4 ipf \- alters packet filtering lists for IP packet input and output
27 \fBipf\fP opens the filenames listed (treating "\-" as stdin) and parses the
28 file for a set of rules which are to be added or removed from the packet
31 Each rule processed by \fBipf\fP
32 is added to the kernel's internal lists if there are no parsing problems.
33 Rules are added to the end of the internal lists, matching the order in
34 which they appear when given to \fBipf\fP.
38 IPv4 and IPv6 rules are stored in a single table and can be read from a
39 single file. This option is no longer required to load IPv6 rules. This
40 option is ignored when specified with the -F option and the -F option
41 will flush IPv4 rules even if this option is specified.
44 Set the list to make changes to the active list (default).
47 This option causes \fBipf\fP to generate output files for a compiler that
48 supports \fBlanguage\fI. At present, the only target language supported is
49 \fBC\fB (-cc) for which two files - \fBip_rules.c\fP
50 and \fBip_rules.h\fP are generated in the \fBCURRENT DIRECTORY\fP when
51 \fBipf\fP is being run. These files can be used with the
52 \fBIPFILTER_COMPILED\fP kernel option to build filter rules staticlly into
56 Turn debug mode on. Causes a hexdump of filter rules to be generated as
57 it processes each one.
60 Disable the filter (if enabled). Not effective for loadable kernel versions.
63 Enable the filter (if disabled). Not effective for loadable kernel versions.
66 This option specifies which filter list to flush. The parameter should
67 either be "i" (input), "o" (output) or "a" (remove all filter rules).
68 Either a single letter or an entire word starting with the appropriate
69 letter maybe used. This option maybe before, or after, any other with
70 the order on the command line being that used to execute options.
73 To flush entries from the state table, the \fB-F\fP option is used in
74 conjunction with either "s" (removes state information about any non-fully
75 established connections) or "S" (deletes the entire state table). Only
76 one of the two options may be given. A fully established connection
77 will show up in \fBipfstat -s\fP output as 5/5, with deviations either
78 way indicating it is not fully established any more.
80 .BR \-F <5|6|7|8|9|10|11>
81 For the TCP states that represent the closing of a connection has begun,
82 be it only one side or the complete connection, it is possible to flush
83 those states directly using the number corresponding to that state.
84 The numbers relate to the states as follows: 5 = close-wait, 6 = fin-wait-1,
85 7 = closing, 8 = last-ack, 9 = fin-wait-2, 10 = time-wait, 11 = closed.
88 If the argument supplied to \fB-F\fP is greater than 30, then state table
89 entries that have been idle for more than this many seconds will be flushed.
92 This option specifies which files
93 \fBipf\fP should use to get input from for modifying the packet filter rule
97 Set the list to make changes to the inactive list.
99 .B \-l \0<pass|block|nomatch>
100 Use of the \fB-l\fP flag toggles default logging of packets. Valid
101 arguments to this option are \fBpass\fP, \fBblock\fP and \fBnomatch\fP.
102 When an option is set, any packet which exits filtering and matches the
103 set category is logged. This is most useful for causing all packets
104 which don't match any of the loaded rules to be logged.
107 This flag (no-change) prevents \fBipf\fP from actually making any ioctl
108 calls or doing anything which would alter the currently running kernel.
111 Force rules by default to be added/deleted to/from the output list, rather
112 than the (default) input list.
115 Add rules as temporary entries in the authentication rule table.
118 Remove matching filter rules rather than add them to the internal lists
121 Swap the active filter list in use to be the "other" one.
124 This option allows run-time changing of IPFilter kernel variables. Some
125 variables require IPFilter to be in a disabled state (\fB-D\fP) for changing,
126 others do not. The optionlist parameter is a comma separated list of tuning
127 commands. A tuning command is either "list" (retrieve a list of all variables
128 in the kernel, their maximum, minimum and current value), a single variable
129 name (retrieve its current value) and a variable name with a following
130 assignment to set a new value. Some examples follow.
132 # Print out all IPFilter kernel tunable parameters
134 # Display the current TCP idle timeout and then set it to 3600
135 ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E
136 # Display current values for fr_pass and fr_chksrc, then set fr_chksrc to 1.
137 ipf -T fr_pass,fr_chksrc,fr_chksrc=1
141 Turn verbose mode on. Displays information relating to rule processing.
144 Show version information. This will display the version information compiled
145 into the ipf binary and retrieve it from the kernel code (if running/present).
146 If it is present in the kernel, information about its current state will be
147 displayed (whether logging is active, default filtering, etc).
150 Manually resync the in-kernel interface list maintained by IP Filter with
151 the current interface status list.
154 For each rule in the input file, reset the statistics for it to zero and
155 display the statistics prior to them being zeroed.
158 Zero global statistics held in the kernel for filtering only (this doesn't
159 affect fragment or state statistics).
162 .NM utilizes the following environment variable.
165 ipfilter variables, see VARIABLES in ipf(5), can be specified in this
166 environment variable providing shell access to ipfilter and ipnat variables.
169 IPF_PREDEFINED='my_server="10.1.1.1"; my_client="10.1.1.2";'
177 ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8), ipnat(8)
180 Needs to be run as root for the packet filtering lists to actually
181 be affected inside the kernel.
184 If you find any, please send email to me at darrenr@pobox.com
projects / FreeBSD / stable / 10.git / blob