ipf(1M)               System Administration Commands               ipf(1M)

NAME
     ipf - alter packet filtering lists for IP packet input and output

SYNOPSIS
     ipf [-6AdDEInoPRrsvVyzZ] [-l block | pass | nomatch]
         [-T optionlist] [-F i | o | a | s | S] -f filename
         [-f filename...]

DESCRIPTION
     The ipf utility is part of a suite of commands associated with the
     Solaris IP Filter feature. See ipfilter(5).

     The ipf utility opens the filenames listed (treating a hyphen (-) as
     stdin) and parses each file for a set of rules to be added to or
     removed from the packet filter rule set.

     If there are no parsing problems, each rule processed by ipf is added
     to the kernel's internal lists. Rules are added to the end of the
     internal lists, in the order in which they appear when given to ipf.

     Use of ipf is restricted through access to /dev/ipauth, /dev/ipl, and
     /dev/ipstate. The default permissions of these files require ipf to be
     run as root for all operations.

  Enabling Solaris IP Filter Feature
     Solaris IP Filter is installed with the Solaris operating system.
     However, packet filtering is not enabled by default. Use the following
     procedure to activate the Solaris IP Filter feature.

     1. Assume a role that includes the IP Filter Management rights
        profile (see rbac(5)) or become superuser.

     2. Configure system and services' firewall policies. See
        svc.ipfd(1M) and ipf(4).

     3. (Optional) Create a network address translation (NAT)
        configuration file. See ipnat.conf(4).

     4. (Optional) Create an address pool configuration file. See
        ippool(4).

        Create an ippool.conf file if you want to refer to a group of
        addresses as a single address pool. If you want the address
        pool configuration file to be loaded at boot time, create a
        file called /etc/ipf/ippool.conf in which to put the address
        pool. If you do not want the address pool configuration file
        to be loaded at boot time, put the ippool.conf file in a
        location other than /etc/ipf and manually activate the
        rules.

     5. Enable Solaris IP Filter, as follows:

            # svcadm enable network/ipfilter

     To re-enable packet filtering after it has been temporarily disabled,
     either reboot the machine or enter the following command:

         # svcadm enable network/ipfilter

     ...which essentially executes the following ipf commands:

     1. Enable Solaris IP Filter:

            # ipf -E

     2. Load ippools:

            # ippool -f <ippool configuration file>

        See ippool(1M).

     3. (Optional) Activate packet filtering:

            # ipf -f <ipf configuration file>

     4. (Optional) Activate NAT:

            # ipnat -f <IPNAT configuration file>

        See ipnat(1M).

     Note -

        If you reboot your system, the IP Filter configuration is
        automatically activated.

OPTIONS
     The following options are supported:

     -6

         This option is required to parse IPv6 rules and to have them
         loaded. Loading of IPv6 rules is subject to change in the future.

     -A

         Set the list to make changes to the active list (default).

     -d

         Turn debug mode on. Causes a hex dump of filter rules to be
         generated as it processes each one.

     -D

         Disable the filter (if enabled). Not effective for loadable kernel
         versions.

     -E

         Enable the filter (if disabled). Not effective for loadable kernel
         versions.

     -F i | o | a

         Specifies which filter list to flush. The parameter should either
         be i (input), o (output) or a (remove all filter rules). Either a
         single letter or an entire word starting with the appropriate
         letter can be used. This option can be before or after any other,
         with the order on the command line determining the order in which
         the options are executed.

     -F s | S

         To flush entries from the state table, use the -F option in
         conjunction with either s (removes state information about any
         non-fully established connections) or S (deletes the entire state
         table). You can specify only one of these two options. A fully
         established connection will show up in ipfstat -s output as 4/4,
         with deviations either way indicating the connection is not fully
         established.

     -f filename

         Specifies which files ipf should use as input for modifying the
         packet filter rule lists.

     -I

         Set the list to make changes to the inactive list.

     -l pass | block | nomatch

         Toggles default logging of packets. Valid arguments to this option
         are pass, block and nomatch. When a category is set, any packet
         which exits filtering and matches that category is logged. This
         is most useful for causing all packets that do not match any of the
         loaded rules to be logged.

     -n

         Prevents ipf from making any ioctl calls or doing anything which
         would alter the currently running kernel.

     -o

         Force rules by default to be added/deleted to/from the output list,
         rather than the (default) input list.

     -P

         Add rules as temporary entries in the authentication rule table.

     -R

         Disable both IP address-to-hostname resolution and port number-to-
         service name resolution.

     -r

         Remove matching filter rules rather than add them to the internal
         lists.

     -s

         Swap the currently active filter list with the alternative
         (inactive) list.

     -T optionlist

         Allows run-time changing of IPFilter kernel variables. To allow for
         changing, some variables require IPFilter to be in a disabled state
         (-D), others do not. The optionlist parameter is a comma-separated
         list of tuning commands. A tuning command is one of the following:

         list

             Retrieve a list of all variables in the kernel, their maximum,
             minimum, and current value.

         single variable name

             Retrieve its current value.

         variable name with a following assignment

             Set a new value.

         Examples follow:

             # Print out all IPFilter kernel tunable parameters
             ipf -T list

             # Display the current TCP idle timeout and then set it to 3600
             ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E

             # Display current values for fr_pass and fr_chksrc, then set
             # fr_chksrc to 1.
             ipf -T fr_pass,fr_chksrc,fr_chksrc=1

     -v

         Turn verbose mode on. Displays information relating to rule
         processing.

     -V

         Show version information. This will display the version information
         compiled into the ipf binary and retrieve it from the kernel code
         (if running or present). If it is present in the kernel,
         information about its current state will be displayed (for example,
         whether logging is active, default filtering, and so forth).

     -y

         Manually resync the in-kernel interface list maintained by IP
         Filter with the current interface status list.

     -z

         For each rule in the input file, reset the statistics for it to
         zero and display the statistics prior to them being zeroed.

     -Z

         Zero global statistics held in the kernel for filtering only. This
         does not affect fragment or state statistics.

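     The enabling procedure above and the -n, -F, -I and -s options together
     describe how a rule file is checked, flushed, loaded and made active.
     The following shell script is added here as a worked example; it is
     not part of the ipf(1M) page or of IP Filter itself. It first parses
     the rule file with -n (no ioctls, so a syntax error never reaches the
     kernel), then flushes and loads the inactive list (-I -Fa -f) and swaps
     it in with -s, so that the active list is never left empty between the
     flush and the load. The path /usr/sbin/ipf, the IPF_DRY_RUN variable
     and the function names are the script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the ipf(1M) page: validate a rule file, load it
# into the inactive list, then swap it in. Assumptions: the ipf binary is
# at $IPF (default /usr/sbin/ipf, an assumption) and the rule file path is
# passed as $1. With IPF_DRY_RUN=1 the ipf commands are printed, one per
# line, instead of being executed (useful for review before a real run).

IPF=${IPF:-/usr/sbin/ipf}

# Print or execute one command, depending on IPF_DRY_RUN.
run() {
    if [ "${IPF_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Parse the rule file without issuing ioctls (-n); returns non-zero if the
# file is unreadable or ipf rejects it, so nothing in the kernel changes.
check_rules() {
    [ -r "$1" ] || { printf 'cannot read %s\n' "$1" >&2; return 2; }
    run "$IPF" -n -f "$1"
}

# Flush the inactive list (-I -Fa), load the new rules into it (-f), then
# swap inactive and active lists (-s). ipf executes options in command-line
# order, so -Fa must precede -f for the flush to happen before the load.
swap_in_rules() {
    check_rules "$1" || return $?
    run "$IPF" -I -Fa -f "$1" || return $?
    run "$IPF" -s
}
```

     Run as root, `swap_in_rules /etc/ipf/ipf.conf` replaces the active
     rule set in place; with IPF_DRY_RUN=1 it only prints the three ipf
     invocations it would make, which is a convenient way to review a
     change before applying it.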
FILES
     /dev/ipauth
     /dev/ipl
     /dev/ipstate

         Links to IP Filter pseudo devices.

     /etc/ipf/ipf.conf

         Location of ipf startup configuration file. See ipf(4).

     /usr/share/ipfilter/examples/

         Contains numerous IP Filter examples.

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     ┌─────────────────────────────┬─────────────────────────────┐
     │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
     ├─────────────────────────────┼─────────────────────────────┤
     │Availability                 │SUNWipfu                     │
     ├─────────────────────────────┼─────────────────────────────┤
     │Interface Stability          │Committed                    │
     └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
     ipfstat(1M), ipmon(1M), ipnat(1M), ippool(1M), svcadm(1M),
     svc.ipfd(1M), ipf(4), ipnat.conf(4), ippool(4), attributes(5),
     ipfilter(5)

DIAGNOSTICS
     Needs to be run as root for the packet filtering lists to actually be
     affected inside the kernel.

SunOS 5.11                       25 Feb 2009                          ipf(1M)