FreeBSD Manual Pages
IP FILTER(4)		   Kernel Interfaces Manual		  IP FILTER(4)

NAME
       ipfilter	- Introduction to IP packet filtering

DESCRIPTION
       IP Filter is a TCP/IP packet filter, suitable for use in a firewall
       environment. It can be used either as a loadable kernel module or
       incorporated into your UNIX kernel; use as a loadable kernel module
       where possible is highly recommended. Scripts are provided to install
       and patch system files, as required.

FEATURES
       The IP packet filter can:

	      explicitly deny/permit any packet	from passing through

	      distinguish between various interfaces

	      filter by	IP networks or hosts

	      selectively filter any IP	protocol

	      selectively filter fragmented IP packets

	      selectively filter packets with IP options

	      send back	an ICMP	error/TCP reset	for blocked packets

	      keep packet state	information for	TCP, UDP and ICMP packet flows

	      keep  fragment state information for any IP packet, applying the
	      same rule	to all fragments.

	      act as a Network Address Translator (NAT)

	      use redirection to setup true transparent	proxy connections

              provide packet header details to a user program for
              authentication

	      in  addition,  supports  temporary  storage of pre-authenticated
	      rules for	passing	packets	through

       Special provision is made for the three most common Internet protocols,
       TCP, UDP	and ICMP. The IP Packet	filter allows filtering	of:

              Inverted host/net matching

              TCP/UDP packets by port number or a port number range

	      ICMP packets by type/code

	      "established" TCP	packets

              any arbitrary combination of TCP flags

	      "short"  (fragmented)  IP	packets	with incomplete	headers	can be
	      filtered

              any of the 19 IP options or 8 registered IP security classes

              TOS (Type of Service) field in packets

       To keep track of the performance of the IP packet filter, a logging
       device is used which supports logging of:

	      the TCP/UDP/ICMP and IP packet headers

	      the first	128 bytes of the packet	(including headers)

       A packet	can be logged when:

	      it is successfully passed	through

	      it is blocked from passing through

              it matches a rule set up to look for suspicious packets

       IP Filter keeps its own set of statistics on:

	      packets blocked

	      packets (and bytes!) used	for accounting

	      packets passed

	      packets logged

	      attempts to log which failed (buffer full)

	      and much more, for packets going both in and out.

Tools
       The current implementation provides a small set of tools, which can
       easily be used and integrated with regular UNIX shells and tools. A
       brief description of the tools provided:

       ipf(8) reads in a set of rules, from either stdin or a file, and adds
       them to the kernel's current list (appending them). It can also be used
       to flush the current filter set or delete individual filter rules. The
       file format is described in ipf(5).

       ipfs(8) is a utility to temporarily lock the IP Filter kernel tables
       (state tables and NAT mappings) and write them to disk. After that the
       system can be rebooted, and ipfs can be used to read these tables from
       disk and restore them into the kernel. This way the system can be
       rebooted without the connections being terminated.

       ipfstat(8)  interrogates	the kernel for statistics on packet filtering,
       so far, and retrieves the list of filters in operation for inbound  and
       outbound	packets.

       ipftest(1) reads in a filter rule file and then applies sample IP
       packets to the rule file. This allows for testing of a filter list and
       examination of how a packet is passed along through it.
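       As an added example (not part of this manual page), the following
       script writes a small ipf(5) rule set for a single-homed host and a
       matching set of ipftest(1) packet descriptions, then runs ipftest
       against them where it is installed. The interface name em0, the
       TEST-NET addresses and the packet text format (as documented in
       ipftest(1)) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the ipfilter(4) page. Interface "em0" and the
# addresses 192.0.2.10 / 198.51.100.x are constructed documentation values.

# ipf(5) rules. Rules are checked in order and the LAST match decides,
# unless the matching rule says "quick", which ends the search at once.
ipf_rules() {
cat <<'EOF'
# default deny, logged to /dev/ipl for ipmon(8); not quick, so later rules win
block in log all
block out log all
# never filter loopback
pass in quick on lo0 all
pass out quick on lo0 all
# inbound: only new SSH and SMTP sessions; keeping state lets the rest of
# the session pass via the state table instead of the rule list
pass in quick on em0 proto tcp from any to 192.0.2.10 port = 22 flags S keep state
pass in quick on em0 proto tcp from any to 192.0.2.10 port = 25 flags S keep state
# answer any other TCP probe with a reset instead of a silent drop
block return-rst in quick on em0 proto tcp from any to 192.0.2.10
# outbound: whatever this host initiates, with state so replies are admitted
pass out quick on em0 proto tcp/udp from 192.0.2.10 to any keep state
EOF
}

# ipftest(1) text input: [in|out] on <if> <proto> <src>,<sport> <dst>,<dport> [flags]
ipf_packets() {
cat <<'EOF'
in on em0 tcp 198.51.100.7,40000 192.0.2.10,22 S
in on em0 tcp 198.51.100.7,40001 192.0.2.10,23 S
in on em0 tcp 198.51.100.7,40002 192.0.2.10,22 A
out on em0 udp 192.0.2.10,5353 198.51.100.53,53
EOF
}

# sanity checks on the rule set's shape before it is handed to ipf(8)
count_quick() { ipf_rules | grep -c '^[a-z].* quick '; }
count_stateful() { ipf_rules | grep -c 'keep state$'; }

run_ipftest() {
	rules=$(mktemp) && pkts=$(mktemp)
	ipf_rules >"$rules"; ipf_packets >"$pkts"
	# expected: packets 1 and 4 pass and create state; packet 2 (telnet) and
	# packet 3 (bare ACK with no state, so "flags S" fails) get a RST
	ipftest -r "$rules" -i "$pkts"
	rm -f "$rules" "$pkts"
}

# only invoke the real tool where the IP Filter userland is installed
if command -v ipftest >/dev/null 2>&1; then run_ipftest; fi
```

       Once ipftest shows the intended verdicts, the same file is loaded into
       the kernel with ipf(8).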

       ipmon(8)	 reads	buffered  data	from  the  logging  device (default is
       /dev/ipl) for output to either:

	      screen (standard output)

	      file

	      syslog

       ipsend(1) generates arbitrary IP packets for ethernet connected
       machines.

       ipresend(1) reads in a data file of saved IP packets (i.e. snoop,
       tcpdump or etherfind output) and sends it back across the network.

       iptest(1) contains a set of test "programs" which send out a series of
       IP packets, aimed at testing the strength of the TCP/IP stack of the
       targeted machine. WARNING: this may crash machine(s) targeted!

       ipnat(8) reads in a set of rules, from either stdin or a file, and adds
       them to the kernel's current list of active NAT rules. NAT rules can
       also be deleted using ipnat. The format of the configuration file to be
       used with ipnat is described in ipnat(5).

       For use in your own programs (e.g. for writing transparent application
       proxies), the programming interface and the associated ioctls are
       documented in ipf(4).

       Documentation on ioctls and the format of data saved to the logging
       character device is provided in ipl(4) so that you may develop your own
       applications to work with or in place of any of the above.

       Similarly, the interface to the NAT code is documented in ipnat(4).

PACKET PROCESSING FLOW
       The following diagram illustrates the flow of  TCP/IP  packets  through
       the various stages introduced by	IP Filter.

					  IN
					   |
					   V
		 +-------------------------+--------------------------+
		 |			   |			      |
		 |			   V			      |
		 |	      Network Address Translation	      |
		 |			   |			      |
		 |	   authenticated   |			      |
		 |	 +-------<---------+			      |
		 |	 |		   |			      |
		 |	 |		   V			      |
		 |	 V	     IP	Accounting		      |
		 |	 |		   |			      |
		 |	 |		   V			      |
		 |	 |	  Fragment Cache Check--+	      |
		 |	 |		   |		|	      |
		 |	 V		   V		V	      |
		 |	 |	   Packet State	Check-->+	      |
		 |	 |		   |		|	      |
		 |	 |	 +->--+	   |		|	      |
		 |	 |	 |    |	   V		|	      |
		 |	 V   groups   IP Filtering	V	      |
		 |	 |	 |    |	   |		|	      |
		 |	 |	 +--<-+	   |		|	      |
		 |	 |		   |		|	      |
		 |	 +---------------->|<-----------+	      |
		 |			   |			      |
		 |			   V			      |
		 |		  +---<----+			      |
		 |		  |	   |			      |
		 |	      function	   |			      |
		 |		  |	   V			      |
		 |		  +--->----+			      |
		 |			   |			      |
		 |			   V			      |
	      +--|---<--- fast-route ---<--+			      |
	      |	 |			   |			      |
	      |	 |			   V			      |
	      |	 +-------------------------+--------------------------+
	      |				   |
	      |			       pass only
	      |				   |
	      |				   V
	      V		      [KERNEL TCP/IP Processing]
	      |				   |
	      |	 +-------------------------+--------------------------+
	      |	 |			   |			      |
	      |	 |			   V			      |
	      |	 |		  Fragment Cache Check--+	      |
	      |	 |			   |		|	      |
	      |	 |			   V		V	      |
	      |	 |		   Packet State	Check-->+	      |
	      |	 |			   |		|	      |
	      |	 |			   V		|	      |
	      V	 |		      IP Filtering	|	      |
	      |	 |			   |		V	      |
	      |	 |			   |<-----------+	      |
	      |	 |			   V			      |
	      |	 |		     IP	Accounting		      |
	      |	 |			   |			      |
	      |	 |			   V			      |
	      |	 |	      Network Address Translation	      |
	      |	 |			   |			      |
	      |	 |			   V			      |
	      |	 +-------------------------+--------------------------+
	      |				   |
	      |			       pass only
	      V				   |
	      +--------------------------->|
					   V
					  OUT

MORE INFORMATION
       The IP Filter FAQ can be	found at https://www.phildev.net/ipf/

SEE ALSO
       ipf(4), ipf(5), ipf(8), ipfilter(5), ipfs(8), ipfstat(8), ipftest(1),
       ipl(4), ipmon(8), ipnat(4), ipnat(8)
