ipfilterd(1M) ipfilterd(1M)
NAME
ipfilterd - IP packet filtering daemon
SYNOPSIS
/usr/etc/ipfilterd [ -d ]
DESCRIPTION
ipfilterd is a networking daemon that screens all inbound packets that
use the Internet Protocol (IP). Packets are filtered based on their
source or destination IP address, the network interface they arrived on,
their IP protocol number, their source or destination TCP/UDP port
number, or any combination of the above. Supported IP protocols include
TCP, UDP, ICMP, and IGMP.
ipfilterd is started at system initialization from /etc/init.d/network if
the configuration flag ipfilterd is set ``on'' with chkconfig(1M). When
ipfilterd is started, it reads its configuration information from the
file /etc/ipfilterd.conf and compiles the packet filters specified there,
storing them in an array in the order in which they were specified.
Inbound IP code passes packet information to the daemon, requesting
verdicts based on the filter database. An inbound packet is compared
with each filter in the array until a match is found; the verdict
associated with that filter is then returned to IP, which will process
the packet unless it has been dropped by the filtering code. If no match
is found, the packet is dropped by default.
During filter initialization, ipfilterd reads /etc/ipfilterd.conf one
line at a time. Lines that begin with "#" are comments and are ignored.
All other lines begin with a keyword, followed by either a macro or a
filter. Macros and filters use netsnoop(1M) filter syntax; however, the
optional specification of a network interface must precede all protocol
filter information. All standard netsnoop(1M) macros relating to
ipfilterd's supported protocols can be used.
Currently supported keywords include
accept accept all packets matching this filter
grab grab all packets matching this filter rather than forwarding them
reject silently discard all packets matching this filter
define define a new macro
IP addresses may be specified in hexadecimal, in Internet dot format (see
inet(3N)), or by the fully qualified hostname or its nickname:
0xC000022C 192.0.2.44 bambi.test.com bambi
IP protocols may be referenced either by their assigned IP protocol
number or by their well-known name (TCP, UDP, ICMP, IGMP), as listed in
/etc/protocols. Ports may likewise be referenced directly by number;
port numbers assigned to specific Internet network or UNIX-specific
services may also be referenced by the well-known names found in
/etc/services (e.g., ftp, telnet, snmp, sunrpc, login, etc.).
Page 1
ipfilterd(1M) ipfilterd(1M)
Ipfilterd will support up to 1000 discrete filters. There is no limit on
the number of macros that can be defined.
IP maintains a kernel cache of recent ipfilterd filtering verdicts,
arranged in a most-recently-used linked list. The size of this cache is
configurable, as is the search depth into the cache before a filter match
causes the matched entry to be moved to the head of the cache (MRU
reordering). With the 5.0 release of IRIX, cache entries will be aged
and deleted when idle for a configurable interval (default 60 seconds).
Use of the cache decreases the number of times that IP must poll the
daemon, reducing system overhead associated with context switching out of
the kernel.
Although a larger cache minimizes context switches, its size adds a
longer search path overhead to the IP kernel code before a decision to
consult the daemon can be made. The optimum cache size will vary with
system usage-for example, an external gateway will have more filtering
responsibility and will see many more IP address/protocol/port
combinations than will a workstation on a LAN; hence it will require a
larger cache.
The number of verdicts cached in the kernel is defined by the constant
NUMIPKFLT in the IP filtering configuration file
/var/sysgen/master.d/ipfilter. To change the size, as the superuser,
edit this file and then use autoconfig(1M) to generate a new kernel and
reboot.
The effects of kernel cache size can be empirically observed by
monitoring network performance also by explicitly observing how often and
to what effect the daemon is being used. Executing ipfilterd with the -d
option provides that information. It turns on additional use of
syslogd(1M) to log data about each filter that is built and also about
each daemon-filtering request. This includes an indication of whether
the packet matched a filter or was dropped by default; an idication of
whether the filter was one that specified an interface only or included
protocol information; a timestamp; and a running count of the number of
times that kind of decision happened.
FILES
/var/adm/SYSLOG
is the general syslogd(1M) data file. It contains all events and
data logged by ipfilterd.
/etc/ipfilterd.conf
contains macro and filter definitions.
/dev/ipfilter
is used by ipfilterd to communicate with the kernel. You should
create it on your system by invoking the /dev/MAKEDEV script if
ipfilterd complains it cannot open its device file.
