[apple/xnu.git] / bsd / man / man4 / ipfirewall.4

.Dd June 22, 1997
.Dt IPFIREWALL 4
.Os Darwin
.Sh NAME
.Nm ipfirewall
.Nd IP packet filter and traffic accounting
.Sh SYNOPSIS
.Fd #include <sys/types.h>
.Fd #include <sys/queue.h>
.Fd #include <netinet/in.h>
.Fd #include <netinet/ip_fw.h>
.Ft int
.Fn setsockopt raw_socket IPPROTO_IP "ipfw option" "struct ipfw" size
.\"--------------------------------------------------------------------------------------------
.Sh DESCRIPTION
.\"--------------------------------------------------------------------------------------------
IPFirewall (sometimes referred to as "ipfw") is a system facility which allows filtering,
redirecting, and other operations on IP packets travelling through network interfaces.  Packets
are matched by applying an ordered list of pattern rules against each packet until a match is
found, at which point the corresponding action is taken.  Rules are numbered from 1 to 65534;
multiple rules may share the same number.
.Pp
There is one rule that always exists, rule number 65535.  This rule normally causes all packets
to be dropped.  Hence, any packet which does not match a lower numbered rule will be dropped.
However, the kernel compile time option
.Dv IPFIREWALL_DEFAULT_TO_ACCEPT
allows the administrator to change this fixed rule to permit everything.
.Pp
The buffer passed down via the socket-option call should contain a "struct ip_fw" that is
initialized with the required parameters for the firewall command being invoked.  This
structure is consistently required for every firewall command, even though in some cases
the majority of its fields will go unused.  The reason for this is the API versioning that
the firewall supports for the sake of backward compatibility.  The
.Dv version
field of this
structure should always be set to
.Dv IP_FW_CURRENT_API_VERSION
or an EINVAL error will be returned.
.Ss Commands
The following socket options are used to manage the rule list:
.Bl -tag -width "IP_FW_FLUSH"
.It Dv IP_FW_ADD
inserts the rule into the rule list
.It Dv IP_FW_DEL
deletes all rules having the matching rule number
.It Dv IP_FW_GET
returns the (first) rule having the matching rule number
.It Dv IP_FW_ZERO
zeros the statistics associated with all rules having the
matching rule number.
If the rule number is zero, all rules are zeroed.
.It Dv IP_FW_FLUSH
removes all rules (except 65535).
.El
.Pp
When the kernel security level is greater than 2, only
.Dv IP_FW_GET
is allowed.
.\"--------------------------------------------------------------------------------------------
.Ss Rule Structure
.\"--------------------------------------------------------------------------------------------
Rules are described by the following structure:
.Bd -literal
/* One ipfw rule */
struct ip_fw {
    u_int32_t version;              /* Version of this structure.  Should always be */
                                    /* set to IP_FW_CURRENT_API_VERSION by clients. */
    void *context;                  /* Context that is usable by user processes to */
                                    /* identify this rule. */
    u_int64_t fw_pcnt,fw_bcnt;          /* Packet and byte counters */
    struct in_addr fw_src, fw_dst;      /* Source and destination IP addr */
    struct in_addr fw_smsk, fw_dmsk;    /* Mask for src and dest IP addr */
    u_short fw_number;                  /* Rule number */
    u_int fw_flg;                       /* Flags word */
#define IP_FW_MAX_PORTS 10              /* A reasonable maximum */
        union {
        u_short fw_pts[IP_FW_MAX_PORTS];        /* Array of port numbers to match */
#define IP_FW_ICMPTYPES_MAX     128
#define IP_FW_ICMPTYPES_DIM     (IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8))
        unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */
        } fw_uar;
    u_int fw_ipflg;                     /* IP flags word */
    u_char fw_ipopt,fw_ipnopt;          /* IP options set/unset */
    u_char fw_tcpopt,fw_tcpnopt;        /* TCP options set/unset */
    u_char fw_tcpf,fw_tcpnf;            /* TCP flags set/unset */
    long timestamp;                     /* timestamp (tv_sec) of last match */
    union ip_fw_if fw_in_if, fw_out_if; /* Incoming and outgoing interfaces */
    union {
        u_short fu_divert_port;         /* Divert/tee port (options IPDIVERT) */
        u_short fu_pipe_nr;             /* queue number (option DUMMYNET) */
        u_short fu_skipto_rule;         /* SKIPTO command rule number */
        u_short fu_reject_code;         /* REJECT response code */
        struct sockaddr_in fu_fwd_ip;
    } fw_un;
    u_char fw_prot;                     /* IP protocol */
        /*
         * N'of src ports and # of dst ports in ports array (dst ports
         * follow src ports; max of 10 ports in all; count of 0 means
         * match all ports)
         */
    u_char fw_nports;
    void *pipe_ptr;                    /* flow_set ptr for dummynet pipe */
    void *next_rule_ptr ;              /* next rule in case of match */
    uid_t fw_uid;                       /* uid to match */
    int fw_logamount;                   /* amount to log */
    u_int64_t fw_loghighest;            /* highest number packet to log */
};

The ip_fw.h header also contains macros for setting the fw_ports field and various
flags and constants for setting other fields.
