sbin/ipfw/ipfw.8
Context not available. | |||||
depending on how the kernel is configured. | depending on how the kernel is configured. | ||||
.Pp | .Pp | ||||
If the ruleset includes one or more rules with the | If the ruleset includes one or more rules with the | ||||
.Cm keep-state | .Cm keep-state , | ||||
.Cm record-state , | |||||
.Cm limit | |||||
or | or | ||||
.Cm limit | .Cm set-limit | ||||
option, | option, | ||||
the firewall will have a | the firewall will have a | ||||
.Em stateful | .Em stateful | ||||
Context not available. | |||||
.Cm limit | .Cm limit | ||||
rule, and are typically used to open the firewall on-demand to | rule, and are typically used to open the firewall on-demand to | ||||
legitimate traffic only. | legitimate traffic only. | ||||
Please, note, that | |||||
.Cm keep-state | |||||
amd | |||||
.Cm limit | |||||
imply implicit | |||||
.Cm check-state | |||||
for all packets (not only these matched by the rule) but | |||||
.Cm record-state | |||||
and | |||||
.Cm set-limit | |||||
have no implicit | |||||
.Cm check-state . | |||||
See the | See the | ||||
.Sx STATEFUL FIREWALL | .Sx STATEFUL FIREWALL | ||||
and | and | ||||
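Review bot: the added sentence beginning "Please, note, that" has a typo, "amd" between .Cm keep-state and .Cm limit should be "and", and "not only these matched by the rule" should be "not only those matched by the rule". The two leading commas also read oddly in mdoc; suggest "Note that" on its own line and "imply an implicit" rather than "imply implicit". The same statement is repeated under the new .Cm record-state and .Cm set-limit entries below, so consider stating it once here and pointing to those entries instead of saying it three times.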
Context not available. | |||||
packet delivery. | packet delivery. | ||||
.Pp | .Pp | ||||
Note: this condition is checked before any other condition, including | Note: this condition is checked before any other condition, including | ||||
ones such as keep-state or check-state which might have side effects. | ones such as | ||||
.Cm keep-state | |||||
or | |||||
.Cm check-state | |||||
which might have | |||||
side effects. | |||||
.It Cm log Op Cm logamount Ar number | .It Cm log Op Cm logamount Ar number | ||||
Packets matching a rule with the | Packets matching a rule with the | ||||
.Cm log | .Cm log | ||||
Context not available. | |||||
.It Cm bridged | .It Cm bridged | ||||
Alias for | Alias for | ||||
.Cm layer2 . | .Cm layer2 . | ||||
.It Cm defer-immediate-action | defer-action | |||||
A rule with this option will not perform normal action | |||||
upon a match. This option is intended to be used with | |||||
.Cm record-state | |||||
or | |||||
.Cm keep-state | |||||
as the dynamic rule, created but ignored on match, will work | |||||
as intended. | |||||
Rules with both | |||||
.Cm record-state | |||||
and | |||||
.Cm defer-immediate-action | |||||
create a dynamic rule and continue with the next rule without actually | |||||
performing the action part of this rule. When the rule is later activated | |||||
via the state table, the action is performed as usual. | |||||
.It Cm diverted | .It Cm diverted | ||||
Matches only packets generated by a divert socket. | Matches only packets generated by a divert socket. | ||||
.It Cm diverted-loopback | .It Cm diverted-loopback | ||||
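Review bot: the option is introduced here as "defer-immediate-action | defer-action", but the STATEFUL FIREWALL paragraph and the NAT section refer only to .Cm defer-action, and the NAT example rule uses "skip-action", which is defined nowhere in this diff; settle on one keyword (or document the alias the way .Cm bridged / .Cm layer2 is done just above) and use it in all three places. The first two sentences are also unclear: "will not perform normal action" needs "the", and "as the dynamic rule, created but ignored on match, will work as intended" does not say what is deferred; suggest "A rule with this option creates the dynamic rule but does not perform its action on the matching packet; the action is performed later, when the dynamic rule is matched by .Cm check-state". Since the NAT section states that a .Cm keep-state rule performs its action as soon as its implicit check-state matches existing state, the entry should also say whether this option suppresses that, or recommend combining it with .Cm record-state only.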
julian: However, this option doesn't imply an implicit check-state
julian: remove 'exactly'
julian: but does not have an implicit check-state.
julian: A rule with...
julian: as the dynamic rule, created but ignored on match, will..
julian: Rules with both .....create a dynamic rule and continue with the next rule, but when the state is checked and the dynamic rule matches, the action will be performed as usual.
julian: create a dynamic rule and continue with the next rule without actually performing the action part of this rule. When the rule is later activated via the state table, the action is performed as usual.
Context not available. | |||||
option is used, in which case symbolic resolution will be attempted). | option is used, in which case symbolic resolution will be attempted). | ||||
.It Cm proto Ar protocol | .It Cm proto Ar protocol | ||||
Matches packets with the corresponding IP protocol. | Matches packets with the corresponding IP protocol. | ||||
.It Cm record-state | |||||
Upon a match, the firewall will create a dynamic rule as if | |||||
.Cm keep-state | |||||
was specified. | |||||
However, this option doesn't imply an implicit | |||||
.Cm check-state | |||||
in contrast to | |||||
.Cm keep-state . | |||||
.It Cm recv | xmit | via Brq Ar ifX | Ar if Ns Cm * | Ar table Ns Po Ar name Ns Oo , Ns Ar value Oc Pc | Ar ipno | Ar any | .It Cm recv | xmit | via Brq Ar ifX | Ar if Ns Cm * | Ar table Ns Po Ar name Ns Oo , Ns Ar value Oc Pc | Ar ipno | Ar any | ||||
Matches packets received, transmitted or going through, | Matches packets received, transmitted or going through, | ||||
respectively, the interface specified by exact name | respectively, the interface specified by exact name | ||||
Context not available. | |||||
originating from the local host have no receive interface, | originating from the local host have no receive interface, | ||||
while packets destined for the local host have no transmit | while packets destined for the local host have no transmit | ||||
interface. | interface. | ||||
.It Cm set-limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N | |||||
Works like | |||||
.Cm limit | |||||
but does not have an implicit | |||||
.Cm check-state | |||||
attached to it. | |||||
.It Cm setup | .It Cm setup | ||||
Matches TCP packets that have the SYN bit set but no ACK bit. | Matches TCP packets that have the SYN bit set but no ACK bit. | ||||
This is the short form of | This is the short form of | ||||
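Review bot: in the new .Cm record-state entry, "doesn't imply an implicit .Cm check-state in contrast to .Cm keep-state" should use "does not" like the rest of the page (the .Cm set-limit entry just below already says "but does not have an implicit") and put the contrast first: "Unlike .Cm keep-state , this option does not imply an implicit .Cm check-state ." For symmetry the trailing "attached to it." in the .Cm set-limit entry can be dropped so both entries end with ".Cm check-state ."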
Context not available. | |||||
match a given pattern are detected. | match a given pattern are detected. | ||||
Support for stateful | Support for stateful | ||||
operation comes through the | operation comes through the | ||||
.Cm check-state , keep-state | .Cm check-state , keep-state , record-state , limit | ||||
and | and | ||||
.Cm limit | .Cm set-limit | ||||
options of | options of | ||||
.Nm rules . | .Nm rules . | ||||
.Pp | .Pp | ||||
Dynamic rules are created when a packet matches a | Dynamic rules are created when a packet matches a | ||||
.Cm keep-state | .Cm keep-state , | ||||
.Cm record-state , | |||||
.Cm limit | |||||
or | or | ||||
.Cm limit | .Cm set-limit | ||||
rule, causing the creation of a | rule, causing the creation of a | ||||
.Em dynamic | .Em dynamic | ||||
rule which will match all and only packets with | rule which will match all and only packets with | ||||
Context not available. | |||||
ruleset to minimize the amount of work scanning the ruleset. | ruleset to minimize the amount of work scanning the ruleset. | ||||
Your mileage may vary. | Your mileage may vary. | ||||
.Pp | .Pp | ||||
For more complex scenarios with dynamic rules | |||||
.Cm record-state | |||||
and | |||||
.Cm defer-action | |||||
can be used to precisely control creation and checking of dynamic rules. | |||||
Example of usage of these options are provided in | |||||
.Sx NETWORK ADDRESS TRANSLATION (NAT) | |||||
Section. | |||||
.Pp | |||||
To limit the number of connections a user can open | To limit the number of connections a user can open | ||||
you can use the following type of rules: | you can use the following type of rules: | ||||
.Pp | .Pp | ||||
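Review bot: "Example of usage of these options are provided in" is a number-agreement error ("Examples ... are" or "An example ... is"), "Section." should be lowercase, and "For more complex scenarios with dynamic rules" needs a comma before .Cm record-state. The .Sx argument must match the section heading exactly for the cross-reference to render, so check "NETWORK ADDRESS TRANSLATION (NAT)" against the actual .Sh line. .Cm defer-action here should use whichever keyword the option's own entry settles on.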
Context not available. | |||||
.Dl " 10.0.0.100" | .Dl " 10.0.0.100" | ||||
.Dl "ipfw nat 5 config redirect_port tcp" | .Dl "ipfw nat 5 config redirect_port tcp" | ||||
.Dl " 192.168.0.1:80,192.168.0.10:22,192.168.0.20:25 500" | .Dl " 192.168.0.1:80,192.168.0.10:22,192.168.0.20:25 500" | ||||
.Pp | |||||
Sometimes you may want to mix NAT and dynamic rules. It could be achived with | |||||
.Cm record-state | |||||
and | |||||
.Cm defer-action | |||||
options. Problem is, you need to create dynamic rule before NAT and check it | |||||
after NAT actions (or vice versa) to have consistent addresses and ports. | |||||
Rule with | |||||
.Cm keep-state | |||||
option will trigger activation of existing dynamic state, and action of such | |||||
rule will be performed as soon as rule is matched. In case of NAT and | |||||
.Cm allow | |||||
rule packet need to be passed to NAT, not allowed as soon is possible. | |||||
.Pp | |||||
There is example of set of rules to achive this. Bear in mind that this | |||||
is exmaple only and it is not very usefult by itself. | |||||
.Pp | |||||
On way out, after all checks place this rules: | |||||
.Pp | |||||
.Dl "ipfw add allow record-state skip-action" | |||||
.Dl "ipfw add nat 1" | |||||
.Pp | |||||
And on way in there should be something like this: | |||||
.Pp | |||||
.Dl "ipfw add nat 1" | |||||
.Dl "ipfw add check-state" | |||||
.Pp | |||||
Please note, that first rule on way out doesn't allow packet and doesn't | |||||
execute existing dynamic rules. All it does, create new dynamic rule with | |||||
.Cm allow | |||||
action, if it is not created yet. Later, this dynamic rule is used on way | |||||
in by | |||||
.Cm check-state | |||||
rule. | |||||
.Sh SEE ALSO | .Sh SEE ALSO | ||||
.Xr cpp 1 , | .Xr cpp 1 , | ||||
.Xr m4 1 , | .Xr m4 1 , | ||||
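Review bot: the example rule "ipfw add allow record-state skip-action" uses a keyword, "skip-action", that the rest of this diff calls "defer-action" (or "defer-immediate-action"); if only the documented names are accepted the example will not parse, so align it with the option entry. Spelling and grammar in the new paragraphs: "achived" (twice), "exmaple", "usefult", "There is example of set of rules", "On way out, after all checks place this rules", "And on way in", "Problem is, you need", and "rule packet need to be passed to NAT, not allowed as soon is possible" (suggest "With NAT and an .Cm allow rule the packet must still reach the NAT rule instead of being allowed immediately."). The closing paragraph says the first outbound rule does not allow the packet, so it should also say where the outbound packet is finally passed after "ipfw add nat 1", and state that the inbound .Cm check-state runs after NAT so that it sees the same addresses and ports the state was recorded with, which is the reason for the ordering the paragraph describes as "create dynamic rule before NAT and check it after NAT actions".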
Context not available. |