Skip site navigation (1)Skip section navigation (2)

FreeBSD Man Pages

Man Page or Keyword Search:
Man Architecture
Apropos Keyword Search (all sections) Output format
home | help
IPF(8)                  FreeBSD System Manager's Manual                 IPF(8)

NAME
       ipf - alters packet filtering lists for IP packet input and output

SYNOPSIS
       ipf [ -6AdDEInoPrsUvVyzZ ] [ -l <block|pass|nomatch> ] [ -F <i|o|a|s|S>
       ] -f <filename> [ -f <filename> [...]]

DESCRIPTION
       ipf opens the filenames listed (treating "-" as stdin) and parses the
       file for a set of rules which are to be added or removed from the
       packet filter rule set.

       Each rule processed by ipf is added to the kernel's internal lists if
       there are no parsing problems.  Rules are added to the end of the
       internal lists, matching the order in which they appear when given to
       ipf.

OPTIONS
       -6     This option is required to parse IPv6 rules and to have them
              loaded.

       -A     Set the list to make changes to the active list (default).

       -d     Turn debug mode on.  Causes a hexdump of filter rules to be
              generated as it processes each one.

       -D     Disable the filter (if enabled).  Not effective for loadable
              kernel versions.

       -E     Enable the filter (if disabled).  Not effective for loadable
              kernel versions.

       -F <i|o|a>
              This option specifies which filter list to flush.  The parameter
              should either be "i" (input), "o" (output) or "a" (remove all
              filter rules).  Either a single letter or an entire word
              starting with the appropriate letter maybe used.  This option
              maybe before, or after, any other with the order on the command
              line being that used to execute options.

       -F <s|S>
              To flush entries from the state table, the -F option is used in
              conjunction with either "s" (removes state information about any
              non-fully established connections) or "S" (deletes the entire
              state table).  Only one of the two options may be given.  A
              fully established connection will show up in ipfstat -s output
              as 4/4, with deviations either way indicating it is not fully
              established any more.

       -f <filename>
              This option specifies which files ipf should use to get input
              from for modifying the packet filter rule lists.

       -I     Set the list to make changes to the inactive list.

       -l  <pass|block|nomatch>
              Use of the -l flag toggles default logging of packets.  Valid
              arguments to this option are pass, block and nomatch.  When an
              option is set, any packet which exits filtering and matches the
              set category is logged.  This is most useful for causing all
              packets which don't match any of the loaded rules to be logged.

       -n     This flag (no-change) prevents ipf from actually making any
              ioctl calls or doing anything which would alter the currently
              running kernel.

       -o     Force rules by default to be added/deleted to/from the output
              list, rather than the (default) input list.

       -P     Add rules as temporary entries in the authentication rule table.

       -r     Remove matching filter rules rather than add them to the
              internal lists

       -s     Swap the active filter list in use to be the "other" one.

       -U     (SOLARIS 2 ONLY) Block packets travelling along the data stream
              which aren't recognised as IP packets.  They will be printed out
              on the console.

       -v     Turn verbose mode on.  Displays information relating to rule
              processing.

       -V     Show version information.  This will display the version
              information compiled into the ipf binary and retrieve it from
              the kernel code (if running/present).  If it is present in the
              kernel, information about its current state will be displayed
              (whether logging is active, default filtering, etc).

       -y     Manually resync the in-kernel interface list maintained by IP
              Filter with the current interface status list.

       -z     For each rule in the input file, reset the statistics for it to
              zero and display the statistics prior to them being zero'd.

       -Z     Zero global statistics held in the kernel for filtering only
              (this doesn't affect fragment or state statistics).

FILES
       /dev/ipauth
       /dev/ipl
       /dev/ipstate

SEE ALSO
       ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8),
       ipnat(8)

DIAGNOSTICS
       Needs to be run as root for the packet filtering lists to actually be
       affected inside the kernel.

BUGS
       If you find any, please send email to me at darrenr@pobox.com

                                                                        IPF(8)

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | FILES | SEE ALSO | DIAGNOSTICS | BUGS

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=ipf&sektion=8&manpath=FreeBSD+5.2.1-RELEASE>

home | help