From owner-man-jp-reviewer@jp.freebsd.org  Tue Mar  2 19:36:42 1999
Received: (from daemon@localhost)
	by jaz.jp.freebsd.org (8.9.2+3.1W/8.7.3) id TAA02934;
	Tue, 2 Mar 1999 19:36:42 +0900 (JST)
	(envelope-from owner-man-jp-reviewer@jp.FreeBSD.org)
Received: from mail.wbs.ne.jp (mail.wbs.ne.jp [202.219.61.62])
	by jaz.jp.freebsd.org (8.9.2+3.1W/8.7.3) with ESMTP id TAA02927
	for <man-jp-reviewer@jp.freebsd.org>; Tue, 2 Mar 1999 19:36:40 +0900 (JST)
	(envelope-from iss@mail.wbs.ne.jp)
Received: from valkyrie.home (ppph207.wbs.ne.jp [202.219.55.207]) by mail.wbs.ne.jp (8.8.8+2.7Wbeta7/3.7W-1998101501) with ESMTP id TAA13105 for <man-jp-reviewer@jp.freebsd.org>; Tue, 2 Mar 1999 19:36:33 +0900 (JST)
Message-Id: <199903021036.TAA13105@mail.wbs.ne.jp>
Date: Tue, 2 Mar 1999 19:37:25 +0900 (JST)
To: man-jp-reviewer@jp.freebsd.org
From: iss@mail.wbs.ne.jp (HIRAYAMA Issei)
X-Mailer: mnews [version 1.21] 1997-12/23(Tue)
Reply-To: man-jp-reviewer@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+981115
X-Sequence: man-jp-reviewer 1099
Subject: [man-jp-reviewer 1099] ipfirewall.4
Errors-To: owner-man-jp-reviewer@jp.freebsd.org
Sender: owner-man-jp-reviewer@jp.freebsd.org
X-Originator: iss@mail.wbs.ne.jp