.Ed
.\"--------------------------------------------------------------------------------------------
.Ss Rule Actions
.\"--------------------------------------------------------------------------------------------
Each rule has an action described by the IP_FW_F_COMMAND bits in the flags word:
.Bl -tag -width "IP_FW_F_DIVERT"
.It Dv IP_FW_F_DENY
drop packet
.It Dv IP_FW_F_REJECT
drop packet; send rejection via ICMP or TCP
.It Dv IP_FW_F_ACCEPT
accept packet
.It Dv IP_FW_F_COUNT
increment counters; continue matching
.It Dv IP_FW_F_DIVERT
divert packet to a
.Xr divert 4
socket
.It Dv IP_FW_F_TEE
copy packet to a
.Xr divert 4
socket; continue
.It Dv IP_FW_F_SKIPTO
skip to rule number
.Va fu_skipto_rule
.El
.Pp
In the case of
.Dv IP_FW_F_REJECT ,
if the
.Va fu_reject_code
is a number from 0 to 255, then an ICMP unreachable packet is sent back to the
original packet's source IP address, with the corresponding code.  Otherwise, the
value must be 256 and the protocol
.Dv IPPROTO_TCP ,
in which case a TCP reset packet is sent instead.
.Pp
With
.Dv IP_FW_F_SKIPTO ,
all succeeding rules having rule number less than
.Va fu_skipto_rule
are skipped.
.Ss Kernel Options
Options in the kernel configuration file:
.Bl -tag -width "options IPFIREWALL_VERBOSE_LIMIT"
.It Cd options IPFIREWALL
enable
.Nm
.It Cd options IPFIREWALL_VERBOSE
enable firewall logging
.It Cd options IPFIREWALL_VERBOSE_LIMIT
limit firewall logging
.It Cd options IPDIVERT
enable
.Xr divert 4
sockets
.El
.Pp
When packets match a rule with the
.Dv IP_FW_F_PRN
bit set, and if
.Dv IPFIREWALL_VERBOSE
has been enabled,a message is written to
.Pa /dev/klog
with the
.Dv LOG_SECURITY
facility
(see
.Xr syslog 3 )
for further logging by
.Xr syslogd 8 ;
.Dv IPFIREWALL_VERBOSE_LIMIT
limits the maximum number of times each rule can cause a log message. These variables are also
available via the
.Xr sysctl 3
interface.
.\"--------------------------------------------------------------------------------------------
.Sh RETURN VALUES
.\"--------------------------------------------------------------------------------------------
The
.Fn setsockopt
function returns 0 on success.  Otherwise, -1 is returned and the global variable
.Va errno
is set to indicate the error.
.\"--------------------------------------------------------------------------------------------
.Sh ERRORS
.\"--------------------------------------------------------------------------------------------
The
.Fn setsockopt
function will fail if:
.Bl -tag -width Er
.It Bq Er EINVAL
The IP option field was improperly formed;
an option field was shorter than the minimum value
or longer than the option buffer provided.
