Scrigroup - Documente si articole

     

HomeDocumenteUploadResurseAlte limbi doc
AccessAdobe photoshopAlgoritmiAutocadBaze de dateCC sharp
CalculatoareCorel drawDot netExcelFox proFrontpageHardware
HtmlInternetJavaLinuxMatlabMs dosPascal
PhpPower pointRetele calculatoareSqlTutorialsWebdesignWindows
WordXml

AspAutocadCDot netExcelFox proHtmlJava
LinuxMathcadPhotoshopPhpSqlVisual studioWindowsXml

ipfwadm linux command

linux



+ Font mai mare | - Font mai mic



ipfwadm

ipfwadm category command parameters [options]



ipfwadm -M [ -l | -s ] [options]

Administer a firewall and its rules, firewall accounting, and IP masquerading in the 2.0 Linux kernel. This command is replaced with ipchains in the 2.2 kernel, and ipchains is replaced by iptables in the 2.4 kernel.

There are four categories of rules: IP packet accounting, IP input firewall, IP output firewall, and IP forwarding firewall. The rules are maintained in lists, with a separate list for each category. See the manpage for ipfw(4) for a more detailed description of how the lists work.

Each ipfwadm command specifies only one category and one rule. To create a secure firewall, you issue multiple ipfwadm commands; the combination of their rules work together to ensure that your firewall operates as you intend it to. The second form of the command is for masquerading. The commands -l and -s described in the later list are the only ones that can be used with the masquerading category, -M.

Categories

One of the following flags is required to indicate the category of rules to which the command that follows the category applies.

-A [direction

IP accounting rules. Optionally, a direction can be specified:

in

Count only incoming packets.

out

Count only outgoing packets.

both

Count both incoming and outgoing packets; this is the default.

-F

IP forwarding firewall rules.

-I

IP input firewall rules.

-M

IP masquerading administration. Can be used only with the -l or -s command.

-O

IP output firewall rules.

Commands

The category is followed by a command indicating the specific action to be taken. Unless otherwise specified, only one action can be given on a command line. For the commands that can include a policy, the valid policies are:

accept

Allow matching packets to be received, sent, or forwarded.

deny

Block matching packets from being received, sent, or forwarded.

reject

Block matching packets from being received, sent, or forwarded and also return an ICMP error message to the sending host.

The commands are:

-a [policy

Append one or more rules to the end of the rules for the category. No policy is specified for accounting rules. For firewall rules, a policy is required. When the source and/or destination names resolve to more than one address, a rule is added for each possible address combination.

-c

Check whether this IP packet would be accepted, denied, or rejected by the type of firewall represented by this category. Valid only when the category is -I, -O, or -F. Requires the -V parameter to be specified (see 'Parameters,' later).

-d [policy

Delete one or more entries from the list of rules for the category. No policy is specified for accounting rules. The parameters specified with this command must exactly match the parameters from an append or insert command, or no match will be found and the rule will not be removed. Only the first matching rule in the list of rules is deleted.

-f

Remove (flush) all rules for the category.

-h

Display a help message with a brief description of the command syntax. Specified with no category:

% ipfwadm -h

-i [policy

Insert a new rule at the beginning of the selected list for the category. No policy is specified for accounting rules. For firewall rules, a policy is required. When the source and/or destination names resolve to more than one address, a rule is added for each possible address combination.

-l

List all rules for the category. This option may be combined with the -z option to reset the packet and byte counters after listing their current values. Unless the -x option is also specified, the packet and byte counters are shown as numberK or numberM, rounded to the nearest integer. See also the -e option described under 'Options' later.

-p policy

Change the default policy for the selected type of firewall to policy. The default policy is used when no matching rule is found. Valid only with -I, -O, or -F.

-s tcp tcpfin udp

Set the masquerading timeout values; valid only with -M. The three parameters are required and represent the timeout value in seconds for TCP sessions, TCP sessions after receiving a FIN packet, and UDP packets, respectively. A timeout value of 0 preserves the current timeout value of the corresponding entry.

