
FreeBSD Manual Pages

IPF(8)                                                                  IPF(8)

NAME
       ipf - alters packet filtering lists for IP packet input and output

SYNOPSIS
       ipf [ -6AcdDEInoPrsvVyzZ ] [ -l <block|pass|nomatch> ] [ -T <optionlist> ]
           [ -F <i|o|a|s|S> ] -f <filename> [ -f <filename> [...]]

DESCRIPTION
       ipf opens the filenames listed (treating "-" as stdin) and parses each
       file for a set of rules which are to be added to, or removed from, the
       packet filter rule set.

       Each rule processed by ipf is added to the kernel's internal lists if
       there are no parsing problems.  Rules are added to the end of the
       internal lists, matching the order in which they appear when given to
       ipf.

OPTIONS
       -6     IPv4 and IPv6 rules are stored in a single table and can be read
              from a single file.  This option is no longer required to load
              IPv6 rules.  This option is ignored when specified with the -F
              option, and the -F option will flush IPv4 rules even if this
              option is specified.

       -A     Set the list to make changes to the active list (default).

       -c <language>
              This option causes ipf to generate output files for a compiler
              that supports that language.  At present, the only target
              language supported is C (-cc), for which two files, ip_rules.c
              and ip_rules.h, are generated in the CURRENT DIRECTORY when ipf
              is being run.  These files can be used with the IPFILTER_COMPILED
              kernel option to build filter rules statically into the kernel.

       -d     Turn debug mode on.  Causes a hexdump of filter rules to be
              generated as it processes each one.

       -D     Disable the filter (if enabled).  Not effective for loadable
              kernel versions.

       -E     Enable the filter (if disabled).  Not effective for loadable
              kernel versions.

       -F <i|o|a>
              This option specifies which filter list to flush.  The parameter
              should be either "i" (input), "o" (output) or "a" (remove all
              filter rules).  Either a single letter or an entire word
              starting with the appropriate letter may be used.  This option
              may appear before or after any other; options are executed in
              the order in which they appear on the command line.

       -F <s|S>
              To flush entries from the state table, the -F option is used in
              conjunction with either "s" (removes state information about any
              non-fully established connections) or "S" (deletes the entire
              state table).  Only one of the two options may be given.  A
              fully established connection will show up in ipfstat -s output
              as 5/5, with deviations either way indicating it is not fully
              established any more.

       -F<5|6|7|8|9|10|11>
              For the TCP states that represent a connection whose closing has
              begun, be it on only one side or for the complete connection, it
              is possible to flush those states directly using the number
              corresponding to that state.  The numbers relate to the states
              as follows: 5 = close-wait, 6 = fin-wait-1, 7 = closing, 8 =
              last-ack, 9 = fin-wait-2, 10 = time-wait, 11 = closed.

       -F<number>
              If the argument supplied to -F is greater than 30, then state
              table entries that have been idle for more than this many
              seconds will be flushed.

       -f <filename>
              This option specifies which files ipf should use to get input
              from for modifying the packet filter rule lists.

       -I     Set the list to make changes to the inactive list.

       -l <pass|block|nomatch>
              Use of the -l flag toggles default logging of packets.  Valid
              arguments to this option are pass, block and nomatch.  When an
              option is set, any packet which exits filtering and matches the
              set category is logged.  This is most useful for causing all
              packets which don't match any of the loaded rules to be logged.

       -n     This flag (no-change) prevents ipf from actually making any
              ioctl calls or doing anything which would alter the currently
              running kernel.

       -o     Force rules by default to be added/deleted to/from the output
              list, rather than the (default) input list.

       -P     Add rules as temporary entries in the authentication rule table.

       -r     Remove matching filter rules rather than add them to the
              internal lists.

       -s     Swap the active filter list in use to be the "other" one.

       -T <optionlist>
              This option allows run-time changing of IPFilter kernel
              variables.  Some variables require IPFilter to be in a disabled
              state (-D) for changing, others do not.  The optionlist
              parameter is a comma separated list of tuning commands.  A
              tuning command is either "list" (retrieve a list of all
              variables in the kernel, their maximum, minimum and current
              value), a single variable name (retrieve its current value) or
              a variable name followed by an assignment (set a new value).
              Some examples follow.
              # Print out all IPFilter kernel tunable parameters
              ipf -T list
              # Display the current TCP idle timeout and then set it to 3600
              ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E
              # Display current values for fr_pass and fr_chksrc, then set fr_chksrc to 1.
              ipf -T fr_pass,fr_chksrc,fr_chksrc=1

       -v     Turn verbose mode on.  Displays information relating to rule
              processing.

       -V     Show version information.  This will display the version
              information compiled into the ipf binary and retrieve it from
              the kernel code (if running/present).  If it is present in the
              kernel, information about its current state will be displayed
              (whether logging is active, default filtering, etc).

       -y     Manually resync the in-kernel interface list maintained by IP
              Filter with the current interface status list.

       -z     For each rule in the input file, reset the statistics for it to
              zero and display the statistics prior to them being zeroed.

       -Z     Zero global statistics held in the kernel for filtering only
              (this doesn't affect fragment or state statistics).
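       The options above combine into a common IPFilter idiom for replacing a
       rule set without leaving a window in which no rules are loaded: check
       the file with -n, load it into the inactive list (-I, after flushing
       that list with -F a), then swap lists with -s.  The script below is an
       added example for this manual, not part of IPFilter itself.  It assumes
       ipf is in $PATH and the caller is root; the rule file path is supplied
       by the caller, and IPF_DRYRUN is a variable invented for the example so
       the command sequence can be inspected without touching the kernel.

```sh
#!/bin/sh
# Added example (not from the ipf(8) manual or the IPFilter sources):
# replace the active rule set via the inactive list, using only flags
# documented on this page: -n (parse only, no kernel changes), -I (act on
# the inactive list), -Fa (flush that list), -f (load file), -s (swap).
# Assumed: ipf in $PATH, run as root.  IPF_DRYRUN=1 (example-only variable)
# prints the commands instead of running them.

# run_ipf: execute one ipf invocation, or echo it in dry-run mode.
run_ipf() {
    if [ "${IPF_DRYRUN:-0}" = "1" ]; then
        printf 'ipf %s\n' "$*"
    else
        ipf "$@"
    fi
}

# ipf_safe_reload RULEFILE
#   1. parse RULEFILE without touching the kernel (-n); abort on error
#   2. flush the inactive list and load the new rules into it (-I -Fa -f)
#   3. swap lists so the new rules become the active set (-s)
# Returns non-zero without swapping if the file is unreadable or fails to
# parse, so a typo in the rule file never unloads the running rules.
ipf_safe_reload() {
    rulefile=$1
    if [ ! -r "$rulefile" ]; then
        echo "ipf_safe_reload: cannot read $rulefile" >&2
        return 1
    fi
    run_ipf -n -f "$rulefile" || return 1
    run_ipf -I -Fa -f "$rulefile" || return 1
    run_ipf -s || return 1
}

# ipf_rollback: after a swap the previous rules sit in the now-inactive
# list, so a second swap restores them (valid until the next -I load).
ipf_rollback() {
    run_ipf -s
}

# Usage:  ipf_safe_reload /etc/ipf.rules
#         ipf_rollback        # undo the last swap
```

       Because -I never touches the running rules, the three steps can be
       repeated freely; only the final -s changes what the kernel enforces,
       and ipf_rollback reverses exactly that step.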

FILES
       /dev/ipauth
       /dev/ipl
       /dev/ipstate

SEE ALSO
       ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8),
       ipnat(8)

DIAGNOSTICS
       Needs to be run as root for the packet filtering lists to actually be
       affected inside the kernel.

BUGS
       If you find any, please send email to me at darrenr@pobox.com


Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=ipf&manpath=FreeBSD+11.0-RELEASE+and+Ports>
