1 '\" te
2 .\" To view license terms, attribution, and copyright for IP Filter, the
3 .\" default path is /usr/lib/ipf/IPFILTER.LICENCE. If the illumos operating
4 .\" environment has been installed anywhere other than the default, modify the
5 .\" given path to access the file at the installed location.
6 .\" Portions Copyright (c) 2015, Joyent, Inc.
7 .TH IPF 4 "Mar 18, 2015"
8 .SH NAME
9 ipf, ipf.conf, ipf6.conf \- IP packet filter rule syntax
10 .SH DESCRIPTION
11 A rule file for \fBipf\fP may have any name or even be stdin. As
12 \fBipfstat\fP produces parsable rules as output when displaying the internal
13 kernel filter lists, it is quite plausible to use its output to feed back
14 into \fBipf\fP. Thus, to remove all filters on input packets, the following
15 could be done:
16 .nf
17
18 # ipfstat \-i | ipf \-rf \-\fP
19 .fi
20 .SH GRAMMAR
21 The format used by \fBipf\fP for construction of filtering rules can be
22 described using the following grammar in BNF:
23 .nf
24 filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
25 [ proto ] ip [ group ].
26
27 insert = "@" decnumber .
28 action = block | "pass" | log | "count" | skip | auth | call .
29 in-out = "in" | "out" .
30 options = [ log ] [ tag ] [ "quick" ] [ "on" interface-name [ dup ]
31 [ froute ] [ replyto ] ] .
32 tos = "tos" decnumber | "tos" hexnumber .
33 ttl = "ttl" decnumber .
34 proto = "proto" protocol .
35 ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
36 group = [ "head" decnumber ] [ "group" decnumber ] .
37
38 block = "block" [ return-icmp[return-code] | "return-rst" ] .
39 log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
40 tag = "tag" tagid .
41 skip = "skip" decnumber .
42 auth = "auth" | "preauth" .
43 call = "call" [ "now" ] function-name .
44 dup = "dup-to" interface-name [ ":" ipaddr ] .
45 froute = "fastroute" | "to" interface-name [ ":" ipaddr ] .
46 replyto = "reply-to" interface-name [ ":" ipaddr ] .
47 protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
48 srcdst = "all" | fromto .
49 fromto = "from" [ "!" ] object "to" [ "!" ] object .
50
51 return-icmp = "return-icmp" | "return-icmp-as-dest" .
52 return-code = "(" icmp-code ")" .
53 object = addr [ port-comp | port-range ] .
54 addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
55 addr = "any" | "<thishost>" | nummask |
56 host-name [ "mask" ipaddr | "mask" hexnumber ] .
57 port-comp = "port" compare port-num .
58 port-range = "port" port-num range port-num .
59 flags = "flags" flag { flag } [ "/" flag { flag } ] .
60 with = "with" | "and" .
61 icmp = "icmp-type" icmp-type [ "code" decnumber ] .
62 return-code = "(" icmp-code ")" .
63 keep = "keep" "state" [ "(" state-options ")" ] | "keep" "frags" .
64 loglevel = facility"."priority | priority .
65
66 nummask = host-name [ "/" decnumber ] .
67 host-name = ipaddr | hostname | "any" .
68 ipaddr = host-num "." host-num "." host-num "." host-num .
69 host-num = digit [ digit [ digit ] ] .
70 port-num = service-name | decnumber .
71 state-options = state-opts [ "," state-options ] .
72
73 state-opts = "age" decnumber [ "/" decnumber ] | "strict" |
74 "no-icmp-err" | "limit" decnumber | "newisn" | "sync" .
75 withopt = [ "not" | "no" ] opttype [ withopt ] .
76 opttype = "ipopts" | "short" | "frag" | "opt" optname .
77 optname = ipopts [ "," optname ] .
78 ipopts = optlist | "sec-class" [ secname ] .
79 secname = seclvl [ "," secname ] .
