ipf man page on HP-UX


ipf(1M)								       ipf(1M)

NAME
       ipf - loads and manages filter rules for HP-UX IPFilter, and enables or
       disables Dynamic Connection Allocation (DCA) mode

SYNOPSIS
DESCRIPTION
       ipf opens the specified filenames and parses them for filter rules that
       are to be added or removed from the IPFilter ruleset.  ipf without any
       command line option or with only the option shows the usage information.

       Each rule processed by ipf is added to the kernel's internal lists
       (rulesets) if there are no parsing problems.  Rules are added to the end
       of the internal lists, matching the order in which ipf reads them.

OPTIONS
       Parse and load IPv6 filter rules.
	      You must specify this option if the  input  file	contains  IPv6
	      filter  rules.  An  input	 file must contain either IPv6 or IPv4
	      rules (an input file cannot contain  a  mix  of  IPv6  and  IPv4
	      rules).	To  use	 this  option, insert it immediately after the
	      command and before any other options.

       Set the list to make changes to the active list (default).

       Turn debug mode on.  Causes a hexdump of filter rules to be generated
              as it processes each one.

       Flush the specified type of filter rule, where
              are input rules, are output rules, is all filter rules.  Either
              a single letter or an entire word starting with the appropriate
              letter may be used.  This option may be before or after any
              other, with the order on the command line being that used to
              execute options.  If you specify this option with the option,
              this option affects the IPv6 rulesets; if you specify it without
              the option, this option affects the IPv4 rulesets.

       Flush the entries from the state table. The
              option is used in conjunction with the option (remove state
              information about any non-fully established connections) or the
              option (delete the entire state table).  Only one of the two
              options may be given.  A fully established connection will
              appear in ipfstat -s output with state value with other values
              indicating it is not a fully established connection.  The option
              is not needed with this option because this option alone removes
              state information for both IPv4 and IPv6 connections.

       This option specifies input files that contain filter rules.

	      The utility can also read rules from For	example,  the  command
	      outputs  parseable rules when displaying rulesets, which you can
	      use as input to The following command  uses  to  output  inbound
	      rules and uses this list of rules as input to that specifies the
	      rules to remove This removes all filters on input packets:

       Set the list to make changes to the inactive list.  If you specify this
              option with the option, this option affects the IPv6 ruleset; if
              you specify it without the option, this option affects the IPv4
              ruleset.

       Toggles the default logging of packets.	Valid
	      parameters are and When an option is set, any packet which exits
	      filtering and matches the specified  category  is	 logged.   The
	      most commonly used option is which is useful for logging packets
	      that do not match any of the active rules.

       Enable or disable Dynamic Connection Allocation (DCA) mode.
              DCA mode is disabled by default.  The default can be changed at
              system startup time by setting the flag in the file The
              qualifiers for this option are which queries the current state,
              which enables DCA, which disables DCA, and which toggles the DCA
              mode.  DCA mode must be enabled for rules to work.  The option
              is not needed with this option because this option alone enables
              or disables DCA mode for both IPv4 and IPv6 rulesets.

       These options require an interface name as a qualifier.
              The -D option disables and the -E option enables IPFilter
              processing for the specified interface.  The -Q option queries
              whether processing is enabled or disabled for the specified
              interface.

              The option can be used to improve IPFilter performance but must
              be used with caution.  Incorrect use of this option will lead to
              undesirable consequences.

              The option can be used on an intermediate node with DCA mode
              enabled.  DCA works without disabling any interface, but
              disabling one of the interfaces when IPFilter is running on an
              intermediate system will improve performance because the
              networking traffic will be processed only once (i.e., in the
              incoming or outgoing interface depending on which one is
              disabled).  Never use the option when using IPFilter as a
              firewall.

	      If you specify this option with the -6 option, it disables  IPv6
	      IPFilter	processing;  if you specify this option without the -6
	      option, it disables IPv4 IPFilter processing.

       This flag (no-change) prevents
              ipf from making any ioctl calls or doing anything that alters
              the currently running kernel.

       Force rules by default to be added/deleted to/from the output list,
              rather than the (default) input list.

       Add rules as temporary entries in the authentication rule table.

       Remove matching filter rules rather than add them to the internal lists.

       Swap the active and inactive filter rule sets.  If specified with the
              -6 option, swaps the IPv6 active and inactive filter rule sets.
              If specified without the -6 option, swaps the IPv4 active and
              inactive filter rule sets.

       Enable verbose mode.  Displays information relating to rule processing.
              If this is the only option specified, displays usage
              information.

       Display version information.  This displays the version from
              the binary and from the kernel module (if running/present).
              If is present in the kernel, information about its current state
              will be displayed (whether logging is active, default filtering,
              etc).

       Manually resync the in-kernel interface list maintained by IPFilter
              with the current interface status list.

       For each rule in the input file, reset statistics to zero and
	      display the statistics prior to them being zeroed.

       Zeroes global statistics held in the kernel for filtering only (this
              does not affect fragment or state statistics).
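
       Added example (not part of the HP-UX manual page or of IPFilter): a
       pre-load check for the constraint stated above that an input file holds
       either IPv4 or IPv6 rules, never a mix.  It classifies a rule file by
       its address literals and prints the no-change parse command to run
       first.  The function names, the heuristic and the sample rules are
       assumptions; -6, -n and -f are the standard ipf flags.

```shell
#!/bin/sh
# Heuristic pre-check for an ipf rule file (added example, hypothetical names).

# Print v4, v6, mixed or none according to the address literals in the file.
ipf_rule_family() {
    awk '
        { sub(/#.*/, "") }                      # ignore comments
        {
            for (i = 1; i <= NF; i++) {
                tok = $i
                sub(/\/.*/, "", tok)            # strip a /mask suffix
                if (tok ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    v4 = 1                      # dotted quad
                else if (tok ~ /^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*$/)
                    v6 = 1                      # at least two colons, hex only
            }
        }
        END {
            if (v4 && v6) print "mixed"
            else if (v6)  print "v6"
            else if (v4)  print "v4"
            else          print "none"          # e.g. only "from any to any"
        }' "$1"
}

# Print the parse-only command for the file, with -6 placed directly after
# the command name when the file is IPv6.  Mixed files are refused.  A file
# with no address literals is treated as IPv4; the operator must confirm.
ipf_dryrun_cmd() {
    case "$(ipf_rule_family "$1")" in
        mixed) echo "refuse: $1 mixes IPv4 and IPv6 rules" >&2; return 1 ;;
        v6)    echo "ipf -6 -n -f $1" ;;
        *)     echo "ipf -n -f $1" ;;
    esac
}

# Constructed sample input (documentation address ranges).
demo=$(mktemp)
printf '%s\n' 'block in log quick from 192.0.2.0/24 to any' \
              'pass in quick from 2001:db8::/32 to any' > "$demo"
echo "sample file classified as: $(ipf_rule_family "$demo")"
rm -f "$demo"
```

       Run the printed command first; because of the no-change flag it parses
       the file without altering the running kernel.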

FILES
SEE ALSO
       ipftest(1M), mkfilters(1M), ipl(7), ipf(4), ipfstat(1M), ipmon(1M)

DIAGNOSTICS
       You must have superuser or equivalent capabilities to modify the active
       (kernel-resident) ruleset.

AUTHOR
       IPFilter was originally developed by Darren Reed.  This HP-UX enhanced
       version of IPFilter is based on the open source version 3.5 Alpha 5.
