A rule file for iippff may have any name or even be stdin. As
iippffssttaatt produces parsable rules as output when displaying the internal
kernel filter lists, it is quite plausible to use its output to feed back
into iippff. Thus, to remove all filters on input packets, the following
could be done:
# ipfstat -i | ipf -rf -
The format used by iippff for construction of filtering rules can be
described using the following grammar in BNF:
filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ] [ proto ] ip [ group ].
insert = "@" decnumber . action = block | "pass" | log | "count" | skip | auth | call . in-out = "in" | "out" . options = [ log ] [ tag ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] [ replyto ] ] . tos = "tos" decnumber | "tos" hexnumber . ttl = "ttl" decnumber . proto = "proto" protocol . ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] . group = [ "head" decnumber ] [ "group" decnumber ] .
block = "block" [ return-icmp[return-code] | "return-rst" ] . log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] . tag = "tag" tagid . skip = "skip" decnumber . auth = "auth" | "preauth" . call = "call" [ "now" ] function-name . dup = "dup-to" interface-name [ ":" ipaddr ] . froute = "fastroute" | "to" interface-name [ ":" ipaddr ] . replyto = "reply-to" interface-name [ ":" ipaddr ] . protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber . srcdst = "all" | fromto . fromto = "from" [ "!" ] object "to" [ "!" ] object .
return-icmp = "return-icmp" | "return-icmp-as-dest" .
return-code = "(" icmp-code ")" .
object = addr [ port-comp | port-range ] .
addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
addr = "any" | "
nummask = host-name [ "/" decnumber ] .
host-name = ipaddr | hostname | "any" .
ipaddr = host-num "." host-num "." host-num "." host-num .
host-num = digit [ digit [ digit ] ] .
port-num = service-name | decnumber .
state-options = state-opts [ "," state-options ] .
state-opts = "age" decnumber [ "/" decnumber ] | "strict" |
"no-icmp-err" | "limit" decnumber | "newisn" | "sync" .
withopt = [ "not" | "no" ] opttype [ withopt ] .
opttype = "ipopts" | "short" | "frag" | "opt" optname .
optname = ipopts [ "," optname ] .
ipopts = optlist | "sec-class" [ secname ] .
secname = seclvl [ "," secname ] .
seclvl = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
"reserv-4" | "secret" | "topsecret" .
icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
"timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
"inforep" | "maskreq" | "maskrep" | decnumber .
icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
"needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
"net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
"filter-prohib" | "host-preced" | "cutoff-preced" .
optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
"tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" |
"addext" | "visa" | "imitd" | "eip" | "finn" .
facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" |
"lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" |
"audit" | "logalert" | "local0" | "local1" | "local2" |
"local3" | "local4" | "local5" | "local6" | "local7" .
priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
"info" | "debug" .
hexnumber = "0" "x" hexstring .
hexstring = hexdigit [ hexstring ] .
decnumber = digit [ decnumber ] .
compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" |
"gt" | "le" | "ge" .
range = "<>" | "><" .
hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
flag = "F" | "S" | "R" | "P" | "A" | "U" .
This syntax is somewhat simplified for readability, some combinations
that match this grammar are disallowed by the software because they do
not make sense (such as tcp ffllaaggss for non-TCP packets).
The "briefest" valid rules are (currently) no-ops and are of the form:
Filter rules are checked in order, with the last matching rule
determining the fate of the packet (but see the qquuiicckk option,
below).
Filters are installed by default at the end of the kernel's filter
lists, prepending the rule with @@nn will cause it to be inserted
as the n'th entry in the current list. This is especially useful when
modifying and testing active filter rulesets. See ipf(8) for more
information.
The action indicates what to do with the packet if it matches the rest
of the filter rule. Each rule MUST have an action. The following
actions are recognised:
Would return a Type-Of-Service (TOS) ICMP unreachable error.
The next word must be either iinn or oouutt. Each packet
moving through the kernel is either inbound (just been received on an
interface, and moving towards the kernel's protocol processing) or
outbound (transmitted or forwarded by the stack, and on its way to an
interface). There is a requirement that each filter rule explicitly
state which side of the I/O it is to be used on.
The list of options is brief, and all are indeed optional. Where
options are used, they must be present in the order shown here. These
are the currently supported options:
The keywords described in this section are used to describe attributes
of the packet to be used when determining whether rules match or don't
match. The following general-purpose attributes are provided for
matching, and must be used in this order:
The ffrroomm and ttoo keywords are used to match against IP
addresses (and optionally port numbers). Rules must specify BOTH
source and destination parameters.
IP addresses may be specified in one of two ways: as a numerical
address//mask, or as a hostname mmaasskk netmask. The hostname
may either be a valid hostname, from either the hosts file or DNS
(depending on your configuration and library) or of the dotted numeric
form. There is no special designation for networks but network names
are recognised. Note that having your filter rules depend on DNS
results can introduce an avenue of attack, and is discouraged.
There is a special case for the hostname aannyy which is taken to
be 0.0.0.0/0 (see below for mask syntax) and matches all IP addresses.