.It Bq Er EINVAL
A structural error in ip_fw structure occurred
(n_src_p+n_dst_p too big, ports set for ALL/ICMP protocols etc.).
.It Bq Er EINVAL
The version field of the ip_fw structure was set to a value not supported by the
currently-installed
.Dv IPFirewall,
or no ip_fw structure was passed to it at all.
.It Bq Er EINVAL
An invalid rule number was used.
.El
.\"--------------------------------------------------------------------------------------------
.Sh SEE ALSO
.\"--------------------------------------------------------------------------------------------
.Xr setsockopt 2 ,
.Xr divert 4 ,
.Xr ip 4 ,
.Xr ipfw 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8
.\"--------------------------------------------------------------------------------------------
.Sh BUGS
.\"--------------------------------------------------------------------------------------------
The ``tee'' rule is not yet implemented (currently it has no effect).
.Pp
This man page still needs work.
.\"--------------------------------------------------------------------------------------------
.Sh HISTORY
.\"--------------------------------------------------------------------------------------------
The ipfw facility was initially written as package to BSDI by
.An Daniel Boulet
.Aq danny@BouletFermat.ab.ca .
It has been heavily modified and ported to
.Fx
by
.An Ugen J.S. Antsilevich
.Aq ugen@NetVision.net.il .
.Pp
Several enhancements added by
.An Archie Cobbs
.Aq archie@FreeBSD.org .
Commit	Line	Data
9bccf70c A	1	.Dd June 22, 1997
	2	.Dt IPFIREWALL 4
	3	.Os Darwin
	4	.Sh NAME
	5	.Nm ipfirewall
	6	.Nd IP packet filter and traffic accounting
	7	.Sh SYNOPSIS
	8	.Fd #include <sys/types.h>
	9	.Fd #include <sys/queue.h>
	10	.Fd #include <netinet/in.h>
	11	.Fd #include <netinet/ip_fw.h>
	12	.Ft int
	13	.Fn setsockopt raw_socket IPPROTO_IP "ipfw option" "struct ipfw" size
	14	.\"--------------------------------------------------------------------------------------------
	15	.Sh DESCRIPTION
	16	.\"--------------------------------------------------------------------------------------------
	17	IPFirewall (sometimes referred to as "ipfw") is a system facility which allows filtering,
	18	redirecting, and other operations on IP packets travelling through network interfaces. Packets
	19	are matched by applying an ordered list of pattern rules against each packet until a match is
	20	found, at which point the corresponding action is taken. Rules are numbered from 1 to 65534;
	21	multiple rules may share the same number.
	22	.Pp
	23	There is one rule that always exists, rule number 65535. This rule normally causes all packets
	24	to be dropped. Hence, any packet which does not match a lower numbered rule will be dropped.
	25	However, the kernel compile time option
	26	.Dv IPFIREWALL_DEFAULT_TO_ACCEPT
	27	allows the administrator to change this fixed rule to permit everything.
	28	.Pp
	29	The buffer passed down via the socket-option call should contain a "struct ip_fw" that is
	30	initialized with the required parameters for the firewall command being invoked. This
	31	structure is consistently required for every firewall command, even though in some cases
	32	the majority of its fields will go unused. The reason for this is the API versioning that
	33	the firewall supports for the sake of backward compatibility. The
	34	.Dv version
	35	field of this
	36	structure should always be set to
	37	.Dv IP_FW_CURRENT_API_VERSION
	38	or an EINVAL error will be returned.
	39	.Ss Commands
	40	The following socket options are used to manage the rule list:
	41	.Bl -tag -width "IP_FW_FLUSH"
	42	.It Dv IP_FW_ADD
	43	inserts the rule into the rule list
	44	.It Dv IP_FW_DEL
	45	deletes all rules having the matching rule number
	46	.It Dv IP_FW_GET
	47	returns the (first) rule having the matching rule number
	48	.It Dv IP_FW_ZERO
	49	zeros the statistics associated with all rules having the
	50	matching rule number.
