Provided by: ipfwadm_2.3.0-4_i386

NAME

       ipfwadm - IP firewall and accounting administration

SYNOPSIS

       ipfwadm -A command parameters [options]
       ipfwadm -I command parameters [options]
       ipfwadm -O command parameters [options]
       ipfwadm -F command parameters [options]
       ipfwadm -M [ -l | -s ] [options]

DESCRIPTION

       Ipfwadm  is  used  to set up, maintain, and inspect the IP firewall and
       accounting rules in the Linux kernel.  These rules can be divided  into
       4  different  categories:  accounting  of  IP  packets,  the  IP  input
       firewall, the IP output firewall, and the IP forwarding firewall.   For
       each  of these categories, a separate list of rules is maintained.  See
       ipfw(4) for more details.

OPTIONS

       The options that are recognized by ipfwadm can be divided into  several
       different groups.

   CATEGORIES
       The  following  flags are used to select the category of rules to which
       the given command applies:

       -A [direction]
              IP accounting rules.  Optionally, a direction can  be  specified
              (in, out, or both), indicating whether only incoming or outgoing
              packets should be counted.  The default direction is both.

       -I     IP input firewall rules.

       -O     IP output firewall rules.

       -F     IP forwarding firewall rules.

       -M     IP masquerading administration.  This category can only be  used
              in  combination  with  the  -l (list) or -s (set timeout values)
              command.

       Exactly one of these options has to be specified.

   COMMANDS
       The following options specify the action to perform.  Only  one  of
       them  can  be  specified  on the command line, unless something else is
       listed in the description.

       -a [policy]
              Append one or more rules to the end of the selected  list.   For
              the  accounting  chain,  no  policy  should  be  specified.  For
              firewall chains, it is required to specify one of the  following
              policies:  accept, deny, reject, or masquerade.  When the source
              and/or destination names resolve to more  than  one  address,  a
              rule will be added for each possible address combination.

       -i [policy]
              Insert  one or more rules at the beginning of the selected list.
              See the description of the -a command for more details.

       -d [policy]
              Delete one or more entries from the selected list of rules.  The
              semantics are equal to those of the append/insert commands.  The
              specified parameters should exactly match the  parameters  given
              with  an  append  or  insert command, otherwise no match will be
              found and the rule will not be removed from the list.  Only  the
              first matching rule in the list will be deleted.

       -l     List  all  the  rules in the selected list.  This command may be
              combined with the -z (reset counters to zero) command.  In  that
              case,  the  packet  and  byte counters will be reset immediately
              after listing their current values.  Unless  the  -x  option  is
              present,  packet  and byte counters (if listed) will be shown as
              numberK or numberM, where 1K  means  1000  and  1M  means  1000K
              (rounded  to the nearest integer value).  See also the -e and -x
              flags for more capabilities.

       -z     Reset the packet and byte counters of all  the  rules  in  the
              selected  list.   This  command  may be combined with the -l (list)
              command.

       -f     Flush the selected list of rules.

       -p policy
              Change the default policy for the  selected  type  of  firewall.
              The  given  policy  has  to  be  one of accept, deny, reject, or
              masquerade.  The default policy is used when no matching rule is
              found.   This operation is only valid for IP firewalls, that is,
              in combination with the -I, -O, or -F flag.

       -s tcp tcpfin udp
              Change the timeout values used for masquerading.   This  command
              always  takes  3 parameters, representing the timeout values (in
              seconds) for TCP sessions, TCP sessions after  receiving  a  FIN
              packet,  and UDP packets, respectively.  A timeout value 0 means
              that the current timeout value of  the  corresponding  entry  is
              preserved.   This  operation is only allowed in combination with
              the -M flag.

       -c     Check whether this IP  packet  would  be  accepted,  denied,  or
              rejected  by  the  selected type of firewall.  This operation is
              only valid for IP firewalls, that is, in  combination  with  the
              -I, -O, or -F flag.

       -h     Help.   Give a (currently very brief) description of the command
              syntax.

   PARAMETERS
       The following parameters can be used in combination  with  the  append,
       insert, delete, or check commands:

       -P protocol
              The  protocol  of  the  rule  or  of  the  packet to check.  The
              specified protocol can  be  one  of  tcp,  udp,  icmp,  or  all.
              Protocol  all  will  match  with  all  protocols and is taken as
              default when this option is omitted.  All may not be  used  in
              combination with the check command.

       -S address[/mask] [port ...]
              Source  specification  (optional).   Address  can  be  either  a
              hostname, a network name, or a plain IP address.  The  mask  can
              be  either  a  network  mask  or  a plain number, specifying the
              number of 1’s at the left side of the  network  mask.   Thus,  a
              mask of 24 is equivalent to 255.255.255.0.
              The  source  may include one or more port specifications or ICMP
              types.  Each of them can  either  be  a  service  name,  a  port
              number,  or  a  (numeric)  ICMP  type.   In  the  rest  of  this
              paragraph, a port means either a port specification or  an  ICMP
              type.   One  of these specifications may be a range of ports, in
              the format port:port.  Furthermore, the total  number  of  ports
              specified  with  the source and destination addresses should not
              be greater than IP_FW_MAX_PORTS (currently  10).   Here  a  port
              range counts as 2 ports.
              Packets  not  being  the  first  fragment of a TCP, UDP, or ICMP
              packet are always accepted  by  the  firewall.   For  accounting
              purposes, these second and further fragments are treated specially
              so that they can still be counted in some way.  The  port  number
              0xFFFF  (65535)  is used for a match with the second and further
              fragments of TCP or UDP packets.  These packets will be  treated
              for  accounting  purposes  as  if  both  their  port numbers are
              0xFFFF.  The number 0xFF (255) is used  for  a  match  with  the
              second  and  further  fragments  of ICMP packets.  These packets
              will be treated for accounting purposes as if  their  ICMP  types
              are  0xFF.   Note  that  the  specified command and protocol may
              imply restrictions on the ports to be specified.  Ports may only
              be specified in combination with the tcp, udp, or icmp protocol.
              When this option is omitted, the default address/mask  0.0.0.0/0
              (matching  with  any  address)  is used as source address.  This
              option is required in combination with  the  check  command,  in
              which case also exactly one port has to be specified.

       -D address[/mask] [port ...]
              Destination specification (optional).  See the description of the
              -S (source) flag for  a  detailed  description  of  the  syntax,
              default  values,  and  other requirements.  Note that ICMP types
              are not allowed in combination with the -D flag: ICMP types  can
              only be specified after the -S flag.

       -V address
              Optional address of an interface via which a packet is received,
              or via which a packet is going to  be  sent.   Address  can  be
              either  a  hostname  or  a plain IP address.  When a hostname is
              specified, it should resolve to exactly one  IP  address.   When
              this  option  is  omitted, the address 0.0.0.0 is assumed, which
              has a special meaning and will match with any interface address.
              For the check command, this option is mandatory.

       -W name
              Optional name of an interface via which a packet is received, or
              via which a packet is going to be sent.  When  this  option  is
              omitted,  the  empty  string  is  assumed,  which  has a special
              meaning and will match with any interface name.  For  the  check
              command, this option is mandatory.

   OTHER OPTIONS
       The following additional options can be specified:

       -b     Bidirectional mode.  The rule will match with IP packets in both
              directions.  This option is only valid in combination  with  the
              append, insert, or delete commands.

       -e     Extended  output.   This option makes the list command also show
              the interface address  and  the  rule  options  (if  any).   For
              firewall  lists,  also the packet and byte counters (the default
              is to only show these counters for the accounting rules) and the
              TOS  masks  will  be  listed.  When used in combination with -M,
              information related to  delta  sequence  numbers  will  also  be
              listed.   This option is only valid in combination with the list
              command.

       -k     Only match TCP packets with the ACK bit set (this option will be
              ignored  for  packets  of other protocols).  This option is only
              valid in combination with the append, insert, or delete command.

       -m     Masquerade packets accepted for forwarding.  When this option is
              set, packets accepted by this rule will  be  masqueraded  as  if
              they  originated  from  the  local  host.   Furthermore, reverse
              packets  will  be  recognized  as  such   and   they   will   be
              demasqueraded  automatically, bypassing the forwarding firewall.
              This option is only valid  in  forwarding  firewall  rules  with
              policy  accept (or when specifying accept as default policy) and
              can  only  be  used   when   the   kernel   is   compiled   with
              CONFIG_IP_MASQUERADE defined.

       -n     Numeric  output.   IP addresses and port numbers will be printed
              in numeric format.  By default, the program will try to  display
              them  as  host  names,  network  names,  or  services  (whenever
              applicable).

       -o     Turn on kernel logging of matching packets.  When this option is
              set  for a rule, the Linux kernel will print some information of
              all matching packets (like most IP header fields) via  printk().
              This  option  will  only  be  effective when the Linux kernel is
              compiled with CONFIG_IP_FIREWALL_VERBOSE defined.   This  option
              is  only  valid in combination with the append, insert or delete
              command.

       -r [port]
              Redirect packets to a local socket.  When this  option  is  set,
              packets  accepted  by  this  rule  will be redirected to a local
              socket, even if they  were  sent  to  a  remote  host.   If  the
              specified redirection port is 0, which is the default value, the
              destination port of a packet will be  used  as  the  redirection
              port.   This  option  is only valid in input firewall rules with
              policy accept and can only be used  when  the  Linux  kernel  is
              compiled with CONFIG_IP_TRANSPARENT_PROXY defined.

       -t andmask xormask
              Masks used for modifying the TOS field in the IP header.  When a
              packet is accepted (with or without masquerading) by a  firewall
              rule,  its TOS field is first bitwise AND’ed with the first mask
              and the result of this is bitwise XOR’ed with the  second  mask.
              The masks should be specified as hexadecimal 8-bit values.  This
              option is only valid in combination with the append,  insert  or
              delete  command and will have no effect when used in combination
              with accounting rules or firewall rules for rejecting or denying
              a packet.

       -v     Verbose  output.   Print  detailed  information  of  the rule or
              packet to be added, deleted, or checked.  This option will  only
              have effect with the append, insert, delete, or check command.

       -x     Expand  numbers.  Display the exact value of the packet and byte
              counters, instead of only the rounded number in  K’s  (multiples
              of  1000)  or  M’s  (multiples of 1000K).  This option will only
              have effect when the counters are listed anyway (see also the -e
              option).

       -y     Only  match  TCP  packets  with  the SYN bit set and the ACK bit
              cleared (this option  will  be  ignored  for  packets  of  other
              protocols).   This  option is only valid in combination with the
              append, insert, or delete command.
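       The following Python model is an added illustration, not part of this
       manual page and not ipfwadm's own code.  It replays the rule semantics
       described under COMMANDS, PARAMETERS and OTHER OPTIONS in one place: a
       rule list walked in order with the default policy (-p) applied when
       nothing matches, -S/-D address masks (prefix length or dotted mask)
       and port lists (a range counts as 2 ports against IP_FW_MAX_PORTS),
       the -k and -y TCP flag tests and the fact that they are ignored for
       other protocols, -b bidirectional matching, the 0xFFFF/0xFF ports that
       accounting uses for second and further fragments, and the -t TOS
       rewrite.  The Packet and Rule layouts, the assumption that the first
       matching rule decides, that a bare address means a /32 host, and the
       192.168.1.0/24 demo addresses are this example's own choices; the
       ipfwadm command lines in the comments show the equivalent invocation.

```python
"""Toy model of the ipfwadm rule semantics described on this page (added example,
not ipfwadm's own code).  First-match walk with default policy, -S/-D masks and
ports, -k/-y, -b, fragment handling, and the -t TOS rewrite; layouts are assumed."""
from dataclasses import dataclass, field
import ipaddress

IP_FW_MAX_PORTS = 10   # from the page: ports over -S and -D together
FRAG_PORT = 0xFFFF     # second and further TCP/UDP fragments (accounting)
FRAG_ICMP = 0xFF       # second and further ICMP fragments (accounting)

def parse_net(spec):
    """'10.0.0.0/24', '10.0.0.0/255.255.255.0' or a bare /32 host; None = any."""
    return ipaddress.ip_network(spec or "0.0.0.0/0", strict=False)

def port_count(ports):
    # a port is an int; a (lo, hi) tuple is a range and counts as 2 ports
    return sum(2 if isinstance(p, tuple) else 1 for p in ports)

def port_matches(ports, value):
    # an empty port list matches any port, as the page's default
    return not ports or any(
        p[0] <= value <= p[1] if isinstance(p, tuple) else p == value for p in ports)

@dataclass
class Packet:
    proto: str                   # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    sport: int = 0               # for icmp: the ICMP type
    dport: int = 0
    syn: bool = False
    ack: bool = False
    first_fragment: bool = True
    tos: int = 0

@dataclass
class Rule:
    policy: str = "accept"       # accept/deny/reject/masquerade; None for -A rules
    proto: str = "all"           # -P
    src: str = None              # -S address[/mask]
    sports: list = field(default_factory=list)
    dst: str = None              # -D address[/mask]
    dports: list = field(default_factory=list)
    bidirectional: bool = False  # -b
    ack_only: bool = False       # -k
    syn_only: bool = False       # -y
    tos: tuple = None            # -t andmask xormask
    packets: int = field(default=0, compare=False)

    def __post_init__(self):
        if port_count(self.sports) + port_count(self.dports) > IP_FW_MAX_PORTS:
            raise ValueError("more than IP_FW_MAX_PORTS ports specified")
        self.src_net, self.dst_net = parse_net(self.src), parse_net(self.dst)

    def _one_way(self, src, sport, dst, dport):
        return (ipaddress.ip_address(src) in self.src_net
                and port_matches(self.sports, sport)
                and ipaddress.ip_address(dst) in self.dst_net
                and port_matches(self.dports, dport))

    def matches(self, pkt, accounting=False):
        if self.proto not in ("all", pkt.proto):
            return False
        if pkt.proto == "tcp" and ((self.ack_only and not pkt.ack) or
                                   (self.syn_only and not (pkt.syn and not pkt.ack))):
            return False             # -k and -y are ignored for other protocols
        sp, dp = pkt.sport, pkt.dport
        if accounting and not pkt.first_fragment:    # later fragments: reserved ports
            sp = dp = FRAG_ICMP if pkt.proto == "icmp" else FRAG_PORT
        return (self._one_way(pkt.src, sp, pkt.dst, dp) or
                self.bidirectional and self._one_way(pkt.dst, dp, pkt.src, sp))

@dataclass
class Chain:
    """One rule list walked in order; the default policy (-p) applies last."""
    default: str = "deny"
    rules: list = field(default_factory=list)

    def check(self, pkt):        # -c on a firewall chain: (policy, resulting TOS)
        if not pkt.first_fragment:
            return "accept", pkt.tos     # later fragments always pass the firewall
        for rule in self.rules:
            if rule.matches(pkt):
                tos = pkt.tos
                if rule.tos and rule.policy in ("accept", "masquerade"):
                    tos = (tos & rule.tos[0]) ^ rule.tos[1]
                return rule.policy, tos
        return self.default, pkt.tos

    def account(self, pkt):      # -A chain: every matching rule counts the packet
        for rule in self.rules:
            rule.packets += int(rule.matches(pkt, accounting=True))

def demo_input_chain():
    """Constructed input firewall for host 192.168.1.1 on LAN 192.168.1.0/24."""
    return Chain("deny", [
        # ipfwadm -I -a accept -P tcp -S 192.168.1.0/24 -D 192.168.1.1 22 -t 01 10
        Rule("accept", "tcp", "192.168.1.0/24", [], "192.168.1.1", [22], tos=(0x01, 0x10)),
        # ipfwadm -I -a accept -P tcp -k        (replies to connections we opened)
        Rule("accept", "tcp", ack_only=True),
        # ipfwadm -I -a reject -P tcp -y        (any other new inbound connection)
        Rule("reject", "tcp", syn_only=True)])
```

       Two points worth checking against the model: a `-P all -k` rule matches
       every UDP packet because -k is ignored for non-TCP traffic, so the
       protocol should be restricted to tcp when the intent is "established
       replies only"; and a later TCP fragment passes the firewall chain
       regardless of the rules, while the accounting chain can still count it
       via a rule on port 0xFFFF.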

FILES

       /proc/net/ip_acct
       /proc/net/ip_input
       /proc/net/ip_output
       /proc/net/ip_forward
       /proc/net/ip_masquerade

SEE ALSO

       ipfw(4)

AUTHOR

       Jos Vos <jos@xos.nl>
       X/OS Experts in Open Systems BV, Amsterdam, The Netherlands

                                 July 30, 1996                      IPFWADM(8)