From owner-man-jp-reviewer@jp.freebsd.org  Fri Sep 25 22:47:14 1998
Received: (from daemon@localhost)
	by jaz.jp.freebsd.org (8.9.1+3.0W/8.7.3) id WAA16342;
	Fri, 25 Sep 1998 22:47:14 +0900 (JST)
	(envelope-from owner-man-jp-reviewer@jp.FreeBSD.org)
Received: from mail.yk.rim.or.jp (root@mail.yk.rim.or.jp [202.247.130.37])
	by jaz.jp.freebsd.org (8.9.1+3.0W/8.7.3) with ESMTP id WAA16337
	for <man-jp-reviewer@jp.freebsd.org>; Fri, 25 Sep 1998 22:47:12 +0900 (JST)
	(envelope-from k-horik@yk.rim.or.jp)
Received: from localhost (ppp150.yk.rim.or.jp [202.247.134.150])
	by mail.yk.rim.or.jp (8.8.5/3.6W-RIMNET-98-06-09) with ESMTP id WAA00494
	for <man-jp-reviewer@jp.freebsd.org>; Fri, 25 Sep 1998 22:47:07 +0900 (JST)
To: man-jp-reviewer@jp.freebsd.org
X-Mailer: Mew version 1.93 on Emacs 19.28 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Message-Id: <19980925224614J.k-horik@yk.rim.or.jp>
Date: Fri, 25 Sep 1998 22:46:14 +0900
From: Kazuo Horikawa <k-horik@yk.rim.or.jp>
X-Dispatcher: imput version 980905(IM100)
Lines: 527
Reply-To: man-jp-reviewer@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+980914
X-Sequence: man-jp-reviewer 478
Subject: [man-jp-reviewer 478] ipf.5
Errors-To: owner-man-jp-reviewer@jp.freebsd.org
Sender: owner-man-jp-reviewer@jp.freebsd.org

 ipf.5 $B$G$9!#(B

.\" WORD: filtering rule	$B%U%#%k%?%k!<%k(B
.\" WORD: semantics		$B%;%^%s%F%#%/%9(B
.\" WORD: inbound		$BFb8~$-(B
.\" WORD: outbound		$B308~$-(B
.\" WORD: forward		$BE>Aw(B
.\" WORD: transmit		$BAw=P(B
.\" WORD: fall-through		$B7QB3(B($B!VDL2a!W$K$9$k$H(Bblock/pass$B$H6hJL$G$-$J$$(B)
.TH IPF 5
.\" jpman %Id: ipf.5,v 0.0 1998/09/08 16:17:42 horikawa Stab %
.SH $BL>>N(B
ipf, ipf.conf \- IP $B%Q%1%C%H%U%#%k%?$N%k!<%kJ8K!(B
.SH $B2r@b(B
.PP
\fBipf\fP $B$N%k!<%k%U%!%$%k$O!"$I$s$JL>A0$G$bNI$/!"I8=`F~NO$G$b$+$^$$$^$;$s!#(B
$B%+!<%M%kFbIt$N%U%#%k%?%j%9%H$rI=<($9$k$H$-!"(B
\fBipfstat\fP $B$O2r<a2DG=$J%k!<%k$r=PNO$7$^$9$N$G!"(B
$B$3$N=PNO$r(B \fBipf\fP $B$X$NF~NO$H$7$F%U%#!<%I%P%C%/$9$k$N$K;H$($^$9!#(B
$B$h$C$F!"F~NO%Q%1%C%H$KBP$9$kA4%U%#%k%?$r=|5n$9$k$?$a$K$O!"<!$N$h$&$K$7$^$9(B:
.nf

\fC# ipfstat \-i | ipf \-rf \-\fP
.fi
.SH $BJ8K!(B
.PP
\fBipf\fP $B$,%U%#%k%?%k!<%k9=C[$K;HMQ$9$k%U%)!<%^%C%H$O!"(B
$B<!$N$h$&$K(B BNF $B$r;H$C$?J8K!$G<($9$3$H$,$G$-$^$9(B:
\fC
.nf
filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
	      [ proto ] [ ip ] [ group ].

insert	= "@" decnumber .
action	= block | "pass" | log | "count" | skip | auth | call .
in-out	= "in" | "out" .
options	= [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] ] .
tos	= "tos" decnumber | "tos" hexnumber .
ttl	= "ttl" decnumber .
proto	= "proto" protocol .
ip	= srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
group	= [ "head" decnumber ] [ "group" decnumber ] .

block	= "block" [ "return-icmp"[return-code] | "return-rst" ] .
auth    = "auth" | "preauth" .
log	= "log" [ "body" ] [ "first" ] [ "or-block" ] .
call	= "call" [ "now" ] function-name .
skip	= "skip" decnumber .
dup	= "dup-to" interface-name[":"ipaddr] .
froute	= "fastroute" | "to" interface-name .
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
srcdst	= "all" | fromto .
fromto	= "from" object "to" object .

object	= addr [ port-comp | port-range ] .
addr	= "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
port-comp = "port" compare port-num .
port-range = "port" port-num range port-num .
flags	= "flags" flag { flag } [ "/" flag { flag } ] .
with	= "with" | "and" .
icmp	= "icmp-type" icmp-type [ "code" decnumber ] .
return-code = "("icmp-code")" .
keep	= "keep" "state" | "keep" "frags" .

nummask	= host-name [ "/" decnumber ] .
host-name = ipaddr | hostname | "any" .
ipaddr	= host-num "." host-num "." host-num "." host-num .
host-num = digit [ digit [ digit ] ] .
port-num = service-name | decnumber .

