IPF(8)                                                     IPF(8)


NAME
       ipf  -  alters  packet filtering lists for IP packet input
       and output

SYNOPSIS
       ipf [ -6AdDEInoPrsUvVyzZ ] [ -l <block|pass|nomatch>  ]  [
       -F <i|o|a|s|S> ] -f <filename> [ -f <filename> [...]]

DESCRIPTION
       ipf opens the filenames listed (treating "-" as stdin) and
       parses the file for a set of rules which are to  be  added
       or removed from the packet filter rule set.

       Each rule processed by ipf is added to the kernel's inter-
       nal lists if there are no  parsing  problems.   Rules  are
       added to the end of the internal lists, matching the order
       in which they appear when given to ipf.

OPTIONS
       -6     This option is required to parse IPv6 rules and  to
              have them loaded.

       -A     Set  the  list  to  make changes to the active list
              (default).

       -d     Turn debug mode on.  Causes  a  hexdump  of  filter
              rules to be generated as it processes each one.

       -D     Disable the filter (if enabled).  Not effective for
              loadable kernel versions.

       -E     Enable the filter (if disabled).  Not effective for
              loadable kernel versions.

       -F <i|o|a>
              This  option  specifies which filter list to flush.
              The parameter should either  be  "i"  (input),  "o"
              (output)  or "a" (remove all filter rules).  Either
              a single letter or an entire word starting with the
              appropriate  letter  maybe used.  This option maybe
              before, or after, any other with the order  on  the
              command line being that used to execute options.

       -F <s|S>
              To  flush  entries  from  the  state  table, the -F
              option  is  used  in  conjuction  with  either  "s"
              (removes  state  information  about  any  non-fully
              established connections) or "S" (deletes the entire
              state  table).   Only one of the two options may be
              given.  A fully established connection will show up
              in ipfstat -s output as 4/4, with deviations either
              way indicating it  is  not  fully  established  any
              more.




                                                                1





IPF(8)                                                     IPF(8)


       -f <filename>
              This option specifies which files ipf should use to
              get input from for modifying the packet filter rule
              lists.

       -I     Set  the list to make changes to the inactive list.

       -l  <pass|block|nomatch>
              Use of the -l flag toggles default logging of pack-
              ets.   Valid  arguments  to  this  option are pass,
              block and nomatch.  When  an  option  is  set,  any
              packet  which  exits  filtering and matches the set
              category is logged.  This is most useful for  caus-
              ing all packets which don't match any of the loaded
              rules to be logged.

       -n     This flag (no-change) prevents  ipf  from  actually
              making  any  ioctl  calls  or  doing anything which
              would alter the currently running kernel.

       -o     Force rules by default to be added/deleted  to/from
              the  output  list,  rather than the (default) input
              list.

       -P     Add rules as temporary entries in  the  authentica-
              tion rule table.

       -r     Remove  matching  filter rules rather than add them
              to the internal lists

       -s     Swap the active  filter  list  in  use  to  be  the
              "other" one.

       -U     (SOLARIS 2 ONLY) Block packets travelling along the
              data stream which aren't recognised as IP  packets.
              They will be printed out on the console.

       -v     Turn  verbose mode on.  Displays information relat-
              ing to rule processing.

       -V     Show version information.  This  will  display  the
              version  information  compiled  into the ipf binary
              and retrieve it  from  the  kernel  code  (if  run-
              ning/present).   If  it  is  present in the kernel,
              information about its current state  will  be  dis-
              played  (whether logging is active, default filter-
              ing, etc).

       -y     Manually resync the in-kernel interface list  main-
              tained by IP Filter with the current interface sta-
              tus list.

       -z     For each rule in the input file, reset the  statis-
              tics  for  it  to  zero  and display the statistics



                                                                2





IPF(8)                                                     IPF(8)


              prior to them being zero'd.

       -Z     Zero global statistics held in the kernel for  fil-
              tering  only (this doesn't affect fragment or state
              statistics).

FILES
       /dev/ipauth
       /dev/ipl
       /dev/ipstate

SEE ALSO
       ipftest(1),   mkfilters(1),   ipf(4),   ipl(4),    ipf(5),
       ipf.conf(5), ipf6.conf(5), ipfstat(8), ipmon(8), ipnat(8)

DIAGNOSTICS
       Needs  to be run as root for the packet filtering lists to
       actually be affected inside the kernel.

BUGS
       If  you  find  any,  please  send  email  to  me  at  dar-
       renr@pobox.com



































                                                                3



You can also request any man page by name and (optionally) by section:

Command: 
Section: 
Architecture: 
Collection: 
 

Use the DEFAULT collection to view manual pages for third-party software.


©1994 Man-cgi 1.15, Panagiotis Christias
©1996-2018 Modified for NetBSD by Kimmo Suominen