$BJ?;3$G$9!#(B
ipfirewall.4 $B$N=iLu$G$9!#$h$m$7$/$*4j$$$7$^$9!#(B

------------------------------------------------------------------------
.\"
.\"     $Id: ipfirewall.4,v 1.12 1997/09/29 10:10:15 wosch Exp $
.\" jpman %Id: ipfirewall.4,v 0.0 1999/02/22 16:13:39 horikawa Stab %
.\"
.Dd June 22, 1997
.Dt IPFIREWALL 4
.Os
.Sh $BL>>N(B
.Nm ipfirewall
.Nd IP $B%Q%1%C%H%U%#%k%?$*$h$S%H%i%U%#%C%/B,Dj(B
.Sh $B=q<0(B
.Fd #include <sys/types.h>
.Fd #include <sys/queue.h>
.Fd #include <netinet/in.h>
.Fd #include <netinet/ip_fw.h>
.Ft int
.Fn setsockopt raw_socket IPPROTO_IP "ipfw option" "struct ipfw" size
.Sh $B2r@b(B
ipfirewall ($BJLL>(B ipfw) $B$O%7%9%F%`$N%$%s%?%U%'!<%94V$rDL2a$9$k(B IP $B%Q%1%C%H$K(B
$BBP$7$F%U%#%k%?%j%s%0$d%j%@%$%l%/%H$J$I$N=hM}$r9T$&%7%9%F%`$N5!G=$G$9!#(B
$B%Q%1%C%H$OE,9g$9$k$b$N$,8+$D$+$k$^$G%Q%?!<%s%k!<%k$N%j%9%H$H>H$i$79g$o$5$l(B
$B$^$9!#E,9g$9$k%k!<%k$,8+$D$+$C$?;~E@$G$=$l$KBP1~$9$k%"%/%7%g%s$r<B9T$7$^$9!#(B
$B%k!<%k$O(B 1 $B$+$i(B 65534 $B$^$G$NHV9f$r?6$i$l!"(B
$BJ#?t$N%k!<%k$,F1$8HV9f$r6&M-$9$k$3$H$b2DG=$G$9!#(B
.Pp
$BM#0lI,$:B8:_$9$k%k!<%k$H$7$F%k!<%kHV9f(B 65535 $B$,$"$j$^$9!#(B
$B$3$N%k!<%k$ODL>o$OA4$F$N%Q%1%C%H$rGK4~$7$^$9!#(B
$B$7$?$,$C$F!"$3$l$h$j>.$5$JHV9f$N%k!<%k$KE,9g$7$J$+$C$?%Q%1%C%H$O$9$Y$F(B
$BGK4~$5$l$^$9!#(B
$B$7$+$7!"%+!<%M%k$r%3%s%Q%$%k$9$k;~$N%*%W%7%g%s$G(B
.Dq IPFIREWALL_DEFAULT_TO_ACCEPT
$B$r;XDj$9$k$H4IM}<T$O$9$Y$F(B ($B$N%Q%1%C%H$NDL2a$r(B) $B5v2D$9$k$h$&$K(B
$B$3$N8GDj%k!<%k$rJQ99$9$k$3$H$,$G$-$^$9!#(B
.Pp
.Fn setsockopt
$B$XEO$5$l$kCM$O%k!<%k$r5-=R$7$F$$$k(B ip_fw $B9=B$BN(B ($B2<5-;2>H(B) $B$G$9!#(B
(IP_FW_DEL $B$N$h$&$J(B) $B$$$/$D$+$N%1!<%9$G$O%k!<%kHV9f$N$_$,=EMW$K$J$j$^$9!#(B
.Sh $B%3%^%s%I(B
$B%k!<%k%j%9%H$r07$&$?$a$K<!$N%=%1%C%H%*%W%7%g%s$r;H$$$^$9(B:
.Pp
IP_FW_ADD $B%k!<%k%j%9%H$K%k!<%k$rA^F~$7$^$9!#(B
.Pp
IP_FW_DEL $BE,9g$9$k%k!<%kHV9f$r;}$D%k!<%k$r$9$Y$F:o=|$7$^$9!#(B
.Pp
IP_FW_GET $BE,9g$9$k%k!<%kHV9f$N(B ($B:G=i$N(B) $B%k!<%k$rJV$7$^$9!#(B
.Pp
IP_FW_ZERO $BE,9g$9$k%k!<%kHV9f$r;}$DA4$F$N%k!<%k$K4X$9$kE}7W$r%<%m$K$7$^$9!#(B
$B%k!<%kHV9f$,%<%m$N>l9g$K$OA4$F$N%k!<%k$r%<%m$K$7$^$9!#(B
.Pp
IP_FW_FLUSH (65535 $B$r=|$/(B) $B$9$Y$F$N%k!<%k$r>C5n$7$^$9!#(B
.Pp
$B%+!<%M%k$N%;%-%e%j%F%#%l%Y%k$,(B 2 $B0J>e$N>l9g$O(B IP_FW_GET $B$N$_$,5v2D$5$l$^$9!#(B
.Sh $B%k!<%k9=B$BN(B
$B%k!<%k$O<!$N9=B$BN$G5-=R$5$l$F$$$^$9(B:
.Bd -literal
/* Specify an interface, either by IP address or by name plus unit.
 * Which member a rule uses is selected by the IP_FW_F_IIFNAME /
 * IP_FW_F_OIFNAME bits of its flags word (see the flag list below). */
union ip_fw_if {
    struct in_addr fu_via_ip;   /* Specified by IP address */
    struct {                    /* Specified by interface name */
#define FW_IFNLEN       6       /* To keep structure on 2^x boundary */
            char  name[FW_IFNLEN];  /* NOTE(review): nothing here guarantees a
                                     * terminating NUL when all FW_IFNLEN bytes
                                     * are used - bound any read by FW_IFNLEN */
            short unit;         /* -1 means match any unit */
    } fu_via_if;
};

/* One ipfw rule.  This is the object handed to setsockopt() with the
 * IP_FW_* options; for some of them (e.g. IP_FW_DEL) only fw_number
 * is significant. */
struct ip_fw {
    u_long fw_pcnt,fw_bcnt;         /* Packet and byte counters */
    struct in_addr fw_src, fw_dst;  /* Source and destination IP addr */
    struct in_addr fw_smsk, fw_dmsk;/* Mask for src and dest IP addr */
    u_short fw_number;              /* Rule number */
    u_short fw_flg;                 /* Flags word (IP_FW_F_* below) */
#define IP_FW_MAX_PORTS 10          /* A reasonable maximum */
    u_short fw_pts[IP_FW_MAX_PORTS];/* Array of port numbers to match */
    u_char fw_ipopt,fw_ipnopt;      /* IP options set/unset */
    u_char fw_tcpf,fw_tcpnf;        /* TCP flags set/unset */
#define IP_FW_ICMPTYPES_DIM (256 / (sizeof(unsigned) * 8))
    unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap; only
                                     * meaningful when IP_FW_F_ICMPBIT is set */
    long timestamp;                 /* timestamp (tv_sec) of last match */
    union ip_fw_if fw_in_if, fw_out_if;/* Incoming / outgoing interfaces */
    union {                         /* Meaning chosen by the IP_FW_F_COMMAND bits */
        u_short fu_divert_port;     /* Divert/tee port */
        u_short fu_skipto_rule;     /* SKIPTO command rule number */
        u_short fu_reject_code;     /* REJECT response code: 0..255 = ICMP
                                     * unreachable code sent to the source,
                                     * 256 = TCP reset (TCP protocol only) */
    } fw_un;
    u_char fw_prot;                 /* IP protocol */
    u_char fw_nports;               /* N'of src ports and # of dst ports */
                                    /* in ports array (dst ports follow */
                                    /* src ports; max of 10 ports in all */
                                    /* count of 0 means match all ports) */
};

