ipfilterd man page on IRIX

ipfilterd(1M)							 ipfilterd(1M)

NAME
     ipfilterd - IP packet filtering daemon

SYNOPSIS
     /usr/etc/ipfilterd [ -d ]

OPTIONS
     -d	  Runs ipfilterd in a debug mode in which it displays each filter as
	  it is created while reading the configuration file.

	  Information on packets that are passed to the ipfilterd daemon for an
	  accept/reject/grab decision will be logged using the syslog(3C)
	  function with the log facility set to LOG_DAEMON. This includes an
	  indication of whether the packet matched a filter or was dropped by
	  default; an indication of whether the filter was one that specified
	  an interface only or included protocol information; a time-stamp;
	  and a running count of the number of times that kind of decision
	  happened.  The rest of the packets are handled in the kernel based
	  upon this earlier decision which is cached.  Detailed per-packet
	  logging is handled with log facility LOG_KERN.  See the -l keyword
	  option below.

	  Increasing the debug level using additional -d options provides more
	  debugging information.

DESCRIPTION
     Ipfilterd is a networking daemon that screens all inbound packets that
     use the Internet Protocol (IP).  Packets are filtered based on their
     source or destination IP address, the network interface they arrived on,
     their IP protocol number, their source or destination TCP/UDP port
     number, or any combination of the above.  Supported IP protocols include
     TCP, UDP, ICMP, and IGMP.

     Ipfilterd does not currently support NAT (network address translation).

     ipfilterd is started at system initialization from /etc/init.d/network if
     the configuration flag ipfilterd is set ``on'' with chkconfig(1M).	 When
     ipfilterd is started, it reads its configuration information from the
     file /etc/ipfilterd.conf and compiles the packet filters specified there,
     storing them in an array in the order in which they were specified.
     Inbound IP code passes packet information to the daemon, requesting
     verdicts based on the filter database.  An inbound packet is compared
     with each filter in the array until a match is found; the verdict
     associated with that filter is then returned to IP, which will process
     the packet unless it has been dropped by the filtering code.  If no match
     is found, the packet is dropped by default.

     During filter initialization, ipfilterd reads /etc/ipfilterd.conf one
     line at a time.  Lines that begin with "#" are comments and are ignored.
     All other lines must begin with a keyword, followed by either a macro or
     a filter.	Blank lines or lines beginning with tabs/spaces will generate
     an error and be discarded.	 Macros and filters use netsnoop(1M) filter
     syntax; however, the optional specification of a network interface must
     precede all protocol filter information.  All standard netsnoop(1M)
     macros relating to ipfilterd's supported protocols can be used.

     Available keywords are
	accept	 accept all packets matching this filter
	reject	 silently discard all packets matching this filter
	define	 define a new macro
	grab	 grab all packets matching this filter rather than forwarding them

     The grab keyword is mostly reserved for firewall products that use
     ipfilterd as their mechanism for intercepting packets that would normally
     have been forwarded.  It requires a user-level daemon or proxy that
     processes the packets grabbed by ipfilterd.

     The  -i <interface> option can be appended after "accept", "reject" or
     "grab" to filter packets on a particular interface.

	       NOTE: ipfilterd does not filter on lo0 interface.

     The -l option can be appended after "accept", "reject" or "grab" to log a
     message for each packet which meets the filter criteria.  If both the -i
     <interface> and the -l options are being used, -i <interface> must come
     first.

     Example message:

	  NOTICE: ipfilter - drop: SRC 10.0.0.20 DST 192.0.2.45
	  SPT 4350 DPT 23 TCP < SYN >

     The message is generated by the IRIX Kernel (with the log facility
     LOG_KERN). This is indicated by the word "ipfilter" at the start of the
     logged line.  Messages logged by the daemon start with the word
     "ipfilterd".  The message format may change in future releases.

     NOTE: The -l option should be used with care to prevent excessive
     logging.

     IP addresses may be specified in hexadecimal, in Internet dot format (see
     inet(3N)), or by the fully qualified hostname or its nickname:

	  0xC000022C  192.0.2.44   bambi.test.com  bambi

     The last accept or reject statement should either allow or deny all
     remaining packets which did not match the previous statements.   It is
     more secure to have the last filter default to rejecting all remaining
     packets.

     Protocols may be referenced either by their assigned protocol number or
     by their well-known name (TCP, UDP, ICMP, IGMP), as listed in
     /etc/protocols.  Ports may likewise be referenced directly by number;
     port numbers assigned to specific Internet network or UNIX-specific
     services may also be referenced by the well-known names found in
     /etc/services (e.g., ftp, telnet, snmp, sunrpc, login, etc.).

     In order to write rule-sets, some keywords can be used to define specific
     protocol flags or options. The source or destination IP address can be
     defined in the following format using keywords src and/or dst:

	  For hosts:  src=x.x.x.x dst=x.x.x.x
	  For networks: (src&0xffffff00)=x.x.x.0 or (dst&0xffffff00)=x.x.x.0

     The netmask can be changed to accommodate different values.

     Specific TCP source or destination port numbers are referenced with
     tcp.sport or tcp.dport respectively; udp.sport and udp.dport serve the
     same purpose for UDP packets.  The generic port keyword (tcp.port,
     udp.port) matches packets whose source or destination port is set to
     that value.

     It is possible to match for a specific tcp flag by using the keyword
     tcp.flags.	 The possible flag types are: FIN, SYN, RST, PUSH, ACK and By
     using the "SYN" flag in rule-sets, it is possible to deny the
     establishment of incoming tcp connections while still allowing the
     establishment of outgoing tcp connections.	 This, for example, could be
     used to stop incoming telnet sessions, while still allowing outgoing
     telnet connections.

     It is possible to control the ICMP type by using icmp.type where the
     possible values can be ECHO, ECHOREPLY, UNREACHABLE, SOURCEQUENCH,
     REDIRECT, ROUTEADVERT, ROUTERSOLICIT, TIMXCEED, PARAMPROB, TSTAMP,
     TSTAMPREPLY, IREQ, IREQREPLY, MASKREQ, MASKREPLY. This enables a finer
     control on the ICMP packets being filtered. One could deny ICMP echo
     requests while still permitting other ICMP types.

     To combine or negate expressions, the operators "and, or, not" can be
     used.  The "between" operator can be used to identify traffic between two
     hosts or networks.

     Ipfilterd supports up to 1000 discrete filters.  There is no limit on
     the number of macros that can be defined.

     IP maintains a kernel cache of recent ipfilterd filtering verdicts,
     arranged in a most-recently-used linked list.  The size of this cache is
     configurable, as is the search depth into the cache before a filter match
     causes the matched entry to be moved to the head of the cache (MRU
     reordering).  With the 5.0 release of IRIX, cache entries will be aged
     and deleted when idle for a configurable interval (default 60 seconds).

     Use of the cache decreases the number of times that IP must poll the
     daemon, reducing system overhead associated with context switching out of
     the kernel.

     Although a larger cache minimizes context switches, its size adds a
     longer search path to the IP kernel code before the decision to consult
     the daemon can be made.  The optimum cache size will vary with system
     usage; for example, an external gateway has more filtering
     responsibility and sees many more IP address/protocol/port combinations
     than a workstation on a LAN, and hence requires a larger cache.

     The number of verdicts cached in the kernel is defined by the constant
     NUMIPKFLT in the IP filtering configuration file
     /var/sysgen/master.d/ipfilter.  To change the size, as the superuser,
     edit this file and then use autoconfig(1M) to generate a new kernel and
     reboot.

     The effects of kernel cache size can be observed empirically by
     monitoring network performance and by explicitly observing how often,
     and to what effect, the daemon is consulted.

FILES
     /var/adm/SYSLOG
	  is the general syslogd(1M) data file.	 It contains all events and
	  data logged by ipfilterd.
     /etc/ipfilterd.conf
	  contains macro and filter definitions.
     /dev/ipfilter
	  is used by ipfilterd to communicate with the kernel.	You should
	  create it on your system by invoking the /dev/MAKEDEV script if
	  ipfilterd complains it cannot open its device file.
     /var/sysgen/master.d/ipfilter
	  is used when generating a kernel to specify the size of the kernel
	  cache of recent filtering verdicts, the cache search depth that must
	  be exceeded before any MRU reordering of the cache is performed, and
	  the treatment of inbound IP packets when the filtering daemon has
	  died or been killed.
	  The constant NUMIPKFLT defines the size of the kernel cache of
	  recent filtering verdicts.  This should be tuned based on system
	  load.
	  The filtercache_search_depth variable is used to minimize the
	  thrashing of the cache that would occur if every filter hit were
	  moved to the head of the cache.  It defaults to 4, which permits
	  two simultaneous file transfers to occur without MRU reordering.
	  This value should be tuned based on the expected system workload.
	  The ipfilterd_inactive_behavior variable specifies how inbound IP
	  packets will be treated when the daemon has died or been killed.  A
	  value of 0 specifies that inbound IP processing should proceed as
	  though filtering were not configured.	 A value of 1 specifies that
	  all inbound IP packets (except those from the local host) will be
	  dropped.  Use of this value ensures that routing will be disabled in
	  IP firewalls whose daemon is inactive, preventing security holes.
	  With the 5.0 release of IRIX, the ipfilter_ttl variable is used to
	  set a maximum lifetime for idle kernel cache entries.	 Entries idle
	  longer than that interval (default 60 seconds) are deleted.
EXAMPLES
     Examples of use of "define" to create macros:

     A filter for all possible traffic between two machines, each of which is
     multi-homed:
	  define ip.betwixt between($1,$3) || between($1,$4) || between($2,$3)
	  || between($2,$4)

     (Note: This one-line example is shown on two lines because of formatting
     constraints.)

     A macro to specify any host not on a given Class C network (or on a Class
     B network with 8-bit subnet masks) as the source.	When masking against
     an IP address in a macro, hex must be used.  However, the IP (sub)network
     number specified in the filter may be either in hex or dot format.
     Parentheses are used to establish binding and precedence:
	  define ip.notnetCsrc	not((src & 0xffffff00) = $1)

     Filter examples:

     To accept all IP traffic between two single-homed hosts:
	  accept between speaker squaw

     To reject all IP traffic over one network interface between two hosts:
	  reject -i ec0 between speaker dizzy

     To reject Sun RPC traffic between two hosts:
	  reject between boston 192.99.99.99 and udp.port sunrpc

     To grab all packets from one host over a given network interface:
	  grab -i ec0 src=boston

     An example of ip.betwixt:
	  reject ip.betwixt foo1 foo2 boo1 boo2 and tcp.port login

     To reject all FTP connections that do not originate from a given Class B
     net:
	  reject ip.notnetBsrc 192.26.00.00 and tcp.port ftp

     The following rule-sets are provided as a simple example to minimize
     exposure on an IRIX host with one network interface.

     #
     # Accept packets with a loopback source address only if they
     # come over the loopback interface.
     accept -i localhost src=127.0.0.1
     reject src=127.0.0.1
     #
     # Accept all packets originating from this trusted network.
     accept (src&0xFFFFFF00)=123.45.67.0
     #
     # Reject spoofed packets from private address space which
     # should not be used on the Internet according to RFC 1918.
     reject (src&0xFF000000)=10.0.0.0
     reject (src&0xFFFF0000)=192.168.0.0
     reject (src&0xFFF00000)=172.16.0.0
     #
     #
     # Allow RIP broadcasts if running gated/routed.
     accept udp.dport=520
     #
     # Allow DNS replies from the name servers
     # This is required for host name resolution to work.
     accept udp.sport=53 and ip.src=192.26.210.1
     accept udp.sport=53 and ip.src=205.151.69.200
     #
     # Explicitly reject all UDP packets not accepted above
     reject udp
     #
     #
     #
     #
     # Allow only connections to httpd, sshd and telnetd.
     # Other services defined in /etc/services or by using
     # their respective port numbers can be added here.
     accept tcp.dport=telnet
     accept tcp.dport=22
     accept tcp.dport=http
     #
     # Allow all TCP packets related to outgoing connections.
     # The most efficient way of accomplishing this is to
     # accept all TCP packets which don't have the SYN flag set.
     accept tcp and not(tcp.flags=SYN)
     #
     # Explicitly reject all tcp packets not accepted above
     reject tcp
     #
     #
     # Deny ICMP time-stamps requests in order to prevent
     # remote hosts from querying the local time.
     # Do not use if your host is a time server.
     reject icmp.type=TSTAMP
     #
     # Accept all other types of ICMP packets.
     accept icmp
     #
     # Explicitly Deny everything else (default behavior).
     reject (src&0)=0
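
     The following is an added example and is not part of this man page or of
     ipfilterd itself: a small Python model of the first-match semantics
     described above and in the NOTES below (masked-network, host, port,
     tcp.flags and icmp.type primitives, "and", "not(...)", the optional -i
     <interface>, and the default reject when no filter matches), run over a
     constructed rule-set condensed from the one above.  The packet dictionary
     layout, the service-name table and all addresses are assumptions; "or"
     and "between" are not modelled.

```python
import ipaddress, re
SERVICES = {"ftp": 21, "telnet": 23, "http": 80, "sunrpc": 111, "login": 513}  # /etc/services subset
RULE = re.compile(r"^(accept|reject|grab)(?:\s+-i\s+(\S+))?(?:\s+-l)?\s+(.+)$")

def _ip(s):  # dotted quad or hex/decimal form, both of which ipfilterd accepts (no hostnames here)
    return int(s, 0) if "." not in s else int(ipaddress.IPv4Address(s))

def _atom(tok, pkt):
    """One primitive of the netsnoop-style subset: masked net, host, port, TCP flag, ICMP type, protocol."""
    if m := re.fullmatch(r"\((?:ip\.)?(src|dst)&(\w+)\)=([\w.]+)", tok):  # (src&0xffffff00)=x.x.x.0
        return _ip(pkt[m[1]]) & int(m[2], 0) == _ip(m[3])
    if m := re.fullmatch(r"(?:ip\.)?(src|dst)=([\w.]+)", tok):
        return _ip(pkt[m[1]]) == _ip(m[2])
    if m := re.fullmatch(r"(tcp|udp)\.(sport|dport|port)=(\w+)", tok):
        want = SERVICES.get(m[3]) or int(m[3])  # service names resolve as with /etc/services
        return pkt["proto"] == m[1] and want in ((pkt["sport"], pkt["dport"]) if m[2] == "port" else (pkt[m[2]],))
    if m := re.fullmatch(r"tcp\.flags=(\w+)", tok):
        return pkt["proto"] == "tcp" and m[1] in pkt.get("flags", ())
    if m := re.fullmatch(r"icmp\.type=(\w+)", tok):
        return pkt["proto"] == "icmp" and pkt.get("type") == m[1]
    if tok in ("tcp", "udp", "icmp", "igmp"):
        return pkt["proto"] == tok
    raise ValueError("unsupported expression: " + tok)

def _clause(c, pkt):  # handles "not(...)"; the caller splits on "and"
    return not _clause(c[4:-1], pkt) if (c := c.strip()).startswith("not(") and c.endswith(")") else _atom(c, pkt)

def parse_conf(text):
    """Filters in file order as (action, interface or None, expression). '#' lines are
    comments; blank or indented lines are errors to ipfilterd, so they are discarded."""
    rules = []
    for line in text.splitlines():
        if line.startswith("#") or not line or line[0].isspace():
            continue
        if not (m := RULE.match(line)):
            raise ValueError("bad rule: " + line)
        rules.append((m[1], m[2], m[3]))
    return rules

def verdict(rules, pkt, iface="ec0"):
    """First matching filter wins; a packet that matches none is dropped (default reject)."""
    for n, (action, rif, expr) in enumerate(rules):
        if (rif is None or rif == iface) and all(_clause(c, pkt) for c in expr.split(" and ")):
            return action, n
    return "reject", None

# Constructed rule-set condensed from the man page's single-interface example
RULES = parse_conf("""\
reject (src&0xFF000000)=10.0.0.0
accept tcp.dport=22
accept tcp and not(tcp.flags=SYN)
reject tcp
reject icmp.type=TSTAMP
accept icmp
""")
```

     verdict() returns the action and the index of the matching filter, so
     swapping two lines in the configuration (for example the specific accept
     and the general reject in the NOTES below) is directly visible in its
     output.
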
NOTES
     IP filtering may be initiated or disabled only by the superuser.
     The command
	  /etc/killall ipfilterd

     kills the filtering daemon and zeros out the kernel cache of filtering
     verdicts.	It may also disable all IP forwarding and receipt of any
     inbound IP traffic except that from the local host (see the discussion of
     the ipfilterd_inactive_behavior variable in the FILES section above).
     The SIGHUP signal can be sent to ipfilterd to reload its configuration
     file.
     The command
	  /usr/etc/ipfilterd

     which is normally executed from /etc/init.d/network, starts up the daemon
     and initializes the configured filters.  Only one instance of ipfilterd
     may be active at any time; attempts to start a second daemon will fail
     silently.
     If a syntax error is found when reading ipfilterd.conf, ipfilterd will
     exit abnormally and send out the error messages to STDERR. The default
     behavior is to deny all traffic when not running. This can be changed by
     setting the systune variable ipfilterd_inactive_behavior to 0.
     Macros must be defined before they are referenced in filters in
     /etc/ipfilterd.conf.  Each macro definition must be on one line and have
     a maximum of 255 characters.
     The daemon's array of filters is generated in the order specified in
     /etc/ipfilterd.conf.  The filtering daemon examines filters from the top
     of the array each time.  As soon as it detects a match, it returns the
     associated verdict.  It is possible for more than one filter to match a
     given packet, for example when rejecting rlogin requests from a given net
     except from one particular host.  In that case, the more specific filter
     must appear first:
	  accept ip.src bambi and tcp.port login

     followed by the general case:
	  reject ip.netBsrc 199.0.2.0 and tcp.port login

     Several macros relating to (sub)networks rather than hosts are predefined
     in /etc/ipfilterd.conf.
     By default ipfilterd rejects all packets for which no 'accept' entry is
     defined.
CAVEATS
     ipfilterd does not filter on lo0 interface.

SEE ALSO
     netsnoop(1M), master(4).
FILES
     /etc/ipfilterd.conf /dev/ipfilter /var/sysgen/master.d/ipfilter