# ferm, a firewall setup program that makes firewall rules easy!
#
# Copyright (C) 2001-2012 Max Kellermann, Auke Kok
#
# Comments, questions, greetings and additions to this program
# may be sent to <ferm@foo-projects.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
B<ferm> - a firewall rule parser for Linux

B<ferm> I<options> I<inputfile>

B<ferm> is a frontend for B<iptables>. It reads the rules from a
structured configuration file and calls iptables(8) to insert them
into the running kernel.

B<ferm>'s goal is to make firewall rules easy to write and easy to
read. It tries to reduce the tedious task of writing down rules, thus
enabling the firewall administrator to spend more time on developing
good rules rather than on the proper implementation of each rule.

To achieve this, B<ferm> uses a simple but powerful configuration
language, which allows variables, functions, arrays and blocks. It also
allows you to include other files, so you can create libraries of
commonly used structures and functions.

B<ferm>, pronounced "firm", stands for "For Easy Rule Making".

This manual page does I<not> intend to teach you how firewalling works
and how to write good rules. There is already enough documentation on
Let's start with a simple example:

This will add a rule to the predefined input chain, matching and
accepting all tcp packets. Ok, let's make it more complicated:

    chain (INPUT OUTPUT) {
        proto (udp tcp) ACCEPT;
    }

This will insert 4 rules, namely 2 in chain input, and 2 in chain
output, matching and accepting both udp and tcp packets. Normally you

    iptables -A INPUT -p tcp -j ACCEPT
    iptables -A OUTPUT -p tcp -j ACCEPT
    iptables -A INPUT -p udp -j ACCEPT
    iptables -A OUTPUT -p udp -j ACCEPT

Note how much less typing we need to do? :-)

Basically, this is all there is to it, although you can make it quite
a bit more complex. Something to look at:

    daddr 10.0.0.0/8 proto tcp dport ! ftp jump mychain sport :1023 TOS 4 settos 8 mark 2;
    daddr 10.0.0.0/8 proto tcp dport ftp REJECT;

My point here is that *you* need to write nice rules, keep
them readable to you and others, and not turn them into a mess.
It would aid the reader if the resulting firewall rules were placed
here for reference. Also, you could include the nested version with

Try using comments to show what you are doing:

    # this line enables transparent http-proxying for the internal network:
    proto tcp if eth0 daddr ! 192.168.0.0/255.255.255.0
        dport http REDIRECT to-ports 3128;

You will be thankful for it later!

    interface (eth0 ppp0) {
        # deny access to notorious hackers, return here if no match
        # was found to resume normal firewalling

        protocol tcp jump fw_tcp;
        protocol udp jump fw_udp;

The more you nest, the better it looks. Make sure the order you
specify is correct; you would not want to do this:

    proto tcp dport ftp ACCEPT;

because the second rule will never match. The best way is to specify
first everything that is allowed, and then deny everything else.
Look at the examples for more good snapshots. Most people do

    dport 1024:65535 ! syn ACCEPT;
=head1 STRUCTURE OF A FIREWALL FILE

The structure of a proper firewall file looks like simplified
C code. Only a few syntactic characters are used in ferm
configuration files. Besides these special characters, ferm
uses 'keys' and 'values'; think of them as options and
parameters, or as variables and values, whatever.

With these words, you define the characteristics of your firewall.
Every firewall consists of two things: first, look whether network
traffic matches certain conditions, and second, what to do

You may specify conditions that are valid for the kernel
interface program you are using, probably iptables(8). For
instance, in iptables, when you are trying to match tcp
packets, you would say:

    iptables --protocol tcp

In ferm, this will become:

Just typing this in ferm doesn't do anything; you need to tell
ferm (actually, you need to tell iptables(8) and the kernel) what
to do with any traffic that matches this condition:

    iptables --protocol tcp -j ACCEPT

Or, translated to B<ferm>:

The B<;> character is at the end of every ferm rule. Ferm ignores line
breaks, meaning the above example is identical to the following:

Here's a list of the special characters:

This character finalizes a rule.

Separated by semicolons, you may write multiple rules in one line,
although this decreases readability:

    protocol tcp ACCEPT; protocol udp DROP;

The nesting symbol defines a 'block' of rules.

The curly brackets contain any number of nested rules. All matches
before the block are carried forward to these.

The closing curly bracket finalizes the rule set. You should not write
a ';' after that, because that would be an empty rule.
    chain INPUT proto icmp {
        icmp-type echo-request ACCEPT;

This block shows two rules inside a block, which will both be merged
with anything in front of it, so you will get two rules:

    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -p icmp -j DROP

There can be multiple nesting levels:

            icmp-type echo-request ACCEPT;

        daddr 172.16.0.0/12 REJECT;

Note that the 'REJECT' rule is not affected by 'proto icmp', although
there is no ';' after the closing curly brace. Translated to iptables:

    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -p icmp -j DROP
    iptables -A INPUT -d 172.16.0.0/12 -j REJECT

Variable expansion. Replaces '$FOO' by the value of the variable. See
the section I<VARIABLES> for details.

Function call. See the section I<FUNCTIONS> for details.

The array symbol. Using the parentheses, you can define
a 'list' of values that should be applied for the key to the

    protocol ( tcp udp icmp )

this will result in three rules:

Only values can be 'listed', so you cannot do something like this:

    proto tcp ( ACCEPT LOG );

    chain (INPUT OUTPUT FORWARD) proto (icmp udp tcp) DROP;

(which will result in nine rules!)

Values are separated by spaces. The array symbol is both left- and
right-associative, in contrast with the nesting block, which is
left-associative only.

The comment symbol. Anything that follows this symbol up to
the end of line is ignored.

Execute the command in a shell, and insert the process output. See the
section I<backticks> for details.

Quote a string which may contain whitespace, the dollar sign etc.

    LOG log-prefix ' hey, this is my log prefix!';

Quote a string (see above), but variable references with a dollar sign

    DNAT to "$myhost:$myport";
In the previous section, we already introduced some basic keywords
like "chain", "protocol" and "ACCEPT". Let's explore their nature.

There are three kinds of keywords:

B<location> keywords define where a rule will be created. Example:

B<match> keywords perform a test on all passing packets. The current
rule is without effect if one (or more) of the matches does not
pass. Example: "proto", "daddr".

Most matches are followed by a parameter: "proto tcp", "daddr

B<target> keywords state what to do with a packet. Example: "ACCEPT",

Some targets define more keywords to specify details: "REJECT
reject-with icmp-net-unreachable".

Every rule consists of a B<location> and a B<target>, plus any number

    table filter                  # location
    proto tcp dport (http https)  # match

Strictly speaking, there is a fourth kind: B<ferm> keywords (which
control ferm's internal behaviour), but they will be explained later.

Many keywords take parameters. These can be specified as literals,
variable references or lists (arrays):

    saddr $TRUSTED_HOSTS;
    proto tcp dport (http https ssh);
    LOG log-prefix "funky wardriver alert: ";

Some of them can be negated (lists cannot be negated):

    proto udp dport !domain;

Keywords which take no parameters are negated by a prefixed '!':

Read iptables(8) to see where the B<!> can be used.
=head1 BASIC KEYWORDS

=head2 Location keywords

=item B<domain [ip|ip6]>

Set the domain. "ip" is the default and means "IPv4" (iptables). "ip6" is
for IPv6 support, using "ip6tables".

=item B<table [filter|nat|mangle]>

Specifies which netfilter table this rule will be inserted into:
"filter" (default), "nat" or "mangle".

=item B<chain [chain-name]>

Specifies the netfilter chain (within the current table) this rule
will be inserted into. Common predefined chain names are "INPUT",
"OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING", depending on the
table. See the netfilter documentation for details.

If you specify a non-existing chain here, ferm will add the rule to a
custom chain with that name.

=item B<policy [ACCEPT|DROP|..]>

Specifies the default policy for the current chain (built-in chains
only). Can be one of the built-in targets (ACCEPT, DROP, REJECT,
...). A packet that matches no rules in a chain will be treated as
specified by the policy.

To avoid ambiguity, always specify the policies of all predefined
=item B<@subchain ["CHAIN-NAME"] { ... }>

Works like the normal block operators (i.e. without the I<@subchain>
keyword), except that B<ferm> moves rules within the curly braces into
a new custom chain. The name for this chain is chosen automatically by

In many cases, this is faster than just a block, because the kernel
may skip a huge block of rules when a precondition is false. Imagine
the following example:

    table filter chain INPUT {
        saddr (1.2.3.4 2.3.4.5 3.4.5.6 4.5.6.7 5.6.7.8) {
            proto tcp dport (http https ssh) ACCEPT;
            proto udp dport domain ACCEPT;
        }
    }

This generates 20 rules. When a packet arrives which does not pass the
B<saddr> match, it nonetheless checks all 20 rules. With B<@subchain>,
this check is done once, resulting in faster network filtering and

    table filter chain INPUT {
        saddr (1.2.3.4 2.3.4.5 3.4.5.6 4.5.6.7 5.6.7.8) @subchain {
            proto tcp dport (http https ssh) ACCEPT;
            proto udp dport domain ACCEPT;
        }
    }

Optionally, you may define the name of the sub chain:

    saddr (1.2.3.4 2.3.4.5 3.4.5.6) @subchain "foobar" {
        proto tcp dport (http https ssh) ACCEPT;
        proto udp dport domain ACCEPT;
    }

The name can either be a quoted string literal, or an expanded ferm
expression such as @cat("interface_", $iface) or @substr($var,0,20).

You can achieve the same by explicitly declaring a custom chain, but
you may feel that using B<@subchain> requires less typing.
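To make the rule-count arithmetic in the array section ("nine rules!") and in the B<@subchain> example above concrete, here is an added toy expander in Python. It is not ferm's own code and not part of this manual page; it understands only the subset used in those two sections (key/value matches with optional '!' negation, the targets ACCEPT/DROP/REJECT/RETURN, arrays in parentheses, nested blocks and B<@subchain>) and prints the iptables commands a configuration expands to, so you can count them: 20 rules for the plain block, 10 lines (one chain creation, five jumps, four rules in the new chain) with B<@subchain>. The keyword table, the hypothetical auto-generated chain names C<subchain_N> and the order in which expanded rules are emitted are assumptions of this example, not ferm's behaviour.

```python
"""Toy expander for a small subset of the ferm configuration language.

Added example, not ferm's own implementation. Quoting, variables,
functions and backticks are deliberately not supported.
"""
import itertools
import re

# ferm keyword -> iptables switch (assumption: only these are understood)
MATCH_SWITCHES = {
    "table": "-t", "chain": "-A", "proto": "-p", "protocol": "-p",
    "saddr": "-s", "daddr": "-d", "sport": "--sport", "dport": "--dport",
    "interface": "-i", "outerface": "-o", "icmp-type": "--icmp-type",
    "jump": "-j", "goto": "-g",
}
TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN"}   # take no parameter

TOKEN_RE = re.compile(r'#[^\n]*|([(){};!])|("[^"]*"|[^\s(){};!#"]+)')


def tokenize(text):
    """Split text into symbols and words; '#' comments are dropped."""
    return [m.group(1) or m.group(2) for m in TOKEN_RE.finditer(text)
            if m.group(1) or m.group(2)]


def parse_value(tokens, i):
    """A parameter is one word or an array '( a b c )'; returns (values, next index)."""
    if tokens[i] != "(":
        return [tokens[i]], i + 1
    j = tokens.index(")", i)
    return tokens[i + 1:j], j + 1


def parse(tokens, i=0):
    """Parse rules until '}' or end of input. Nodes are ('rule', items) or
    ('block', items, subchain_name, children); an item is
    (keyword, values or None for a target, negated)."""
    nodes = []
    while i < len(tokens) and tokens[i] != "}":
        items, subchain = [], None
        while True:
            tok = tokens[i]
            if tok == ";":
                nodes.append(("rule", items))
                i += 1
                break
            if tok == "{":
                children, i = parse(tokens, i + 1)
                if i >= len(tokens):
                    raise SyntaxError("unclosed block")
                nodes.append(("block", items, subchain, children))
                i += 1
                break
            if tok == "@subchain":
                i += 1
                subchain = ""                    # "" = invent a name later
                if tokens[i] != "{":
                    subchain = tokens[i].strip('"')
                    i += 1
            elif tok in TARGETS:
                items.append((tok, None, False))
                i += 1
            elif tok in MATCH_SWITCHES:
                i += 1
                negated = tokens[i] == "!"
                if negated:
                    i += 1
                values, i = parse_value(tokens, i)
                items.append((tok, values, negated))
            else:
                raise SyntaxError("unsupported keyword: %s" % tok)
    return nodes, i


def _combinations(items):
    """Cartesian product over every array parameter: this is what turns
    'chain (INPUT OUTPUT) proto (udp tcp)' into four rules."""
    choices = [[(k, None, n)] if vals is None else [(k, v, n) for v in vals]
               for k, vals, n in items]
    return itertools.product(*choices)


def _render(items):
    argv = ["iptables"]
    for key, value, negated in items:
        if value is None:                        # a target
            argv += ["-j", key]
        else:
            if negated:
                argv.append("!")
            argv += [MATCH_SWITCHES[key], value]
    return " ".join(argv)


def _expand(nodes, prefix, out, counter):
    for node in nodes:
        if node[0] == "rule":
            out.extend(_render(c) for c in _combinations(prefix + node[1]))
            continue
        _, items, subchain, children = node
        if subchain is None:                     # plain block: matches are inherited
            _expand(children, prefix + items, out, counter)
            continue
        # @subchain: create a custom chain, jump to it once per prefix
        # combination, and put the children into the new chain only.
        counter[0] += 1
        name = subchain or "subchain_%d" % counter[0]   # hypothetical naming
        table = [it for it in prefix + items if it[0] == "table"]
        out.append(" ".join(["iptables"] + (["-t", table[0][1][0]] if table else []) + ["-N", name]))
        out.extend(_render(c) for c in _combinations(prefix + items + [("jump", [name], False)]))
        _expand(children, table + [("chain", [name], False)], out, counter)


def ferm_to_iptables(text):
    """Expand a ferm configuration (subset) into a list of iptables commands."""
    tokens = tokenize(text)
    nodes, i = parse(tokens)
    if i != len(tokens):
        raise SyntaxError("unexpected '}'")
    out = []
    _expand(nodes, [], out, [0])
    return out


if __name__ == "__main__":
    # Constructed sample: the @subchain example from the manual page.
    SAMPLE = """
    table filter chain INPUT {
        saddr (1.2.3.4 2.3.4.5 3.4.5.6 4.5.6.7 5.6.7.8) @subchain {
            proto tcp dport (http https ssh) ACCEPT;
            proto udp dport domain ACCEPT;
        }
    }
    """
    for line in ferm_to_iptables(SAMPLE):
        print(line)
```

Run it with the plain (non-@subchain) block and the output grows to 20 lines, each repeating the B<saddr> test; with B<@subchain> the saddr test appears only in the five jump rules, which is exactly why the kernel can skip the block early.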
=item B<@gotosubchain ["CHAIN-NAME"] { ... }>

Works like B<@subchain> except that instead of using the B<jump> target it
uses the B<goto> target. See the discussion below for the difference between
=head2 Basic iptables match keywords

=item B<interface [interface-name]>

Define the interface name, your outside network card, like eth0,
or dialup like ppp1, or whatever device you want to match for
passing packets. It is equivalent to the C<-i> switch in

=item B<outerface [interface-name]>

Same as interface, only for matching the outgoing interface
for a packet, as in iptables(8).

=item B<protocol [protocol-name|protocol-number]>

Currently supported by the kernel are tcp, udp and icmp, or
their respective numbers.

=item B<saddr|daddr [address-spec]>

Matches on packets originating from the specified address (saddr) or
targeted at the address (daddr).

    saddr 192.168.0.0/24 ACCEPT;   # (identical to the next one:)
    saddr 192.168.0.0/255.255.255.0 ACCEPT;
    daddr my.domain.com ACCEPT;

Specify that only fragmented IP packets should be matched.
When packets are larger than the maximum packet size your
system can handle (called Maximum Transmission Unit or MTU)
they will be chopped into bits and sent one by one as single
packets. See ifconfig(8) if you want to find the MTU for
your system (the default is usually 1500 bytes).

Fragments are frequently used in DoS attacks, because there
is no way of finding out the origin of a fragment packet.

=item B<sport|dport [port-spec]>

Matches on packets on the specified TCP or UDP port. "sport" matches
the source port, and "dport" matches the destination port.

This match can be used only after you have specified "protocol tcp" or
"protocol udp", because only these two protocols actually have ports.

And some examples of valid ports/ranges:

    dport ssh:http ACCEPT;
    dport 0:1023 ACCEPT;      # equivalent to :1023
    dport 1023:65535 ACCEPT;

Specify that the SYN flag in a tcp packet should be matched;
SYN packets are used to build new tcp connections. You can identify
incoming connections with this, and decide whether you want
to allow them or not. Packets that do not have this flag are
probably from an already established connection, so it's
considered reasonably safe to let these through.

=item B<module [module-name]>

Load an iptables module. Most modules provide more match
keywords. We'll get to that later.
=head2 Basic target keywords

=item B<jump [custom-chain-name]>

Jumps to a custom chain. If no rule in the custom chain matched,
netfilter returns to the next rule in the previous chain.

=item B<goto [custom-chain-name]>

Go to a custom chain. Unlike the B<jump> option, B<RETURN> will not
continue processing in this chain but instead in the chain that called

Accepts matching packets.

Drops matching packets without further notice.

Rejects matching packets, i.e. sends an ICMP packet to the sender,
which is port-unreachable by default. You may specify another ICMP

    REJECT;   # defaults to icmp-port-unreachable
    REJECT reject-with icmp-net-unreachable;

Type "iptables -j REJECT -h" for details.

Finishes the current chain and returns to the calling chain (if "jump
[custom-chain-name]" was used).

=head1 ADDITIONAL KEYWORDS

Netfilter is modular. Modules may provide additional targets and match
keywords. The list of netfilter modules is constantly growing, and
ferm tries to keep up with supporting them all. This chapter describes
the modules which are currently supported.
=head2 iptables match modules

Account traffic for all hosts in the defined network/netmask. This is one
of the match modules which behave like a target, i.e. you will mostly
have to use the B<NOP> target.

    mod account aname mynetwork aaddr 192.168.1.0/24 ashort NOP;

Check the address type; either source address or destination address.

    mod addrtype src-type BROADCAST;
    mod addrtype dst-type LOCAL;

Type "iptables -m addrtype -h" for details.

Checks the SPI header in an AH packet.

    mod ah ahspi ! 0x200:0x2ff;

Additional arguments for IPv6:

    mod ah ahlen 32 ACCEPT;
    mod ah ahlen !32 ACCEPT;

Match using Linux Socket Filter.

    mod bpf bytecode "4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0";

Adds a comment of up to 256 characters to a rule, without an effect.
Note that unlike ferm comments ('#'), this one will show up in

    mod comment comment "This is my comment." ACCEPT;

Matches if a value in /proc/net/ipt_condition/NAME is 1 (path is
/proc/net/ip6t_condition/NAME for the ip6 domain).

    mod condition condition (abc def) ACCEPT;
    mod condition condition !foo ACCEPT;

Match by how many bytes or packets a connection (or one of the two
flows constituting the connection) has transferred so far, or by
average bytes per packet.

    mod connbytes connbytes 65536: connbytes-dir both connbytes-mode bytes ACCEPT;
    mod connbytes connbytes !1024:2048 connbytes-dir reply connbytes-mode packets ACCEPT;

Valid values for I<connbytes-dir>: I<original>, I<reply>, I<both>; for
I<connbytes-mode>: I<packets>, I<bytes>, I<avgpkt>.

Module matches or adds connlabels to a connection.

    mod connlabel label "name";
    mod connlabel label "name" set;

Allows you to restrict the number of parallel TCP connections to a
server per client IP address (or address block).

    mod connlimit connlimit-above 4 REJECT;
    mod connlimit connlimit-above !4 ACCEPT;
    mod connlimit connlimit-above 4 connlimit-mask 24 REJECT;
    mod connlimit connlimit-upto 4 connlimit-saddr REJECT;
    mod connlimit connlimit-above 4 connlimit-daddr REJECT;

Check the mark field associated with the connection, set by the

    mod connmark mark 64;
    mod connmark mark 6/7;

Check connection tracking information.

    mod conntrack ctstate (ESTABLISHED RELATED);
    mod conntrack ctproto tcp;
    mod conntrack ctorigsrc 192.168.0.2;
    mod conntrack ctorigdst 1.2.3.0/24;
    mod conntrack ctorigsrcport 67;
    mod conntrack ctorigdstport 22;
    mod conntrack ctreplsrc 2.3.4.5;
    mod conntrack ctrepldst ! 3.4.5.6;
    mod conntrack ctstatus ASSURED;
    mod conntrack ctexpire 60;
    mod conntrack ctexpire 180:240;

Type "iptables -m conntrack -h" for details.
Match the cpu handling this packet.

Check DCCP (Datagram Congestion Control Protocol) specific attributes.
This module is automatically loaded when you use "protocol dccp".

    proto dccp sport 1234 dport 2345 ACCEPT;
    proto dccp dccp-types (SYNCACK ACK) ACCEPT;
    proto dccp dccp-types !REQUEST DROP;
    proto dccp dccp-option 2 ACCEPT;

Match the 6 bit DSCP field within the TOS field.

    mod dscp dscp-class AF41;

Match the parameters in the Destination Options header (IPv6).

    mod dst dst-opts (type1 type2 ...);

Match the ECN bits of an IPv4 TCP header.

    mod ecn ecn-ip-ect 2;

Type "iptables -m ecn -h" for details.

Checks the SPI header in an ESP packet.

    mod esp espspi 0x101;
    mod esp espspi ! 0x200:0x2ff;

"This module matches the EUI-64 part of a stateless autoconfigured
IPv6 address. It compares the EUI-64 derived from the source MAC
address in the Ethernet frame with the lower 64 bits of the IPv6 source
address. But the "Universal/Local" bit is not compared. This module
doesn't match other link layer frames, and is only valid in the
PREROUTING, INPUT and FORWARD chains."

"This module matches a rate limit based on a fuzzy logic controller [FLC]."

    mod fuzzy lower-limit 10 upper-limit 20 ACCEPT;

Matches the Hop-by-Hop Options header (ip6).

    mod hbh hbh-len 8 ACCEPT;
    mod hbh hbh-len !8 ACCEPT;
    mod hbh hbh-opts (1:4 2:8) ACCEPT;

Matches the Hop Limit field (ip6).

    mod hl hl-eq (8 10) ACCEPT;
    mod hl hl-eq !5 ACCEPT;
    mod hl hl-gt 15 ACCEPT;
    mod hl hl-lt 2 ACCEPT;

Checks which conntrack helper module tracks this connection. The port
may be specified with "-portnr".

    mod helper helper irc ACCEPT;
    mod helper helper ftp-21 ACCEPT;

Check ICMP specific attributes. This module is automatically loaded
when you use "protocol icmp".

    proto icmp icmp-type echo-request ACCEPT;

This option can also be used in the I<ip6> domain, although this is
called B<icmpv6> in F<ip6tables>.

Use "iptables -p icmp C<-h>" to obtain a list of valid ICMP types.

Match a range of IPv4 addresses.

    mod iprange src-range 192.168.2.0-192.168.3.255;
    mod iprange dst-range ! 192.168.6.0-192.168.6.255;

Match on IPv4 header options like source routing, record route,
timestamp and router-alert.

    mod ipv4options ssrr ACCEPT;
    mod ipv4options lsrr ACCEPT;
    mod ipv4options no-srr ACCEPT;
    mod ipv4options !rr ACCEPT;
    mod ipv4options !ts ACCEPT;
    mod ipv4options !ra ACCEPT;
    mod ipv4options !any-opt ACCEPT;

Matches the IPv6 extension header (ip6).

    mod ipv6header header !(hop frag) ACCEPT;
    mod ipv6header header (auth dst) ACCEPT;

Similar to 'mod limit', but adds the ability to add per-destination or
per-port limits managed in a hash table.

    mod hashlimit hashlimit 10/minute hashlimit-burst 30/minute
        hashlimit-mode dstip hashlimit-name foobar ACCEPT;

Possible values for hashlimit-mode: dstip dstport srcip srcport (or a
list with more than one of these).

There are more possible settings; type "iptables -m hashlimit -h" for
    mod ipvs ipvs ACCEPT;             # packet belongs to an IPVS connection
    mod ipvs vproto tcp ACCEPT;       # VIP protocol to match; by number or name, e.g. "tcp"
    mod ipvs vaddr 1.2.3.4/24 ACCEPT; # VIP address to match
    mod ipvs vport http ACCEPT;       # VIP port to match
    mod ipvs vdir ORIGINAL ACCEPT;    # flow direction of packet
    mod ipvs vmethod GATE ACCEPT;     # IPVS forwarding method used
    mod ipvs vportctl 80;             # VIP port of the controlling connection to match

Check the packet length.

    mod length length 128;     # exactly 128 bytes
    mod length length 512:768; # range
    mod length length ! 256;   # negated

Limits the packet rate.

    mod limit limit 1/second;
    mod limit limit 15/minute limit-burst 10;

Type "iptables -m limit -h" for details.

Match the source MAC address.

    mod mac mac-source 01:23:45:67:89:ab;

Matches packets based on their netfilter mark field. This may be a 32
bit integer between 0 and 4294967295.

Matches the mobility header (domain I<ip6>).

    proto mh mh-type binding-update ACCEPT;

Match a set of source or destination ports (UDP and TCP only).

    mod multiport source-ports (https ftp);
    mod multiport destination-ports (mysql domain);

This rule has a big advantage over "dport" and "sport": it generates
only one rule for up to 15 ports instead of one rule for every port.

Match every 'n'th packet.

    mod nth counter 5 every 2;
    mod nth start 2 every 3;
    mod nth start 5 packet 2 every 6;

Type "iptables -m nth -h" for details.

Match packets depending on the operating system of the sender.

    mod osf ! genre FreeBSD ttl 1 log 1;

Type "iptables -m osf -h" for details.

Check information about the packet creator, namely user id, group id,
process id, session id and command name.

    mod owner uid-owner 0;
    mod owner gid-owner 1000;
    mod owner pid-owner 5432;
    mod owner sid-owner 6543;
    mod owner cmd-owner "sendmail";

("cmd-owner", "pid-owner" and "sid-owner" require special kernel
patches not included in the vanilla Linux kernel)

Matches the physical device on which a packet entered or is about to
leave the machine. This is useful for bridged interfaces.

    mod physdev physdev-in ppp1;
    mod physdev physdev-out eth2;
    mod physdev physdev-is-in;
    mod physdev physdev-is-out;
    mod physdev physdev-is-bridged;

Check the link-layer packet type.

    mod pkttype pkt-type unicast;
    mod pkttype pkt-type broadcast;
    mod pkttype pkt-type multicast;

Matches the IPsec policy being applied to this packet.

    mod policy dir out pol ipsec ACCEPT;
    mod policy strict reqid 23 spi 0x10 proto ah ACCEPT;
    mod policy mode tunnel tunnel-src 192.168.1.2 ACCEPT;
    mod policy mode tunnel tunnel-dst 192.168.2.1 ACCEPT;
    mod policy strict next reqid 24 spi 0x11 ACCEPT;

Note that the keyword I<proto> is also used as a shorthand version of
I<protocol> (built-in match module). You can avoid this conflict by
always using the long keyword I<protocol>.
Detect TCP/UDP port scans.

    mod psd psd-weight-threshold 21 psd-delay-threshold 300
        psd-lo-ports-weight 3 psd-hi-ports-weight 1 DROP;

Implements network quotas by decrementing a byte counter with each packet.

    mod quota quota 65536 ACCEPT;

Match a random percentage of all packets.

    mod random average 70;

Match the routing realm. Useful in environments using BGP.

Temporarily mark source IP addresses.

    mod recent rcheck seconds 60;
    mod recent set rsource name "badguy";
    mod recent set rdest;
    mod recent rcheck rsource name "badguy" seconds 60;
    mod recent update seconds 120 hitcount 3 rttl;

This netfilter module has a design flaw: although it is implemented as
a match module, it has target-like behaviour when using the "set"

L<http://snowman.net/projects/ipt_recent/>

Checks whether a reply to the packet would be sent via the same interface it arrived on.
Packets from the loopback interface are always permitted.

    mod rpfilter proto tcp loose RETURN;
    mod rpfilter validmark accept-local RETURN;
    mod rpfilter invert DROP;

This netfilter module is the preferred way to perform reverse path filtering for
IPv6, and a powerful alternative to the checks controlled by the sysctl
I<net.ipv4.conf.*.rp_filter>.

Match the IPv6 routing header (ip6 only).

    mod rt rt-type 2 rt-len 20 ACCEPT;
    mod rt rt-type !2 rt-len !20 ACCEPT;
    mod rt rt-segsleft 2:3 ACCEPT;
    mod rt rt-segsleft !4:5 ACCEPT;
    mod rt rt-0-res rt-0-addrs (::1 ::2) rt-0-not-strict ACCEPT;

Check SCTP (Stream Control Transmission Protocol) specific attributes.
This module is automatically loaded when you use "protocol sctp".

    proto sctp sport 1234 dport 2345 ACCEPT;
    proto sctp chunk-types only DATA:Be ACCEPT;
    proto sctp chunk-types any (INIT INIT_ACK) ACCEPT;
    proto sctp chunk-types !all (HEARTBEAT) ACCEPT;

Use "iptables -p sctp C<-h>" to obtain a list of valid chunk types.

Checks the source or destination IP/Port/MAC against a set.

    mod set set badguys src DROP;

See L<http://ipset.netfilter.org/> for more information.

Checks the connection tracking state.

    mod state state INVALID DROP;
    mod state state (ESTABLISHED RELATED) ACCEPT;

Type "iptables -m state -h" for details.

Successor of B<nth> and B<random>, currently undocumented in the
iptables(8) man page.

    mod statistic mode random probability 0.8 ACCEPT;
    mod statistic mode nth every 5 packet 0 DROP;

    mod string string "foo bar" ACCEPT;
    mod string algo kmp from 64 to 128 hex-string "deadbeef" ACCEPT;

Checks TCP specific attributes. This module is automatically loaded
when you use "protocol tcp".

    proto tcp sport 1234;
    proto tcp dport 2345;
    proto tcp tcp-flags (SYN ACK) SYN;
    proto tcp tcp-flags ! (SYN ACK) SYN;
    proto tcp tcp-flags ALL (RST ACK);
    proto tcp tcp-option 2;

Type "iptables -p tcp -h" for details.

Check the TCP MSS field of a SYN or SYN/ACK packet.

    mod tcpmss mss 123 ACCEPT;
    mod tcpmss mss 234:567 ACCEPT;

Check if the time a packet arrives is in a given range.

    mod time timestart 12:00;
    mod time timestop 13:30;
    mod time days (Mon Wed Fri);
    mod time datestart 2005:01:01;
    mod time datestart 2005:01:01:23:59:59;
    mod time datestop 2005:04:01;
    mod time monthday (30 31);
    mod time weekdays (Wed Thu);
    mod time timestart 12:00 utc;
    mod time timestart 12:00 localtz;

Type "iptables -m time -h" for details.

Matches a packet on the specified TOS value.

    mod tos tos Minimize-Cost ACCEPT;
    mod tos tos !Normal-Service ACCEPT;

Type "iptables -m tos -h" for details.

Matches the ttl (time to live) field in the IP header.

    mod ttl ttl-eq 12; # ttl equals
    mod ttl ttl-gt 10; # ttl greater than
    mod ttl ttl-lt 16; # ttl less than

Compares raw data from the packet. You can specify more than one
filter in a ferm list; these are not expanded into multiple rules.

    mod u32 u32 '6&0xFF=1' ACCEPT;
    mod u32 u32 ('27&0x8f=7' '31=0x527c4833') DROP;

Matches packets which seem malformed or unusual. This match has no
=head2 iptables target modules

The following additional targets are available in ferm, provided that
you enabled them in your kernel:

Compute the packet checksum.

    CHECKSUM checksum-fill;

    CLASSIFY set-class 3:50;

Configure a simple cluster of nodes that share a certain IP and MAC
address. Connections are statically distributed between the nodes.

    CLUSTERIP new hashmode sourceip clustermac 00:12:34:45:67:89
        total-nodes 4 local-node 2 hash-init 12345;

Sets the netfilter mark value associated with a connection.

    CONNMARK set-xmark 42/0xff;
    CONNMARK set-mark 42;
    CONNMARK restore-mark;
    CONNMARK save-mark nfmask 0xff ctmask 0xff;
    CONNMARK save-mark mask 0x7fff;
    CONNMARK restore-mark mask 0x8000;
    CONNMARK and-mark 0x7;
    CONNMARK or-mark 0x4;
    CONNMARK xor-mark 0x7;

=item B<CONNSECMARK>

This module copies security markings from packets to connections (if
unlabeled), and from connections back to packets (also only if
unlabeled). Typically used in conjunction with SECMARK, it is only
valid in the mangle table.

    CONNSECMARK restore;

=item B<DNAT to [ip-address|ip-range|ip-port-range]>

Change the destination address of the packet.

    DNAT to 10.0.0.4:80;
    DNAT to 10.0.0.4:1024-2048;
    DNAT to 10.0.1.1-10.0.1.20;

Provides stateless destination IPv6-to-IPv6 Network Prefix Translation.

    DNPT src-pfx 2001:42::/16 dst-pfx 2002:42::/16;

This target allows you to selectively work around known ECN blackholes.
It can only be used in the mangle table.

Modify the IPv6 Hop Limit field (ip6/mangle only).

Like MARK, i.e. set the fwmark, but the mark is calculated by
hashing the packet selectors of your choice.

    HMARK hmark-tuple "src" hmark-mod "1" hmark-offset "1"
        hmark-src-prefix 192.168.1.0/24 hmark-dst-prefix 192.168.2.0/24
        hmark-sport-mask 0x1234 hmark-dport-mask 0x2345
        hmark-spi-mask 0xdeadbeef hmark-proto-mask 0x42 hmark-rnd 0xc0ffee;

This target can be used to identify when interfaces have been idle for
a certain period of time.

    IDLETIMER timeout 60 label "foo";

=item B<IPV4OPTSSTRIP>

Strip all the IP options from a packet. This module does not take any

This creates an LED trigger that can then be attached to system
indicator lights, to blink or illuminate them when certain packets
pass through the system.
1265 LED led-trigger-id "foo" led-delay 100 led-always-blink;
1269 Log all packets that match this rule in the kernel log. Be carefull
1270 with log flooding. Note that this is a "non-terminating target",
1271 i.e. rule traversal continues at the next rule.
1273 LOG log-level warning log-prefix "Look at this: ";
1274 LOG log-tcp-sequence log-tcp-options;
1279 Sets the netfilter mark field for the packet (a 32 bit integer between
1290 Masquerades matching packets. Optionally followed by a port or
1291 port-range for iptables. Specify as "123", "123-456" or "123:456".
1292 The port range parameter specifies what local ports masqueraded
1293 connections should originate from.
1296 MASQUERADE to-ports 1234:2345;
1297 MASQUERADE to-ports 1234:2345 random;
1301 Experimental demonstration target which inverts the source and
1302 destination fields in the IP header.
1308 Map a whole network onto another network in the B<nat> table.
1310 NETMAP to 192.168.2.0/24;
1314 Disable connection tracking for all packets matching that rule.
1316 proto tcp dport (135:139 445) NOTRACK;
1320 RATEEST rateest-name "foo" rateest-interval 60s rateest-ewmalog 100;
Log packets over netlink; this is the successor of I<ULOG>.

    NFLOG nflog-group 5 nflog-prefix "Look at this: ";
    NFLOG nflog-range 256;
    NFLOG nflog-threshold 10;

Userspace queueing, requires nfnetlink_queue kernel support.

    proto tcp dport ftp NFQUEUE queue-num 20;

Userspace queueing, the predecessor to B<NFQUEUE>. All packets go to

    proto tcp dport ftp QUEUE;

=item B<REDIRECT to-ports [ports]>

Transparent proxying: alter the destination IP of the packet to the

    proto tcp dport http REDIRECT to-ports 3128;
    proto tcp dport http REDIRECT to-ports 3128 random;

Similar to SNAT, but a client is mapped to the same source IP for all

    SAME to 1.2.3.4-1.2.3.7;
    SAME to 1.2.3.8-1.2.3.15 nodst;
    SAME to 1.2.3.16-1.2.3.31 random;

This is used to set the security mark value associated with the packet
for use by security subsystems such as SELinux. It is only valid in

    SECMARK selctx "system_u:object_r:httpd_packet_t:s0";

=item B<SET [add-set|del-set] [setname] [flag(s)]>

Add the IP to the specified set. See L<http://ipset.netfilter.org/>

    proto icmp icmp-type echo-request SET add-set badguys src;
    SET add-set "foo" timeout 60 exist;

=item B<SNAT to [ip-address|ip-range|ip-port-range]>

Change the source address of the packet.

    SNAT to 1.2.3.4:20000-30000;
    SNAT to 1.2.3.4 random;

Provides stateless source IPv6-to-IPv6 Network Prefix Translation.

    SNPT src-pfx 2001:42::/16 dst-pfx 2002:42::/16;

TCP 3-way handshake proxy: let the firewall handle the TCP 3-way handshake and
only establish connection with the server socket once the client handshake has

    SYNPROXY wscale 7 mss 1460 timestamp sack-perm

Alter the MSS value of TCP SYN packets.

    TCPMSS set-mss 1400;
    TCPMSS clamp-mss-to-pmtu;

=item B<TCPOPTSTRIP>

This target will strip TCP options off a TCP packet.

    TCPOPTSTRIP strip-options (option1 option2 ...);

=item B<TOS set-tos [value]>

Set the packet's Type Of Service field to this value. This will be
used by whatever traffic scheduler is willing to, mostly your own
Linux machine, but maybe more. The original TOS bits are blanked and
overwritten by this value.

    TOS set-tos Maximize-Throughput;

Type "iptables -j TOS -h" for details.

Modify the TTL header field.

    TTL ttl-dec 1; # decrease by 1
    TTL ttl-inc 4; # increase by 4

Log packets to a userspace program.

    ULOG ulog-nlgroup 5 ulog-prefix "Look at this: ";
    ULOG ulog-cprange 256;
    ULOG ulog-qthreshold 10;
=head1 OTHER DOMAINS

Since version 2.0, B<ferm> supports not only I<ip> and I<ip6>, but
also I<arp> (ARP tables) and I<eb> (ethernet bridging tables). The
concepts are similar to I<iptables>.

=head2 arptables keywords

=item B<source-ip>, B<destination-ip>

Matches the source or destination IPv4 address. Same as B<saddr> and
B<daddr> in the I<ip> domain.

=item B<source-mac>, B<destination-mac>

Matches the source or destination MAC address.

=item B<interface>, B<outerface>

Input and output interface.

Hardware length of the packet.

    chain INPUT h-length 64 ACCEPT;

Operation code; for details see iptables(8).

    proto-type 0x800 ACCEPT;

The keywords B<mangle-ip-s>, B<mangle-ip-d>, B<mangle-mac-s>,
B<mangle-mac-d>, B<mangle-target> may be used for ARP mangling. See
iptables(8) for details.

=head2 ebtables keywords

Matches the protocol which created the frame, e.g. I<IPv4> or I<PPP>.
For a list, see F</etc/ethertypes>.

=item B<interface>, B<outerface>

Physical input and output interface.

=item B<logical-in>, B<logical-out>

The logical bridge interface.

=item B<saddr>, B<daddr>

Matches source or destination MAC address.

=item B<Match modules>

The following match modules are supported: 802.3, arp, ip, mark_m,
pkttype, stp, vlan, log.

=item B<Target extensions>

The following target extensions are supported: arpreply, dnat, mark,

Please note that there is a conflict between I<--mark> from the
I<mark_m> match module and I<-j mark>. Since both would be
implemented with the ferm keyword B<mark>, we decided to solve this by
writing the target's name in uppercase, like in the other domains.
The following example rewrites mark 1 to 2:

=head1 ADVANCED FEATURES
In complex firewall files, it is helpful to use variables, e.g. to
give a network interface a meaningful name.

To set variables, write:

    @def $DEV_INTERNET = eth0;
    @def $PORTS = (http ftp);
    @def $MORE_PORTS = ($PORTS 8080);

In the real ferm code, variables are used like any other keyword

    chain INPUT interface $DEV_INTERNET proto tcp dport $MORE_PORTS ACCEPT;

Note that variables can only be used in keyword parameters
("192.168.1.1", "http"); they cannot contain ferm keywords like
"proto" or "interface".

Variables are only valid in the current block:

    @def $DEV_INTERNET = eth1;
    proto tcp {
        @def $DEV_INTERNET = ppp0;
        interface $DEV_INTERNET dport http ACCEPT;
    }
    interface $DEV_INTERNET DROP;

will be expanded to:

    proto tcp {
        interface ppp0 dport http ACCEPT;
    }
    interface eth1 DROP;

The "@def $DEV_INTERNET = ppp0" is only valid in the "proto tcp" block;
the parent block still knows "@def $DEV_INTERNET = eth1".

Include files are special: variables declared in an included file are
still available in the calling block. This is useful when you include
a file which only declares variables.

=head2 Automatic variables

Some variables are set internally by ferm. Ferm scripts can use them
just like any other variable.

The name of the configuration file relative to the directory ferm was

The base name of the configuration file.

The directory of the configuration file.

The current domain. One of I<ip>, I<ip6>, I<arp>, I<eb>.

The current netfilter table.

The current netfilter chain.

The line of the current script. It can be used like this:

    LOG log-prefix "rule=$msg:$LINE ";

    &log("log message");

Functions are similar to variables, except that they may have
parameters, and they provide ferm commands, not values.

    @def &FOO() = proto (tcp udp) dport domain;

    @def &TCP_TUNNEL($port, $dest) = {
        table filter chain FORWARD interface ppp0 proto tcp dport $port daddr $dest outerface eth0 ACCEPT;
        table nat chain PREROUTING interface ppp0 proto tcp dport $port daddr 1.2.3.4 DNAT to $dest;
    }

    &TCP_TUNNEL(http, 192.168.1.33);
    &TCP_TUNNEL(ftp, 192.168.1.30);
    &TCP_TUNNEL((ssh smtp), 192.168.1.2);

A function call which contains a block (like '{...}') must be the last
command in a ferm rule, i.e. it must be followed by ';'. The '&FOO()'
example does not contain a block, thus you may write 'ACCEPT' after
the call. To circumvent this, you can reorder the keywords:

    @def &IPSEC() = { proto (esp ah); proto udp dport 500; }
    chain INPUT ACCEPT &IPSEC();

With backticks, you may use the output of an external command:

    @def $DNSSERVERS = `grep nameserver /etc/resolv.conf | awk '{print $2}'`;
    chain INPUT proto tcp saddr $DNSSERVERS ACCEPT;

The command is executed with the shell (F</bin/sh>), just like
backticks in Perl. ferm does not do any variable expansion here.

The output is then tokenized and saved as a ferm list (array). Lines
beginning with '#' are ignored; the other lines may contain any number
of values, separated by whitespace.
The B<@include> keyword allows you to include external files:

    @include 'vars.ferm';

The file name is relative to the calling file, e.g. when including
from F</etc/ferm/ferm.conf>, the above statement includes
F</etc/ferm/vars.ferm>. Variables and functions declared in an
included file are still available in the calling file.

B<@include> works within a block:

    @include 'input.ferm';

If you specify a directory (with a trailing '/'), all files in this
directory are included, sorted alphabetically:

The function @glob can be used to expand wild cards:

    @include @glob('*.include');

With a trailing pipe symbol, B<ferm> executes a shell command and

    @include "/root/generate_ferm_rules.sh $HOSTNAME|";

B<ferm> aborts if the return code is not 0.
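Both the backtick form above and the piped B<@include> hand whatever a shell command prints straight to ferm: backtick output becomes a list, piped output becomes ferm syntax, and ferm aborts when the command's return code is not 0. The script below is an added example, not part of ferm or its manual, of a generator written with that in mind: it prints only tokens it has validated, uses '#' lines for anything meant for humans, and fails loudly (non-zero exit) instead of emitting an empty or partial result. The host table, ports and the resolv.conf contents it is tested with are constructed for the example.

```shell
#!/bin/sh
# Added example (not ferm's own code): a generator script of the kind
# ferm runs via backticks or via @include "cmd ARGS|". Host names,
# ports and file paths are constructed for illustration.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet 0-255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Backtick-style generator: print the nameserver addresses found in the
# resolv.conf given as $1, one per line, skipping anything that is not a
# valid IPv4 address. The '#' line is ignored by ferm's tokenizer.
# Returns 1 when no usable address was found, so that an empty
# $DNSSERVERS list never silently reaches a rule.
nameservers() {
    found=0
    echo "# generated from $1"
    while read -r key value rest; do
        [ "$key" = nameserver ] || continue
        is_ipv4 "$value" || continue
        echo "$value"
        found=1
    done < "$1"
    [ "$found" -eq 1 ]
}

# @include "cmd HOSTNAME|"-style generator: print ferm rules for the host
# named in $1 from the constructed table below. An unknown host returns
# 1, which makes ferm abort instead of loading a ruleset with a hole.
generate_ferm_rules() {
    case "$1" in
        web01)  ports="(http https)" ;;
        mail01) ports="(smtp imaps)" ;;
        *)      echo "# unknown host: $1" >&2; return 1 ;;
    esac
    echo "# rules generated for $1"
    echo "chain INPUT proto tcp dport $ports ACCEPT;"
    echo "chain INPUT proto tcp dport ssh mod state state NEW ACCEPT;"
}

# Usage: sh generate_ferm_rules.sh HOSTNAME   (prints the rules for HOSTNAME)
if [ $# -gt 0 ]; then
    generate_ferm_rules "$1"
fi
```

Installed as F</root/generate_ferm_rules.sh>, the script is what the manual's `@include "/root/generate_ferm_rules.sh $HOSTNAME|"` line would run; the `nameservers` function shows the same validation applied to a backtick command such as the `$DNSSERVERS` example.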
The keyword B<@if> introduces a conditional expression:

    @if $condition DROP;

A value is evaluated true just like in Perl: zero, empty list, empty
string are false, everything else is true. Examples for true values:

    (a b); 1; 'foo'; (0 0)

Examples for false values:

There is also B<@else>:

    @if $condition DROP; @else REJECT;

Note the semicolon before the B<@else>.

It is possible to use curly braces after either B<@if> or B<@else>:

Since the closing curly brace also finishes the command, there is no

There is no B<@elsif>, use B<@else @if> instead.

    @def $have_ipv6 = `test -f /proc/net/ip6_tables_names && echo 1 || echo`;

To run custom commands, you may install hooks:

    @hook pre "echo 0 >/proc/sys/net/ipv4/conf/eth0/forwarding";
    @hook post "echo 1 >/proc/sys/net/ipv4/conf/eth0/forwarding";
    @hook flush "echo 0 >/proc/sys/net/ipv4/conf/eth0/forwarding";

The specified command is executed using the shell. "pre" means run
the command before applying the firewall rules, and "post" means run
the command afterwards. "flush" hooks are run after ferm has flushed
the firewall rules (option --flush). You may install any number of
=head1 BUILT-IN FUNCTIONS

There are several built-in functions which you might find useful.

=head2 @defined($name), @defined(&name)

Tests if the variable or function is defined.

    @if @defined($a) good;
    @if @not(@defined($a)) bad;
    @if @defined(&funcname) good;

Tests two values for equality. Example:

    @if @eq($DOMAIN, ip6) DROP;

Similar to @eq, this tests for non-equality.

Negates a boolean value.

=head2 @resolve((hostname1 hostname2 ...), [type])

Usually, host names are resolved by iptables. To let ferm resolve
host names, use the function @resolve:

    saddr @resolve(my.host.foo) proto tcp dport ssh ACCEPT;
    saddr @resolve((another.host.foo third.host.foo)) proto tcp dport openvpn ACCEPT;
    daddr @resolve(ipv6.google.com, AAAA) proto tcp dport http ACCEPT;

Note the double parentheses in the second line: the inner pair for
creating a ferm list, and the outer pair as function parameter

The second parameter is optional, and specifies the DNS record type.

Be careful with resolved host names in firewall configuration. DNS
requests may block the firewall configuration for a long time, leaving
the machine vulnerable, or they may fail.

=head2 @cat(a, b, ...)

Concatenate all parameters into one string.

=head2 @substr(expression, offset, length)

Extracts a substring out of expression and returns it. The first
character is at offset 0. If offset is negative, the substring starts
that far from the end of the string.

=head2 @length(expression)

Returns the length in characters of the value of expression.

=head2 @basename(path)

Return the base name of the file for a given path
(File::Spec::splitpath).

=head2 @dirname(path)

Return the name of the last directory for a given path, assuming the
last component is a file name (File::Spec::splitpath).

Expand shell wildcards in the given paths (assumed to be relative to
the current script). Returns a list of matching files. This function
is useful as parameter of @include.

=head2 @ipfilter(list)

Filters out the IP addresses that obviously do not match the current
domain. That is useful to create common variables and rules for IPv4

    @def $TRUSTED_HOSTS = (192.168.0.40 2001:abcd:ef::40);

    domain (ip ip6) chain INPUT {
        saddr @ipfilter($TRUSTED_HOSTS) proto tcp dport ssh ACCEPT;
    }
The F<./examples/> directory contains numerous ferm configuration files
which can be used to begin a new firewall. This section contains more
samples, recipes and tricks.

=head2 Easy port forwarding

Ferm functions make routine tasks quick and easy:

    @def &FORWARD_TCP($proto, $port, $dest) = {
        table filter chain FORWARD interface $DEV_WORLD outerface $DEV_DMZ daddr $dest proto $proto dport $port ACCEPT;
        table nat chain PREROUTING interface $DEV_WORLD daddr $HOST_STATIC proto $proto dport $port DNAT to $dest;
    }

    &FORWARD_TCP(tcp, http, 192.168.1.2);
    &FORWARD_TCP(tcp, smtp, 192.168.1.3);
    &FORWARD_TCP((tcp udp), domain, 192.168.1.4);

=head2 Remote B<ferm>

If the target machine is not able to run B<ferm> for some reason
(maybe an embedded device without Perl), you can edit the B<ferm>
configuration file on another computer and let B<ferm> generate a

Example for OpenWRT:

    ferm --remote --shell mywrt/ferm.conf >mywrt/firewall.user
    chmod +x mywrt/firewall.user
    scp mywrt/firewall.user mywrt.local.net:/etc/
    ssh mywrt.local.net /etc/firewall.user
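In the OpenWRT sequence above, the shell redirection creates F<firewall.user> even when B<ferm> fails half-way, so an empty or truncated script can be copied and executed on a device that has no way to regenerate it. The wrapper below is an added example, not part of ferm, that checks the generated script before it is shipped: it must be non-empty, pass the shell's syntax check, and contain the iptables-restore(8) call that B<--shell> output is documented to make. The host name and output path are assumptions taken from the manual's example.

```shell
#!/bin/sh
# Added example (not ferm's own code): verify a "ferm --remote --shell"
# result before deploying it to a device that cannot run ferm itself.

# Return 0 if the generated script at $1 looks complete: non-empty,
# syntactically valid for sh, and calling iptables-restore (which is what
# --shell output does according to the ferm manual).
check_generated_script() {
    script=$1
    [ -s "$script" ] || { echo "$script: empty or missing" >&2; return 1; }
    sh -n "$script" || { echo "$script: syntax error" >&2; return 1; }
    grep -q 'iptables-restore' "$script" || {
        echo "$script: no iptables-restore call found" >&2
        return 1
    }
    return 0
}

# Generate, verify, then deploy. Each step runs only if the previous one
# succeeded, so a failed generation never reaches scp/ssh.
# Usage: deploy_remote mywrt/ferm.conf mywrt/firewall.user mywrt.local.net
deploy_remote() {
    conf=$1; out=$2; host=$3
    ferm --remote --shell "$conf" >"$out" &&
    check_generated_script "$out" &&
    chmod +x "$out" &&
    scp "$out" "$host:/etc/" &&
    ssh "$host" /etc/firewall.user
}
```

The check is deliberately cheap and offline; it does not prove the ruleset is correct, only that a complete script was produced, which is the failure the plain redirection hides.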
Do not execute the iptables(8) commands, but skip them instead. This way
you can parse your data; use B<--lines> to view the output.

Clears the firewall rules and sets the policy of all chains to ACCEPT.
B<ferm> needs a configuration file for that to determine which domains
and tables are affected.

Show the firewall lines that were generated from the rules. They
will be shown just before they are executed, so if you get error
messages from iptables(8) etc., you can see which rule caused

=item B<--interactive>

Apply the firewall rules and ask the user for confirmation. Reverts
to the previous ruleset if there is no valid user response within 30
seconds (see B<--timeout>). This is useful for remote firewall
administration: you can test the rules without fearing to lock

=item B<--timeout S>

If B<--interactive> is used, then roll back if there is no valid user
response after this number of seconds. The default is 30.

Show a brief list of available commandline options.

Shows the version number of the program.

Enable fast mode: ferm generates an iptables-save(8) file and
installs it with iptables-restore(8). This is much faster than calling
iptables(8) once for every rule, which is what ferm does without fast mode.

Fast mode is enabled by default since B<ferm> 2.0, deprecating this

Disable fast mode, i.e. run iptables(8) for every rule, and don't use
iptables-restore(8).

Generate a shell script which calls iptables-restore(8) and prints it.
Implies --fast --lines.

Generate rules for a remote machine. Implies B<--noexec> and
B<--lines>. Can be combined with B<--shell>.

=item B<--domain {ip|ip6}>

Handle only the specified domain. B<ferm> output may be empty if the
domain is not configured in the input file.

=item B<--def '$name=value'>

Override a variable defined in the configuration file.

=head2 Operating system

Linux 2.4 or newer, with netfilter support and all netfilter modules
used by your firewall script

iptables and perl 5.6

If you find a bug, please tell us: ferm@foo-projects.org

Copyright (C) 2001-2012 Max Kellermann <max@foo-projects.org>, Auke
Kok <sofar@foo-projects.org>

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or (at
your option) any later version.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307

Max Kellermann <max@foo-projects.org>, Auke Kok
<sofar@foo-projects.org>