withopt = [ "not" | "no" ] opttype [ withopt ] .
opttype = "ipopts" | "short" | "frag" | "opt" ipopts  .
optname	= ipopts [ "," optname ] .
ipopts  = optlist | "sec-class" [ secname ] .
secname	= seclvl [ "," secname ] .
seclvl  = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
	  "reserv-4" | "secret" | "topsecret" .
icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
	    "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
	    "inforep" | "maskreq" | "maskrep"  | decnumber .
icmp-code = decnumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
	    "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
	    "net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
optlist	= "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
	  "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" |
	  "addext" | "visa" | "imitd" | "eip" | "finn" .

hexnumber = "0" "x" hexstring .
hexstring = hexdigit [ hexstring ] .
decnumber = digit [ decnumber ] .

compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" |
	  "gt" | "le" | "ge" .
range	= "<>" | "><" .
hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
digit	= "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
flag	= "F" | "S" | "R" | "P" | "A" | "U" .
.fi
.PP
$B$3$NJ8K!$O!"2DFI@-$N$?$a$K$$$/$V$s4JN,2=$7$F$$$^$9!#(B
$B$3$NJ8K!$K%^%C%A$9$kAH$_9g$o$;$K$O!"(B
$B0UL#$r$J$5$J$$$?$a$K%=%U%H%&%'%"$,5v2D$7$J$$$b$N$,$"$j$^$9(B
($BHs(B TCP $B%Q%1%C%H$KBP$9$k(B tcp \fBflags\fP $B$J$I(B)$B!#(B
.SH $B%U%#%k%?%k!<%k(B
.PP
$B!V:GC;!W$+$DM-8z$J%k!<%k$O(B ($B8=:_$N$H$3$m(B) $BL5F0:n$H<!$N7A<0$G$9(B:
.nf
       block in all
       pass in all
       log out all
       count in all
.fi
.PP
$B%U%#%k%?%k!<%k$O=gHVDL$j$K%A%'%C%/$5$l!"(B
$B:G8e$K%^%C%A$7$?%k!<%k$,%Q%1%C%H$N1?L?$r7h$a$^$9(B
($BNc30(B: $B8e=R(B \fBquick\fP $B%*%W%7%g%s$r;2>H(B)$B!#(B
.PP
$B%G%U%)%k%H$G$O!"(B
$B%U%#%k%?$O%+!<%M%k$N%U%#%k%?%j%9%H$N:G8e$K%$%s%9%H!<%k$5$l$^$9!#(B
$B%k!<%k$NA0$K(B \fB@n\fP $B$rIU$1$k$H!"(B
$B8=:_$N%j%9%H$N(B n $BHVL\$N%(%s%H%j$H$7$FA^F~$9$k$h$&$K$J$j$^$9!#(B
$B$3$l$O!"8=:_M-8z$J%U%#%k%?$N%k!<%k%;%C%H$r=$@5$7$?$j%F%9%H$9$k>l9g$KM-MQ$G$9!#(B
$B99$J$k>pJs$O(B ipf(1) $B$r;2>H$7$F$/$@$5$$!#(B
.SH $B%"%/%7%g%s(B
.PP
$B%"%/%7%g%s$O!"(B
$B%U%#%k%?%k!<%k$N;D$j$NItJ,$K%Q%1%C%H$,%^%C%A$9$k>l9g$K!"(B
$B$=$N%Q%1%C%H$r$I$N$h$&$K07$&$N$+$r<($7$^$9!#(B
$B<!$N%"%/%7%g%s$,G'<1$5$l$^$9(B:
.TP
.B block
$B$3$N%Q%1%C%H$r!"%I%m%C%W$9$k$h$&$K0u$rIU$1$k$3$H$r<($7$^$9!#(B
$B%Q%1%C%H$r%V%m%C%/$9$k$3$H$KBP$7!"(B
