Print this page
11622 clean up rarer mandoc lint warnings
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/man/man4/ipf.4
+++ new/usr/src/man/man4/ipf.4
1 1 '\" te
2 2 .\" To view license terms, attribution, and copyright for IP Filter, the
3 -.\" default path is /usr/lib/ipf/IPFILTER.LICENCE. If the Illumos operating
3 +.\" default path is /usr/lib/ipf/IPFILTER.LICENCE. If the illumos operating
4 4 .\" environment has been installed anywhere other than the default, modify the
5 5 .\" given path to access the file at the installed location.
6 6 .\" Portions Copyright (c) 2015, Joyent, Inc.
7 7 .TH IPF 4 "Mar 18, 2015"
8 8 .SH NAME
9 9 ipf, ipf.conf, ipf6.conf \- IP packet filter rule syntax
10 10 .SH DESCRIPTION
11 -.PP
12 11 A rule file for \fBipf\fP may have any name or even be stdin. As
13 12 \fBipfstat\fP produces parsable rules as output when displaying the internal
14 13 kernel filter lists, it is quite plausible to use its output to feed back
15 14 into \fBipf\fP. Thus, to remove all filters on input packets, the following
16 15 could be done:
17 16 .nf
18 17
19 -\fC# ipfstat \-i | ipf \-rf \-\fP
18 +# ipfstat \-i | ipf \-rf \-\fP
20 19 .fi
21 20 .SH GRAMMAR
22 -.PP
23 21 The format used by \fBipf\fP for construction of filtering rules can be
24 22 described using the following grammar in BNF:
25 -\fC
26 23 .nf
27 24 filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
28 25 [ proto ] ip [ group ].
29 26
30 27 insert = "@" decnumber .
31 28 action = block | "pass" | log | "count" | skip | auth | call .
32 29 in-out = "in" | "out" .
33 30 options = [ log ] [ tag ] [ "quick" ] [ "on" interface-name [ dup ]
34 31 [ froute ] [ replyto ] ] .
35 32 tos = "tos" decnumber | "tos" hexnumber .
36 33 ttl = "ttl" decnumber .
37 34 proto = "proto" protocol .
38 35 ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
39 36 group = [ "head" decnumber ] [ "group" decnumber ] .
40 37
41 38 block = "block" [ return-icmp[return-code] | "return-rst" ] .
42 39 log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
43 40 tag = "tag" tagid .
44 41 skip = "skip" decnumber .
45 42 auth = "auth" | "preauth" .
46 43 call = "call" [ "now" ] function-name .
47 44 dup = "dup-to" interface-name [ ":" ipaddr ] .
48 45 froute = "fastroute" | "to" interface-name [ ":" ipaddr ] .
49 46 replyto = "reply-to" interface-name [ ":" ipaddr ] .
50 47 protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
51 48 srcdst = "all" | fromto .
52 49 fromto = "from" [ "!" ] object "to" [ "!" ] object .
53 50
54 51 return-icmp = "return-icmp" | "return-icmp-as-dest" .
55 52 return-code = "(" icmp-code ")" .
56 53 object = addr [ port-comp | port-range ] .
57 54 addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
58 55 addr = "any" | "<thishost>" | nummask |
59 56 host-name [ "mask" ipaddr | "mask" hexnumber ] .
60 57 port-comp = "port" compare port-num .
61 58 port-range = "port" port-num range port-num .
62 59 flags = "flags" flag { flag } [ "/" flag { flag } ] .
63 60 with = "with" | "and" .
64 61 icmp = "icmp-type" icmp-type [ "code" decnumber ] .
65 62 return-code = "(" icmp-code ")" .
66 63 keep = "keep" "state" [ "(" state-options ")" ] | "keep" "frags" .
67 64 loglevel = facility"."priority | priority .
68 65
69 66 nummask = host-name [ "/" decnumber ] .
70 67 host-name = ipaddr | hostname | "any" .