-z

Reset the packet and byte counters for all rules in the category. This command may be combined with the -l command.

Parameters

The following parameters can be specified with the -a, -i, -d, or -c commands, except as noted. Multiple parameters can be specified on a single ipfwadm command line.

-D address mask port

The destination specification (optional). See the description of -S for the syntax, default values, and other requirements. ICMP types cannot be specified with -D.

-P protocol

The protocol of the rule or packet; possible values are tcp, udp, icmp, or all. Defaults to all, which matches all protocols. -P cannot be specified with the -c command.

-S address[/mask port

The source IP address, specified as a hostname, a network name, or an IP address. The source address and mask default to 0.0.0.0/0. If -S is specified, -P must also be specified. The optional mask is specified as a network mask or as the number of 1s on the left of the network mask (e.g., a mask of 24 is equivalent to 255.255.255.0). The mask defaults to 32. One or more values of port may optionally be specified, indicating what ports or ICMP types the rule applies to. The default is all. Ports may be specified by their /etc/ services entry. The syntax for indicating a range of ports is:

lowport:highport

For example:

-S 172.29.16.1/24 ftp:ftp-data

-V address

The address of the network interface the packet is received from (if category is -I) or is being sent to (if category is -O). address can be a hostname or an IP address, and defaults to 0.0.0.0, which matches any interface address. -V is required with the -c command:

-V 172.29.16.1

-W name

Identical to -V but takes a device name instead of its address:

-W ppp0

Options

-b

Bidirectional mode. The rule matches IP packets in both directions. This option is valid only with the -a, -i, and -d commands.

-e

Extended output. Used with the -l command to also show the interface address and any rule options. When listing firewall rules, also shows the packet and byte counters and the TOS (Type of Service) masks. When used with -M, also shows information related to delta sequence numbers.

-k

Match TCP acknowledgment packets (i.e., only TCP packets with the ACK bit set). This option is ignored for all other protocols and is valid only with the -a, -i, and -d commands.

-m

Accept masquerade packets for forwarding, making them appear to have originated from the local host. Recognizes reverse packets and automatically demasquerades them, bypassing the forwarding firewall. This option is valid only in forwarding firewall rules with policy accept. The kernel must have been compiled with CONFIG_IP_MASQUERADE defined.

-n

Numeric output. Print IP addresses and port numbers in numeric format.

-o

Log packets that match this rule to the kernel log. This option is valid only with the -a, -i, and -d commands. The kernel must have been compiled with CONFIG_IP_FIREWALL_VERBOSE defined.

-r [port

Redirect packets to a local socket, even if they were sent to a remote host. If port is 0 (the default), the packet's destination port is used. This option is valid only in input firewall rules with policy accept. The kernel must have been compiled with CONFIG_IP_TRANSPARENT_ PROXY defined.

-t andmask xormask

Specify masks used for modifying the TOS field in the IP header. When a packet is accepted (with or without masquerading) by a firewall rule, its TOS field is bitwise ANDed with andmask, and the result is bitwise XORed with xormask. The masks are specified as 8-bit hexadecimal values. This option is valid only with the -a, -i, and -d commands and has no effect when used with accounting rules or with firewall rules for rejecting or denying a packet.

-v

Verbose output. Print detailed information about the rule or packet to be added, deleted, or checked. This option is valid only with the -a, -i, -d, and -c commands.

-x

Expand numbers. Display the exact value of the packet and byte counters, instead of a rounded value. This option is valid only when the counters are being listed anyway (see also the -e option).

-y

Match TCP packets with the SYN bit set and the ACK bit cleared. This option is ignored for packets of other protocols and is valid only with the -a, -i, and -d commands.



Politica de confidentialitate | Termeni si conditii de utilizare



DISTRIBUIE DOCUMENTUL

Comentarii


Vizualizari: 702
Importanta: rank

Comenteaza documentul:

Te rugam sa te autentifici sau sa iti faci cont pentru a putea comenta

Creaza cont nou

Termeni si conditii de utilizare | Contact
© SCRIGROUP 2024 . All rights reserved