ICMP $B%Q%1%C%H(B (\fBreturn-icmp\fP) $B$^$?$O(B
TCP $B!V%j%;%C%H!W(B (\fBreturn-rst\fP) $B$N$$$:$l$+$NJVEz%Q%1%C%H$rJV$9$h$&!"(B
$B%U%#%k%?$K;X<($G$-$^$9!#(B
$BG$0U$N(B IP $B%Q%1%C%H$KBP$7$F(B ICMP $B%Q%1%C%H$r@8@.$G$-!"(B
$B$=$N%?%$%W$r;XDj$9$k$3$H$b$G$-$^$9!#(B
TCP $B%j%;%C%H$O!"(BTCP $B%Q%1%C%H$KBP$7$FE,MQ$5$l$k%k!<%k$K$*$$$F$N$_;HMQ$G$-$^$9!#(B
.TP
.B pass
$B$3$N%Q%1%C%H$r!"$=$N$^$^%U%#%k%?$rDL2a$5$;$k$h$&$K0u$rIU$1$^$9!#(B
.TP
.B log
$B$3$N%Q%1%C%H$N%m%0$r<h$j$^$9(B ($B8e=R$N%m%.%s%0@a;2>H(B)$B!#(B
$B%Q%1%C%H$,%U%#%k%?$rDL2a2DG=$+H]$+$K$O!"1F6A$rM?$($^$;$s!#(B
.TP
.B count
$B$3$N%Q%1%C%H$r!"%U%#%k%?$N%"%+%&%s%F%#%s%0E}7W$K4^$a$^$9!#(B
$B%Q%1%C%H$,%U%#%k%?$rDL2a2DG=$+H]$+$K$O!"1F6A$rM?$($^$;$s!#(B
$BE}7W$O(B ipfstat(8) $B$K$F1\Mw2DG=$G$9!#(B
.TP
.B call
$B$3$N%"%/%7%g%s$O;XDj$5$l$?%+!<%M%kFb4X?t$r8F$S=P$9$?$a$K;HMQ$5$l$^$9!#(B
$B%+!<%M%kFb4X?t$O!"FCDj$N8F$S=P$7%$%s%?%U%'!<%9$rK~$9I,MW$,$"$j$^$9!#(B
$B%+%9%?%^%$%:$7$?%"%/%7%g%s$H%;%^%s%F%#%/%9$r<BAu$7!"(B
$BMxMQ2DG=$J%"%/%7%g%s$rJd$&$3$H$,$G$-$^$9!#(B
$BCN<1$,$"$k%O%C%+!<$,;HMQ$9$k5!G=$G$"$j!"8=:_$N$H$3$mJ8=q2=$5$l$F$$$^$;$s!#(B
.TP
.B "skip <n>"
.TP
.B auth
.TP
.B preauth
.PP
$B<!$N8l$O(B \fBin\fP $B$+(B \fBout\fP $B$N$$$:$l$+$G$"$kI,MW$,$"$j$^$9!#(B
$B%+!<%M%kFbIt$rDL2a$9$k%Q%1%C%H$O!"Fb8~$-(B ($B%$%s%?%U%'!<%9$K$F:#<u?.$5$l!"(B
$B%+!<%M%k$N%W%m%H%3%k=hM}It$K8~$C$F0\F0$7$F$$$k(B) $B$+!"(B
$B308~$-(B ($B%9%?%C%/$K$h$jAw=P$^$?$OE>Aw$5$l!"%$%s%?%U%'!<%9$K8~$+$C$F$$$k(B)
$B$+$N$$$:$l$+$G$9!#(B
$B3F%U%#%k%?%k!<%k$,F~=PNO$N$I$A$iB&$KE,MQ$5$l$k$N$+$r!"(B
$BL@<(E*$K<($9I,MW$,$"$j$^$9!#(B
.SH $B%*%W%7%g%s(B
.PP
$B%*%W%7%g%s$N0lMw$OC;$/!";v<B$9$Y$F>JN,2DG=$G$9!#(B
$B%*%W%7%g%s$,;HMQ$5$l$k$H$3$m$G$O!"$3$3$K<($9=g=x$GCV$+$l$kI,MW$,$"$j$^$9!#(B
$B<!$N%*%W%7%g%s$,8=:_%5%]!<%H$5$l$F$$$^$9(B:
.TP
.B log
$B:G8e$K%^%C%A$9$k%k!<%k$N>l9g!"(B
$B%Q%1%C%H%X%C%@$,(B \fBipl\fP $B%m%0$K=q$-9~$^$l$^$9(B ($B8e=R$N%m%.%s%0@a;2>H(B)$B!#(B
.TP
.B quick
$B%U%#%k%?$r9bB.2=$7$?$j8eB3$N%k!<%k$h$j$bM%@h$5$;$k$?$a$K!"(B
$B%k!<%k$N!V%7%g!<%H%+%C%H!W$r5v$7$^$9!#(B
$B%Q%1%C%H$,(B \fBquick\fP $B$N0u$,IU$$$?%U%#%k%?%k!<%k$K%^%C%A$9$k>l9g!"(B
$B$3$N%k!<%k$,:G8e$K%A%'%C%/$5$l$k%k!<%k$K$J$j!"(B
$B!V%7%g!<%H%+%C%H!W%Q%9$K$h$j8eB3$N%k!<%k$,(B
$B$3$N%Q%1%C%H$KBP$7$F=hM}$5$l$J$/$J$j$^$9!#(B
($B8=:_$N%k!<%k$,E,MQ$5$l$?8e$K(B) $B%Q%1%C%H$N8=:_$N>uBV$,!"(B
$B%Q%1%C%H$,DL2a$5$l$k$+%V%m%C%/$5$l$k$+$r7hDj$7$^$9!#(B
.IP
$B$3$N%*%W%7%g%s$,;XDj$5$l$J$$$H!"(B
$B%k!<%k$O!V7QB3(B(fall-through)$B!W%k!<%k$H$5$l$^$9!#(B
