Drawbridge Manager
Usage: dbmgr [-v] [ command ]
Switches:
-v Display the version and copyright notice and exit.
The program dbmgr is the manager portion of the Drawbridge package. It is
used to control all functions of the Drawbridge filter code within the
kernel. It can be used to initialize, start, or stop Drawbridge as well as
load or clear the filter configuration, set or show options, or monitor the
operation of Drawbridge.
With no arguments, dbmgr runs interactively, prompting with `dbmgr>'. If
arguments are supplied, dbmgr interprets the first as a command to execute;
each subsequent argument is taken as a parameter for that command.
Standard input can be redirected so that dbmgr reads commands from a file.
Usage
-----
o Commands
The following is a list of supported commands:
SET (MULticast | NonIP | OtherIP | SuspectOffset |
FragmentedICMP | AttackICMP) (FORward | DIScard)
Load FILters <filename>
CLeaR (BRidge | FILters | STats)
SHow (Host <host> | CLass <class | host> [w] | TCPreset |
ACCept | REJect | OVerride | FLags | STats | BRidge)
MONitor [ INTerval <seconds> ]
HELP [ <command> ]
! <shell command>
EXit

Commands are case insensitive and may be abbreviated to the capitalized
portion. For example, CLeaR may be abbreviated to clr. If a '#' appears
anywhere in a line of input, the remainder of that line will be treated as
a comment. A '!' at the beginning of a line can be used as a shell escape.

o HELP [ <command> ]

  Display a short description of the specified command or, if no arguments
  are given, a list of all the recognized commands.

o SET (MULticast | NonIP | OtherIP | SuspectOffset |
       FragmentedICMP | AttackICMP) (FORward | DIScard)

  Used to set a flag. The possible arguments are:

  o Flags

    There are several flags which may be used to alter global filtering
    rules. The possible settings for these flags are 'forward' or
    'discard'. They are all set to 'forward' by default.

    o Multicast

      This flag controls whether IP multicast packets are forwarded or
      discarded.

    o NonIP

      This flag controls whether protocol layer traffic other than IP,
      ARP, or RARP is forwarded or discarded.

    o OtherIP

      This flag controls whether IP layer traffic other than TCP, UDP, or
      ICMP is forwarded or discarded.

    o SuspectOffset

      This flag controls whether TCP/IP fragments with an offset of 1
      should be forwarded or discarded. This is mainly used to protect
      internal machines that may have poorly written IP fragment
      reassembly routines. The default setting is 'forward' since
      discarding these packets could, though unlikely, discard valid
      traffic.

    o FragmentedICMP

      This flag controls whether fragmented ICMP packets should be
      forwarded or discarded. This is mainly used to block denial of
      service attacks which use fragmented ICMP echo reply packets. For
      example, the "ping of death" is a denial of service attack of this
      type. The default setting is 'forward' since discarding these
      packets could, though unlikely, discard valid traffic.

    o AttackICMP

      This flag controls whether ICMP packets containing the
      characteristics of a few known ICMP attacks are forwarded or
      discarded. The default setting is 'forward' since discarding these
      packets could, though unlikely, discard valid traffic.

o Load FILters <filename>

  The load command is used to load the filter tables file 'db_filters'
  which is generated by the filter compiler (see the file COMPILER). The
  new tables will take effect immediately. Loading a new filter table file
  will not cause any packets to be dropped or any packets to be "leaked"
  through the filters. The new tables are inactive as they are being
  loaded/built in memory. The switch from the old tables to the new tables
  is an atomic operation performed between packets. The memory containing
  the old tables is then freed.

o CLeaR (BRidge | FILters | STats)

  The clear command can be used to clear the bridge table, filter tables,
  or statistics. If the filter tables are cleared, Drawbridge will fall
  back to the default filter tables. The changes take effect immediately.

o SHow (Host <host> | CLass <class | host> [w] | TCPreset |
        ACCept | REJect | OVerride | FLags | STats | BRidge)

  The show command will display the specified filter table information,
  flags, variables, statistics, or the bridge table. The optional 'w'
  parameter for 'CLass' will produce output in a wide format.

o MONitor [ INTerval <seconds> ]

  The monitor command will display a full screen of packet statistics
  which is updated once per second. The stats include total packets and
  total bytes for each interface, aggregate throughput, packets and bytes
  per second (by default), number of bridge table entries, and number of
  dropped packets. The space bar will change screens to display a
  breakdown of the number of filtered packets. The 'q' key will quit back
  to the dbmgr prompt.

o EXit

  Exits the filter manager.
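An added example, not part of the Drawbridge distribution: a small Python auditor for a dbmgr command file of the kind fed on standard input. It applies the abbreviation and '#' comment rules described above, reports which of the six flags end up at 'forward', and lists any '!' shell escapes. It assumes a word is accepted only in full or as exactly its capitalized letters; the names match, audit and SAMPLE are hypothetical.

```python
# Added example (not Drawbridge code): audit a dbmgr command file.
FLAGS = ["MULticast", "NonIP", "OtherIP", "SuspectOffset",
         "FragmentedICMP", "AttackICMP"]
ACTIONS = ["FORward", "DIScard"]

def match(word, names):
    """Match `word` against names, case-insensitively. Assumption: only the
    full word or exactly its capitalized letters (CLeaR -> clr) is accepted."""
    w = word.lower()
    for name in names:
        abbrev = "".join(c for c in name if c.isupper()).lower()
        if w in (name.lower(), abbrev):
            return name
    return None

def audit(text):
    """Return (final flag settings, shell-escape lines, invalid SET lines)."""
    state = {f: "FORward" for f in FLAGS}     # documented default
    escapes, bad = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("!"):               # shell escape: report, don't run
            escapes.append((n, raw.strip()))
            continue
        words = raw.split("#", 1)[0].split()  # '#' starts a comment
        if not words or match(words[0], ["SET"]) is None:
            continue                          # other commands are out of scope
        flag = match(words[1], FLAGS) if len(words) == 3 else None
        action = match(words[2], ACTIONS) if len(words) == 3 else None
        if flag and action:
            state[flag] = action
        else:
            bad.append((n, raw.strip()))
    return state, escapes, bad

# Constructed sample command file (not from the Drawbridge distribution).
SAMPLE = """\
# perimeter policy
set fragmentedicmp discard
SET SO DIS            # abbreviated flag and action
set attackicmp for    # explicitly left at the default
set nonip drop        # 'drop' is not a valid setting
! date
load filters db_filters
"""

if __name__ == "__main__":
    settings, escapes, bad = audit(SAMPLE)
    print({f: a for f, a in settings.items() if a == "FORward"}, escapes, bad)
```

Run against a real command file, the flags still reported as FORward are the ones the file leaves at the permissive default.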
Last Updated: Tue, Jun 30, 2009
