System Administration Commands ipf(1M)
NAME
ipf - alter packet filtering lists for IP packet input and
output
SYNOPSIS
ipf [-6AdDEInoPRrsvVyzZ] [-l block pass nomatch]
[-T optionlist] [-F i o a s S] -f filename
[-f filename...]
DESCRIPTION
The ipf utility is part of a suite of commands associated
with the Solaris IP Filter feature. See ipfilter(5).
The ipf utility opens the filenames listed (treating a
hyphen (-) as stdin) and parses the file for a set of rules
which are to be added or removed from the packet filter rule
set.
If there are no parsing problems, each rule processed by ipf
is added to the kernel's internal lists. Rules are added to
the end of the internal lists, matching the order in which
they appear when given to ipf.
ipf's use is restricted through access to /dev/ipauth,
/dev/ipl, and /dev/ipstate. The default permissions of these
files require ipf to be run as root for all operations.
Enabling Solaris IP Filter Feature
Solaris IP Filter is installed with the Solaris operating
system. However, packet filtering is not enabled by default.
Use the following procedure to activate the Solaris IP
Filter feature.
1. Assume a role that includes the IP Filter Management
rights profile (see rbac(5)) or become superuser.
2. Configure system and services' firewall policies.
See svc.ipfd(1M) and ipf(4).
3. (Optional) Create a network address translation
(NAT) configuration file. See ipnat.conf(4).
4. (Optional) Create an address pool configuration
file. See ippool(4).
Create an ippool.conf file if you want to refer to a
group of addresses as a single address pool. If you
SunOS 5.11 Last change: 25 Feb 2009 1
want the address pool configuration file to be
loaded at boot time, create a file called
/etc/ipf/ippool.conf in which to put the address
pool. If you do not want the address pool configuration
file to be loaded at boot time, put the ippool.conf file
in a location other than /etc/ipf and manually activate
the rules.
5. Enable Solaris IP Filter, as follows:
# svcadm enable network/ipfilter
To re-enable packet filtering after it has been temporarily
disabled either reboot the machine or enter the following
command:
# svcadm enable network/ipfilter
...which essentially executes the following ipf commands:
1. Enable Solaris IP Filter:
# ipf -E
2. Load ippools:
# ippool -f
See ippool(1M).
3. (Optional) Activate packet filtering:
# ipf -f
4. (Optional) Activate NAT:
# ipnat -f
See ipnat(1M).
Note -
If you reboot your system, the IP Filter configuration is
automatically activated.
OPTIONS
The following options are supported:
-6
This option is required to parse IPv6 rules and to have
them loaded. Loading of IPv6 rules is subject to change
in the future.
-A
Set the list to make changes to the active list
(default).
-d
Turn debug mode on. Causes a hex dump of filter rules to
be generated as it processes each one.
-D
Disable the filter (if enabled). Not effective for loadable
kernel versions.
-E
Enable the filter (if disabled). Not effective for loadable
kernel versions.
-F i o a
Specifies which filter list to flush. The parameter
should either be i (input), o (output) or a (remove all
filter rules). Either a single letter or an entire word
starting with the appropriate letter can be used. This
option can be before or after any other, with the order
on the command line determining that used to execute
options.
-F s S
To flush entries from the state table, use the -F option
in conjunction with either s (removes state information
about any non-fully established connections) or S
(deletes the entire state table). You can specify only
one of these two options. A fully established connection
will show up in ipfstat -s output as 4/4, with deviations
either way indicating the connection is not fully
established.
-f filename
Specifies which files ipf should use to get input from
for modifying the packet filter rule lists.
-I
Set the list to make changes to the inactive list.
-l pass block nomatch
Toggles default logging of packets. Valid arguments to
this option are pass, block and nomatch. When an option
is set, any packet which exits filtering and matches the
set category is logged. This is most useful for causing
all packets that do not match any of the loaded rules to
be logged.
-n
Prevents ipf from making any ioctl calls or doing anything
which would alter the currently running kernel.
-o
Force rules by default to be added/deleted to/from the
output list, rather than the (default) input list.
-P
Add rules as temporary entries in the authentication
rule table.
-R
Disable both IP address-to-hostname resolution and port
number-to-service name resolution.
-r
Remove matching filter rules rather than add them to the
internal lists.
-s
Swap the currently active filter list to be an alternative
list.
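The -n, -I, -F and -s options combine into a safe reload: parse the new rule file without touching the kernel, load it into the inactive list, then swap lists in one step so the active list is never left half-loaded. The following POSIX shell script is an added example, not part of the ipf(1M) page or the IP Filter distribution; the IPF variable and the function name are this example's own.

```shell
#!/bin/sh
# Added example, not from the ipf(1M) page: load a new rule file without
# ever leaving the active list half-loaded.  Steps:
#   1. ipf -n -f FILE        parse only, no ioctls (catches syntax errors)
#   2. ipf -I -F a -f FILE   flush the inactive list, then load FILE into it
#   3. ipf -s                swap inactive <-> active in one operation
# IPF is this example's own knob; it defaults to the real ipf binary and
# can point at a stub when exercising the script's control flow.
IPF="${IPF:-ipf}"

# ipf_stage_and_swap RULEFILE
# Returns 2 if RULEFILE is unreadable, 1 if any ipf step fails (the active
# list is untouched when the dry run fails), 0 after a successful swap.
ipf_stage_and_swap() {
    rulefile="$1"
    if [ ! -r "$rulefile" ]; then
        echo "ipf_stage_and_swap: cannot read rule file: $rulefile" >&2
        return 2
    fi
    # Dry run: with -n, ipf makes no change to the running kernel.
    if ! "$IPF" -n -f "$rulefile" >/dev/null; then
        echo "ipf_stage_and_swap: $rulefile failed to parse; active list untouched" >&2
        return 1
    fi
    # -I selects the inactive list; -F a runs before -f because it appears
    # first on the command line, so the list is flushed and then loaded.
    "$IPF" -I -F a -f "$rulefile" || return 1
    # Make the staged list the active one.
    "$IPF" -s
}

# Stand-alone use (needs root and the IP Filter pseudo devices):
#   sh this_script.sh /etc/ipf/ipf.conf
if [ $# -gt 0 ]; then
    ipf_stage_and_swap "$1"
fi
```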
-T optionlist
Allows run-time changing of IPFilter kernel variables.
To allow for changing, some variables require IPFilter
to be in a disabled state (-D), others do not. The
optionlist parameter is a comma-separated list of tuning
commands. A tuning command is one of the following:
list
Retrieve a list of all variables in the kernel,
their maximum, minimum, and current value.
single variable name
Retrieve its current value.
variable name with a following assignment
To set a new value.
Examples follow:
# Print out all IPFilter kernel tunable parameters
ipf -T list
# Display the current TCP idle timeout and then set it to 3600
ipf -D -T frtcpidletimeout,frtcpidletimeout=3600 -E
# Display current values for frpass and frchksrc, then set
# frchksrc to 1.
ipf -T frpass,frchksrc,frchksrc=1
-v
Turn verbose mode on. Displays information relating to
rule processing.
-V
Show version information. This will display the version
information compiled into the ipf binary and retrieve it
from the kernel code (if running or present). If it is
present in the kernel, information about its current
state will be displayed (for example, whether logging is
active, default filtering, and so forth).
-y
Manually resync the in-kernel interface list maintained
by IP Filter with the current interface status list.
-z
For each rule in the input file, reset the statistics
for it to zero and display the statistics prior to them
being zeroed.
-Z
Zero global statistics held in the kernel for filtering
only. This does not affect fragment or state statistics.
FILES
/dev/ipauth
/dev/ipl
/dev/ipstate
Links to IP Filter pseudo devices.
/etc/ipf/ipf.conf
Location of ipf startup configuration file. See ipf(4).
/usr/share/ipfilter/examples/
Contains numerous IP Filter examples.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE          ATTRIBUTE VALUE
Availability            SUNWipfu
Interface Stability     Committed
SEE ALSO
ipfstat(1M), ipmon(1M), ipnat(1M), ippool(1M), svcadm(1M),
svc.ipfd(1M), ipf(4), ipnat.conf(4), ippool(4),
attributes(5), ipfilter(5)
DIAGNOSTICS
Needs to be run as root for the packet filtering lists to
actually be affected inside the kernel.