$B$D$^$j!"%^%C%A$N7k2L(B ($B%V%m%C%/(B/$BDL2a(B) $B$,J]B8$5$l!"(B
$B99$J$k%^%C%A$,$"$k$+$r$_$k$?$a=hM}$,7QB3$5$l$^$9!#(B
.TP
.B on
$B%^%C%A<jB3$-$K%$%s%?%U%'!<%9L>$rAH$_9~$_$^$9!#(B
$B%$%s%?%U%'!<%9L>$O(B "netstat \-i" $B$GI=<($G$-$^$9!#(B
$B$3$N%*%W%7%g%s$r;HMQ$9$k$H!"(B
$B;XDj$7$?J}8~(B ($BF~=PNO(B) $B$K$3$N%$%s%?%U%'!<%9$rDL2a$9$k%Q%1%C%H$KBP$7$F$N$_!"(B
$B$3$N%k!<%k$,%^%C%A$7$^$9!#(B
$B$3$N%*%W%7%g%s$,;XDj$5$l$J$$$H!"(B
$B%k!<%k$O$3$N%Q%1%C%H$,CV$+$l$?%$%s%?%U%'!<%9$K0MB8$;$:$K(B
($B$9$J$o$AA4%$%s%?%U%'!<%9$K(B) $BE,MQ$5$l$^$9!#(B
$B%U%#%k%?%k!<%k%;%C%H$OA4%$%s%?%U%'!<%9$K6&DL$G$"$j!"(B
$B3F%$%s%?%U%'!<%9$KBP$7$F%U%#%k%?%j%9%H$r;}$D$N$G$O$"$j$^$;$s!#(B
.IP
$B$3$N%*%W%7%g%s$OFC$K!"C1=c$J(B IP $B:>>N(B (IP spoofing) $B$KBP$9$kKI8f$H$7$FM-MQ$G$9(B:
$B;XDj$7$?%$%s%?%U%'!<%9>e$G!"(B
$B;XDj$7$?Aw?.85%"%I%l%9$G$"$k$H$5$l$kF~NO%Q%1%C%H$N$_$rDL$7!"(B
$BB>$N%Q%1%C%H$r%m%0$7$?$j%I%m%C%W$9$k$3$H$,$G$-$^$9!#(B
.TP
.B dup-to
$B%Q%1%C%H$r%3%T!<$7!"(B
$BJ#<L$7$?%Q%1%C%H$r;XDj$7$?%$%s%?%U%'!<%9$KBP$7$F308~$-$KAw$j$^$9!#(B
$B$^$?!"08@h(B IP $B%"%I%l%9$r;XDj$7$F!"JQ99$9$k$3$H$,$G$-$^$9!#(B
$B%M%C%H%o!<%/%9%K%U%!$r;HMQ$7$F!"%[%9%H30$G%m%0$9$k$?$a$KM-MQ$G$9!#(B
.TP
.B to
$B;XDj$7$?%$%s%?%U%'!<%9$K$*$$$F!"%Q%1%C%H$r308~$-%-%e!<$K0\F0$5$;$^$9!#(B
$B%+!<%M%k$N%k!<%F%#%s%0$r2sHr$9$k$?$a$K;HMQ$G$-!"(B
$B%Q%1%C%H$KBP$9$k;D$j$N%+!<%M%k=hM}$r%P%$%Q%9$9$k$?$a$K$b;HMQ$G$-$^$9(B
($BFb8~$-%k!<%k$KE,MQ$5$l$?>l9g(B)$B!#(B
$B$h$C$F!"%k!<%?$G$O$J$/!"%U%#%k%?%j%s%0%O%V$d%9%$%C%A$N$h$&$K!"(B
$BF)2aE*$KF0:n$9$k%U%!%$%"%&%)!<%k$r9=C[$9$k$3$H$,$G$-$^$9!#(B
\fBfastroute\fP $B%-!<%o!<%I$O!"$3$N%*%W%7%g%s$NF15A8l$G$9!#(B
.SH $B%^%C%A%s%0%Q%i%a!<%?(B
.PP 
$B$3$N@a$K5-:\$5$l$F$$$k%-!<%o!<%I$O!"%k!<%k$,%^%C%A$9$k$+H]$+$r7hDj$9$k$H$-$K!"(B
$B%Q%1%C%H$N$I$NB0@-$r;HMQ$9$k$N$+$r5-=R$9$k$?$a$K;HMQ$5$l$^$9!#(B
$B0J2<$NHFMQB0@-$,%^%C%A%s%0$K;HMQ$G$-!"$3$N=g=x$G;HMQ$9$kI,MW$,$"$j$^$9(B:
.TP
.B tos
$B0[$J$k%5!<%S%97?(B (Type-Of-Service) $BCM$r;}$D%Q%1%C%H$r%U%#%k%?$G$-$^$9!#(B
$B$3$N>e!"8D!9$N%5!<%S%9%l%Y%k$dAH$_9g$o$;$G%U%#%k%?$G$-$^$9!#(B
TOS $B%^%9%/$KBP$9$kCM$O!"(B16 $B?J?t$^$?$O(B 10 $B?J?t$N@0?t$GI=8=$5$l$^$9!#(B
.TP
.B ttl
$B%Q%1%C%H$r@8B8;~4V(B (Time-To-Live) $BCM$GA*Br$9$k$3$H$b$G$-$^$9!#(B
$B%U%#%k%?%k!<%k$GM?$($i$l$kCM$O!"(B
$B%^%C%A$,9T$o$l$k%Q%1%C%H$NCM$H87L)$K%^%C%A$9$kI,MW$,$"$j$^$9!#(B
$B$3$NCM$O!"(B10 $B?J?t$N@0?t$G$N$_M?$($k$3$H$,$G$-$^$9!#(B
.TP
.B proto
$BFCDj$N%W%m%H%3%k$KBP$7$F%^%C%A$9$k$3$H$,$G$-$^$9!#(B
\fB/etc/protocols\fP $BCf$NA4%W%m%H%3%kL>$,G'<1$5$l$^$9$7!";HMQ2DG=$G$9!#(B
