
FreeBSD Manual Pages

IPF(8)			    System Manager's Manual			IPF(8)

NAME
       ipf - alters packet filtering lists for IP packet input and output

SYNOPSIS
       ipf [ -6AcdDEInoPrsvVyzZ ] [ -l <block|pass|nomatch> ] [ -T <optionlist> ]
       [ -F <i|o|a|s|S> ] -f <filename> [ -f <filename> [...]]

DESCRIPTION
       ipf opens the filenames listed (treating "-" as stdin) and parses the
       file  for  a  set  of  rules  which are to be added or removed from the
       packet filter rule set.

       Each rule processed by ipf is added to the kernel's internal  lists  if
       there  are  no parsing problems.	 Rules are added to the	end of the in-
       ternal lists, matching the order	in which they  appear  when  given  to

OPTIONS
       -6     IPv4 and IPv6 rules are stored in a single table and can be read
	      from a single file. This option is no longer  required  to  load
	      IPv6  rules.  This  option is ignored when specified with	the -F
	      option and the -F	option will flush IPv4 rules even if this  op-
	      tion is specified.

       -A     Set the list to make changes to the active list (default).

       -c <language>
	      This  option  causes ipf to generate output files	for a compiler
	      that supports language.  At present, the	only  target  language
	      supported	 is  C	(-cc)  for  which  two	files -	ip_rules.c and
	      ip_rules.h are generated in the CURRENT DIRECTORY	 when  ipf  is
	      being  run.   These files	can be used with the IPFILTER_COMPILED
	      kernel option to build filter rules statically into the kernel.

       -d     Turn debug mode on.  Causes a hexdump of filter rules to be gen-
	      erated as	it processes each one.

       -D     Disable  the  filter  (if	 enabled).  Not	effective for loadable
	      kernel versions.

       -E     Enable the filter	(if disabled).	 Not  effective	 for  loadable
	      kernel versions.

       -F <i|o|a>
	      This option specifies which filter list to flush.  The parameter
	      should be "i" (input), "o" (output) or "a" (remove all filter
	      rules).  Either a single letter or an entire word starting with
	      the appropriate letter may be used.  This option may appear
	      before or after any other option; options are executed in the
	      order in which they appear on the command line.

       -F <s|S>
	      To flush entries from the	state table, the -F option is used  in
	      conjunction with either "s" (removes state information about any
	      non-fully	established connections) or "S"	 (deletes  the	entire
	      state  table).   Only  one  of  the two options may be given.  A
	      fully established	connection will	show up	in ipfstat  -s	output
	      as  5/5,	with  deviations either	way indicating it is not fully
	      established any more.

	      For the TCP states that represent a connection whose closing has
	      begun, on one side only or on both, it is possible to flush those
	      states directly using the number corresponding to that state.
	      The numbers relate to the states as follows: 5 = close-wait,
	      6 = fin-wait-1, 7 = closing, 8 = last-ack, 9 = fin-wait-2,
	      10 = time-wait, 11 = closed.

	      If  the  argument	 supplied to -F	is greater than	30, then state
	      table entries that have been idle	for more than this  many  sec-
	      onds will	be flushed.

       -f <filename>
	      This  option  specifies  which files ipf should use to get input
	      from for modifying the packet filter rule	lists.

       -I     Set the list to make changes to the inactive list.

       -l  <pass|block|nomatch>
	      Use of the -l flag toggles default logging  of  packets.	 Valid
	      arguments	 to  this option are pass, block and nomatch.  When an
	      option is	set, any packet	which exits filtering and matches  the
	      set  category  is	 logged.   This	is most	useful for causing all
	      packets which don't match	any of the loaded rules	to be logged.

       -n     This flag	(no-change) prevents  ipf  from	 actually  making  any
	      ioctl  calls  or	doing anything which would alter the currently
	      running kernel.

       -o     Force rules by default to	be added/deleted  to/from  the	output
	      list, rather than	the (default) input list.

       -P     Add rules	as temporary entries in	the authentication rule	table.

       -r     Remove  matching filter rules rather than	add them to the	inter-
	      nal lists

       -s     Swap the active filter list in use to be the "other" one.

       -T <optionlist>
	      This option allows run-time changing of  IPFilter	 kernel	 vari-
	      ables.   Some  variables	require	 IPFilter  to be in a disabled
	      state (-D) for changing, others do not.  The optionlist  parame-
	      ter is a comma separated list of tuning commands.  A tuning
	      command is either "list" (retrieve a list of all variables in
	      the kernel, their maximum, minimum and current value), a single
	      variable name (retrieve its current value) or a variable name
	      with a following assignment to set a new value.  Some examples:

	      # Print out all IPFilter kernel tunable parameters
	      ipf -T list
	      # Display the current TCP idle timeout and then set it to 3600
	      ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E
	      # Display current values for fr_pass and fr_chksrc, then set fr_chksrc to 1.
	      ipf -T fr_pass,fr_chksrc,fr_chksrc=1

       -v     Turn verbose mode	on.  Displays  information  relating  to  rule

       -V     Show  version information.  This will display the	version	infor-
	      mation compiled into the ipf binary and  retrieve	 it  from  the
	      kernel  code (if running/present).  If it	is present in the ker-
	      nel, information about  its  current  state  will	 be  displayed
	      (whether logging is active, default filtering, etc).

       -y     Manually	resync	the  in-kernel interface list maintained by IP
	      Filter with the current interface	status list.

       -z     For each rule in the input file, reset the statistics for	it  to
	      zero and display the statistics prior to them being zeroed.

       -Z     Zero  global  statistics	held  in the kernel for	filtering only
	      (this doesn't affect fragment or state statistics).
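
       The following script is an added example; it is not part of this
       manual page or of the IPFilter sources.  It combines -n, -I, -F, -f
       and -s so that a rules file is parsed before anything is changed, then
       loaded into the inactive list and swapped in, leaving the active list
       untouched if the file contains an error.  The IPF variable and the
       function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the ipf manual page or the IPFilter project):
# replace the active rule set without a window where the filter is empty
# or half loaded.  Assumption: IPF names the ipf binary (overridable so the
# functions can be exercised with a stub); the rules file is given by the caller.
IPF="${IPF:-ipf}"

# ipf_check FILE: parse FILE with -n, so no ioctl reaches the kernel.
# Returns ipf's exit status; nothing is modified either way.
ipf_check() {
    "$IPF" -n -f "$1"
}

# ipf_safe_reload FILE:
#   1. -n            dry run; abort on any parse problem
#   2. -I -Fa -f F   flush the *inactive* list, then add the new rules to it
#                    (options act in command-line order, so -Fa runs before -f)
#   3. -s            swap active/inactive so the new set takes effect at once
# Returns 0 on success, 1 if a step fails.  The active list is only touched
# by the final swap, after the new list has been loaded completely.
ipf_safe_reload() {
    f="$1"
    [ -r "$f" ] || { echo "ipf_safe_reload: cannot read $f" >&2; return 1; }
    ipf_check "$f" || { echo "ipf_safe_reload: $f did not parse" >&2; return 1; }
    "$IPF" -I -Fa -f "$f" || return 1
    "$IPF" -s || return 1
}

# When run as a script with one argument, reload that file.
if [ "$#" -eq 1 ]; then
    ipf_safe_reload "$1"
fi
```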

ENVIRONMENT
       IPF_PREDEFINED
	      ipfilter variables, see VARIABLES in ipf(5), can be specified in
	      this environment variable providing shell access to ipfilter and
	      ipnat variables.  For example,
	      IPF_PREDEFINED='my_server=""; my_client="";'


SEE ALSO
       ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8),

DIAGNOSTICS
       Needs to be run as root for the packet filtering lists to actually be
       affected inside the kernel.

BUGS
       If you find any, please send email to me at


