IPF(1M)IPF(1M)NAMEipf - alter packet filtering lists for IP packet input and output
SYNOPSISipf [-6AdDEGInoPRrsvVyzZ] [-l block | pass | nomatch]
[-T optionlist] [-F i | o | a | s | S] -f filename
[-f filename...] [zonename]
DESCRIPTION
The ipf utility is part of a suite of commands associated with the
Solaris IP Filter feature. See ipfilter(5).
The ipf utility opens the filenames listed (treating a hyphen (-) as
stdin) and parses the file for a set of rules which are to be added or
removed from the packet filter rule set.
If there are no parsing problems, each rule processed by ipf is added
to the kernel's internal lists. Rules are added to the end of the
internal lists, matching the order in which they appear when given to
ipf.
ipf's use is restricted through access to /dev/ipauth, /dev/ipl, and
/dev/ipstate. The default permissions of these files require ipf to be
run as root for all operations.
Enabling Solaris IP Filter Feature
Solaris IP Filter is installed with the Solaris operating system. How‐
ever, packet filtering is not enabled by default. Use the following
procedure to activate the Solaris IP Filter feature.
1. Assume a role that includes the IP Filter Management rights
profile (see rbac(5)) or become superuser.
2. Configure system and services' firewall policies. See
svc.ipfd(1M) and ipf(4).
3. (Optional) Create a network address translation (NAT) con‐
figuration file. See ipnat.conf(4).
4. (Optional) Create an address pool configuration file. See
ippool(4).
Create an ipool.conf file if you want to refer to a group of
addresses as a single address pool. If you want the address
pool configuration file to be loaded at boot time, create a
file called /etc/ipf/ippool.conf in which to put the address
pool. If you do not want the address pool configuration file
to be loaded at boot time, put the ippool.conf file in a
location other than /etc/ipf and manually activate the
rules.
5. Enable Solaris IP Filter, as follows:
# svcadm enable network/ipfilter
To re-enable packet filtering after it has been temporarily disabled
either reboot the machine or enter the following command:
# svcadm enable network/ipfilter
...which essentially executes the following ipf commands:
1. Enable Solaris IP Filter:
# ipf-E
2. Load ippools:
# ippool -f <ippool configuration file>
See ippool(1M).
3. (Optional) Activate packet filtering:
ipf-f <ipf configuration file>
4. (Optional) Activate NAT:
ipnat -f <IPNAT configuration file>
See ipnat(1M).
Note -
If you reboot your system, the IPfilter configuration is automati‐
cally activated.
OPTIONS
The following options are supported:
-6
This option is required to parse IPv6 rules and to have them
loaded. Loading of IPv6 rules is subject to change in the future.
-A
Set the list to make changes to the active list (default).
-d
Turn debug mode on. Causes a hex dump of filter rules to be gener‐
ated as it processes each one.
-D
Disable the filter (if enabled). Not effective for loadable kernel
versions.
-E
Enable the filter (if disabled). Not effective for loadable kernel
versions.
-F i | o | a
Specifies which filter list to flush. The parameter should either
be i (input), o (output) or a (remove all filter rules). Either a
single letter or an entire word starting with the appropriate let‐
ter can be used. This option can be before or after any other, with
the order on the command line determining that used to execute
options.
-F s | S
To flush entries from the state table, use the -F option in conjuc‐
tion with either s (removes state information about any non-fully
established connections) or S (deletes the entire state table). You
can specify only one of these two options. A fully established con‐
nection will show up in ipfstat -s output as 4/4, with deviations
either way indicating the connection is not fully established.
-f filename
Specifies which files ipf should use to get input from for modify‐
ing the packet filter rule lists.
-G
Make changes to the Global Zone-controlled ipfilter for the zone
given as an argument. See the ZONES section for more information.
-I
Set the list to make changes to the inactive list.
-l pass | block | nomatch
Toggles default logging of packets. Valid arguments to this option
are pass, block and nomatch. When an option is set, any packet
which exits filtering and matches the set category is logged. This
is most useful for causing all packets that do not match any of the
loaded rules to be logged.
-n
Prevents ipf from making any ioctl calls or doing anything which
would alter the currently running kernel.
-o
Force rules by default to be added/deleted to/from the output list,
rather than the (default) input list.
-P
Add rules as temporary entries in the authentication rule table.
-R
Disable both IP address-to-hostname resolution and port number-to-
service name resolution.
-r
Remove matching filter rules rather than add them to the internal
lists.
-s
Swap the currently active filter list to be an alternative list.
-T optionlist
Allows run-time changing of IPFilter kernel variables. To allow for
changing, some variables require IPFilter to be in a disabled state
(-D), others do not. The optionlist parameter is a comma-separated
list of tuning commands. A tuning command is one of the following:
list
Retrieve a list of all variables in the kernel, their maximum,
minimum, and current value.
single variable name
Retrieve its current value.
variable name with a following assignment
To set a new value.
Examples follow:
# Print out all IPFilter kernel tunable parameters
ipf-T list
# Display the current TCP idle timeout and then set it to 3600
ipf-D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E
# Display current values for fr_pass and fr_chksrc, then set
# fr_chksrc to 1.
ipf-T fr_pass,fr_chksrc,fr_chksrc=1
-v
Turn verbose mode on. Displays information relating to rule pro‐
cessing.
-V
Show version information. This will display the version information
compiled into the ipf binary and retrieve it from the kernel code
(if running or present). If it is present in the kernel, informa‐
tion about its current state will be displayed; for example,
whether logging is active, default filtering, and so forth).
-y
Manually resync the in-kernel interface list maintained by IP Fil‐
ter with the current interface status list.
-z
For each rule in the input file, reset the statistics for it to
zero and display the statistics prior to them being zeroed.
-Z
Zero global statistics held in the kernel for filtering only. This
does not affect fragment or state statistics.
ZONES
Each non-global zone has two ipfilter instances: the in-zone ipfilter,
which can be controlled from both the zone itself and the global zone,
and the Global Zone-controlled (GZ-controlled) instance, which can only
be controlled from the Global Zone. The non-global zone is not able to
observe or control the GZ-controlled ipfilter.
ipf optionally takes a zone name as an argument, which will change the
ipfilter settings for that zone, rather than the current one. The zone‐
name option is only available in the Global Zone. Using it in any other
zone will return an error. If the -G option is specified with this
argument, the Global Zone-controlled ipfilter is operated on. If -G is
not specified, the in-zone ipfilter is operated on.
FILES
/dev/ipauth
/dev/ipl
/dev/ipstate
Links to IP Filter pseudo devices.
/etc/ipf/ipf.conf
Location of ipf startup configuration file. See ipf(4).
/usr/share/ipfilter/examples/
Contains numerous IP Filter examples.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌────────────────────┬─────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├────────────────────┼─────────────────┤
│Interface Stability │ Committed │
└────────────────────┴─────────────────┘
SEE ALSOipfstat(1M), ipmon(1M), ipnat(1M), ippool(1M), svcadm(1M),
svc.ipfd(1M), ipf(4), ipnat.conf(4), ippool(4), attributes(5), ipfil‐
ter(5), zones(5)DIAGNOSTICS
Needs to be run as root for the packet filtering lists to actually be
affected inside the kernel.
Oct 30, 2013 IPF(1M)
