Update to reflect new ipfw syntax.

svn path=/head/; revision=377
1996-06-25 03:15:17 +00:00 · 1996-06-25 03:15:17 +00:00 · 4255ccc7df · 2020-12-08 03:00:23 +00:00
commit 4255ccc7df
parent 705a564dad
1 changed files with 141 additions and 143 deletions
--- a/handbook/firewalls.sgml
+++ b/handbook/firewalls.sgml
@ -1,9 +1,9 @@
-<!-- $Id: firewalls.sgml,v 1.4 1996-01-31 19:02:57 mpp Exp $ -->
+<!-- $Id: firewalls.sgml,v 1.5 1996-06-25 03:15:17 alex Exp $ -->
 <!-- The FreeBSD Documentation Project -->
 <sect><heading>Firewalls<label id="firewalls"></heading>
-<p><em>Contributed by &a.gpalmer;.<newline>4th of October 1995</em>
+<p><em>Contributed by &a.gpalmer; and &a.alex;.</em>
 Firewalls are an area of increasing interest for people who are
 connected to the Internet, and are even finding applications on
@ -96,7 +96,7 @@ can be set up so that you can limit which users can talk to which
 destination machine. Again, what facilities are available depends
 largely on what proxy software you choose.
-<sect1><heading>What does <tt>IPFW</tt> allow me to do?</heading>
+<sect1><heading>What does IPFW allow me to do?</heading>
 <p><tt>IPFW</tt>, the software supplied with FreeBSD, is a packet
 filtering and accounting system which resides in the kernel, and has a
@ -117,7 +117,7 @@ incoming and outgoing connections. This is a special case of the more
 general use of <tt>IPFW</tt>, and the same commands and techniques
 should be used in this situation.
-<sect1><heading>Enabling <tt>IPFW</tt> on FreeBSD</heading>
+<sect1><heading>Enabling IPFW on FreeBSD</heading>
 <p>As the main part of the <tt>IPFW</tt> system lives in the kernel, you will
 need to add one or more options to your kernel configuration
@ -137,35 +137,57 @@ packets through <tt>syslogd(8)</tt>. Without this option, even if you
 specify that packets should be logged in the filter rules, nothing
 will happen.
-<tag/options IPACCT/ Turns on the IP accounting facilities.
+<tag/options "IPFIREWALL_VERBOSE_LIMIT=10"/ Limits the number of
 packets logged through <tt>syslogd(8)</tt> on a per entry basis.
 You may wish to use this option in hostile environments in which
 you want to log firewall activity, but do not want to be open to
 a denial of serivce attack via syslog flooding.
 <p>When a chain entry reaches the packet limit specified, logging
 is turned off for that particular entry.  To resume logging, you
 will need to reset the associated counter using the <tt>ipfw(8)</tt>
 utility:
 <tscreen><verb>
 ipfw zero 4500
 </verb></tscreen>
 Where 4500 is the chain entry you wish to continue logging.
 </descrip>
-<sect1><heading>Configuring <tt>IPFW</tt></heading>
+Previous versions of FreeBSD contained an <tt>IPFIREWALL_ACCT</tt> 
 option.  This is now obsolete as the firewall code automatically 
 includes accounting facilities.
 <sect1><heading>Configuring IPFW</heading>
 <p>The configuration of the <tt>IPFW</tt> software is done through the
 <tt>ipfw(8)</tt> utility. The syntax for this command looks
 quite complicated, but it is relatively simple once you understand
 its structure.
-<p>There are currently two different command line formats for the
+<p>There are currently four different command categories used by the
-utility, depending on what you are doing. The first form is used when
+utility: addition/deletion, listing, flushing, and clearing.
-adding/deleting entries from the firewall or accounting chains, or
+Addition/deletion is used to build the rules that control how packets
-when clearing the counters for an entry on the accounting chain. The
+are accepted, rejected, and logged.  Listing is used to examine the
-second form is used for more general actions, such as flushing the
+contents of your rule set (otherwise known as the chain) and packet
-rule chains, listing the rule chains or setting the default policy.
+counters (accounting).  Flushing is used to remove all entries from
 the chain.  Clearing is used to zero out one or more accounting
 entries.
-<sect2><heading>Altering the <tt>IPFW</tt> rules</heading>
+<sect2><heading>Altering the IPFW rules</heading>
 <p>The syntax for this form of the command is:
 <tscreen>
-ipfw [-n] <em>command</em> <em>action</em> <em>protocol</em> <em>addresses</em>
+ipfw &lsqb;-N&rsqb; <em>command</em> &lsqb;index&rsqb; <em>action</em> 
 <em>protocol</em> <em>addresses</em> &lsqb;options&rsqb;
 </tscreen>
 <p>There is one valid flag when using this form of the command:
 <descrip>
-<tag/-n/Do not attempt to resolve given addresses.