80 seclvl = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
81 "reserv-4" | "secret" | "topsecret" .
82 icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
83 "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
84 "inforep" | "maskreq" | "maskrep" | decnumber .
85 icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
86 "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
87 "net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
88 "filter-prohib" | "host-preced" | "cutoff-preced" .
89 optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
90 "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" |
91 "addext" | "visa" | "imitd" | "eip" | "finn" .
92 facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" |
93 "lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" |
94 "audit" | "logalert" | "local0" | "local1" | "local2" |
95 "local3" | "local4" | "local5" | "local6" | "local7" .
96 priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
97 "info" | "debug" .
98
99 hexnumber = "0" "x" hexstring .
100 hexstring = hexdigit [ hexstring ] .
101 decnumber = digit [ decnumber ] .
102
103 compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" |
104 "gt" | "le" | "ge" .
105 range = "<>" | "><" .
106 hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
107 digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
108 flag = "F" | "S" | "R" | "P" | "A" | "U" .
109 .fi
110 .PP
111 This syntax is somewhat simplified for readability, some combinations
112 that match this grammar are disallowed by the software because they do
113 not make sense (such as tcp \fBflags\fP for non-TCP packets).
114 .SH FILTER RULES
115 The "briefest" valid rules are (currently) no-ops and are of the form:
116 .nf
117 block in all
118 pass in all
119 log out all
120 count in all
121 .fi
122 .PP
123 Filter rules are checked in order, with the last matching rule
124 determining the fate of the packet (but see the \fBquick\fP option,
125 below).
126 .PP
127 Filters are installed by default at the end of the kernel's filter
128 lists, prepending the rule with \fB@n\fP will cause it to be inserted
129 as the n'th entry in the current list. This is especially useful when
130 modifying and testing active filter rulesets. See \fBipf\fP(1M) for more
131 information.
132 .SH ACTIONS
133 The action indicates what to do with the packet if it matches the rest
134 of the filter rule. Each rule MUST have an action. The following
135 actions are recognised:
136 .TP
137 .B block
138 indicates that the packet should be flagged to be dropped. In response
139 to blocking a packet, the filter may be instructed to send a reply
140 packet, either an ICMP packet (\fBreturn-icmp\fP), an ICMP packet
141 masquerading as being from the original packet's destination
142 (\fBreturn-icmp-as-dest\fP), or a TCP "reset" (\fBreturn-rst\fP). An
143 ICMP packet may be generated in response to any IP packet, and its
144 type may optionally be specified, but a TCP reset may only be used
145 with a rule which is being applied to TCP packets. When using
146 \fBreturn-icmp\fP or \fBreturn-icmp-as-dest\fP, it is possible to specify
147 the actual unreachable `type'. That is, whether it is a network
148 unreachable, port unreachable or even administratively
149 prohibited. This is done by enclosing the ICMP code associated with
150 it in parenthesis directly following \fBreturn-icmp\fP or
151 \fBreturn-icmp-as-dest\fP as follows:
152 .nf
153 block return-icmp(11) ...
154 .fi
155 .PP
156 Would return a Type-Of-Service (TOS) ICMP unreachable error.
157 .TP
158 .B pass
159 will flag the packet to be let through the filter.
160 .TP
161 .B log
162 causes the packet to be logged (as described in the LOGGING section
163 below) and has no effect on whether the packet will be allowed through
164 the filter.
165 .TP
166 .B count
167 causes the packet to be included in the accounting statistics kept by
168 the filter, and has no effect on whether the packet will be allowed through
169 the filter. These statistics are viewable with ipfstat(1M).
170 .TP
171 .B call
172 this action is used to invoke the named function in the kernel, which
173 must conform to a specific calling interface. Customised actions and
174 semantics can thus be implemented to supplement those available. This
175 feature is for use by knowledgeable hackers, and is not currently
176 documented.
