FreeBSD Manual Pages

IPF(8)							   IPF(8)

       ipf  -  alters  packet filtering lists for IP packet input
       and output

       ipf [ -6AdDEInoPrsUvVyzZ ] [ -l <block|pass|nomatch>  ]	[
       -F <i|o|a|s|S> ] -f <filename> [ -f <filename> [...]]

       ipf opens the filenames listed (treating "-" as stdin) and
       parses the file for a set of rules which are to	be  added
       or removed from the packet filter rule set.

       Each rule processed by ipf is added to the kernel's internal
       lists if there are no parsing problems.  Rules are added to
       the end of the internal lists, matching the order in which
       they appear when given to ipf.

       -6     This option is required to parse IPv6 rules and  to
	      have them loaded.

       -A     Set the list to make changes to the active list.

       -d     Turn debug mode on.  Causes  a  hexdump  of  filter
	      rules to be generated as it processes each one.

       -D     Disable the filter (if enabled).	Not effective for
	      loadable kernel versions.

       -E     Enable the filter (if disabled).	Not effective for
	      loadable kernel versions.

       -F <i|o|a>
	      This option specifies which filter list to flush.
	      The parameter should be either "i" (input), "o"
	      (output) or "a" (remove all filter rules).  Either
	      a single letter or an entire word starting with the
	      appropriate letter may be used.  This option may
	      appear before or after any other option; options are
	      executed in the order given on the command line.

       -F <s|S>
	      To flush entries from the state table, the -F option
	      is used in conjunction with either "s" (removes state
	      information about any non-fully established
	      connections) or "S" (deletes the entire state table).
	      Only one of the two options may be given.  A fully
	      established connection will show up in ipfstat -s
	      output as 4/4, with deviations either way indicating
	      it is not fully established any


       -f <filename>
	      This option specifies which files ipf should use to
	      get input from for modifying the packet filter rule

       -I     Set  the list to make changes to the inactive list.

       -l <pass|block|nomatch>
	      Use of the -l flag toggles default logging of packets.
	      Valid arguments to this option are pass, block and
	      nomatch.  When an option is set, any packet which
	      exits filtering and matches the set category is
	      logged.  This is most useful for causing all packets
	      which don't match any of the loaded rules to be
	      logged.

       -n     This flag (no-change) prevents  ipf  from  actually
	      making  any  ioctl  calls  or  doing anything which
	      would alter the currently running kernel.

       -o     Force rules by default to be added/deleted  to/from
	      the  output  list,  rather than the (default) input

       -P     Add rules as temporary entries in the authentication
	      rule table.

       -r     Remove matching filter rules rather than add them
	      to the internal lists.

       -s     Swap the active  filter  list  in  use  to  be  the
	      "other" one.

       -U     (SOLARIS 2 ONLY) Block packets travelling along the
	      data stream which aren't recognised as IP  packets.
	      They will be printed out on the console.

       -v     Turn verbose mode on.  Displays information relating
	      to rule processing.

       -V     Show version information.  This will display the
	      version information compiled into the ipf binary
	      and retrieve it from the kernel code (if
	      running/present).  If it is present in the kernel,
	      information about its current state will be
	      displayed (whether logging is active, default
	      filtering, etc).

       -y     Manually resync the in-kernel interface list
	      maintained by IP Filter with the current interface
	      status list.

       -z     For each rule in the input file, reset the statistics
	      for it to zero and display the statistics prior to
	      them being zero'd.

       -Z     Zero global statistics held in the kernel for
	      filtering only (this doesn't affect fragment or state


       ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5),
       ipfstat(8), ipmon(8), ipnat(8)

       Needs  to be run as root for the packet filtering lists to
       actually be affected inside the kernel.
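
       The following is an added example, not part of the original manual page or the IP Filter distribution: a staged ruleset reload that combines -n, -I, -F a, -f and -s so the active list keeps filtering until a parsed, fully loaded replacement is swapped in. The function names are hypothetical, and the script assumes ipf exits non-zero when a rules file fails to parse.

```shell
#!/bin/sh
# Added example: staged reload using only flags documented on this page.
# Assumption: ipf returns a non-zero exit status on a parse failure.

# ipf_check FILE  (hypothetical helper)
# Parse FILE with -n (no-change): no ioctl calls are made, so the
# running kernel is untouched.
ipf_check() {
    [ -r "$1" ] || { echo "ipf_check: cannot read $1" >&2; return 2; }
    ipf -n -f "$1"
}

# ipf_staged_reload FILE  (hypothetical helper)
# 1. dry-run check; 2. flush and fill the inactive list; 3. swap lists.
# A file that fails step 1 or 2 never reaches the swap, and the active
# list is never left empty while rules are being loaded.
ipf_staged_reload() {
    rules=$1
    ipf_check "$rules" || {
        echo "reload aborted: $rules failed the dry-run check" >&2
        return 1
    }
    # Options execute in command-line order: select the inactive list,
    # flush all of its rules, then load the new rules into it.
    ipf -I -Fa -f "$rules" || {
        echo "reload aborted: loading the inactive list failed" >&2
        return 1
    }
    # Make the freshly loaded list the one in use.
    ipf -s || { echo "reload failed at swap" >&2; return 1; }
    echo "reloaded from $rules"
}

# Run as root with the rules file as the only argument, e.g.
#   sh ipf-reload.sh /path/to/rules    (placeholder path)
if [ "$#" -gt 0 ]; then
    ipf_staged_reload "$1"
fi
```

       After a swap the previous rules remain in the now-inactive list, so a second ipf -s restores them.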

       If  you	find  any,  please  send  email  to  me  at  dar­
