ipf (ADMN)


     ipf - alters packet filtering lists for IP packet input  and


     ipf [ -6AdDEInoPrsvVyzZ ] [ -cc ] [ -l
     <block|pass|nomatch|state|nat> ] [ -T <optionlist> ]
     [ -F <i|o|a|s|S|u> ] -f <filename>
     [ -f <filename> [...]]


     ipf opens the filenames listed (treating "-" as  stdin)  and
     parses  the file for a set of rules which are to be added or
     removed from the packet filter rule set.

     Each rule processed by ipf is added to the kernel's internal
     lists  if there are no parsing problems.  Rules are added to
     the end of the internal lists, matching the order  in  which
     they appear when given to ipf.


     -6   This option is required to parse IPv6 rules and to have
          them loaded.

     -A   Set the  list  to  make  changes  to  the  active  list

     -c <language>
          This option causes ipf to generate output files  for  a
          compiler  that supports language.  At present, the only
          target language supported is  C  (-cc)  for  which  two
          files  - ip_rules.c and ip_rules.h are generated in the
          CURRENT DIRECTORY when ipf is being run.   These  files
          can be used with the IPFILTER_COMPILED kernel option to
          build filter rules staticly into the kernel.

     -d   Turn debug mode on.  Causes a hexdump of  filter  rules
          to be generated as it processes each one.

     -D   Disable the filter (if  enabled).   Not  effective  for
          loadable kernel versions.

     -E   Enable the filter (if  disabled).   Not  effective  for
          loadable kernel versions.

     -F <i|o|a>
          This option specifies which filter list to flush.   The
          parameter should either be "i" (input), "o" (output) or
          "a" (remove all filter rules).  Either a single  letter
          or  an entire word starting with the appropriate letter
          maybe used.  This option maybe before,  or  after,  any
          other  with  the  order  on the command line being that
          used to execute options.

     -F <s|S>
          To flush entries from the state table, the -F option is
          used  in  conjunction  with  either  "s" (removes state
          information about  any  non-fully  established  connec-
          tions)  or  "S" (deletes the entire state table).  Only
          one of the two options may be  given.   A  fully  esta-
          blished connection will show up in ipfstat -s output as
          5/5, with deviations either way indicating  it  is  not
          fully established any more.

     -F <uS>
          Flush the authentication tables.

     -f <filename>
          This option specifies which files ipf should use to get
          input from for modifying the packet filter rule lists.

     -I   Set the list to make changes to the inactive list.

     -l  <pass|block|nomatch|state|nat>
          Use of the -l flag toggles default logging of  packets.
          Valid  arguments  to  this option  are pass, block, and
          nomatch, state and nat.  When an option is set,
          any packet which  exits  filtering  and  matches the set
          category is logged.  This is most useful for causing all
          packets which don't match any of the loaded  rules to be

     -n   This flag (no-change) prevents ipf from actually making
          any ioctl calls or doing anything which would alter the
          currently running kernel.

     -o   Force rules by default to be added/deleted to/from  the
          output list, rather than the (default) input list.

     -P   Add rules as temporary entries  in  the  authentication
          rule table.

     -r   Remove matching filter rules rather than  add  them  to
          the internal lists

     -s   Swap the active filter list in use to  be  the  "other"
          one.   -T  <optionlist>  This  option  allows  run-time
          changing of IPFilter kernel variables.  Some  variables
          require  IPFilter  to  be  in a disabled state (-D) for
          changing, others do not.  The optionlist parameter is a
          comma separated list of tuning commands.  A tuning com-
          mand is either "list" (retrieve a list of all variables
          in  the  kernel,  their  maximum,  minimum  and current
          value), a single variable name  (retrieve  its  current
          value)  and a variable name with a following assignment
          to set a new value.  Some examples follow.
          # Print out all IPFilter kernel tunable parameters
          ipf -T list
          # Display the current TCP idle timeout and then set it to 3600
          ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E
          # Display current values for fr_pass and fr_chksrc, then set fr_chksrc to 1.
          ipf -T fr_pass,fr_chksrc,fr_chksrc=1

     -v   Turn verbose mode on.  Displays information relating to
          rule processing.

     -V   Show version information.  This will display  the  ver-
          sion  information  compiled  into  the  ipf  binary and
          retrieve it from the kernel code (if  running/present).
          If  it  is present in the kernel, information about its
          current state will be  displayed  (whether  logging  is
          active, default filtering, etc).

     -y   Manually resync the in-kernel interface list maintained
          by IP Filter with the current interface status list.

     -z   For each rule in the input file, reset  the  statistics
          for it to zero and display the statistics prior to them
          being zeroed.

     -Z   Zero global statistics held in the kernel for filtering
          only  (this  doesn't  affect  fragment or state statis-




     ipftest(ADMN), mkfilters(ADMN), ipf(SFF), ipl(SFF),  ipf(M),
     ipfstat(TC), ipmon(TC), ipnat(ADMN)


     Needs to be run as root for the packet  filtering  lists  to
     actually be affected inside the kernel.


     If  you   find   any,   please   send   email   to   me   at

Man(1) output converted with man2html