1 '\" te
   2 .\" To view license terms, attribution, and copyright for IP Filter, the default path is /usr/lib/ipf/IPFILTER.LICENCE. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the installed
   3 .\" location.
   4 .\" Portions Copyright (c) 2009, Sun Microsystems Inc. All Rights Reserved.
   5 .\" Portions Copyright (c) 2015, Joyent, Inc.
   6 .TH IPF 1M "April 9, 2016"
   7 .SH NAME
   8 ipf \- alter packet filtering lists for IP packet input and output
   9 .SH SYNOPSIS
  10 .LP
  11 .nf
  12 \fBipf\fR [\fB-6AdDEGInoPRrsvVyzZ\fR] [\fB-l\fR block | pass | nomatch]
  13      [\fB-T\fR \fIoptionlist\fR] [\fB-F\fR i | o | a | s | S] \fB-f\fR \fIfilename\fR
  14      [\fB-f\fR \fIfilename\fR...] [\fIzonename\fR]
  15 .fi
  16 
  17 .SH DESCRIPTION
  18 .LP
  19 The \fBipf\fR utility is part of a suite of commands associated with the
  20 Solaris IP Filter feature. See \fBipfilter\fR(5).
  21 .sp
  22 .LP
  23 The \fBipf\fR utility opens the filenames listed (treating a hyphen (\fB-\fR)
  24 as stdin) and parses the file for a set of rules which are to be added or
  25 removed from the packet filter rule set.
  26 .sp
  27 .LP
  28 If there are no parsing problems, each rule processed by \fBipf\fR is added to
  29 the kernel's internal lists. Rules are added to the end of the internal lists,
  30 matching the order in which they appear when given to \fBipf\fR.
  31 .sp
  32 .LP
  33 \fBipf\fR's use is restricted through access to \fB/dev/ipauth\fR,
  34 \fB/dev/ipl\fR, and \fB/dev/ipstate\fR. The default permissions of these files
  35 require \fBipf\fR to be run as root for all operations.
  36 .SS "Enabling Solaris IP Filter Feature"
  37 .LP
  38 Solaris IP Filter is installed with the Solaris operating system. However,
  39 packet filtering is not enabled by default. Use the following procedure to
  40 activate the Solaris IP Filter feature.
  41 .RS +4
  42 .TP
  43 1.
  44 Assume a role that includes the IP Filter Management rights profile (see
  45 \fBrbac\fR(5)) or become superuser.
  46 .RE
  47 .RS +4
  48 .TP
  49 2.
  50 Configure system and services' firewall policies. See \fBsvc.ipfd\fR(1M) and
  51 \fBipf\fR(4).
  52 .RE
  53 .RS +4
  54 .TP
  55 3.
  56 (Optional) Create a network address translation (NAT) configuration file.
  57 See \fBipnat\fR(4).
  58 .RE
  59 .RS +4
  60 .TP
  61 4.
  62 (Optional) Create an address pool configuration file. See \fBippool\fR(4).
  63 .sp
Create an \fBippool.conf\fR file if you want to refer to a group of addresses as
  65 a single address pool. If you want the address pool configuration file to be
  66 loaded at boot time, create a file called \fB/etc/ipf/ippool.conf\fR in which
  67 to put the address pool. If you do not want the address pool configuration file
  68 to be loaded at boot time, put the \fBippool.conf\fR file in a location other
  69 than \fB/etc/ipf\fR and manually activate the rules.
  70 .RE
  71 .RS +4
  72 .TP
  73 5.
  74 Enable Solaris IP Filter, as follows:
  75 .sp
  76 .in +2
  77 .nf
  78 # \fBsvcadm enable network/ipfilter\fR
  79 .fi
  80 .in -2
  81 .sp
  82 
  83 .RE
  84 .sp
  85 .LP
To re-enable packet filtering after it has been temporarily disabled, either
reboot the machine or enter the following command:
  88 .sp
  89 .in +2
  90 .nf
  91 # \fBsvcadm enable network/ipfilter\fR
  92 .fi
  93 .in -2
  94 .sp
  95 
  96 .sp
  97 .LP
  98 \&...which essentially executes the following \fBipf\fR commands:
  99 .RS +4
 100 .TP
 101 1.
 102 Enable Solaris IP Filter:
 103 .sp
 104 .in +2
 105 .nf
 106 # \fBipf -E\fR
 107 .fi
 108 .in -2
 109 .sp
 110 
 111 .RE
 112 .RS +4
 113 .TP
 114 2.
 115 Load \fBippools\fR:
 116 .sp
 117 .in +2
 118 .nf
# \fBippool -f\fR \fI<ippool configuration file>\fR
 120 .fi
 121 .in -2
 122 .sp
 123 
 124 See \fBippool\fR(1M).
 125 .RE
 126 .RS +4
 127 .TP
 128 3.
 129 (Optional) Activate packet filtering:
 130 .sp
 131 .in +2
 132 .nf
# \fBipf -f\fR \fI<ipf configuration file>\fR
 134 .fi
 135 .in -2
 136 .sp
 137 
 138 .RE
 139 .RS +4
 140 .TP
 141 4.
 142 (Optional) Activate NAT:
 143 .sp
 144 .in +2
 145 .nf
# \fBipnat -f\fR \fI<IPNAT configuration file>\fR
 147 .fi
 148 .in -2
 149 .sp
 150 
 151 See \fBipnat\fR(1M).
 152 .RE
 153 .LP
Note -
.sp
.RS 2
If the \fBnetwork/ipfilter\fR service is enabled, the IP Filter configuration
is activated automatically when the system reboots.
.RE
 160 .SH OPTIONS
 161 .LP
 162 The following options are supported:
 163 .sp
 164 .ne 2
 165 .na
 166 \fB\fB-6\fR\fR
 167 .ad
 168 .sp .6
 169 .RS 4n
 170 This option is required to parse IPv6 rules and to have them loaded. Loading of
 171 IPv6 rules is subject to change in the future.
 172 .RE
 173 
 174 .sp
 175 .ne 2
 176 .na
 177 \fB\fB-A\fR\fR
 178 .ad
 179 .sp .6
 180 .RS 4n
 181 Set the list to make changes to the active list (default).
 182 .RE
 183 
 184 .sp
 185 .ne 2
 186 .na
 187 \fB\fB-d\fR\fR
 188 .ad
 189 .sp .6
 190 .RS 4n
 191 Turn debug mode on. Causes a hex dump of filter rules to be generated as it
 192 processes each one.
 193 .RE
 194 
 195 .sp
 196 .ne 2
 197 .na
 198 \fB\fB-D\fR\fR
 199 .ad
 200 .sp .6
 201 .RS 4n
 202 Disable the filter (if enabled). Not effective for loadable kernel versions.
 203 .RE
 204 
 205 .sp
 206 .ne 2
 207 .na
 208 \fB\fB-E\fR\fR
 209 .ad
 210 .sp .6
 211 .RS 4n
 212 Enable the filter (if disabled). Not effective for loadable kernel versions.
 213 .RE
 214 
 215 .sp
 216 .ne 2
 217 .na
 218 \fB\fB-F\fR \fBi\fR | \fBo\fR | \fBa\fR\fR
 219 .ad
 220 .sp .6
 221 .RS 4n
Specifies which filter list to flush. The parameter should either be \fBi\fR
(input), \fBo\fR (output) or \fBa\fR (remove all filter rules). Either a single
letter or an entire word starting with the appropriate letter can be used. This
option may appear before or after any other option; options are executed in the
order in which they appear on the command line, so \fB-F a -f\fR \fIfile\fR
flushes the list before the new rules are loaded, and the filter runs with no
rules in between. When \fB-I\fR precedes it, the inactive list is flushed
instead of the active one.
 227 .RE
 228 
 229 .sp
 230 .ne 2
 231 .na
 232 \fB\fB-F\fR \fBs\fR | \fBS\fR\fR
 233 .ad
 234 .sp .6
 235 .RS 4n
 236 To flush entries from the state table, use the \fB-F\fR option in conjunction
 237 with either \fBs\fR (removes state information about any non-fully established
 238 connections) or \fBS\fR (deletes the entire state table). You can specify only
 239 one of these two options. A fully established connection will show up in
 240 \fBipfstat\fR \fB-s\fR output as \fB4/4\fR, with deviations either way
 241 indicating the connection is not fully established.
 242 .RE
 243 
 244 .sp
 245 .ne 2
 246 .na
 247 \fB\fB-f\fR \fIfilename\fR\fR
 248 .ad
 249 .sp .6
 250 .RS 4n
 251 Specifies which files \fBipf\fR should use to get input from for modifying the
 252 packet filter rule lists.
 253 .RE
 254 
 255 .sp
 256 .ne 2
 257 .na
 258 \fB\fB-G\fR\fR
 259 .ad
 260 .sp .6
 261 .RS 4n
 262 Make changes to the Global Zone-controlled ipfilter for the zone given as an
 263 argument. See the \fBZONES\fR section for more information.
 264 .RE
 265 
 266 .sp
 267 .ne 2
 268 .na
 269 \fB\fB-I\fR\fR
 270 .ad
 271 .sp .6
 272 .RS 4n
Make changes to the inactive list instead of the active one. Rules loaded
there have no effect on traffic until the lists are swapped with \fB-s\fR.
 274 .RE
 275 
 276 .sp
 277 .ne 2
 278 .na
 279 \fB\fB-l\fR \fBpass\fR | \fBblock\fR | \fBnomatch\fR\fR
 280 .ad
 281 .sp .6
 282 .RS 4n
 283 Toggles default logging of packets. Valid arguments to this option are
 284 \fBpass\fR, \fBblock\fR and \fBnomatch\fR. When an option is set, any packet
 285 which exits filtering and matches the set category is logged. This is most
 286 useful for causing all packets that do not match any of the loaded rules to be
 287 logged.
 288 .RE
 289 
 290 .sp
 291 .ne 2
 292 .na
 293 \fB\fB-n\fR\fR
 294 .ad
 295 .sp .6
 296 .RS 4n
Prevents \fBipf\fR from making any ioctl calls or doing anything which would
alter the currently running kernel. Combined with \fB-f\fR, this checks a rules
file for parse errors without changing the loaded rule set.
 299 .RE
 300 
 301 .sp
 302 .ne 2
 303 .na
 304 \fB\fB-o\fR\fR
 305 .ad
 306 .sp .6
 307 .RS 4n
 308 Force rules by default to be added/deleted to/from the output list, rather than
 309 the (default) input list.
 310 .RE
 311 
 312 .sp
 313 .ne 2
 314 .na
 315 \fB\fB-P\fR\fR
 316 .ad
 317 .sp .6
 318 .RS 4n
 319 Add rules as temporary entries in the authentication rule table.
 320 .RE
 321 
 322 .sp
 323 .ne 2
 324 .na
 325 \fB\fB-R\fR\fR
 326 .ad
 327 .sp .6
 328 .RS 4n
 329 Disable both IP address-to-hostname resolution and port number-to-service name
 330 resolution.
 331 .RE
 332 
 333 .sp
 334 .ne 2
 335 .na
 336 \fB\fB-r\fR\fR
 337 .ad
 338 .sp .6
 339 .RS 4n
 340 Remove matching filter rules rather than add them to the internal lists.
 341 .RE
 342 
 343 .sp
 344 .ne 2
 345 .na
 346 \fB\fB-s\fR\fR
 347 .ad
 348 .sp .6
 349 .RS 4n
Swap the currently active filter list with the inactive (alternative) list.
Rules previously loaded into the inactive list with \fB-I\fR become active in
a single operation, and the old active rules become the inactive list.
 351 .RE
 352 
 353 .sp
 354 .ne 2
 355 .na
 356 \fB\fB-T\fR \fIoptionlist\fR\fR
 357 .ad
 358 .sp .6
 359 .RS 4n
 360 Allows run-time changing of IPFilter kernel variables. To allow for changing,
 361 some variables require IPFilter to be in a disabled state (\fB-D\fR), others do
 362 not. The \fIoptionlist\fR parameter is a comma-separated list of tuning
 363 commands. A tuning command is one of the following:
 364 .sp
 365 .ne 2
 366 .na
 367 \fB\fBlist\fR\fR
 368 .ad
 369 .sp .6
 370 .RS 4n
 371 Retrieve a list of all variables in the kernel, their maximum, minimum, and
 372 current value.
 373 .RE
 374 
 375 .sp
 376 .ne 2
 377 .na
 378 \fBsingle variable name\fR
 379 .ad
 380 .sp .6
 381 .RS 4n
 382 Retrieve its current value.
 383 .RE
 384 
 385 .sp
 386 .ne 2
 387 .na
 388 \fBvariable name with a following assignment\fR
 389 .ad
 390 .sp .6
 391 .RS 4n
 392 To set a new value.
 393 .RE
 394 
 395 Examples follow:
 396 .sp
 397 .in +2
 398 .nf
 399 # Print out all IPFilter kernel tunable parameters
 400 ipf -T list
 401 
 402 # Display the current TCP idle timeout and then set it to 3600
 403 ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E
 404 
 405 # Display current values for fr_pass and fr_chksrc, then set
 406 # fr_chksrc to 1.
 407 ipf -T fr_pass,fr_chksrc,fr_chksrc=1
 408 .fi
 409 .in -2
 410 .sp
 411 
 412 .RE
 413 
 414 .sp
 415 .ne 2
 416 .na
 417 \fB\fB-v\fR\fR
 418 .ad
 419 .sp .6
 420 .RS 4n
 421 Turn verbose mode on. Displays information relating to rule processing.
 422 .RE
 423 
 424 .sp
 425 .ne 2
 426 .na
 427 \fB\fB-V\fR\fR
 428 .ad
 429 .sp .6
 430 .RS 4n
Show version information. This will display the version information compiled
into the \fBipf\fR binary and retrieve it from the kernel code (if running or
present). If it is present in the kernel, information about its current state
will be displayed (for example, whether logging is active, default filtering,
and so forth).
 436 .RE
 437 
 438 .sp
 439 .ne 2
 440 .na
 441 \fB\fB-y\fR\fR
 442 .ad
 443 .sp .6
 444 .RS 4n
 445 Manually resync the in-kernel interface list maintained by IP Filter with the
 446 current interface status list.
 447 .RE
 448 
 449 .sp
 450 .ne 2
 451 .na
 452 \fB\fB-z\fR\fR
 453 .ad
 454 .sp .6
 455 .RS 4n
 456 For each rule in the input file, reset the statistics for it to zero and
 457 display the statistics prior to them being zeroed.
 458 .RE
 459 
 460 .sp
 461 .ne 2
 462 .na
 463 \fB\fB-Z\fR\fR
 464 .ad
 465 .sp .6
 466 .RS 4n
 467 Zero global statistics held in the kernel for filtering only. This does not
 468 affect fragment or state statistics.
 469 .RE
 470 
 471 .SH ZONES
 472 .LP
 473 Each non-global zone has two ipfilter instances: the in-zone ipfilter, which
 474 can be controlled from both the zone itself and the global zone, and the
 475 Global Zone-controlled (GZ-controlled) instance, which can only be controlled
 476 from the Global Zone. The non-global zone is not able to observe or control
 477 the GZ-controlled ipfilter.
 478 
 479 ipf optionally takes a zone name as an argument, which will change the
 480 ipfilter settings for that zone, rather than the current one. The zonename
 481 option is only available in the Global Zone. Using it in any other zone will
 482 return an error. If the \fB-G\fR option is specified with this argument, the
 483 Global Zone-controlled ipfilter is operated on. If \fB-G\fR is not specified,
 484 the in-zone ipfilter is operated on. Note that ipf differs from the other
 485 ipfilter tools in how the zone name is specified. It takes the zone name as the
 486 last argument, while all of the other tools take the zone name as an argument
 487 to the \fB-G\fR and \fB-z\fR options.
 488 
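.LP
The following shell script is an added example; it is not part of this manual
page or of the IP Filter distribution. It ties together the enabling procedure
above, the \fB-n\fR, \fB-I\fR, \fB-F\fR and \fB-s\fR options, and the zone
argument described in this section: the rules file is first parsed with
\fB-n\fR so that a syntax error leaves the running filter untouched, the new
rules are then loaded into the inactive list, and the lists are swapped so the
replacement is atomic (the kernel is never left without rules, as it is between
\fBipf -F a\fR and \fBipf -f\fR on the active list). The function name
\fBipf_reload\fR, the \fBIPF\fR variable and the path \fB/usr/sbin/ipf\fR are
assumptions of the example.

```shell
#!/bin/sh
# Added example: atomic reload of an IP Filter ruleset. Not part of the
# ipf(1M) manual page or of the IP Filter distribution.
#
# Assumptions: the ipf binary lives at /usr/sbin/ipf (override with the IPF
# environment variable, e.g. to point at a stub when testing), and the caller
# holds the privileges ipf needs (root or the IP Filter Management profile).
IPF="${IPF:-/usr/sbin/ipf}"

# ipf_reload RULESFILE [ZONENAME]
#   Replaces the active filter list with the rules in RULESFILE ("-" reads
#   stdin, as ipf does). ZONENAME, if given, is passed as ipf's last argument
#   and is valid only from the global zone. Returns 0 on success; on a parse
#   error it returns 1 before anything in the kernel has changed.
ipf_reload() {
    rules="$1"
    zone="$2"

    if [ "x$rules" != "x-" ] && [ ! -r "$rules" ]; then
        echo "ipf_reload: cannot read $rules" >&2
        return 1
    fi

    # 1. Parse only. -n makes ipf issue no ioctls, so a bad rule is caught
    #    here without touching the running filter.
    "$IPF" -n -f "$rules" ${zone:+"$zone"} || {
        echo "ipf_reload: $rules failed to parse; active list unchanged" >&2
        return 1
    }

    # 2. Flush the inactive list (-I makes -F a act on it, not on the active
    #    list) and load the new rules into it. The active list keeps
    #    filtering traffic throughout.
    "$IPF" -I -F a -f "$rules" ${zone:+"$zone"} || return 1

    # 3. Swap the active and inactive lists. The new rules take effect in one
    #    step; the old rules now sit in the inactive list, so a second
    #    "ipf -s" rolls back to them.
    "$IPF" -s ${zone:+"$zone"} || return 1
}

# Example invocations (as root):
#   ipf_reload /etc/ipf/ipf.conf          # current zone
#   ipf_reload /etc/ipf/ipf.conf dmz      # in-zone filter of zone "dmz"
```

If the rules file contains IPv6 rules, add \fB-6\fR to each \fBipf\fR
invocation, since IPv6 rules are otherwise neither parsed nor loaded. After the
swap, \fBipfstat -io\fR (see \fBipfstat\fR(1M)) lists the rules now active.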
 489 .SH FILES
 490 .ne 2
 491 .na
 492 \fB\fB/dev/ipauth\fR\fR
 493 .ad
 494 .br
 495 .na
 496 \fB\fB/dev/ipl\fR\fR
 497 .ad
 498 .br
 499 .na
 500 \fB\fB/dev/ipstate\fR\fR
 501 .ad
 502 .sp .6
 503 .RS 4n
 504 Links to IP Filter pseudo devices.
 505 .RE
 506 
 507 .sp
 508 .ne 2
 509 .na
 510 \fB\fB/etc/ipf/ipf.conf\fR\fR
 511 .ad
 512 .sp .6
 513 .RS 4n
 514 Location of \fBipf\fR startup configuration file. See \fBipf\fR(4).
 515 .RE
 516 
 517 .sp
 518 .ne 2
 519 .na
 520 \fB\fB/usr/share/ipfilter/examples/\fR\fR
 521 .ad
 522 .sp .6
 523 .RS 4n
 524 Contains numerous IP Filter examples.
 525 .RE
 526 
 527 .SH ATTRIBUTES
 528 .LP
 529 See \fBattributes\fR(5) for descriptions of the following attributes:
 530 .sp
 531 
 532 .sp
 533 .TS
 534 box;
 535 c | c
 536 l | l .
 537 ATTRIBUTE TYPE  ATTRIBUTE VALUE
 538 _
 539 Interface Stability     Committed
 540 .TE
 541 
 542 .SH SEE ALSO
 543 .LP
\fBipfstat\fR(1M), \fBipmon\fR(1M), \fBipnat\fR(1M), \fBippool\fR(1M),
\fBsvcadm\fR(1M), \fBsvc.ipfd\fR(1M), \fBipf\fR(4), \fBipnat\fR(4),
\fBippool\fR(4), \fBattributes\fR(5), \fBipfilter\fR(5), \fBzones\fR(5)
 550 .SH DIAGNOSTICS
 551 .LP
 552 Needs to be run as root for the packet filtering lists to actually be affected
 553 inside the kernel.