/* Encoding of number of source/dest ports from "fw_nports":
 * low nibble = number of source ports, high nibble = number of
 * destination ports.  The setters do not mask (n), so a count above
 * 15 would spill into the other nibble; the kernel rejects a rule whose
 * two counts together exceed IP_FW_MAX_PORTS with EINVAL (see the
 * EINVAL entry below). */

#define IP_FW_GETNSRCP(rule)            ((rule)->fw_nports & 0x0f)
#define IP_FW_SETNSRCP(rule, n)         do {                            \\
                                          (rule)->fw_nports &= ~0x0f;   \\
                                          (rule)->fw_nports |= (n);     \\
                                        } while (0)
#define IP_FW_GETNDSTP(rule)            ((rule)->fw_nports >> 4)
#define IP_FW_SETNDSTP(rule, n)         do {                            \\
                                          (rule)->fw_nports &= ~0xf0;   \\
                                          (rule)->fw_nports |= (n) << 4;\\
                                        } while (0)

/* Flags values for "flags" field (fw_flg).  IP_FW_F_COMMAND masks the
 * rule action; the seven action values listed under it are the ones
 * defined here (0x0070 itself is not assigned an action). */

#define IP_FW_F_IN      0x0001  /* Check inbound packets                */
#define IP_FW_F_OUT     0x0002  /* Check outbound packets               */
#define IP_FW_F_IIFACE  0x0004  /* Apply inbound interface test         */
#define IP_FW_F_OIFACE  0x0008  /* Apply outbound interface test        */

#define IP_FW_F_COMMAND 0x0070  /* Mask for type of chain entry:        */
#define IP_FW_F_DENY    0x0000  /* This is a deny rule                  */
#define IP_FW_F_REJECT  0x0010  /* Deny and send a response packet      */
#define IP_FW_F_ACCEPT  0x0020  /* This is an accept rule               */
#define IP_FW_F_COUNT   0x0030  /* This is a count rule                 */
#define IP_FW_F_DIVERT  0x0040  /* This is a divert rule                */
#define IP_FW_F_TEE     0x0050  /* This is a tee rule                   */
#define IP_FW_F_SKIPTO  0x0060  /* This is a skipto rule                */

#define IP_FW_F_PRN     0x0080  /* Print if this rule matches           */

#define IP_FW_F_SRNG    0x0100  /* The first two src ports are a min    *
                                 * and max range (stored in host byte   *
                                 * order).                              */

#define IP_FW_F_DRNG    0x0200  /* The first two dst ports are a min    *
                                 * and max range (stored in host byte   *
                                 * order).                              */

#define IP_FW_F_IIFNAME 0x0400  /* In interface by name/unit (not IP)   */
#define IP_FW_F_OIFNAME 0x0800  /* Out interface by name/unit (not IP)  */

#define IP_FW_F_INVSRC  0x1000  /* Invert sense of src check            */
#define IP_FW_F_INVDST  0x2000  /* Invert sense of dst check            */

#define IP_FW_F_FRAG    0x4000  /* Fragment                             */

#define IP_FW_F_ICMPBIT 0x8000  /* ICMP type bitmap is valid            */

#define IP_FW_F_MASK    0xFFFF  /* All possible flag bits mask          */
.Ed

.Sh $B%k!<%k$NF0:n(B
$B%k!<%k$K$O$=$l$>$l%U%i%0$NCf$N(B IP_FW_F_COMMAND $B%S%C%H$G5-=R$5$l$?F0:n$,$"$j$^$9(B:

