
FreeBSD Manual Pages


IPF(8)                                                                  IPF(8)

NAME
       ipf - alters packet filtering lists for IP packet input and output

SYNOPSIS
       ipf [ -6AcdDEInoPrsvVyzZ ] [ -l <block|pass|nomatch> ] [ -T <optionlist> ]
       [ -F <i|o|a|s|S> ] -f <filename> [ -f <filename> [...]]

DESCRIPTION
       ipf opens the filenames listed (treating "-" as stdin) and parses the
       file for a set of rules which are to be added or removed from the
       packet filter rule set.

       Each rule processed by ipf is added to the kernel's internal  lists  if
       there  are  no  parsing  problems.   Rules  are added to the end of the
       internal lists, matching the order in which they appear when  given  to

OPTIONS
       -6     This option is required to parse IPv6 rules and to have them

       -A     Set the list to make changes to the active list (default).

       -c <language>
              This option causes ipf to generate output files for a compiler
              that supports language.  At present, the only target language
              supported is C (-cc), for which two files, ip_rules.c and
              ip_rules.h, are generated in the CURRENT DIRECTORY when ipf is
              being run.  These files can be used with the IPFILTER_COMPILED
              kernel option to build filter rules statically into the kernel.

       -d     Turn debug mode on.  Causes a hexdump of filter rules to be
              generated as it processes each one.

       -D     Disable the filter (if enabled).   Not  effective  for  loadable
              kernel versions.

       -E     Enable  the  filter  (if  disabled).  Not effective for loadable
              kernel versions.

       -F <i|o|a>
              This option specifies which filter list to flush.  The parameter
              should be either "i" (input), "o" (output) or "a" (remove all
              filter rules).  Either a single letter or an entire word
              starting with the appropriate letter may be used.  This option
              may be given before, or after, any other option; options are
              executed in the order in which they appear on the command line.

       -F <s|S>
              To  flush entries from the state table, the -F option is used in
              conjunction with either "s" (removes state information about any
              non-fully  established  connections)  or "S" (deletes the entire
              state table).  Only one of the two  options  may  be  given.   A
              fully  established  connection will show up in ipfstat -s output
              as 5/5, with deviations either way indicating it  is  not  fully
              established any more.

       -f <filename>
              This  option  specifies  which files ipf should use to get input
              from for modifying the packet filter rule lists.

       -I     Set the list to make changes to the inactive list.

       -l  <pass|block|nomatch>
              Use of the -l flag toggles default logging  of  packets.   Valid
              arguments  to  this option are pass, block and nomatch.  When an
              option is set, any packet which exits filtering and matches  the
              set  category  is  logged.   This is most useful for causing all
              packets which don't match any of the loaded rules to be  logged.

       -n     This  flag  (no-change)  prevents  ipf  from actually making any
              ioctl calls or doing anything which would  alter  the  currently
              running kernel.

       -o     Force  rules  by  default to be added/deleted to/from the output
              list, rather than the (default) input list.

       -P     Add rules as temporary entries in the authentication rule table.

       -r     Remove matching filter rules rather than add them to the
              internal lists.

       -s     Swap the active filter list in use to be the "other" one.

       -T <optionlist>
              This option allows run-time changing of IPFilter kernel
              variables.  Some variables require IPFilter to be in a disabled
              state (-D) for changing, others do not.  The optionlist
              parameter is a comma separated list of tuning commands.  A
              tuning command is either "list" (retrieve a list of all
              variables in the kernel, their maximum, minimum and current
              value), a single variable name (retrieve its current value) or
              a variable name with a following assignment to set a new value.
              Some examples follow.

              # Print out all IPFilter kernel tunable parameters
              ipf -T list

              # Display the current TCP idle timeout and then set it to 3600
              ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E

              # Display current values for fr_pass and fr_chksrc, then set fr_chksrc to 1.
              ipf -T fr_pass,fr_chksrc,fr_chksrc=1
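As an added example (not part of this manual page or of IPFilter itself), a POSIX sh wrapper that combines the -n, -I, -F, -f and -s options described above into a rule reload that never exposes a half-loaded active list: parse-check the file first, flush and load the inactive list, then swap. The IPF variable and the ipf_reload function name are assumptions of this example.

```shell
#!/bin/sh
# Constructed example: staged IPFilter rule reload using documented ipf(8) options.
# IPF may be overridden (e.g. IPF=some_stub) to rehearse the sequence without
# touching the running kernel; by default the real ipf binary is used.
IPF="${IPF:-ipf}"

# ipf_reload RULEFILE
#   1. parse-check with -n (no ioctl calls, the kernel is not altered)
#   2. select the inactive list (-I), flush it (-F a) and load the file (-f)
#   3. swap (-s) so the freshly loaded list becomes the active one
ipf_reload() {
    rules="$1"
    if [ ! -r "$rules" ]; then
        echo "ipf_reload: cannot read rule file: $rules" >&2
        return 2
    fi
    # dry run: a parse error aborts before anything in the kernel changes
    "$IPF" -n -f "$rules" || return 1
    # options execute in command-line order: select inactive, flush it, load
    # into it; the active list keeps filtering untouched during this step
    "$IPF" -I -F a -f "$rules" || return 1
    # make the inactive list active (the previous active list becomes inactive)
    "$IPF" -s
}
```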

       -v     Turn  verbose  mode  on.   Displays information relating to rule

       -V     Show version information.  This will display the version
              information compiled into the ipf binary and retrieve it from
              the kernel code (if running/present).  If it is present in the
              kernel, information about its current state will be displayed
              (whether logging is active, default filtering, etc).

       -y     Manually resync the in-kernel interface list  maintained  by  IP
              Filter with the current interface status list.

       -z     For  each rule in the input file, reset the statistics for it to
              zero and display the statistics prior to them being zeroed.

       -Z     Zero global statistics held in the  kernel  for  filtering  only
              (this doesn't affect fragment or state statistics).


SEE ALSO
       ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8),

DIAGNOSTICS
       Needs to be run as root for the packet filtering lists to actually be
       affected inside the kernel.

BUGS
       If you find any, please send email to me at


