NAME
ipfwadm - IP firewall and accounting administration

SYNOPSIS
ipfwadm -A command parameters [options]
ipfwadm -I command parameters [options]
ipfwadm -O command parameters [options]
ipfwadm -F command parameters [options]
ipfwadm -M [ -l | -s ] [options]

DESCRIPTION
Ipfwadm is used to set up, maintain, and inspect the IP
firewall and accounting rules in the Linux kernel.  These
rules can be divided into 4 different categories: accounting
of IP packets, the IP input firewall, the IP output
firewall, and the IP forwarding firewall.  For each of these
categories, a separate list of rules is maintained.  See
ipfw(4) for more details.

OPTIONS
The  options that are recognized by ipfwadm can be divided
into several different groups.

CATEGORIES
The following flags are used to  select  the  category  of
rules to which the given command applies:

-A [direction]
IP  accounting  rules.  Optionally, a direction can
be specified (in, out, or both), indicating whether
only   incoming   or  outgoing  packets  should  be
counted.  The default direction is both.

-I     IP input firewall rules.

-O     IP output firewall rules.

-F     IP forwarding firewall rules.

-M     IP masquerading administration.  This category  can
only  be  used in combination with the -l (list) or
-s (set timeout values) command.

Exactly one of these options has to be specified.

COMMANDS
The next options specify the specific action  to  perform.
Only  one  of  them  can be specified on the command line,
unless something else is listed in the description.

-a [policy]
Append one or more rules to the end of the selected
list.   For  the accounting chain, no policy should
be specified.  For firewall chains, it is  required



July 30, 1996                         1





IPFWADM(8)                                             IPFWADM(8)


to specify one of the following policies: accept, deny, or
reject.  When the source and/or destination names resolve
to more than one address, a rule will be added for each
possible address combination.

-i [policy]
Insert one or more rules at the beginning of the selected
list.  See the description of the -a command for more
details.

-d [policy]
Delete  one  or more entries from the selected list
of rules.  The semantics are equal to those of  the
append/insert  commands.   The specified parameters
should exactly match the parameters given  with  an
append  or  insert command, otherwise no match will
be found and the rule will not be removed from  the
list.   Only  the  first  matching rule in the list
will be deleted.

-l     List all the rules in the selected list.  This
command may be combined with the -z (reset counters to
zero) command.  In that case, the packet and byte counters
will be reset immediately after listing their current
values.  Unless the -x option is present, packet and byte
counters (if listed) will be shown as numberK or numberM,
where 1K means 1000 and 1M means 1000K (rounded to the
nearest integer value).  See also the -e and -x flags for
more capabilities.

-z     Reset the packet and byte counters of all the rules
in selected list.  This  command  may  be  combined
with the -l (list) command.

-f     Flush the selected list of rules.

-p policy
Change the default policy for the selected type of
firewall.  The given policy has to be one of accept, deny,
or reject.  The default policy is used when no matching
rule is found.  This operation is only valid for IP
firewalls, that is, in combination with the -I, -O, or -F
flag.

-s tcp tcpfin udp
Change the timeout values used for masquerading.  This
command always takes 3 parameters, representing the timeout
values (in seconds) for TCP sessions, TCP sessions after
receiving a FIN packet, and UDP packets, respectively.  A
timeout value 0 means that the current timeout value of the
corresponding entry is preserved.  This operation is
only allowed in combination with the -M flag.

-c     Check whether this IP packet would be accepted,
denied, or rejected by the selected type of firewall.  This
operation is only valid for IP firewalls, that is, in
combination with the -I, -O, or -F flag.

-h     Help.  Give a (currently very brief) description of
the command syntax.

PARAMETERS
The following parameters can be used in  combination  with
the append, insert, delete, or check commands:

-P protocol
The protocol of the rule or of the packet to check.  The
specified protocol can be one of tcp, udp, icmp, or all.
Protocol all will match with all protocols and is taken as
default when this option is omitted.  All may not be used
in combination with the check command.

-S address[/mask] [port ...]
Source specification (optional).  Address can be either a
hostname, a network name, or a plain IP address.  The mask
can be either a network mask or a plain number, specifying
the number of 1's at the left side of the network mask.
Thus, a mask of 24 is equivalent with 255.255.255.0.
The source may include one or more port specifications or
ICMP types.  Each of them can either be a service name, a
port number, or a (numeric) ICMP type.  In the rest of this
paragraph, a port means either a port specification or an
ICMP type.  One of these specifications may be a range of
ports, in the format port:port.  Furthermore, the total
number of ports specified with the source and destination
addresses should not be greater than IP_FW_MAX_PORTS
(currently 10).  Here a port range counts as 2 ports.
Packets not being the first fragment of a TCP, UDP, or
ICMP packet are always accepted by the firewall, so
port-based filtering is enforced on the first fragment
only.  For accounting purposes, these second and further
fragments are treated special, to be able to count them in
some way.  The port number 0xFFFF (65535) is used for a
match with the second and further fragments of TCP or UDP
packets.  These packets will be treated for accounting
purposes as if both their port numbers are 0xFFFF.  The
number 0xFF (255) is used for a match with the second and
further fragments of ICMP packets.  These packets will be
treated for accounting purposes as if their ICMP types are
0xFF.  Note that the specified command
and protocol may imply restrictions on the ports to be
specified.  Ports may only be specified in combination with
the tcp, udp, or icmp protocol.
When this option is omitted, the default address/mask
0.0.0.0/0 (matching with any address) is used as source
address.  This option is required in combination with the
check command, in which case also exactly one port has to
be specified.

-D address[/mask] [port ...]
Destination specification (optional).  See the description
of the -S (source) flag for a detailed description of the
syntax, default values, and other requirements.  Note that
ICMP types are not allowed in combination with the -D flag:
ICMP types can only be specified after the -S flag.

-V address
Optional address of an interface via which a packet is
received, or via which a packet is going to be sent.
Address can be either a hostname or a plain IP address.
When a hostname is specified, it should resolve to exactly
one IP address.  When this option is omitted, the address
0.0.0.0 is assumed, which has a special meaning and will
match with any interface address.  For the check command,
this option is mandatory.

-W name
Optional name of an interface via which a packet is
received, or via which a packet is going to be sent.  When
this option is omitted, the empty string is assumed, which
has a special meaning and will match with any interface
name.  For the check command, this option is mandatory.
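The check command (-c) combines most of the restrictions listed under these parameters: it is only valid for -I, -O or -F, refuses protocol all, wants exactly one port after -S, and needs both -V and -W.  The script below is an example added to this page, not part of ipfwadm or its author's documentation.  It wraps ipfwadm -c in a shell function that verifies those constraints before running the query, and feeds it a small table of constructed test packets.  The interface 192.0.2.1 / eth0 and the 203.0.113.x addresses are assumed values.  For icmp the -D port is left out, because ICMP types may only follow -S; whether -c then still wants a destination port is not stated on this page, so treat that choice as an assumption.  IPFWADM can be pointed at a shell function that prints its arguments to see the command without a kernel that supports it.

```shell
#!/bin/sh
# Example added to this page (not from the ipfwadm author): a wrapper around
# "ipfwadm -c" that checks the constraints the PARAMETERS section puts on
# the check command before running it, so a malformed query fails with a
# reason instead of a terse usage error.
IPFWADM=${IPFWADM:-ipfwadm}    # set to a wrapper function to preview

# check_pkt CHAIN PROTO SRC SPORT DST DPORT IFADDR IFNAME
#   CHAIN  -I, -O or -F (the check command is only valid for firewalls)
#   PROTO  tcp, udp or icmp (all is not allowed with -c)
#   SPORT  exactly one port, or one ICMP type for PROTO=icmp
#   DPORT  one port; ignored for icmp (types may only follow -S; assumed)
#   IFADDR address for -V, IFNAME name for -W (both mandatory with -c)
check_pkt() {
    chain=$1 proto=$2 src=$3 sport=$4 dst=$5 dport=$6 ifaddr=$7 ifname=$8
    case $chain in
        -I|-O|-F) ;;
        *) echo "check_pkt: $chain is not a firewall category (-I, -O, -F)" >&2; return 2 ;;
    esac
    case $proto in
        tcp|udp|icmp) ;;
        *) echo "check_pkt: protocol must be tcp, udp or icmp, not '$proto'" >&2; return 2 ;;
    esac
    case $sport in
        ''|*:*|*' '*) echo "check_pkt: -S takes exactly one port (or ICMP type) with -c" >&2; return 2 ;;
    esac
    if [ -z "$ifaddr" ] || [ -z "$ifname" ]; then
        echo "check_pkt: -V and -W are mandatory with -c" >&2; return 2
    fi
    if [ "$proto" = icmp ]; then
        set -- "$chain" -c -P "$proto" -S "$src" "$sport" -D "$dst" -V "$ifaddr" -W "$ifname"
    else
        set -- "$chain" -c -P "$proto" -S "$src" "$sport" -D "$dst" "$dport" -V "$ifaddr" -W "$ifname"
    fi
    "$IPFWADM" "$@"
}

# check_suite: run every packet read from stdin (one per line: PROTO SRC
# SPORT DST DPORT IFADDR IFNAME, '#' starts a comment) against the input
# firewall; a packet that cannot be checked makes the suite fail.
check_suite() {
    rc=0
    while read -r proto src sport dst dport ifaddr ifname; do
        case $proto in ''|'#'*) continue ;; esac
        check_pkt -I "$proto" "$src" "$sport" "$dst" "$dport" "$ifaddr" "$ifname" || rc=1
    done
    return "$rc"
}

# Constructed sample (assumed addresses): an inbound HTTP SYN, a DNS reply
# to an unprivileged port, and an ICMP echo request (type 8), all arriving
# on the external interface 192.0.2.1 / eth0.
sample_packets() {
    cat <<'EOF'
# proto src          sport  dst        dport ifaddr     ifname
tcp     203.0.113.9  40000  192.0.2.1  80    192.0.2.1  eth0
udp     203.0.113.53 53     192.0.2.1  1025  192.0.2.1  eth0
icmp    203.0.113.9  8      192.0.2.1  -     192.0.2.1  eth0
EOF
}
```

Usage: `sample_packets | check_suite` after the rules are loaded; the verdict for each packet is whatever ipfwadm -c prints, the wrapper only guarantees that every query it passes on is well-formed.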

OTHER OPTIONS
The following additional options can be specified:

-b     Bidirectional mode.  The rule will  match  with  IP
packets  in  both  directions.  This option is only
valid in combination with the  append,  insert,  or
delete commands.

-e     Extended output.  This option makes the list command
also show the interface address and the rule options (if
any).  For firewall lists, also the packet and byte
counters (the default is to only show these counters for
the accounting rules) and the TOS masks will be listed.
When used in combination with -M, information related to
delta sequence numbers will also be listed.  This option is
only valid in combination with the list command.

-k     Only match TCP packets with the ACK bit set (this
option will be ignored for packets of other protocols).
This option is only valid in combination with the append,
insert, or delete command.

-m     Masquerade  packets  accepted for forwarding.  When
this option is set, packets accepted by  this  rule
will  be masqueraded as if they originated from the
local host.  Furthermore, reverse packets  will  be
recognized  as  such and they will be demasqueraded
automatically, bypassing the  forwarding  firewall.
This  option  is  only valid in forwarding firewall
rules with policy accept (or when specifying accept
as  default  policy)  and can only be used when the
kernel  is   compiled   with   CONFIG_IP_MASQUERADE
defined.

-n     Numeric output.  IP addresses and port numbers will
be printed in numeric format.  By default, the program will
try to display them as host names, network names, or
services (whenever applicable).

-o     Turn on kernel logging of matching  packets.   When
this  option  is  set  for a rule, the Linux kernel
will print some information of all matching packets
(like  most  IP  header fields) via printk().  This
option will only be effective when the Linux kernel
is    compiled    with   CONFIG_IP_FIREWALL_VERBOSE
defined.  This option is only valid in  combination
with the append, insert or delete command.

-r [port]
Redirect packets to a local socket.  When this option is
set, packets accepted by this rule will be redirected to a
local socket, even if they were sent to a remote host.  If
the specified redirection port is 0, which is the default
value, the destination port of a packet will be used as the
redirection port.  This option is only valid in input
firewall rules with policy accept and can only be used when
the Linux kernel is compiled with CONFIG_IP_TRANSPARENT_PROXY
defined.

-t andmask xormask
Masks used for modifying the TOS field in the IP header.
When a packet is accepted (with or without masquerading) by
a firewall rule, its TOS field is first bitwise and'ed with
the first mask and the result of this will be bitwise
xor'ed with the second mask.  The masks should be specified
as hexadecimal 8-bit values.  This option is only valid in
combination with the append, insert or delete command and
will have no effect when used in combination with
accounting rules or firewall rules for
rejecting or denying a packet.

-v     Verbose output.  Print detailed information of  the
rule  or  packet  to be added, deleted, or checked.
This option will only have effect with the  append,
insert, delete, or check command.

-x     Expand  numbers.   Display  the  exact value of the
packet and  byte  counters,  instead  of  only  the
rounded  number  in  K's (multiples of 1000) or M's
(multiples of 1000K).  This option will  only  have
effect  when  the  counters  are listed anyway (see
also the -e option).

-y     Only match TCP packets with the SYN bit set and the
ACK  bit  cleared  (this option will be ignored for
packets of other protocols).  This option  is  only
valid  in  combination  with the append, insert, or
delete command.
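The script below is an example added to this page, not the author's code, and it puts the commands, parameters and options described above together into one ruleset for a small gateway.  Assumed layout: eth0 with address 192.0.2.1 faces the outside, eth1 faces 192.168.1.0/24, a web proxy listens locally on port 3128, and the kernel was built with CONFIG_IP_MASQUERADE and CONFIG_IP_TRANSPARENT_PROXY.  The rules are kept as one list of lines that is replayed with -a to load and with -d to unload, which is the simplest way to satisfy the requirement that -d gets exactly the parameters that were given to -a.  Rules are tried in order, so the anti-spoofing rule is first.

```shell
#!/bin/sh
# Example added to this page (not the ipfwadm author's code): a complete
# ruleset for a small two-interface gateway.  Assumed layout: eth0
# (192.0.2.1) faces the outside, eth1 faces 192.168.1.0/24, a proxy
# listens on local port 3128.  Adjust the variables before use.
EXT_IF=eth0  EXT_IP=192.0.2.1
INT_IF=eth1  INT_NET=192.168.1.0/24
ANY=0.0.0.0/0
IPFWADM=${IPFWADM:-ipfwadm}    # set to "echo" to preview the commands

# One rule per line: the category flag, then everything that follows -a.
# apply() loads each line with -a and teardown() removes it with -d, so
# both always see byte-identical parameters (a -d whose parameters differ
# finds nothing).  Reading the input rules in order:
#  1. internal addresses arriving on eth0 are spoofed: deny and log (-o);
#  2-3. loopback and the internal side are trusted;
#  4. -k admits any TCP segment with ACK set, i.e. replies to connections
#     opened from here; the filter is stateless, so this also lets ACK
#     probes through to closed ports, which is the price of the design;
#  5. new connections (-y: SYN set, ACK clear) only to SMTP and HTTP;
#  6. DNS answers to unprivileged ports (a range counts as 2 of the
#     IP_FW_MAX_PORTS slots);
#  7. internal web traffic is redirected to the local proxy (-r).
# Output: interactive TCP gets TOS minimize-delay with -t 01 10, that is
# (tos & 0x01) ^ 0x10; everything else leaves unchanged.  Forward: the
# internal net is masqueraded behind eth0 (-m).  Accounting: outbound and
# inbound SMTP, and non-first TCP fragments (port 65535), which the
# firewall itself always accepts, so at least they get counted.
rules() {
    cat <<EOF
-I deny -S $INT_NET -W $EXT_IF -o
-I accept -W lo
-I accept -S $INT_NET -W $INT_IF
-I accept -P tcp -S $ANY -D $ANY -k -W $EXT_IF
-I accept -P tcp -S $ANY -D $EXT_IP 25 80 -y -W $EXT_IF
-I accept -P udp -S $ANY 53 -D $EXT_IP 1024:65535 -W $EXT_IF
-I accept -P tcp -S $INT_NET -D $ANY 80 -W $INT_IF -r 3128
-O accept -P tcp -S $ANY -D $ANY 22 23 -t 01 10
-O accept
-F accept -m -S $INT_NET -D $ANY -W $EXT_IF
-A -P tcp -S $ANY -D $ANY 25
-A -P tcp -S $ANY 65535 -D $ANY 65535
EOF
}

# each_rule CMD: run "ipfwadm CATEGORY CMD PARAMS" for every rule line;
# CMD is -a to add or -d to delete.  Stops at the first failure.
each_rule() {
    while read -r chain params; do
        # $params is deliberately unquoted: the line is the argument list.
        "$IPFWADM" "$chain" "$1" $params || return 1
    done <<EOF
$(rules)
EOF
}

# apply: set each firewall to deny first and flush it second, so that no
# packet is accepted by default while the new rules are being loaded, then
# add the rules in order.  The accounting list has no policy, only a flush.
apply() {
    for chain in -I -O -F; do
        "$IPFWADM" "$chain" -p deny && "$IPFWADM" "$chain" -f || return 1
    done
    "$IPFWADM" -A -f || return 1
    each_rule -a
}

teardown() { each_rule -d; }

case ${1:-} in
    up)   apply ;;
    down) teardown ;;
    show) rules ;;
esac
```

`sh gateway.sh up` loads the set, `sh gateway.sh down` replays the same lines with -d, and `IPFWADM=echo sh gateway.sh up` prints the nineteen commands without touching the kernel.  Setting the policy before flushing is deliberate: a flush followed by -p deny would leave the old default policy in force for the time in between.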

FILES
/proc/net/ip_acct
/proc/net/ip_input
/proc/net/ip_output
/proc/net/ip_forward
/proc/net/ip_masquerade

SEE ALSO
ipfw(4)

AUTHOR
Jos Vos 
X/OS Experts in Open Systems BV, Amsterdam, The Netherlands