Provided by: ipchains_1.3.10-16_i386

NAME

       ipfwadm - IP firewall and accounting administration

SYNOPSIS

       ipfwadm -A command parameters [options]
       ipfwadm -I command parameters [options]
       ipfwadm -O command parameters [options]
       ipfwadm -F command parameters [options]
       ipfwadm -M [ -l | -s ] [options]

NOTE

       Please note that this program is just a wrapper around ipchains(8),
       provided for old-fashioned users and for old scripts.

DESCRIPTION

       Ipfwadm is used to set up, maintain, and inspect the  IP  firewall  and
       accounting  rules in the Linux kernel.  These rules can be divided into
       4  different  categories:  accounting  of  IP  packets,  the  IP  input
       firewall,  the IP output firewall, and the IP forwarding firewall.  For
       each of these categories, a separate list of rules is maintained.   See
       ipfw(4) for more details.

OPTIONS

       The  options that are recognized by ipfwadm can be divided into several
       different groups.

   CATEGORIES
       The following flags are used to select the category of rules  to  which
       the given command applies:

       -A [direction]
              IP  accounting  rules.  Optionally, a direction can be specified
              (in, out, or both), indicating whether only incoming or outgoing
              packets should be counted.  The default direction is both.

       -I     IP input firewall rules.

       -O     IP output firewall rules.

       -F     IP forwarding firewall rules.

       -M     IP  masquerading administration.  This category can only be used
              in combination with the -l (list) or  -s  (set  timeout  values)
              command.

       Exactly one of these options has to be specified.

   COMMANDS
       The  next  options specify the specific action to perform.  Only one of
       them can be specified on the command line,  unless  something  else  is
       listed in the description.

       -a [policy]
              Append  one  or more rules to the end of the selected list.  For
              the accounting  chain,  no  policy  should  be  specified.   For
              firewall  chains, it is required to specify one of the following
              policies: accept, deny, reject, or masquerade.  When the  source
              and/or  destination  names  resolve  to more than one address, a
              rule will be added for each possible address combination.

       -i [policy]
              Insert one or more rules at the beginning of the selected  list.
              See the description of the -a command for more details.

       -d [policy]
              Delete one or more entries from the selected list of rules.  The
              semantics are equal to those of the append/insert commands.  The
              specified  parameters  should exactly match the parameters given
              with an append or insert command, otherwise  no  match  will  be
              found  and the rule will not be removed from the list.  Only the
              first matching rule in the list will be deleted.

       -l     List all the rules in the selected list.  This  command  may  be
              combined  with the -z (reset counters to zero) command.  In that
              case, the packet and byte counters  will  be  reset  immediately
              after  listing  their  current  values.  Unless the -x option is
              present, packet and byte counters (if listed) will be  shown  as
              numberK  or  numberM,  where  1K  means  1000 and 1M means 1000K
              (rounded to the nearest integer value).  See also the -e and  -x
              flags for more capabilities.

       -z     Reset  the packet and byte counters of all the rules in selected
              list.  This command may be combined with the -l (list)  command.

       -f     Flush the selected list of rules.

       -p policy
              Change  the  default  policy  for the selected type of firewall.
              The given policy has to be  one  of  accept,  deny,  reject,  or
              masquerade.  The default policy is used when no matching rule is
              found.  This operation is only valid for IP firewalls, that  is,
              in combination with the -I, -O, or -F flag.

       -s tcp tcpfin udp
              Change  the  timeout values used for masquerading.  This command
              always takes 3 parameters, representing the timeout  values  (in
              seconds)  for  TCP  sessions, TCP sessions after receiving a FIN
              packet, and UDP packets, respectively.  A timeout value 0  means
              that  the  current  timeout  value of the corresponding entry is
              preserved.  This operation is only allowed in  combination  with
              the -M flag.

       -c     Check  whether  this  IP  packet  would  be accepted, denied, or
              rejected by the selected type of firewall.   This  operation  is
              only  valid  for  IP firewalls, that is, in combination with the
              -I, -O, or -F flag.

       -h     Help.  Give a (currently very brief) description of the  command
              syntax.

   PARAMETERS
       The  following  parameters  can be used in combination with the append,
       insert, delete, or check commands:

       -P protocol
              The protocol of the  rule  or  of  the  packet  to  check.   The
              specified  protocol  can  be  one  of  tcp,  udp,  icmp, or all.
               Protocol all will match with  all  protocols  and  is  taken  as
               default  when  this  option  is omitted.  all may not be used in
               combination with the check command.

       -S address[/mask] [port ...]
              Source  specification  (optional).   Address  can  be  either  a
              hostname,  a  network name, or a plain IP address.  The mask can
              be either a network mask  or  a  plain  number,  specifying  the
               number  of  1’s  at  the left side of the network mask.  Thus, a
               mask of 24 is equivalent to 255.255.255.0.
              The source may include one or more port specifications  or  ICMP
              types.   Each  of  them  can  either  be  a service name, a port
              number,  or  a  (numeric)  ICMP  type.   In  the  rest  of  this
              paragraph,  a  port means either a port specification or an ICMP
              type.  One of these specifications may be a range of  ports,  in
              the  format  port:port.   Furthermore, the total number of ports
              specified with the source and destination addresses  should  not
              be  greater  than  IP_FW_MAX_PORTS  (currently 10).  Here a port
              range counts as 2 ports.
              Packets not being the first fragment of  a  TCP,  UDP,  or  ICMP
              packet  are  always  accepted  by  the firewall.  For accounting
              purposes,  these  second  and  further  fragments  are   treated
              special,  to be able to count them in some way.  The port number
              0xFFFF (65535) is used for a match with the second  and  further
              fragments  of TCP or UDP packets.  These packets will be treated
              for accounting purposes  as  if  both  their  port  numbers  are
              0xFFFF.   The  number  0xFF  (255)  is used for a match with the
              second and further fragments of  ICMP  packets.   These  packets
              will  be  treated for accounting purposes as if their ICMP types
              are 0xFF.  Note that the  specified  command  and  protocol  may
              imply restrictions on the ports to be specified.  Ports may only
              be specified in combination with the tcp, udp, or icmp protocol.
              When  this option is omitted, the default address/mask 0.0.0.0/0
              (matching with any address) is used  as  source  address.   This
              option  is  required  in  combination with the check command, in
              which case also exactly one port has to be specified.

       -D address[/mask] [port ...]
              Destination specification (optional).  See  the  description  of
              the  -S  (source) flag for a detailed description of the syntax,
               default values, and other requirements.  Note  that  ICMP  types
               are  not allowed in combination with the -D flag: ICMP types can
               only be specified after the -S flag.

       -V address
               Optional address of an interface via which a packet is received,
               or  via  which  a  packet  is going to be sent.  Address can be
              either a hostname or a plain IP address.   When  a  hostname  is
              specified,  it  should  resolve to exactly one IP address.  When
              this option is omitted, the address 0.0.0.0  is  assumed,  which
              has a special meaning and will match with any interface address.
              For the check command, this option is mandatory.

       -W name
               Optional name of an interface via which a packet is received, or
               via  which  a  packet is going to be sent.  When this option is
              omitted, the empty  string  is  assumed,  which  has  a  special
              meaning  and  will match with any interface name.  For the check
              command, this option is mandatory.

   OTHER OPTIONS
       The following additional options can be specified:

       -b     Bidirectional mode.  The rule will match with IP packets in both
              directions.   This  option is only valid in combination with the
              append, insert, or delete commands.

       -e     Extended output.  This option makes the list command  also  show
              the  interface  address  and  the  rule  options  (if any).  For
              firewall lists, also the packet and byte counters  (the  default
              is to only show these counters for the accounting rules) and the
              TOS masks will be listed.  When used  in  combination  with  -M,
              information  related  to  delta  sequence  numbers  will also be
              listed.  This option is only valid in combination with the  list
              command.

       -k     Only match TCP packets with the ACK bit set (this option will be
              ignored for packets of other protocols).  This  option  is  only
              valid in combination with the append, insert, or delete command.

       -m     Masquerade packets accepted for forwarding.  When this option is
              set,  packets  accepted  by  this rule will be masqueraded as if
              they originated  from  the  local  host.   Furthermore,  reverse
              packets   will   be   recognized   as  such  and  they  will  be
              demasqueraded automatically, bypassing the forwarding  firewall.
              This  option  is  only  valid  in forwarding firewall rules with
              policy accept (or when specifying accept as default policy)  and
              can   only   be   used   when   the   kernel  is  compiled  with
              CONFIG_IP_MASQUERADE defined.

       -n     Numeric output.  IP addresses and port numbers will  be  printed
              in  numeric format.  By default, the program will try to display
              them  as  host  names,  network  names,  or  services  (whenever
              applicable).

       -o     Turn on kernel logging of matching packets.  When this option is
              set for a rule, the Linux kernel will print some information  of
              all  matching packets (like most IP header fields) via printk().
              This option will only be effective  when  the  Linux  kernel  is
              compiled  with  CONFIG_IP_FIREWALL_VERBOSE defined.  This option
              is only valid in combination with the append, insert  or  delete
              command.

       -r [port]
              Redirect  packets  to  a local socket.  When this option is set,
              packets accepted by this rule will  be  redirected  to  a  local
              socket,  even  if  they  were  sent  to  a  remote host.  If the
              specified redirection port is 0, which is the default value, the
              destination  port  of  a  packet will be used as the redirection
              port.  This option is only valid in input  firewall  rules  with
              policy  accept  and  can  only  be used when the Linux kernel is
              compiled with CONFIG_IP_TRANSPARENT_PROXY defined.

       -t andmask xormask
              Masks used for modifying the TOS field in the IP header.  When a
              packet  is accepted (with or without masquerading) by a firewall
               rule,  its TOS field is first bitwise and’ed with the first mask
               and the result of this is bitwise xor’ed with the  second  mask.
              The masks should be specified as hexadecimal 8-bit values.  This
              option  is  only valid in combination with the append, insert or
              delete command and will have no effect when used in  combination
              with accounting rules or firewall rules for rejecting or denying
              a packet.

       -v     Verbose output.  Print  detailed  information  of  the  rule  or
              packet  to be added, deleted, or checked.  This option will only
              have effect with the append, insert, delete, or check command.

       -x     Expand numbers.  Display the exact value of the packet and  byte
              counters,  instead  of only the rounded number in K’s (multiples
              of 1000) or M’s (multiples of 1000K).   This  option  will  only
              have effect when the counters are listed anyway (see also the -e
              option).

       -y     Only match TCP packets with the SYN bit  set  and  the  ACK  bit
              cleared  (this  option  will  be  ignored  for  packets of other
              protocols).  This option is only valid in combination  with  the
              append, insert, or delete command.
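
   EXAMPLE
       The following script is an added example, not part of the ipfwadm or
       ipchains distribution.  It builds a small masquerading-gateway ruleset
       from the categories, commands, parameters and options described above:
       flush and set default policies, anti-spoofing on the external
       interface, SYN-only (-y) and ACK-only (-k) TCP rules, ICMP types after
       -S, a TOS rewrite (-t), a masquerading forward rule (-m), masquerade
       timeouts (-M -s), an accounting rule for non-first fragments (port
       65535), and a -c check of two sample packets.  The interface names
       eth0/eth1, the addresses 192.0.2.10 and 192.168.1.0/24, the helper
       names run, apply_ruleset, check_packet and list_rules, and the DRY_RUN
       convention are assumptions made for this example; when ipfwadm is not
       installed the script only prints the commands it would run.

```sh
#!/bin/sh
# Added example (not from the ipfwadm/ipchains distribution): a ruleset for a
# small masquerading gateway.  Interface names and addresses are assumptions.
set -eu

EXT_IF=${EXT_IF:-eth0}               # assumed external interface
LAN_IF=${LAN_IF:-eth1}               # assumed internal interface
EXT_IP=${EXT_IP:-192.0.2.10}         # assumed external address
LAN_NET=${LAN_NET:-192.168.1.0/24}   # assumed internal network

# run: print the ipfwadm command, then execute it unless DRY_RUN=1.  When
# ipfwadm is not installed we fall back to printing, so the ruleset can be
# reviewed before it ever touches a kernel.
DRY_RUN=${DRY_RUN:-0}
command -v ipfwadm >/dev/null 2>&1 || DRY_RUN=1
run() {
    echo "ipfwadm $*"
    [ "$DRY_RUN" = 1 ] || ipfwadm "$@"
}

apply_ruleset() {
    # Flush all four lists and fail closed on input and forwarding; output
    # stays accept.  Rules are matched in order: the first match wins.
    run -I -f
    run -O -f
    run -F -f
    run -A -f
    run -I -p deny
    run -O -p accept
    run -F -p deny

    # Loopback and the trusted LAN interface are accepted unconditionally.
    run -I -a accept -P all -W lo
    run -I -a accept -P all -S "$LAN_NET" -W "$LAN_IF"

    # Anti-spoofing: deny and log (-o) packets that arrive on the external
    # interface while claiming a LAN source address.
    run -I -a deny -P all -W "$EXT_IF" -S "$LAN_NET" -o

    # New inbound TCP connections (-y: SYN set, ACK clear) from outside are
    # accepted only to ssh and smtp on our own address; all others are denied
    # and logged.
    run -I -a accept -P tcp -y -W "$EXT_IF" -D "$EXT_IP" ssh smtp
    run -I -a deny   -P tcp -y -W "$EXT_IF" -o

    # Remaining external traffic: established TCP (-k: ACK set), DNS replies,
    # and ICMP echo-reply (0), destination-unreachable (3), time-exceeded (11).
    # ICMP types may only follow -S, never -D.
    run -I -a accept -P tcp  -k -W "$EXT_IF"
    run -I -a accept -P udp  -W "$EXT_IF" -S 0.0.0.0/0 domain -D "$EXT_IP"
    run -I -a accept -P icmp -W "$EXT_IF" -S 0.0.0.0/0 0 3 11

    # Outgoing ssh gets the minimize-delay TOS bit: TOS = (TOS & 0x01) ^ 0x10.
    run -O -a accept -P tcp -D 0.0.0.0/0 ssh -t 01 10

    # Forwarding: masquerade (-m) LAN traffic that leaves via the external
    # interface.  Replies are demasqueraded without passing this list again.
    run -F -a accept -m -P all -S "$LAN_NET" -W "$EXT_IF"

    # Masquerade table timeouts: TCP 2h, TCP after FIN 10s, UDP 160s.
    run -M -s 7200 10 160

    # Accounting: count inbound TCP fragments after the first, which the
    # kernel presents to accounting rules as if both ports were 0xFFFF (65535).
    run -A in -a -P tcp -S 0.0.0.0/0 65535 -D 0.0.0.0/0 65535
}

# check_packet PROTO SRC SPORT DPORT: ask the kernel how the input firewall
# would treat a packet arriving on the external interface.  -c needs an
# explicit protocol (not all), a single port after -S and -D, -V and -W.
check_packet() {
    run -I -c -P "$1" -S "$2" "$3" -D "$EXT_IP" "$4" -V "$EXT_IP" -W "$EXT_IF"
}

# list_rules: show the input list numerically, extended, with exact counters.
list_rules() {
    run -I -l -n -e -x
}

case "${1:-}" in
    apply) apply_ruleset ;;
    check) check_packet udp 192.168.1.5 1025 domain     # spoofed LAN source: should be denied
           check_packet udp 198.51.100.53 domain 1025 ;; # DNS reply: should be accepted
    list)  list_rules ;;
    *)     echo "usage: $0 apply|check|list   (DRY_RUN=1 prints only)" >&2 ;;
esac
```

       Run it as DRY_RUN=1 sh gateway.sh apply to review the generated
       commands first, then without DRY_RUN on the gateway itself.  Because -d
       requires an exact parameter match, keeping the rules in a script like
       this, and reloading it after a flush, is safer than editing a live list
       by hand.  Note that -k and -y are not accepted by the check command, so
       the -c probes above cannot exercise the SYN-only rules; a check of a
       flag-sensitive rule must be done with real traffic and -l -e counters.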

FILES

       /proc/net/ip_acct
       /proc/net/ip_input
       /proc/net/ip_output
       /proc/net/ip_forward
       /proc/net/ip_masquerade

SEE ALSO

       ipfw(4)

AUTHOR

       Jos Vos <jos@xos.nl>
       X/OS Experts in Open Systems BV, Amsterdam, The Netherlands

                                 July 30, 1996                      IPFWADM(8)