
                         Drawbridge Manager 3.0


Drawbridge Manager (dbmgr) is a tool for managing the drawbridge filter
engine within the FreeBSD kernel.  It is used to control all functions of
Drawbridge.

How To Use
----------

o Introduction

dbmgr is an interactive program with an interface modeled after lpc, though
it provides more feedback and help than your typical Unix tool.  It takes no
command line switches, and because it simply reads commands from its input
it can be driven from a script as easily as from the keyboard.

o Commands

Once you have started dbmgr, you can use "help" or "?" to get help.  The
following is a list of supported commands:

   INIT <inside dev> <outside dev> <listen mode>
   START
   STOP
   SET (LogFacility | LogMask) <val>
   SET (MULticast | NonIP | OtherIP | SuspectOffset |
        FragmentedICMP | AttackICMP) (FORward | DIScard)
   Load FILters <filename>
   CLeaR (FILters | STats | BRidge)
   SHow (Host <host> | CLass <class | host> | NETworks | ACCept | REJect |
         OVerride | FLags | STats | LogFacility | LogMask | BRidge)
   MONitor [ INTerval <val> ]
   HELP [ <command> ]
   ! <shell command>
   EXit

Commands are case insensitive and may be abbreviated to the capitalized
portion shown above.  The capitalized letters need not be contiguous: CLeaR
may be abbreviated to clr, and Load FILters to l fil.  If a '#' appears
anywhere in a line of input, the remainder of that line is treated as a
comment.  A '!' at the beginning of a line is a shell escape; the rest of
the line is passed to the shell.  If you type "help <command>", dbmgr will
print help about that <command>.
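The rules above are easy to get subtly wrong in a script, so here is an added parser (not part of dbmgr) that applies them to a scripted session: case-insensitive keywords abbreviated to their capitalized letters, '#' comments, '!' shell escapes, and the ordering rule from the Init section below that only 'set logfacility' and 'set logmask' may precede 'init'.  Two points are assumptions rather than statements from the manual: partial spellings other than the full word or the capitalized letters (e.g. "clea") are rejected, and only the command word and keyword-valued arguments are expanded, so a device or host literally named "lf" is never mistaken for LogFacility.  The sample session is constructed for the example.

```python
# Added example: a parser for dbmgr's command syntax (not dbmgr's own code).
# Keywords are written exactly as the help text writes them; the capitalized
# letters form the accepted abbreviation (CLeaR -> CLR, Load FILters -> L FIL).
KEYWORDS = [
    "INIT", "START", "STOP", "SET", "Load", "FILters", "CLeaR", "STats",
    "BRidge", "SHow", "Host", "CLass", "NETworks", "ACCept", "REJect",
    "OVerride", "FLags", "MONitor", "INTerval", "HELP", "EXit",
    "LogFacility", "LogMask", "MULticast", "NonIP", "OtherIP",
    "SuspectOffset", "FragmentedICMP", "AttackICMP", "FORward", "DIScard",
]

def _forms(keyword):
    """The two accepted spellings of a keyword, upper-cased (assumption:
    nothing in between, such as 'clea', is accepted)."""
    return {keyword.upper(), "".join(ch for ch in keyword if ch.isupper())}

_TABLE = {form: kw.upper() for kw in KEYWORDS for form in _forms(kw)}
_TABLE["?"] = "HELP"                      # "help" or "?" both give help

# Argument positions (after the command word) that hold keywords.  Device
# names, numbers, hosts and file names are never expanded.
KEYWORD_ARGS = {
    "INIT": (), "START": (), "STOP": (), "EXIT": (),
    "SET": (0,), "LOAD": (0,), "CLEAR": (0,), "SHOW": (0,),
    "MONITOR": (0,), "HELP": (0,),
}
VARIABLES = {"LOGFACILITY", "LOGMASK"}
FLAGS = {"MULTICAST", "NONIP", "OTHERIP", "SUSPECTOFFSET",
         "FRAGMENTEDICMP", "ATTACKICMP"}
# Commands the manual says are invalid before INIT (plus SET of any flag).
NEEDS_INIT = {"START", "STOP", "LOAD", "CLEAR", "SHOW", "MONITOR"}

def expand(token):
    """Canonical upper-case keyword for token, or token unchanged if it is
    not a known spelling."""
    return _TABLE.get(token.upper(), token)

def parse_line(line):
    """Parse one input line.

    Returns None for a blank or comment-only line, ("!", command) for a
    shell escape, or (COMMAND, [args]) with keywords canonicalized.
    Raises ValueError for an unknown command word or a malformed SET.
    """
    line = line.split("#", 1)[0].strip()          # comment runs to end of line
    if not line:
        return None
    if line.startswith("!"):
        return ("!", line[1:].strip())
    words = line.split()
    cmd = expand(words[0])
    if cmd not in KEYWORD_ARGS:
        raise ValueError(f"unknown command {words[0]!r}")
    args = words[1:]
    for pos in KEYWORD_ARGS[cmd]:
        if pos < len(args):
            args[pos] = expand(args[pos])
    if cmd == "SET":
        if len(args) < 2:
            raise ValueError("SET needs a variable or flag and a value")
        if args[0] in FLAGS:
            args[1] = expand(args[1])
            if args[1] not in ("FORWARD", "DISCARD"):
                raise ValueError(f"{args[0]} takes FORWARD or DISCARD")
        elif args[0] not in VARIABLES:
            raise ValueError(f"SET: unknown variable or flag {args[0]!r}")
    return (cmd, args)

def parse_script(text):
    """Parse a scripted session and enforce the manual's rule that only
    'set logfacility' and 'set logmask' may precede 'init'.  Treating help,
    exit and shell escapes as harmless before init is an assumption."""
    parsed, initialized = [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        item = parse_line(line)
        if item is None:
            continue
        cmd, args = item
        if cmd == "INIT":
            initialized = True
        elif not initialized and (cmd in NEEDS_INIT
                                  or (cmd == "SET" and args[0] in FLAGS)):
            raise ValueError(f"line {lineno}: {cmd} is not valid before INIT")
        parsed.append(item)
    return parsed

# Constructed sample session (not from the manual): the bring-up order the
# manual describes, using abbreviations, comments and a shell escape.
SAMPLE_SCRIPT = """\
set lf local0            # syslog facility, allowed before init
set lm 0x32              # initialized + incoming/outgoing port messages
init fxp0 fxp1 inside
set mul discard
set so discard           # SuspectOffset
l fil /etc/db_filters
clr st
start
! date
sh st
ex
"""

if __name__ == "__main__":
    for cmd, args in parse_script(SAMPLE_SCRIPT):
        print(cmd, args)
```

Running the script prints each line in canonical form; feeding the same text to the real dbmgr (e.g. with a here-document) is how it would be used in practice, so the parser doubles as a pre-flight check that a script will not trip over an abbreviation or an out-of-order command.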

o Init

  The 'init' command initializes the Drawbridge code within the kernel and
  must be run before Drawbridge will function.  The only commands valid
  before 'init' are 'set logfacility' and 'set logmask'.  The 'init'
  command takes three parameters: the device name of the inside interface,
  the device name of the outside interface, and the listen mode.  The
  listen mode may be "inside", "outside", "both", or "none".  If listening
  is enabled for an interface, packets arriving on that interface which are
  addressed to the Drawbridge system itself will be accepted; otherwise
  they will be discarded.  If listening is not enabled for either
  interface, all packets addressed to the Drawbridge system are discarded
  and the system is completely unreachable from the network, although it
  still bridges traffic between the two interfaces once started.  "none" is
  the most secure choice, but it means dbmgr must be run from the console.

o Start/Stop

  Enable or disable the drawbridge filter engine within the FreeBSD kernel.
  No packets will pass between the two interfaces before drawbridge is
  started or after it has been stopped.

o Set

  Used to set a global variable or flag.  The possible arguments are:

  o LogFacility

    The LogFacility variable selects the syslog facility under which
    drawbridge's messages are submitted to the Unix syslog daemon, and hence
    how syslogd routes them.  It may be set to any valid syslog facility;
    some examples are "user", "daemon", and "local0".  Which messages are
    generated at all is controlled by LogMask, not by LogFacility.

  o LogMask

    The LogMask variable controls which messages will be generated by the
    drawbridge filter engine.  The value of the mask is a hexadecimal or
    decimal number such as 0x123ABC or 1194684 (the same value written both
    ways).  The default log mask is 0, which disables all filter messages.
    Each filter message may be enabled or disabled by setting or clearing
    the appropriate bit in the log mask.

    The following table of syslog messages and values may be used to
    generate a mask.  Simply add up the decimal values (or bitwise OR the
    hex values) for the messages that you wish to receive and set LogMask to
    that value.  Note that this table is different from the one in version
    2.x of drawbridge, so a log mask carried over from a 2.x configuration
    will enable different messages and must be recomputed.

    Message                                        Hex Value  (Decimal)
    --------------------------------------------------------------------
    unknown event                                  0x00000001 (       1)
    initialized                                    0x00000002 (       2)
    incoming class D ...                           0x00000004 (       4)
    outgoing class D ...                           0x00000008 (       8)
    incoming port ...                              0x00000010 (      16)
    outgoing port ...                              0x00000020 (      32)
    incoming type ...                              0x00000040 (      64)
    outgoing type ...                              0x00000080 (     128)
    outgoing via accept table ...                  0x00000100 (     256)
    incoming via reject table ...                  0x00000200 (     512)
    outgoing via override table ...                0x00000400 (    1024)
    incoming header too short ...                  0x00000800 (    2048)
    outgoing header too short ...                  0x00001000 (    4096)
    incoming D-O-S attack ...                      0x00002000 (    8192)
    outgoing D-O-S attack ...                      0x00004000 (   16384)
    incoming IP ...                                0x00008000 (   32768)
    outgoing IP ...                                0x00010000 (   65536)
    incoming fragment with IP offset == 1 ...      0x00020000 (  131072)
    outgoing fragment with IP offset == 1 ...      0x00040000 (  262144)
    incoming fragment ...                          0x00080000 (  524288)
    outgoing fragment  ...                         0x00100000 ( 1048576)
    incoming MAC layer protocol                    0x00200000 ( 2097152)
    outgoing MAC layer protocol                    0x00400000 ( 4194304)

  o Flags

    There are several flags which may be used to alter global filtering
    rules.  The possible settings for these flags are 'forward' or
    'discard'.  They are all set to 'forward' by default, so a freshly
    initialized Drawbridge passes non-IP, multicast and non-TCP/UDP/ICMP
    traffic untouched; any flag your policy needs must be set to 'discard'
    explicitly, preferably before 'start'.

    o Multicast

      This flag controls whether IP multicast packets are forwarded or
      discarded.

    o NonIP

      This flag controls whether protocol layer traffic other than IP, ARP,
      or RARP is forwarded or discarded.

    o OtherIP

      This flag controls whether IP layer traffic other than TCP, UDP, or
      ICMP is forwarded or discarded.

    o SuspectOffset

      This flag controls whether TCP/IP fragments with an offset of 1 should
      be forwarded or discarded.  An offset of 1 (8 bytes) places the
      fragment over the tail of the TCP header, including the flags byte, so
      a second fragment can rewrite fields the filter already examined in
      the first fragment (the overlapping fragment attack of RFC 1858);
      legitimate traffic almost never produces such a fragment.  The flag is
      mainly used to protect internal machines that may have poorly written
      IP fragment reassembly routines.  The default setting is 'forward'
      since discarding these packets could, though unlikely, discard valid
      traffic.

    o FragmentedICMP

      This flag controls whether fragmented ICMP packets should be forwarded
      or discarded.  This is mainly used to block denial of service attacks
      which use fragmented ICMP echo packets; the "ping of death", an ICMP
      echo whose fragments reassemble to more than the 65535-byte IP maximum,
      is the best known example.  The default setting is 'forward' since
      discarding these packets could, though unlikely, discard valid traffic
      (an ICMP packet larger than the link MTU is legitimately fragmented).

    o AttackICMP

      This flag controls whether ICMP packets containing the characteristics
      of a few known ICMP attacks are forwarded or discarded.  The default
      setting is 'forward' since discarding these packets could, though
      unlikely, discard valid traffic.
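To make precise what each flag matches at the packet level, here is an added classifier (not Drawbridge code) that applies the flag definitions above to raw Ethernet frames and combines the result with a forward/discard setting per flag.  AttackICMP is left out because the manual does not say which ICMP attack signatures it covers.  One assumption: SuspectOffset is applied to any IP fragment with offset 1, not only TCP, since the manual says "TCP/IP fragments" without defining the scope further.  The frames are constructed in the example, not captured traffic.

```python
# Added example (not Drawbridge code): which global flags apply to a frame.
import socket
import struct

ETHERTYPE_IP, ETHERTYPE_ARP, ETHERTYPE_RARP = 0x0800, 0x0806, 0x8035
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
IP_MF = 0x2000            # "more fragments" bit in the flags/offset field
IP_OFFMASK = 0x1FFF       # fragment offset, in 8-byte units

def matching_flags(frame):
    """Return the set of flag names that apply to an Ethernet frame."""
    hits = set()
    if len(frame) < 14:
        return hits                       # not even an Ethernet header
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype not in (ETHERTYPE_IP, ETHERTYPE_ARP, ETHERTYPE_RARP):
        hits.add("NonIP")                 # IPX, AppleTalk, ...
        return hits
    if ethertype != ETHERTYPE_IP:
        return hits                       # ARP and RARP pass the NonIP test
    ip = frame[14:]
    if len(ip) < 20 or (ip[0] >> 4) != 4:
        return hits                       # runt: the "header too short" path, not a flag
    proto = ip[9]
    (flags_frag,) = struct.unpack("!H", ip[6:8])
    offset = flags_frag & IP_OFFMASK
    fragmented = offset != 0 or bool(flags_frag & IP_MF)
    if (ip[16] & 0xF0) == 0xE0:           # destination in 224.0.0.0/4
        hits.add("Multicast")
    if proto not in (PROTO_TCP, PROTO_UDP, PROTO_ICMP):
        hits.add("OtherIP")
    if offset == 1:                       # assumption: any protocol, not only TCP
        hits.add("SuspectOffset")
    if proto == PROTO_ICMP and fragmented:
        hits.add("FragmentedICMP")        # first fragment (MF) or any later one
    return hits

def verdict(frame, settings):
    """'discard' if any matching flag is set to discard, else 'forward'.
    settings maps flag name -> "forward"/"discard"; unset flags default to
    forward, as the manual says."""
    if any(settings.get(f, "forward") == "discard" for f in matching_flags(frame)):
        return "discard"
    return "forward"

# --- constructed test frames (not captured traffic) -----------------------
def ethernet(ethertype, payload=b""):
    return b"\x00" * 12 + struct.pack("!H", ethertype) + payload

def ipv4(proto, dst, offset=0, more=False, payload=b"\x00" * 8):
    flags_frag = (IP_MF if more else 0) | (offset & IP_OFFMASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton("192.0.2.10"), socket.inet_aton(dst))
    return ethernet(ETHERTYPE_IP, hdr + payload)

SAMPLES = {
    "ipx":             ethernet(0x8137, b"\x00" * 30),
    "arp":             ethernet(ETHERTYPE_ARP, b"\x00" * 28),
    "tcp":             ipv4(PROTO_TCP, "198.51.100.5"),
    "udp_mcast":       ipv4(PROTO_UDP, "239.1.1.1"),
    "gre":             ipv4(47, "198.51.100.5"),
    "tcp_offset1":     ipv4(PROTO_TCP, "198.51.100.5", offset=1),
    "icmp_first_frag": ipv4(PROTO_ICMP, "198.51.100.5", more=True),
    "icmp_offset1":    ipv4(PROTO_ICMP, "198.51.100.5", offset=1),
}

if __name__ == "__main__":
    policy = {"NonIP": "discard", "SuspectOffset": "discard"}
    for name, frame in SAMPLES.items():
        print(name, sorted(matching_flags(frame)), verdict(frame, policy))
```

Note that the ICMP fragment with offset 1 trips two flags at once; either one set to 'discard' is enough to drop it, which is the same "any discard wins" semantics the classifier implements in verdict().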

o Load

  The load command is used to load the filter tables file 'db_filters' which
  is generated by the filter compiler (see the file COMPILER).  The newly
  loaded tables will take effect immediately.

o Clear

  The clear command can be used to clear the filter tables, the statistics,
  or the bridge table.  If the filter tables are cleared, drawbridge will
  fall back to the default filter tables.  The changes take effect
  immediately.

o Show

  The show command will display the specified filter table information,
  flags, variables, statistics, or the bridge table.

o Monitor

  The monitor command displays a full screen of packet statistics which is
  updated once per second, or every <val> seconds if 'interval' is given.
  The stats include total packets and total bytes for each interface,
  aggregate throughput, packets and bytes per update interval (one second
  by default), number of bridge table entries, and number of dropped
  packets.  The space bar switches to a second screen showing a breakdown
  of the number of filtered packets.  The 'q' key quits back to the dbmgr
  prompt.

o Exit

  Exits the filter manager.
