ipf - alters packet filtering lists for IP packet input and
ipf [ -6AdDEInoPrsvVyzZ ] [ -cc ] [ -l
<block|pass|nomatch|state|nat> ] [ -T <optionlist> ]
[ -F <i|o|a|s|S|u> ] -f <filename>
[ -f <filename> [...]]
ipf opens the filenames listed (treating "-" as stdin) and
parses the file for a set of rules which are to be added or
removed from the packet filter rule set.
Each rule processed by ipf is added to the kernel's internal
lists if there are no parsing problems. Rules are added to
the end of the internal lists, matching the order in which
they appear when given to ipf.
-6 This option is required to parse IPv6 rules and to have
-A Set the list to make changes to the active list.
-c <language> This option causes ipf to generate output files for a
compiler that supports language. At present, the only
target language supported is C (-cc) for which two
files - ip_rules.c and ip_rules.h are generated in the
CURRENT DIRECTORY when ipf is being run. These files
can be used with the IPFILTER_COMPILED kernel option to
build filter rules statically into the kernel.
-d Turn debug mode on. Causes a hexdump of filter rules
to be generated as it processes each one.
-D Disable the filter (if enabled). Not effective for
loadable kernel versions.
-E Enable the filter (if disabled). Not effective for
loadable kernel versions.
-F <i|o|a|s|S|u> This option specifies which filter list to flush. The
parameter should either be "i" (input), "o" (output) or
"a" (remove all filter rules). Either a single letter
or an entire word starting with the appropriate letter
may be used. This option may be before, or after, any
other with the order on the command line being that
used to execute options.
To flush entries from the state table, the -F option is
used in conjunction with either "s" (removes state
information about any non-fully established connections)
or "S" (deletes the entire state table). Only
one of the two options may be given. A fully established
connection will show up in ipfstat -s output as
5/5, with deviations either way indicating it is not
fully established any more.
Flush the authentication tables.
-f <filename> This option specifies which files ipf should use to get
input from for modifying the packet filter rule lists.
-I Set the list to make changes to the inactive list.
Use of the -l flag toggles default logging of packets.
Valid arguments to this option are pass, block, and
nomatch, state and nat. When an option is set,
any packet which exits filtering and matches the set
category is logged. This is most useful for causing all
packets which don't match any of the loaded rules to be
-n This flag (no-change) prevents ipf from actually making
any ioctl calls or doing anything which would alter the
currently running kernel.
-o Force rules by default to be added/deleted to/from the
output list, rather than the (default) input list.
-P Add rules as temporary entries in the authentication
-r Remove matching filter rules rather than add them to
the internal lists.
-s Swap the active filter list in use to be the "other"
one.
-T <optionlist> This option allows run-time
changing of IPFilter kernel variables. Some variables
require IPFilter to be in a disabled state (-D) for
changing, others do not. The optionlist parameter is a
comma-separated list of tuning commands. A tuning command
is either "list" (retrieve a list of all variables
in the kernel, their maximum, minimum and current
value), a single variable name (retrieve its current
value) or a variable name with a following assignment
to set a new value. Some examples follow.
# Print out all IPFilter kernel tunable parameters
ipf -T list
# Display the current TCP idle timeout and then set it to 3600
ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E
# Display current values for fr_pass and fr_chksrc, then set fr_chksrc to 1.
ipf -T fr_pass,fr_chksrc,fr_chksrc=1
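As an added example (not taken from this man page), the following sh script combines the -n, -I, -F and -s options described above into a rule reload that parses the file before anything in the kernel changes, loads it into the inactive list, and only then swaps it live. The function name reload_rules, the IPF variable and the rule file path are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the ipf man page. Reloads a rule file without
# leaving the kernel with a half-loaded active list:
#   1. ipf -n -f FILE        parse only, no ioctl calls, so errors abort early
#   2. ipf -I -F a -f FILE   flush the inactive list and load the rules there
#   3. ipf -s                swap lists, making the new set active in one step
# Set IPF to use another ipf binary; the rule file path is passed as $1.

IPF=${IPF:-ipf}

reload_rules() {
    rules=$1

    # Step 1: dry run. ipf executes options in command-line order, so -n
    # comes first and the parse happens with nothing written to the kernel.
    if ! "$IPF" -n -f "$rules" >/dev/null; then
        echo "reload_rules: $rules did not parse; active list unchanged" >&2
        return 1
    fi

    # Step 2: -I selects the inactive list, -F a empties it, -f loads the new
    # rules into it. Traffic is still filtered by the untouched active list.
    if ! "$IPF" -I -F a -f "$rules"; then
        echo "reload_rules: load into inactive list failed; active list unchanged" >&2
        return 1
    fi

    # Step 3: -s swaps the two lists, so the new rules take effect together.
    "$IPF" -s
}

# Run directly as: sh reload.sh /path/to/ipf.rules (path is an assumption)
if [ $# -gt 0 ]; then
    reload_rules "$1"
fi
```

If the parse in step 1 fails, ipf has not been invoked with -I or -s, so the running rule set is exactly as it was before the script started.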
-v Turn verbose mode on. Displays information relating to
-V Show version information. This will display the version
information compiled into the ipf binary and
retrieve it from the kernel code (if running/present).
If it is present in the kernel, information about its
current state will be displayed (whether logging is
active, default filtering, etc).
-y Manually resync the in-kernel interface list maintained
by IP Filter with the current interface status list.
-z For each rule in the input file, reset the statistics
for it to zero and display the statistics prior to them
-Z Zero global statistics held in the kernel for filtering
only (this doesn't affect fragment or state statis-
ipftest(ADMN), mkfilters(ADMN), ipf(SFF), ipl(SFF), ipf(M),
ipfstat(TC), ipmon(TC), ipnat(ADMN)
Needs to be run as root for the packet filtering lists to
actually be affected inside the kernel.
If you find any, please send email to me at