177 .TP
178 .B "skip <n>"
179 causes the filter to skip over the next \fIn\fP filter rules. If a rule is
180 inserted or deleted inside the region being skipped over, then the value of
181 \fIn\fP is adjusted appropriately.
182 .TP
183 .B auth
184 this allows authentication to be performed by a user-space program running
185 and waiting for packet information to validate. The packet is held for a
186 period of time in an internal buffer whilst it waits for the program to return
187 to the kernel the \fIreal\fP flags for whether it should be allowed through
188 or not. Such a program might look at the source address and request some sort
189 of authentication from the user (such as a password) before allowing the
190 packet through or telling the kernel to drop it if from an unrecognised source.
191 .TP
192 .B preauth
193 tells the filter that for packets of this class, it should look in the
194 pre-authenticated list for further clarification. If no further matching
195 rule is found, the packet will be dropped (the FR_PREAUTH is not the same
196 as FR_PASS). If a further matching rule is found, the result from that is
197 used in its instead. This might be used in a situation where a person
198 \fIlogs in\fP to the firewall and it sets up some temporary rules defining
199 the access for that person.
200 .PP
201 The next word must be either \fBin\fP or \fBout\fP. Each packet
202 moving through the kernel is either inbound (just been received on an
203 interface, and moving towards the kernel's protocol processing) or
204 outbound (transmitted or forwarded by the stack, and on its way to an
205 interface). There is a requirement that each filter rule explicitly
206 state which side of the I/O it is to be used on.
207 .SH OPTIONS
208 The list of options is brief, and all are indeed optional. Where
209 options are used, they must be present in the order shown here. These
210 are the currently supported options:
211 .TP
212 .B log
213 indicates that, should this be the last matching rule, the packet
214 header will be written to the \fBipl\fP log (as described in the
215 LOGGING section below).
216 .TP
217 .B tag tagid
218 indicates that, if this rule causes the packet to be logged or entered
219 in the state table, the tagid will be logged as part of the log entry.
220 This can be used to quickly match "similar" rules in scripts that post
221 process the log files for e.g. generation of security reports or accounting
222 purposes. The tagid is a 32 bit unsigned integer.
223 .TP
224 .B quick
225 allows "short-cut" rules in order to speed up the filter or override
226 later rules. If a packet matches a filter rule which is marked as
227 \fBquick\fP, this rule will be the last rule checked, allowing a
228 "short-circuit" path to avoid processing later rules for this
229 packet. The current status of the packet (after any effects of the
230 current rule) will determine whether it is passed or blocked.
231 .IP
232 If this option is missing, the rule is taken to be a "fall-through"
233 rule, meaning that the result of the match (block/pass) is saved and
234 that processing will continue to see if there are any more matches.
235 .TP
236 .B on
237 allows an interface name to be incorporated into the matching
238 procedure. Interface names are as printed by "netstat \-i". If this
239 option is used, the rule will only match if the packet is going
240 through that interface in the specified direction (in/out). If this
241 option is absent, the rule is taken to be applied to a packet
242 regardless of the interface it is present on (i.e. on all interfaces).
243 Filter rulesets are common to all interfaces, rather than having a
244 filter list for each interface.
245 .IP
246 This option is especially useful for simple IP-spoofing protection:
247 packets should only be allowed to pass inbound on the interface from
248 which the specified source address would be expected, others may be
249 logged and/or dropped.
250 .TP
251 .B dup-to
252 causes the packet to be copied, and the duplicate packet to be sent
253 outbound on the specified interface, optionally with the destination
254 IP address changed to that specified. This is useful for off-host
255 logging, using a network sniffer.
256 .TP
257 .B to
258 causes the packet to be moved to the outbound queue on the
259 specified interface. This can be used to circumvent kernel routing
260 decisions, and even to bypass the rest of the kernel processing of the
261 packet (if applied to an inbound rule). It is thus possible to
262 construct a firewall that behaves transparently, like a filtering hub
263 or switch, rather than a router. The \fBfastroute\fP keyword is a
264 synonym for this option.
