ipfilter (M)




NAME

     ipfilter - Introduction to IP packet filtering


DESCRIPTION

     IP Filter is a TCP/IP packet filter, suitable for use  in  a
     firewall  environment.  It  can  be  used  either  as a load-
     able kernel module or incorporated into your UNIX kernel; use
     as  a  loadable  kernel  module  is  highly recommended where
     possible. Scripts are provided to install  and  patch  system
     files, as required.


FEATURES

     The IP packet filter can:

          explicitly deny/permit any packet from passing through

          distinguish between various interfaces

          filter by IP networks or hosts

          selectively filter any IP protocol

          selectively filter fragmented IP packets

          selectively filter packets with IP options

          send back an ICMP error/TCP reset for blocked packets

          keep packet state information for  TCP,  UDP  and  ICMP
          packet flows

          keep fragment state  information  for  any  IP  packet,
          applying the same rule to all fragments.

          act as a Network Address Translator (NAT)

          use redirection to setup true transparent proxy connec-
          tions

          provide packet header details to  a  user  program  for
          authentication

          in  addition,  support  temporary  storage   of   pre-
          authenticated rules for passing packets through

     Special provision is made for the three most common Internet
     protocols,  TCP,  UDP  and ICMP. The IP Packet filter allows
     filtering of:

          Inverted host/net matching

          TCP/UDP packets by port number or a port number range

          ICMP packets by type/code

          "established" TCP packets

          any arbitrary combination of TCP flags

          "short" (fragmented) IP packets with incomplete headers

          any of the 19 IP options or 8  registered  IP  security
          classes

          TOS (Type of Service) field in packets

     To keep track of the performance of the IP packet filter,  a
     logging device is used which supports logging of:

          the TCP/UDP/ICMP and IP packet headers

          the first 128 bytes of the packet (including headers)

     A packet can be logged when:

          it is successfully passed through

          it is blocked from passing through

          it matches a rule setup to look for suspicious packets

     IP Filter keeps its own set of statistics on:

          packets blocked

          packets (and bytes!) used for accounting

          packets passed

          packets logged

          attempts to log which failed (buffer full)

          and much more, for packets going both in and out.


Tools

     The current implementation provides a small  set  of  tools,
     which  can  easily  be used and integrated with regular unix
     shells and tools. A brief description of the tools provided:

     ipf(ADMN) reads in a set of rules, from either stdin or a file,
     and adds them to the kernel's current list (appending  them).
     It can also be used to  flush  the  current  filter  set  or
     delete individual filter rules. The file format is described
     in ipf(SFF).

     ipfs(ADMN) is a utility to temporarily lock the IP Filter  ker-
     nel tables (state tables and NAT mappings) and write them to
     disk. After that the system can be rebooted, and ipfs can be
     used  to  read  these tables from disk and restore them into
     the kernel. This way the system can be rebooted without  the
     connections being terminated.

     ipfstat(ADMN) interrogates the kernel for statistics on  packet
     filtering,  so  far,  and  retrieves  the list of filters in
     operation for inbound and outbound packets.

     ipftest(ADMN) reads in a filter rule file and then applies sam-
     ple  IP packets to the rule file. This allows for testing of
     filter list and examination of how a packet is passed  along
     through it.

     ipmon(TC)  reads  buffered  data  from  the  logging   device
     (default is /dev/ipl) for output to either:

          screen (standard output)

          file

          syslog

     ipsend(C) generates arbitrary IP packets for Ethernet-connected
     machines.

     ipresend(C) reads in a data file of saved  IP  packets  (i.e.
     snoop/tcpdump/etherfind output) and sends it back across the
     network.

     ipnat(ADMN) reads in a set of rules, from  either  stdin  or  a
     file and adds them to the kernel's current list of active NAT
     rules. NAT rules can also be deleted using ipnat. The format
     of the configuration file to be used with ipnat is described
     in ipnat(SFF).

     For use in your own programs (e.g. for writing  transparent
     application  proxies),  the  programming  interface and the
     associated ioctls are documented in ipf(ADMP).

     Documentation on ioctls and the format of data saved to  the
     logging  character  device is provided in ipl(ADMP) so that you
     may develop your own applications to work with or  in  place
     of any of the above.

     Similarly, the interface to the NAT  code  is  documented  in
     ipnat(ADMP).
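     The tools above all operate on rule files in the ipf(SFF)
     syntax. The ruleset below is an added example written for
     this page; it is not shipped with IP Filter, and the external
     interface name le0, the web server 192.168.1.10, the internal
     network 192.168.1.0/24 and the management network
     198.51.100.0/24 are assumed values.

```
# Constructed example ruleset for ipf; interface and addresses are assumptions.
# Rules are read in order. The last matching rule decides, unless a matching
# rule says "quick", which ends the search immediately.

# Loopback traffic is never filtered.
pass in quick on lo0 all
pass out quick on lo0 all

# Default for the external interface: block and log anything not passed below.
# No "quick", so later matching rules can override it.
block in log on le0 all

# Reject damaged or evasive packets before any port matching is attempted:
# fragments too short to carry a full header, packets with IP options,
# and packets claiming a loopback or internal source from outside.
block in log quick on le0 all with short
block in log quick on le0 all with ipopts
block in log quick on le0 from 127.0.0.0/8 to any
block in log quick on le0 from 192.168.1.0/24 to any

# Answer ident probes with a TCP reset rather than a silent drop.
block return-rst in quick on le0 proto tcp from any to any port = 113

# Inbound web traffic: only the connection-opening SYN needs a rule;
# every later packet of the flow is passed by the state table.
pass in quick on le0 proto tcp from any to 192.168.1.10 port = 80 flags S keep state

# Outbound from the internal network, with state so that replies
# return without needing inbound rules of their own.
pass out quick on le0 proto tcp from 192.168.1.0/24 to any flags S keep state
pass out quick on le0 proto udp from 192.168.1.0/24 to any keep state
pass out quick on le0 proto icmp from 192.168.1.0/24 to any keep state

# A rule group: the rules in group 100 are consulted only for packets
# that match the "head 100" rule, here SSH to the server.
block in quick on le0 proto tcp from any to 192.168.1.10 port = 22 head 100
pass in quick proto tcp from 198.51.100.0/24 to 192.168.1.10 port = 22 flags S keep state group 100
```

     Before loading such a file into a running kernel, run sample
     packets through it with ipftest(ADMN) (ipftest -r rulefile
     -i packetfile) and check that each verdict is the intended
     one; then load it with ipf -Fa -f rulefile, which flushes the
     old set first, and confirm the installed list with ipfstat
     -io. ipfs -W before a reboot and ipfs -R after it carry the
     state and NAT tables across, and ipmon -s sends the log
     records to syslog.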


PACKET PROCESSING FLOW

     The following diagram illustrates the flow of TCP/IP packets
     through the various stages introduced by IP Filter.

                                        IN
                                         |
                                         V
               +-------------------------+--------------------------+
               |                         |                          |
               |                         V                          |
               |            Network Address Translation             |
               |                         |                          |
               |         authenticated   |                          |
               |       +-------<---------+                          |
               |       |                 |                          |
               |       |                 V                          |
               |       V           IP Accounting                    |
               |       |                 |                          |
               |       |                 V                          |
               |       |        Fragment Cache Check--+             |
               |       |                 |            |             |
               |       V                 V            V             |
               |       |         Packet State Check-->+             |
               |       |                 |            |             |
               |       |       +->--+    |            |             |
               |       |       |    |    V            |             |
               |       V   groups   IP Filtering      V             |
               |       |       |    |    |            |             |
               |       |       +--<-+    |            |             |
               |       |                 |            |             |
               |       +---------------->|<-----------+             |
               |                         |                          |
               |                         V                          |
               |                +---<----+                          |
               |                |        |                          |
               |            function     |                          |
               |                |        V                          |
               |                +--->----+                          |
               |                         |                          |
               |                         V                          |
            +--|---<--- fast-route ---<--+                          |
            |  |                         |                          |
            |  |                         V                          |
            |  +-------------------------+--------------------------+
            |                            |
            |                        pass only
            |                            |
            |                            V
            V               [KERNEL TCP/IP Processing]
            |                            |
            |  +-------------------------+--------------------------+
            |  |                         |                          |
            |  |                         V                          |
            |  |                Fragment Cache Check--+             |
            |  |                         |            |             |
            |  |                         V            V             |
            |  |                 Packet State Check-->+             |
            |  |                         |            |             |
            |  |                         V            |             |
            V  |                    IP Filtering      |             |
            |  |                         |            V             |
            |  |                         |<-----------+             |
            |  |                         V                          |
            |  |                   IP Accounting                    |
            |  |                         |                          |
            |  |                         V                          |
            |  |            Network Address Translation             |
            |  |                         |                          |
            |  |                         V                          |
            |  +-------------------------+--------------------------+
            |                            |
            |                        pass only
            V                            |
            +--------------------------->|
                                         V
                                        OUT
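     The feature list earlier and the diagram above both describe
     how state keeping and rule evaluation fit together. The
     following Python model is an added example for this page, not
     IP Filter's kernel code: it walks constructed packets through
     the inbound half of the diagram, the Packet State Check first
     and then IP Filtering over an ordered rule list in which the
     last matching rule wins unless a matching rule is marked
     quick. Packet, Rule and Filter are this example's own names;
     the ruleset built in demo() mirrors ipf syntax in its comments
     but is constructed, and NAT, accounting, the fragment cache
     and groups are left out.

```python
# Added example, not IP Filter's own code: a small model of the inbound path,
# Packet State Check first, then IP Filtering over an ordered rule list.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TCP_FLAGS = frozenset("FSRPAU")  # the six flags ipf's "flags" keyword masks by default


@dataclass(frozen=True)
class Packet:
    """Header fields the filter looks at (sample packets below are constructed)."""
    direction: str                 # "in" or "out"
    iface: str                     # interface the packet arrived on
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags set, e.g. {"S"} or {"S", "A"}
    short: bool = False             # fragment too short to carry a full header


@dataclass
class Rule:
    """One ipf-style rule; None in a field means 'any' for that field."""
    action: str                    # "pass" or "block"
    direction: str                 # "in" or "out"
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None      # CIDR, e.g. "10.0.0.0/8"
    dst: Optional[str] = None
    dport: Optional[int] = None
    flags: Optional[frozenset] = None  # "flags S": S set and the other masked flags clear
    quick: bool = False            # stop the search as soon as this rule matches
    keep_state: bool = False       # create a state entry when the packet passes
    log: bool = False              # write a record to the log device
    return_rst: bool = False       # "block return-rst": answer TCP with a reset
    with_short: bool = False       # "with short": only short fragments match

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction:
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.flags is not None and (p.flags & TCP_FLAGS) != self.flags:
            return False
        if self.with_short and not p.short:
            return False
        return True


class Filter:
    """Packet State Check, then IP Filtering, as in the diagram's inbound path."""

    def __init__(self, rules, default="pass"):
        self.rules = rules
        self.default = default  # ipf passes a packet no rule matches unless built to block
        self.state = set()      # flow keys created by "keep state"
        self.log = []           # records ipmon would read from the logging device
        self.stats = {"passed": 0, "blocked": 0, "state": 0, "logged": 0}

    def process(self, p: Packet) -> str:
        forward = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        # A packet of a known flow passes on state alone, before any rule is read.
        if forward in self.state or reverse in self.state:
            self.stats["state"] += 1
            self.stats["passed"] += 1
            return "pass"
        winner = None  # last matching rule wins unless a match is "quick"
        for rule in self.rules:
            if rule.matches(p):
                winner = rule
                if rule.quick:
                    break
        if winner is None:
            verdict = self.default
        else:
            verdict = winner.action
            if winner.log:
                self.log.append((verdict, p.proto, p.src, p.sport, p.dst, p.dport))
                self.stats["logged"] += 1
            if verdict == "pass" and winner.keep_state:
                self.state.add(forward)
            if verdict == "block" and winner.return_rst and p.proto == "tcp":
                verdict = "block return-rst"
        self.stats["passed" if verdict == "pass" else "blocked"] += 1
        return verdict


def demo():
    """Constructed ruleset and packets; returns the filter and one verdict per packet."""
    rules = [
        Rule("block", "in", iface="le0", log=True),                      # block in log on le0 all
        Rule("pass", "in", iface="le0", proto="udp", dst="192.168.1.10/32", dport=53),  # no quick
        Rule("pass", "in", iface="le0", proto="tcp", dst="192.168.1.10/32", dport=80,
             flags=frozenset("S"), quick=True, keep_state=True),         # port 80 flags S keep state
        Rule("block", "in", iface="le0", proto="tcp", dport=113, quick=True, return_rst=True),
        Rule("block", "in", iface="le0", quick=True, with_short=True),  # block in quick all with short
    ]
    f = Filter(rules)
    packets = [  # constructed; 203.0.113.7 is a documentation address
        Packet("in", "le0", "tcp", "203.0.113.7", 40000, "192.168.1.10", 80, frozenset("S")),
        Packet("in", "le0", "tcp", "203.0.113.7", 40000, "192.168.1.10", 80, frozenset("A")),
        Packet("in", "le0", "tcp", "203.0.113.7", 40001, "192.168.1.10", 80, frozenset("A")),
        Packet("in", "le0", "udp", "203.0.113.7", 5353, "192.168.1.10", 53),
        Packet("in", "le0", "tcp", "203.0.113.7", 40002, "192.168.1.10", 113, frozenset("S")),
        Packet("in", "le0", "tcp", "203.0.113.7", 40003, "192.168.1.10", 22, frozenset("S")),
        Packet("in", "le0", "tcp", "203.0.113.7", 40004, "192.168.1.10", 80, short=True),
    ]
    return f, [f.process(p) for p in packets]


if __name__ == "__main__":
    flt, verdicts = demo()
    for v in verdicts:
        print(v)
    print(flt.stats)
```

     The second packet shows why the state check sits before the
     rules: a bare ACK of the web flow opened by the first packet
     passes on the state entry, while the third packet, an ACK
     with no matching state, falls back to the non-quick default
     block rule and is logged. The UDP packet passes because the
     later port 53 rule overrides the earlier block, and the
     ident probe gets a reset instead of a silent drop.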


MORE INFORMATION

     More information (including pointers  to  the  FAQ  and  the
     mailing  list)  can  be obtained from the software's official
     homepage: www.ipfilter.org


SEE ALSO

     ipf(SFF),  ipf(ADMP),  ipf(ADMN),  ipfilter(M),  ipfs(ADMN),
     ipfstat(TC),     ipftest(ADMN),    ipl(ADMP),    ipmon(SFF),
     ipnat(SFF)