71 68 ipaddr = host-num "." host-num "." host-num "." host-num .
72 69 host-num = digit [ digit [ digit ] ] .
73 70 port-num = service-name | decnumber .
74 71 state-options = state-opts [ "," state-options ] .
75 72
76 73 state-opts = "age" decnumber [ "/" decnumber ] | "strict" |
77 74 "no-icmp-err" | "limit" decnumber | "newisn" | "sync" .
78 75 withopt = [ "not" | "no" ] opttype [ withopt ] .
79 76 opttype = "ipopts" | "short" | "frag" | "opt" optname .
80 77 optname = ipopts [ "," optname ] .
81 78 ipopts = optlist | "sec-class" [ secname ] .
82 79 secname = seclvl [ "," secname ] .
83 80 seclvl = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
84 81 "reserv-4" | "secret" | "topsecret" .
85 82 icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
86 83 "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
87 84 "inforep" | "maskreq" | "maskrep" | decnumber .
88 85 icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
89 86 "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
90 87 "net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
91 88 "filter-prohib" | "host-preced" | "cutoff-preced" .
92 89 optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
93 90 "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" |
94 91 "addext" | "visa" | "imitd" | "eip" | "finn" .
95 92 facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" |
96 93 "lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" |
97 94 "audit" | "logalert" | "local0" | "local1" | "local2" |
98 95 "local3" | "local4" | "local5" | "local6" | "local7" .
99 96 priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
100 97 "info" | "debug" .
101 98
102 99 hexnumber = "0" "x" hexstring .
103 100 hexstring = hexdigit [ hexstring ] .
104 101 decnumber = digit [ decnumber ] .
105 102
106 103 compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" |
107 104 "gt" | "le" | "ge" .
|
↓ open down ↓ |
72 lines elided |
↑ open up ↑ |
108 105 range = "<>" | "><" .
109 106 hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
110 107 digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
111 108 flag = "F" | "S" | "R" | "P" | "A" | "U" .
112 109 .fi
113 110 .PP
114 111 This syntax is somewhat simplified for readability, some combinations
115 112 that match this grammar are disallowed by the software because they do
116 113 not make sense (such as tcp \fBflags\fP for non-TCP packets).
117 114 .SH FILTER RULES
118 -.PP
119 115 The "briefest" valid rules are (currently) no-ops and are of the form:
120 116 .nf
121 117 block in all
122 118 pass in all
123 119 log out all
124 120 count in all
125 121 .fi
126 122 .PP
127 123 Filter rules are checked in order, with the last matching rule
128 124 determining the fate of the packet (but see the \fBquick\fP option,
129 125 below).
130 126 .PP
131 127 Filters are installed by default at the end of the kernel's filter
132 128 lists, prepending the rule with \fB@n\fP will cause it to be inserted
133 129 as the n'th entry in the current list. This is especially useful when
134 130 modifying and testing active filter rulesets. See \fBipf\fP(1M) for more
135 131 information.
136 132 .SH ACTIONS
137 -.PP
138 133 The action indicates what to do with the packet if it matches the rest
139 134 of the filter rule. Each rule MUST have an action. The following
140 135 actions are recognised:
141 136 .TP
142 137 .B block
143 138 indicates that the packet should be flagged to be dropped. In response
144 139 to blocking a packet, the filter may be instructed to send a reply
145 140 packet, either an ICMP packet (\fBreturn-icmp\fP), an ICMP packet
146 141 masquerading as being from the original packet's destination
147 142 (\fBreturn-icmp-as-dest\fP), or a TCP "reset" (\fBreturn-rst\fP). An
148 143 ICMP packet may be generated in response to any IP packet, and its
149 144 type may optionally be specified, but a TCP reset may only be used
150 145 with a rule which is being applied to TCP packets. When using
151 146 \fBreturn-icmp\fP or \fBreturn-icmp-as-dest\fP, it is possible to specify
152 147 the actual unreachable `type'. That is, whether it is a network
153 148 unreachable, port unreachable or even administratively
154 149 prohibited. This is done by enclosing the ICMP code associated with
155 150 it in parenthesis directly following \fBreturn-icmp\fP or
156 151 \fBreturn-icmp-as-dest\fP as follows:
157 152 .nf
158 153 block return-icmp(11) ...