265 .SH MATCHING PARAMETERS
266 The keywords described in this section are used to describe attributes
267 of the packet to be used when determining whether rules match or don't
268 match. The following general-purpose attributes are provided for
269 matching, and must be used in this order:
270 .TP
271 .B tos
272 packets with different Type-Of-Service values can be filtered.
273 Individual service levels or combinations can be filtered upon. The
274 value for the TOS mask can either be represented as a hex number or a
275 decimal integer value.
276 .TP
277 .B ttl
278 packets may also be selected by their Time-To-Live value. The value given in
279 the filter rule must exactly match that in the packet for a match to occur.
280 This value can only be given as a decimal integer value.
281 .TP
282 .B proto
283 allows a specific protocol to be matched against. All protocol names
284 found in \fB/etc/protocols\fP are recognised and may be used.
285 However, the protocol may also be given as a DECIMAL number, allowing
286 for rules to match your own protocols, or new ones which would
287 out-date any attempted listing.
288 .IP
289 The special protocol keyword \fBtcp/udp\fP may be used to match either
290 a TCP or a UDP packet, and has been added as a convenience to save
291 duplication of otherwise-identical rules.
292 .\" XXX grammar should reflect this (/etc/protocols)
293 .PP
294 The \fBfrom\fP and \fBto\fP keywords are used to match against IP
295 addresses (and optionally port numbers). Rules must specify BOTH
296 source and destination parameters.
297 .PP
298 IP addresses may be specified in one of two ways: as a numerical
299 address\fB/\fPmask, or as a hostname \fBmask\fP netmask. The hostname
300 may either be a valid hostname, from either the hosts file or DNS
301 (depending on your configuration and library) or of the dotted numeric
302 form. There is no special designation for networks but network names
303 are recognised. Note that having your filter rules depend on DNS
304 results can introduce an avenue of attack, and is discouraged.
305 .PP
306 There is a special case for the hostname \fBany\fP which is taken to
307 be 0.0.0.0/0 (see below for mask syntax) and matches all IP addresses.
308 Only the presence of "any" has an implied mask, in all other
309 situations, a hostname MUST be accompanied by a mask. It is possible
310 to give "any" a hostmask, but in the context of this language, it is
311 non-sensical.
312 .PP
313 The numerical format "x\fB/\fPy" indicates that a mask of y
314 consecutive 1 bits set is generated, starting with the MSB, so a y value
315 of 16 would give 0xffff0000. The symbolic "x \fBmask\fP y" indicates
316 that the mask y is in dotted IP notation or a hexadecimal number of
317 the form 0x12345678. Note that all the bits of the IP address
318 indicated by the bitmask must match the address on the packet exactly;
319 there isn't currently a way to invert the sense of the match, or to
320 match ranges of IP addresses which do not express themselves easily as
321 bitmasks (anthropomorphization; it's not just for breakfast anymore).
322 .PP
323 If a \fBport\fP match is included, for either or both of source and
324 destination, then it is only applied to
325 .\" XXX - "may only be" ? how does this apply to other protocols? will it not match, or will it be ignored?
326 TCP and UDP packets. If there is no \fBproto\fP match parameter,
327 packets from both protocols are compared. This is equivalent to "proto
328 tcp/udp". When composing \fBport\fP comparisons, either the service
329 name or an integer port number may be used. Port comparisons may be
330 done in a number of forms, with a number of comparison operators, or
331 port ranges may be specified. When the port appears as part of the
332 \fBfrom\fP object, it matches the source port number, when it appears
333 as part of the \fBto\fP object, it matches the destination port number.
334 See the examples for more information.
335 .PP
336 The \fBall\fP keyword is essentially a synonym for "from any to any"
337 with no other match parameters.
