ipfwadm

ipfwadm category command parameters [options]
ipfwadm -M [ -l | -s ] [options]

Administer a firewall and its rules, firewall accounting, and IP masquerading in the 2.0 Linux kernel. This command was replaced by ipchains in the 2.2 kernel, and ipchains was in turn replaced by iptables in the 2.4 kernel.

There are four categories of rules: IP packet accounting, IP input firewall, IP output firewall, and IP forwarding firewall. The rules are maintained in lists, with a separate list for each category; a packet is compared with the rules of a list in order, and the first matching rule decides what happens to it. See the manpage for ipfw(4) for a more detailed description of how the lists work. Each ipfwadm command specifies only one category and one rule. To build a secure firewall you issue multiple ipfwadm commands; the combination of their rules works together to make the firewall operate as you intend.

The second form of the command is for masquerading. The -l and -s commands described below are the only ones that can be used with the masquerading category, -M.

Categories

One of the following flags is required to indicate the category of rules to which the command that follows it applies.

-A [direction]
    IP accounting rules. Optionally, a direction can be specified:
    in     Count only incoming packets.
    out    Count only outgoing packets.
    both   Count both incoming and outgoing packets; this is the default.
-F
    IP forwarding firewall rules.
-I
    IP input firewall rules.
-M
    IP masquerading administration. Can be used only with the -l or -s command.
-O
    IP output firewall rules.

Commands

The category is followed by a command indicating the specific action to be taken. Unless otherwise specified, only one command can be given on a command line. For the commands that take a policy, the valid policies are:

accept   Allow matching packets to be received, sent, or forwarded.
deny     Block matching packets from being received, sent, or forwarded, without telling the sender.
reject   Block matching packets from being received, sent, or forwarded, and also return an ICMP error message to the sending host.

The commands are:

-a [policy]
    Append one or more rules to the end of the rules for the category. No policy is specified for accounting rules; for firewall rules a policy is required. When the source and/or destination names resolve to more than one address, a rule is added for each possible address combination.
-c
    Check whether the IP packet described by the parameters would be accepted, denied, or rejected by the type of firewall represented by this category. Valid only when the category is -I, -O, or -F. Requires the -V parameter (see "Parameters" below).
-d [policy]
    Delete one or more entries from the list of rules for the category. No policy is specified for accounting rules. The parameters specified with this command must exactly match the parameters from an append or insert command, or no match will be found and the rule will not be removed. Only the first matching rule in the list is deleted, so a rule that was added twice must be deleted twice.
-f
    Remove (flush) all rules for the category.
-h
    Display a help message with a brief description of the command syntax. Specified with no category:
    % ipfwadm -h
-i [policy]
    Insert a new rule at the beginning of the selected list for the category. No policy is specified for accounting rules; for firewall rules a policy is required. When the source and/or destination names resolve to more than one address, a rule is added for each possible address combination.
-l
    List all rules for the category. This command may be combined with -z to reset the packet and byte counters after listing their current values. Unless -x is also specified, the packet and byte counters are shown as numberK or numberM, rounded to the nearest integer. See also the -e option under "Options" below.
-p policy
    Change the default policy for the selected type of firewall to policy. The default policy is used when no matching rule is found. Valid only with -I, -O, or -F.
-s tcp tcpfin udp
    Set the masquerading timeout values; valid only with -M. The three parameters are required and give the timeout in seconds for TCP sessions, TCP sessions after a FIN packet has been seen, and UDP packets, respectively. A timeout value of 0 preserves the current timeout value of the corresponding entry.
-z
    Reset the packet and byte counters for all rules in the category. This command may be combined with -l.

Parameters

The following parameters can be specified with the -a, -i, -d, or -c commands, except as noted. Multiple parameters can be specified on a single ipfwadm command line.

-D address[/mask] [port ...]
    The destination specification (optional). See the description of -S for the syntax, default values, and other requirements. ICMP types cannot be specified with -D.
-P protocol
    The protocol of the rule, or of the packet to be checked; possible values are tcp, udp, icmp, or all. Defaults to all, which matches all protocols. all cannot be used with the -c command: a packet to be checked must have a specific protocol.
-S address[/mask] [port ...]
    The source IP address, specified as a hostname, a network name, or an IP address. The source address and mask default to 0.0.0.0/0. The optional mask is specified as a network mask or as the number of 1 bits on the left of the network mask (e.g., a mask of 24 is equivalent to 255.255.255.0). The mask defaults to 32. One or more values of port may optionally follow the address, indicating which ports (for tcp or udp) or ICMP types (for icmp) the rule applies to; ports can be given only when -P is tcp, udp, or icmp. The default is all. Ports may be specified by their /etc/services names. A range of ports is written lowport:highport. For example, to match the FTP data and control ports (20 and 21):
    -S 172.29.16.1/24 ftp-data:ftp
-V address
    The address of the network interface on which the packet is received (if the category is -I) or is to be sent (if the category is -O). address can be a hostname or an IP address, and defaults to 0.0.0.0, which matches any interface address. -V is required with the -c command:
    -V 172.29.16.1
-W name
    Identical to -V but takes a device name instead of its address:
    -W ppp0

Options

-b
    Bidirectional mode. The rule matches IP packets in both directions, i.e., also packets whose source and destination match the rule's destination and source. Valid only with the -a, -i, and -d commands.
-e
    Extended output. Used with the -l command to also show the interface address and any rule options. When listing firewall rules, also shows the packet and byte counters and the TOS (Type of Service) masks. When used with -M, also shows information related to delta sequence numbers.
-k
    Match TCP acknowledgment packets (i.e., only TCP packets with the ACK bit set). This option is ignored for all other protocols and is valid only with the -a, -i, and -d commands. It is commonly used to let replies to connections opened from inside pass; note that the test is stateless, so any packet carrying the ACK bit matches, whether or not a connection exists.
-m
    Masquerade accepted packets when forwarding them, making them appear to have originated from the local host. Reverse packets are recognized and automatically demasqueraded, bypassing the forwarding firewall. This option is valid only in forwarding firewall rules with policy accept. The kernel must have been compiled with CONFIG_IP_MASQUERADE defined.
-n
    Numeric output. Print IP addresses and port numbers in numeric format.
-o
    Log packets that match this rule to the kernel log. This option is valid only with the -a, -i, and -d commands. The kernel must have been compiled with CONFIG_IP_FIREWALL_VERBOSE defined.
-r [port]
    Redirect packets to a local socket, even if they were sent to a remote host. If port is 0 (the default), the packet's destination port is used. This option is valid only in input firewall rules with policy accept. The kernel must have been compiled with CONFIG_IP_TRANSPARENT_PROXY defined.
-t andmask xormask
    Specify masks used for modifying the TOS field in the IP header. When a packet is accepted (with or without masquerading) by a firewall rule, its TOS field is bitwise ANDed with andmask, and the result is bitwise XORed with xormask. The masks are specified as 8-bit hexadecimal values. This option is valid only with the -a, -i, and -d commands and has no effect when used with accounting rules or with firewall rules that reject or deny a packet.
-v
    Verbose output. Print detailed information about the rule or packet to be added, deleted, or checked. This option is valid only with the -a, -i, -d, and -c commands.
-x
    Expand numbers. Display the exact value of the packet and byte counters instead of a rounded value. This option is valid only when the counters are being listed anyway (see also the -e option).
-y
    Match TCP packets with the SYN bit set and the ACK bit cleared, i.e., packets that open a new connection. This option is ignored for packets of other protocols and is valid only with the -a, -i, and -d commands.
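The categories, commands, parameters and options above are meant to be combined into one script that loads a complete ruleset. The following is an added example written for this page, not code from the original reference: a firewall script for a 2.0-kernel gateway that flushes the lists, sets default policies, allows replies (-k) and selected new connections (-y) on the outside interface, masquerades the LAN (-F with -m), sets the masquerading timeouts (-M -s), adds an accounting rule, and wraps the -c packet check. The interface names eth0/eth1, the addresses 198.51.100.10 and 192.168.1.0/24, and the outside host 203.0.113.7 are all assumptions; the IPFWADM variable lets the script print the commands instead of running them.

```shell
#!/bin/sh
# Added example: ipfwadm ruleset for a 2.0-kernel gateway (not from the page).
# Assumptions (all hypothetical):
#   eth0 / 198.51.100.10  external, Internet-facing interface
#   eth1 / 192.168.1.1    internal interface on the LAN 192.168.1.0/24
# Set IPFWADM=echo to print the invocations instead of executing them.

IPFWADM="${IPFWADM:-ipfwadm}"
EXT_IF=eth0
EXT_IP=198.51.100.10
LAN_IF=eth1
LAN_NET=192.168.1.0/24

# Run one ipfwadm invocation and name it if it fails, so a typo in the
# middle of the script is not silently skipped.
fw() {
    "$IPFWADM" "$@" || { echo "failed: ipfwadm $*" >&2; return 1; }
}

apply_firewall() {
    # Flush every list first so re-running the script does not append
    # duplicate rules (-d would remove only the first matching copy).
    fw -I -f && fw -O -f && fw -F -f && fw -A -f || return 1

    # Default policies: deny inbound and forwarded traffic unless a rule
    # below accepts it; let the gateway itself send freely.
    fw -I -p deny && fw -O -p accept && fw -F -p deny || return 1

    # Anti-spoofing: a packet with a LAN source must never arrive on eth0.
    # -o logs each hit (kernel needs CONFIG_IP_FIREWALL_VERBOSE).
    fw -I -a deny -W "$EXT_IF" -S "$LAN_NET" -o || return 1

    # Loopback and the internal LAN are trusted.
    fw -I -a accept -W lo || return 1
    fw -I -a accept -W "$LAN_IF" -S "$LAN_NET" || return 1

    # Replies to connections the gateway opened: TCP with ACK set (-k).
    # ipfwadm is stateless, so any ACK-bearing packet matches, ACK scans
    # included; this is the best a 2.0 kernel can do.
    fw -I -a accept -P tcp -k -W "$EXT_IF" -D "$EXT_IP" || return 1

    # New connections (SYN set, ACK clear: -y) only to SSH and SMTP.
    fw -I -a accept -P tcp -y -W "$EXT_IF" -D "$EXT_IP" 22 25 || return 1

    # DNS answers to the resolver's unprivileged source ports, and ICMP.
    fw -I -a accept -P udp -W "$EXT_IF" -S 0.0.0.0/0 53 -D "$EXT_IP" 1024:65535 || return 1
    fw -I -a accept -P icmp -W "$EXT_IF" -D "$EXT_IP" || return 1

    # The default policy already denies the rest, but a default policy
    # cannot log, so finish with an explicit logging deny on eth0.
    fw -I -a deny -W "$EXT_IF" -o || return 1

    # Forwarding: masquerade the LAN behind the external address. -m is
    # valid only with policy accept in the -F list; replies are
    # demasqueraded automatically (kernel needs CONFIG_IP_MASQUERADE).
    fw -F -a accept -m -W "$EXT_IF" -S "$LAN_NET" -D 0.0.0.0/0 || return 1

    # Masquerading timeouts: TCP 2 h, TCP after FIN 10 s, UDP 160 s.
    fw -M -s 7200 10 160 || return 1

    # Accounting: count LAN traffic; -b also matches with src/dst swapped.
    fw -A both -a -S "$LAN_NET" -b || return 1
}

# Ask the kernel what the input firewall would do with a SYN from the
# outside host 203.0.113.7 (assumed) to port $1. -c requires -V with the
# receiving interface address and a concrete protocol (not all).
check_inbound_syn() {
    fw -I -c -P tcp -y -V "$EXT_IP" -S 203.0.113.7 40000 -D "$EXT_IP" "$1"
}

# List the input rules numerically, with interfaces and exact counters.
list_input_rules() {
    fw -I -l -e -n -x
}

case "${1:-}" in
    apply) apply_firewall ;;
    check) check_inbound_syn "${2:-22}" ;;
    list)  list_input_rules ;;
esac
```

Review the generated commands first with IPFWADM=echo sh firewall.sh apply, then load them as root with sh firewall.sh apply. Once loaded, sh firewall.sh check 22 and sh firewall.sh check 23 should report the packet as accepted and denied respectively, and sh firewall.sh list shows the per-rule counters with -x so that small probe packets are not rounded away.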