	51	If the rule number is zero, all rules are zeroed.
	52	.It Dv IP_FW_FLUSH
	53	removes all rules (except 65535).
	54	.El
	55	.Pp
	56	When the kernel security level is greater than 2, only
	57	.Dv IP_FW_GET
	58	is allowed.
	59	.\"--------------------------------------------------------------------------------------------
	60	.Ss Rule Structure
	61	.\"--------------------------------------------------------------------------------------------
	62	Rules are described by the following structure:
	63	.Bd -literal
	64	/* One ipfw rule */
65	struct ip_fw {
66	u_int32_t version; /* Version of this structure. Should always be */
67	/* set to IP_FW_CURRENT_API_VERSION by clients. */
68	void context; / Context that is usable by user processes to */
69	/* identify this rule. */
70	u_int64_t fw_pcnt,fw_bcnt; /* Packet and byte counters */
71	struct in_addr fw_src, fw_dst; /* Source and destination IP addr */
72	struct in_addr fw_smsk, fw_dmsk; /* Mask for src and dest IP addr */
73	u_short fw_number; /* Rule number */
74	u_int fw_flg; /* Flags word */
75	#define IP_FW_MAX_PORTS 10 /* A reasonable maximum */
76	union {
77	u_short fw_pts[IP_FW_MAX_PORTS]; /* Array of port numbers to match */
78	#define IP_FW_ICMPTYPES_MAX 128
79	#define IP_FW_ICMPTYPES_DIM (IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8))
80	unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */
81	} fw_uar;
82	u_int fw_ipflg; /* IP flags word */
83	u_char fw_ipopt,fw_ipnopt; /* IP options set/unset */
84	u_char fw_tcpopt,fw_tcpnopt; /* TCP options set/unset */
85	u_char fw_tcpf,fw_tcpnf; /* TCP flags set/unset */
86	long timestamp; /* timestamp (tv_sec) of last match */
87	union ip_fw_if fw_in_if, fw_out_if; /* Incoming and outgoing interfaces */
88	union {
89	u_short fu_divert_port; /* Divert/tee port (options IPDIVERT) */
90	u_short fu_pipe_nr; /* queue number (option DUMMYNET) */
91	u_short fu_skipto_rule; /* SKIPTO command rule number */
92	u_short fu_reject_code; /* REJECT response code */
93	struct sockaddr_in fu_fwd_ip;
94	} fw_un;
95	u_char fw_prot; /* IP protocol */
96	/*
97	* N'of src ports and # of dst ports in ports array (dst ports
98	* follow src ports; max of 10 ports in all; count of 0 means
99	* match all ports)
100	*/
101	u_char fw_nports;
102	void pipe_ptr; / flow_set ptr for dummynet pipe */
103	void next_rule_ptr ; / next rule in case of match */
104	uid_t fw_uid; /* uid to match */
105	int fw_logamount; /* amount to log */
106	u_int64_t fw_loghighest; /* highest number packet to log */
107	};
108
109	The ip_fw.h header also contains macros for setting the fw_ports field and various
110	flags and constants for setting other fields.
111	.Ed
112	.\"--------------------------------------------------------------------------------------------
113	.Ss Rule Actions
114	.\"--------------------------------------------------------------------------------------------
115	Each rule has an action described by the IP_FW_F_COMMAND bits in the flags word:
116	.Bl -tag -width "IP_FW_F_DIVERT"
117	.It Dv IP_FW_F_DENY
118	drop packet
119	.It Dv IP_FW_F_REJECT
120	drop packet; send rejection via ICMP or TCP
121	.It Dv IP_FW_F_ACCEPT
122	accept packet
123	.It Dv IP_FW_F_COUNT
124	increment counters; continue matching
125	.It Dv IP_FW_F_DIVERT
126	divert packet to a
127	.Xr divert 4
128	socket
129	.It Dv IP_FW_F_TEE
130	copy packet to a
131	.Xr divert 4
132	socket; continue
133	.It Dv IP_FW_F_SKIPTO
134	skip to rule number
135	.Va fu_skipto_rule
136	.El
137	.Pp
138	In the case of
139	.Dv IP_FW_F_REJECT ,
140	if the
141	.Va fu_reject_code
142	is a number from 0 to 255, then an ICMP unreachable packet is sent back to the
143	original packet's source IP address, with the corresponding code. Otherwise, the
144	value must be 256 and the protocol
145	.Dv IPPROTO_TCP ,
146	in which case a TCP reset packet is sent instead.
