FreeBSD Handbook : Users, groups and security : Firewalls : Configuring IPFW
Previous: Enabling IPFW on FreeBSD
Next: Example commands for ipfw

6.4.4. Configuring IPFW

The configuration of the IPFW software is done through the ipfw(8) utility. The syntax for this command looks quite complicated, but it is relatively simple once you understand its structure.

There are currently two different command line formats for the utility, depending on what you are doing. The first form is used when adding/deleting entries from the firewall or accounting chains, or when clearing the counters for an entry on the accounting chain. The second form is used for more general actions, such as flushing the rule chains, listing the rule chains or setting the default policy.

6.4.4.1. Altering the IPFW rules

The syntax for this form of the command is:

ipfw -n command action protocol addresses

There is one valid flag when using this form of the command:

-n

Do not attempt to resolve given addresses.

The command given can be shortened to the shortest unique form. The valid commands are:

addfirewall

Add an entry to the firewall rule list

delfirewall

Delete an entry from the firewall rule list

addaccounting

Add an entry to the accounting rule list

delaccounting

Delete an entry from the accounting rule list

clraccounting

Clear the counters for an accounting rule entry.

If no command is given, it will default to addfirewall or addaccounting depending on the arguments given.

Currently, the firewall support in the kernel applies a set of weights to the rule being added. This means that the rules will not be evaluated in the order that they are given to the system. The weighting system is designed so that rules which are very specific are evaluated first, and rules which cover very large ranges are evaluated last. In other words, a rule which applies to a specific port on a specific host will have a higher priority than a rule which applies to that same port, but on a range of hosts, or that host on a range of ports.

The weighting system is not perfect, however, and can lead to problems. The best way to see what order it has put your rules in is to use the list command, as that command lists the rules in the order that they are evaluated, not the order that they were fed to the system.

The actions available depend on which rule chain the entry is destined for. For the firewall chain, valid actions are:

reject

Drop the packet, and send an ICMP HOST_UNREACHABLE or ICMP PORT_UNREACHABLE (as appropriate) packet to the source.

lreject

As reject, but also log the packet details.

deny

Drop the packet.

ldeny

As deny, but also log the packet details.

log

Log the packet's details and pass it on as normal.

accept

Pass the packet on as normal.

pass

Synonym for accept.

For the accounting chain, valid actions are:

single

Count packets matching the address specifier.

bidirectional

Count packets matching the address specifier, and also packets travelling in the opposite direction (i.e. those going from ``destination'' to ``source'').

Each action will be recognized by the shortest unambiguous prefix.

The protocols which can be specified are:

all

Matches any IP packet

icmp

Matches ICMP packets

tcp

Matches TCP packets

udp

Matches UDP packets

syn

Matches the TCP SYN (synchronization) packet used during TCP connection negotiation. You can use this to block ``incoming'' TCP connections, but allow ``outgoing'' TCP connections.

The address specification is:

[from <address/mask>[port]] [to <address/mask>[port]] [via <interface>]

You can only specify port in conjunction with protocols which support ports (UDP, TCP and SYN).

The order of the from, to, and via keywords is unimportant. Any of them can be omitted, in which case a default entry for that keyword will be supplied which matches everything.

The via keyword is optional and may specify the IP address or domain name of a local IP interface, or an interface name (e.g. ed0), to match only packets coming through this interface. The keyword via can be substituted by on, for readability reasons.

The syntax used to specify an <address/mask> is:

<address>
or
<address>/mask-bits
or
<address>:mask-pattern

A valid hostname may be specified in place of the IP address. mask-bits is a decimal number giving how many bits of the address mask should be set; e.g. specifying

192.216.222.1/24

will create a mask which matches any address in a class C subnet (in this case, 192.216.222). mask-pattern is an IP address which will be logically AND'ed with the address given. The keyword any may be used to specify ``any IP address''.

The port numbers to be blocked are specified as:

port[,port[,port[...]]]

to specify either a single port or a list of ports, or

port:port

to specify a range of ports. The name of a service (from /etc/services) can be used instead of a numeric port value.
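The following script is an added example, not part of the Handbook: it evaluates the <address/mask> forms (a bare address, address/mask-bits, address:mask-pattern and the keyword any) and the two port forms described above against a concrete address and port, using only POSIX shell arithmetic. The sample addresses and ports are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not Handbook code): checks an address and a port against the
# ipfw address and port specifier syntax, the way the filter would match them.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Build the mask for "/mask-bits": the given number of high-order bits set.
bits2mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# Return 0 if address $2 matches specifier $1, which is one of:
#   any, <address>, <address>/mask-bits, <address>:mask-pattern
addr_match() {
    case $1 in
        any)  return 0 ;;
        */*)  net=${1%/*}; mask=$(bits2mask "${1#*/}") ;;
        *:*)  net=${1%:*}; mask=$(ip2int "${1#*:}") ;;   # pattern is AND'ed in
        *)    net=$1;      mask=4294967295 ;;              # exact host match
    esac
    [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# Return 0 if port $2 matches specifier $1: "port[,port...]" or "lo:hi".
port_match() {
    case $1 in
        *:*) [ "$2" -ge "${1%:*}" ] && [ "$2" -le "${1#*:}" ] ;;
        *)   case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac ;;
    esac
}

# Constructed sample: would a packet from 192.216.222.77 to port 25 match
# "from 192.216.222.1/24 to any 25"?
demo() {
    if addr_match 192.216.222.1/24 192.216.222.77 \
       && addr_match any 10.0.0.1 && port_match 25 25; then
        echo match
    else
        echo no-match
    fi
}

demo
```

Service names from /etc/services are deliberately not handled here; ipfw resolves them before matching, so the functions above expect numeric ports.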

6.4.4.2. Listing/flushing the IPFW rules

The syntax for this form of the command is:

ipfw [-ans] command [argument]

There are three valid flags when using this form of the command:

-a

While listing, show counter values. This option is the only way to see accounting counters. Works only with -s.

-n

Do not attempt to resolve given addresses.

-s

Use short listing form. This should be used with -a to see accounting counters. The short form listing is incompatible with the input syntax used by the ipfw(8) utility.

The command given can be shortened to the shortest unique form. The valid commands are:

list

List the chain rule entries. Unless the -s flag is given, the format is compatible with the command line syntax.

flush

Flush the chain rule entries.

zero

Clear counters for the entire accounting chain.

policy

Set or display the default policy for the firewall code. Without an argument, the current policy will be displayed.

The list and flush commands may optionally be passed an argument to specify which chain to list or flush. Valid arguments are:

firewall

The packet filter chain.

accounting

The accounting chain.

The policy command can be given one of two arguments:

accept

If a packet is not matched by any rule, pass it on.

deny

If a packet is not matched by any rule, do not pass it on.

As usual, the arguments can be shortened to the shortest unique form (in this case, the first letter).
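The script below is an added example, not code from the Handbook: a small rule-loading script that uses both command forms described in this section (the rule-altering form with -n, and the listing/flushing form with -as). The interface name ed0, the host address 192.216.222.1, the dryrun substitution for printing rules instead of loading them, and the load/show arguments are all assumptions of this script, not features of ipfw.

```sh
#!/bin/sh
# Added example (not Handbook code): load a default-deny rule set with ipfw(8).
# EXT_IF and MY_HOST are placeholders; replace them with your own values.
EXT_IF=${EXT_IF:-ed0}
MY_HOST=${MY_HOST:-192.216.222.1}

# $IPFW is the command run for every rule. It defaults to ipfw itself; setting
# IPFW=dryrun prints each command instead of loading it (an assumption of this
# script, not an ipfw feature).
IPFW=${IPFW:-ipfw}
dryrun() { printf '%s\n' "ipfw $*"; }

# Rule-altering form: ipfw -n command action protocol addresses.
# -n stops ipfw resolving names, so loading rules never waits on DNS.
load_rules() {
    $IPFW -n flush firewall          # listing/flushing form: empty both chains
    $IPFW -n flush accounting
    $IPFW -n policy deny             # anything no rule matches is dropped

    # Refuse new TCP connections arriving on the outside interface, but still
    # let this host open connections out: "syn" matches only the opening SYN,
    # and ldeny logs what was refused.
    $IPFW -n addf ldeny syn from any to "$MY_HOST" via "$EXT_IF"
    $IPFW -n addf accept tcp from any to any

    # Exception: inbound mail. A rule naming a specific port on a specific
    # host is weighted ahead of the less specific syn rule, so it is
    # evaluated first whatever order the rules are given in.
    $IPFW -n addf accept tcp from any to "$MY_HOST" smtp via "$EXT_IF"

    $IPFW -n addf accept udp from any to any
    $IPFW -n addf accept icmp from any to any

    # Accounting chain: count this host's traffic in both directions.
    $IPFW -n adda bidirectional all from "$MY_HOST" to any
}

# Show the firewall chain in the order it is actually evaluated (the weighting
# may not be what you expect), and the accounting chain with its counters.
show_rules() {
    $IPFW list firewall
    $IPFW -as list accounting
}

case ${1:-} in
    load) load_rules ;;
    show) show_rules ;;
    *)    IPFW=dryrun; load_rules ;;   # no argument: print the rules only
esac
```

Run it with no argument first to review the generated commands, then with load to install them and show to confirm the evaluation order ipfw settled on.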
