
FreeBSD Manual Pages


IP FILTER(4)							  IP FILTER(4)

       ipfilter	- Introduction to IP packet filtering

       IP Filter is a TCP/IP packet filter, suitable for use in a firewall
       environment. It can be used either as a loadable kernel module or
       incorporated into your UNIX kernel; use as a loadable kernel module
       where possible is highly recommended. Scripts are provided to install
       and patch system files, as required.

       The IP packet filter can:

	      explicitly deny/permit any packet	from passing through

	      distinguish between various interfaces

	      filter by	IP networks or hosts

	      selectively filter any IP	protocol

	      selectively filter fragmented IP packets

	      selectively filter packets with IP options

	      send back	an ICMP	error/TCP reset	for blocked packets

	      keep packet state	information for	TCP, UDP and ICMP packet flows

	      keep fragment state information for any IP packet, applying  the
	      same rule	to all fragments.

	      act as a Network Address Translator (NAT)

	      use redirection to setup true transparent	proxy connections

	      provide packet header details to a user program for authentication

	      in addition, supports temporary storage of pre-authenticated
	      rules for passing packets through

       Special provision is made for the three most common Internet protocols,
       TCP, UDP	and ICMP. The IP Packet	filter allows filtering	of:

	      Inverted host/net matching

	      TCP/UDP packets by port number or a port number range

	      ICMP packets by type/code

	      "established" TCP	packets

	      On any arbitrary combination of TCP flags

	      "short"  (fragmented)  IP	packets	with incomplete	headers	can be

	      any of the 19 IP options or 8 registered IP security classes

	      TOS (Type of Service) field in packets

       To  keep	 track	of  the	performance of the IP packet filter, a logging
       device is used which supports logging of:

	      the TCP/UDP/ICMP and IP packet headers

	      the first	128 bytes of the packet	(including headers)

       A packet	can be logged when:

	      it is successfully passed	through

	      it is blocked from passing through

	      it matches a rule	setup to look for suspicious packets

       IP Filter keeps its own set of statistics on:

	      packets blocked

	      packets (and bytes!) used	for accounting

	      packets passed

	      packets logged

	      attempts to log which failed (buffer full)

	      and much more, for packets going both in and out.

       The current implementation provides a small set	of  tools,  which  can
       easily  be  used	 and  integrated with regular unix shells and tools. A
       brief description of the	tools provided:

       ipf(8) reads in a set of rules, from either stdin or a file, and adds
       them to the kernel's current list (appending them). It can also be used
       to flush the current filter set or delete individual filter rules. The
       file format is described in ipf(5).

       ipfs(8)	is  a  utility to temporarily lock the IP Filter kernel	tables
       (state tables and NAT mappings) and write them to disk. After that  the
       system  can be rebooted,	and ipfs can be	used to	read these tables from
       disk and	restore	them into the kernel.  This  way  the  system  can  be
       rebooted	without	the connections	being terminated.

       ipfstat(8)  interrogates	the kernel for statistics on packet filtering,
       so far, and retrieves the list of filters in operation for inbound  and
       outbound	packets.

       ipftest(1) reads in a filter rule file and then applies sample IP
       packets to the rule file. This allows for testing of a filter list and
       examination of how a packet is passed along through it.

       ipmon(8)	 reads	buffered  data	from  the  logging  device (default is
       /dev/ipl) for output to either:

	      screen (standard output)



       ipsend(1) generates arbitrary IP packets for ethernet connected

       ipresend(1) reads in a data file of saved IP packets (i.e. snoop/
       tcpdump/etherfind output) and sends it back across the network.

       iptest(1) contains a set of test "programs" which send out a series of
       IP packets, aimed at testing the strength of the TCP/IP stack they are
       sent to. WARNING: this may crash machine(s) targeted!

       ipnat(8) reads in a set of rules, from either stdin or a file, and adds
       them to the kernel's current list of active NAT rules. NAT rules can
       also be deleted using ipnat. The format of the configuration file to be
       used with ipnat is described in ipnat(5).

       For use in your own programs (e.g. for writing of transparent applica-
       tion proxies), the programming interface and the associated ioctls are
       documented in ipf(4).

       Documentation on ioctls and the format of data saved to the logging
       character device is provided in ipl(4) so that you may develop your own
       applications to work with or in place of any of the above.

       Similarly, the interface to the NAT code is documented in ipnat(4).

       The  following  diagram	illustrates the	flow of	TCP/IP packets through
       the various stages introduced by	IP Filter.

		 |			   |			      |
		 |			   V			      |
		 |	      Network Address Translation	      |
		 |			   |			      |
		 |	   authenticated   |			      |
		 |	 +-------<---------+			      |
		 |	 |		   |			      |
		 |	 |		   V			      |
		 |	 V	     IP	Accounting		      |
		 |	 |		   |			      |
		 |	 |		   V			      |
		 |	 |	  Fragment Cache Check--+	      |
		 |	 |		   |		|	      |
		 |	 V		   V		V	      |
		 |	 |	   Packet State	Check-->+	      |
		 |	 |		   |		|	      |
		 |	 |	 +->--+	   |		|	      |
		 |	 |	 |    |	   V		|	      |
		 |	 V   groups   IP Filtering	V	      |
		 |	 |	 |    |	   |		|	      |
		 |	 |	 +--<-+	   |		|	      |
		 |	 |		   |		|	      |
		 |	 +---------------->|<-----------+	      |
		 |			   |			      |
		 |			   V			      |
		 |		  +---<----+			      |
		 |		  |	   |			      |
		 |	      function	   |			      |
		 |		  |	   V			      |
		 |		  +--->----+			      |
		 |			   |			      |
		 |			   V			      |
	      +--|---<--- fast-route ---<--+			      |
	      |	 |			   |			      |
	      |	 |			   V			      |
	      |	 +-------------------------+--------------------------+
	      |				   |
	      |			       pass only
	      |				   |
	      |				   V
	      V		      [KERNEL TCP/IP Processing]
	      |				   |
	      |	 +-------------------------+--------------------------+
	      |	 |			   |			      |
	      |	 |			   V			      |
	      |	 |		  Fragment Cache Check--+	      |
	      |	 |			   |		|	      |
	      |	 |			   V		V	      |
	      |	 |		   Packet State	Check-->+	      |
	      |	 |			   |		|	      |
	      |	 |			   V		|	      |
	      V	 |		      IP Filtering	|	      |
	      |	 |			   |		V	      |
	      |	 |			   |<-----------+	      |
	      |	 |			   V			      |
	      |	 |		     IP	Accounting		      |
	      |	 |			   |			      |
	      |	 |			   V			      |
	      |	 |	      Network Address Translation	      |
	      |	 |			   |			      |
	      |	 |			   V			      |
	      |	 +-------------------------+--------------------------+
	      |				   |
	      |			       pass only
	      V				   |
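       The inbound path of the diagram, as an added example that is not part
       of this manual page or of IP Filter's own code: a simplified Python
       model of the Fragment Cache Check, Packet State Check and IP Filtering
       stages. It assumes IP Filter's rule semantics (a packet matching no
       rule passes; otherwise the last matching rule decides unless an earlier
       match is marked quick). The Packet and Rule fields, the flow-key form,
       the rule set and the packet trace are constructed for illustration and
       are not ipf(5) syntax.

```python
# Simplified model of the inbound path in the diagram above (Fragment Cache
# Check -> Packet State Check -> IP Filtering). Illustration added to this
# page, not IP Filter's own code; rule and packet field names are invented.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""           # TCP flags set, e.g. "S", "SA", "A"
    frag_id: int = 0          # IP identification; non-zero marks a fragment
    first_frag: bool = True   # later fragments carry no transport header


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    iface: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: int = 0            # 0 matches any port
    flags: str = ""           # "" matches any flags; else the exact set, e.g. "S"
    keep_state: bool = False  # remember the flow; later packets skip the rules
    keep_frags: bool = False  # remember the verdict for the other fragments
    quick: bool = False       # stop here; no later rule may override

    def matches(self, p):
        return (self.iface in ("any", p.iface)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (0, p.dport)
                and (self.flags == "" or
                     (p.proto == "tcp" and set(p.flags) == set(self.flags))))


class Filter:
    def __init__(self, rules, default="pass"):
        self.rules, self.default = list(rules), default
        self.state = set()     # flows keyed by proto and the unordered endpoint pair
        self.frag_cache = {}   # (src, dst, frag_id) -> verdict
        self.stats = {"passed": 0, "blocked": 0, "state_hits": 0, "frag_hits": 0}

    def _lookup(self, p):
        # Last match wins unless a matching rule is marked quick (assumed
        # IP Filter semantics); no match gives the default verdict.
        verdict, matched = self.default, None
        for r in self.rules:
            if r.matches(p):
                verdict, matched = r.action, r
                if r.quick:
                    break
        return verdict, matched

    def process(self, p):
        frag_key = (p.src, p.dst, p.frag_id)
        flow = (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))
        if p.frag_id and not p.first_frag and frag_key in self.frag_cache:
            # Stage 1: a "short" later fragment has no ports or flags to match
            # on, so it reuses the verdict recorded for its datagram.
            self.stats["frag_hits"] += 1
            verdict = self.frag_cache[frag_key]
        elif flow in self.state:
            # Stage 2: a packet of a known flow, in either direction, passes
            # without consulting the rule list ("established" traffic).
            self.stats["state_hits"] += 1
            verdict = "pass"
        else:
            # Stage 3: the rule list; record state and fragment verdicts if asked.
            verdict, rule = self._lookup(p)
            if rule is not None and rule.keep_state and verdict == "pass":
                self.state.add(flow)
            if rule is not None and rule.keep_frags and p.frag_id:
                self.frag_cache[frag_key] = verdict
        self.stats["passed" if verdict == "pass" else "blocked"] += 1
        return verdict


# Constructed rule set and packet trace (documentation address ranges).
RULES = [
    Rule("block", src="198.51.100.0/24", quick=True),
    Rule("block"),
    Rule("pass", "em0", "tcp", dst="192.0.2.0/24", dport=22, flags="S", keep_state=True),
    Rule("pass", "em0", "udp", dst="192.0.2.53", dport=53, keep_state=True, keep_frags=True),
]
TRACE = [
    Packet("em0", "tcp", "203.0.113.5", "192.0.2.10", 40000, 22, "S"),   # new SSH flow
    Packet("em0", "tcp", "203.0.113.5", "192.0.2.10", 40000, 22, "A"),   # same flow: state hit
    Packet("em0", "tcp", "192.0.2.10", "203.0.113.5", 22, 40000, "SA"),  # reply direction
    Packet("em0", "tcp", "198.51.100.7", "192.0.2.10", 40001, 22, "S"),  # quick block wins
    Packet("em0", "tcp", "203.0.113.5", "192.0.2.10", 40002, 80, "S"),   # no pass rule
    Packet("em0", "udp", "203.0.113.9", "192.0.2.53", 5353, 53, frag_id=777),          # first fragment
    Packet("em0", "udp", "203.0.113.9", "192.0.2.53", frag_id=777, first_frag=False),  # later fragment
]


def run_trace(rules=RULES, trace=TRACE):
    f = Filter(rules)
    return [f.process(p) for p in trace], f.stats
```

       Calling run_trace() returns the verdict for each packet together with
       the counters. The bare ACK and the reply segment pass only because the
       SYN created state, and the later fragment passes only because the rule
       that passed the first fragment recorded its verdict, which is the "same
       rule to all fragments" behaviour listed above; without keep_frags the
       port-less fragment would fall through to the catch-all block rule.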

       More information (including pointers to the FAQ and the mailing list)
       can be obtained from the software's official homepage:

       ipf(4),	ipf(5),	 ipf(8), ipfilter(5), ipfs(8), ipfstat(8), ipftest(1),
       ipl(4), ipmon(8), ipnat(8), ipnat(4),