159 154 .fi
160 155 .PP
161 156 Would return a Type-Of-Service (TOS) ICMP unreachable error.
162 157 .TP
163 158 .B pass
164 159 will flag the packet to be let through the filter.
165 160 .TP
166 161 .B log
167 162 causes the packet to be logged (as described in the LOGGING section
168 163 below) and has no effect on whether the packet will be allowed through
169 164 the filter.
170 165 .TP
171 166 .B count
172 167 causes the packet to be included in the accounting statistics kept by
173 168 the filter, and has no effect on whether the packet will be allowed through
174 169 the filter. These statistics are viewable with ipfstat(1M).
175 170 .TP
176 171 .B call
177 172 this action is used to invoke the named function in the kernel, which
178 173 must conform to a specific calling interface. Customised actions and
179 174 semantics can thus be implemented to supplement those available. This
180 175 feature is for use by knowledgeable hackers, and is not currently
181 176 documented.
182 177 .TP
183 178 .B "skip <n>"
184 179 causes the filter to skip over the next \fIn\fP filter rules. If a rule is
185 180 inserted or deleted inside the region being skipped over, then the value of
186 181 \fIn\fP is adjusted appropriately.
187 182 .TP
188 183 .B auth
189 184 this allows authentication to be performed by a user-space program running
190 185 and waiting for packet information to validate. The packet is held for a
191 186 period of time in an internal buffer whilst it waits for the program to return
192 187 to the kernel the \fIreal\fP flags for whether it should be allowed through
193 188 or not. Such a program might look at the source address and request some sort
194 189 of authentication from the user (such as a password) before allowing the
195 190 packet through or telling the kernel to drop it if from an unrecognised source.
196 191 .TP
197 192 .B preauth
198 193 tells the filter that for packets of this class, it should look in the
199 194 pre-authenticated list for further clarification. If no further matching
200 195 rule is found, the packet will be dropped (the FR_PREAUTH is not the same
201 196 as FR_PASS). If a further matching rule is found, the result from that is
202 197 used in its instead. This might be used in a situation where a person
|
↓ open down ↓ |
55 lines elided |
↑ open up ↑ |
203 198 \fIlogs in\fP to the firewall and it sets up some temporary rules defining
204 199 the access for that person.
205 200 .PP
206 201 The next word must be either \fBin\fP or \fBout\fP. Each packet
207 202 moving through the kernel is either inbound (just been received on an
208 203 interface, and moving towards the kernel's protocol processing) or
209 204 outbound (transmitted or forwarded by the stack, and on its way to an
210 205 interface). There is a requirement that each filter rule explicitly
211 206 state which side of the I/O it is to be used on.
212 207 .SH OPTIONS
213 -.PP
214 208 The list of options is brief, and all are indeed optional. Where
215 209 options are used, they must be present in the order shown here. These
216 210 are the currently supported options:
217 211 .TP
218 212 .B log
219 213 indicates that, should this be the last matching rule, the packet
220 214 header will be written to the \fBipl\fP log (as described in the
221 215 LOGGING section below).
222 216 .TP
223 217 .B tag tagid
224 218 indicates that, if this rule causes the packet to be logged or entered
225 219 in the state table, the tagid will be logged as part of the log entry.
226 220 This can be used to quickly match "similar" rules in scripts that post
227 221 process the log files for e.g. generation of security reports or accounting
228 222 purposes. The tagid is a 32 bit unsigned integer.
