IPF(1M)                    Maintenance Commands                    IPF(1M)

NAME
     ipf - alter packet filtering lists for IP packet input and output

SYNOPSIS
     ipf [-6AdDEGInoPRrsvVyzZ] [-l block | pass | nomatch]
         [-T optionlist] [-F i | o | a | s | S] -f filename
         [-f filename...] [zonename]

DESCRIPTION
     The ipf utility is part of a suite of commands associated with the
     Solaris IP Filter feature. See ipfilter(5).

     The ipf utility opens the filenames listed (treating a hyphen (-) as
     stdin) and parses each file for a set of rules which are to be added
     to or removed from the packet filter rule set.

     If there are no parsing problems, each rule processed by ipf is added
     to the kernel's internal lists. Rules are added to the end of the
     internal lists, matching the order in which they appear when given to
     ipf.

     ipf's use is restricted through access to /dev/ipauth, /dev/ipl, and
     /dev/ipstate. The default permissions of these files require ipf to be
     run as root for all operations.

   Enabling Solaris IP Filter Feature
     Solaris IP Filter is installed with the Solaris operating system.
     However, packet filtering is not enabled by default. Use the following
     procedure to activate the Solaris IP Filter feature.

     1. Assume a role that includes the IP Filter Management rights
        profile (see rbac(5)) or become superuser.

     2. Configure system and services' firewall policies. See
        svc.ipfd(1M) and ipf(4).

     3. (Optional) Create a network address translation (NAT)
        configuration file. See ipnat(4).

     4. (Optional) Create an address pool configuration file. See
        ippool(4).

        Create an ippool.conf file if you want to refer to a group
        of addresses as a single address pool. If you want the
        address pool configuration file to be loaded at boot time,
        create a file called /etc/ipf/ippool.conf in which to put
        the address pool.
        If you do not want the address pool configuration file to be
        loaded at boot time, put the ippool.conf file in a location
        other than /etc/ipf and manually activate the rules.

     5. Enable Solaris IP Filter, as follows:

        # svcadm enable network/ipfilter

     To re-enable packet filtering after it has been temporarily disabled,
     either reboot the machine or enter the following command:

        # svcadm enable network/ipfilter

     ...which essentially executes the following ipf commands:

     1. Enable Solaris IP Filter:

        # ipf -E

     2. Load ippools:

        # ippool -f <ippool configuration file>

        See ippool(1M).

     3. (Optional) Activate packet filtering:

        # ipf -f <ipf configuration file>

     4. (Optional) Activate NAT:

        # ipnat -f <IPNAT configuration file>

        See ipnat(1M).

     Note -

        If you reboot your system, the IPfilter configuration is
        automatically activated.

OPTIONS
     The following options are supported:

     -6

         This option is required to parse IPv6 rules and to have them
         loaded. Loading of IPv6 rules is subject to change in the future.

     -A

         Set the list to make changes to the active list (default).

     -d

         Turn debug mode on. Causes a hex dump of filter rules to be
         generated as it processes each one.

     -D

         Disable the filter (if enabled). Not effective for loadable kernel
         versions.

     -E

         Enable the filter (if disabled). Not effective for loadable kernel
         versions.

     -F i | o | a

         Specifies which filter list to flush. The parameter should either
         be i (input), o (output) or a (remove all filter rules). Either a
         single letter or an entire word starting with the appropriate
         letter can be used. This option can be before or after any other,
         with the order on the command line determining the order in which
         options are executed.
     -F s | S

         To flush entries from the state table, use the -F option in
         conjunction with either s (removes state information about any
         non-fully established connections) or S (deletes the entire state
         table). You can specify only one of these two options. A fully
         established connection will show up in ipfstat -s output as 4/4,
         with deviations either way indicating the connection is not fully
         established.

     -f filename

         Specifies the files from which ipf reads the rules used to modify
         the packet filter rule lists.

     -G

         Make changes to the Global Zone-controlled ipfilter for the zone
         given as an argument. See the ZONES section for more information.

     -I

         Set the list to make changes to the inactive list.

     -l pass | block | nomatch

         Toggles default logging of packets. Valid arguments to this option
         are pass, block and nomatch. When an option is set, any packet
         which exits filtering and matches the set category is logged. This
         is most useful for causing all packets that do not match any of
         the loaded rules to be logged.

     -n

         Prevents ipf from making any ioctl calls or doing anything which
         would alter the currently running kernel.

     -o

         Force rules by default to be added/deleted to/from the output
         list, rather than the (default) input list.

     -P

         Add rules as temporary entries in the authentication rule table.

     -R

         Disable both IP address-to-hostname resolution and port
         number-to-service name resolution.

     -r

         Remove matching filter rules rather than add them to the internal
         lists.

     -s

         Swap the currently active filter list to be an alternative list.

     -T optionlist

         Allows run-time changing of IPFilter kernel variables.
         To allow for changing, some variables require IPFilter to be in a
         disabled state (-D), others do not. The optionlist parameter is a
         comma-separated list of tuning commands. A tuning command is one
         of the following:

         list

             Retrieve a list of all variables in the kernel, their
             maximum, minimum, and current value.

         single variable name

             Retrieve its current value.

         variable name with a following assignment

             Set a new value.

         Examples follow:

             # Print out all IPFilter kernel tunable parameters
             ipf -T list

             # Display the current TCP idle timeout and then set it to 3600
             ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E

             # Display current values for fr_pass and fr_chksrc, then set
             # fr_chksrc to 1.
             ipf -T fr_pass,fr_chksrc,fr_chksrc=1

     -v

         Turn verbose mode on. Displays information relating to rule
         processing.

     -V

         Show version information. This will display the version
         information compiled into the ipf binary and retrieve it from the
         kernel code (if running or present). If it is present in the
         kernel, information about its current state will be displayed
         (for example, whether logging is active, default filtering, and
         so forth).

     -y

         Manually resync the in-kernel interface list maintained by IP
         Filter with the current interface status list.

     -z

         For each rule in the input file, reset the statistics for it to
         zero and display the statistics prior to them being zeroed.

     -Z

         Zero global statistics held in the kernel for filtering only. This
         does not affect fragment or state statistics.
ZONES
     Each non-global zone has two ipfilter instances: the in-zone ipfilter,
     which can be controlled from both the zone itself and the global zone,
     and the Global Zone-controlled (GZ-controlled) instance, which can
     only be controlled from the Global Zone. The non-global zone is not
     able to observe or control the GZ-controlled ipfilter.

     ipf optionally takes a zone name as an argument, which will change the
     ipfilter settings for that zone, rather than the current one. The
     zonename option is only available in the Global Zone. Using it in any
     other zone will return an error. If the -G option is specified with
     this argument, the Global Zone-controlled ipfilter is operated on. If
     -G is not specified, the in-zone ipfilter is operated on. Note that
     ipf differs from the other ipfilter tools in how the zone name is
     specified. It takes the zone name as the last argument, while all of
     the other tools take the zone name as an argument to the -G and -z
     options.

FILES
     /dev/ipauth
     /dev/ipl
     /dev/ipstate

         Links to IP Filter pseudo devices.

     /etc/ipf/ipf.conf

         Location of ipf startup configuration file. See ipf(4).

     /usr/share/ipfilter/examples/

         Contains numerous IP Filter examples.

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     +--------------------+-----------------+
     |   ATTRIBUTE TYPE   | ATTRIBUTE VALUE |
     +--------------------+-----------------+
     |Interface Stability | Committed       |
     +--------------------+-----------------+

SEE ALSO
     ipfstat(1M), ipmon(1M), ipnat(1M), ippool(1M), svcadm(1M),
     svc.ipfd(1M), ipf(4), ipnat(4), ippool(4), attributes(5), ipfilter(5),
     zones(5)

DIAGNOSTICS
     Needs to be run as root for the packet filtering lists to actually be
     affected inside the kernel.

                               May 17, 2020                          IPF(1M)
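The manual activation sequence from the DESCRIPTION (ipf -E, ippool -f, ipf -f, ipnat -f) and the zone-argument difference from ZONES, combined in an added POSIX sh helper that is not part of ipf(1M) or the IP Filter suite. It assumes ipf, ippool and ipnat are on PATH, that ipf exits non-zero when a rule file fails to parse, and that ippool and ipnat accept -z zonename as ZONES describes; ipf_activate, IPF_V6 and the argument layout are the helper's own.

```sh
# usage: ipf_activate RULES [POOLS] [NAT] [ZONE]
#   RULES  ipf rule file (required); set IPF_V6=-6 to load IPv6 rules
#   POOLS  ippool.conf to load before the rules ("" to skip)
#   NAT    ipnat.conf to load after the rules ("" to skip)
#   ZONE   non-global zone to operate on (only valid from the global zone)
# Hypothetical helper, not from ipf(1M). Assumes ipf exits non-zero when
# a rule file fails to parse.
ipf_activate() {
    rules=$1 pools=${2:-} nat=${3:-} zone=${4:-}
    v6=${IPF_V6:-}
    # ippool/ipnat take the zone via -z; ipf takes it as the LAST argument.
    zopt=''
    if [ -n "$zone" ]; then zopt="-z $zone"; fi

    [ -r "$rules" ] || { echo "rules file unreadable: $rules" >&2; return 2; }

    # Dry run first: -n parses the file without issuing any ioctl, so a
    # syntax error is caught before the filter is enabled or changed.
    # $v6 and $zone are deliberately unquoted so an empty value vanishes.
    ipf -n $v6 -f "$rules" $zone >/dev/null ||
        { echo "parse error in $rules, nothing loaded" >&2; return 1; }

    # 1. Enable the filter.
    ipf -E $zone || return 1
    # 2. Address pools must exist before rules that reference them.
    if [ -n "$pools" ]; then
        ippool $zopt -f "$pools" || return 1
    fi
    # 3. Load the filter rules; they are appended in file order.
    ipf $v6 -f "$rules" $zone || return 1
    # 4. NAT rules, if any.
    if [ -n "$nat" ]; then
        ipnat $zopt -f "$nat" || return 1
    fi
}
```

Run it as root (or under the IP Filter Management rights profile) as `ipf_activate /etc/ipf/ipf.conf /etc/ipf/ippool.conf /etc/ipf/ipnat.conf`; a parse error leaves the kernel lists untouched.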