  IP_FW_F_DENY          - $B%Q%1%C%H$rGK4~$7$^$9(B
  IP_FW_F_REJECT        - $B%Q%1%C%H$rGK4~$7!"(BICMP $B$^$?$O(B TCP $B$r7PM3$7$F5qH]$rDLCN$7$^$9(B
  IP_FW_F_ACCEPT        - $B%Q%1%C%H$r<u$1F~$l$^$9(B
  IP_FW_F_COUNT         - $B%+%&%s%?$r99?7$7!"%^%C%A%s%0$rB3$1$^$9(B
  IP_FW_F_DIVERT        - $B%Q%1%C%H$r(B divert(4) $B%=%1%C%H$K0o$7$^$9(B
  IP_FW_F_TEE           - $B%Q%1%C%H$r(B divert(4) $B$K%3%T!<$7!"7QB3$7$^$9(B
  IP_FW_F_SKIPTO        - $B%k!<%kHV9f(B fu_skipto_rule $B$X%9%-%C%W$7$^$9(B
.Pp
IP_FW_F_REJECT $B$N>l9g!"(B fu_reject_code $B$NHV9f$,(B 0 $B$+$i(B 255 $B$J$i$P(B
$BBP1~$9$k%3!<%I$H$H$b$K:G=i$N%Q%1%C%H$NH/?.85$N(B IP $B%"%I%l%9$X(B
ICMP unreachable $B$rAw$jJV$7$^$9!#(B
$B$=$&$G$O$J$/!"CM$,(B 256 $B$G%W%m%H%3%k$,(B IPPROTO_TCP $B$N>l9g$K$O(B
$BBe$o$j$K(B TCP reset $B%Q%1%C%H$,Aw$i$l$^$9!#(B
.Pp
IP_FW_F_SKIPTO $B$r;HMQ$9$k$H(B fu_skipto_rule $B$h$j>.$5$$%k!<%kHV9f$r;}$D(B
$B$9$Y$F$NO"B3$9$k%k!<%k$,%9%-%C%W$5$l$^$9!#(B
.Sh $B%+!<%M%k%*%W%7%g%s(B
$B%+!<%M%k@_Dj%U%!%$%k$G$N%*%W%7%g%s(B:
  IPFIREWALL               - ipfirewall $B$rM-8z$K$7$^$9(B
  IPFIREWALL_VERBOSE       - firewall $B$N=PNO$rM-8z$K$7$^$9(B
  IPFIREWALL_VERBOSE_LIMIT - firewall $B$N=PNO$rM^@)$7$^$9(B
  DIVERT                   - divert(4) sockets $B$rM-8z$K$7$^$9(B
.Pp
$B%Q%1%C%H$,(B IP_FW_F_PRN bit $B$,%;%C%H$5$l$F$$$k%k!<%k$KE,9g$7!"(B
IPFIREWALL_VERBOSE $B$,M-8z$K$5$l$F$$$k>l9g$K$O%a%C%;!<%8$,%3%s%=!<%k$K(B
$B=PNO$5$l$^$9!#(B
IPFIREWALL_VERBOSE_LIMIT $B$O$=$l$>$l$N%k!<%k$,%m%0%a%C%;!<%8$r=PNO$G$-$k(B
$B2s?t$N:GBgCM$r@)8B$7$^$9!#(B
$B$3$l$i$NJQ?t$b(B
.Xr sysctl 3
$B%$%s%?%U%'!<%9$r7PM3$7$FMxMQ$G$-$^$9!#(B
.Sh $B?GCG(B

[EINVAL]  IP $B%*%W%7%g%s$NMs$,:G>.CM$h$jC;$$$+!"Ds6!$5$l$?%*%W%7%g%s(B
          $B%P%C%U%!$h$jD9$/ITE,@Z$J7A<0$G$7$?!#(Bip_fw $B9=B$BN$G9=B$E*(B
          $B$J%(%i!<$,H/@8$7$^$7$?!#(B(n_src_p+n_dst_p $B2aBg!"(BALL/ICMP
          $B%W%m%H%3%k$N$?$a$N%]!<%H%;%C%H$J$I(B) $BIT@5$J%k!<%kHV9f$,(B
          $B;H$o$l$^$7$?!#(B
.Sh $B4XO"9`L\(B
.Xr setsockopt 2 ,
.Xr divert 4 ,
.Xr ip 4 ,
.Xr ipfw 8 ,
.Xr sysctl 8
.Sh $B%P%0(B
``tee'' $B%k!<%k$O$^$@<BAu$5$l$F$$$^$;$s!#(B ($B8=:_$O8z2L$,$"$j$^$;$s(B)
.Pp
$B$3$N(B man $B%Z!<%8$O$^$@:n6H$,I,MW$G$9!#(B
.Sh $BNr;K(B
ipfw $B5!G=$O:G=i$K(B BSDI $B$X$N%Q%C%1!<%8$H$7$F(B
Daniel Boulet <danny@BouletFermat.ab.ca>
$B$K$h$C$F=q$+$l$^$7$?!#(B
Ugen J.S.Antsilevich <ugen@NetVision.net.il>
$B$,BgI}$KJQ99$7!"(BFreeBSD $B$X0\?"$7$^$7$?!#(B
.Pp
Archie Cobbs <archie@whistle.com> $B$K$h$C$F$$$/$D$+$N3HD%$,2C$($i$l$^$7$?!#(B