+<tag/-N/Resolve addresses and service names.
 </descrip>
 The <em>command</em> given can be shortened to the shortest unique
@ -173,69 +195,39 @@ form. The valid <em>commands</em> are:
 <descrip>
-<tag/addfirewall/Add an entry to the firewall rule list
+<tag/add/Add an entry to the firewall/accounting rule list
-<tag/delfirewall/Delete an entry from the firewall rule list
+<tag/delete/Delete an entry from the firewall/accounting rule list
 <tag/addaccounting/Add an entry to the accounting rule list
 <tag/delaccounting/Delete an entry from the accounting rule list
 <tag/clraccounting/Clear the counters for an accounting rule entry.
 </descrip>
-If no command is given, it will default <bf>addfirewall</bf> or
+Previous versions of <tt>IPFW</tt> used separate firewall and
-<bf>addaccounting</bf> depending on the arguments given.
+accounting entries.  The present version provides packet accounting
 with each firewall entry.
-<p>Currently, the firewall support in the kernel applies a set of
+<p>If an <tt>index</tt> value is supplied, it used to place the entry
-weights to the rule being added. This means that the rules will
+at a specific point in the chain.  Otherwise, the entry is placed at
-<em>not</em> be evaluated in the order that they are given to the
+the end of the chain at an index 100 greater than the last chain
-system. The weighting system is designed so that rules which are very
+entry (this does not include the default policy, rule 65535, deny).
 specific are evaluated first, and rules which cover very large ranges
 are evaluated last. In other words, a rule which applies to a specific
 port on a specific host will have a higher priority than a rule which
 applies to that same port, but on a range of hosts, or that host on a
 range of ports.
-<p>The weighting system is not perfect, however, and can lead to
+Valid <em>actions</em> are:
 problems. The best way to see what order it has put your rules in is
 to use the <bf>list</bf> command, as that command lists the rules in
 the order that they are evaluated, not the order that they were fed to
 the system.
 <p>The <em>actions</em> available depend on which rule chain the
 entry is destined for. For the firewall chain, valid
 <em>actions</em> are:
 <descrip>
-<tag/reject/Drop the packet, and send an ICMP HOST_UNREACHABLE or
+<tag/reject/Drop the packet, and send an ICMP host or port
-ICMP PORT_UNREACHABLE (as appropriate) packet to the source.
+unreachable (as appropriate) packet to the source.
-<tag/lreject/As <bf>reject</bf>, but also log the packet details.
+<tag/allow/Pass the packet on as normal.
-<tag/deny/Drop the packet.
+<tag/deny/Drop the packet.  The source is not notified via an ICMP
 message (thus it appears that the packet never arrived at the
 destination).
-<tag/ldeny/As <bf>deny</bf>, but also log the packet details.
+<tag/count/Update packet counters but do not allow/deny the packet
 based on this rule.  The search continues with the next chain entry.
-<tag/log/Log the packets details and pass it on as normal.
+<tag/reject/Discard the packet, sending an ICMP host/port unreachable
-
+message back to the source.
 <tag/accept/Pass the packet on as normal.
 <tag/pass/Synonym for <bf>accept</bf>.
 </descrip>
 For the accounting chain, valid <em>actions</em> are:
 <descrip>
 <tag/single/Count packets matching the address specifier.
 <tag/bidirectional/Count packets matching the address specifier, and
 also packets traveling in the opposite direction (i.e. those going
 from ``destination'' to ``source'').
 </descrip>
@ -254,30 +246,22 @@ The <em>protocols</em> which can be specified are:
 <tag/udp/Matches UDP packets
 <tag/syn/Matches the TCP SYN (synchronization) packet used during TCP
 connection negotiation. You can use this to block ``incoming'' TCP
 connections, but allow ``outgoing'' TCP connections.
 </descrip>
 <p>The <em>address</em> specification is:
 <tscreen>
-&lsqb;<bf>from</bf> &lt;<em>address/mask</em>&gt;&lsqb;<em>port</em>&rsqb;&rsqb; &lsqb;<bf>to</bf>
+<bf>from</bf> &lt;<em>address/mask</em>&gt;&lsqb;<em>port</em>&rsqb; <bf>to</bf>
- &lt;<em>address/mask</em>&gt;&lsqb;<em>port</em>&rsqb;&rsqb; &lsqb;<bf>via</bf> &lt;<em>interface</em>&gt;&rsqb;
+ &lt;<em>address/mask</em>&gt;&lsqb;<em>port</em>&rsqb &lsqb;<bf>via</bf> &lt;<em>interface</em>&gt;&rsqb;
 </tscreen>
 <p>You can only specify <em>port</em> in conjunction with
-<em>protocols</em> which support ports (UDP, TCP and SYN).
