Not in this commit: Many spammed deltas have been removed to restore
back to the vendor branch. Re-merge changes from the vendor branch. Undo the local spammed changes that I could find. There are probably more local fixes that were clobbered that I've missed.
This commit is contained in:
parent
94fafad064
commit
96c630d7b2
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=57109
@ -1,43 +1,52 @@
|
||||
/* $FreeBSD$ */
|
||||
/*
|
||||
* Copyright (C) 1993-1997 by Darren Reed.
|
||||
* Copyright (C) 1993-1998 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1997 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.9 1998/05/23 14:29:45 darrenr Exp $";
|
||||
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1998 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.3.2.4 2000/01/24 12:45:25 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#ifndef SOLARIS
|
||||
#define SOLARIS (defined(__SVR4) || defined(__svr4__)) && defined(sun)
|
||||
#endif
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/file.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/ioctl.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
#include <fcntl.h>
|
||||
#include <errno.h>
|
||||
#include <sys/types.h>
|
||||
#ifndef __FreeBSD__
|
||||
#if !defined(__SVR4) && !defined(__svr4__)
|
||||
# if (__FreeBSD_version >= 300000)
|
||||
# include <sys/dirent.h>
|
||||
# else
|
||||
# include <sys/dir.h>
|
||||
# endif
|
||||
#else
|
||||
# include <sys/filio.h>
|
||||
# include <sys/byteorder.h>
|
||||
#endif
|
||||
#include <strings.h>
|
||||
#include <signal.h>
|
||||
#include <sys/dir.h>
|
||||
#else
|
||||
#include <sys/filio.h>
|
||||
#include <sys/byteorder.h>
|
||||
#endif
|
||||
#endif
|
||||
#include <sys/stat.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/file.h>
|
||||
#include <sys/time.h>
|
||||
#include <stdlib.h>
|
||||
#include <stddef.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <net/if.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/tcp_fsm.h>
|
||||
#include <netdb.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <arpa/nameser.h>
|
||||
@ -46,7 +55,6 @@ static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.9 1998/05/23 14:29:45
|
||||
#include <sys/uio.h>
|
||||
#ifndef linux
|
||||
# include <sys/protosw.h>
|
||||
# include <sys/user.h>
|
||||
# include <netinet/ip_var.h>
|
||||
#endif
|
||||
|
||||
@ -87,6 +95,15 @@ struct flags tcpfl[] = {
|
||||
{ 0, '\0' }
|
||||
};
|
||||
|
||||
#if SOLARIS
|
||||
static char *pidfile = "/etc/opt/ipf/ipmon.pid";
|
||||
#else
|
||||
# if BSD >= 199306
|
||||
static char *pidfile = "/var/run/ipmon.pid";
|
||||
# else
|
||||
static char *pidfile = "/etc/ipmon.pid";
|
||||
# endif
|
||||
#endif
|
||||
|
||||
static char line[2048];
|
||||
static int opts = 0;
|
||||
@ -101,12 +118,20 @@ static void print_ipflog __P((FILE *, char *, int));
|
||||
static void print_natlog __P((FILE *, char *, int));
|
||||
static void print_statelog __P((FILE *, char *, int));
|
||||
static void dumphex __P((FILE *, u_char *, int));
|
||||
static int read_log __P((int, int *, char *, int, FILE *));
|
||||
static int read_log __P((int, int *, char *, int));
|
||||
static void write_pid __P((char *));
|
||||
|
||||
char *hostname __P((int, struct in_addr));
|
||||
char *portname __P((int, char *, u_short));
|
||||
char *portname __P((int, char *, u_int));
|
||||
int main __P((int, char *[]));
|
||||
|
||||
static void logopts __P((int, char *));
|
||||
static void init_tabs __P((void));
|
||||
static char *getproto __P((u_int));
|
||||
|
||||
static char **protocols = NULL;
|
||||
static char **udp_ports = NULL;
|
||||
static char **tcp_ports = NULL;
|
||||
|
||||
|
||||
#define OPT_SYSLOG 0x001
|
||||
@ -119,14 +144,14 @@ static void logopts __P((int, char *));
|
||||
#define OPT_STATE 0x100
|
||||
#define OPT_FILTER 0x200
|
||||
#define OPT_PORTNUM 0x400
|
||||
#define OPT_ALL (OPT_NAT|OPT_STATE|OPT_FILTER)
|
||||
#define OPT_LOGALL (OPT_NAT|OPT_STATE|OPT_FILTER)
|
||||
|
||||
#ifndef LOGFAC
|
||||
#define LOGFAC LOG_LOCAL0
|
||||
#endif
|
||||
|
||||
|
||||
static void handlehup(sig)
|
||||
void handlehup(sig)
|
||||
int sig;
|
||||
{
|
||||
FILE *fp;
|
||||
@ -134,14 +159,91 @@ int sig;
|
||||
signal(SIGHUP, handlehup);
|
||||
if (logfile && (fp = fopen(logfile, "a")))
|
||||
newlog = fp;
|
||||
init_tabs();
|
||||
donehup = 1;
|
||||
}
|
||||
|
||||
|
||||
static int read_log(fd, lenp, buf, bufsize, log)
|
||||
static void init_tabs()
|
||||
{
|
||||
struct protoent *p;
|
||||
struct servent *s;
|
||||
char *name, **tab;
|
||||
u_int port;
|
||||
|
||||
if (protocols != NULL) {
|
||||
free(protocols);
|
||||
protocols = NULL;
|
||||
}
|
||||
protocols = (char **)malloc(256 * sizeof(*protocols));
|
||||
if (protocols != NULL) {
|
||||
bzero((char *)protocols, 256 * sizeof(*protocols));
|
||||
|
||||
setprotoent(1);
|
||||
while ((p = getprotoent()) != NULL)
|
||||
if (p->p_proto >= 0 && p->p_proto <= 255 &&
|
||||
p->p_name != NULL)
|
||||
protocols[p->p_proto] = strdup(p->p_name);
|
||||
endprotoent();
|
||||
}
|
||||
|
||||
if (udp_ports != NULL) {
|
||||
free(udp_ports);
|
||||
udp_ports = NULL;
|
||||
}
|
||||
udp_ports = (char **)malloc(65536 * sizeof(*udp_ports));
|
||||
if (udp_ports != NULL)
|
||||
bzero((char *)udp_ports, 65536 * sizeof(*udp_ports));
|
||||
|
||||
if (tcp_ports != NULL) {
|
||||
free(tcp_ports);
|
||||
tcp_ports = NULL;
|
||||
}
|
||||
tcp_ports = (char **)malloc(65536 * sizeof(*tcp_ports));
|
||||
if (tcp_ports != NULL)
|
||||
bzero((char *)tcp_ports, 65536 * sizeof(*tcp_ports));
|
||||
|
||||
setservent(1);
|
||||
while ((s = getservent()) != NULL) {
|
||||
if (s->s_proto == NULL)
|
||||
continue;
|
||||
else if (!strcmp(s->s_proto, "tcp")) {
|
||||
port = (u_int)s->s_port;
|
||||
name = s->s_name;
|
||||
tab = tcp_ports;
|
||||
} else if (!strcmp(s->s_proto, "udp")) {
|
||||
port = (u_int)s->s_port;
|
||||
name = s->s_name;
|
||||
tab = udp_ports;
|
||||
} else
|
||||
continue;
|
||||
if ((port < 0 || port > 65535) || (name == NULL))
|
||||
continue;
|
||||
tab[port] = strdup(name);
|
||||
}
|
||||
endservent();
|
||||
}
|
||||
|
||||
|
||||
static char *getproto(p)
|
||||
u_int p;
|
||||
{
|
||||
static char pnum[4];
|
||||
char *s;
|
||||
|
||||
p &= 0xff;
|
||||
s = protocols ? protocols[p] : NULL;
|
||||
if (s == NULL) {
|
||||
sprintf(pnum, "%u", p);
|
||||
s = pnum;
|
||||
}
|
||||
return s;
|
||||
}
|
||||
|
||||
|
||||
static int read_log(fd, lenp, buf, bufsize)
|
||||
int fd, bufsize, *lenp;
|
||||
char *buf;
|
||||
FILE *log;
|
||||
{
|
||||
int nr;
|
||||
|
||||
@ -173,18 +275,24 @@ struct in_addr ip;
|
||||
char *portname(res, proto, port)
|
||||
int res;
|
||||
char *proto;
|
||||
u_short port;
|
||||
u_int port;
|
||||
{
|
||||
static char pname[8];
|
||||
struct servent *serv;
|
||||
char *s;
|
||||
|
||||
(void) sprintf(pname, "%hu", htons(port));
|
||||
port = ntohs(port);
|
||||
port &= 0xffff;
|
||||
(void) sprintf(pname, "%u", port);
|
||||
if (!res || (opts & OPT_PORTNUM))
|
||||
return pname;
|
||||
serv = getservbyport((int)port, proto);
|
||||
if (!serv)
|
||||
return pname;
|
||||
return serv->s_name;
|
||||
s = NULL;
|
||||
if (!strcmp(proto, "tcp"))
|
||||
s = tcp_ports[port];
|
||||
else if (!strcmp(proto, "udp"))
|
||||
s = udp_ports[port];
|
||||
if (s == NULL)
|
||||
s = pname;
|
||||
return s;
|
||||
}
|
||||
|
||||
|
||||
@ -254,6 +362,7 @@ int blen;
|
||||
char *t = line;
|
||||
struct tm *tm;
|
||||
int res, i, len;
|
||||
char *proto;
|
||||
|
||||
nl = (struct natlog *)((char *)ipl + sizeof(*ipl));
|
||||
res = (opts & OPT_RESOLVE) ? 1 : 0;
|
||||
@ -274,20 +383,22 @@ int blen;
|
||||
strcpy(t, "NAT:MAP ");
|
||||
else if (nl->nl_type == NL_NEWRDR)
|
||||
strcpy(t, "NAT:RDR ");
|
||||
else if (nl->nl_type == ISL_EXPIRE)
|
||||
else if (nl->nl_type == NL_EXPIRE)
|
||||
strcpy(t, "NAT:EXPIRE ");
|
||||
else
|
||||
sprintf(t, "Type: %d ", nl->nl_type);
|
||||
t += strlen(t);
|
||||
|
||||
proto = getproto(nl->nl_p);
|
||||
|
||||
(void) sprintf(t, "%s,%s <- -> ", hostname(res, nl->nl_inip),
|
||||
portname(res, NULL, nl->nl_inport));
|
||||
portname(res, proto, (u_int)nl->nl_inport));
|
||||
t += strlen(t);
|
||||
(void) sprintf(t, "%s,%s ", hostname(res, nl->nl_outip),
|
||||
portname(res, NULL, nl->nl_outport));
|
||||
portname(res, proto, (u_int)nl->nl_outport));
|
||||
t += strlen(t);
|
||||
(void) sprintf(t, "[%s,%s]", hostname(res, nl->nl_origip),
|
||||
portname(res, NULL, nl->nl_origport));
|
||||
portname(res, proto, (u_int)nl->nl_origport));
|
||||
t += strlen(t);
|
||||
if (nl->nl_type == NL_EXPIRE) {
|
||||
#ifdef USE_QUAD_T
|
||||
@ -315,8 +426,7 @@ int blen;
|
||||
{
|
||||
struct ipslog *sl;
|
||||
iplog_t *ipl = (iplog_t *)buf;
|
||||
struct protoent *pr;
|
||||
char *t = line, *proto, pname[6];
|
||||
char *t = line, *proto;
|
||||
struct tm *tm;
|
||||
int res, i, len;
|
||||
|
||||
@ -337,27 +447,29 @@ int blen;
|
||||
|
||||
if (sl->isl_type == ISL_NEW)
|
||||
strcpy(t, "STATE:NEW ");
|
||||
else if (sl->isl_type == ISL_EXPIRE)
|
||||
strcpy(t, "STATE:EXPIRE ");
|
||||
else if (sl->isl_type == ISL_EXPIRE) {
|
||||
if ((sl->isl_p == IPPROTO_TCP) &&
|
||||
(sl->isl_state[0] > TCPS_ESTABLISHED ||
|
||||
sl->isl_state[1] > TCPS_ESTABLISHED))
|
||||
strcpy(t, "STATE:CLOSE ");
|
||||
else
|
||||
strcpy(t, "STATE:EXPIRE ");
|
||||
} else if (sl->isl_type == ISL_FLUSH)
|
||||
strcpy(t, "STATE:FLUSH ");
|
||||
else
|
||||
sprintf(t, "Type: %d ", sl->isl_type);
|
||||
t += strlen(t);
|
||||
|
||||
pr = getprotobynumber((int)sl->isl_p);
|
||||
if (!pr) {
|
||||
proto = pname;
|
||||
sprintf(proto, "%d", (u_int)sl->isl_p);
|
||||
} else
|
||||
proto = pr->p_name;
|
||||
proto = getproto(sl->isl_p);
|
||||
|
||||
if (sl->isl_p == IPPROTO_TCP || sl->isl_p == IPPROTO_UDP) {
|
||||
(void) sprintf(t, "%s,%s -> ",
|
||||
hostname(res, sl->isl_src),
|
||||
portname(res, proto, sl->isl_sport));
|
||||
portname(res, proto, (u_int)sl->isl_sport));
|
||||
t += strlen(t);
|
||||
(void) sprintf(t, "%s,%s PR %s",
|
||||
hostname(res, sl->isl_dst),
|
||||
portname(res, proto, sl->isl_dport), proto);
|
||||
portname(res, proto, (u_int)sl->isl_dport), proto);
|
||||
} else if (sl->isl_p == IPPROTO_ICMP) {
|
||||
(void) sprintf(t, "%s -> ", hostname(res, sl->isl_src));
|
||||
t += strlen(t);
|
||||
@ -439,11 +551,10 @@ FILE *log;
|
||||
char *buf;
|
||||
int blen;
|
||||
{
|
||||
struct protoent *pr;
|
||||
struct tcphdr *tp;
|
||||
tcphdr_t *tp;
|
||||
struct icmp *ic;
|
||||
struct tm *tm;
|
||||
char c[3], pname[8], *t, *proto;
|
||||
char *t, *proto;
|
||||
u_short hl, p;
|
||||
int i, lvl, res, len;
|
||||
ip_t *ipc, *ip;
|
||||
@ -483,60 +594,62 @@ int blen;
|
||||
(defined(OpenBSD) && (OpenBSD >= 199603))) || defined(linux)
|
||||
len = (int)sizeof(ipf->fl_ifname);
|
||||
(void) sprintf(t, "%*.*s", len, len, ipf->fl_ifname);
|
||||
t += strlen(t);
|
||||
# if SOLARIS
|
||||
if (isalpha(*(t - 1)))
|
||||
*t++ = '0' + ipf->fl_unit;
|
||||
# endif
|
||||
#else
|
||||
for (len = 0; len < 3; len++)
|
||||
if (!ipf->fl_ifname[len])
|
||||
if (ipf->fl_ifname[len] == '\0')
|
||||
break;
|
||||
if (ipf->fl_ifname[len])
|
||||
len++;
|
||||
(void) sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit);
|
||||
#endif
|
||||
t += strlen(t);
|
||||
#endif
|
||||
(void) sprintf(t, " @%hu:%hu ", ipf->fl_group, ipf->fl_rule + 1);
|
||||
pr = getprotobynumber((int)p);
|
||||
if (!pr) {
|
||||
proto = pname;
|
||||
sprintf(proto, "%d", (u_int)p);
|
||||
} else
|
||||
proto = pr->p_name;
|
||||
t += strlen(t);
|
||||
proto = getproto(p);
|
||||
|
||||
if (ipf->fl_flags & FF_SHORT) {
|
||||
c[0] = 'S';
|
||||
*t++ = 'S';
|
||||
lvl = LOG_ERR;
|
||||
} else if (ipf->fl_flags & FR_PASS) {
|
||||
if (ipf->fl_flags & FR_LOGP)
|
||||
c[0] = 'p';
|
||||
*t++ = 'p';
|
||||
else
|
||||
c[0] = 'P';
|
||||
*t++ = 'P';
|
||||
lvl = LOG_NOTICE;
|
||||
} else if (ipf->fl_flags & FR_BLOCK) {
|
||||
if (ipf->fl_flags & FR_LOGB)
|
||||
c[0] = 'b';
|
||||
*t++ = 'b';
|
||||
else
|
||||
c[0] = 'B';
|
||||
*t++ = 'B';
|
||||
lvl = LOG_WARNING;
|
||||
} else if (ipf->fl_flags & FF_LOGNOMATCH) {
|
||||
c[0] = 'n';
|
||||
*t++ = 'n';
|
||||
lvl = LOG_NOTICE;
|
||||
} else {
|
||||
c[0] = 'L';
|
||||
*t++ = 'L';
|
||||
lvl = LOG_INFO;
|
||||
}
|
||||
c[1] = ' ';
|
||||
c[2] = '\0';
|
||||
(void) strcat(line, c);
|
||||
t = line + strlen(line);
|
||||
if (ipf->fl_loglevel != 0xffff)
|
||||
lvl = ipf->fl_loglevel;
|
||||
*t++ = ' ';
|
||||
*t = '\0';
|
||||
|
||||
if ((p == IPPROTO_TCP || p == IPPROTO_UDP) && !(ip->ip_off & 0x1fff)) {
|
||||
tp = (struct tcphdr *)((char *)ip + hl);
|
||||
if ((p == IPPROTO_TCP || p == IPPROTO_UDP) &&
|
||||
!(ip->ip_off & IP_OFFMASK)) {
|
||||
tp = (tcphdr_t *)((char *)ip + hl);
|
||||
if (!(ipf->fl_flags & (FI_SHORT << 16))) {
|
||||
(void) sprintf(t, "%s,%s -> ",
|
||||
hostname(res, ip->ip_src),
|
||||
portname(res, proto, tp->th_sport));
|
||||
portname(res, proto, (u_int)tp->th_sport));
|
||||
t += strlen(t);
|
||||
(void) sprintf(t, "%s,%s PR %s len %hu %hu ",
|
||||
hostname(res, ip->ip_dst),
|
||||
portname(res, proto, tp->th_dport),
|
||||
portname(res, proto, (u_int)tp->th_dport),
|
||||
proto, hl, ip->ip_len);
|
||||
t += strlen(t);
|
||||
|
||||
@ -545,12 +658,13 @@ int blen;
|
||||
for (i = 0; tcpfl[i].value; i++)
|
||||
if (tp->th_flags & tcpfl[i].value)
|
||||
*t++ = tcpfl[i].flag;
|
||||
}
|
||||
if (opts & OPT_VERBOSE) {
|
||||
(void) sprintf(t, " %lu %lu %hu",
|
||||
(u_long)tp->th_seq,
|
||||
(u_long)tp->th_ack, tp->th_win);
|
||||
t += strlen(t);
|
||||
if (opts & OPT_VERBOSE) {
|
||||
(void) sprintf(t, " %lu %lu %hu",
|
||||
(u_long)(ntohl(tp->th_seq)),
|
||||
(u_long)(ntohl(tp->th_ack)),
|
||||
ntohs(tp->th_win));
|
||||
t += strlen(t);
|
||||
}
|
||||
}
|
||||
*t = '\0';
|
||||
} else {
|
||||
@ -560,7 +674,7 @@ int blen;
|
||||
hostname(res, ip->ip_dst), proto,
|
||||
hl, ip->ip_len);
|
||||
}
|
||||
} else if (p == IPPROTO_ICMP) {
|
||||
} else if ((p == IPPROTO_ICMP) && !(ip->ip_off & IP_OFFMASK)) {
|
||||
ic = (struct icmp *)((char *)ip + hl);
|
||||
(void) sprintf(t, "%s -> ", hostname(res, ip->ip_src));
|
||||
t += strlen(t);
|
||||
@ -573,24 +687,18 @@ int blen;
|
||||
ic->icmp_type == ICMP_REDIRECT ||
|
||||
ic->icmp_type == ICMP_TIMXCEED) {
|
||||
ipc = &ic->icmp_ip;
|
||||
tp = (struct tcphdr *)((char *)ipc + hl);
|
||||
tp = (tcphdr_t *)((char *)ipc + hl);
|
||||
|
||||
p = (u_short)ipc->ip_p;
|
||||
pr = getprotobynumber((int)p);
|
||||
if (!pr) {
|
||||
proto = pname;
|
||||
(void) sprintf(proto, "%d", (int)p);
|
||||
} else
|
||||
proto = pr->p_name;
|
||||
proto = getproto(ipc->ip_p);
|
||||
|
||||
t += strlen(t);
|
||||
(void) sprintf(t, " for %s,%s -",
|
||||
hostname(res, ipc->ip_src),
|
||||
portname(res, proto, tp->th_sport));
|
||||
portname(res, proto, (u_int)tp->th_sport));
|
||||
t += strlen(t);
|
||||
(void) sprintf(t, " %s,%s PR %s len %hu %hu",
|
||||
hostname(res, ipc->ip_dst),
|
||||
portname(res, proto, tp->th_dport),
|
||||
portname(res, proto, (u_int)tp->th_dport),
|
||||
proto, ipc->ip_hl << 2, ipc->ip_len);
|
||||
}
|
||||
} else {
|
||||
@ -599,11 +707,12 @@ int blen;
|
||||
(void) sprintf(t, "%s PR %s len %hu (%hu)",
|
||||
hostname(res, ip->ip_dst), proto, hl, ip->ip_len);
|
||||
t += strlen(t);
|
||||
if (ip->ip_off & 0x1fff)
|
||||
if (ip->ip_off & IP_OFFMASK)
|
||||
(void) sprintf(t, " frag %s%s%hu@%hu",
|
||||
ip->ip_off & IP_MF ? "+" : "",
|
||||
ip->ip_off & IP_DF ? "-" : "",
|
||||
ip->ip_len - hl, (ip->ip_off & 0x1fff) << 3);
|
||||
ip->ip_len - hl,
|
||||
(ip->ip_off & IP_OFFMASK) << 3);
|
||||
}
|
||||
t += strlen(t);
|
||||
|
||||
@ -617,6 +726,11 @@ int blen;
|
||||
t += strlen(t);
|
||||
}
|
||||
|
||||
if (ipf->fl_flags & FR_INQUE)
|
||||
strcpy(t, " IN");
|
||||
else if (ipf->fl_flags & FR_OUTQUE)
|
||||
strcpy(t, " OUT");
|
||||
t += strlen(t);
|
||||
*t++ = '\n';
|
||||
*t++ = '\0';
|
||||
if (opts & OPT_SYSLOG)
|
||||
@ -624,7 +738,7 @@ int blen;
|
||||
else
|
||||
(void) fprintf(log, "%s", line);
|
||||
if (opts & OPT_HEXHDR)
|
||||
dumphex(log, (u_char *)buf, sizeof(iplog_t));
|
||||
dumphex(log, (u_char *)buf, sizeof(iplog_t) + sizeof(*ipf));
|
||||
if (opts & OPT_HEXBODY)
|
||||
dumphex(log, (u_char *)ip, ipf->fl_plen + ipf->fl_hlen);
|
||||
}
|
||||
@ -638,6 +752,25 @@ char *prog;
|
||||
}
|
||||
|
||||
|
||||
static void write_pid(file)
|
||||
char *file;
|
||||
{
|
||||
FILE *fp = NULL;
|
||||
int fd;
|
||||
|
||||
if ((fd = open(file, O_CREAT|O_TRUNC|O_WRONLY, 0644)) >= 0)
|
||||
fp = fdopen(fd, "w");
|
||||
if (!fp) {
|
||||
close(fd);
|
||||
fprintf(stderr, "unable to open/create pid file: %s\n", file);
|
||||
return;
|
||||
}
|
||||
fprintf(fp, "%d", getpid());
|
||||
fclose(fp);
|
||||
close(fd);
|
||||
}
|
||||
|
||||
|
||||
static void flushlogs(file, log)
|
||||
char *file;
|
||||
FILE *log;
|
||||
@ -709,7 +842,7 @@ char *argv[];
|
||||
int fd[3], doread, n, i;
|
||||
int tr, nr, regular[3], c;
|
||||
int fdt[3], devices = 0, make_daemon = 0;
|
||||
char buf[512], *iplfile[3];
|
||||
char buf[512], *iplfile[3], *s;
|
||||
extern int optind;
|
||||
extern char *optarg;
|
||||
|
||||
@ -719,11 +852,14 @@ char *argv[];
|
||||
iplfile[1] = IPNAT_NAME;
|
||||
iplfile[2] = IPSTATE_NAME;
|
||||
|
||||
while ((c = getopt(argc, argv, "?aDf:FhI:nN:o:O:sS:tvxX")) != -1)
|
||||
while ((c = getopt(argc, argv, "?aDf:FhnN:o:O:pP:sS:tvxX")) != -1)
|
||||
switch (c)
|
||||
{
|
||||
case 'a' :
|
||||
opts |= OPT_ALL;
|
||||
opts |= OPT_LOGALL;
|
||||
fdt[0] = IPL_LOGIPF;
|
||||
fdt[1] = IPL_LOGNAT;
|
||||
fdt[2] = IPL_LOGSTATE;
|
||||
break;
|
||||
case 'D' :
|
||||
make_daemon = 1;
|
||||
@ -759,8 +895,17 @@ char *argv[];
|
||||
case 'p' :
|
||||
opts |= OPT_PORTNUM;
|
||||
break;
|
||||
case 'P' :
|
||||
pidfile = optarg;
|
||||
break;
|
||||
case 's' :
|
||||
openlog(argv[0], LOG_NDELAY|LOG_PID, LOGFAC);
|
||||
s = strrchr(argv[0], '/');
|
||||
if (s == NULL)
|
||||
s = argv[0];
|
||||
else
|
||||
s++;
|
||||
openlog(s, LOG_NDELAY|LOG_PID, LOGFAC);
|
||||
s = NULL;
|
||||
opts |= OPT_SYSLOG;
|
||||
break;
|
||||
case 'S' :
|
||||
@ -786,6 +931,8 @@ char *argv[];
|
||||
usage(argv[0]);
|
||||
}
|
||||
|
||||
init_tabs();
|
||||
|
||||
/*
|
||||
* Default action is to only open the filter log file.
|
||||
*/
|
||||
@ -825,16 +972,19 @@ char *argv[];
|
||||
exit(-1);
|
||||
}
|
||||
setvbuf(log, NULL, _IONBF, 0);
|
||||
}
|
||||
} else
|
||||
log = NULL;
|
||||
|
||||
if (make_daemon && (log != stdout)) {
|
||||
if (make_daemon && ((log != stdout) || (opts & OPT_SYSLOG))) {
|
||||
if (fork() > 0)
|
||||
exit(0);
|
||||
write_pid(pidfile);
|
||||
close(0);
|
||||
close(1);
|
||||
close(2);
|
||||
setsid();
|
||||
}
|
||||
} else
|
||||
write_pid(pidfile);
|
||||
|
||||
signal(SIGHUP, handlehup);
|
||||
|
||||
@ -859,7 +1009,7 @@ char *argv[];
|
||||
continue;
|
||||
nr += tr;
|
||||
|
||||
tr = read_log(fd[i], &n, buf, sizeof(buf), log);
|
||||
tr = read_log(fd[i], &n, buf, sizeof(buf));
|
||||
if (donehup) {
|
||||
donehup = 0;
|
||||
if (newlog) {
|
||||
|
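Review bot: handlehup() now calls init_tabs() right after `newlog = fp;`, which means malloc/free/strdup and getprotoent/getservent/getservbyport-style lookups run inside the SIGHUP signal handler; none of these are async-signal-safe, so a HUP that lands while the main loop is inside portname()/getproto() or any libc allocation can corrupt the heap or deadlock the daemon. The main loop already polls `donehup` after read_log(), so the rebuild belongs there: drop `init_tabs();` from handlehup() and do it under `if (donehup) { donehup = 0; init_tabs(); ...` (main()'s loop continues past the end of this section). In init_tabs(), `port = (u_int)s->s_port;` files each servent under its network-byte-order port while portname() looks up `tcp_ports[port]` after `port = ntohs(port);`, so on little-endian hosts the names never line up — it should read `port = ntohs(s->s_port);`. Also `free(protocols)`/`free(udp_ports)`/`free(tcp_ports)` release only the tables and not the strdup'd names, leaking them on every HUP, and portname() indexes `tcp_ports[port]`/`udp_ports[port]` without the NULL guard that getproto() applies to `protocols`, so a failed malloc in init_tabs() becomes a NULL dereference on the first logged TCP/UDP packet. A smaller point in write_pid(): `fclose(fp);` already closes the descriptor, so the following `close(fd);` is a double close and should be removed.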
@ -1,5 +1,6 @@
|
||||
/* $FreeBSD$ */
|
||||
/*
|
||||
* ipsend.c (C) 1995-1997 Darren Reed
|
||||
* ipsend.c (C) 1995-1998 Darren Reed
|
||||
*
|
||||
* This was written to test what size TCP fragments would get through
|
||||
* various TCP/IP packet filters, as used in IP firewalls. In certain
|
||||
@ -12,13 +13,14 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.0.2.19.2.1 1998/05/14 14:01:19 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.1.2.2 1999/11/28 03:43:44 darrenr Exp $";
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <netdb.h>
|
||||
#include <string.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/socket.h>
|
||||
@ -32,7 +34,6 @@ static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.0.2.19.2.1 1998/05/14 14:01:1
|
||||
#ifndef linux
|
||||
#include <netinet/ip_var.h>
|
||||
#endif
|
||||
#include <netinet/ip_compat.h>
|
||||
#include "ipsend.h"
|
||||
#include "ipf.h"
|
||||
|
||||
@ -177,7 +178,8 @@ char **argv;
|
||||
struct in_addr gwip;
|
||||
tcphdr_t *tcp;
|
||||
ip_t *ip;
|
||||
char *name = argv[0], host[64], *gateway = NULL, *dev = NULL;
|
||||
char *name = argv[0], host[MAXHOSTNAMELEN + 1];
|
||||
char *gateway = NULL, *dev = NULL;
|
||||
char *src = NULL, *dst, *s;
|
||||
int mtu = 1500, olen = 0, c, nonl = 0;
|
||||
|
||||
|
@ -1,5 +1,6 @@
|
||||
/* $FreeBSD$ */
|
||||
/*
|
||||
* (C)opyright 1995-1997 Darren Reed. (from tcplog)
|
||||
* (C)opyright 1995-1998 Darren Reed. (from tcplog)
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
@ -23,7 +24,11 @@
|
||||
#include <sys/ioctl.h>
|
||||
#if BSD < 199103
|
||||
#include <sys/fcntlcom.h>
|
||||
#include <sys/dir.h>
|
||||
#endif
|
||||
#if (__FreeBSD_version >= 300000)
|
||||
# include <sys/dirent.h>
|
||||
#else
|
||||
# include <sys/dir.h>
|
||||
#endif
|
||||
#include <net/bpf.h>
|
||||
|
||||
@ -39,7 +44,7 @@
|
||||
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)sbpf.c 1.3 8/25/95 (C)1995 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.0.2.7 1997/10/23 11:42:47 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.1 1999/08/04 17:31:13 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
/*
|
||||
|
@ -1,5 +1,6 @@
|
||||
/* $FreeBSD$ */
|
||||
/*
|
||||
* sock.c (C) 1995-1997 Darren Reed
|
||||
* sock.c (C) 1995-1998 Darren Reed
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
@ -7,7 +8,7 @@
|
||||
*/
|
||||
#if !defined(lint)
|
||||
static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
|
||||
static const char rcsid[] = "@(#)$Id: sock.c,v 2.0.2.9.2.1 1997/11/28 03:36:01 darrenr Exp $";
|
||||
static const char rcsid[] = "@(#)$Id: sock.c,v 2.1 1999/08/04 17:31:16 darrenr Exp $";
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
@ -22,8 +23,10 @@ static const char rcsid[] = "@(#)$Id: sock.c,v 2.0.2.9.2.1 1997/11/28 03:36:01 d
|
||||
#ifndef ultrix
|
||||
#include <fcntl.h>
|
||||
#endif
|
||||
#ifndef __FreeBSD__
|
||||
#include <sys/dir.h>
|
||||
#if (__FreeBSD_version >= 300000)
|
||||
# include <sys/dirent.h>
|
||||
#else
|
||||
# include <sys/dir.h>
|
||||
#endif
|
||||
#define _KERNEL
|
||||
#define KERNEL
|
||||
|
@ -1,3 +1,4 @@
|
||||
.\" $FreeBSD$
|
||||
.TH IPF 4
|
||||
.SH NAME
|
||||
ipf \- packet filtering kernel interface
|
||||
@ -25,7 +26,19 @@ However, the full complement is as follows:
|
||||
ioctl(fd, SIOCRMIFR, struct frentry *)
|
||||
ioctl(fd, SIOCINAFR, struct frentry *)
|
||||
ioctl(fd, SIOCINIFR, struct frentry *)
|
||||
ioctl(fd, SIOCSETFF, u_int *)
|
||||
ioctl(fd, SIOGGETFF, u_int *)
|
||||
ioctl(fd, SIOCGETFS, struct friostat *)
|
||||
ioctl(fd, SIOCIPFFL, int *)
|
||||
ioctl(fd, SIOCIPFFB, int *)
|
||||
ioctl(fd, SIOCSWAPA, u_int *)
|
||||
ioctl(fd, SIOCFRENB, u_int *)
|
||||
ioctl(fd, SIOCFRSYN, u_int *)
|
||||
ioctl(fd, SIOCFRZST, struct friostat *)
|
||||
ioctl(fd, SIOCZRLST, struct frentry *)
|
||||
ioctl(fd, SIOCAUTHW, struct fr_info *)
|
||||
ioctl(fd, SIOCAUTHR, struct fr_info *)
|
||||
ioctl(fd, SIOCATHST, struct fr_authstat *)
|
||||
.fi
|
||||
.PP
|
||||
The variations, SIOCADAFR vs. SIOCADIFR, allow operation on the two lists,
|
||||
@ -44,21 +57,24 @@ which it is inserted is stored in the "fr_hits" field, below.
|
||||
typedef struct frentry {
|
||||
struct frentry *fr_next;
|
||||
u_short fr_group; /* group to which this rule belongs */
|
||||
u_short fr_head; /* group # which this rule starts */
|
||||
u_short fr_grhead; /* group # which this rule starts */
|
||||
struct frentry *fr_grp;
|
||||
int fr_ref; /* reference count - for grouping */
|
||||
struct ifnet *fr_ifa;
|
||||
void *fr_ifa;
|
||||
#if BSD >= 199306
|
||||
void *fr_oifa;
|
||||
#endif
|
||||
/*
|
||||
* These are only incremented when a packet matches this rule and
|
||||
* it is the last match
|
||||
*/
|
||||
U_QUAD_T fr_hits;
|
||||
U_QUAD_T fr_bytes;
|
||||
U_QUAD_T fr_hits;
|
||||
U_QUAD_T fr_bytes;
|
||||
/*
|
||||
* Fields after this may not change whilst in the kernel.
|
||||
*/
|
||||
struct fr_ip fr_ip;
|
||||
struct fr_ip fr_mip;
|
||||
struct fr_ip fr_mip; /* mask structure */
|
||||
|
||||
u_char fr_tcpfm; /* tcp flags mask */
|
||||
u_char fr_tcpf; /* tcp flags */
|
||||
@ -67,16 +83,20 @@ typedef struct frentry {
|
||||
u_short fr_icmp;
|
||||
|
||||
u_char fr_scmp; /* data for port comparisons */
|
||||
u_char fr_dcmp;
|
||||
u_char fr_dcmp;
|
||||
u_short fr_dport;
|
||||
u_short fr_sport;
|
||||
u_short fr_stop; /* top port for <> and >< */
|
||||
u_short fr_stop; /* top port for <> and >< */
|
||||
u_short fr_dtop; /* top port for <> and >< */
|
||||
u_long fr_flags; /* per-rule flags && options (see below) */
|
||||
int fr_skip; /* # of rules to skip */
|
||||
int (*fr_func)(); /* call this function */
|
||||
u_32_t fr_flags; /* per-rule flags && options (see below) */
|
||||
u_short fr_skip; /* # of rules to skip */
|
||||
u_short fr_loglevel; /* syslog log facility + priority */
|
||||
int (*fr_func) __P((int, ip_t *, fr_info_t *));
|
||||
char fr_icode; /* return ICMP code */
|
||||
char fr_ifname[IFNAMSIZ];
|
||||
#if BSD > 199306
|
||||
char fr_oifname[IFNAMSIZ];
|
||||
#endif
|
||||
struct frdest fr_tif; /* "to" interface */
|
||||
struct frdest fr_dif; /* duplicate packet interfaces */
|
||||
} frentry_t;
|
||||
@ -96,12 +116,13 @@ Flags which are recognised in fr_pass:
|
||||
FR_OUTQUE 0x000004 /* outgoing packets */
|
||||
FR_INQUE 0x000008 /* ingoing packets */
|
||||
FR_LOG 0x000010 /* Log */
|
||||
FR_LOGP 0x000011 /* Log-pass */
|
||||
FR_LOGB 0x000012 /* Log-fail */
|
||||
FR_LOGB 0x000011 /* Log-fail */
|
||||
FR_LOGP 0x000012 /* Log-pass */
|
||||
FR_LOGBODY 0x000020 /* log the body of packets too */
|
||||
FR_LOGFIRST 0x000040 /* log only the first packet to match */
|
||||
FR_RETRST 0x000080 /* return a TCP RST packet if blocked */
|
||||
FR__RETICMP 0x000100 /* return an ICMP packet if blocked */
|
||||
FR_RETICMP 0x000100 /* return an ICMP packet if blocked */
|
||||
FR_FAKEICMP 0x00180 /* Return ICMP unreachable with fake source */
|
||||
FR_NOMATCH 0x000200 /* no match occured */
|
||||
FR_ACCOUNT 0x000400 /* count packet bytes */
|
||||
FR_KEEPFRAG 0x000800 /* keep fragment information */
|
||||
@ -137,9 +158,11 @@ comparisons) :
|
||||
The third ioctl, SIOCIPFFL, flushes either the input filter list, the
|
||||
output filter list or both and it returns the number of filters removed
|
||||
from the list(s). The values which it will take and recognise are FR_INQUE
|
||||
and FR_OUTQUE (see above).
|
||||
and FR_OUTQUE (see above). This ioctl is also implemented for
|
||||
\fB/dev/ipstate\fP and will flush all state tables entries if passed 0
|
||||
or just all those which are not established if passed 1.
|
||||
|
||||
\fBGeneral Logging Flags\fP
|
||||
.IP "\fBGeneral Logging Flags\fP" 0
|
||||
There are two flags which can be set to log packets independently of the
|
||||
rules used. These allow for packets which are either passed or blocked
|
||||
to be logged. To set (and clear)/get these flags, two ioctls are
|
||||
@ -157,8 +180,7 @@ those provided (clearing/setting all in one).
|
||||
.IP SIOCGETFF 16
|
||||
Takes a pointer to an unsigned integer as the parameter. A copy of the
|
||||
flags currently in used is copied to user space.
|
||||
.LP
|
||||
\fBFilter statistics\fP
|
||||
.IP "\fBFilter statistics\fP" 0
|
||||
Statistics on the various operations performed by this package on packets
|
||||
is kept inside the kernel. These statistics apply to packets traversing
|
||||
through the kernel. To retrieve this structure, use this ioctl:
|
||||
@ -173,7 +195,12 @@ struct friostat {
|
||||
struct frentry *f_acctin[2];
|
||||
struct frentry *f_acctout[2];
|
||||
struct frentry *f_auth;
|
||||
int f_active;
|
||||
u_long f_froute[2];
|
||||
int f_active; /* 1 or 0 - active rule set */
|
||||
int f_defpass; /* default pass - from fr_pass */
|
||||
int f_running; /* 1 if running, else 0 */
|
||||
int f_logging; /* 1 if enabled, else 0 */
|
||||
char f_version[32]; /* version string */
|
||||
};
|
||||
|
||||
struct filterstats {
|
||||
@ -195,12 +222,28 @@ struct filterstats {
|
||||
u_long fr_chit; /* cached hit */
|
||||
u_long fr_pull[2]; /* good and bad pullup attempts */
|
||||
#if SOLARIS
|
||||
u_long fr_notdata; /* PROTO/PCPROTO that have no data */
|
||||
u_long fr_nodata; /* mblks that have no data */
|
||||
u_long fr_bad; /* bad IP packets to the filter */
|
||||
u_long fr_notip; /* packets passed through no on ip queue */
|
||||
u_long fr_drop; /* packets dropped - no info for them! */
|
||||
#endif
|
||||
};
|
||||
.fi
|
||||
If we wanted to retrieve all the statistics and reset the counters back to
|
||||
0, then the ioctl() call would be made to SIOCFRZST rather than SIOCGETFS.
|
||||
In addition to the statistics above, each rule keeps a hit count, counting
|
||||
both number of packets and bytes. To reset these counters for a rule,
|
||||
load the various rule information into a frentry structure and call
|
||||
SIOCZRLST.
|
||||
.IP "Swapping Active lists" 0
|
||||
IP Filter supports two lists of rules for filtering and accounting: an
|
||||
active list and an inactive list. This allows for large scale rule base
|
||||
changes to be put in place atomically with otherwise minimal interruption.
|
||||
Which of the two is active can be changed using the SIOCSWAPA ioctl. It
|
||||
is important to note that no passed argument is recognised and that the
|
||||
value returned is that of the list which is now inactive.
|
||||
.br
|
||||
.SH FILES
|
||||
/dev/ipauth
|
||||
.br
|
||||
|
@ -1,3 +1,4 @@
|
||||
.\" $FreeBSD$
|
||||
.TH IPF 5
|
||||
.SH NAME
|
||||
ipf, ipf.conf \- IP packet filter rule syntax
|
||||
@ -31,17 +32,18 @@ proto = "proto" protocol .
|
||||
ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
|
||||
group = [ "head" decnumber ] [ "group" decnumber ] .
|
||||
|
||||
block = "block" [ "return-icmp"[return-code] | "return-rst" ] .
|
||||
block = "block" [ icmp[return-code] | "return-rst" ] .
|
||||
auth = "auth" | "preauth" .
|
||||
log = "log" [ "body" ] [ "first" ] [ "or-block" ] .
|
||||
log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
|
||||
call = "call" [ "now" ] function-name .
|
||||
skip = "skip" decnumber .
|
||||
dup = "dup-to" interface-name[":"ipaddr] .
|
||||
froute = "fastroute" | "to" interface-name .
|
||||
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
|
||||
srcdst = "all" | fromto .
|
||||
fromto = "from" object "to" object .
|
||||
fromto = "from" [ "!" ] object "to" [ "!" ] object .
|
||||
|
||||
icmp = "return-icmp" | "return-icmp-as-dest" .
|
||||
object = addr [ port-comp | port-range ] .
|
||||
addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
|
||||
port-comp = "port" compare port-num .
|
||||
@ -51,6 +53,7 @@ with = "with" | "and" .
|
||||
icmp = "icmp-type" icmp-type [ "code" decnumber ] .
|
||||
return-code = "("icmp-code")" .
|
||||
keep = "keep" "state" | "keep" "frags" .
|
||||
loglevel = facility"."priority | priority .
|
||||
|
||||
nummask = host-name [ "/" decnumber ] .
|
||||
host-name = ipaddr | hostname | "any" .
|
||||
@ -70,10 +73,17 @@ icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
|
||||
"inforep" | "maskreq" | "maskrep" | decnumber .
|
||||
icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
|
||||
"needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
|
||||
"net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
|
||||
"net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
|
||||
"filter-prohib" | "host-preced" | "cutoff-preced" .
|
||||
optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
|
||||
"tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" |
|
||||
"addext" | "visa" | "imitd" | "eip" | "finn" .
|
||||
facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" |
|
||||
"lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" |
|
||||
"audit" | "logalert" | "local0" | "local1" | "local2" |
|
||||
"local3" | "local4" | "local5" | "local6" | "local7" .
|
||||
priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
|
||||
"info" | "debug" .
|
||||
|
||||
hexnumber = "0" "x" hexstring .
|
||||
hexstring = hexdigit [ hexstring ] .
|
||||
@ -118,11 +128,23 @@ actions are recognised:
|
||||
.B block
|
||||
indicates that the packet should be flagged to be dropped. In response
|
||||
to blocking a packet, the filter may be instructed to send a reply
|
||||
packet, either an ICMP packet (\fBreturn-icmp\fP) or a TCP "reset"
|
||||
(\fBreturn-rst\fP). An ICMP packet may be generated in response to
|
||||
any IP packet, and its type may optionally be specified, but a TCP
|
||||
reset may only be used with a rule which is being applied to TCP
|
||||
packets.
|
||||
packet, either an ICMP packet (\fBreturn-icmp\fP), an ICMP packet
|
||||
masquerading as being from the original packet's destination
|
||||
(\fBreturn-icmp-as-dest\fP), or a TCP "reset" (\fBreturn-rst\fP). An
|
||||
ICMP packet may be generated in response to any IP packet, and its
|
||||
type may optionally be specified, but a TCP reset may only be used
|
||||
with a rule which is being applied to TCP packets. When using
|
||||
\fBreturn-icmp\fP or \fBreturn-icmp-as-dest\fP, it is possible to specify
|
||||
the actual unreachable `type'. That is, whether it is a network
|
||||
unreachable, port unreachable or even administratively
|
||||
prohibitied. This is done by enclosing the ICMP code associated with
|
||||
it in parenthesis directly following \fBreturn-icmp\fP or
|
||||
\fBreturn-icmp-as-dest\fP as follows:
|
||||
.nf
|
||||
block return-icmp(11) ...
|
||||
.fi
|
||||
.PP
|
||||
Would return a Type-Of-Service (TOS) ICMP unreachable error.
|
||||
.TP
|
||||
.B pass
|
||||
will flag the packet to be let through the filter.
|
||||
@ -145,10 +167,27 @@ feature is for use by knowledgeable hackers, and is not currently
|
||||
documented.
|
||||
.TP
|
||||
.B "skip <n>"
|
||||
causes the filter to skip over the next \fIn\fP filter rules. If a rule is
|
||||
inserted or deleted inside the region being skipped over, then the value of
|
||||
\fIn\fP is adjusted appropriately.
|
||||
.TP
|
||||
.B auth
|
||||
this allows authentication to be performed by a user-space program running
|
||||
and waiting for packet information to validate. The packet is held for a
|
||||
period of time in an internal buffer whilst it waits for the program to return
|
||||
to the kernel the \fIreal\fP flags for whether it should be allowed through
|
||||
or not. Such a program might look at the source address and request some sort
|
||||
of authentication from the user (such as a password) before allowing the
|
||||
packet through or telling the kernel to drop it if from an unrecognised source.
|
||||
.TP
|
||||
.B preauth
|
||||
tells the filter that for packets of this class, it should look in the
|
||||
pre-authenticated list for further clarification. If no further matching
|
||||
rule is found, the packet will be dropped (the FR_PREAUTH is not the same
|
||||
as FR_PASS). If a further matching rule is found, the result from that is
|
||||
used in its instead. This might be used in a situation where a person
|
||||
\fIlogs in\fP to the firewall and it sets up some temporary rules defining
|
||||
the access for that person.
|
||||
.PP
|
||||
The next word must be either \fBin\fP or \fBout\fP. Each packet
|
||||
moving through the kernel is either inbound (just been received on an
|
||||
@ -195,7 +234,10 @@ which the specified source address would be expected, others may be
|
||||
logged and/or dropped.
|
||||
.TP
|
||||
.B dup-to
|
||||
causes the packet to be copied, and the duplicate packet to be sent outbound on the specified interface, optionally with the destination IP address changed to that specified. This is useful for off-host logging, using a network sniffer.
|
||||
causes the packet to be copied, and the duplicate packet to be sent
|
||||
outbound on the specified interface, optionally with the destination
|
||||
IP address changed to that specified. This is useful for off-host
|
||||
logging, using a network sniffer.
|
||||
.TP
|
||||
.B to
|
||||
causes the packet to be moved to the outbound queue on the
|
||||
@ -394,10 +436,19 @@ indicates that the first 128 bytes of the packet contents will be
|
||||
logged after the headers.
|
||||
.TP
|
||||
.B first
|
||||
??
|
||||
If log is being used in conjunction with a "keep" option, it is recommended
|
||||
that this option is also applied so that only the triggering packet is logged
|
||||
and not every packet which thereafter matches state information.
|
||||
.TP
|
||||
.B or-block
|
||||
indicates that, if for some reason the filter is unable to log the packet (such as the log reader being too slow) then the rule should be interpreted as if the action was \fBblock\fP for this packet.
|
||||
indicates that, if for some reason the filter is unable to log the
|
||||
packet (such as the log reader being too slow) then the rule should be
|
||||
interpreted as if the action was \fBblock\fP for this packet.
|
||||
.TP
|
||||
.B "level <loglevel>"
|
||||
indicates what logging facility and priority, or just priority with
|
||||
the default facility being used, will be used to log information about
|
||||
this packet using ipmon's -s option.
|
||||
.PP
|
||||
See ipl(4) for the format of records written
|
||||
to this device. The ipmon(8) program can be used to read and format
|
||||
@ -419,7 +470,7 @@ The "fall-through" rule parsing allows for effects such as this:
|
||||
.nf
|
||||
block in from any to any port < 6000
|
||||
pass in from any to any port >= 6000
|
||||
block in from any to port > 6003
|
||||
block in from any to any port > 6003
|
||||
.fi
|
||||
.PP
|
||||
which sets up the range 6000-6003 as being permitted and all others being
|
||||
@ -441,14 +492,14 @@ rule such as:
|
||||
.fi
|
||||
.PP
|
||||
would be needed before the first block. To create a new group for
|
||||
processing all inbould packets on le0/le1/lo0, with the default being to block
|
||||
processing all inbound packets on le0/le1/lo0, with the default being to block
|
||||
all inbound packets, we would do something like:
|
||||
.LP
|
||||
.nf
|
||||
block in all
|
||||
block in on le0 quick all head 100
|
||||
block in on le1 quick all head 200
|
||||
block in on lo0 quick all head 300
|
||||
block in quick on le0 all head 100
|
||||
block in quick on le1 all head 200
|
||||
block in quick on lo0 all head 300
|
||||
.fi
|
||||
.PP
|
||||
|
||||
@ -487,4 +538,4 @@ qualifies all service/port names with the protocol specified.
|
||||
.br
|
||||
/etc/services
|
||||
.SH SEE ALSO
|
||||
ipftest(1), iptest(1), ipf(4), ipnat(5), ipf(8), ipfstat(8)
|
||||
ipftest(1), iptest(1), mkfilters(1), ipf(4), ipnat(5), ipf(8), ipfstat(8)
|
||||
|
@ -1,10 +1,11 @@
|
||||
.\" $FreeBSD$
|
||||
.TH IPF 8
|
||||
.SH NAME
|
||||
ipf \- alters packet filtering lists for IP packet input and output
|
||||
.SH SYNOPSIS
|
||||
.B ipf
|
||||
[
|
||||
.B \-AdDEInorsUvyzZ
|
||||
.B \-AdDEInoPrsUvVyzZ
|
||||
] [
|
||||
.B \-l
|
||||
<block|pass|nomatch>
|
||||
@ -81,6 +82,9 @@ calls or doing anything which would alter the currently running kernel.
|
||||
Force rules by default to be added/deleted to/from the output list, rather
|
||||
than the (default) input list.
|
||||
.TP
|
||||
.B \-P
|
||||
Add rules as temporary entries in the authentication rule table.
|
||||
.TP
|
||||
.B \-r
|
||||
Remove matching filter rules rather than add them to the internal lists
|
||||
.TP
|
||||
@ -94,6 +98,12 @@ recognised as IP packets. They will be printed out on the console.
|
||||
.B \-v
|
||||
Turn verbose mode on. Displays information relating to rule processing.
|
||||
.TP
|
||||
.B \-V
|
||||
Show version information. This will display the version information compiled
|
||||
into the ipf binary and retrieve it from the kernel code (if running/present).
|
||||
If it is present in the kernel, information about its current state will be
|
||||
displayed (whether logging is active, default filtering, etc).
|
||||
.TP
|
||||
.B \-y
|
||||
Manually resync the in-kernel interface list maintained by IP Filter with
|
||||
the current interface status list.
|
||||
@ -113,7 +123,7 @@ affect fragment or state statistics).
|
||||
.br
|
||||
/dev/ipstate
|
||||
.SH SEE ALSO
|
||||
ipftest(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8), ipnat(8)
|
||||
ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8), ipnat(8)
|
||||
.SH DIAGNOSTICS
|
||||
.PP
|
||||
Needs to be run as root for the packet filtering lists to actually
|
||||
|
@ -1,7 +1,11 @@
|
||||
.\" $FreeBSD$
|
||||
.TH IPFILTER 1
|
||||
.SH NAME
|
||||
IP FIlter
|
||||
.SH DESCRIPTION
|
||||
.PP
|
||||
IP Filter is a package providing packet filtering capabilities for a variety
|
||||
of operating systems. On a properly setup system, it can be used to build a
|
||||
firewall.
|
||||
.SH SEE ALSO
|
||||
ipf(8), ipf(1), ipf(5), ipnat(1), ipnat(5)
|
||||
ipf(8), ipf(1), ipf(5), ipnat(1), ipnat(5), mkfilters(1)
|
||||
|
@ -1,10 +1,11 @@
|
||||
.\" $FreeBSD$
|
||||
.TH ipfstat 8
|
||||
.SH NAME
|
||||
ipfstat \- reports on packet filter statistics and filter list
|
||||
.SH SYNOPSIS
|
||||
.B ipfstat
|
||||
[
|
||||
.B \-aAfhIinosv
|
||||
.B \-aAfghIinosv
|
||||
] [
|
||||
.B \-d
|
||||
<device>
|
||||
@ -34,6 +35,9 @@ Use a device other than \fB/dev/ipl\fP for interfacing with the kernel.
|
||||
Show fragment state information (statistics) and held state information (in
|
||||
the kernel) if any is present.
|
||||
.TP
|
||||
.B \-g
|
||||
Show groups currently configured (both active and inactive).
|
||||
.TP
|
||||
.B \-h
|
||||
Show per-rule the number of times each one scores a "hit". For use in
|
||||
combination with \fB\-i\fP.
|
||||
|
@ -1,3 +1,4 @@
|
||||
.\" $FreeBSD$
|
||||
.TH ipmon 8
|
||||
.SH NAME
|
||||
ipmon \- monitors /dev/ipl for logged packets
|
||||
@ -28,6 +29,46 @@ default or a filename, if given on the command line. Should the \fB\-s\fP
|
||||
option be used, output is instead sent to \fBsyslogd(8)\fP. Messages sent
|
||||
via syslog have the day, month and year removed from the message, but the
|
||||
time (including microseconds), as recorded in the log, is still included.
|
||||
.LP
|
||||
Messages generated by ipmon consist of whitespace separated fields.
|
||||
Fields common to all messages are:
|
||||
.LP
|
||||
1. The date of packet receipt. This is suppressed when the message is
|
||||
sent to syslog.
|
||||
.LP
|
||||
2. The time of packet receipt. This is in the form HH:MM:SS.F, for hours,
|
||||
minutes seconds, and fractions of a second (which can be several digits
|
||||
long).
|
||||
.LP
|
||||
3. The name of the interface the packet was processed on, e.g., \fBwe1\fP.
|
||||
.LP
|
||||
4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be
|
||||
viewed with \fBipfstat -n\fP.
|
||||
.LP
|
||||
5. The action: \fBp\fP for passed or \fBb\fP for blocked.
|
||||
.LP
|
||||
6. The addresses.
|
||||
This is actually three fields: the source address and port
|
||||
(separted by a comma), the \fB->\fP symbol, and the destination address
|
||||
and port. E.g.: \fB209.53.17.22,80 -> 198.73.220.17,1722\fP.
|
||||
.LP
|
||||
7. \fBPR\fP followed by the protocol name or number, e.g., \fBPR tcp\fP.
|
||||
.LP
|
||||
8. \fBlen\fP followed by the header length and total length of the packet,
|
||||
e.g., \fBlen 20 40\fP.
|
||||
.LP
|
||||
If the packet is a TCP packet, there will be an additional field starting
|
||||
with a hyphen followed by letters corresponding to any flags that were set.
|
||||
See the ipf.conf manual page for a list of letters and their flags.
|
||||
.LP
|
||||
If the packet is an ICMP packet, there will be two fields at the end,
|
||||
the first always being `icmp', and the next being the ICMP message and
|
||||
submessage type, separated by a slash, e.g., \fBicmp 3/3\fP for a port
|
||||
unreachable message.
|
||||
.LP
|
||||
In order for \fBipmon\fP to properly work, the kernel option
|
||||
\fBIPFILTER_LOG\fP must be turned on in your kernel. Please see
|
||||
\fBoptions(4)\fP for more details.
|
||||
.SH OPTIONS
|
||||
.TP
|
||||
.B \-a
|
||||
@ -61,7 +102,12 @@ as for \fB-o\fP.
|
||||
.TP
|
||||
.B \-s
|
||||
Packet information read in will be sent through syslogd rather than
|
||||
saved to a file. The following levels are used:
|
||||
saved to a file. The default facility when compiled and installed is
|
||||
\fBlocal0\fP. The following levels are used:
|
||||
.TP
|
||||
.B "\-S <device>"
|
||||
Set the logfile to be opened for reading state log records from to <device>.
|
||||
.TP
|
||||
.IP
|
||||
.B LOG_INFO
|
||||
\- packets logged using the "log" keyword as the action rather
|
||||
@ -77,12 +123,12 @@ than pass or block.
|
||||
\- packets which have been logged and which can be considered
|
||||
"short".
|
||||
.TP
|
||||
.B "\-S <device>"
|
||||
Set the logfile to be opened for reading state log records from to <device>.
|
||||
.TP
|
||||
.B \-t
|
||||
read the input file/device in a manner akin to tail(1).
|
||||
.TP
|
||||
.B \-v
|
||||
show tcp window, ack and sequence fields.
|
||||
.TP
|
||||
.B \-x
|
||||
show the packet data in hex.
|
||||
.TP
|
||||
|
@ -1,3 +1,4 @@
|
||||
.\" $FreeBSD$
|
||||
.TH IPNAT 4
|
||||
.SH NAME
|
||||
ipnat \- Network Address Translation kernel interface
|
||||
@ -65,7 +66,7 @@ Recognised values for in_redir:
|
||||
.PP
|
||||
.LP
|
||||
\fBNAT statistics\fP
|
||||
Statistics on the the number of packets mapped, going in and out are kept,
|
||||
Statistics on the number of packets mapped, going in and out are kept,
|
||||
the number of times a new entry is added and deleted (through expiration) to
|
||||
the NAT table and the current usage level of the NAT table.
|
||||
.PP
|
||||
|