$B$^$?!"%W%m%H%3%k$r(B 10 $B?J?t$G;XDj$9$k$3$H$b$G$-$^$9!#(B
$B$3$l$K$h$j!"$"$J$?FH<+$N%W%m%H%3%k$d(B
$B?7$7$$%W%m%H%3%k$G$"$k$?$a%j%9%H$,8E$/$F7G:\$5$l$F$$$J$$$b$N$KBP$7!"(B
$B%^%C%A$9$k%k!<%k$r:n@.$G$-$^$9!#(B
.IP
TCP $B$^$?$O(B UDP $B%Q%1%C%H$K%^%C%A$9$k!"(B
$BFC<l$J%W%m%H%3%k%-!<%o!<%I(B \fBtcp/udp\fP $B$r;HMQ$9$k$3$H$,$G$-$^$9!#(B
$B$3$N%-!<%o!<%I$O!"(B
$BF1$8%k!<%k$r$$$/$D$b=q$+$J$/$F$b$h$$$h$&$K$9$k$?$a!"DI2C$5$l$^$7$?!#(B
.\" XXX grammar should reflect this (/etc/protocols)
.PP
\fBfrom\fP $B$H(B \fBto\fP $B$N%-!<%o!<%I$O!"(B
IP $B%"%I%l%9(B ($B$*$h$S>JN,2DG=$J%]!<%HHV9f(B) $B$H%^%C%A$5$;$k$?$a$K;HMQ$5$l$^$9!#(B
$BAw?.85$HAw?.@h$N!VN>J}$N!W%Q%i%a!<%?$r;XDj$9$kI,MW$,$"$j$^$9!#(B
.PP 
IP $B%"%I%l%9$N;XDjJ}K!$O!"<!$N(B 2 $B$D$N$&$A$N$$$:$l$+$G$9(B:
$B?tCM$K$h$k%"%I%l%9(B\fB/\fP$B%^%9%/$^$?$O!"%[%9%HL>(B \fBmask\fP $B%M%C%H%^%9%/!#(B
$B%[%9%HL>$O!"(Bhosts $B%U%!%$%k$^$?$O(B DNS $BCf(B ($B@_Dj$d%i%$%V%i%j$K0MB8$7$^$9(B)
$B$NM-8z$J%[%9%HL>$+!"%I%C%HIU$-?tCM7A<0$G$9!#(B
$B%M%C%H%o!<%/$KBP$9$kFC<l$JAw?.@h$O$"$j$^$;$s$,!"%M%C%H%o!<%/L>$OG'<1$5$l$^$9!#(B
$B%U%#%k%?%k!<%k$r(B DNS $B$K0MB8$5$;$k$H967b$NM>CO$rF3F~$7$F$7$^$&$N$G!"(B
$B4+$a$i$l$^$;$s!#(B
.PP
$B%[%9%HL>$K$OFC<l$J(B \fBany\fP $B$,5v$5$l!"(B0.0.0.0/0 $B$HG'<1$5$l$^$9(B
($B8e=R$N%^%9%/=q<0;2>H(B)$B!#$3$l$OA4(B IP $B%"%I%l%9$K%^%C%A$7$^$9!#(B
"any" $B$@$1$,%^%9%/$r0EL[E*$K;XDj$7$^$9$N$G!"(B
$BB>$N>u67$G$O!"%[%9%HL>$O%^%9%/$H$H$b$K;XDj$9$kI,MW$,$"$j$^$9!#(B
$B%[%9%H$H%^%9%/$KBP$7$F(B "any" $B$r;XDj$G$-$k$b$N$N!"(B
$B$3$N8@8l$K$*$$$F$O!"0UL#$r;}$?$J$/$J$j$^$9!#(B
.PP
$B?tCM%U%)!<%^%C%H(B "x\fB/\fPy" $B$O!"(B
1 $B$N%S%C%H$,(B MSB $B$+$i3+;O$7$F(B y $B8DO"B3$9$k%^%9%/$N@8@.$r<($7$^$9!#(B
$B$h$C$F!"(By $B$NCM$,(B 16 $B$G$"$k>l9g$K$O!"(B0xffff0000 $B$K$J$j$^$9!#(B
$B%7%s%\%j%C%/$J(B "x \fBmask\fP y" $B$O!"(B
$B%^%9%/(B y $B$,%I%C%HIU$-(B IP $BI=8=!"(B
$B$^$?$O(B 0x12345678 $B$N7A<0$N(B 16 $B?J?t$G$"$k$3$H$r<($7$^$9!#(B
$B%S%C%H%^%9%/$,<($9(B IP $B%"%I%l%9$NA4%S%C%H$H!"(B
$B%Q%1%C%H$N%"%I%l%9$H$,!"87L)$K%^%C%A$9$kI,MW$,$"$j$^$9(B;
$B8=:_!"%^%C%A$N0UL#$rH?E>$9$kJ}K!$O$"$j$^$;$s$7!"(B
$B%S%C%H%^%9%/$K$FMF0W$KI=8=2DG=$G$O$J$$(B
IP $B%"%I%l%9HO0O$K%^%C%A$5$;$kJ}K!$b$"$j$^$;$s(B
($B$?$H$($k$J$i!"$3$3$^$G<B8=$9$k$H!"$b$O$dD+?)$H$O8@$($J$$$G$9$M(B)$B!#(B
.PP
$BAw?.85$HAw?.@h$N$I$A$i$+$^$?$ON><T$K(B \fBport\fP $B%^%C%A$r4^$`>l9g!"(B
TCP $B$H(B UDP $B$N%Q%1%C%H$KBP$7$F$N$_E,MQ$5$l$^$9!#(B
.\" XXX - "may only be" ? how does this apply to other protocols? will it not match, or will it be ignored?
