1 .\" $FreeBSD: src/contrib/ipfilter/man/ipf.8,v 1.3.2.2 2003/03/01 03:55:53 darrenr Exp $
2 .\" $FreeBSD: src/contrib/ipfilter/man/ipf.8,v 1.3.2.3 2004/07/04 09:24:40 darrenr Exp $
5 ipf \- alters packet filtering lists for IP packet input and output
25 \fBipf\fP opens the filenames listed (treating "\-" as stdin) and parses the
26 file for a set of rules which are to be added or removed from the packet
29 Each rule processed by \fBipf\fP
30 is added to the kernel's internal lists if there are no parsing problems.
31 Rules are added to the end of the internal lists, matching the order in
32 which they appear when given to \fBipf\fP.
36 This option is required to parse IPv6 rules and to have them loaded.
39 Set the list to make changes to the active list (default).
42 Turn debug mode on. Causes a hexdump of filter rules to be generated as
43 it processes each one.
46 Disable the filter (if enabled). Not effective for loadable kernel versions.
49 Enable the filter (if disabled). Not effective for loadable kernel versions.
52 This option specifies which filter list to flush. The parameter should
53 either be "i" (input), "o" (output) or "a" (remove all filter rules).
54 Either a single letter or an entire word starting with the appropriate
55 letter maybe used. This option maybe before, or after, any other with
56 the order on the command line being that used to execute options.
59 To flush entries from the state table, the \fB-F\fP option is used in
60 conjunction with either "s" (removes state information about any non-fully
61 established connections) or "S" (deletes the entire state table). Only
62 one of the two options may be given. A fully established connection
63 will show up in \fBipfstat -s\fP output as 4/4, with deviations either
64 way indicating it is not fully established any more.
67 This option specifies which files
68 \fBipf\fP should use to get input from for modifying the packet filter rule
72 Set the list to make changes to the inactive list.
74 .B \-l \0<pass|block|nomatch>
75 Use of the \fB-l\fP flag toggles default logging of packets. Valid
76 arguments to this option are \fBpass\fP, \fBblock\fP and \fBnomatch\fP.
77 When an option is set, any packet which exits filtering and matches the
78 set category is logged. This is most useful for causing all packets
79 which don't match any of the loaded rules to be logged.
82 This flag (no-change) prevents \fBipf\fP from actually making any ioctl
83 calls or doing anything which would alter the currently running kernel.
86 Force rules by default to be added/deleted to/from the output list, rather
87 than the (default) input list.
90 Add rules as temporary entries in the authentication rule table.
93 Remove matching filter rules rather than add them to the internal lists
96 Swap the active filter list in use to be the "other" one.
99 (SOLARIS 2 ONLY) Block packets travelling along the data stream which aren't
100 recognised as IP packets. They will be printed out on the console.
103 Turn verbose mode on. Displays information relating to rule processing.
106 Show version information. This will display the version information compiled
107 into the ipf binary and retrieve it from the kernel code (if running/present).
108 If it is present in the kernel, information about its current state will be
109 displayed (whether logging is active, default filtering, etc).
112 Manually resync the in-kernel interface list maintained by IP Filter with
113 the current interface status list.
116 For each rule in the input file, reset the statistics for it to zero and
117 display the statistics prior to them being zeroed.
120 Zero global statistics held in the kernel for filtering only (this doesn't
121 affect fragment or state statistics).
130 ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8), ipnat(8)
133 Needs to be run as root for the packet filtering lists to actually
134 be affected inside the kernel.
137 If you find any, please send email to me at darrenr@pobox.com
projects / dragonfly.git / blob