FreeBSD Manual Pages

IP FILTER(4)		   Kernel Interfaces Manual		  IP FILTER(4)

NAME
       ipfilter - Introduction to IP packet filtering

DESCRIPTION
       IP Filter is a TCP/IP packet filter, suitable for use in a firewall
       environment. It can be used either as a loadable kernel module or
       incorporated into your UNIX kernel; use as a loadable kernel module
       where possible is highly recommended. Scripts are provided to install
       and patch system files, as required.

       The IP packet filter can:

              explicitly deny/permit any packet from passing through

              distinguish between various interfaces

              filter by IP networks or hosts

              selectively filter any IP protocol

              selectively filter fragmented IP packets

              selectively filter packets with IP options

              send back an ICMP error/TCP reset for blocked packets

              keep packet state information for TCP, UDP and ICMP packet flows

              keep fragment state information for any IP packet, applying the
              same rule to all fragments.

              act as a Network Address Translator (NAT)

              use redirection to setup true transparent proxy connections

              provide packet header details to a user program for
              authentication

              in addition, supports temporary storage of pre-authenticated
              rules for passing packets through

       Special provision is made for the three most common Internet protocols,
       TCP, UDP and ICMP. The IP Packet filter allows filtering of:

              Inverted host/net matching

              TCP/UDP packets by port number or a port number range

              ICMP packets by type/code

              "established" TCP packets

              On any arbitrary combination of TCP flags

              "short" (fragmented) IP packets with incomplete headers can be

              any of the 19 IP options or 8 registered IP security classes

              TOS (Type of Service) field in packets

       To keep track of the performance of the IP packet filter, a logging
       device is used which supports logging of:

              the TCP/UDP/ICMP and IP packet headers

              the first 128 bytes of the packet (including headers)

       A packet can be logged when:

              it is successfully passed through

              it is blocked from passing through

              it matches a rule setup to look for suspicious packets

       IP Filter keeps its own set of statistics on:

              packets blocked

              packets (and bytes!) used for accounting

              packets passed

              packets logged

              attempts to log which failed (buffer full)

              and much more, for packets going both in and out.

       The current implementation provides a small set of tools, which can
       easily be used and integrated with regular UNIX shells and tools. A
       brief description of the tools provided:

       ipf(8) reads in a set of rules, from either stdin or a file, and adds
       them to the kernel's current list (appending them). It can also be used
       to flush the current filter set or delete individual filter rules. The
       file format is described in ipf(5).

       ipfs(8) is a utility to temporarily lock the IP Filter kernel tables
       (state tables and NAT mappings) and write them to disk. After that the
       system can be rebooted, and ipfs can be used to read these tables from
       disk and restore them into the kernel. This way the system can be
       rebooted without the connections being terminated.

       ipfstat(8) interrogates the kernel for statistics on packet filtering
       so far, and retrieves the list of filters in operation for inbound and
       outbound packets.

       ipftest(1) reads in a filter rule file and then applies sample IP
       packets to the rule file. This allows for testing of a filter list and
       examination of how a packet is passed along through it.
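       An added example (not from this manual page or the IP Filter
       distribution): a small ipf(5) ruleset that exercises the capabilities
       listed above (default deny, per-interface rules, port and ICMP-type
       matching, TCP reset on block, short-fragment and IP-option rejection,
       keep state), together with two policy checks a practitioner would run
       before loading it and a dry run through ipf -n and ipftest. The
       interface em0, the addresses 192.0.2.10 and 198.51.100.7, and the
       ipftest text packet format are assumptions.

```shell
# Added example, not part of ipfilter(4): build, lint and dry-run an ipf(5)
# ruleset. em0, 192.0.2.10 and 198.51.100.7 are assumed placeholders.
set -eu
RULES=${RULES:-./ipf.rules}
PACKETS=${PACKETS:-./packets.txt}
write_ruleset() {
    cat > "$RULES" <<'EOF'
# default deny both ways, log every drop; loopback trusted; reject malformed
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all
block in log quick on em0 all with short
block in log quick on em0 all with ipopts
block return-rst in quick on em0 proto tcp from any to any port = 113
# stateful outbound; inbound only SSH (port, SYN) and echo request (ICMP type)
pass out quick on em0 proto tcp from any to any flags S keep state
pass out quick on em0 proto udp from any to any keep state
pass in quick on em0 proto tcp from any to 192.0.2.10/32 port = 22 flags S keep state
pass in quick on em0 proto icmp from any to 192.0.2.10/32 icmp-type 8 keep state
EOF
}
# Sample packets in ipftest(1) text form (format assumed from its manual):
# direction, interface, protocol, src,port dst,port, TCP flags.
write_packets() {
    cat > "$PACKETS" <<'EOF'
in on em0 tcp 198.51.100.7,40001 192.0.2.10,22 S
in on em0 tcp 198.51.100.7,40002 192.0.2.10,23 S
in on em0 tcp 198.51.100.7,40003 192.0.2.10,113 S
EOF
}
# Checks worth failing a deploy on: first rule is a default deny (1 if not),
# and every inbound pass outside lo0 keeps state (2 if not). 0 when both hold.
lint_ruleset() {
    grep -v '^#' "$RULES" | head -n 1 | grep -q '^block in' || return 1
    grep '^pass in' "$RULES" | grep -v 'on lo0' | grep -vq 'keep state' && return 2
    return 0
}
# Dry run with the real tools when installed: ipf -n parses without loading,
# ipftest replays the sample packets through the rule file.
dry_run() {
    command -v ipf >/dev/null 2>&1 && ipf -n -f "$RULES"
    command -v ipftest >/dev/null 2>&1 && ipftest -r "$RULES" -i "$PACKETS"
    return 0
}
write_ruleset; write_packets; lint_ruleset; dry_run
```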

       ipmon(8) reads buffered data from the logging device (default is
       /dev/ipl) for output to either:

              screen (standard output)

       ipsend(1) generates arbitrary IP packets for ethernet connected
       machines.

       ipresend(1) reads in a data file of saved IP packets (i.e. snoop/
       tcpdump/etherfind output) and sends it back across the network.

       iptest(1) contains a set of test "programs" which send out a series of
       IP packets, aimed at testing the strength of the TCP/IP stack at which
       it is aimed. WARNING: this may crash machine(s) targeted!

       ipnat(8) reads in a set of rules, from either stdin or a file, and adds
       them to the kernel's current list of active NAT rules. NAT rules can
       also be deleted using ipnat. The format of the configuration file to be
       used with ipnat is described in ipnat(5).

       For use in your own programs (e.g. for writing of transparent
       application proxies), the programming interface and the associated
       ioctls are documented in ipf(4).

       Documentation on ioctls and the format of data saved to the logging
       character device is provided in ipl(4) so that you may develop your own
       applications to work with or in place of any of the above.

       Similarly, the interface to the NAT code is documented in ipnat(4).

       The following diagram illustrates the flow of TCP/IP packets through
       the various stages introduced by IP Filter.

		 |			   |			      |
		 |			   V			      |
		 |	      Network Address Translation	      |
		 |			   |			      |
		 |	   authenticated   |			      |
		 |	 +-------<---------+			      |
		 |	 |		   |			      |
		 |	 |		   V			      |
		 |	 V	     IP	Accounting		      |
		 |	 |		   |			      |
		 |	 |		   V			      |
		 |	 |	  Fragment Cache Check--+	      |
		 |	 |		   |		|	      |
		 |	 V		   V		V	      |
		 |	 |	   Packet State	Check-->+	      |
		 |	 |		   |		|	      |
		 |	 |	 +->--+	   |		|	      |
		 |	 |	 |    |	   V		|	      |
		 |	 V   groups   IP Filtering	V	      |
		 |	 |	 |    |	   |		|	      |
		 |	 |	 +--<-+	   |		|	      |
		 |	 |		   |		|	      |
		 |	 +---------------->|<-----------+	      |
		 |			   |			      |
		 |			   V			      |
		 |		  +---<----+			      |
		 |		  |	   |			      |
		 |	      function	   |			      |
		 |		  |	   V			      |
		 |		  +--->----+			      |
		 |			   |			      |
		 |			   V			      |
	      +--|---<--- fast-route ---<--+			      |
	      |	 |			   |			      |
	      |	 |			   V			      |
	      |	 +-------------------------+--------------------------+
	      |				   |
	      |			       pass only
	      |				   |
	      |				   V
	      V		      [KERNEL TCP/IP Processing]
	      |				   |
	      |	 +-------------------------+--------------------------+
	      |	 |			   |			      |
	      |	 |			   V			      |
	      |	 |		  Fragment Cache Check--+	      |
	      |	 |			   |		|	      |
	      |	 |			   V		V	      |
	      |	 |		   Packet State	Check-->+	      |
	      |	 |			   |		|	      |
	      |	 |			   V		|	      |
	      V	 |		      IP Filtering	|	      |
	      |	 |			   |		V	      |
	      |	 |			   |<-----------+	      |
	      |	 |			   V			      |
	      |	 |		     IP	Accounting		      |
	      |	 |			   |			      |
	      |	 |			   V			      |
	      |	 |	      Network Address Translation	      |
	      |	 |			   |			      |
	      |	 |			   V			      |
	      |	 +-------------------------+--------------------------+
	      |				   |
	      |			       pass only
	      V				   |

       More information (including pointers to the FAQ and the mailing list)
       can be obtained from the software's official homepage:

SEE ALSO
       ipf(4), ipf(5), ipf(8), ipfilter(5), ipfs(8), ipfstat(8), ipftest(1),
       ipl(4), ipmon(8), ipnat(8), ipnat(4),