Only the presence of "any" has an implied mask, in all other
situations, a hostname MUST be accompanied by a mask. It is possible
to give "any" a hostmask, but in the context of this language, it is
non-sensical.
The numerical format "x//y" indicates that a mask of y
consecutive 1 bits set is generated, starting with the MSB, so a y value
of 16 would give 0xffff0000. The symbolic "x mmaasskk y" indicates
that the mask y is in dotted IP notation or a hexadecimal number of
the form 0x12345678. Note that all the bits of the IP address
indicated by the bitmask must match the address on the packet exactly;
there isn't currently a way to invert the sense of the match, or to
match ranges of IP addresses which do not express themselves easily as
bitmasks (anthropomorphization; it's not just for breakfast anymore).
If a ppoorrtt match is included, for either or both of source and
destination, then it is only applied to
TCP and UDP packets. If there is no pprroottoo match parameter,
packets from both protocols are compared. This is equivalent to "proto
tcp/udp". When composing ppoorrtt comparisons, either the service
name or an integer port number may be used. Port comparisons may be
done in a number of forms, with a number of comparison operators, or
port ranges may be specified. When the port appears as part of the
ffrroomm object, it matches the source port number, when it appears
as part of the ttoo object, it matches the destination port number.
See the examples for more information.
The aallll keyword is essentially a synonym for "from any to any"
with no other match parameters.
Following the source and destination matching parameters, the
following additional parameters may be used:
... flags SA
# becomes "flags SA/AUPRFS" and will match any
# packet with only the SYN and ACK flags set.
... flags S/SA
# will match any packet with just the SYN flag set
# out of the SYN-ACK pair; the common "establish"
# keyword action. "S/SA" will NOT match a packet
# with BOTH SYN and ACK set, but WILL match "SFP".
The second last parameter which can be set for a filter rule is whether or not
to record historical information for that packet, and what sort to keep. The
following information can be kept:
allowing packets which match these to flow straight through, rather
than going through the access control list.
A rule may be both the head for a new group and a member of a non-default
group (hheeaadd and ggrroouupp may be used together in a rule).
When a packet is logged, with either the lloogg action or option,
the headers of the packet are written to the iippll packet logging
pseudo-device. Immediately following the lloogg keyword, the
following qualifiers may be used (in order):
See ipl(4) for the format of records written
to this device. The ipmon(8) program can be used to read and format
this log.
The qquuiicckk option is good for rules such as:
which will match any packet with a non-standard header length (IP
options present) and abort further processing of later rules,
recording a match and also that the packet should be blocked.
The "fall-through" rule parsing allows for effects such as this:
which sets up the range 6000-6003 as being permitted and all others being
denied. Note that the effect of the first rule is overridden by subsequent
rules. Another (easier) way to do the same is:
Note that both the "block" and "pass" are needed here to effect a
result as a failed match on the "block" action does not imply a pass,
only that the rule hasn't taken effect. To then allow ports < 1024, a
rule such as:
would be needed before the first block. To create a new group for
processing all inbound packets on le0/le1/lo0, with the default being to block
all inbound packets, we would do something like:
and to then allow ICMP packets in on le0, only, we would do:
Note that because only inbound packets on le0 are used processed by group 100,
there is no need to respecify the interface name. Likewise, we could further
breakup processing of TCP, etc, as follows:
and so on. The last line, if written without the groups would be:
Note, that if we wanted to say "port = telnet", "proto tcp" would
need to be specified as the parser interprets each rule on its own and
qualifies all service/port names with the protocol specified.
FILTER RULES
block in all
pass in all
log out all
count in all
ACTIONS
block return-icmp(11) ...
OPTIONS
MATCHING PARAMETERS
F - FIN
S - SYN
R - RST
P - PUSH
A - ACK
U - URG
... flags S
# becomes "flags S/AUPRFS" and will match
# packets with ONLY the SYN flag set.
KEEP HISTORY
GROUPS
The last pair of parameters control filter rule "grouping". By default, all
filter rules are placed in group 0 if no other group is specified. To add a
rule to a non-default group, the group must first be started by creating a
group _h_e_a_d. If a packet matches a rule which is the _h_e_a_d of a
group, the filter processing then switches to the group, using that rule as
the default for the group. If qquuiicckk is used with a hheeaadd rule, rule
processing isn't stopped until it has returned from processing the group.
LOGGING
EXAMPLES
block in quick from any to any with ipopts
block in from any to any port < 6000
pass in from any to any port >= 6000
block in from any to any port > 6003
block in from any to any port 6000 <> 6003
pass in from any to any port 5999 >< 6004
pass in quick from any to any port < 1024
block in all
block in quick on le0 all head 100
block in quick on le1 all head 200
block in quick on lo0 all head 300
pass in proto icmp all group 100
block in proto tcp all head 110 group 100
pass in from any to any port = 23 group 110
pass in on le0 proto tcp from any to any port = telnet
FILES
/dev/ipauth
/dev/ipl
/dev/ipstate
/etc/hosts
/etc/services
/usr/share/examples/ipf Directory with examples.
SEE ALSO
ipftest(1), iptest(1), mkfilters(1), ipf(4), ipnat(5), ipf(8), ipfstat(8)