ipfw man page on BSDOS

IPFW(8)			  BSD System Manager's Manual		       IPFW(8)

NAME
     ipfw - set / retrieve BSD IP Filters

SYNOPSIS
     ipfw [filter] [-command [options]] [...]

DESCRIPTION
     The ipfw utility allows the setting and retrieving of kernel based BSD IP
     Filters, as well as resolution of interface names into interface index
     numbers.  The filter argument must be one of:

     pre-input
	     A filter on all IP packets as they first enter IP processing

     input   A filter on IP packets destined for the local machine, after
	     fragment re-assembly.

     forward
	     A filter on IP packets being forwarded through this machine.

     pre-output
	     A filter on all IP packets leaving this machine, prior to rout-
	     ing.

     output  A filter on IP packets generated locally by this machine.

     call    Not an actual filtering point, this chain should contain filters
	     to be called from a BPF based filter.

     rate    Filters each packet just prior to calling the interface's output
	     routine.  If the filter returns a non-zero value then that is the
	     index number of a rate limiting filter that should be applied to
	     this packet.

     If no command is given, the chain of filters associated with filter is
     displayed.

     If no filter is given then there must either be no other arguments or the
     only argument must be -list. In these cases, all the above filtering
     points are reported or listed.

     The following commands are available:

     -display
	     Displays the contents of a filter as it was provided to ipfw when
	     installed.	 (See special note about NAT filters below.)  If op-
	     tions are provided, they are to be a list of serial numbers.  The
	     serial number 0 implies the first filter.	If no options are pro-
	     vided then all the filters in this chain are displayed.

     -dontsave
	     Do not save a copy of this filter in /var/run/ipfw. This will
	     prevent the -display command from working for this filter.

     -insert
	     This command takes a filter number and a filter.  The filter is
	     pushed onto the call list and assigned the specified filter num-
	     ber.  The filter number should be a small positive integer.  This
	     number can be used with the call and chain commands when compil-
	     ing filters with ipfwcmp(8).  This command is only valid when the
	     filter is call.

     -list   List the filters in the chain as well as the length of the fil-
	     ters.  This is a much more resource consuming task than the de-
	     fault report which does not include lengths.

     -move   This command takes two serial numbers.  The filter specified by
	     the first serial number is moved just below the filter specified
	     by the second serial number.

     -output
	     This command takes exactly one option, which should be the name
	     of a file into which to write the contents of the filter chain
	     specified for filter.

     -pop    Remove the last filter pushed onto the filter chain.  If options
	     are provided, they are to be a list of serial numbers.  The fil-
	     ters of the specified serial numbers will be removed, rather than
	     the first filter.	The serial number 0 implies the first filter.

     -popall
	     If an option is provided, it should be the serial number of a
	     filter in the chain.  If not provided, the serial number defaults
	     to 0, which implies the first filter in the chain.	 The specified
	     filter in the chain, and all following filters, are removed.
	     (-popall then simply clears the entire filter chain.)

     -priority
	     This command takes exactly one option, which should be a priority
	     (a signed 32 bit value).  All filters, on this command line, that
	     are inserted after the -priority command will have this priority
	     (unless changed by another -priority command).  The default pri-
	     ority of a filter is 0.  When a new filter is pushed on, it is
	     pushed on just before the top most filter with a priority less
	     than or equal to this filter's priority.

     -push   The options are a list of file names containing filters to be
	     pushed onto the front of the chain of filters for filter.  The
	     last filter specified is pushed on first.	This results in the
	     first filter listed being at the top of the chain.	 This command
	     requires at least one option.

     -replace
	     The command is identical to -push with the exception that filter
	     which used to be at the top of the chain will be popped once the
	     new filter(s) are installed.

     -replaceall
	     The command is identical to -push with the exception that all the
	     old filters will be removed once the new filter(s) are installed.
	     This command requires at least one option.

     -serialpush
	     The command is identical to -push but each filter requires a se-
	     rial number following each file name.  Use the -serial command to
	     retrieve a new serial number.

     -secure
	     Mark filter as secure (immutable).	 This command takes no op-
	     tions.

     -serial
	     Print out an available serial number to use with the -serialpush
	     command.

     -stats  Display statistics for filter.  This command takes no options.

     -tag    This command takes a single option which is the tag to be as-
	     signed to the next filter installed (on this command line).  Each
	     filter may have a 32 byte tag (shorter tags are automatically NUL
	     padded).  If a tag does not start with a NUL byte and another
	     filter on the chain exists with the same tag, that filter is re-
	     placed by the new filter and its location is not modified.	 The
	     priority is not used to position the filter, though the new pri-
	     ority may alter how future filters are inserted.

     For the -push, -replace, and -replaceall commands, the options refer to
     files which should be descriptions of BSD IP Filters.  Unless the file
     name ends with .ipfw, the file is expected to be a compiled filter (see
     ipfwcmp(8) and ipfwcisco(8)); otherwise ipfw will use the ipfwcmp(8)
     utility to compile the filter.
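     The ordering rules above (-push, -priority, -tag, -pop, -popall and
     -move) decide which filter sees a packet first, and a filter that lands
     below a broader one is silently shadowed.  The following Python model is
     an added illustration, not part of ipfw or BSD/OS; it assumes serial 0
     is the top of the chain and that a filter with a lower priority than
     every installed filter is appended at the bottom.

```python
# Added model (not BSD/OS code) of the chain ordering rules in ipfw(8):
# how -push, -priority, -tag, -pop, -popall and -move rearrange a chain.
# Index 0 is the top of the chain, i.e. serial number 0.  Assumption beyond
# the text: a filter with a lower priority than every installed filter is
# appended at the bottom.
from dataclasses import dataclass


@dataclass
class Filter:
    name: str          # file the filter was loaded from
    priority: int = 0  # default priority is 0
    tag: bytes = b""   # 32 bytes, NUL padded


class Chain:
    def __init__(self):
        self.filters = []  # top of the chain first

    def push(self, files, priority=0, tag=b""):
        # -push: the last file named is pushed first, so the first file
        # named ends up topmost among filters of equal priority.
        tag = tag[:32].ljust(32, b"\0")
        for name in reversed(files):
            self._push_one(Filter(name, priority, tag))

    def _push_one(self, f):
        # -tag: a tag not starting with NUL that matches an installed
        # filter replaces that filter in place, whatever the priority.
        if f.tag[0] != 0:
            for i, old in enumerate(self.filters):
                if old.tag == f.tag:
                    self.filters[i] = f
                    return
        # -priority: insert just before the topmost filter whose
        # priority is less than or equal to the new filter's.
        for i, old in enumerate(self.filters):
            if old.priority <= f.priority:
                self.filters.insert(i, f)
                return
        self.filters.append(f)

    def pop(self, serials=(0,)):  # -pop: top filter or listed serials
        for s in sorted(serials, reverse=True):
            del self.filters[s]

    def popall(self, serial=0):  # -popall: serial and everything below
        del self.filters[serial:]

    def move(self, src, dst):  # -move: put src just below dst
        f = self.filters.pop(src)
        self.filters.insert(dst if src < dst else dst + 1, f)
```

     Pushing a catch-all deny with a negative priority first, then the
     permits at the default priority, keeps the deny at the bottom however
     many permits are added later.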

NAT FILTERS
     When using the -display command on a NAT filter both the configuration
     and any active NAT sessions are displayed.	 The NAT configuration is com-
     puted from the current active configuration and does not include any
     prefill values (see ipfwnat(8)).  Timeouts and buckets are only displayed
     if the filter is using values other than the defaults.

     The active NAT sessions are displayed one per line.  The first two char-
     acters of each line indicate how the session was created.	``->'' implies
     the session was created on an incoming packet that matched a service.
     ``<-'' implies the session was created by an outgoing packet that matched
     a map.

     The remote address and port are of the endpoint outside of the NAT envi-
     ronment.  The external address and port are what the remote end sees.
     The internal address and port are for the endpoint within the NAT envi-
     ronment.

SEE ALSO
     ipfwasm(8),  ipfwcisco(8),	 ipfwcmp(8),  ipfwdump(8),  ipfwlog(8)

			      September 20, 1996