229 223 .TP
230 224 .B quick
231 225 allows "short-cut" rules in order to speed up the filter or override
232 226 later rules. If a packet matches a filter rule which is marked as
233 227 \fBquick\fP, this rule will be the last rule checked, allowing a
234 228 "short-circuit" path to avoid processing later rules for this
235 229 packet. The current status of the packet (after any effects of the
236 230 current rule) will determine whether it is passed or blocked.
237 231 .IP
238 232 If this option is missing, the rule is taken to be a "fall-through"
239 233 rule, meaning that the result of the match (block/pass) is saved and
240 234 that processing will continue to see if there are any more matches.
241 235 .TP
242 236 .B on
243 237 allows an interface name to be incorporated into the matching
244 238 procedure. Interface names are as printed by "netstat \-i". If this
245 239 option is used, the rule will only match if the packet is going
246 240 through that interface in the specified direction (in/out). If this
247 241 option is absent, the rule is taken to be applied to a packet
248 242 regardless of the interface it is present on (i.e. on all interfaces).
249 243 Filter rulesets are common to all interfaces, rather than having a
250 244 filter list for each interface.
251 245 .IP
252 246 This option is especially useful for simple IP-spoofing protection:
253 247 packets should only be allowed to pass inbound on the interface from
254 248 which the specified source address would be expected, others may be
255 249 logged and/or dropped.
256 250 .TP
257 251 .B dup-to
258 252 causes the packet to be copied, and the duplicate packet to be sent
259 253 outbound on the specified interface, optionally with the destination
260 254 IP address changed to that specified. This is useful for off-host
261 255 logging, using a network sniffer.
|
↓ open down ↓ |
38 lines elided |
↑ open up ↑ |
262 256 .TP
263 257 .B to
264 258 causes the packet to be moved to the outbound queue on the
265 259 specified interface. This can be used to circumvent kernel routing
266 260 decisions, and even to bypass the rest of the kernel processing of the
267 261 packet (if applied to an inbound rule). It is thus possible to
268 262 construct a firewall that behaves transparently, like a filtering hub
269 263 or switch, rather than a router. The \fBfastroute\fP keyword is a
270 264 synonym for this option.
271 265 .SH MATCHING PARAMETERS
272 -.PP
273 266 The keywords described in this section are used to describe attributes
274 267 of the packet to be used when determining whether rules match or don't
275 268 match. The following general-purpose attributes are provided for
276 269 matching, and must be used in this order:
277 270 .TP
278 271 .B tos
279 272 packets with different Type-Of-Service values can be filtered.
280 273 Individual service levels or combinations can be filtered upon. The
281 274 value for the TOS mask can either be represented as a hex number or a
282 275 decimal integer value.
283 276 .TP
284 277 .B ttl
285 278 packets may also be selected by their Time-To-Live value. The value given in
286 279 the filter rule must exactly match that in the packet for a match to occur.
287 280 This value can only be given as a decimal integer value.
288 281 .TP
289 282 .B proto
290 283 allows a specific protocol to be matched against. All protocol names
291 284 found in \fB/etc/protocols\fP are recognised and may be used.
292 285 However, the protocol may also be given as a DECIMAL number, allowing
293 286 for rules to match your own protocols, or new ones which would
294 287 out-date any attempted listing.
295 288 .IP
296 289 The special protocol keyword \fBtcp/udp\fP may be used to match either
297 290 a TCP or a UDP packet, and has been added as a convenience to save
298 291 duplication of otherwise-identical rules.
299 292 .\" XXX grammar should reflect this (/etc/protocols)
300 293 .PP
301 294 The \fBfrom\fP and \fBto\fP keywords are used to match against IP
302 295 addresses (and optionally port numbers). Rules must specify BOTH
303 296 source and destination parameters.
304 297 .PP
305 298 IP addresses may be specified in one of two ways: as a numerical
306 299 address\fB/\fPmask, or as a hostname \fBmask\fP netmask. The hostname
307 300 may either be a valid hostname, from either the hosts file or DNS
308 301 (depending on your configuration and library) or of the dotted numeric
309 302 form. There is no special designation for networks but network names
310 303 are recognised. Note that having your filter rules depend on DNS
311 304 results can introduce an avenue of attack, and is discouraged.