\fBproto\fP $B%^%C%A%Q%i%a!<%?$,L5$$>l9g!"(B
$B$I$A$i$N%W%m%H%3%k$N%Q%1%C%H$bHf3S$5$l$^$9!#(B
$B$3$l$O!"(B"proto tcp/udp" $B$HEy2A$G$9!#(B
\fBport\fP $B$NHf3S$r9T$&$H$-$K$O!"(B
$B%5!<%S%9L>$*$h$S?tCM$N%]!<%HHV9f$N$I$A$i$G$b;HMQ$G$-$^$9!#(B
$B%]!<%H$NHf3S$r9T$&:]!"?tCM7A<0$rHf3S1i;;;R$H$H$b$K;HMQ$7$?$j!"(B
$B%]!<%HHO0O$r;XDj$7$?$j$G$-$^$9!#(B
$B%]!<%H$,(B \fBfrom\fP $B%*%V%8%'%/%H$N0lIt$H$7$FEP>l$9$k>l9g!"(B
$BAw?.85%]!<%HHV9f$K%^%C%A$7$^$9!#(B
$B%]!<%H$,(B \fBto\fP $B%*%V%8%'%/%H$N0lIt$H$7$FEP>l$9$k>l9g!"(B
$BAw?.@h%]!<%HHV9f$K%^%C%A$7$^$9!#(B
$B99$J$k>pJs$O;HMQNc$r;2>H$7$F$/$@$5$$!#(B
.PP
\fBall\fP $B%-!<%o!<%I$O!"K\<AE*$K!"(B
$BB>$N%^%C%A%Q%i%a!<%?$rH<$o$J$$(B "from any to any" $B$NF15A8l$G$9!#(B
.PP
$BAw?.85$*$h$SAw?.@h$N%^%C%A%Q%i%a!<%?$N8e$K!"<!$NDI2C$N%Q%i%a!<%?$r;HMQ2DG=$G$9(B:
.TP
.B with
$B$"$k<o$N%Q%1%C%H$N$_$,;}$DFC<l$JB0@-$K%^%C%A$9$k>l9g$K;HMQ$7$^$9!#(B
$B0lHL$K!"(BIP $B%*%W%7%g%s$,B8:_$9$k>l9g$K%^%C%A$5$;$k$K$O!"(B\fBwith ipopts\fP
$B$r;HMQ$7$^$9!#(B
$B40A4$J%X%C%@$r3JG<$9$k$K$OC;$+$9$.$k%Q%1%C%H$K%^%C%A$5$;$k$K$O!"(B
\fBwith short\fP $B$r;HMQ$7$^$9!#(B
$BCGJR2=$5$l$?%Q%1%C%H$K%^%C%A$5$;$k$?$a$K$O!"(B\fBwith frag\fP $B$r;HMQ$7$^$9!#(B
$B99$K!"(BIP $B%*%W%7%g%s8GM-$N%U%#%k%?%j%s%0$K4X$7$F$O!"(B
$B3F%*%W%7%g%s$rNs5s2DG=$G$9!#(B
.IP
\fBwith\fP $B%-!<%o!<%I$N8e$K%Q%i%a!<%?$rB3$1$kA0$K!"(B
$B8l(B \fBnot\fP $B$^$?$O(B \fBno\fP $B$rA^F~$7!"(B
$B%*%W%7%g%s$,B8:_$7$J$$>l9g$K$N$_%U%#%k%?%k!<%k$,%^%C%A$9$k$h$&$K$G$-$^$9!#(B
.IP
\fBwith\fP $B@a$rO"B3$7$F5-=R$9$k$3$H$,5v$5$l$^$9!#(B
$B$^$?!"%-!<%o!<%I(B \fBand\fP $B$r!"(B\fBwith\fP $B$NBe$j$K;HMQ$9$k$3$H$,$G$-$^$9!#(B
$B$3$l$O!"=c?h$K2DFI@-8~>e$N$?$a$G$9(B ("with ... and ...")$B!#(B
$BJ#?t$N@a$rNs5s$7$?$H$-!"$9$Y$F$,%^%C%A$9$k$H$-$K!"%k!<%k$,%^%C%A$7$^$9!#(B
.\" XXX describe the options more specifically in a separate section
.TP
.B flags
TCP $B%U%#%k%?%j%s%0$K$*$$$F$N$_M-8z$G$9!#(B
$B;HMQ2DG=$J%l%?!<$O!"(BTCP $B%X%C%@$K$F@_Dj2DG=$J%U%i%0$N(B 1 $B$D$rI=8=$7$^$9!#(B
$B4XO"$O<!$NDL$j$G$9(B:
.LP
.nf
        F - FIN
        S - SYN
        R - RST
        P - PUSH
        A - ACK
        U - URG
.fi
.IP
$BMM!9$J%U%i%0%7%s%\%k$rAH$_9g$o$;$F;HMQ$G$-$^$9$N$G!"(B
"SA" $B$O%Q%1%C%HCf$N(B SYN-ACK $B$NAH$_9g$o$;$rI=8=$7$^$9!#(B
"SFR" $B$J$I$NAH$_9g$o$;$N;XDj$r@)8B$9$k$b$N$O$"$j$^$;$s!#(B
$B$3$NAH$_9g$o$;$O!"5,B'$r<i$C$F$$$k(B TCP $B<BAu$G$ODL>o@8@.$5$l$^$;$s!#(B
$B$7$+$7$J$,$i!"0[>o$rHr$1$k$?$a$K!"(B
$B$I$N%U%i%0$KBP$7$F%U%#%k%?%j%s%0$7$F$$$k$N$+$r<($9I,MW$,$"$j$^$9!#(B
$B$3$N$?$a$K!"$I$N(B TCP $B%U%i%0$rHf3S$9$k$N$+(B
($B$9$J$o$A!"$I$N%U%i%0$r=EMW$H9M$($k$+(B) $B$r<($9%^%9%/$r;XDj$G$-$^$9!#(B
$B$3$l$O!"%^%C%ABP>]$N(B TCP $B%U%i%0=89g$N8e$K!"(B"/<flags>" $B$rIU$1$k$3$H$G(B
$B<B8=$G$-$^$9!#(B
$BNc$($P(B:
.LP
.nf
	... flags S
			# "flags S/AUPRFS" $B$K$J$j!"(BSYN $B%U%i%0!V$N$_!W(B
			# $B$,@_Dj$5$l$F$$$k%Q%1%C%H$K%^%C%A$7$^$9!#(B

	... flags SA
			# "flags SA/AUPRFS" $B$K$J$j!"(BSYN $B$*$h$S(B ACK $B$N%U%i%0(B
			# $B$N$_$,@_Dj$5$l$F$$$k%Q%1%C%H$K%^%C%A$7$^$9!#(B

	... flags S/SA
			# SYN-ACK $B$NAH$N$&$A!"(BSYN $B%U%i%0$N$_$,@_Dj$5$l$F$$$k(B
			# $B%Q%1%C%H$K$N$_%^%C%A$7$^$9!#$3$l$O6&DL$N!V3NN)!W(B
			# $B%-!<%o!<%IF0:n$G$9!#(B"S/SA" $B$O(B SYN $B$H(B ACK $B$NAH$N(B
			# $B!VN>J}!W$,@_Dj$5$l$F$$$k$b$N$K$O%^%C%A!V$7$^$;$s!W(B
			# $B$,!"(B"SFP" $B$K$O%^%C%A!V$7$^$9!W!#(B
.fi
.TP
.B icmp-type
\fBproto icmp\fP $B$H$H$b$K;HMQ$7$?>l9g$K$N$_M-8z$G$"$j!"(B
\fBflags\fP $B$H$H$b$K;HMQ$7$F$O!V$J$j$^$;$s!W!#(B
$BB?$/$N%?%$%W$,$"$j!"$3$N8@8l$GG'<1$5$l$kC;=L7A$d!"(B
$B$3$l$K4XO"IU$1$i$l$??tCM$G;XDj$G$-$^$9!#(B
$B%;%-%e%j%F%#$N4QE@$K$*$1$k:G=EMW;v9`$O(B ICMP $B%j%@%$%l%/%H$G$9!#(B
.SH $BMzNrJ]B8(B
.PP
$B%U%#%k%?%k!<%k$K@_Dj2DG=$J!":G8e$+$i(B 2 $BHVL\$N%Q%i%a!<%?$O!"(B
$B%Q%1%C%H$NMzNr>pJs$r5-O?$9$k$+H]$+!"$*$h$S$I$N$h$&$JMzNr$rJ]B8$9$k$+$G$9!#(B
$B0J2<$N>pJs$rJ]B8$G$-$^$9(B:
.TP
.B state
$BDL?.%;%C%7%g%s$N%U%m!<>pJs$rJ]B8$7$^$9!#(B
TCP, UDP, ICMP $B$N3F%Q%1%C%H$K4X$7$F>uBV$,J]B8$5$l$^$9!#(B
.TP
.B frags
$BCGJR2=$5$l$?%Q%1%C%H$N>pJs$rJ]B8$7$^$9!#(B
$B$3$N>pJs$O!"8e$KCGJR2=$9$k:]$K;HMQ$7$^$9!#(B
.PP
$B$3$l$i$K%^%C%A$9$k%Q%1%C%H$OAGDL$7$7!"%"%/%;%9@)8f%j%9%H$rDL$7$^$;$s!#(B
.SH $B%0%k!<%W(B
$B%Q%i%a!<%?$N:G8e$NAH$O%U%#%k%?%k!<%k$N!V%0%k!<%T%s%0!W$r@)8f$7$^$9!#(B
$BB>$N%0%k!<%W$,;XDj$5$l$J$$8B$j!"(B
$B%G%U%)%k%H$G$O!"A4%U%#%k%?%k!<%k$O%0%k!<%W(B 0 $B$KCV$+$l$^$9!#(B
$BHs%G%U%)%k%H$N%0%k!<%W$K%k!<%k$rDI2C$9$k$K$O!"(B
$B%0%k!<%W$N!VF,(B (head)$B!W$r:n@.$9$k$H$3$m$+$i!"%0%k!<%W$r3+;O$7$^$9!#(B
$B%Q%1%C%H$,%0%k!<%W$N!VF,!W$N%k!<%k$K%^%C%A$9$k>l9g!"(B
$B$=$N%k!<%k$r$=$N%0%k!<%W$N%G%U%)%k%H$H$7$F;HMQ$7$^$9!#(B
\fBquick\fP $B$r(B \fBhead\fP $B%k!<%k$H$H$b$K;HMQ$9$k>l9g!"(B
$B%0%k!<%W=hM}$+$iLa$k$^$G$O!"%k!<%k=hM}$ODd;_$7$^$;$s!#(B
.PP
$B$"$k%k!<%k$O!"?75,%0%k!<%W$NF,$G$"$j$+$D!"(B
$BHs%G%U%)%k%H%0%k!<%W$N%a%s%P$G$"$k$3$H$,2DG=$G$9(B
(\fBhead\fP $B$H(B \fBgroup\fP $B$rF10l%k!<%kFb$GF1;~$K;HMQ2DG=$G$9(B)$B!#(B
.TP
.B "head <n>"
$B?75,%0%k!<%W(B ($BHV9f(B n) $B$r:n@.$9$k$3$H$r<($7$^$9!#(B
.TP
.B "group <n>"
$B$3$N%k!<%k$r!"%0%k!<%W(B 0 $B$G$O$J$/!"%0%k!<%W(B ($BHV9f(B n) $B$KCV$/$3$H$r<($7$^$9!#(B
.SH $B%m%.%s%0(B
.PP
\fBlog\fP $B%"%/%7%g%s$^$?$O%*%W%7%g%s$K$F!"%Q%1%C%H$N%m%0$r9T$&$H$-!"(B
$B%Q%1%C%H$N%X%C%@$,(B \fBipl\fP $B%Q%1%C%H%m%.%s%05<;w%G%P%$%9$K=q$-9~$^$l$^$9!#(B
\fBlog\fP $B%-!<%o!<%I$ND>8e$K!"<!$N=$>~8l6g$r(B ($B$3$N=g=x$G(B) $B;HMQ$G$-$^$9(B:
.TP
.B body
$B%Q%1%C%H$NFbMF$N:G=i$N(B 128 $B%P%$%H$r!"%X%C%@$N8e$G%m%0$9$k$3$H$r<($7$^$9!#(B
.TP
.B first
??
