Alter packet filtering lists for IP packet input and output
ipf [-6AdDEInoPrsUvVyzZ] [-l block|pass|nomatch]  
    [-F i|o|a|s|S] -f filename [-f filename [...]]
Neutrino
- -6
 
- Parse IPv6 rules and have them loaded.
 
- -A
 
- Make changes to the active list (default).
 
- -d
 
- Turn debug mode on. This causes a hexdump of each filter rule to be generated as ipf processes it.
 
- -D
 
- Disable the filter (if enabled).  Not effective for
loadable TCP/IP stack versions.
 
- -E
 
- Enable the filter (if disabled).  Not effective for
loadable TCP/IP stack versions.
 
- -Fi|o|a
 
- Specify which filter list to flush.
The parameter should be i (input), o (output), or a (remove all filter rules).
Use either a single letter or an entire word starting with the appropriate letter.
 
- -Fs|S
 
- Flush entries from the state table. Use in conjunction with either s
(removes state information about any non-fully established connections) or S
(deletes the entire state table). A fully established connection shows up
in ipfstat -s with output as 4/4.
 
- -f filename
 
- Specify the files that ipf should read its input from when modifying the
packet filter rule lists.
 
- -I
 
- Make changes to the inactive list.
 
- -lpass|block|nomatch
 
- Toggle the default logging of packets.
Valid arguments to this option are pass, block, and nomatch.
 
- -n
 
- Prevent ipf from actually making any ioctl() calls or doing anything that
would alter the currently running TCP/IP stack.
 
- -o
 
- Force rules by default to be added to or deleted from the output list,
rather than the (default) input list.
 
- -P
 
- Add rules as temporary entries in the authentication rule table.
 
- -r
 
- Remove matching filter rules rather than add them to the internal lists.
 
- -s
 
- Swap the active filter list in use to the "other" list.
 
- -U
 
- Block any packets traveling along the data stream that aren't recognized as IP packets.
They are printed out on the console.
 
- -v
 
- Turn verbose mode on. Display information relating to rule processing.
 
- -V
 
- Show version information. 
 
- -y
 
- Resync the interface list in the TCP/IP stack maintained by IP Filter
with the current interface status list.
 
- -z
 
- Reset the statistics to zero. Also, display the statistics before
they are zeroed.
 
- -Z
 
- Zero the global statistics held for filtering only (this doesn't affect fragment or state
statistics).
 
The ipf utility opens the listed filenames (treating "-" as
stdin) and parses the file for a set of rules to be added
or removed from the packet filter rule set.
Each rule processed by ipf is added to the TCP/IP stack's internal
lists if there are no parsing problems. Rules are
added to the end of the internal lists, matching the order
in which they appear when given to ipf.
Depending on the error, the utility displays messages indicating:
- the specified interface doesn't exist
- the requested address is unknown
- you tried to alter an interface's configuration, but you don't have
    the appropriate privileges.
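
The options above can be combined into a staged reload, so that a ruleset with a parsing problem never reaches the active list. The following is an added example, not part of the original page or of IP Filter itself; the IPF variable, the function name and the rules path are hypothetical, and it assumes ipf exits non-zero when a rule fails to parse or load.

```shell
#!/bin/sh
# Added example (not from the original page): staged reload of an IP Filter
# ruleset using only options documented above: -n, -I, -Fa, -f and -s.

# Assumption: IPF is a hypothetical override for the ipf binary, so the
# function can be exercised against a stub on a machine without IP Filter.
IPF=${IPF:-ipf}

# reload_ipf_rules FILE
#   0  rules loaded into the inactive list and swapped in
#   1  FILE is not readable
#   2  dry run (-n) rejected the file; running stack untouched
#   3  load into the inactive list failed; active list untouched
#   4  swap (-s) failed; the old rules are still the active list
# Assumption: ipf exits non-zero when a rule fails to parse or load.
reload_ipf_rules() {
    rules=$1
    [ -r "$rules" ] || { echo "cannot read $rules" >&2; return 1; }

    # Step 1: -n makes no ioctl() calls, so this only parses the file.
    "$IPF" -n -f "$rules" || { echo "parse check failed" >&2; return 2; }

    # Step 2: -I selects the inactive list, -Fa flushes that list, then
    # -f appends the new rules to it in the order they appear in the file.
    # The active list keeps filtering traffic while this happens.
    "$IPF" -I -Fa -f "$rules" || { echo "inactive load failed" >&2; return 3; }

    # Step 3: -s swaps the active list with the freshly loaded one, so
    # there is no window in which the filter runs with a flushed list.
    "$IPF" -s || { echo "swap failed" >&2; return 4; }
}

# Usage (constructed path): reload_ipf_rules /etc/ipf.rules.new
```

Because -s only swaps the two lists, the previous rules remain in the inactive list after a successful reload, and a second ipf -s puts them back in use.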
 
ipfs,
ipfstat,
ipmon,
ipnat,
lsm-ipfilter-*.so
"Setting up a firewall"
in the Securing Your System chapter of the Neutrino User's Guide