NAME
ipf - alters packet filtering lists for IP packet input and output

SYNOPSIS
ipf [ -6ACdDEInoPrsvVyzZ ] [ -l <block|pass|nomatch> ] [ -T <optionlist> ]
[ -F <i|o|a|s|S> ] -f <filename> [ -f <filename> [...]]
DESCRIPTION
ipf opens the filenames listed (treating "-" as stdin) and parses the file
for a set of rules which are to be added or removed from the packet filter.
Each rule processed by ipf is added to the kernel's internal lists if there
are no parsing problems. Rules are added to the end of the internal lists,
matching the order in which they appear when given to ipf.

OPTIONS
-6 This option is required to parse IPv6 rules and to have them loaded.
-A Set the list to make changes to the active list (default).
-C This option causes ipf to generate two files - ip_rules.c and
ip_rules.h in the CURRENT DIRECTORY when ipf is being run. These
files can be used with the IPFILTER_COMPILED kernel option to build
filter rules statically into the kernel.
-d Turn debug mode on. Causes a hexdump of filter rules to be generated
as it processes each one.
-D Disable the filter (if enabled). Not effective for loadable kernel
-E Enable the filter (if disabled). Not effective for loadable kernel
-F <i|o|a|s|S> This option specifies which filter list to flush. The parameter
should either be "i" (input), "o" (output) or "a" (remove all filter
rules). Either a single letter or an entire word starting with the
appropriate letter may be used. This option may be before, or after,
any other, with the order on the command line being that used to execute.
To flush entries from the state table, the -F option is used in
conjunction with either "s" (removes state information about any non-fully
established connections) or "S" (deletes the entire state table).
Only one of the two options may be given. A fully established connection
will show up in ipfstat -s output as 4/4, with deviations either
way indicating it is not fully established any more.
-f <filename> This option specifies which files ipf should use to get input from for
modifying the packet filter rule lists.
-I Set the list to make changes to the inactive list.
-l <block|pass|nomatch> Use of the -l flag toggles default logging of packets. Valid
arguments to this option are pass, block and nomatch. When an option is
set, any packet which exits filtering and matches the set category is
logged. This is most useful for causing all packets which don't match
any of the loaded rules to be logged.
-n This flag (no-change) prevents ipf from actually making any ioctl
calls or doing anything which would alter the currently running kernel.
-o Force rules by default to be added/deleted to/from the output list,
rather than the (default) input list.
-P Add rules as temporary entries in the authentication rule table.
-r Remove matching filter rules rather than add them to the internal lists.
-s Swap the active filter list in use to be the "other" one.
-T <optionlist> This option allows run-time changing of IPFilter kernel
variables. Some variables require IPFilter to be in a disabled state (-D)
for changing, others do not. The optionlist parameter is a comma
separated list of tuning commands. A tuning command is either "list"
(retrieve a list of all variables in the kernel, their maximum,
minimum and current value), a single variable name (retrieve its
current value) or a variable name with a following assignment to set
a new value. Some examples follow.

    # Print out all IPFilter kernel tunable parameters
    ipf -T list

    # Display the current TCP idle timeout and then set it to 3600
    ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E

    # Display current values for fr_pass and fr_chksrc, then set fr_chksrc to 1.
    ipf -T fr_pass,fr_chksrc,fr_chksrc=1
-v Turn verbose mode on. Displays information relating to rule processing.
-V Show version information. This will display the version information
compiled into the ipf binary and retrieve it from the kernel code (if
running/present). If it is present in the kernel, information about
its current state will be displayed (whether logging is active,
default filtering, etc).
-y Manually resync the in-kernel interface list maintained by IP Filter
with the current interface status list.
-z For each rule in the input file, reset the statistics for it to zero
and display the statistics prior to them being zeroed.
-Z Zero global statistics held in the kernel for filtering only (this
doesn't affect fragment or state statistics).
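The script below is an added example and is not part of the ipf man page or the IPFilter distribution. It combines the options documented above into a safe rule reload: the new ruleset is loaded into the inactive list with -I (flushing that list first with -Fa), and only then made live with -s, so the kernel never filters with a half-loaded set; -n gives a dry run with no ioctl calls, and -6 is passed when IPv6 rules are present. It also builds a -T optionlist from individual tokens, rejecting anything that is not a plain variable name or name=value. The IPF variable, the function names and the file-permission check are this example's own assumptions; ipf itself must be run as root for any of it to take effect.

```shell
#!/bin/sh
# Added example, not part of the ipf(8) man page: an atomic rule reload built
# from the documented flags -I (inactive list), -F (flush), -f (rules file),
# -s (swap lists) and -n (dry run), plus a builder for the -T optionlist.
# IPF names the binary and can be pointed at a stub or "echo" for testing.
IPF="${IPF:-ipf}"

# Refuse a rules file that is missing, unreadable, or writable by group/other.
# ipf runs as root, so whoever can edit the rules file controls the filter.
check_rules_file() {
    f="$1"
    [ -f "$f" ] && [ -r "$f" ] || { echo "rules file not readable: $f" >&2; return 1; }
    # octal mode: GNU stat first, BSD stat as fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    case "$mode" in
        *[2367]?|*[2367]) echo "rules file is group/world writable ($mode): $f" >&2; return 1 ;;
    esac
    return 0
}

# Load $1 into the inactive list (flushing it first) and then swap lists, so
# the kernel switches from the old ruleset to the complete new one in one step.
# $2 = "6" to parse IPv6 rules, $3 = "n" to dry-run (ipf -n makes no ioctl calls).
reload_rules() {
    rules="$1"; v6="$2"; dry="$3"
    check_rules_file "$rules" || return 1
    set -- -I -Fa -f "$rules"
    [ "$v6" = 6 ] && set -- -6 "$@"
    [ "$dry" = n ] && set -- -n "$@"
    "$IPF" "$@" || return 1
    if [ "$dry" = n ]; then return 0; fi
    "$IPF" -s
}

# Build a -T optionlist from "name" / "name=value" words, rejecting anything
# that is not a plain identifier with at most one "=" so stray text never
# reaches the kernel tuning interface.
tune_list() {
    out=""
    for t in "$@"; do
        case "$t" in
            ""|*[!A-Za-z0-9_=]*|=*|*=|*=*=*) echo "bad tuning token: $t" >&2; return 1 ;;
        esac
        out="${out:+$out,}$t"
    done
    printf '%s' "$out"
}

# Usage (as root):  reload_rules /etc/ipf.conf 6 n   # dry run first
#                   reload_rules /etc/ipf.conf 6     # then for real
#                   "$IPF" -T "$(tune_list fr_pass fr_chksrc fr_chksrc=1)"
```

Running the dry run first is the cheap check: ipf -n still parses every rule, so a syntax error surfaces before anything touches the active list, and the -I/-s sequence means a parse failure part-way through leaves the live ruleset untouched.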
SEE ALSO
ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8),
DIAGNOSTICS
Needs to be run as root for the packet filtering lists to actually be
affected inside the kernel.
BUGS
If you find any, please send email to me at darrenrATpobox.com