+<em>protocols</em> which support ports (UDP and TCP).
 <p>The order of the <bf>from</bf>, <bf>to</bf>, and
 <bf>via</bf> keywords is unimportant. Any of them can be omitted,
 in which case a default entry for that keyword will be supplied which
 matches everything.
 <p>The <bf>via</bf> is optional and may specify the IP address or
 domain name of a local IP interface, or an interface name (e.g.
-<tt>ed0</tt>) to match only packets coming through this interface. The
+<tt>ed0</tt>) to match only packets coming through this interface.
-keyword <bf>via</bf> can be substituted by <bf>on</bf>, for
+Interface unit numbers can be specified with an optional wildcard.
-readability reasons.
+For example, <tt>ppp*</tt> would match all kernel PPP interfaces.
 <p>The syntax used to specify an <tt>&lt;address/mask&gt;</tt> is:
 <tscreen>
@ -310,14 +294,50 @@ to specify either a single port or a list of ports, or
 <tscreen><verb>
 port:port
 </verb></tscreen>
-to specify a range of ports. The name of a service (from
+to specify a range of ports.
 <em>/etc/services</em>) can be used instead of a numeric port value.
-<sect2><heading>Listing/flushing the <tt>IPFW</tt> rules</heading>
+<p>The <em>options</em> available are:
 <descrip>
 <tag/frag/Matches if the packet is the first fragment of the datagram.
 <tag/in/Matches if the packet is on the way in.
 <tag/out/Matches if the packet is on the way out.
 <tag/ipoptions <em>spec</em>/Matches if the IP header contains the
 comma separated list of options specified in <em>spec</em>.  The
 supported list of IP options are: <bf>ssrr</bf> (strict source route),
 <bf>lsrr</bf> (loose source route), <bf>rr</bf> (record packet route),
 and <bf>ts</bf> (timestamp).  The absence of a particular option may
 be denoted with a leading '!'.
 <tag/established/Matches if the packet is part of an already established
 TCP connection (i.e. it has the RST or ACK bits set).
 <tag/setup/Matches if the packet is an attempt to establish a TCP connection
 (the SYN bit set is set but the ACK bit is not).
 <tag/tcpflags <em>flags</em>/Matches if the TCP header contains
 the comma separated list of <em>flags</em>.  The supported flags
 are <bf>fin</bf>, <bf>syn</bf>, <bf>rst</bf>, <bf>psh</bf>, <bf>ack</bf>,
 and <bf>urg</bf>.  The absence of a particular flag may be indicated
 by a leading '!'.
 <tag/icmptypes <em>types</em>/Matches if the ICMP type is present in
 the list <em>types</em>.  The list may be specified as any combination
 of ranges and/or individual types separated by commas.  Commonly used
 ICMP types are: <bf>0</bf> echo reply (ping reply), <bf>5</bf>
 redirect, and <bf>8</bf> echo request (ping request).
 </descrip>
 <sect2><heading>Listing the IPFW rules</heading>
 <p>The syntax for this form of the command is:
 <tscreen>
-ipfw &lsqb;-ans&rsqb; <em>command</em> &lsqb;<em>argument</em>&rsqb;
+ipfw &lsqb;-atN&rsqb; l
 </tscreen>
 <p>There are three valid flags when using this form of the command:
@ -325,56 +345,39 @@ ipfw &lsqb;-ans&rsqb; <em>command</em> &lsqb;<em>argument</em>&rsqb;
 <descrip>
 <tag/-a/While listing, show counter values. This option is the only
-way to see accounting counters. Works only with <bf>-s</bf>.
+way to see accounting counters.
-<tag/-n/Do not attempt to resolve given addresses.
+<tag/-t/Display the last match times for each chain entry.  The time
 listing is incompatible with the input syntax used by the
 <tt>ipfw(8)</tt> utility.
-<tag/-s/Use short listing form. This should be used with <bf>-a</bf>
+<tag/-N/Do not attempt to resolve given addresses.
 to see accounting counters. The short form listing is incompatible
 with the input syntax used by the <tt>ipfw(8)</tt> utility.
 </descrip>
-The <em>command</em> given can be shortened to the shortest unique
+<sect2><heading>Flushing the IPFW rules</heading>
 form. The valid <em>commands</em> are:
-<descrip>
+<p>The syntax for flushing the chain is:
 <tscreen>
 ipfw flush
 </tscreen>
-<tag/list/List the chain rule entries. Unless the <bf>-s</bf> flag is
+<p>This causes all entries in the firewall chain to be removed except
-given, the format is compatible with the command line syntax.
+the fixed default policy enforced by the kernel (index 65535).  Use
 caution when flushing rules, the default deny policy will leave your
 system cut off from the network until allow entries are added to the
 chain.
