diff --git a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml index 4db2e8d29b..c9c8e1ad0e 100644 --- a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml 
@@ -1499,33 +1499,36 @@ block drop out quick on $ext_if from any to $martians - The IPFILTER (IPF) Firewall + IPFILTER (IPF) firewall - IPFILTER + IPFILTER - IPFILTER is a cross-platform, open source firewall which - has been ported to &os;, NetBSD, OpenBSD, &sunos;, HP/UX, and + IPFILTER, also known as + IPF, is a cross-platform, open source firewall which + has been ported to &os;, NetBSD, OpenBSD, and &solaris; operating systems. - IPFILTER is based on a kernel-side firewall and + IPFILTER is a kernel-side firewall and NAT mechanism that can be controlled and - monitored by userland interface programs. The firewall rules - can be set or deleted using &man.ipf.8;. The + monitored by userland programs. Firewall rules + can be set or deleted using ipf, NAT rules can be set or deleted using - &man.ipnat.8;. Run-time statistics for the kernel parts of - IPFILTER can be printed using &man.ipfstat.8;. To log IPFILTER - actions to the system log files, use &man.ipmon.8;. + ipnat, run-time statistics for the kernel parts of + IPFILTER can be printed using + ipfstat, and + ipmon can be used to log IPFILTER + actions to the system log files. - IPF was originally written using a rule processing logic + IPF was originally written using a rule processing logic of the last matching rule wins and only used - stateless rules. Over time, IPF has been enhanced to include a + stateless rules. Over time, IPF has been enhanced to include a quick option and a stateful keep state option which modernized the rules - processing logic. IPF's official documentation covers only the + processing logic. IPF's official documentation covers only the legacy rule coding parameters and rule file processing logic and the modernized functions are only included as additional options. 
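Review bot: in the paragraph describing the userland tools, the rewrite replaces &man.ipf.8;, &man.ipnat.8;, &man.ipfstat.8; and &man.ipmon.8; with bare command names, so the reader loses the man page links at first mention even though &man.ipf.8; is still used further down the chapter ("To load the ruleset file, use &man.ipf.8;"). Keep the entity references for the first mention of each tool, or at least for ipf and ipnat. Two smaller points in the same hunk: the title changes from "The IPFILTER (IPF) Firewall" to "IPFILTER (IPF) firewall", which is sentence case while the sibling titles in this chapter ("Enabling IPF", "IPF Rulesets", "Rule Syntax", "Stateful Filtering") stay in title case; and the supported platform list silently loses &sunos; and HP/UX while gaining &solaris;, which is a content change rather than a cleanup and should be checked against the IPFilter site linked just below before it goes in.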
@@ -1541,7 +1544,7 @@ block drop out quick on $ext_if from any to $martians and http://coombs.anu.edu.au/~avalon/ip-filter.html. - The IPF FAQ is at The IPF FAQ is at http://www.phildev.net/ipf/index.html. A searchable archive of the IPFilter mailing list is @@ -1549,32 +1552,22 @@ block drop out quick on $ext_if from any to $martians xlink:href="http://marc.theaimsgroup.com/?l=ipfilter">http://marc.theaimsgroup.com/?l=ipfilter. - Enabling IPF + Enabling <application>IPF</application> - IPFILTER + IPFILTER enabling - IPF is included in the basic &os; install as a kernel - loadable module. The system will dynamically load - this module at boot time when - ipfilter_enable="YES" is added to - rc.conf. The module enables logging and - default pass all. To change the - default to block all, add a - block all rule at the end of the - ruleset. - - - - Kernel Options + is included in the basic &os; install as a kernel + loadable module, meaning that a custom kernel is not needed in + order to enable IPF. kernel options - IPFILTER + IPFILTER @@ -1590,22 +1583,22 @@ block drop out quick on $ext_if from any to $martians - IPFILTER + IPFILTER kernel options - For users who prefer to statically compile IPF support - into a custom kernel, the following IPF option statements, - listed in /usr/src/sys/conf/NOTES, are + For users who prefer to statically compile IPF support + into a custom kernel, refer to the instructions in . The following IPF option statements are available: options IPFILTER options IPFILTER_LOG options IPFILTER_DEFAULT_BLOCK - options IPFILTER enables support for - the IPFILTER firewall. + where options IPFILTER enables support for + IPFILTER. options IPFILTER_LOG enables IPF logging using the ipl packet logging 
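Review bot: in the hunk rewriting the static-kernel paragraph, the phrase "listed in /usr/src/sys/conf/NOTES" is dropped together with the old wording, which loses the one pointer that tells the reader where the authoritative option list lives; the replacement "refer to the instructions in ." (the xref target is not visible in the diff as extracted) covers how to build a kernel but not where to confirm the IPFILTER options. Suggest keeping the NOTES reference, e.g. "The following IPF option statements, listed in /usr/src/sys/conf/NOTES, are available:". It would also help to state in the same paragraph that the three options apply to a custom kernel only; for the loadable module described just above, this patch's own text says logging is enabled and the default is pass all, and those cannot be changed through these options without rebuilding.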
@@ -1616,15 +1609,14 @@ options IPFILTER_DEFAULT_BLOCK the default behavior so that any packet not matching a firewall pass rule gets blocked. - These settings will take effect only after installing a - kernel that has been built with the above options set. - - - - Available <filename>rc.conf</filename> Options - - To activate IPF at boot time, the following statements - need to be added to /etc/rc.conf: + To configure the system to enable IPF + at boot time, add + the following entries to + /etc/rc.conf. These entries will also enable logging and + default pass all. To change the + default to block all, add a + block all rule at the end of the + ruleset. ipfilter_enable="YES" # Start ipf firewall ipfilter_rules="/etc/ipf.rules" # loads rules definition text file 
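Review bot: the new sentence "These entries will also enable logging and default pass all" attributes two properties of the module build to the rc.conf entries: ipfilter_enable only loads the module and the ruleset, while logging comes from IPFILTER_LOG and the default policy is what IPFILTER_DEFAULT_BLOCK, described immediately above in this hunk, flips. The wording removed by the earlier hunk ("The module enables logging and default pass all") was accurate; suggest "The module shipped with &os; is built with logging enabled and a default policy of pass all." The advice to "add a block all rule at the end of the ruleset" also deserves a caveat in the same place: the first hunk of this patch explains that IPF's legacy logic is last matching rule wins, so a trailing block all only behaves as a default when the preceding pass rules carry quick, as the examples in this chapter do; in a ruleset without quick, the trailing block would be the last match for everything and block all traffic.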
@@ -1634,20 +1626,50 @@ ipmon_flags="-Ds" # D = start as daemon # v = log tcp window, ack, seq # n = map IP & port to names - If there is a LAN behind the firewall that uses the - reserved private IP address ranges, the following lines have - to be added to enable NAT - functionality: + If NAT + functionality is needed, also add these lines: gateway_enable="YES" # Enable as LAN gateway ipnat_enable="YES" # Start ipnat function ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat + + To start IPF now: + + &prompt.root; service ipfilter start + - IPF + IPF Rulesets - ipf + A ruleset contains a group of IPF rules which pass or + block packets based on the values contained in the packet. + The bi-directional exchange of packets between hosts comprises + a session conversation. The firewall ruleset processes both + the packets arriving from the public Internet, as well as the + packets produced by the system as a response to them. + Each TCP/IP service is predefined by its + protocol and listening port. Packets destined for a specific + service originate from the source address using an + unprivileged port and target the specific service port on the + destination address. All the above parameters can be used as + selection criteria to create rules which will pass or block + services. + + + IPFILTER + + rule processing order + + + + When working with the firewall rules, be very + careful. Some configurations can + lock the administrator out of the server. To be + on the safe side, consider performing the initial firewall + configuration from the local console rather than doing it + remotely over ssh. + To load the ruleset file, use &man.ipf.8;. Custom rules are normally placed in a file, and the following command can 
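Review bot: the new "To start IPF now: service ipfilter start" instruction is placed before the lock-out warning that the same hunk adds further down ("Some configurations can lock the administrator out of the server ... consider performing the initial firewall configuration from the local console rather than doing it remotely over ssh"). Since the start command loads whatever /etc/ipf.rules contains, the warning should come first, or the start paragraph should point at it; otherwise a reader working top to bottom over ssh meets the warning only after the command has been run. Minor: the NAT lead-in now reads "If NAT functionality is needed, also add these lines:", which drops the condition the old text stated (a LAN behind the firewall using the reserved private address ranges); that was the concrete trigger for gateway_enable and is worth keeping in some form.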
@@ -1678,411 +1700,14 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnatThere is a way to build IPF rules that utilize the power of script symbolic substitution. For more information, see - . - - - - IPFSTAT - - ipfstat - - - IPFILTER - - statistics - - - The default behavior of &man.ipfstat.8; is to retrieve - and display the totals of the accumulated statistics gathered - by applying the rules against packets going in and out of the - firewall since it was last started, or since the last time the - accumulators were reset to zero using ipf - -Z. - - Refer to &man.ipfstat.8; for details. - - The default &man.ipfstat.8; output will look something - like this: - - input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0 - output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0 - input packets logged: blocked 99286 passed 0 - output packets logged: blocked 0 passed 0 - packets logged: input 0 output 0 - log failures: input 3898 output 0 - fragment state(in): kept 0 lost 0 - fragment state(out): kept 0 lost 0 - packet state(in): kept 169364 lost 0 - packet state(out): kept 431395 lost 0 - ICMP replies: 0 TCP RSTs sent: 0 - Result cache hits(in): 1215208 (out): 1098963 - IN Pullups succeeded: 2 failed: 0 - OUT Pullups succeeded: 0 failed: 0 - Fastroute successes: 0 failures: 0 - TCP cksum fails(in): 0 (out): 0 - Packet log flags set: (0) - - When supplied with either for inbound - or for outbound, the command will retrieve - and display the appropriate list of filter rules currently - installed and in use by the kernel. - - ipfstat -in displays the inbound - internal rules table with rule numbers. - - ipfstat -on displays the outbound - internal rules table with rule numbers. 
- - The output will look something like this: - - @1 pass out on xl0 from any to any -@2 block out on dc0 from any to any -@3 pass out quick on dc0 proto tcp/udp from any to any keep state - - ipfstat -ih displays the inbound - internal rules table, prefixing each rule with a count of how - many times the rule was matched. - - ipfstat -oh displays the outbound - internal rules table, prefixing each rule with a count of how - many times the rule was matched. - - The output will look something like this: - - 2451423 pass out on xl0 from any to any -354727 block out on dc0 from any to any -430918 pass out quick on dc0 proto tcp/udp from any to any keep state - - One of the most important options of - ipfstat is which - displays the state table in a way similar to how &man.top.1; - shows the &os; running process table. When a firewall is - under attack, this function provides the ability to identify - and see the attacking packets. The optional sub-flags give - the ability to select the destination or source IP, port, or - protocol to be monitored in real time. Refer to - &man.ipfstat.8; for details. - - - - IPMON - - ipmon - - - IPFILTER - - logging - - - In order for ipmon to work properly, - the kernel option IPFILTER_LOG must be - turned on. This command has two different modes. Native mode - is the default mode when the command is used without - . - - Daemon mode provides a continuous system log file so that - logging of past events may be reviewed. &os; has a built in - facility to automatically rotate system logs. This is why - outputting the log information to &man.syslogd.8; is better - than the default of outputting to a regular file. 
The default - rc.conf - ipmon_flags statement uses - : - - ipmon_flags="-Ds" # D = start as daemon - # s = log to syslog - # v = log tcp window, ack, seq - # n = map IP & port to names - - Logging provides the ability to review, after the fact, - information such as which packets were dropped, what addresses - they came from and where they were going. These can all - provide a significant edge in tracking down attackers. - - Even with the logging facility enabled, IPF will not - generate any rule logging by default. The firewall - administrator decides which rules in the ruleset should be - logged and adds the log keyword to those rules. Normally, - only deny rules are logged. - - It is customary to include a default deny - everything rule with the log keyword included as the - last rule in the ruleset. This makes it possible to see all - the packets that did not match any of the rules in the - ruleset. - - - - IPMON Logging - - &man.syslogd.8; uses its own method for segregation of log - data. It uses groupings called facility and - level. By default, IPMON in - mode uses local0 as - the facility name. The following levels can be - used to further segregate the logged data: - - LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block. -LOG_NOTICE - packets logged which are also passed -LOG_WARNING - packets logged which are also blocked -LOG_ERR - packets which have been logged and which can be considered short - - - - In order to setup IPFILTER to log all data to - /var/log/ipfilter.log, first - create the empty file: - - &prompt.root; touch /var/log/ipfilter.log - - &man.syslogd.8; is controlled by definition statements in - /etc/syslog.conf. This file offers - considerable flexibility in how - syslog will deal with system - messages issued by software applications like IPF. 
- - To write all logged messages to the specified file, - add the following statement to - /etc/syslog.conf: - - local0.* /var/log/ipfilter.log - - To activate the changes and instruct &man.syslogd.8; - to read the modified /etc/syslog.conf, - run service syslogd reload. - - Do not forget to change - /etc/newsyslog.conf to rotate the new - log file. - - - - The Format of Logged Messages - - Messages generated by ipmon consist - of data fields separated by white space. Fields common to - all messages are: - - - - The date of packet receipt. - - - - The time of packet receipt. This is in the form - HH:MM:SS.F, for hours, minutes, seconds, and fractions - of a second. - - - - The name of the interface that processed the - packet. - - - - The group and rule number of the rule in the format - @0:17. - - - - These can be viewed with - ipfstat -in. - - - - The action: p for passed, - b for blocked, S for - a short packet, n did not match any - rules, and L for a log rule. The order - of precedence in showing flags is: S, - p, b, - n, L. A capital - P or B means that - the packet has been logged due to a global logging - setting, not a particular rule. - - - - The addresses written as three fields: the source - address and port separated by a comma, the -> symbol, - and the destination address and port. For example: - 209.53.17.22,80 -> - 198.73.220.17,1722. - - - - PR followed by the protocol name - or number: for example, PR tcp. - - - - len followed by the header length - and total length of the packet: for example, - len 20 40. - - - - If the packet is a TCP packet, there - will be an additional field starting with a hyphen followed by - letters corresponding to any flags that were set. Refer to - &man.ipf.5; for a list of letters and their flags. - - If the packet is an ICMP packet, there will be two fields - at the end: the first always being ICMP and - the next being the ICMP message and sub-message type, - separated by a slash. 
For example: ICMP 3/3 for a port - unreachable message. - - - - Building the Rule Script with Symbolic - Substitution - - Some experienced IPF users create a file containing the - rules and code them in a manner compatible with running them - as a script with symbolic substitution. The major benefit - of doing this is that only the value associated with the - symbolic name needs to be changed, and when the script is - run all the rules containing the symbolic name will have the - value substituted in the rules. Being a script, symbolic - substitution can be used to code frequently used values and - substitute them in multiple rules. This can be seen in the - following example. - - The script syntax used here is compatible with the - &man.sh.1;, &man.csh.1;, and &man.tcsh.1; shells. - - Symbolic substitution fields are prefixed with a - $. - - Symbolic fields do not have the $ prefix. - - The value to populate the symbolic field must be enclosed - between double quotes ("). - - Start the rule file with something like this: - - ############# Start of IPF rules script ######################## - -oif="dc0" # name of the outbound interface -odns="192.0.2.11" # ISP's DNS server IP address -myip="192.0.2.7" # my static IP address from ISP -ks="keep state" -fks="flags S keep state" - -# You can choose between building /etc/ipf.rules file -# from this script or running this script "as is". -# -# Uncomment only one line and comment out another. -# -# 1) This can be used for building /etc/ipf.rules: -#cat > /etc/ipf.rules << EOF -# -# 2) This can be used to run script "as is": -/sbin/ipf -Fa -f - << EOF - -# Allow out access to my ISP's Domain name server. 
-pass out quick on $oif proto tcp from any to $odns port = 53 $fks -pass out quick on $oif proto udp from any to $odns port = 53 $ks - -# Allow out non-secure standard www function -pass out quick on $oif proto tcp from $myip to any port = 80 $fks - -# Allow out secure www function https over TLS SSL -pass out quick on $oif proto tcp from $myip to any port = 443 $fks -EOF -################## End of IPF rules script ######################## - - The rules are not important in this example as it instead - focuses on how the symbolic substitution fields are populated. - If this example was in a file named - /etc/ipf.rules.script, these rules could - be reloaded by running: - - &prompt.root; sh /etc/ipf.rules.script - - There is one problem with using a rules file with embedded - symbolics: IPF does not understand symbolic substitution, and - cannot read such scripts directly. - - This script can be used in one of two ways: - - - - Uncomment the line that begins with - cat, and comment out the line that - begins with /sbin/ipf. Place - ipfilter_enable="YES" into - /etc/rc.conf, and run the script - once after each modification to create or update - /etc/ipf.rules. - - - - Disable IPFILTER in the system startup scripts by - adding ipfilter_enable="NO"to - /etc/rc.conf. - - Then, add a script like the following to - /usr/local/etc/rc.d/. The script - should have an obvious name like - ipf.loadrules.sh, where the - .sh extension is mandatory. - - #!/bin/sh -sh /etc/ipf.rules.script - - The permissions on this script file must be read, - write, execute for owner - root: - - &prompt.root; chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh - - - - Now, when the system boots, the IPF rules will be - loaded. - - - - IPF Rulesets - - A ruleset contains a group of IPF rules which pass or - block packets based on the values contained in the packet. - The bi-directional exchange of packets between hosts comprises - a session conversation. 
The firewall ruleset processes both - the packets arriving from the public Internet, as well as the - packets produced by the system as a response to them. - Each TCP/IP service is predefined by its - protocol and listening port. Packets destined for a specific - service originate from the source address using an - unprivileged port and target the specific service port on the - destination address. All the above parameters can be used as - selection criteria to create rules which will pass or block - services. - - - IPFILTER - - rule processing order - - - - When working with the firewall rules, be very - careful. Some configurations can - lock the administrator out of the server. To be - on the safe side, consider performing the initial firewall - configuration from the local console rather than doing it - remotely over ssh. - + . Rule Syntax - IPFILTER + IPFILTER rule syntax @@ -2323,7 +1948,7 @@ sh /etc/ipf.rules.script Stateful Filtering - IPFILTER + IPFILTER stateful filtering 
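Review bot: this hunk removes the IPFSTAT, IPMON, symbolic substitution and IPF Rulesets blocks, and later hunks in the same patch add the identical text back further down, so it is a reorder rather than a deletion; what needs checking is the context line at the top of the hunk, "For more information, see .", whose xref target is not visible in the extracted diff. That xref must still resolve to the id of the symbolic substitution section after it moves below the ruleset examples, and the sect nesting around the moved "IPF Rulesets" intro, which the previous hunk places in the enabling section, needs a validation build, since the element structure cannot be verified from the diff as shown. If the moved sections carry ids, confirm they travel with the text rather than being re-created, so that any existing links into the handbook keep working.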
@@ -2646,6 +2271,116 @@ block in log first quick on dc0 all ################### End of rules file ##################################### + + Building the Rule Script with Symbolic + Substitution + + Some experienced IPF users create a file containing the + rules and code them in a manner compatible with running them + as a script with symbolic substitution. The major benefit + of doing this is that only the value associated with the + symbolic name needs to be changed, and when the script is + run all the rules containing the symbolic name will have the + value substituted in the rules. Being a script, symbolic + substitution can be used to code frequently used values and + substitute them in multiple rules. This can be seen in the + following example. + + The script syntax used here is compatible with the + &man.sh.1;, &man.csh.1;, and &man.tcsh.1; shells. + + Symbolic substitution fields are prefixed with a + $. + + Symbolic fields do not have the $ prefix. + + The value to populate the symbolic field must be enclosed + between double quotes ("). + + Start the rule file with something like this: + + ############# Start of IPF rules script ######################## + +oif="dc0" # name of the outbound interface +odns="192.0.2.11" # ISP's DNS server IP address +myip="192.0.2.7" # my static IP address from ISP +ks="keep state" +fks="flags S keep state" + +# You can choose between building /etc/ipf.rules file +# from this script or running this script "as is". +# +# Uncomment only one line and comment out another. +# +# 1) This can be used for building /etc/ipf.rules: +#cat > /etc/ipf.rules << EOF +# +# 2) This can be used to run script "as is": +/sbin/ipf -Fa -f - << EOF + +# Allow out access to my ISP's Domain name server. 
+pass out quick on $oif proto tcp from any to $odns port = 53 $fks +pass out quick on $oif proto udp from any to $odns port = 53 $ks + +# Allow out non-secure standard www function +pass out quick on $oif proto tcp from $myip to any port = 80 $fks + +# Allow out secure www function https over TLS SSL +pass out quick on $oif proto tcp from $myip to any port = 443 $fks +EOF +################## End of IPF rules script ######################## + + The rules are not important in this example as it instead + focuses on how the symbolic substitution fields are populated. + If this example was in a file named + /etc/ipf.rules.script, these rules could + be reloaded by running: + + &prompt.root; sh /etc/ipf.rules.script + + There is one problem with using a rules file with embedded + symbolics: IPF does not understand symbolic substitution, and + cannot read such scripts directly. + + This script can be used in one of two ways: + + + + Uncomment the line that begins with + cat, and comment out the line that + begins with /sbin/ipf. Place + ipfilter_enable="YES" into + /etc/rc.conf, and run the script + once after each modification to create or update + /etc/ipf.rules. + + + + Disable IPFILTER in the system startup scripts by + adding ipfilter_enable="NO"to + /etc/rc.conf. + + Then, add a script like the following to + /usr/local/etc/rc.d/. The script + should have an obvious name like + ipf.loadrules.sh, where the + .sh extension is mandatory. + + #!/bin/sh +sh /etc/ipf.rules.script + + The permissions on this script file must be read, + write, execute for owner + root: + + &prompt.root; chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh + + + + Now, when the system boots, the IPF rules will be + loaded. + + <acronym>NAT</acronym> @@ -2706,7 +2441,7 @@ block in log first quick on dc0 all NAT - and IPFILTER + and IPFILTER ipnat 
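Review bot: in the second of the two ways to use the script, the reader is told to set ipfilter_enable="NO" and load the rules from /usr/local/etc/rc.d/ipf.loadrules.sh; with ipfilter disabled in rc.conf the rc framework will not load the ipl kernel module, so "/sbin/ipf -Fa -f -" in the script has nothing to talk to unless IPFILTER is compiled into the kernel or the script loads the module itself. Say so next to that step, e.g. "This method requires IPFILTER compiled into the kernel, or the script must load the module before running ipf." A second caveat for the same script: "ipf -Fa -f -" flushes the active ruleset before the new rules are read, so on a default pass all build the host is briefly unfiltered on every reload; ipf(8) can load into the inactive list with -I and swap it in with -s, which avoids that window and is worth a sentence given that this script is presented as the way to reload rules on a running system. Typo in the same hunk: "ipfilter_enable="NO"to" is missing the space before "to".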
@@ -2980,6 +2715,260 @@ pass out quick on rl0 proto tcp from any to any port > 1024 flags S keep stat pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state + + + IPFSTAT + + ipfstat + + + IPFILTER + + statistics + + + The default behavior of &man.ipfstat.8; is to retrieve + and display the totals of the accumulated statistics gathered + by applying the rules against packets going in and out of the + firewall since it was last started, or since the last time the + accumulators were reset to zero using ipf + -Z. + + Refer to &man.ipfstat.8; for details. + + The default &man.ipfstat.8; output will look something + like this: + + input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0 + output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0 + input packets logged: blocked 99286 passed 0 + output packets logged: blocked 0 passed 0 + packets logged: input 0 output 0 + log failures: input 3898 output 0 + fragment state(in): kept 0 lost 0 + fragment state(out): kept 0 lost 0 + packet state(in): kept 169364 lost 0 + packet state(out): kept 431395 lost 0 + ICMP replies: 0 TCP RSTs sent: 0 + Result cache hits(in): 1215208 (out): 1098963 + IN Pullups succeeded: 2 failed: 0 + OUT Pullups succeeded: 0 failed: 0 + Fastroute successes: 0 failures: 0 + TCP cksum fails(in): 0 (out): 0 + Packet log flags set: (0) + + When supplied with either for inbound + or for outbound, the command will retrieve + and display the appropriate list of filter rules currently + installed and in use by the kernel. + + ipfstat -in displays the inbound + internal rules table with rule numbers. + + ipfstat -on displays the outbound + internal rules table with rule numbers. 
+ + The output will look something like this: + + @1 pass out on xl0 from any to any +@2 block out on dc0 from any to any +@3 pass out quick on dc0 proto tcp/udp from any to any keep state + + ipfstat -ih displays the inbound + internal rules table, prefixing each rule with a count of how + many times the rule was matched. + + ipfstat -oh displays the outbound + internal rules table, prefixing each rule with a count of how + many times the rule was matched. + + The output will look something like this: + + 2451423 pass out on xl0 from any to any +354727 block out on dc0 from any to any +430918 pass out quick on dc0 proto tcp/udp from any to any keep state + + One of the most important options of + ipfstat is which + displays the state table in a way similar to how &man.top.1; + shows the &os; running process table. When a firewall is + under attack, this function provides the ability to identify + and see the attacking packets. The optional sub-flags give + the ability to select the destination or source IP, port, or + protocol to be monitored in real time. Refer to + &man.ipfstat.8; for details. + + + + IPMON + + ipmon + + + IPFILTER + + logging + + + In order for ipmon to work properly, + the kernel option IPFILTER_LOG must be + turned on. This command has two different modes. Native mode + is the default mode when the command is used without + . + + Daemon mode provides a continuous system log file so that + logging of past events may be reviewed. &os; has a built in + facility to automatically rotate system logs. This is why + outputting the log information to &man.syslogd.8; is better + than the default of outputting to a regular file. 
The default + rc.conf + ipmon_flags statement uses + : + + ipmon_flags="-Ds" # D = start as daemon + # s = log to syslog + # v = log tcp window, ack, seq + # n = map IP & port to names + + Logging provides the ability to review, after the fact, + information such as which packets were dropped, what addresses + they came from and where they were going. These can all + provide a significant edge in tracking down attackers. + + Even with the logging facility enabled, IPF will not + generate any rule logging by default. The firewall + administrator decides which rules in the ruleset should be + logged and adds the log keyword to those rules. Normally, + only deny rules are logged. + + It is customary to include a default deny + everything rule with the log keyword included as the + last rule in the ruleset. This makes it possible to see all + the packets that did not match any of the rules in the + ruleset. + + + + IPMON Logging + + &man.syslogd.8; uses its own method for segregation of log + data. It uses groupings called facility and + level. By default, IPMON in + mode uses local0 as + the facility name. The following levels can be + used to further segregate the logged data: + + LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block. +LOG_NOTICE - packets logged which are also passed +LOG_WARNING - packets logged which are also blocked +LOG_ERR - packets which have been logged and which can be considered short + + + + In order to setup IPFILTER to log all data to + /var/log/ipfilter.log, first + create the empty file: + + &prompt.root; touch /var/log/ipfilter.log + + &man.syslogd.8; is controlled by definition statements in + /etc/syslog.conf. This file offers + considerable flexibility in how + syslog will deal with system + messages issued by software applications like IPF. 
+ + To write all logged messages to the specified file, + add the following statement to + /etc/syslog.conf: + + local0.* /var/log/ipfilter.log + + To activate the changes and instruct &man.syslogd.8; + to read the modified /etc/syslog.conf, + run service syslogd reload. + + Do not forget to change + /etc/newsyslog.conf to rotate the new + log file. + + + + The Format of Logged Messages + + Messages generated by ipmon consist + of data fields separated by white space. Fields common to + all messages are: + + + + The date of packet receipt. + + + + The time of packet receipt. This is in the form + HH:MM:SS.F, for hours, minutes, seconds, and fractions + of a second. + + + + The name of the interface that processed the + packet. + + + + The group and rule number of the rule in the format + @0:17. + + + + These can be viewed with + ipfstat -in. + + + + The action: p for passed, + b for blocked, S for + a short packet, n did not match any + rules, and L for a log rule. The order + of precedence in showing flags is: S, + p, b, + n, L. A capital + P or B means that + the packet has been logged due to a global logging + setting, not a particular rule. + + + + The addresses written as three fields: the source + address and port separated by a comma, the -> symbol, + and the destination address and port. For example: + 209.53.17.22,80 -> + 198.73.220.17,1722. + + + + PR followed by the protocol name + or number: for example, PR tcp. + + + + len followed by the header length + and total length of the packet: for example, + len 20 40. + + + + If the packet is a TCP packet, there + will be an additional field starting with a hyphen followed by + letters corresponding to any flags that were set. Refer to + &man.ipf.5; for a list of letters and their flags. + + If the packet is an ICMP packet, there will be two fields + at the end: the first always being ICMP and + the next being the ICMP message and sub-message type, + separated by a slash. 
For example: ICMP 3/3 for a port + unreachable message. +
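Review bot: the IPMON paragraph added here states "In order for ipmon to work properly, the kernel option IPFILTER_LOG must be turned on", which contradicts the rc.conf paragraph earlier in this patch, where the module already enables logging; qualify it as applying to custom kernels only, e.g. "When IPF is compiled into a custom kernel, IPFILTER_LOG must be set for ipmon to work; the loadable module is built with logging enabled." Two other things in the same hunk: the sample ipfstat output contains "log failures: input 3898", which the text never explains; a sentence saying that this counter records log entries that could not be delivered, so the logged totals undercount blocked traffic under load, would make the statistics section more useful than the unexplained dump. And the syslog setup creates /var/log/ipfilter.log with touch and then says only "Do not forget to change /etc/newsyslog.conf to rotate the new log file"; as written the file gets the default umask permissions, and since it records source and destination addresses and ports it should be created mode 600 (or created by newsyslog with the mode from its own entry), and a sample newsyslog.conf line would close the gap.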