338 .PP
339 Following the source and destination matching parameters, the
340 following additional parameters may be used:
341 .TP
342 .B with
343 is used to match irregular attributes that some packets may have
344 associated with them. To match the presence of IP options in general,
345 use \fBwith ipopts\fP. To match packets that are too short to contain
346 a complete header, use \fBwith short\fP. To match fragmented packets,
347 use \fBwith frag\fP. For more specific filtering on IP options,
348 individual options can be listed.
349 .IP
350 Before any parameter used after the \fBwith\fP keyword, the word
351 \fBnot\fP or \fBno\fP may be inserted to cause the filter rule to only
352 match if the option(s) is not present.
353 .IP
354 Multiple consecutive \fBwith\fP clauses are allowed. Alternatively,
355 the keyword \fBand\fP may be used in place of \fBwith\fP, this is
356 provided purely to make the rules more readable ("with ... and ...").
357 When multiple clauses are listed, all those must match to cause a
358 match of the rule.
359 .\" XXX describe the options more specifically in a separate section
360 .TP
361 .B flags
362 is only effective for TCP filtering. Each of the letters possible
363 represents one of the possible flags that can be set in the TCP
364 header. The association is as follows:
365 .LP
366 .nf
367 F - FIN
368 S - SYN
369 R - RST
370 P - PUSH
371 A - ACK
372 U - URG
373 .fi
374 .IP
375 The various flag symbols may be used in combination, so that "SA"
376 would represent a SYN-ACK combination present in a packet. There is
377 nothing preventing the specification of combinations, such as "SFR",
378 that would not normally be generated by law-abiding TCP
379 implementations. However, to guard against weird aberrations, it is
380 necessary to state which flags you are filtering against. To allow
381 this, it is possible to set a mask indicating which TCP flags you wish
382 to compare (i.e., those you deem significant). This is done by
383 appending "/<flags>" to the set of TCP flags you wish to match
384 against, e.g.:
385 .LP
386 .nf
387 ... flags S
388 # becomes "flags S/AUPRFS" and will match
389 # packets with ONLY the SYN flag set.
390
391 ... flags SA
392 # becomes "flags SA/AUPRFS" and will match any
393 # packet with only the SYN and ACK flags set.
394
395 ... flags S/SA
396 # will match any packet with just the SYN flag set
397 # out of the SYN-ACK pair; the common "establish"
398 # keyword action. "S/SA" will NOT match a packet
399 # with BOTH SYN and ACK set, but WILL match "SFP".
400 .fi
401 .TP
402 .B icmp-type
403 is only effective when used with \fBproto icmp\fP and must NOT be used
404 in conjunction with \fBflags\fP. There are a number of types, which can be
405 referred to by an abbreviation recognised by this language, or the numbers
406 with which they are associated can be used. The most important from
407 a security point of view is the ICMP redirect.
408 .SH KEEP HISTORY
409 The second last parameter which can be set for a filter rule is whether or not
410 to record historical information for that packet, and what sort to keep. The
411 following information can be kept:
412 .TP
413 .B state
414 keeps information about the flow of a communication session. State can
415 be kept for TCP, UDP, and ICMP packets.
416 .TP
417 .B frags
418 keeps information on fragmented packets, to be applied to later
419 fragments.
420 .PP
421 allowing packets which match these to flow straight through, rather
422 than going through the access control list.
423 .SH GROUPS
424 The last pair of parameters control filter rule "grouping". By default, all
425 filter rules are placed in group 0 if no other group is specified. To add a
426 rule to a non-default group, the group must first be started by creating a
427 group \fIhead\fP. If a packet matches a rule which is the \fIhead\fP of a
428 group, the filter processing then switches to the group, using that rule as
429 the default for the group. If \fBquick\fP is used with a \fBhead\fP rule, rule
430 processing isn't stopped until it has returned from processing the group.
431 .PP
432 A rule may be both the head for a new group and a member of a non-default
433 group (\fBhead\fP and \fBgroup\fP may be used together in a rule).
434 .TP
435 .B "head <n>"
436 indicates that a new group (number n) should be created.