-<tag/flush/Flush the chain rule entries.
+<sect2><heading>Clearing the IPFW packet counters</heading>
-<tag/zero/Clear counters for the entire accounting chain.
+<p>The syntax for clearing one or more packet counters is:
 <tscreen>
 ipfw zero &lsqb;index&rsqb;
 </tscreen>
-<tag/policy/Set or display the default policy for the firewall
+<p>When used without an <em>index</em> argument, all packet counters
-code. Without an argument, the current policy will be displayed.
+are cleared.  If an <em>index</em> is supplied, the clearing operation
-
+only affects a specific chain entry.
 </descrip>
 The <bf>list</bf> and <bf>flush</bf> commands may optionally be passed
 an <em>argument</em> to specify which chain to flush. Valid arguments are:
 <descrip>
 <tag/firewall/The packet filter chain.
 <tag/accounting/The accounting chain.
 </descrip>
 <p>The <bf>policy</bf> command can be given one of two arguments:
 <descrip>
 <tag/accept/If a packet is not matched by any rule, pass it on.
 <tag/deny/If a packet is not matched by any rule, do not pass it on.
 </descrip>
 As usual, the arguments can be shortened to the shortest unique form
 (in this case, the first letter).
 <sect1><heading>Example commands for ipfw</heading>
@ -383,7 +386,7 @@ As usual, the arguments can be shortened to the shortest unique form
 <bf>nice.people.org</bf> by being forwarded by the router:
 <tscreen><verb>
-ipfw addf deny tcp from evil.hacker.org to nice.people.org telnet
+ipfw add deny tcp from evil.hacker.org to nice.people.org 23
 </verb></tscreen>
 <p>The next example denies and logs any TCP traffic from the entire
@ -391,7 +394,7 @@ ipfw addf deny tcp from evil.hacker.org to nice.people.org telnet
 machine (any port).
 <tscreen><verb>
-ipfw addf ldeny tcp from evil.hacker.org/24 to nice.people.org
+ipfw add deny log tcp from evil.hacker.org/24 to nice.people.org
 </verb></tscreen>
 If you do not want people sending X sessions to your internal network
@ -399,23 +402,27 @@ If you do not want people sending X sessions to your internal network
 filtering:
 <tscreen><verb>
-ipfw addf deny syn to my.org/28 6000
+ipfw add deny setup from any to my.org/28 6000
 </verb></tscreen>
 To allow access to the SUP server on <bf>sup.FreeBSD.ORG</bf>, use the
 following command:
 <tscreen><verb>
-ipfw addf accept syn to sup.FreeBSD.ORG supfilesrv
+ipfw addf accept syn to sup.FreeBSD.ORG 871
 </verb></tscreen>
 To see the accounting records:
 <tscreen><verb>
-ipfw -sa list accounting
+ipfw -a list
 </verb></tscreen>
 or in the short form
 <tscreen><verb>
-ipfw -sa l a
+ipfw -a l
 </verb></tscreen>
 You can also see the last time a chain entry was matched with
 <tscreen><verb>
 ipfw -at l
 </verb></tscreen>
 <sect1><heading>Building a packet filtering firewall</heading>
@ -479,10 +486,11 @@ want to allow from the inside. Some general rules are:
 where most of the security sensitive services are, like finger, SMTP
 (mail) and telnet.
- <item>Block incoming SYN connections to ports between 1001 and 1024
+ <item>Block incoming SYN (<bf>setup</bf>) connections to ports
-(this will allow internal users to rsh/rlogin to the outside). If you
+between 1001 and 1024 (this will allow internal users to rsh/rlogin to
-do not want to allow rsh/rlogin connections from the inside to the
+the outside). If you do not want to allow rsh/rlogin connections from
-outside, then extend the above suggestion to cover ports 1-1024.
+the inside to the outside, then extend the above suggestion to cover
 ports 1-1024.
 <item>Block <bf>all</bf> incoming UDP traffic. There are very few
 useful services that travel over UDP, and what useful traffic there is
@ -509,16 +517,6 @@ normally fall outside the 1-1024 range specified above.
 </itemize>
 <p>Of course, if you want to make sure that no un-authorized traffic
 gets through the firewall, change the default policy to ``deny''. This
 will mean that any traffic which is allowed through has to be
 specified explicitly in an ``accept'' or ``allow'' filter rule. Which
 ports you allow through is again something that you will have to
 decide for yourself. If you do set the default policy to be deny, you
 will probably want to install proxy servers, as no traffic will be
 able to get OUT either unless you allow TCP SYN connections going form
 the inside out.
 <p>As I said above, these are only <em>guidelines</em>. You will have
 to decide what filter rules you want to use on your firewall
 yourself. I cannot accept ANY responsibility if someone breaks into