312 305 .PP
313 306 There is a special case for the hostname \fBany\fP which is taken to
314 307 be 0.0.0.0/0 (see below for mask syntax) and matches all IP addresses.
315 308 Only the presence of "any" has an implied mask, in all other
316 309 situations, a hostname MUST be accompanied by a mask. It is possible
317 310 to give "any" a hostmask, but in the context of this language, it is
318 311 non-sensical.
319 312 .PP
320 313 The numerical format "x\fB/\fPy" indicates that a mask of y
321 314 consecutive 1 bits set is generated, starting with the MSB, so a y value
322 315 of 16 would give 0xffff0000. The symbolic "x \fBmask\fP y" indicates
323 316 that the mask y is in dotted IP notation or a hexadecimal number of
324 317 the form 0x12345678. Note that all the bits of the IP address
325 318 indicated by the bitmask must match the address on the packet exactly;
326 319 there isn't currently a way to invert the sense of the match, or to
327 320 match ranges of IP addresses which do not express themselves easily as
328 321 bitmasks (anthropomorphization; it's not just for breakfast anymore).
329 322 .PP
330 323 If a \fBport\fP match is included, for either or both of source and
331 324 destination, then it is only applied to
332 325 .\" XXX - "may only be" ? how does this apply to other protocols? will it not match, or will it be ignored?
333 326 TCP and UDP packets. If there is no \fBproto\fP match parameter,
334 327 packets from both protocols are compared. This is equivalent to "proto
335 328 tcp/udp". When composing \fBport\fP comparisons, either the service
336 329 name or an integer port number may be used. Port comparisons may be
337 330 done in a number of forms, with a number of comparison operators, or
338 331 port ranges may be specified. When the port appears as part of the
339 332 \fBfrom\fP object, it matches the source port number, when it appears
340 333 as part of the \fBto\fP object, it matches the destination port number.
341 334 See the examples for more information.
342 335 .PP
343 336 The \fBall\fP keyword is essentially a synonym for "from any to any"
344 337 with no other match parameters.
345 338 .PP
346 339 Following the source and destination matching parameters, the
347 340 following additional parameters may be used:
348 341 .TP
349 342 .B with
350 343 is used to match irregular attributes that some packets may have
351 344 associated with them. To match the presence of IP options in general,
352 345 use \fBwith ipopts\fP. To match packets that are too short to contain
353 346 a complete header, use \fBwith short\fP. To match fragmented packets,
354 347 use \fBwith frag\fP. For more specific filtering on IP options,
355 348 individual options can be listed.
356 349 .IP
357 350 Before any parameter used after the \fBwith\fP keyword, the word
358 351 \fBnot\fP or \fBno\fP may be inserted to cause the filter rule to only
359 352 match if the option(s) is not present.
360 353 .IP
361 354 Multiple consecutive \fBwith\fP clauses are allowed. Alternatively,
362 355 the keyword \fBand\fP may be used in place of \fBwith\fP, this is
363 356 provided purely to make the rules more readable ("with ... and ...").
364 357 When multiple clauses are listed, all those must match to cause a
365 358 match of the rule.
366 359 .\" XXX describe the options more specifically in a separate section
367 360 .TP
368 361 .B flags
369 362 is only effective for TCP filtering. Each of the letters possible
370 363 represents one of the possible flags that can be set in the TCP
371 364 header. The association is as follows:
372 365 .LP
373 366 .nf
374 367 F - FIN
375 368 S - SYN
376 369 R - RST
377 370 P - PUSH
378 371 A - ACK
379 372 U - URG
380 373 .fi
381 374 .IP
382 375 The various flag symbols may be used in combination, so that "SA"
383 376 would represent a SYN-ACK combination present in a packet. There is
384 377 nothing preventing the specification of combinations, such as "SFR",
385 378 that would not normally be generated by law-abiding TCP
386 379 implementations. However, to guard against weird aberrations, it is
387 380 necessary to state which flags you are filtering against. To allow
388 381 this, it is possible to set a mask indicating which TCP flags you wish
389 382 to compare (i.e., those you deem significant). This is done by
390 383 appending "/<flags>" to the set of TCP flags you wish to match
391 384 against, e.g.:
392 385 .LP
393 386 .nf
394 387 ... flags S
395 388 # becomes "flags S/AUPRFS" and will match
396 389 # packets with ONLY the SYN flag set.