.TP
.B or-block
$B$J$s$i$+$NM}M3$G%U%#%k%?$,%m%0$r<h$l$J$$>l9g(B
($B%m%0FI$_<h$j$,Hs>o$KCY$$>l9g$J$I(B)$B!"(B
$B$3$N%Q%1%C%H$KBP$9$k$3$N%k!<%k$N%"%/%7%g%s$,(B \fBblock\fP $B$G$"$C$?$H2r<a(B
$B$5$;$^$9!#(B
.PP
$B$3$N%G%P%$%9$K=q$-9~$^$l$k%l%3!<%I$N%U%)!<%^%C%H$K$D$$$F$O(B
ipl(4) $B$r;2>H$7$F$/$@$5$$!#(B
.SH $B;HMQNc(B
.PP
\fBquick\fP $B%*%W%7%g%s$O<!$N$h$&$J%k!<%k$KBP$7$FET9g$,NI$$$G$9(B:
\fC
.nf
block in quick from any to any with ipopts
.fi
.PP
$B$3$l$O!"(B
$BI8=`E*$JD9$5$G$O$J$$%X%C%@$r;}$D(B (IP $B%*%W%7%g%s$r;}$D(B) $B%Q%1%C%H$K%^%C%A$7!"(B
$B$3$N@h$N%k!<%k=hM}$r9T$o$:$K!"(B
$B%^%C%A$,H/@8$7$?$3$H$H%Q%1%C%H$r%V%m%C%/$9$Y$-$3$H$r5-O?$7$^$9!#(B
.PP
$B<!$N$h$&$J!V7QB3!W%k!<%k$N2r<a$K$h$j(B:
.LP
.nf
        block in from any to any port < 6000
        pass in from any to any port >= 6000
        block in from any to port > 6003
.fi
.PP
$BHO0O(B 6000-6003 $B$,5v$5$l!"B>$O5v$5$J$$$h$&$K@_Dj$G$-$^$9!#(B
$B:G=i$N%k!<%k$N8z2L$h$j$b!"8eB3%k!<%k$,M%@h$9$k$3$H$KCm0U$7$F$/$@$5$$!#(B
$BF1$8$3$H$r9T$&!"B>$N(B ($BMF0W$J(B) $BJ}K!$O<!$NDL$j$G$9(B:
.LP
.nf
        block in from any to any port 6000 <> 6003
        pass in from any to any port 5999 >< 6004
.fi
.PP
$B8z2L$r;}$?$;$k$?$a$K$O!"(B
"block" $B$*$h$S(B "pass" $B$NN>J}$r$3$3$K=q$/I,MW$,$"$j$^$9!#(B
$B$J$<$J$i!"(B"block" $B%"%/%7%g%s$K%^%C%A$7$J$$$3$H$,DL2a$r0UL#$9$k$o$1$G$O$J$/!"(B
$B%k!<%k$,8z2L$r;}$?$J$$$3$H$r0UL#$9$k$@$1$@$+$i$G$9!#(B
$B%]!<%H$,(B1024$BL$K~$N$b$N$r5v$9$K$O!"<!$N$h$&$J%k!<%k$r;HMQ$7$^$9(B:
.LP
.nf
        pass in quick from any to any port < 1024
.fi
.PP
$B$3$l$O!":G=i$N%V%m%C%/$NA0$KCV$/I,MW$,$"$j$^$9!#(B
le0/le1/lo0 $B$+$i$N$9$Y$F$NFb8~$-%Q%1%C%H$r=hM}$7!"(B
$B%G%U%)%k%H$G$OFb8~$-$NA4%Q%1%C%H$r%V%m%C%/$9$k(B
$B?75,%0%k!<%W$r:n@.$9$k$K$O!"<!$N$h$&$K$7$^$9(B:
.LP
.nf
       block in all
       block in on le0 quick all head 100
       block in on le1 quick all head 200
       block in on lo0 quick all head 300
.fi
.PP

$B$=$7$F!"(Ble0 $B$G(B ICMP $B%Q%1%C%H$N$_$r5v$9$K$O!"<!$N$h$&$K$7$^$9(B:
.LP
.nf
       pass in proto icmp all group 100
.fi
.PP
le0 $B$+$i$NFb8~$-%Q%1%C%H$N$_$,%0%k!<%W(B 100 $B$G=hM}$5$l$^$9$N$G!"(B
$B%$%s%?%U%'!<%9L>$r;XDj$9$kI,MW$,$J$$$3$H$KCm0U$7$F$/$@$5$$!#(B
$BF1MM$K!"<!$N$h$&$K(B TCP $B$J$I$N=hM}$rJ,2r$G$-$^$9(B:
.LP
.nf
       block in proto tcp all head 110 group 100
       pass in from any to any port = 23 group 110
.fi
.PP
$B:G=*9T$r!"%0%k!<%W$r;HMQ$;$:$K5-=R$9$k$H!"<!$N$h$&$K$J$j$^$9(B:
.LP
.nf
       pass in on le0 proto tcp from any to any port = telnet
.fi
.PP
"port = telnet" $B$H5-=R$7$?$$>l9g$K$O!"(B"proto tcp" $B$r;XDj$9$kI,MW$,$"$k$3$H$K(B
$BCm0U$7$F$/$@$5$$!#(B
$B$J$<$J$i!"(B
$B%Q!<%6$O<+8J$K4p$E$$$F%k!<%k$r2r<a$7!"(B
$B;XDj$5$l$?%W%m%H%3%k$K$h$C$FA4%5!<%S%9(B/$B%]!<%HL>$r=$>~$9$k$+$i$G$9!#(B
.SH $B4XO"%U%!%$%k(B
/dev/ipauth
.br
/dev/ipl
.br
/dev/ipstate
.br
/etc/hosts
.br
/etc/services
.SH $B4XO"9`L\(B
ipftest(1), iptest(1), mkfilters(1), ipf(4), ipnat(5), ipf(8), ipfstat(8)
