ipfilter (M)
NAME
ipfilter - Introduction to IP packet filtering
DESCRIPTION
IP Filter is a TCP/IP packet filter, suitable for use in a
firewall environment. To use, it can either be used as a
loadable kernel module or incorporated into your UNIX ker-
nel; use as a loadable kernel module where possible is
highly recommended. Scripts are provided to install and
patch system files, as required.
FEATURES
The IP packet filter can:
explicitly deny/permit any packet from passing through
distinguish between various interfaces
filter by IP networks or hosts
selectively filter any IP protocol
selectively filter fragmented IP packets
selectively filter packets with IP options
send back an ICMP error/TCP reset for blocked packets
keep packet state information for TCP, UDP and ICMP
packet flows
keep fragment state information for any IP packet,
applying the same rule to all fragments.
act as a Network Address Translator (NAT)
use redirection to setup true transparent proxy connec-
tions
provide packet header details to a user program for
authentication
in addition, supports temporary storage of pre-
authenticated rules for passing packets through
Special provision is made for the three most common Internet
protocols, TCP, UDP and ICMP. The IP Packet filter allows
filtering of:
Inverted host/net matchingTCP/UDP packets by port
number or a port number range
ICMP packets by type/code
"established" TCP packets
On any arbitrary combination of TCP flags
"short" (fragmented) IP packets with incomplete headers
can be filtered
any of the 19 IP options or 8 registered IP security
classes TOS (Type of Service) field in packets
To keep track of the performance of the IP packet filter, a
logging device is used which supports logging of:
the TCP/UDP/ICMP and IP packet headers
the first 128 bytes of the packet (including headers)
A packet can be logged when:
it is successfully passed through
it is blocked from passing through
it matches a rule setup to look for suspicious packets
IP Filter keeps its own set of statistics on:
packets blocked
packets (and bytes!) used for accounting
packets passed packets logged
attempts to log which failed (buffer full)
and much more, for packets going both in and out.
Tools
The current implementation provides a small set of tools,
which can easily be used and integrated with regular unix
shells and tools. A brief description of the tools provided:
ipf(ADMN) reads in a set of rules, from either stdin or a file,
and adds them to the kernels current list (appending them).
It can also be used to flush the current filter set or
delete individual filter rules. The file format is described
in ipf(SFF).
ipfs(ADMN) is a utility to temporarily lock the IP Filter ker-
nel tables (state tables and NAT mappings) and write them to
disk. After that the system can be rebooted, and ipfs can be
used to read these tables from disk and restore them into
the kernel. This way the system can be rebooted without the
connections being terminated.
ipfstat(ADMN) interrogates the kernel for statistics on packet
filtering, so far, and retrieves the list of filters in
operation for inbound and outbound packets.
ipftest(ADMN) reads in a filter rule file and then applies sam-
ple IP packets to the rule file. This allows for testing of
filter list and examination of how a packet is passed along
through it.
ipmon(TC) reads buffered data from the logging device
(default is /dev/ipl) for output to either:
screen (standard output)
file
syslog
ipsend(C) generates arbitary IP packets for ethernet con-
nected machines.
ipresend(C) reads in a data file of saved IP packets (ie
snoop/tcpdump/etherfind output) and sends it back across the
network.
ipnat(ADMN) reads in a set of rules, from either stdin or a
file and adds them to the kernels current list of active NAT
rules. NAT rules can also be deleted using ipnat. The format
of the configuration file to be used with ipnat is described
in ipnat(SFF).
For use in your own programs (e.g. for writing of tran-
sparent application proxies), the programming interface and
the associated ioctl's are documented in ipf(ADMP).
Documentation on ioctl's and the format of data saved to the
logging character device is provided in ipl(ADMP) so that you
may develop your own applications to work with or in place
of any of the above.
Similar, the interface to the NAT code is documented in
ipnat(ADMP).
PACKET PROCESSING FLOW
The following diagram illustrates the flow of TCP/IP packets
through the various stages introduced by IP Filter.
IN
|
V
+-------------------------+--------------------------+
| | |
| V |
| Network Address Translation |
| | |
| authenticated | |
| +-------<---------+ |
| | | |
| | V |
| V IP Accounting |
| | | |
| | V |
| | Fragment Cache Check--+ |
| | | | |
| V V V |
| | Packet State Check-->+ |
| | | | |
| | +->--+ | | |
| | | | V | |
| V groups IP Filtering V |
| | | | | | |
| | +--<-+ | | |
| | | | |
| +---------------->|<-----------+ |
| | |
| V |
| +---<----+ |
| | | |
| function | |
| | V |
| +--->----+ |
| | |
| V |
+--|---<--- fast-route ---<--+ |
| | | |
| | V |
| +-------------------------+--------------------------+
| |
| pass only
| |
| V
V [KERNEL TCP/IP Processing]
| |
| +-------------------------+--------------------------+
| | | |
| | V |
| | Fragment Cache Check--+ |
| | | | |
| | V V |
| | Packet State Check-->+ |
| | | | |
| | V | |
V | IP Filtering | |
| | | V |
| | |<-----------+ |
| | V |
| | IP Accounting |
| | | |
| | V |
| | Network Address Translation |
| | | |
| | V |
| +-------------------------+--------------------------+
| |
| pass only
V |
+--------------------------->|
V
OUT
MORE INFORMATION
More information (including pointers to the FAQ and the
mailing list) can be obtained from the sofware's official
homepage: www.ipfilter.org
SEE ALSO
ipf(SFF), ipf(ADMP), ipf(ADMN), ipfilter(M), ipfs(ADMN),
ipfstat(TC), ipftest(ADMN), ipl(ADMP), ipmon(SFF),
ipnat(SFF), ipnat(SFF),
Man(1) output converted with
man2html