397 390
398 391 ... flags SA
399 392 # becomes "flags SA/AUPRFS" and will match any
400 393 # packet with only the SYN and ACK flags set.
401 394
402 395 ... flags S/SA
403 396 # will match any packet with just the SYN flag set
404 397 # out of the SYN-ACK pair; the common "establish"
405 398 # keyword action. "S/SA" will NOT match a packet
|
↓ open down ↓ |
123 lines elided |
↑ open up ↑ |
406 399 # with BOTH SYN and ACK set, but WILL match "SFP".
407 400 .fi
408 401 .TP
409 402 .B icmp-type
410 403 is only effective when used with \fBproto icmp\fP and must NOT be used
411 404 in conjunction with \fBflags\fP. There are a number of types, which can be
412 405 referred to by an abbreviation recognised by this language, or the numbers
413 406 with which they are associated can be used. The most important from
414 407 a security point of view is the ICMP redirect.
415 408 .SH KEEP HISTORY
416 -.PP
417 409 The second last parameter which can be set for a filter rule is whether or not
418 410 to record historical information for that packet, and what sort to keep. The
419 411 following information can be kept:
420 412 .TP
421 413 .B state
422 414 keeps information about the flow of a communication session. State can
423 415 be kept for TCP, UDP, and ICMP packets.
424 416 .TP
425 417 .B frags
426 418 keeps information on fragmented packets, to be applied to later
427 419 fragments.
428 420 .PP
429 421 allowing packets which match these to flow straight through, rather
430 422 than going through the access control list.
431 423 .SH GROUPS
432 424 The last pair of parameters control filter rule "grouping". By default, all
433 425 filter rules are placed in group 0 if no other group is specified. To add a
434 426 rule to a non-default group, the group must first be started by creating a
435 427 group \fIhead\fP. If a packet matches a rule which is the \fIhead\fP of a
436 428 group, the filter processing then switches to the group, using that rule as
437 429 the default for the group. If \fBquick\fP is used with a \fBhead\fP rule, rule
438 430 processing isn't stopped until it has returned from processing the group.
|
↓ open down ↓ |
12 lines elided |
↑ open up ↑ |
439 431 .PP
440 432 A rule may be both the head for a new group and a member of a non-default
441 433 group (\fBhead\fP and \fBgroup\fP may be used together in a rule).
442 434 .TP
443 435 .B "head <n>"
444 436 indicates that a new group (number n) should be created.
445 437 .TP
446 438 .B "group <n>"
447 439 indicates that the rule should be put in group (number n) rather than group 0.
448 440 .SH LOGGING
449 -.PP
450 441 When a packet is logged, with either the \fBlog\fP action or option,
451 442 the headers of the packet are written to the \fBipl\fP packet logging
452 443 pseudo-device. Immediately following the \fBlog\fP keyword, the
453 444 following qualifiers may be used (in order):
454 445 .TP
455 446 .B body
456 447 indicates that the first 128 bytes of the packet contents will be
457 448 logged after the headers.
458 449 .TP
459 450 .B first
460 451 If log is being used in conjunction with a "keep" option, it is recommended
461 452 that this option is also applied so that only the triggering packet is logged
462 453 and not every packet which thereafter matches state information.