437 .TP
438 .B "group <n>"
439 indicates that the rule should be put in group (number n) rather than group 0.
440 .SH LOGGING
441 When a packet is logged, with either the \fBlog\fP action or option,
442 the headers of the packet are written to the \fBipl\fP packet logging
443 pseudo-device. Immediately following the \fBlog\fP keyword, the
444 following qualifiers may be used (in order):
445 .TP
446 .B body
447 indicates that the first 128 bytes of the packet contents will be
448 logged after the headers.
449 .TP
450 .B first
451 If log is being used in conjunction with a "keep" option, it is recommended
452 that this option is also applied so that only the triggering packet is logged
453 and not every packet which thereafter matches state information.
454 .TP
455 .B or-block
456 indicates that, if for some reason the filter is unable to log the
457 packet (such as the log reader being too slow) then the rule should be
458 interpreted as if the action was \fBblock\fP for this packet.
459 .TP
460 .B "level <loglevel>"
461 indicates what logging facility and priority, or just priority with
462 the default facility being used, will be used to log information about
463 this packet using ipmon's -s option.
464 .PP
465 See ipl(4) for the format of records written
466 to this device. The ipmon(1M) program can be used to read and format
467 this log.
468 .SH EXAMPLES
469 The \fBquick\fP option is good for rules such as:
470 .nf
471 block in quick from any to any with ipopts
472 .fi
473 .PP
474 which will match any packet with a non-standard header length (IP
475 options present) and abort further processing of later rules,
476 recording a match and also that the packet should be blocked.
477 .PP
478 The "fall-through" rule parsing allows for effects such as this:
479 .LP
480 .nf
481 block in from any to any port < 6000
482 pass in from any to any port >= 6000
483 block in from any to any port > 6003
484 .fi
485 .PP
486 which sets up the range 6000-6003 as being permitted and all others being
487 denied. Note that the effect of the first rule is overridden by subsequent
488 rules. Another (easier) way to do the same is:
489 .LP
490 .nf
491 block in from any to any port 6000 <> 6003
492 pass in from any to any port 5999 >< 6004
493 .fi
494 .PP
495 Note that both the "block" and "pass" are needed here to effect a
496 result as a failed match on the "block" action does not imply a pass,
497 only that the rule hasn't taken effect. To then allow ports < 1024, a
498 rule such as:
499 .LP
500 .nf
501 pass in quick from any to any port < 1024
502 .fi
503 .PP
504 would be needed before the first block. To create a new group for
505 processing all inbound packets on le0/le1/lo0, with the default being to block
506 all inbound packets, we would do something like:
507 .LP
508 .nf
509 block in all
510 block in quick on le0 all head 100
511 block in quick on le1 all head 200
512 block in quick on lo0 all head 300
513 .fi
514 .PP
515 and to then allow ICMP packets in on le0, only, we would do:
516 .LP
517 .nf
518 pass in proto icmp all group 100
519 .fi
520 .PP
521 Note that because only inbound packets on le0 are used processed by group 100,
522 there is no need to respecify the interface name. Likewise, we could further
523 breakup processing of TCP, etc, as follows:
524 .LP
525 .nf
526 block in proto tcp all head 110 group 100
527 pass in from any to any port = 23 group 110
528 .fi
529 .PP
530 and so on. The last line, if written without the groups would be:
531 .LP
532 .nf
533 pass in on le0 proto tcp from any to any port = telnet
534 .fi
535 .PP
536 Note, that if we wanted to say "port = telnet", "proto tcp" would
537 need to be specified as the parser interprets each rule on its own and
538 qualifies all service/port names with the protocol specified.
539 .SH FILES
540 /dev/ipauth
541 .br
542 /dev/ipl
543 .br
544 /dev/ipstate
545 .br
546 /etc/hosts
547 .br
548 /etc/services
549 .SH SEE ALSO
550 \fBipnat\fR(4), \fBipf\fR(1M), \fBipfstat\fR(1M), \fBipfilter\fR(5)