
-tag This command takes a single option which is the tag to be assigned
to the next filter installed (on this command line). Each filter
may have a 32 byte tag (shorter tags are automatically NUL padded).
If a tag does not start with a NUL byte and another filter on the
chain exists with the same tag, that filter is replaced by the new
filter and its location is not modified. The priority is not used
to position the filter, though the new priority may alter how
future filters are inserted.
For the -push, -replace, and -replaceall commands, the options refer to
files which should be descriptions of BSD IP Filters. Unless the file
name ends with .ipfw, the file is expected to be a compiled filter (see
ipfwcmp(8) and ipfwcisco(8)) otherwise ipfw will use the ipfwcmp(8)
utility to compile the filter.
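The chain-ordering rules described above for -push, -priority, -tag, -move and -popall are easy to misread, and the order of a chain decides which filter sees a packet first. As an added illustration that is not part of this manual page or of the ipfw utility, the following Python models those rules on an in-memory chain; the filter names are constructed.

```python
from dataclasses import dataclass

TAG_LEN = 32  # each filter may carry a 32-byte tag; shorter tags are NUL padded
@dataclass(eq=False)
class Filter:
    name: str          # file the filter was loaded from (constructed names below)
    priority: int = 0  # signed 32-bit value; the default priority is 0
    tag: bytes = b""   # tag as given with -tag; empty means "no tag"

    def padded_tag(self):
        return self.tag[:TAG_LEN].ljust(TAG_LEN, b"\0")
class Chain:
    """One filtering point; index 0 is the top of the chain (serial number 0)."""
    def __init__(self):
        self.filters = []

    def push(self, f):
        tag = f.padded_tag()
        # -tag rule: a tag not starting with NUL that matches an existing
        # filter replaces it in place; priority does not reposition it.
        if tag[0] != 0:
            for i, old in enumerate(self.filters):
                if old.padded_tag() == tag:
                    self.filters[i] = f
                    return i
        # -priority rule: insert just before the top-most filter whose
        # priority is <= the new filter's; otherwise at the bottom.
        for i, old in enumerate(self.filters):
            if old.priority <= f.priority:
                self.filters.insert(i, f)
                return i
        self.filters.append(f)
        return len(self.filters) - 1

    def push_files(self, names, priority=0):
        # -push rule: the last file listed is pushed first, so the first
        # listed file ends up at the top of the chain.
        for name in reversed(names):
            self.push(Filter(name, priority))
    def move(self, src, dst):
        # -move rule: filter at serial src goes just below the one at dst.
        below = self.filters[dst]
        f = self.filters.pop(src)
        self.filters.insert(self.filters.index(below) + 1, f)
    def popall(self, serial=0):
        # -popall rule: the given serial and every filter below it go away.
        del self.filters[serial:]

    def order(self):
        return [f.name for f in self.filters]
```

Pushing two files then a priority-10 filter puts the priority-10 filter on top, while a priority of -5 lands at the bottom; a second filter with the same non-NUL tag replaces the first where it sits.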
NAT FILTERS
When using the -display command on a NAT filter both the configuration
and any active NAT sessions are displayed. The NAT configuration is
computed from the current active configuration and does not include any
prefill values (see ipfwnat(8)). Timeouts and buckets are only displayed
if the filter is using values other than the defaults.
The active NAT sessions are displayed one per line. The first two
characters of each line indicate how the session was created. ``->'' implies
the session was created on an incoming packet that matched a service.
``<-'' implies the session was created by an outgoing packet that matched
a map.
The remote address and port are of the endpoint outside of the NAT
environment. The external address and port are what the remote end sees.
The internal address and port are for the endpoint within the NAT
environment.
SEE ALSO
ipfwasm(8), ipfwcisco(8), ipfwcmp(8), ipfwdump(8), ipfwlog(8)

September 20, 1996