X/OS - Linux IP firewall and accounting
---------------------------------------------------------------
Original of this document is at
http://www.xos.nl/linux/ipfwadm/
---------------------------------------------------------------
Ipfwadm is a utility to administer the IP accounting and IP firewall services offered by the Linux kernel.
The current stable versions of ipfwadm are version 1.2, requiring Linux version 1.2.1 or later,
and version 2.3.0, requiring Linux version 1.3.66 or later.
One of the previous beta-test versions of ipfwadm, version 2.0beta1, works for Linux versions 1.3.61 through 1.3.65.
Please Note:
The transparent proxy facility does not work properly in kernel versions
2.0.30 and most 2.1 versions up to at least 2.1.27, due to internal networking
code changes. A fix is being worked on.
Look at the accompanying manual page, ipfwadm(8), for a description of how to use this program.
The ipfw(4) manual page describes the kernel level interface of the IP accounting/firewall services.
A paper introducing the Linux IP firewall and accounting facilities and the use of ipfwadm, with some examples, is available now.
Note: this paper was written in April 1996 and presented at a UNIX conference in May 1996,
so it is still based on Linux 1.3.88 and ipfwadm 2.0.
A revision, updated for Linux 2.0.x and ipfwadm 2.3.0, is planned but not yet available.
Most, if not all, of the examples will still work with the current versions.
Some additions made after Linux 1.3.88, such as support for true transparent proxying, are not yet described in the paper.
The ipfwadm utility is meant to be a replacement for the existing ipfw(8)
utility, as found in the net-tools package. Ipfwadm was made to be
more complete and easier to use than ipfw.
Among the features offered by ipfwadm are:
- Changing default policies for all firewall categories.
- Automatically adding the necessary extra rules when the named hosts have more than one IP address.
- Support for specifying the interface address for the rules.
- Support for specifying the interface name for the rules.
- Listing and resetting packet/byte counters "atomically" for setting up a reliable accounting scheme.
- Listing the existing rules in a number of formats.
- Support for optional functions (bidirectional rules, TCP ACK, and TCP SYN matching).
- Support for redirection (used for transparent proxying).
- Support for masquerading in the forwarding firewall.
- A complete manual page. (Yes! Really!)
Note that some of the features are only available in the 2.3.0 version.
Also, some of the features in 2.3.0 are not available when ipfwadm is
compiled with kernels older than 1.99.7 (aka pre2.0.7).
Of course, you can find the source of ipfwadm in our FTP archive:
For users of Red Hat Linux or any derived system (like Caldera), there are ready-to-use RPM files available
for ipfwadm 1.2 (Red Hat Picasso with Linux 1.2.13) and ipfwadm 2.3.0 (Red Hat Picasso or Red Hat Rembrandt,
used in combination with Linux 2.0.x):
Copyright © 1995 by X/OS Experts in Open Systems BV. All rights reserved.