
FreeBSD Manual Pages


IPF(8)									IPF(8)

       ipf - alters packet filtering lists for IP packet input and output

       ipf [ -6AdDEInoPrsUvVyzZ ] [ -l <block|pass|nomatch> ] [ -F <i|o|a|s|S> ]
           -f <filename> [ -f <filename> [...]]

       ipf opens the filenames listed (treating	"-" as stdin) and  parses  the
       file  for  a  set  of  rules  which are to be added or removed from the
       packet filter rule set.

       Each rule processed by ipf is added to the kernel's internal  lists  if
       there  are  no  parsing	problems.   Rules  are added to	the end	of the
       internal	lists, matching	the order in which they	appear when  given  to

       -6     This  option  is	required  to parse IPv6	rules and to have them

       -A     Set the list to make changes to the active list (default).

       -d     Turn debug mode on.  Causes a hexdump of filter rules to be gen-
	      erated as	it processes each one.

       -D     Disable  the  filter  (if	 enabled).  Not	effective for loadable
	      kernel versions.

       -E     Enable the filter	(if disabled).	 Not  effective	 for  loadable
	      kernel versions.

       -F <i|o|a>
	      This option specifies which filter list to flush.  The parameter
	      should be either "i" (input), "o" (output) or "a" (remove all
	      filter rules).  Either a single letter or an entire word starting
	      with the appropriate letter may be used.  This option may appear
	      before, or after, any other option; options are executed in the
	      order in which they appear on the command line.

       -F <s|S>
	      To flush entries from the	state table, the -F option is used  in
	      conjunction with either "s" (removes state information about any
	      non-fully	established connections) or "S"	 (deletes  the	entire
	      state  table).   Only  one  of  the two options may be given.  A
	      fully established	connection will	show up	in ipfstat  -s	output
	      as  4/4,	with  deviations either	way indicating it is not fully
	      established any more.

       -f <filename>
	      This option specifies which files	ipf should use	to  get	 input
	      from for modifying the packet filter rule	lists.

       -I     Set the list to make changes to the inactive list.

       -l <pass|block|nomatch>
	      Use  of  the  -l flag toggles default logging of packets.	 Valid
	      arguments	to this	option are pass, block and nomatch.   When  an
	      option  is set, any packet which exits filtering and matches the
	      set category is logged.  This is most  useful  for  causing  all
	      packets  which don't match any of	the loaded rules to be logged.

       -n     This flag	(no-change) prevents  ipf  from	 actually  making  any
	      ioctl  calls  or	doing anything which would alter the currently
	      running kernel.

       -o     Force rules by default to	be added/deleted  to/from  the	output
	      list, rather than	the (default) input list.

       -P     Add rules	as temporary entries in	the authentication rule	table.

       -r     Remove matching filter rules rather than add them to the inter-
	      nal lists.

       -s     Swap the active filter list in use to be the "other" one.

       -U     (SOLARIS	2 ONLY)	Block packets travelling along the data	stream
	      which aren't recognised as IP packets.  They will	be printed out
	      on the console.

       -v     Turn  verbose  mode  on.	 Displays information relating to rule

       -V     Show version information.	 This will display the version	infor-
	      mation  compiled	into  the  ipf binary and retrieve it from the
	      kernel code (if running/present).	 If it is present in the  ker-
	      nel,  information	 about	its  current  state  will be displayed
	      (whether logging is active, default filtering, etc).

       -y     Manually resync the in-kernel interface list  maintained	by  IP
	      Filter with the current interface	status list.

       -z     For each rule in the input file, reset its statistics to zero
	      and display the statistics prior to their being zeroed.

       -Z     Zero global statistics held in the  kernel  for  filtering  only
	      (this doesn't affect fragment or state statistics).


       ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8),

       Needs to	be run as root for the packet filtering	lists to  actually  be
       affected	inside the kernel.

       If you find any,	please send email to me	at


