ipf(1M)                 System Administration Commands                 ipf(1M)

NAME

       ipf - alter packet filtering lists for IP packet input and output


SYNOPSIS

       ipf [-6AdDEInoPRrsvVyzZ] [-l block | pass | nomatch]
            [-T optionlist] [-F i | o | a | s | S] -f filename
            [-f filename...]


DESCRIPTION

       The ipf utility is part of a suite of commands associated with the
       Solaris IP Filter feature. See ipfilter(5).


       The ipf utility opens the filenames listed (treating a hyphen (-) as
       stdin) and parses each file for a set of rules which are to be added
       to or removed from the packet filter rule set.


       If there are no parsing problems, each rule processed by ipf is added
       to the kernel's internal lists. Rules are added to the end of the
       internal lists, matching the order in which they appear when given to
       ipf.


       ipf's use is restricted through access to /dev/ipauth, /dev/ipl, and
       /dev/ipstate. The default permissions of these files require ipf to be
       run as root for all operations.

   Enabling Solaris IP Filter Feature
       Solaris IP Filter is installed with the Solaris operating system.
       However, packet filtering is not enabled by default. Use the following
       procedure to activate the Solaris IP Filter feature.

           1.     Assume a role that includes the IP Filter Management rights
                  profile (see rbac(5)) or become superuser.

           2.     Configure system and services' firewall policies. See
                  svc.ipfd(1M) and ipf(4).

           3.     (Optional) Create a network address translation (NAT)
                  configuration file. See ipnat.conf(4).

           4.     (Optional) Create an address pool configuration file. See
                  ippool(4).

                  Create an ippool.conf file if you want to refer to a group
                  of addresses as a single address pool. If you want the
                  address pool configuration file to be loaded at boot time,
                  create a file called /etc/ipf/ippool.conf in which to put
                  the address pool. If you do not want the address pool
                  configuration file to be loaded at boot time, put the
                  ippool.conf file in a location other than /etc/ipf and
                  manually activate the rules.

           5.     Enable Solaris IP Filter, as follows:

                    # svcadm enable network/ipfilter



       To re-enable packet filtering after it has been temporarily disabled,
       either reboot the machine or enter the following command:

         # svcadm enable network/ipfilter


       ...which essentially executes the following ipf commands:

           1.     Enable Solaris IP Filter:

                    # ipf -E


           2.     Load ippools:

                    # ippool -f <ippool configuration file>

                  See ippool(1M).

           3.     (Optional) Activate packet filtering:

                    # ipf -f <ipf configuration file>


           4.     (Optional) Activate NAT:

                    # ipnat -f <IPNAT configuration file>

                  See ipnat(1M).

       Note -

         If you reboot your system, the IP Filter configuration is
         automatically activated, because the enabled network/ipfilter
         service runs the steps above at boot.


OPTIONS

       The following options are supported:

       -6

           This option is required to parse IPv6 rules and to have them
           loaded. Loading of IPv6 rules is subject to change in the future.


       -A

           Set the list to make changes to the active list (default).


       -d

           Turn debug mode on. Causes a hex dump of filter rules to be
           generated as it processes each one.


       -D

           Disable the filter (if enabled). Not effective for loadable kernel
           versions.


       -E

           Enable the filter (if disabled). Not effective for loadable kernel
           versions.


       -F i | o | a

           Specifies which filter list to flush. The parameter should either
           be i (input), o (output) or a (remove all filter rules). Either a
           single letter or an entire word starting with the appropriate
           letter can be used. The list affected is the one selected by -A
           (the default) or -I. This option can appear before or after any
           other; options are executed in the order in which they appear on
           the command line, so a flush placed before -f empties the list
           before the new rules are loaded.

       -F s | S

           To flush entries from the state table, use the -F option in
           conjunction with either s (removes state information about any
           non-fully established connections) or S (deletes the entire state
           table). You can specify only one of these two options. A fully
           established connection will show up in ipfstat -s output as 4/4,
           with deviations either way indicating the connection is not fully
           established. Deleting the entire state table (S) breaks every
           connection that is currently allowed only by a keep state rule,
           so use it with care on a production host.

       -f filename

           Specifies which files ipf should use to get input from for
           modifying the packet filter rule lists.


       -I

           Set the list to make changes to the inactive list.


       -l pass | block | nomatch

           Toggles default logging of packets. Valid arguments to this option
           are pass, block and nomatch. When an option is set, any packet
           which exits filtering and matches the set category is logged. This
           is most useful for causing all packets that do not match any of the
           loaded rules to be logged.


       -n

           Prevents ipf from making any ioctl calls or doing anything which
           would alter the currently running kernel. Rule files are still
           parsed, so ipf -n -f filename checks a file for syntax errors
           without loading it.


       -o

           Force rules by default to be added/deleted to/from the output list,
           rather than the (default) input list.


       -P

           Add rules as temporary entries in the authentication rule table.


       -R

           Disable both IP address-to-hostname resolution and port number-to-
           service name resolution.


       -r

           Remove matching filter rules rather than add them to the internal
           lists.


       -s

           Swap the currently active filter list with the alternative
           (inactive) list, so that rules loaded with -I become the active
           set and the previously active rules become the inactive set.

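           The inactive list and -s together allow a rule set to be replaced
           without a window in which the kernel runs with no rules, which is
           what the activation procedure above does not give you if you simply
           flush and reload the active list: the new rules are parsed (-n),
           then loaded into the inactive list (-I) while the old rules keep
           filtering, and one swap (-s) makes them active. The following
           script is an added example and is not part of this manual page or
           of the IP Filter distribution; it assumes ipf is on PATH, that it
           is run as root, and that the rule file given as its argument is
           readable. The IPV6 environment variable and the ipf_reload function
           name are this example's own.

```sh
#!/bin/sh
# Added example (not from ipf(1M) or the IP Filter sources): atomic
# replacement of the active filter rules via the inactive list.
# Assumes ipf(1M) is on PATH and the caller is root. Setting IPV6=1
# adds -6 so that IPv6 rules in the file are parsed and loaded.

# ipf_reload FILE
#   1. parse FILE with -n so a syntax error never touches the kernel
#   2. flush the inactive list (-I -Fa) and load FILE into it (-f);
#      the currently active rules keep filtering traffic meanwhile
#   3. swap the lists (-s): the new rules become active in one step
# Returns 2 if FILE is unreadable, 1 if any ipf step fails, else 0.
ipf_reload() {
    conf=$1
    v6=""
    [ "${IPV6:-0}" = 1 ] && v6="-6"
    if [ ! -r "$conf" ]; then
        echo "ipf_reload: cannot read $conf" >&2
        return 2
    fi
    ipf $v6 -n -f "$conf" || {
        echo "ipf_reload: parse error in $conf, kernel untouched" >&2
        return 1
    }
    ipf $v6 -I -Fa -f "$conf" || {
        echo "ipf_reload: load into inactive list failed" >&2
        return 1
    }
    ipf -s || {
        echo "ipf_reload: swap failed, old rules still active" >&2
        return 1
    }
}

# Act only when a file is given on the command line, so this file can
# also be sourced by other scripts that just want the function.
if [ -n "${1:-}" ]; then
    ipf_reload "$1"
fi
```

           After a successful swap the previous rules sit in the inactive
           list; the next ipf_reload flushes them with -Fa before loading. If
           the swap itself fails, the kernel is still running the old active
           rules, which is the reason for loading into the inactive list
           first rather than flushing the active one.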

       -T optionlist

           Allows run-time changing of IPFilter kernel variables. Some
           variables can only be changed while IPFilter is disabled (-D);
           others can be changed at any time. The optionlist parameter is a
           comma-separated list of tuning commands. A tuning command is one
           of the following:

           list

               Retrieve a list of all variables in the kernel, their maximum,
               minimum, and current value.


           single variable name

               Retrieve its current value.


           variable name with a following assignment

               To set a new value.

           Examples follow:

             # Print out all IPFilter kernel tunable parameters
             ipf -T list

             # Display the current TCP idle timeout and then set it to 3600
             ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E

             # Display current values for fr_pass and fr_chksrc, then set
             # fr_chksrc to 1.
             ipf -T fr_pass,fr_chksrc,fr_chksrc=1

           Options are executed in command-line order, so in the second
           example the filter is disabled by -D before the tunable is changed
           and re-enabled by -E afterwards; packets are not filtered in
           between.


       -v

           Turn verbose mode on. Displays information relating to rule
           processing.


       -V

           Show version information. This will display the version information
           compiled into the ipf binary and retrieve it from the kernel code
           (if running or present). If it is present in the kernel,
           information about its current state will be displayed (for example,
           whether logging is active, default filtering, and so forth).


       -y

           Manually resync the in-kernel interface list maintained by IP
           Filter with the current interface status list.


       -z

           For each rule in the input file, reset the statistics for it to
           zero and display the statistics prior to them being zeroed.


       -Z

           Zero global statistics held in the kernel for filtering only. This
           does not affect fragment or state statistics.


FILES

       /dev/ipauth
       /dev/ipl
       /dev/ipstate

           Links to IP Filter pseudo devices.


       /etc/ipf/ipf.conf

           Location of ipf startup configuration file. See ipf(4).


       /usr/share/ipfilter/examples/

           Contains numerous IP Filter examples.


ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:


       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWipfu                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Committed                    │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO

       ipfstat(1M), ipmon(1M), ipnat(1M), ippool(1M), svcadm(1M),
       svc.ipfd(1M), ipf(4), ipnat.conf(4), ippool(4), attributes(5),
       ipfilter(5)


DIAGNOSTICS

       Needs to be run as root for the packet filtering lists to actually be
       affected inside the kernel.



SunOS 5.11                        25 Feb 2009                          ipf(1M)