ipf(8) - NetBSD Manual Pages
IPF(8) IPF(8)
NAME
ipf - alters packet filtering lists for IP packet input
and output
SYNOPSIS
ipf [ -6AdDEInoPrsUvVyzZ ] [ -l <block|pass|nomatch> ] [
-F <i|o|a|s|S> ] -f <filename> [ -f <filename> [...]]
DESCRIPTION
ipf opens the filenames listed (treating "-" as stdin) and
parses the file for a set of rules which are to be added
or removed from the packet filter rule set.
Each rule processed by ipf is added to the kernel's internal
lists if there are no parsing problems. Rules are
added to the end of the internal lists, matching the order
in which they appear when given to ipf.
OPTIONS
-6 This option is required to parse IPv6 rules and to
have them loaded.
-A Set the list to make changes to the active list
(default).
-d Turn debug mode on. Causes a hexdump of filter
rules to be generated as it processes each one.
-D Disable the filter (if enabled). Not effective for
loadable kernel versions.
-E Enable the filter (if disabled). Not effective for
loadable kernel versions.
-F <i|o|a>
This option specifies which filter list to flush.
The parameter should either be "i" (input), "o"
(output) or "a" (remove all filter rules). Either
a single letter or an entire word starting with the
appropriate letter may be used. This option may be
given before, or after, any other; options are
executed in the order in which they appear on the
command line.
-F <s|S>
To flush entries from the state table, the -F
option is used in conjunction with either "s"
(removes state information about any non-fully
established connections) or "S" (deletes the entire
state table). Only one of the two options may be
given. A fully established connection will show up
in ipfstat -s output as 4/4, with deviations either
way indicating it is not fully established any
more.
-f <filename>
This option specifies which files ipf should use to
get input from for modifying the packet filter rule
lists.
-I Set the list to make changes to the inactive list.
-l <pass|block|nomatch>
Use of the -l flag toggles default logging of packets.
Valid arguments to this option are pass,
block and nomatch. When an option is set, any
packet which exits filtering and matches the set
category is logged. This is most useful for causing
all packets which don't match any of the loaded
rules to be logged.
-n This flag (no-change) prevents ipf from actually
making any ioctl calls or doing anything which
would alter the currently running kernel.
-o Force rules by default to be added/deleted to/from
the output list, rather than the (default) input
list.
-P Add rules as temporary entries in the authentication
rule table.
-r Remove matching filter rules rather than add them
to the internal lists.
-s Swap the active filter list in use to be the
"other" one.
-U (SOLARIS 2 ONLY) Block packets travelling along the
data stream which aren't recognised as IP packets.
They will be printed out on the console.
-v Turn verbose mode on. Displays information relating
to rule processing.
-V Show version information. This will display the
version information compiled into the ipf binary
and retrieve it from the kernel code (if
running/present). If it is present in the kernel,
information about its current state will be
displayed (whether logging is active, default
filtering, etc).
-y Manually resync the in-kernel interface list
maintained by IP Filter with the current interface
status list.
-z For each rule in the input file, reset the statistics
for it to zero and display the statistics
prior to them being zeroed.
-Z Zero global statistics held in the kernel for
filtering only (this doesn't affect fragment or state
statistics).
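The -n, -I, -F, -f and -s options above combine into the usual way to replace a running rule set without a window in which no rules are loaded: parse first without touching the kernel, load into the inactive list, then swap. The following POSIX sh wrapper is an added example and not part of the ipf distribution; it assumes ipf lives at /sbin/ipf (overridable through the IPF variable) and takes the rule file as its argument.

```sh
#!/bin/sh
# Added example: reload an ipf rule set through the inactive list.
# IPF may be overridden in the environment (an assumption of this
# script, e.g. IPF=some_shell_function to preview the commands).
IPF=${IPF:-/sbin/ipf}

# ipf_reload RULEFILE
#   1. parse RULEFILE with -n: no ioctl calls are made, so a syntax
#      error is caught before the running kernel is touched
#   2. flush the inactive list (-I -Fa) and add RULEFILE to it (-f);
#      -F is executed in command-line order, so the flush comes first
#   3. swap the active and inactive lists (-s) so the new set takes
#      effect in one step
# Returns 0 on success, 2 if RULEFILE is unreadable, 1 if ipf fails.
ipf_reload() {
    rules=$1
    if [ ! -r "$rules" ]; then
        echo "ipf_reload: cannot read $rules" >&2
        return 2
    fi
    "$IPF" -n -f "$rules" || return 1
    "$IPF" -I -Fa -f "$rules" || return 1
    "$IPF" -s || return 1
    return 0
}
```

Run it as root, e.g. ipf_reload /etc/ipf.conf; a previous rule set stays active until the swap, and a rule file that fails to parse never reaches the kernel.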
FILES
/dev/ipauth
/dev/ipl
/dev/ipstate
SEE ALSO
ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5),
ipf.conf(5), ipf6.conf(5), ipfstat(8), ipmon(8), ipnat(8)
DIAGNOSTICS
Needs to be run as root for the packet filtering lists to
actually be affected inside the kernel.
BUGS
If you find any, please send email to me at
darrenr@pobox.com