ipfwcircuit man page on BSDi


IPFWCIRCUIT(8)		  BSD System Manager's Manual		IPFWCIRCUIT(8)

NAME
     ipfwcircuit - set / delete / modify BSD IP Filter circuit

SYNOPSIS
     ipfwcircuit [filter] [-Fv] [-f number] [-i index] [-m mask] [-s size] [-T
		 tag] [-w [src | dst]] [-N maxcircuits] [-n ticks] [-t
		 tickrate]
     ipfwcircuit [filter] [-v] [-a serial] [-w [src | dst]] [-H -hitcode] [-M
		 -misscode] addr1 [addr2] ports
     ipfwcircuit [filter] [-v] [-d serial] [-w [src | dst]] addr1 [addr2]
		 ports
     ipfwcircuit [filter] [-v] [-D serial]
     ipfwcircuit [filter] -e serial [-n ticks] [-t tickrate]

DESCRIPTION
     The ipfwcircuit utility is used to create and maintain circuit caches.
     This utility mostly exists for testing purposes.  It is expected that
     most real world situations will warrant a custom program to maintain the
     circuit cache.

     The filter argument, if specified, must be one of:

     pre-input
	     A filter on all IP packets as they first enter IP processing.

     input   A filter on IP packets destined for the local machine, after
	     fragment re-assembly.

     forward
	     A filter on IP packets being forwarded through this machine.

     pre-output
	     A filter on all IP packets leaving this machine, prior to
	     routing.

     output  A filter on IP packets generated locally by this machine.

     call    Not an actual filtering point, this chain should contain filters
	     to be called from a BPF based filter.  This is the default chain
	     of filters used.

     The following options are available:

     -a	     Add an entry to the filter specified by serial.

     -D	     Display the number of entries in each bucket for the circuit
	     cache specified by serial.

     -d	     Delete the entry specified in the circuit cache specified by
	     serial.

     -e	     Expire old circuits.  In this mode the program does not return
	     but checks every tickrate seconds for circuits that have not been
	     used in the past ticks intervals (that is, tickrate * ticks
	     seconds).

     -F	     For TCP circuit caches, turn on the following of FINs and RSTs.

     -f	     Insert the newly created filter at location number in the call
	     list.

     -H	     When used with the -a flag, specify the return value on a hit.

     -i	     Specify interface to restrict filtering to.  Currently this must
	     be the interface's index number.

     -m	     Set the mask of the first 32 bits of the data packet to examine
	     to mask. By default all 32 bits are examined.

     -N	     Set the maximum number of circuits allowed in the cache to
	     maxcircuits.

     -n	     Set the number of ticks before an entry expires.  Defaults to
	     128, which is also the maximum value.

     -s	     By default all circuit caches have 997 buckets.  This is good for
	     up to 10,000 entries.  An alternate size may be specified with -s.

     -T	     Specify the tag to be used for this filter.

     -t	     Set the tick rate for expiration.	Defaults to 225 seconds per
	     tick.  When combined with 128 ticks (the default) the expiration
	     rate is 8 hours.

     -v	     Be verbose about what is going on.

     -w	     By default both the source and destination IP addresses are used.
	     Specifying src or dst with the -w flag will limit the usage to
	     only that entry.  Providing -w src -w dst allows the insertion of
	     a uni-directional circuit cache using both addresses.

     If none of -a, -d, or -D are specified then a new circuit cache is
     created.

     When adding or deleting any entry to the circuit cache, the same -w flags
     must be passed as were used in the creation of the filter.	 When -w is
     not used, addr1 and addr2 specify the two addresses.  The first 32 bits
     of data will be treated as two 16-bit words.  If addr1 is the destination
     address of the packet being checked then the 16-bit words will be swapped
     prior to checking.	 Even if the mask is zero, ports must be specified
     (the pattern to compare the first 32 bits of data to after masking).
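
     The matching rule described above, modelled in C as an added
     illustration (not part of the original man page and not BSD/OS source).
     The struct, macro and function names and the sample addresses are
     hypothetical; applying the mask after the word swap is an assumption
     the page does not state.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative model only; names are hypothetical, not BSD/OS source. */
struct circuit {
    uint32_t addr1, addr2; /* the two circuit addresses */
    uint32_t ports;        /* pattern for the first 32 bits of data */
    uint32_t mask;         /* -m mask; 0xffffffff examines all 32 bits */
};

/* Build a 32-bit data word from its two 16-bit halves. */
#define WORDS(hi, lo) (((uint32_t)(hi) << 16) | (uint32_t)(lo))

/* Exchange the two 16-bit words of a 32-bit value. */
static uint32_t swap16(uint32_t w) { return (w << 16) | (w >> 16); }

/* Return 1 on a hit, 0 on a miss. data32 is the first 32 bits of packet
 * data; for TCP/UDP that is source port (high) and destination port (low). */
int circuit_match(const struct circuit *c, uint32_t src, uint32_t dst,
                  uint32_t data32)
{
    if (dst == c->addr1 && src == c->addr2)
        data32 = swap16(data32);   /* addr1 is the destination: swap */
    else if (!(src == c->addr1 && dst == c->addr2))
        return 0;                  /* neither direction of this circuit */
    /* Assumption: the mask is applied after the swap, then compared. */
    return (data32 & c->mask) == c->ports;
}

int main(void)
{
    /* Constructed sample: 10.0.0.1:40000 <-> 10.0.0.2:80 */
    uint32_t a = 0x0a000001, b = 0x0a000002;
    struct circuit c = { a, b, WORDS(40000, 80), 0xffffffff };

    printf("request: %d\n", circuit_match(&c, a, b, WORDS(40000, 80)));
    printf("reply:   %d\n", circuit_match(&c, b, a, WORDS(80, 40000)));
    printf("other:   %d\n", circuit_match(&c, a, b, WORDS(40001, 80)));
    return 0;
}
```

     Because of the swap, one entry covers both directions of a connection.
     In this model a pattern with bits set outside the mask can never match.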

SEE ALSO
     ipfw(8),  ipfwdump(8),  ipfwlog(8)

				 June 16, 1997				     2