
FreeBSD Manual Pages


IPF(8)			    System Manager's Manual			IPF(8)

NAME
       ipf - alters packet filtering lists for IP packet input and output

SYNOPSIS
       ipf [ -6AcdDEInoPrsvVyzZ ] [ -l <block|pass|nomatch> ] [ -T <option-
       list> ] [ -F <i|o|a|s|S> ] -f <filename> [ -f <filename> [...]]

DESCRIPTION
       ipf opens the filenames listed (treating "-" as stdin) and parses each
       file for a set of rules which are to be added to or removed from the
       packet filter rule set.

       Each rule processed by ipf is added to the kernel's internal  lists  if
       there  are  no parsing problems.	 Rules are added to the	end of the in-
       ternal lists, matching the order	in which they  appear  when  given  to

OPTIONS
       -6     This option is required to parse IPv6 rules and to have them

       -A     Set the list to make changes to the active list (default).

       -c <language>
              This option causes ipf to generate output files for a compiler
              that supports <language>.  At present, the only target language
              supported is C (-cc), for which two files, ip_rules.c and
              ip_rules.h, are generated in the CURRENT DIRECTORY from which
              ipf is run.  These files can be used with the IPFILTER_COMPILED
              kernel option to build filter rules statically into the kernel.

       -d     Turn debug mode on.  Causes a hexdump of filter rules to be gen-
	      erated as	it processes each one.

       -D     Disable the filter (if enabled).	 Not  effective	 for  loadable
	      kernel versions.

       -E     Enable  the  filter  (if	disabled).  Not	effective for loadable
	      kernel versions.

       -F <i|o|a>
              This option specifies which filter list to flush.  The parameter
              should be either "i" (input), "o" (output) or "a" (remove all
              filter rules).  Either a single letter or an entire word start-
              ing with the appropriate letter may be used.  This option may
              appear before or after any other; options are executed in the
              order in which they appear on the command line.

       -F <s|S>
	      To  flush	entries	from the state table, the -F option is used in
	      conjunction with either "s" (removes state information about any
	      non-fully	 established  connections)  or "S" (deletes the	entire
	      state table).  Only one of the two  options  may	be  given.   A
	      fully  established  connection will show up in ipfstat -s	output
	      as 5/5, with deviations either way indicating it	is  not	 fully
	      established any more.

       -f <filename>
	      This  option  specifies  which files ipf should use to get input
	      from for modifying the packet filter rule	lists.

       -I     Set the list to make changes to the inactive list.

       -l  <pass|block|nomatch>
	      Use of the -l flag toggles default logging  of  packets.	 Valid
	      arguments	 to  this option are pass, block and nomatch.  When an
	      option is	set, any packet	which exits filtering and matches  the
	      set  category  is	 logged.   This	is most	useful for causing all
	      packets which don't match	any of the loaded rules	to be logged.

       -n     This flag	(no-change) prevents  ipf  from	 actually  making  any
	      ioctl  calls  or	doing anything which would alter the currently
	      running kernel.

       -o     Force rules by default to	be added/deleted  to/from  the	output
	      list, rather than	the (default) input list.

       -P     Add rules	as temporary entries in	the authentication rule	table.

       -r     Remove matching filter rules rather than add them to the inter-
              nal lists.

       -s     Swap the active filter list in use to be the "other" one.

       -T <optionlist>
              This option allows run-time changing of IPFilter kernel
              variables.  Some variables require IPFilter to be in a disabled
              state (-D) for changing, others do not.  The optionlist param-
              eter is a comma separated list of tuning commands.  A tuning
              command is either "list" (retrieve a list of all variables in
              the kernel, their maximum, minimum and current value), a single
              variable name (retrieve its current value) or a variable name
              with a following assignment to set a new value.  Some examples
              follow.
              # Print out all IPFilter kernel tunable parameters
              ipf -T list
              # Display the current TCP idle timeout and then set it to 3600
              ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E
              # Display current values for fr_pass and fr_chksrc, then set fr_chksrc to 1.
              ipf -T fr_pass,fr_chksrc,fr_chksrc=1

       -v     Turn  verbose  mode  on.	 Displays information relating to rule

       -V     Show version information.	 This will display the version	infor-
	      mation  compiled	into  the  ipf binary and retrieve it from the
	      kernel code (if running/present).	 If it is present in the  ker-
	      nel,  information	 about	its  current  state  will be displayed
	      (whether logging is active, default filtering, etc).

       -y     Manually resync the in-kernel interface list  maintained	by  IP
	      Filter with the current interface	status list.

       -z     For  each	rule in	the input file,	reset the statistics for it to
	      zero and display the statistics prior to them being zeroed.

       -Z     Zero global statistics held in the  kernel  for  filtering  only
	      (this doesn't affect fragment or state statistics).


SEE ALSO
       ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8),

DIAGNOSTICS
       Needs to be run as root for the packet filtering lists to actually be
       affected inside the kernel.

BUGS
       If you find any, please send email to me at


