ipf - alters packet filtering lists for IP packet input and output
ipf [ -6AdDEInoPrsUvVyzZ ] [ -l <block|pass|nomatch>
] [ -F <i|o|a|s|S> ] -f <filename> [
-f <filename> [...]]
ipf opens the filenames listed (treating "-" as stdin) and
parses the file for a set of rules which are to be added or removed from the
packet filter rule set.
Each rule processed by ipf is added to the kernel's
internal lists if there are no parsing problems. Rules are added to the end
of the internal lists, matching the order in which they appear when given to
ipf.
- -6
- This option is required to parse IPv6 rules and to have them loaded.
- -A
- Set the list to make changes to the active list (default).
- -d
- Turn debug mode on. Causes a hexdump of filter rules to be generated as it
processes each one.
- -D
- Disable the filter (if enabled). Not effective for loadable kernel
versions.
- -E
- Enable the filter (if disabled). Not effective for loadable kernel
versions.
- -F <i|o|a>
- This option specifies which filter list to flush. The parameter should
either be "i" (input), "o" (output) or "a"
(remove all filter rules). Either a single letter or an entire word
starting with the appropriate letter maybe used. This option maybe before,
or after, any other with the order on the command line being that used to
execute options.
- -F <s|S>
- To flush entries from the state table, the -F option is used in
conjuction with either "s" (removes state information about any
non-fully established connections) or "S" (deletes the entire
state table). Only one of the two options may be given. A fully
established connection will show up in ipfstat -s output as 4/4,
with deviations either way indicating it is not fully established any
more.
- -f <filename>
- This option specifies which files ipf should use to get input from
for modifying the packet filter rule lists.
- -I
- Set the list to make changes to the inactive list.
- -l <pass|block|nomatch>
- Use of the -l flag toggles default logging of packets. Valid
arguments to this option are pass, block and nomatch.
When an option is set, any packet which exits filtering and matches the
set category is logged. This is most useful for causing all packets which
don't match any of the loaded rules to be logged.
- -n
- This flag (no-change) prevents ipf from actually making any ioctl
calls or doing anything which would alter the currently running
kernel.
- -o
- Force rules by default to be added/deleted to/from the output list, rather
than the (default) input list.
- -P
- Add rules as temporary entries in the authentication rule table.
- -r
- Remove matching filter rules rather than add them to the internal
lists
- -s
- Swap the active filter list in use to be the "other" one.
- -U
- (SOLARIS 2 ONLY) Block packets travelling along the data stream which
aren't recognised as IP packets. They will be printed out on the
console.
- -v
- Turn verbose mode on. Displays information relating to rule
processing.
- -V
- Show version information. This will display the version information
compiled into the ipf binary and retrieve it from the kernel code (if
running/present). If it is present in the kernel, information about its
current state will be displayed (whether logging is active, default
filtering, etc).
- -y
- Manually resync the in-kernel interface list maintained by IP Filter with
the current interface status list.
- -z
- For each rule in the input file, reset the statistics for it to zero and
display the statistics prior to them being zero'd.
- -Z
- Zero global statistics held in the kernel for filtering only (this doesn't
affect fragment or state statistics).
/dev/ipauth
/dev/ipl
/dev/ipstate
ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8), ipnat(8)
Needs to be run as root for the packet filtering lists to actually be affected
inside the kernel.
If you find any, please send email to me at darrenr@pobox.com