ipf man page on FreeBSD

Printed from http://www.polarhome.com/service/man/?qf=ipf&af=0&tf=2&of=FreeBSD

IPF(8)									IPF(8)

NAME
       ipf - alters packet filtering lists for IP packet input and output

SYNOPSIS
       ipf  [  -6AcdDEInoPrsvVyzZ  ] [ -l <block|pass|nomatch> ] [ -T <option‐
       list> ] [ -F <i|o|a|s|S> ] -f <filename> [ -f <filename> [...]]

DESCRIPTION
       ipf opens the filenames listed (treating "-" as stdin) and  parses  the
       file  for  a  set  of  rules  which are to be added or removed from the
       packet filter rule set.

       Each rule processed by ipf is added to the kernel's internal  lists  if
       there  are  no  parsing	problems.   Rules  are added to the end of the
       internal lists, matching the order in which they appear when  given  to
       ipf.

OPTIONS
       -6     This  option  is	required  to parse IPv6 rules and to have them
	      loaded.

       -A     Set the list to make changes to the active list (default).

       -c <language>
	      This option causes ipf to generate output files for  a  compiler
	      that  supports  language.	  At present, the only target language
	      supported is C (-cc)  for	 which	two  files  -  ip_rules.c  and
	      ip_rules.h  are  generated  in the CURRENT DIRECTORY when ipf is
	      being run.  These files can be used with	the  IPFILTER_COMPILED
	      kernel option to build filter rules staticly into the kernel.

       -d     Turn debug mode on.  Causes a hexdump of filter rules to be gen‐
	      erated as it processes each one.

       -D     Disable the filter (if enabled).	 Not  effective	 for  loadable
	      kernel versions.

       -E     Enable  the  filter  (if	disabled).  Not effective for loadable
	      kernel versions.

       -F <i|o|a>
	      This option specifies which filter list to flush.	 The parameter
	      should  either  be  "i" (input), "o" (output) or "a" (remove all
	      filter rules).  Either a single letter or an entire word	start‐
	      ing  with	 the appropriate letter maybe used.  This option maybe
	      before, or after, any other with the order on the	 command  line
	      being that used to execute options.

       -F <s|S>
	      To  flush entries from the state table, the -F option is used in
	      conjunction with either "s" (removes state information about any
	      non-fully	 established  connections)  or "S" (deletes the entire
	      state table).  Only one of the two  options  may	be  given.   A
	      fully  established  connection will show up in ipfstat -s output
	      as 5/5, with deviations either way indicating it	is  not	 fully
	      established any more.

       -F<5|6|7|8|9|10|11>
	      For  the	TCP  states that represent the closing of a connection
	      has begun, be it only one side or the complete connection, it is
	      possible	to flush those states directly using the number corre‐
	      sponding to that state.  The numbers relate  to  the  states  as
	      follows:	5 = close-wait, 6 = fin-wait-1, 7 = closing, 8 = last-
	      ack, 9 = fin-wait-2, 10 = time-wait, 11 = closed.

       -F<number>
	      If the argument supplied to -F is greater than  30,  then	 state
	      table  entries  that have been idle for more than this many sec‐
	      onds will be flushed.

       -f <filename>
	      This option specifies which files ipf should use	to  get	 input
	      from for modifying the packet filter rule lists.

       -I     Set the list to make changes to the inactive list.

       -l  <pass|block|nomatch>
	      Use  of  the  -l flag toggles default logging of packets.	 Valid
	      arguments to this option are pass, block and nomatch.   When  an
	      option  is set, any packet which exits filtering and matches the
	      set category is logged.  This is most  useful  for  causing  all
	      packets which don't match any of the loaded rules to be logged.

       -n     This  flag  (no-change)  prevents	 ipf  from actually making any
	      ioctl calls or doing anything which would	 alter	the  currently
	      running kernel.

       -o     Force  rules  by	default to be added/deleted to/from the output
	      list, rather than the (default) input list.

       -P     Add rules as temporary entries in the authentication rule table.

       -r     Remove matching filter rules rather than add them to the	inter‐
	      nal lists

       -s     Swap the active filter list in use to be the "other" one.

       -T <optionlist>
	      This  option  allows  run-time changing of IPFilter kernel vari‐
	      ables.  Some variables require IPFilter  to  be  in  a  disabled
	      state  (-D) for changing, others do not.	The optionlist parame‐
	      ter is a comma separated list of tuning commands.	 A tuning com‐
	      mand  is	either "list" (retrieve a list of all variables in the
	      kernel, their maximum, minimum  and  current  value),  a	single
	      variable	name  (retrieve its current value) and a variable name
	      with a following assignment to set a new value.	Some  examples
	      follow.
	      # Print out all IPFilter kernel tunable parameters
	      ipf -T list
	      # Display the current TCP idle timeout and then set it to 3600
	      ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E
	      # Display current values for fr_pass and fr_chksrc, then set fr_chksrc to 1.
	      ipf -T fr_pass,fr_chksrc,fr_chksrc=1

       -v     Turn  verbose  mode  on.	 Displays information relating to rule
	      processing.

       -V     Show version information.	 This will display the version	infor‐
	      mation  compiled	into  the  ipf binary and retrieve it from the
	      kernel code (if running/present).	 If it is present in the  ker‐
	      nel,  information	 about	its  current  state  will be displayed
	      (whether logging is active, default filtering, etc).

       -y     Manually resync the in-kernel interface list  maintained	by  IP
	      Filter with the current interface status list.

       -z     For  each rule in the input file, reset the statistics for it to
	      zero and display the statistics prior to them being zeroed.

       -Z     Zero global statistics held in the  kernel  for  filtering  only
	      (this doesn't affect fragment or state statistics).

FILES
       /dev/ipauth
       /dev/ipl
       /dev/ipstate

SEE ALSO
       ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8),
       ipnat(8)

DIAGNOSTICS
       Needs to be run as root for the packet filtering lists to  actually  be
       affected inside the kernel.

BUGS
       If you find any, please send email to me at darrenr@pobox.com

									IPF(8)
[top]

List of man pages available for FreeBSD

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net