ipftest man page on PC-BSD

Man page or keyword search:  
man Server   9747 pages
apropos Keyword Search (all sections)
Output format
PC-BSD logo
[printable version]

ipftest(1)							    ipftest(1)

NAME
       ipftest - test packet filter rules with arbitrary input.

SYNOPSIS
       ipftest	[  -6bCdDoRvx  ]  [  -F	 input-format ] [ -i <filename> ] [ -I
       interface ] [ -l <filename> ] [ -N <filename> ] [ -P <filename> ] [  -r
       <filename> ] [ -S <ip_address> ] [ -T <optionlist> ]

DESCRIPTION
       ipftest is provided for the purpose of being able to test a set of fil‐
       ter rules without having to put them in place, in operation and proceed
       to  test	 their effectiveness.  The hope is that this minimises disrup‐
       tions in providing a secure IP environment.

       ipftest will parse any standard ruleset for use with ipf, ipnat	and/or
       ippool  and  apply  input, returning output as to the result.  However,
       ipftest will return one of three values for packets passed through  the
       filter:	pass, block or nomatch.	 This is intended to give the operator
       a better idea of what is happening with packets passing	through	 their
       filter ruleset.

       At least one of -N, -P or -r must be specified.

OPTIONS
       -6     Use IPv6.

       -b     Cause  the output to be a brief summary (one-word) of the result
	      of passing the packet through the filter; either "pass", "block"
	      or "nomatch".  This is used in the regression testing.

       -C     Force  the  checksums to be (re)calculated for all packets being
	      input into ipftest.  This may be necessary if  pcap  files  from
	      tcpdump  are  being  fed	in  where  there are partial checksums
	      present due to hardware offloading.

       -d     Turn on filter rule debugging.  Currently, this only  shows  you
	      what  caused  the	 rule  to  not match in the IP header checking
	      (addresses/netmasks, etc).

       -D     Dump internal tables before exiting.   This  excludes  log  mes‐
	      sages.

       -F     This  option is used to select which input format the input file
	      is in.  The following formats  are  available:  etherfind,  hex,
	      pcap, snoop, tcpdump,text.

	      etherfind
		     The  input file is to be text output from etherfind.  The
		     text formats which	 are  currently	 supported  are	 those
		     which result from the following etherfind option combina‐
		     tions:

			etherfind -n
			etherfind -n -t

	      hex    The input file is to  be  hex  digits,  representing  the
		     binary  makeup  of	 the  packet.  No length correction is
		     made, if an incorrect length is put in the IP header.   A
		     packet may be broken up over several lines of hex digits,
		     a blank line indicating the end of	 the  packet.	It  is
		     possible to specify both the interface name and direction
		     of the packet (for filtering purposes) at	the  start  of
		     the  line	using  this  format: [direction,interface]  To
		     define a packet going in on le0, we would use [in,le0]  -
		     the []'s are required and part of the input syntax.

	      pcap  The	 input	file specified by -i is a binary file produced
		     using libpcap (i.e., tcpdump  version  3).	  Packets  are
		     read  from	 this file as being input (for rule purposes).
		     An interface maybe specified using -I.

	      snoop  The input file is to be in "snoop" format (see RFC 1761).
		     Packets  are  read	 from this file and used as input from
		     any interface.  This is perhaps  the  most	 useful	 input
		     type, currently.

	      tcpdump
		     The  input	 file  is to be text output from tcpdump.  The
		     text formats which	 are  currently	 supported  are	 those
		     which  result  from the following tcpdump option combina‐
		     tions:

			tcpdump -n
			tcpdump -nq
			tcpdump -nqt
			tcpdump -nqtt
			tcpdump -nqte

	      text   The input file is in ipftest text input format.  This  is
		     the  default  if no -F argument is specified.  The format
		     used is as follows:
			  "in"|"out" "on" if ["tcp"|"udp"|"icmp"]
			       srchost[,srcport] dsthost[,destport] [FSRPAU]

	      This allows for a packet going "in" or  "out"  of	 an  interface
	      (if)  to	be  generated,	being  one of the three main protocols
	      (optionally), and if either TCP or UDP, a port parameter is also
	      expected.	  If  TCP  is selected, it is possible to (optionally)
	      supply TCP flags at the end.  Some examples are:
		   # a UDP packet coming in on le0
		   in on le0 udp 10.1.1.1,2210 10.2.1.5,23
		   # an IP packet coming in on le0 from localhost - hmm :)
		   in on le0 localhost 10.4.12.1
		   # a TCP packet going out of le0 with the SYN flag set.
		   out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S

       -i <filename>
	      Specify the filename from	 which	to  take  input.   Default  is
	      stdin.

       -I <interface>
	      Set  the	interface  name (used in rule matching) to be the name
	      supplied.	 This is useful where it is not otherwise possible  to
	      associate a packet with an interface.  Normal "text packets" can
	      override this setting.

       -l <filename>
	      Dump log messages generated  during  testing  to	the  specified
	      file.

       -N <filename>
	      Specify  the  filename  from which to read NAT rules in ipnat(5)
	      format.

       -o     Save output packets that would have been written to each	inter‐
	      face in a file /tmp/interface_name in raw format.

       -P <filename>
	      Read  IP pool configuration information in ippool(5) format from
	      the specified file.

       -r <filename>
	      Specify the filename from which to read filter rules  in	ipf(5)
	      format.

       -R     Don't attempt to convert IP addresses to hostnames.

       -S <ip_address>
	      The IP address specifived with this option is used by ipftest to
	      determine whether a packet should be treated as "input" or "out‐
	      put".   If the source address in an IP packet matches then it is
	      considered to be inbound.	 If it does not match then it is  con‐
	      sidered  to be outbound.	This is primarily for use with tcpdump
	      (pcap) files where there is no  in/out  information  saved  with
	      each packet.

       -T <optionlist>
	      This  option  simulates the run-time changing of IPFilter kernel
	      variables available with the -T option of ipf.   The  optionlist
	      parameter	 is a comma separated list of tuning commands.	A tun‐
	      ing command is either "list" (retrieve a list of	all  variables
	      in the kernel, their maximum, minimum and current value), a sin‐
	      gle variable name (retrieve its current value)  and  a  variable
	      name with a following assignment to set a new value.  See ipf(8)
	      for examples.

       -v     Verbose mode.  This provides more information about which	 parts
	      of rule matching the input packet passes and fails.

       -x     Print a hex dump of each packet before printing the decoded con‐
	      tents.

SEE ALSO
       ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c)

BUGS
       Not all of the input formats are sufficiently capable of introducing  a
       wide enough variety of packets for them to be all useful in testing.

								    ipftest(1)
[top]

List of man pages available for PC-BSD

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net