shortened to the shortest unique form. The valid <span class="emphasis"><i class="EMPHASIS">commands</i></span> are:</p>
<div class="VARIABLELIST"><dl>
<dt>add</dt><dd><p>Add an entry to the firewall/accounting rule list</p></dd>
<dt>delete</dt><dd><p>Delete an entry from the firewall/accounting rule list</p></dd>
</dl></div>
<p>Previous versions of IPFW used separate firewall and accounting entries. The present version provides packet accounting with each firewall entry.</p>
<p>If an <span class="emphasis"><i class="EMPHASIS">index</i></span> value is supplied, it is used to place the entry at a specific point in the chain. Otherwise, the entry is placed at the end of the chain at an index 100 greater than the last chain entry (this does not include the default policy, rule 65535, deny).</p>
<p>The <var class="LITERAL">log</var> option causes matching rules to be output to the system console if the kernel was compiled with <var class="LITERAL">IPFIREWALL_VERBOSE</var>.</p>
<p>Valid <span class="emphasis"><i class="EMPHASIS">actions</i></span> are:</p>
<div class="VARIABLELIST"><dl>
<dt>reject</dt><dd><p>Drop the packet, and send an ICMP host or port unreachable (as appropriate) packet to the source.</p></dd>
<dt>allow</dt><dd><p>Pass the packet on as normal. (aliases: <var class="LITERAL">pass</var>, <var class="LITERAL">permit</var>, and <var class="LITERAL">accept</var>)</p></dd>
<dt>deny</dt><dd><p>Drop the packet. The source is not notified via an ICMP message (thus it appears that the packet never arrived at the destination).</p></dd>
<dt>count</dt><dd><p>Update packet counters but do not allow/deny the packet based on this rule. The search continues with the next chain entry.</p></dd>
</dl></div>
<p>Each <span class="emphasis"><i class="EMPHASIS">action</i></span> will be recognized by the shortest unambiguous prefix.</p>
<p>The <span class="emphasis"><i class="EMPHASIS">protocols</i></span> which can be specified are:</p>
<div class="VARIABLELIST"><dl>
<dt>all</dt><dd><p>Matches any IP packet</p></dd>
<dt>icmp</dt><dd><p>Matches ICMP packets</p></dd>
<dt>tcp</dt><dd><p>Matches TCP packets</p></dd>
<dt>udp</dt><dd><p>Matches UDP packets</p></dd>
</dl></div>
<p>The <span class="emphasis"><i class="EMPHASIS">address</i></span> specification is:</p>
<p>from <var class="REPLACEABLE">address/mask</var> [<var class="REPLACEABLE">port</var>] to <var class="REPLACEABLE">address/mask</var> [<var class="REPLACEABLE">port</var>] [via <var class="REPLACEABLE">interface</var>]</p>
<p>You can only specify <var class="REPLACEABLE">port</var> in conjunction with <span class="emphasis"><i class="EMPHASIS">protocols</i></span> which support ports (UDP and TCP).</p>
<p>The <var class="OPTION">via</var> is optional and may specify the IP address or domain name of a local IP interface, or an interface name (e.g. <tt class="DEVICENAME">ed0</tt>) to match only packets coming through this interface. Interface unit numbers can be specified with an optional wildcard. For example, <var class="LITERAL">ppp*</var> would match all kernel PPP interfaces.</p>
<p>The syntax used to specify an <var class="REPLACEABLE">address/mask</var> is:</p>
<pre class="SCREEN"><var class="REPLACEABLE">address</var></pre>
or
<pre class="SCREEN"><var class="REPLACEABLE">address</var>/<var class="REPLACEABLE">mask-bits</var></pre>
or
<pre class="SCREEN"><var class="REPLACEABLE">address</var>:<var class="REPLACEABLE">mask-pattern</var></pre>
<br /><br />
<p>A valid hostname may be specified in place of the IP address. <var class="OPTION"><var class="REPLACEABLE">mask-bits</var></var> is a decimal number representing how many bits in the address mask should be set. e.g. specifying <tt class="HOSTID">192.216.222.1/24</tt> will create a mask which will allow any address in a class C subnet (in this case, <tt class="HOSTID">192.216.222</tt>) to be matched. <var class="OPTION"><var class="REPLACEABLE">mask-pattern</var></var> is an IP address which will be logically AND'ed with the address given. The keyword <var class="LITERAL">any</var> may be used to specify ``any IP address''.</p>
<p>The port numbers to be blocked are specified as:</p>
<p><var class="REPLACEABLE">port</var> [,<var class="REPLACEABLE">port</var> [,<var class="REPLACEABLE">port</var> [...]]]</p>
to specify either a single port or a list of ports, or
<p><var class="REPLACEABLE">port</var>-<var class="REPLACEABLE">port</var></p>
to specify a range of ports. You may also combine a single range with a list, but the range must always be specified first.
<br /><br />
<p>The <span class="emphasis"><i class="EMPHASIS">options</i></span> available are:</p>
<div class="VARIABLELIST"><dl>
<dt>frag</dt><dd><p>Matches if the packet is not the first fragment of the datagram.</p></dd>
<dt>in</dt><dd><p>Matches if the packet is on the way in.</p></dd>
<dt>out</dt><dd><p>Matches if the packet is on the way out.</p></dd>
<dt>ipoptions <var class="REPLACEABLE">spec</var></dt><dd><p>Matches if the IP header contains the comma separated list of options specified in <var class="REPLACEABLE">spec</var>. The supported IP options are: <var class="LITERAL">ssrr</var> (strict source route), <var class="LITERAL">lsrr</var> (loose source route), <var class="LITERAL">rr</var> (record packet route), and <var class="LITERAL">ts</var> (time stamp). The absence of a particular option may be specified with a leading <var class="LITERAL">!</var>.</p></dd>
<dt>established</dt><dd><p>Matches if the packet is part of an already established TCP connection (i.e. it has the RST or ACK bits set). You can optimize the performance of the firewall by placing <span class="emphasis"><i class="EMPHASIS">established</i></span> rules early in the chain.</p></dd>
<dt>setup</dt><dd><p>Matches if the packet is an attempt to establish a TCP connection (the SYN bit is set but the ACK bit is not).</p></dd>
<dt>tcpflags <var class="REPLACEABLE">flags</var></dt><dd><p>Matches if the TCP header contains the comma separated list of <var class="REPLACEABLE">flags</var>. The supported flags are <var class="LITERAL">fin</var>, <var class="LITERAL">syn</var>, <var class="LITERAL">rst</var>, <var class="LITERAL">psh</var>, <var class="LITERAL">ack</var>, and <var class="LITERAL">urg</var>. The absence of a particular flag may be indicated by a leading <var class="LITERAL">!</var>.</p></dd>
<dt>icmptypes <var class="REPLACEABLE">types</var></dt><dd><p>Matches if the ICMP type is present in the list <var class="REPLACEABLE">types</var>. The list may be specified as any combination of ranges and/or individual types separated by commas. Commonly used ICMP types are: <var class="LITERAL">0</var> echo reply (ping reply), <var class="LITERAL">3</var> destination unreachable, <var class="LITERAL">5</var> redirect, <var class="LITERAL">8</var> echo request (ping request), and <var class="LITERAL">11</var> time exceeded (used to indicate TTL expiration as with <span class="CITEREFENTRY"><span class="REFENTRYTITLE">traceroute</span>(8)</span>).</p></dd>
</dl></div>
</div>
<div class="SECT3">
<h3 class="SECT3"><a id="AEN20381" name="AEN20381">14.8.4.2. Listing the IPFW Rules</a></h3>
<p>The syntax for this form of the command is:</p>
<p><tt class="COMMAND">ipfw</tt> [-a] [-c] [-d] [-e] [-t] [-N] [-S] list</p>
<br /><br />
<p>There are seven valid flags when using this form of the command:</p>
<div class="VARIABLELIST"><dl>
<dt>-a</dt><dd><p>While listing, show counter values. This option is the only way to see accounting counters.</p></dd>
<dt>-c</dt><dd><p>List rules in compact form.</p></dd>
<dt>-d</dt><dd><p>Show dynamic rules in addition to static rules.</p></dd>
<dt>-e</dt><dd><p>If <var class="OPTION">-d</var> was specified, also show expired dynamic rules.</p></dd>
<dt>-t</dt><dd><p>Display the last match times for each chain entry. The time listing is incompatible with the input syntax used by the <span class="CITEREFENTRY"><span class="REFENTRYTITLE">ipfw</span>(8)</span> utility.</p></dd>
<dt>-N</dt><dd>
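As an added example that is not part of the Handbook or of ipfw itself, here is a small Python matcher for the rule syntax described in the previous section: the three address/mask forms plus any, port lists where the single range must come first, the restriction of ports to tcp and udp, and the all protocol. It accepts only the subset '<action> <proto> from <addr> [ports] to <addr> [ports]'; via, the options and action-prefix expansion are left out, and the packets it is tested against are constructed values.

```python
import ipaddress

def parse_addr(spec):
    """any | address | address/mask-bits | address:mask-pattern -> (network, mask) as ints."""
    if spec == "any":
        return 0, 0
    addr, mask = spec, 0xFFFFFFFF
    if "/" in spec:
        addr, bits = spec.split("/")
        mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    elif ":" in spec:
        addr, pattern = spec.split(":")
        mask = int(ipaddress.IPv4Address(pattern))
    return int(ipaddress.IPv4Address(addr)) & mask, mask

def parse_ports(spec):
    """port[,port...] or lo-hi[,port...] as (lo, hi) pairs; the single range must come first."""
    items = spec.split(",")
    if any("-" in item for item in items[1:]):
        raise ValueError("range must be specified first: " + spec)
    return [tuple(map(int, item.split("-"))) if "-" in item else (int(item), int(item))
            for item in items]

def parse_rule(text):
    """Parse '<action> <proto> from <addr> [ports] to <addr> [ports]' (via and options omitted)."""
    w = text.split()
    rule = {"action": w[0], "proto": w[1]}
    for side in ("from", "to"):
        i = w.index(side) + 1  # ValueError if the keyword is missing
        rule[side] = parse_addr(w[i])
        if i + 1 < len(w) and w[i + 1][0].isdigit():  # a port spec follows the address
            if rule["proto"] not in ("tcp", "udp"):
                raise ValueError("ports are only valid with tcp or udp")
            rule[side + "_ports"] = parse_ports(w[i + 1])
    return rule

def matches(rule, proto, src, sport, dst, dport):
    """True if a packet (protocol, source ip/port, destination ip/port) matches the rule."""
    if rule["proto"] not in ("all", proto):
        return False
    for side, ip, port in (("from", src, sport), ("to", dst, dport)):
        net, mask = rule[side]
        if int(ipaddress.IPv4Address(ip)) & mask != net:
            return False
        ranges = rule.get(side + "_ports")
        if ranges and not any(lo <= port <= hi for lo, hi in ranges):
            return False
    return True
```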