463 454 .TP
464 455 .B or-block
465 456 indicates that, if for some reason the filter is unable to log the
466 457 packet (such as the log reader being too slow) then the rule should be
467 458 interpreted as if the action was \fBblock\fP for this packet.
|
↓ open down ↓ |
8 lines elided |
↑ open up ↑ |
468 459 .TP
469 460 .B "level <loglevel>"
470 461 indicates what logging facility and priority, or just priority with
471 462 the default facility being used, will be used to log information about
472 463 this packet using ipmon's -s option.
473 464 .PP
474 465 See ipl(4) for the format of records written
475 466 to this device. The ipmon(1M) program can be used to read and format
476 467 this log.
477 468 .SH EXAMPLES
478 -.PP
479 469 The \fBquick\fP option is good for rules such as:
480 -\fC
481 470 .nf
482 471 block in quick from any to any with ipopts
483 472 .fi
484 473 .PP
485 474 which will match any packet with a non-standard header length (IP
486 475 options present) and abort further processing of later rules,
487 476 recording a match and also that the packet should be blocked.
488 477 .PP
489 478 The "fall-through" rule parsing allows for effects such as this:
490 479 .LP
491 480 .nf
492 481 block in from any to any port < 6000
493 482 pass in from any to any port >= 6000
494 483 block in from any to any port > 6003
495 484 .fi
496 485 .PP
497 486 which sets up the range 6000-6003 as being permitted and all others being
498 487 denied. Note that the effect of the first rule is overridden by subsequent
499 488 rules. Another (easier) way to do the same is:
500 489 .LP
501 490 .nf
502 491 block in from any to any port 6000 <> 6003
503 492 pass in from any to any port 5999 >< 6004
504 493 .fi
505 494 .PP
506 495 Note that both the "block" and "pass" are needed here to effect a
507 496 result as a failed match on the "block" action does not imply a pass,
508 497 only that the rule hasn't taken effect. To then allow ports < 1024, a
509 498 rule such as:
510 499 .LP
511 500 .nf
512 501 pass in quick from any to any port < 1024
513 502 .fi
514 503 .PP
515 504 would be needed before the first block. To create a new group for
|
↓ open down ↓ |
25 lines elided |
↑ open up ↑ |
516 505 processing all inbound packets on le0/le1/lo0, with the default being to block
517 506 all inbound packets, we would do something like:
518 507 .LP
519 508 .nf
520 509 block in all
521 510 block in quick on le0 all head 100
522 511 block in quick on le1 all head 200
523 512 block in quick on lo0 all head 300
524 513 .fi
525 514 .PP
526 -
527 515 and to then allow ICMP packets in on le0, only, we would do:
528 516 .LP
529 517 .nf
530 518 pass in proto icmp all group 100
531 519 .fi
532 520 .PP
533 521 Note that because only inbound packets on le0 are used processed by group 100,
534 522 there is no need to respecify the interface name. Likewise, we could further
535 523 breakup processing of TCP, etc, as follows:
536 524 .LP
537 525 .nf
538 526 block in proto tcp all head 110 group 100
539 527 pass in from any to any port = 23 group 110
540 528 .fi
541 529 .PP
542 530 and so on. The last line, if written without the groups would be:
543 531 .LP
544 532 .nf
545 533 pass in on le0 proto tcp from any to any port = telnet
546 534 .fi
547 535 .PP
548 536 Note, that if we wanted to say "port = telnet", "proto tcp" would
549 537 need to be specified as the parser interprets each rule on its own and
550 538 qualifies all service/port names with the protocol specified.
551 539 .SH FILES
552 540 /dev/ipauth
553 541 .br
554 542 /dev/ipl
555 543 .br
556 544 /dev/ipstate
557 545 .br
558 546 /etc/hosts
559 547 .br
560 548 /etc/services
561 549 .SH SEE ALSO
562 550 \fBipnat\fR(4), \fBipf\fR(1M), \fBipfstat\fR(1M), \fBipfilter\fR(5)
|
↓ open down ↓ |
26 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX