Linux Network Administrators Guide

9.6.3. Summary of ipfwadm Arguments

The ipfwadm command has many different arguments that relate to IP firewall configuration. The general syntax is:

ipfwadm category command parameters [options]

Let's take a look at each of these.

9.6.3.1. Categories
9.6.3.2. Commands
9.6.3.3. Parameters
9.6.3.4. Optional arguments
9.6.3.5. ICMP datagram types
Notes

9.6.3.1. Categories

One and only one of the following must be supplied. The category tells the firewall what sort of firewall rule you are configuring:

  • -I
    Input rule

  • -O
    Output rule

  • -F
    Forwarding rule

9.6.3.2. Commands

At least one of the following must be supplied and applies only to those rules that relate to the supplied category. The command tells the firewall what action to take.

  • -a [policy]
    Append a new rule

  • -i [policy]
    Insert a new rule

  • -d [policy]
    Delete an existing rule

  • -p policy
    Set the default policy

  • -l
    List all existing rules

  • -f
    Flush all existing rules

The policies relevant to IP firewall and their meanings are:

  • accept
    Allows matching datagrams to be received, forwarded, or transmitted

  • deny
    Blocks matching datagrams from being received, forwarded, or transmitted

  • reject
    Blocks matching datagrams from being received, forwarded, or transmitted, and sends the host that sent the datagram an ICMP error message

9.6.3.3. Parameters

At least one of the following must be supplied. Use the parameters to specify to which datagrams this rule applies:

  • -P protocol
    Can be TCP, UDP, ICMP, or all. Example:

    -P tcp

  • -S address[/mask] [port]
    Source IP address that this rule will match. A netmask of "/32" will be assumed if you don't supply one. You may optionally specify which ports this rule will apply to. You must also specify the protocol using the -P argument described above for this to work. If you don't specify a port or port range, "all" ports will be assumed to match. Ports may be specified by name, using their /etc/services entry if you wish. In the case of the ICMP protocol, the port field is used to indicate the ICMP datagram types. Port ranges may be described using the general syntax lowport:highport. Here is an example:

    -S 172.29.16.1/24 ftp:ftp-data

  • -D address[/mask] [port]
    Specify the destination IP address that this rule will match. The destination address is coded with the same rules as the source address described previously. Here is an example:

    -D 172.29.16.1/24 smtp

  • -V address
    Specify the address of the network interface on which the packet is received (-I) or is being sent (-O). This allows us to create rules that apply only to certain network interfaces on our machine. Here is an example:

    -V 172.29.16.1

  • -W name
    Specify the name of the network interface. This argument works in the same way as the -V argument, except you supply the device name instead of its address. Here is an example:

    -W ppp0
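
As an added illustration (not part of the guide), the following Python function lints a single ipfwadm command line against the constraints this section states: exactly one category, at least one command, a policy word where one is required, at least one parameter on a rule, and a port on -S/-D only when -P is also given. It assumes that -l, -f and -p act on the whole category and need no parameters, and it treats any other -x token as an optional argument from section 9.6.3.4 without checking it; the sample rule is constructed from the section's own examples.

```python
import shlex

CATEGORIES = {"-I", "-O", "-F"}
POLICY_CMDS = {"-a", "-i", "-d", "-p"}    # -a/-i/-d take an optional policy, -p a required one
COMMANDS = POLICY_CMDS | {"-l", "-f"}
POLICIES = {"accept", "deny", "reject"}
PROTOCOLS = {"tcp", "udp", "icmp", "all"}
PARAMS = {"-P", "-S", "-D", "-V", "-W"}   # -S/-D take address[/mask] [port], the rest one argument
# Constructed sample: the section's own -S/-D/-W examples assembled into one forwarding rule.
SAMPLE_RULE = "ipfwadm -F -a accept -P tcp -S 172.29.16.1/24 ftp:ftp-data -D 172.29.16.1/24 smtp -W ppp0"

def _value(toks, i):  # toks[i+1] if it exists and is not itself a flag, else None
    return toks[i + 1] if i + 1 < len(toks) and not toks[i + 1].startswith("-") else None

def check_rule(line):
    """Lint one ipfwadm invocation; returns the problems found (empty list = well formed)."""
    toks = shlex.split(line)
    if toks[:1] != ["ipfwadm"]:
        return ["not an ipfwadm invocation"]
    problems, categories, commands, params, proto, ports_used, i = [], [], [], [], None, False, 1
    while i < len(toks):
        t, v = toks[i], _value(toks, i)
        if t in CATEGORIES:
            categories.append(t)
        elif t in COMMANDS:
            commands.append(t)
            if t in POLICY_CMDS and v is not None:
                if v not in POLICIES:
                    problems.append(f"unknown policy {v!r}")
                i += 1                                  # consume the policy word
            elif t == "-p":
                problems.append("-p requires a policy")
        elif t in PARAMS:
            params.append(t)
            if v is None:
                problems.append(f"{t} requires an argument")
            else:
                i += 1                                  # consume protocol / address / interface
                if t == "-P":
                    proto = v.lower()
                    if proto not in PROTOCOLS:
                        problems.append(f"unknown protocol {v!r}")
                elif t in ("-S", "-D") and _value(toks, i) is not None:
                    ports_used, i = True, i + 1         # optional port or lowport:highport
        i += 1  # any other -x token is taken to be an optional argument (9.6.3.4) and is not checked
    problems.extend(msg for bad, msg in (
        (len(categories) != 1, f"exactly one of -I/-O/-F is required, got {categories}"),
        (not commands, "at least one command (-a/-i/-d/-p/-l/-f) is required"),
        (set(commands) & {"-a", "-i", "-d"} and not params, "a rule needs at least one of -P/-S/-D/-V/-W"),
        (ports_used and proto is None, "port given on -S/-D but no -P protocol")) if bad)
    return problems
```

Running every line of a legacy firewall script through check_rule before applying it catches the mistakes this section warns about, such as a port on -S without a -P protocol, which ipfwadm would otherwise not match as intended.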

9.6.3.4. Optional arguments
