NAME
ipfilterd - IP packet filtering daemon

SYNOPSIS
/usr/etc/ipfilterd [ -d ]

OPTIONS
-d   Runs ipfilterd in debug mode, in which it displays each filter as it is created while the configuration file is read. This is useful when creating rule-sets.

-dd  Enables more verbose logging to /var/adm/SYSLOG of the packets being processed. Each entry includes an indication of whether the packet matched a filter or was dropped by default; an indication of whether the filter was one that specified an interface only or included protocol information; a time-stamp; and a running count of the number of times that kind of decision has happened. This helps to troubleshoot configuration problems, i.e. why packets are being accepted or denied.

DESCRIPTION
ipfilterd is a networking daemon that screens all inbound packets that use the Internet Protocol (IP). Packets are filtered based on their source or destination IP address, the network interface they arrived on, their IP protocol number, their source or destination TCP/UDP port number, or any combination of the above. Supported IP protocols include TCP, UDP, ICMP, and IGMP.

ipfilterd is started at system initialization from /etc/init.d/network if the configuration flag ipfilterd is set ``on'' with chkconfig(1M). When ipfilterd is started, it reads its configuration information from the file /etc/ipfilterd.conf and compiles the packet filters specified there, storing them in an array in the order in which they were specified. The inbound IP code passes packet information to the daemon, requesting verdicts based on the filter database. An inbound packet is compared with each filter in the array until a match is found; the verdict associated with that filter is then returned to IP, which processes the packet unless it has been dropped by the filtering code. If no match is found, the packet is dropped by default.

During filter initialization, ipfilterd reads /etc/ipfilterd.conf one line at a time.
Lines that begin with "#" are comments and are ignored. All other lines must begin with a keyword, followed by either a macro or a filter. Blank lines, or lines beginning with tabs or spaces, generate an error and are discarded. The available keywords are:

     accept    accept all packets matching this filter
     grab      grab all packets matching this filter rather than forwarding them
     reject    silently discard all packets matching this filter
     define    define a new macro

IP addresses may be specified in hexadecimal, in Internet dot format (see inet(3N)), or by the fully qualified hostname or its nickname:

     0xC000022C
     192.0.2.44
     bambi.test.com
     bambi

The -i option can be appended after accept, reject or grab to filter packets arriving on a particular interface.

The last accept or reject statement should either allow or deny all remaining packets which did not match the previous statements. It is more secure to have the last filter default to rejecting all remaining packets.

Protocols may be referenced either by their assigned protocol number or by their well-known name (TCP, UDP, ICMP, IGMP), as listed in /etc/protocols. Ports may likewise be referenced directly by number; port numbers assigned to specific Internet network or UNIX-specific services may also be referenced by the well-known names found in /etc/services (e.g., ftp, telnet, snmp, sunrpc, login, etc.).

To write rule-sets, keywords are available for specific protocol fields and options. The source or destination IP address is specified in the following format:

     For hosts:     src=x.x.x.x  or  dst=x.x.x.x
     For networks:  (src&0xffffff00)=x.x.x.0  or  (dst&0xffffff00)=x.x.x.0

The netmask can be changed to accommodate different network sizes. Specific TCP source or destination port numbers are referenced with tcp.sport or tcp.dport respectively.
A specific TCP flag can be matched with the keyword tcp.flags. The possible flags are FIN, SYN, RST, PUSH, ACK and URG. By testing the SYN flag in a rule-set, new TCP connections can be denied while packets belonging to existing TCP connections are still accepted.

The ICMP type can be controlled with icmp.type, where the possible values are ECHO, ECHOREPLY, UNREACHABLE, SOURCEQUENCH, REDIRECT, ROUTEADVERT, ROUTERSOLICIT, TIMXCEED, PARAMPROB, TSTAMP, TSTAMPREPLY, IREQ, IREQREPLY, MASKREQ and MASKREPLY. This gives finer control over which ICMP packets are filtered; one could deny ICMP echo requests while still permitting other ICMP types.

To combine or negate expressions, the keywords and, or and not can be used. The between keyword identifies traffic between two hosts or networks.

ipfilterd supports up to 1000 discrete filters. There is no limit on the number of macros that can be defined.

IP maintains a kernel cache of recent ipfilterd filtering verdicts, arranged in a most-recently-used linked list. The size of this cache is configurable, as is the search depth into the cache before a filter match causes the matched entry to be moved to the head of the cache (MRU reordering). With the 5.0 release of IRIX, cache entries are aged and deleted when idle for a configurable interval (default 60 seconds). Use of the cache decreases the number of times that IP must poll the daemon, reducing the system overhead associated with context switching out of the kernel. Although a larger cache minimizes context switches, its size adds a longer search path to the IP kernel code before a decision to consult the daemon can be made. The optimum cache size will vary with system usage: for example, an external gateway has more filtering responsibility and sees many more IP address/protocol/port combinations than a workstation on a LAN, and hence requires a larger cache.
The number of verdicts cached in the kernel is defined by the constant NUMIPKFLT in the IP filtering configuration file /var/sysgen/master.d/ipfilter. To change the size, edit this file as the superuser, then use autoconfig(1M) to generate a new kernel and reboot. The effects of kernel cache size can be observed empirically by monitoring network performance and by explicitly observing how often, and to what effect, the daemon is being consulted.

FILES
/var/adm/SYSLOG
     The general syslogd(1M) data file. It contains all events and data logged by ipfilterd.

/etc/ipfilterd.conf
     Contains macro and filter definitions.

/dev/ipfilter
     Used by ipfilterd to communicate with the kernel. Create it by invoking the /dev/MAKEDEV script if ipfilterd complains that it cannot open its device file.

/var/sysgen/master.d/ipfilter
     Used when generating a kernel to specify the size of the kernel cache of recent filtering verdicts, the cache search depth that must be exceeded before any MRU reordering of the cache is performed, and the treatment of inbound IP packets when the filtering daemon has died or been killed.

     The constant NUMIPKFLT defines the size of the kernel cache of recent filtering verdicts. It should be tuned based on system load.

     The filtercache_search_depth variable minimizes the thrashing of the cache that would occur if every filter hit were moved to the head of the cache. It defaults to 4, which permits two simultaneous file transfers to occur without MRU reordering. This value should be tuned based on the expected system workload.

EXAMPLES
Examples of the use of define to create macros:

A filter for all possible traffic between two machines, each of which is multi-homed:

     define ip.betwixt between($1,$3) || between($1,$4) || between($2,$3) || between($2,$4)
A macro to specify as the source any host not on a given Class C network (or on a Class B network with 8-bit subnet masks). When masking against an IP address in a macro, hex must be used; however, the IP (sub)network number given in the filter may be in either hex or dot format. Parentheses establish binding and precedence:

     define ip.notnetCsrc not((src & 0xffffff00) = $1)

Simple filter examples:

To accept all IP traffic between two single-homed hosts:

     accept between speaker squaw

To reject all IP traffic over one network interface between two hosts:

     reject -i ec0 between speaker dizzy

To reject Sun RPC traffic between two hosts:

     reject between teton 192.99.99.99 and udp.port sunrpc

To grab all packets from one host over a given network interface:

     grab -i ec0 src=boston

An example using the macro ip.betwixt:

     reject ip.betwixt foo1 foo2 boo1 boo2 and tcp.port login

To reject all FTP connections that do not originate from a given Class B net:

     reject ip.notnetBsrc 192.26.00.00 and tcp.dport ftp

The following rule-set is provided as a simple example to minimize exposure on an IRIX host with one network interface:

     #
     # Accept packets with a loopback source address only if they come over
     # the loopback interface.
     accept -i localhost src=127.0.0.1
     reject src=127.0.0.1
     #
     # Accept all packets originating from this trusted network
     accept (src&0xFFFFFF00)=123.45.67.0
     #
     # Reject spoofed packets from private address space which should not be used
     # on the Internet.
     reject (src&0xFF000000)=10.0.0.0
     reject (src&0xFFFF0000)=192.168.0.0
     reject (src&0xFFFF0000)=172.16.0.0
     # (RFC 1918 reserves all of 172.16.0.0/12; a mask of 0xFFF00000 covers the whole range.)
     #
     # Explicit deny of NFS traffic
     reject udp.dport=2049
     reject udp.sport=2049
     #
     # Allow RIP broadcasts if running gated/routed
     accept udp.dport=520
     #
     # Allow DNS replies from the name servers listed in /etc/resolv.conf
     accept udp.sport=53 and ip.src=192.26.210.1
     accept udp.sport=53 and ip.src=205.151.69.200
     #
     # Allow only connections to sendmail, httpd, ftpd and telnetd.
     # Other services defined in /etc/services can be added here
     accept tcp.dport=smtp
     accept tcp.dport=ftp
     accept tcp.dport=ftp-data
     accept tcp.dport=telnet
     accept tcp.dport=http
     #
     # Allow existing outgoing tcp connections. This will deny all new tcp
     # connections to other tcp ports not defined in the above section.
     accept tcp and not(tcp.flags == SYN)
     #
     # Deny ICMP time-stamp requests
     reject icmp.type==TSTAMP
     #
     # Accept all other types of ICMP packets
     accept icmp
     #
     # Explicitly deny everything else (this is the default behavior)
     reject (src&0)=0

NOTES
IP filtering may be initiated or disabled only by the superuser.

When killed, the filtering daemon zeros out the kernel cache of filtering verdicts. It may also disable all IP forwarding and receipt of any inbound IP traffic except that from the local host (see the discussion of the ipfilterd_inactive_behavior variable below).

The SIGHUP signal can be sent to ipfilterd to make it reload its configuration file.

ipfilterd is normally executed from /etc/init.d/network, which starts the daemon and initializes the configured filters. Only one instance of ipfilterd may be active at any time; attempts to start a second daemon fail silently.

If a syntax error is found when reading ipfilterd.conf, ipfilterd exits abnormally and writes the error messages to stderr.

The default behavior is to deny all traffic when the daemon is not running. This can be changed by setting the systune variable ipfilterd_inactive_behavior to 0.

Macros must be defined before they are referenced in filters in /etc/ipfilterd.conf. Each macro definition must be on one line and have a maximum of 255 characters.

The daemon's array of filters is generated in the order specified in /etc/ipfilterd.conf. The filtering daemon examines filters from the top of the array each time. As soon as it detects a match, it returns the associated verdict.
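The following toy evaluator is an added example and is not part of this manual page or of SGI's ipfilterd; it handles only the subset of ipfilterd.conf syntax used in the single-interface rule-set above and applies it, top-down with first-match-wins and default reject, to constructed packets. The `tcp.present` rewrite, the -1 sentinel for absent layers, the service and ICMP/flag tables, and the reading of `tcp.flags == SYN` as a comparison of the whole flags field are the example's own assumptions.

```python
# Toy first-match evaluator for the ipfilterd.conf subset used in the page's
# single-interface rule-set (constructed example, not SGI's ipfilterd code).
import re
from types import SimpleNamespace as NS
SERVICES = {"smtp": 25, "ftp-data": 20, "ftp": 21}     # /etc/services subset, longer names first
NAMES = {"SYN": 2, "ACK": 16, "TSTAMP": 13, "ECHO": 8}  # assumed tcp.flags / icmp.type values
RULE = re.compile(r"^(accept|reject|grab)(?:\s+-i\s+(\S+))?\s+(.+)$")
CONF = """accept -i localhost src=127.0.0.1
reject src=127.0.0.1
accept (src&0xFFFFFF00)=123.45.67.0
accept tcp.dport=smtp
accept tcp and not(tcp.flags == SYN)
reject icmp.type==TSTAMP
accept icmp
reject (src&0)=0
"""

def ip2int(dotted):
    return int.from_bytes(bytes(int(x) for x in dotted.split(".")), "big")

def to_python(expr):  # rewrite one filter expression as a Python boolean expression
    expr = re.sub(r"(?<![\w.])(%s)\b" % "|".join(map(re.escape, SERVICES)),
                  lambda m: str(SERVICES[m[1]]), expr)                          # service names
    expr = re.sub(r"\b\d+\.\d+\.\d+\.\d+\b", lambda m: str(ip2int(m[0])), expr)  # dotted IPs
    expr = re.sub(r"\b(tcp|udp|icmp)\b(?!\.)", r"\1.present", expr)  # bare protocol name
    return re.sub(r"(?<![=!<>])=(?!=)", "==", expr)                  # lone '=' is equality

def parse_conf(text):  # (verdict, interface or None, expr) in file order; '#' lines skipped
    rules = []
    for line in filter(None, text.splitlines()):
        if line[0] != "#":
            m = RULE.match(line)
            if not m: raise ValueError("bad rule: " + line)
            rules.append((m[1], m[2], to_python(m[3])))
    return rules

def packet(iface, proto, src, sport=0, dport=0, flags=0, itype=0):  # constructed packet
    def lay(p):  # eval namespace entry for one layer; a layer the packet lacks never matches
        on = proto == p
        return NS(present=on, sport=sport if on else -1, dport=dport if on else -1,
                  flags=flags if on else -1, type=itype if on else -1)
    return {"_iface": iface, "src": ip2int(src), "ip": NS(src=ip2int(src)), "tcp": lay("tcp"),
            "udp": lay("udp"), "icmp": lay("icmp"), **NAMES}

def verdict(rules, pkt):  # top-down: first match wins, no match is rejected (the default)
    for action, iface, expr in rules:
        if iface in (None, pkt["_iface"]) and eval(expr, {"__builtins__": {}}, pkt):
            return action
    return "reject"
```

Swapping the order of the two loopback rules, or of the two ICMP rules, changes the verdicts, which is the ordering point made in NOTES.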
It is possible for more than one filter to match a given packet, for example when rejecting rlogin requests from a given net except from one particular host. In that case the more specific filter must appear first:

     accept ip.src bambi and tcp.dport login

followed by the general case:

     reject ip.netBsrc 199.0.2.0 and tcp.dport login

Several macros relating to (sub)networks rather than hosts are predefined in /etc/ipfilterd.conf.

By default, ipfilterd rejects all packets for which no accept entry is defined.

SEE ALSO
master(4)

FILES
/etc/ipfilterd.conf
/dev/ipfilter
/var/sysgen/master.d/ipfilter