NetBSD 6.1.5 - man page for ipf (netbsd section 8)

IPF(8)											   IPF(8)

NAME
       ipf - alters packet filtering lists for IP packet input and output

SYNOPSIS
       ipf  [  -6AcdDEInoPrsvVyzZ  ]  [  -l  <block|pass|nomatch>  ]  [  -T  <optionlist>  ] [ -F
       <i|o|a|s|S> ] -f <filename> [ -f <filename> [...]]

DESCRIPTION
       ipf opens the filenames listed (treating "-" as stdin) and parses the file for  a  set  of
       rules which are to be added or removed from the packet filter rule set.

       Each rule processed by ipf is added to the kernel's internal lists if there are no parsing
       problems.  Rules are added to the end of the internal lists, matching the order in which
       they appear when given to ipf.

OPTIONS
       -6     This option is required to parse IPv6 rules and to have them loaded.

       -A     Set the list to make changes to the active list (default).

       -c <language>
              This option causes ipf to generate output files for a compiler that supports
              language.  At present, the only target language supported is C (-cc), for which
              two files, ip_rules.c and ip_rules.h, are generated in the CURRENT DIRECTORY when
              ipf is run.  These files can be used with the IPFILTER_COMPILED kernel option to
              build filter rules statically into the kernel.

       -d     Turn  debug  mode  on.  Causes a hexdump of filter rules to be generated as it pro-
	      cesses each one.

       -D     Disable the filter (if enabled).  Not effective for loadable kernel versions.

       -E     Enable the filter (if disabled).  Not effective for loadable kernel versions.

       -F <i|o|a>
	      This option specifies which filter list to flush.  The parameter should  either  be
	      "i" (input), "o" (output) or "a" (remove all filter rules).  Either a single letter
              or an entire word starting with the appropriate letter may be used.  This option
              may appear before or after any other option; options are executed in the order in
              which they appear on the command line.

       -F <s|S>
              To flush entries from the state table, the -F option is used in conjunction with
              either "s" (removes state information about any non-fully established connections)
              or "S" (deletes the entire state table).  Only one of the two options may be given.
	      A fully established connection will show up in ipfstat -s output as 5/5, with devi-
	      ations either way indicating it is not fully established any more.

       -F<5|6|7|8|9|10|11>
              For the TCP states that indicate that closing of a connection has begun, whether on
              one side only or for the complete connection, those states can be flushed directly
              using the number corresponding to that state.  The numbers relate to the states as
	      follows: 5 = close-wait, 6 = fin-wait-1, 7 = closing, 8 = last-ack, 9 = fin-wait-2,
	      10 = time-wait, 11 = closed.

       -F<number>
	      If the argument supplied to -F is greater than 30, then state  table  entries  that
	      have been idle for more than this many seconds will be flushed.

       -f <filename>
	      This  option  specifies  which files ipf should use to get input from for modifying
	      the packet filter rule lists.

       -I     Set the list to make changes to the inactive list.

       -l  <pass|block|nomatch>
	      Use of the -l flag toggles default logging of packets.   Valid  arguments  to  this
	      option  are pass, block and nomatch.  When an option is set, any packet which exits
	      filtering and matches the set category is logged.  This is most useful for  causing
	      all packets which don't match any of the loaded rules to be logged.

       -n     This  flag  (no-change)  prevents ipf from actually making any ioctl calls or doing
	      anything which would alter the currently running kernel.

       -o     Force rules by default to be added/deleted to/from the output list, rather than the
	      (default) input list.

       -P     Add rules as temporary entries in the authentication rule table.

       -r     Remove matching filter rules rather than add them to the internal lists.

       -s     Swap the active filter list in use to be the "other" one.

       -T <optionlist>
	      This  option allows run-time changing of IPFilter kernel variables.  Some variables
	      require IPFilter to be in a disabled state (-D) for changing, others do  not.   The
	      optionlist  parameter  is a comma separated list of tuning commands.  A tuning com-
              mand is either "list" (retrieve a list of all variables in the kernel, their maxi-
              mum, minimum and current value), a single variable name (retrieve its current
              value) or a variable name with a following assignment to set a new value.  Some
              examples follow.
	      # Print out all IPFilter kernel tunable parameters
	      ipf -T list
	      # Display the current TCP idle timeout and then set it to 3600
	      ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E
	      # Display current values for fr_pass and fr_chksrc, then set fr_chksrc to 1.
	      ipf -T fr_pass,fr_chksrc,fr_chksrc=1

       -v     Turn verbose mode on.  Displays information relating to rule processing.

       -V     Show  version information.  This will display the version information compiled into
	      the ipf binary and retrieve it from the kernel code (if running/present).  If it is
              present in the kernel, information about its current state will be displayed
	      (whether logging is active, default filtering, etc).

       -y     Manually resync the in-kernel interface list maintained by IP Filter with the  cur-
	      rent interface status list.

       -z     For  each  rule  in the input file, reset the statistics for it to zero and display
	      the statistics prior to them being zeroed.

       -Z     Zero global statistics held in the kernel for filtering only (this  doesn't  affect
	      fragment or state statistics).
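       The following is an added example and is not part of the ipf manual page: a POSIX shell
       function that combines the -n, -I, -F, -f and -s options described above so that a rule
       file is parse-checked first, loaded into the inactive list, and only then made live with a
       single swap, leaving the active list untouched if the file fails to parse.  It assumes it
       runs as root (see DIAGNOSTICS); the IPF variable and the ipf_safe_reload name are chosen
       here, not taken from ipf.

```shell
#!/bin/sh
# Added example, not from the ipf man page. Reload a rule file without ever
# leaving the active list half-populated. Only flags documented in ipf(8)
# are used: -n (parse only, no ioctl), -I (operate on the inactive list),
# -Fa (flush all rules of the selected list), -f (rule file), -s (swap).
# IPF is an assumed override so a test stub can stand in for the real binary.
IPF="${IPF:-ipf}"

# ipf_safe_reload RULEFILE
# Returns 0 on success, 1 on a parse or load failure, 2 if the file is
# unreadable. The kernel is never touched unless the file parses cleanly.
ipf_safe_reload() {
    rules="$1"
    [ -r "$rules" ] || { echo "rule file not readable: $rules" >&2; return 2; }

    # 1. Dry run: -n parses the file and makes no changes to the running kernel.
    if ! "$IPF" -n -f "$rules" >/dev/null 2>&1; then
        echo "syntax error in $rules, active list untouched" >&2
        return 1
    fi

    # 2. Flush the *inactive* list: -I makes -Fa act on it, not on the live one.
    "$IPF" -I -Fa || return 1
    # 3. Load the new rules into the inactive list.
    "$IPF" -I -f "$rules" || return 1
    # 4. Swap: the freshly loaded list becomes the active one in a single step.
    "$IPF" -s || return 1
    return 0
}
```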

FILES
       /dev/ipauth
       /dev/ipl
       /dev/ipstate

SEE ALSO
       ipftest(1),  mkfilters(1),  ipf(4), ipl(4), ipf(5), ipf.conf(5), ipf6.conf(5), ipfstat(8),
       ipmon(8), ipnat(8)

DIAGNOSTICS
       Needs to be run as root for the packet filtering lists to actually be affected inside  the
       kernel.

BUGS
       If you find any, please send email to me at darrenr@pobox.com