/var/sysgen/master.d/ipfilter
is used when generating a kernel to specify the size of the kernel
cache of recent filtering verdicts, the cache search depth that must
be exceeded before any MRU reordering of the cache is performed, and
Page 2
ipfilterd(1M) ipfilterd(1M)
the treatment of inbound IP packets when the filtering daemon has
died or been killed.
The constant NUMIPKFLT defines the size of the kernel cache of
recent filtering verdicts. This should be tuned based on system
load.
The filtercache_search_depth variable is used to minimize the
thrashing of the cache that would occur if every filter hit were
moved to the head of the cache. It is defaulted to 4, which permits
two simultaneous file transfers to occur withour MRU reordering.
This value should be tuned based on the expected system workload.
The ipfilterd_inactive_behavior varible specifies how inbound IP
packets will be treated when the daemon has died or been killed. A
value of 0 specifies that inbound IP processing should proceed as
though filtering were not configured. A value of 1 specifies that
all inbound IP packets (except those from the local host) will be
dropped. Use of this value ensures that routing will be disabled in
IP firewalls whose daemon is inactive, preventing security holes.
With the 5.0 release of IRIX, the ipfilter_ttl variable is used to
set a maximum lifetime for idle kernel cache entries. Entries idle
longer than that interval (default 60 seconds) are deleted.
EXAMPLES
Examples of use of "define" to create macros:
A filter for all possible traffic between two machines, each of which is
multi-homed:
define ip.betwixt between($1,$3) || between($1,$4) || between($2,$3)
|| between($2,$4)
(Note: This one-line example is shown on two lines because of formatting
constraints.)
A macro to specify any host not on a given Class C network (or on a Class
B network with 8-bit subnet masks) as the source. When masking against
an IP address in a macro, hex must be used. However, the IP (sub)network
number specified in the filter may be either in hex or dot format.
Parentheses are used to establish binding and precedence:
define ip.notnetCsrc not((src & 0xffffff00) = $1)
Filter examples:
To accept all IP traffic between two single-homed hosts:
accept between speaker squaw
To reject all IP traffic over one network interface between two hosts:
reject -i ec0 between speaker dizzy
To reject Sun RPC traffic between two hosts:
Page 3
ipfilterd(1M) ipfilterd(1M)
reject between teton 192.99.99.99 and udp.port sunrpc
To grab all packets from one host over a given network interface:
grab -i ec0 src=boston
An example of ip.betwixt:
reject ip.betwixt foo1 foo2 boo1 boo2 and tcp.port login
To reject all FTP connections that do not originate from a given Class B
net:
reject ip.notnetBsrc 192.26.00.00 and tcp.port ftp
NOTES
IP filtering may be initiated or disabled only by the superuser. The
command
/etc/killall ipfilterd
kills the filtering daemon and zeros out the kernel cache of filtering
verdicts. It may also disable all IP forwarding and receipt of any
inbound IP traffic except that from the local host (see the discussion of
the ipfilterd_inactive_behavior variable in the FILES section above).
The command
/usr/etc/ipfilterd
which is normally executed from /etc/init.d/network, starts up the daemon
and initializes the configured filters. Only one instance of ipfilterd
may be active at any time; attempts to start a second daemon will fail
benignly.
Macros must be defined before they are referenced in filters in
/etc/ipfilterd.conf. Each macro definition must be on one line and have
a maximum of 255 characters.
The daemon's array of filters is generated in the order specified in
/etc/ipfilterd.conf. The filtering daemon examines filters from the top
of the array each time. As soon as it detects a match, it returns the
associated verdict. It is possible to have more than one filter match a
given packet, such as wishing to reject rlogin requests from a given net
except one particular host. In that case, the particular filter should
appear first:
accept ip.src bambi and tcp.port login
followed by the general case:
reject ip.netBsrc 199.0.2.0 and tcp.port login
Several macros relating to (sub)networks rather than hosts are predefined
in /etc/ipfilterd.conf.
Page 4
ipfilterd(1M) ipfilterd(1M)
NOTES
By default rejects all packets for which no 'accept' entry is defined.
SEE ALSO
netsnoop(1M), master(4).
FILES
/etc/ipfilterd.conf /dev/ipfilter
Page 5