IPFW(8)                 FreeBSD System Manager's Manual                IPFW(8)

NAME
     ipfw - controlling utility for ipfw/ipacct facilities.

SYNOPSIS
     ipfw [-vn] <entry-action> <chain entry pattern>
     ipfw [-vn] <check-action> <packet pattern>
     ipfw [-vn] <chain-action> <chain[s] type>

DESCRIPTION
     In the first synopsis form, the ipfw utility adds or removes entries of
     the blocking, forwarding and accounting chains.
     In the second synopsis form, the ipfw utility checks whether a given IP
     packet type is accepted or denied by the blocking or forwarding firewall.
     In the third synopsis form, the ipfw utility performs global actions on
     chains: zeroing of counters, and flushing or listing of chain entries
     and their counter values.

     The following options are available:

     -v   Be verbose.  The meaning of this option varies depending on ipfw
          usage.

     -n   Do not resolve anything.  When setting entries, do not try to
          resolve a given address.  When listing, display addresses in
          numeric form.

     These are <entry-actions>:
       addb[locking]   - add entry to blocking firewall.
       delb[locking]   - remove entry from blocking firewall.
       addf[orwarding] - add entry to forwarding firewall.
       delf[orwarding] - remove entry from forwarding firewall.
       adda[ccounting] - add entry to accounting chain.
       dela[ccounting] - remove entry from accounting chain.

     These are <check-actions>:
       checkb[locking]   - check packet against blocking firewall.
       checkf[orwarding] - check packet against forwarding firewall.

     These are <chain-actions>:
       f[lush]  - remove all entries in firewall/accounting chains.
       l[ist]   - show all entries in blocking/forwarding/accounting chains.
       z[ero]   - clear chain counters (for now accounting only).
       p[olicy] - define default firewall policy.

     The <chain-entry pattern> is built like this:
     For forwarding/blocking chains:
       d[eny] <proto/addr pattern>
       a[ccept] <proto/addr pattern>
     For the accounting chain:
       s[ingle] <proto/addr pattern>
       b[idirectional] <proto/addr pattern>

     The <proto/addr pattern> is:
       all|icmp from <src addr/mask> to <dst addr/mask>
       tcp|udp  from <src addr/mask> [ports] to <dst addr/mask> [ports]

       <src addr/mask>:
         <INET IP addr | domain name> [/mask bits | :mask pattern]
       [ports]:
         [ port,port,... | port:port ] where the name of a service can be
         used instead of the numeric port value.

     When an entry is added to a chain with the -v option, the entry is added
     with the PRN flag set.

     The <packet pattern> is built exactly like the <chain-entry pattern>.

     The l[ist] command may be passed f[orwarding]|b[locking]|a[ccounting] to
     list a specific chain, or nothing to list all of them.  Option -v causes
     the output format to change so that packet/byte counters are printed.
     The standard output format is fully suitable to be used as a
     <chain-entry pattern>.

     The f[lush] command may be passed f[irewall]|a[ccounting] to remove all
     entries from the forwarding/blocking chains or from the accounting chain.
     With no arguments it removes all chain entries.

     The z[ero] command needs no arguments; all counters of the accounting
     chain are zeroed.

     The p[olicy] command accepts a[ccept]|d[eny] to define the default policy
     as accepting or denial.  With no arguments the current default policy is
     displayed.

EXAMPLES
     This command adds an entry which denies all tcp packets from
     hacker.evil.org to the telnet port of wolf.tambov.su from being forwarded
     by the host:
       ipfw addf deny tcp from hacker.evil.org to wolf.tambov.su telnet

     This one disallows any connection from the entire hackers' network to my
     host:
       ipfw addb deny all from 123.45.67.8/24 to my.host.org

     Here is a useful usage of the l[ist] command to see accounting records:
       ipfw -v list accounting (or in short form: ipfw -v l a).

     Many more examples can be found in the files:
       /usr/share/misc/ipfw.samp.filters
       /usr/share/misc/ipfw.samp.scripts
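     The following script is an added example, not part of this manual page
     or of ipfw itself: it parses the <proto/addr pattern> grammar from the
     DESCRIPTION above and simulates the checkb/checkf decision over a chain
     built from the EXAMPLES entries.  It assumes first-match evaluation of a
     chain (the page does not state the order) and uses constructed HOSTS and
     SERVICES tables in place of DNS and /etc/services.

```python
import ipaddress
import re

# Constructed tables so this runs offline; ipfw(8) itself resolves names via
# DNS and /etc/services unless -n is given.
SERVICES = {"telnet": 23, "smtp": 25, "ftp": 21}
HOSTS = {"my.host.org": "10.0.0.5", "hacker.evil.org": "123.45.67.8"}

def parse_ports(spec):
    """[ports] is 'port,port,...' or 'port:port'; service names are allowed."""
    if spec is None:
        return None                       # no port restriction in the pattern
    port = lambda p: SERVICES[p] if p in SERVICES else int(p)
    if ":" in spec:
        lo, hi = (port(p) for p in spec.split(":"))
        return set(range(lo, hi + 1))
    return {port(p) for p in spec.split(",")}

def parse_addr(spec):
    """<INET IP addr | domain name> [/mask bits | :mask pattern] -> ip_network"""
    host, bits, mask = re.fullmatch(r"([^/:]+)(?:/(\d+)|:(\S+))?", spec).groups()
    host = HOSTS.get(host, host)          # constructed lookup instead of DNS
    return ipaddress.ip_network(f"{host}/{bits or mask or 32}", strict=False)

def parse_pattern(text):
    """Parse '<proto> from <src> [ports] to <dst> [ports]' into a 5-tuple."""
    tok = text.split()
    if tok[0] not in ("all", "icmp", "tcp", "udp") or tok[1] != "from" or "to" not in tok:
        raise ValueError(f"bad pattern: {text!r}")
    to = tok.index("to")
    sports = tok[3] if to == 4 else None             # [ports] only for tcp|udp
    dports = tok[to + 2] if len(tok) > to + 2 else None
    return (tok[0], parse_addr(tok[2]), parse_ports(sports),
            parse_addr(tok[to + 1]), parse_ports(dports))

def matches(rule, packet):
    """Does chain entry `rule` cover `packet`?  Both are parsed patterns."""
    rproto, rsrc, rsp, rdst, rdp = rule
    pproto, psrc, psp, pdst, pdp = packet
    ports_ok = lambda allowed, have: allowed is None or (have is not None and have <= allowed)
    return (rproto in ("all", pproto) and psrc.subnet_of(rsrc)
            and pdst.subnet_of(rdst) and ports_ok(rsp, psp) and ports_ok(rdp, pdp))

def check(chain, policy, packet):
    """Simulate checkb/checkf: first matching entry decides, else the policy (assumed)."""
    pkt = parse_pattern(packet)
    for action, pattern in chain:
        if matches(parse_pattern(pattern), pkt):
            return action
    return policy
```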

SEE ALSO
     ipfirewall(4), ipaccounting(4), reboot(1)

BUGS
     WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!WARNING!!
     This program can put your computer in a rather unusable state.  The
     first time, try using it from the console and do *NOT* do anything you
     don't understand.
     Remember that "ipfw flush" can solve all the problems.  Also bear in
     mind that "ipfw policy deny" combined with some wrong chain entry
     (possibly the only entry, which was designed to deny some external
     packets) can close your computer off from the outer world for good.
     Apart from misuse, the only known bug is that an entry added with the
     -v option set should be deleted with the same option, but there is no
     way to see this in the list command.

HISTORY
     Initially this utility was written for BSDI by:
       Daniel Boulet <danny@BouletFermat.ab.ca>
     The FreeBSD version is written completely by:
       Ugen J.S.Antsilevich <ugen@NetVision.net.il>
     while keeping the synopsis partially compatible with the old one.

FreeBSD 2.0                    November 16, 1994                   FreeBSD 2.0