147	.Pp
148	With
149	.Dv IP_FW_F_SKIPTO ,
150	all succeeding rules having rule number less than
151	.Va fu_skipto_rule
152	are skipped.
153	.Ss Kernel Options
154	Options in the kernel configuration file:
155	.Bl -tag -width "options IPFIREWALL_VERBOSE_LIMIT"
156	.It Cd options IPFIREWALL
157	enable
158	.Nm
159	.It Cd options IPFIREWALL_VERBOSE
160	enable firewall logging
161	.It Cd options IPFIREWALL_VERBOSE_LIMIT
162	limit firewall logging
163	.It Cd options IPDIVERT
164	enable
165	.Xr divert 4
166	sockets
167	.El
168	.Pp
169	When packets match a rule with the
170	.Dv IP_FW_F_PRN
171	bit set, and if
172	.Dv IPFIREWALL_VERBOSE
173	has been enabled,a message is written to
174	.Pa /dev/klog
175	with the
176	.Dv LOG_SECURITY
177	facility
178	(see
179	.Xr syslog 3 )
180	for further logging by
181	.Xr syslogd 8 ;
182	.Dv IPFIREWALL_VERBOSE_LIMIT
183	limits the maximum number of times each rule can cause a log message. These variables are also
184	available via the
185	.Xr sysctl 3
186	interface.
187	.\"--------------------------------------------------------------------------------------------
188	.Sh RETURN VALUES
189	.\"--------------------------------------------------------------------------------------------
190	The
191	.Fn setsockopt
192	function returns 0 on success. Otherwise, -1 is returned and the global variable
193	.Va errno
194	is set to indicate the error.
195	.\"--------------------------------------------------------------------------------------------
196	.Sh ERRORS
197	.\"--------------------------------------------------------------------------------------------
198	The
199	.Fn setsockopt
200	function will fail if:
201	.Bl -tag -width Er
202	.It Bq Er EINVAL
203	The IP option field was improperly formed;
204	an option field was shorter than the minimum value
205	or longer than the option buffer provided.
206	.It Bq Er EINVAL
207	A structural error in ip_fw structure occurred
208	(n_src_p+n_dst_p too big, ports set for ALL/ICMP protocols etc.).
209	.It Bq Er EINVAL
210	The version field of the ip_fw structure was set to a value not supported by the
211	currently-installed
212	.Dv IPFirewall,
213	or no ip_fw structure was passed to it at all.
214	.It Bq Er EINVAL
215	An invalid rule number was used.
216	.El
217	.\"--------------------------------------------------------------------------------------------
218	.Sh SEE ALSO
219	.\"--------------------------------------------------------------------------------------------
220	.Xr setsockopt 2 ,
221	.Xr divert 4 ,
222	.Xr ip 4 ,
223	.Xr ipfw 8 ,
224	.Xr sysctl 8 ,
225	.Xr syslogd 8
226	.\"--------------------------------------------------------------------------------------------
227	.Sh BUGS
228	.\"--------------------------------------------------------------------------------------------
229	The ``tee'' rule is not yet implemented (currently it has no effect).
230	.Pp
231	This man page still needs work.
232	.\"--------------------------------------------------------------------------------------------
233	.Sh HISTORY
234	.\"--------------------------------------------------------------------------------------------
235	The ipfw facility was initially written as package to BSDI by
236	.An Daniel Boulet
237	.Aq danny@BouletFermat.ab.ca .
238	It has been heavily modified and ported to
239	.Fx
240	by
241	.An Ugen J.S. Antsilevich
242	.Aq ugen@NetVision.net.il .
243	.Pp
244	Several enhancements added by
245	.An Archie Cobbs
246	.Aq archie@FreeBSD.org .