IPF(8) FreeBSD System Manager's Manual IPF(8)
NAME
ipf - alters packet filtering lists for IP packet input and output
SYNOPSIS
ipf [ -6AcdDEInoPrsvVyzZ ] [ -l <block|pass|nomatch> ] [ -T <optionlist> ] [ -F <i|o|a|s|S> ] -f <filename> [ -f <filename> [...]]
DESCRIPTION
ipf opens the filenames listed (treating "-" as stdin) and parses the
file for a set of rules which are to be added or removed from the
packet filter rule set.
Each rule processed by ipf is added to the kernel's internal lists if
there are no parsing problems. Rules are added to the end of the
internal lists, matching the order in which they appear when given to
ipf.
OPTIONS
-6 IPv4 and IPv6 rules are stored in a single table and can be read
from a single file. This option is no longer required to load
IPv6 rules. This option is ignored when specified with the -F
option and the -F option will flush IPv4 rules even if this
option is specified.
-A Set the list to make changes to the active list (default).
-c <language>
This option causes ipf to generate output files for a compiler
that supports language. At present, the only target language
supported is C (-cc) for which two files - ip_rules.c and
ip_rules.h are generated in the CURRENT DIRECTORY when ipf is
being run. These files can be used with the IPFILTER_COMPILED
kernel option to build filter rules statically into the kernel.
-d Turn debug mode on. Causes a hexdump of filter rules to be
generated as it processes each one.
-D Disable the filter (if enabled). Not effective for loadable
kernel versions.
-E Enable the filter (if disabled). Not effective for loadable
kernel versions.
-F <i|o|a>
This option specifies which filter list to flush. The parameter
should either be "i" (input), "o" (output) or "a" (remove all
filter rules). Either a single letter or an entire word
starting with the appropriate letter may be used. This option
may be given before, or after, any other, with the order on the
command line being the order in which the options are executed.
-F <s|S>
To flush entries from the state table, the -F option is used in
conjunction with either "s" (removes state information about any
non-fully established connections) or "S" (deletes the entire
state table). Only one of the two options may be given. A
fully established connection will show up in ipfstat -s output
corresponding to that state. The numbers relate to the states
as follows: 5 = close-wait, 6 = fin-wait-1, 7 = closing, 8 =
last-ack, 9 = fin-wait-2, 10 = time-wait, 11 = closed.
-F<number>
If the argument supplied to -F is greater than 30, then state
table entries that have been idle for more than this many
seconds will be flushed.
-f <filename>
This option specifies which files ipf should use to get input
from for modifying the packet filter rule lists.
-I Set the list to make changes to the inactive list.
-l <pass|block|nomatch>
Use of the -l flag toggles default logging of packets. Valid
arguments to this option are pass, block and nomatch. When an
option is set, any packet which exits filtering and matches the
set category is logged. This is most useful for causing all
packets which don't match any of the loaded rules to be logged.
-n This flag (no-change) prevents ipf from actually making any
ioctl calls or doing anything which would alter the currently
running kernel.
-o Force rules by default to be added/deleted to/from the output
list, rather than the (default) input list.
-P Add rules as temporary entries in the authentication rule table.
-r Remove matching filter rules rather than add them to the
internal lists.
-s Swap the active filter list in use to be the "other" one.
-T <optionlist>
This option allows run-time changing of IPFilter kernel
variables. Some variables require IPFilter to be in a disabled
state (-D) for changing, others do not. The optionlist
parameter is a comma separated list of tuning commands. A
tuning command is either "list" (retrieve a list of all
variables in the kernel, their maximum, minimum and current
value), a single variable name (retrieve its current value) and
a variable name with a following assignment to set a new value.
Some examples follow.
# Print out all IPFilter kernel tunable parameters
ipf -T list
# Display the current TCP idle timeout and then set it to 3600
ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E
# Display current values for fr_pass and fr_chksrc, then set fr_chksrc to 1.
ipf -T fr_pass,fr_chksrc,fr_chksrc=1
-v Turn verbose mode on. Displays information relating to rule
processing.
-V Show version information. This will display the version
information compiled into the ipf binary and retrieve it from
the kernel code (if running/present). If it is present in the
zero and display the statistics prior to them being zeroed.
-Z Zero global statistics held in the kernel for filtering only
(this doesn't affect fragment or state statistics).
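The -n, -I, -F and -s options above combine into a safe reload procedure: parse the file without touching the kernel, stage it on the inactive list, then swap. The script below is an added example, not part of the manual; it assumes a rule file in ipf(5) syntax and that ipf is run as root.

```shell
#!/bin/sh
# Added example (not from the manual): stage a new rule file on the
# inactive list and swap it in, so the active list is never half-loaded.
# Assumes the rule file uses ipf(5) syntax and that this runs as root.

# Dry-run parse with -n: no ioctl calls are made, so a syntax error is
# caught before anything in the kernel changes. Returns ipf's exit status.
ipf_check() {
    ipf -n -f "$1" >/dev/null
}

# Flush the inactive list, load the file into it, then swap it to active.
# Each step runs only if the previous one succeeded; the return code tells
# the caller which step failed.
ipf_reload() {
    rules="$1"
    ipf_check "$rules" || return 1   # parse error: kernel untouched
    ipf -I -F a || return 2          # clear the inactive list
    ipf -I -f "$rules" || return 3   # load rules into the inactive list
    ipf -s || return 4               # atomically make it the active list
}

# Usage: ipf_reload /etc/ipf.rules
```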
ENVIRONMENT
IPF_PREDEFINED
ipfilter variables, see VARIABLES in ipf(5), can be specified in
this environment variable providing shell access to ipfilter and
ipnat variables. For example,
IPF_PREDEFINED='my_server="10.1.1.1"; my_client="10.1.1.2";'
FILES
/dev/ipauth
/dev/ipl
/dev/ipstate
SEE ALSO
ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8),
ipnat(8)
DIAGNOSTICS
Needs to be run as root for the packet filtering lists to actually be
affected inside the kernel.
BUGS
If you find any, please send email to me at darrenr@pobox.com