1 '\" te 2 .\" To view license terms, attribution, and copyright for IP Filter, the default path is /usr/lib/ipf/IPFILTER.LICENCE. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the installed 3 .\" location. 4 .\" Portions Copyright (c) 2009, Sun Microsystems Inc. All Rights Reserved. 5 .\" Portions Copyright (c) 2015, Joyent, Inc. 6 .TH IPF 1M "April 9, 2016" 7 .SH NAME 8 ipf \- alter packet filtering lists for IP packet input and output 9 .SH SYNOPSIS 10 .LP 11 .nf 12 \fBipf\fR [\fB-6AdDEGInoPRrsvVyzZ\fR] [\fB-l\fR block | pass | nomatch] 13 [\fB-T\fR \fIoptionlist\fR] [\fB-F\fR i | o | a | s | S] \fB-f\fR \fIfilename\fR 14 [\fB-f\fR \fIfilename\fR...] [\fIzonename\fR] 15 .fi 16 17 .SH DESCRIPTION 18 .LP 19 The \fBipf\fR utility is part of a suite of commands associated with the 20 Solaris IP Filter feature. See \fBipfilter\fR(5). 21 .sp 22 .LP 23 The \fBipf\fR utility opens the filenames listed (treating a hyphen (\fB-\fR) 24 as stdin) and parses the file for a set of rules which are to be added or 25 removed from the packet filter rule set. 26 .sp 27 .LP 28 If there are no parsing problems, each rule processed by \fBipf\fR is added to 29 the kernel's internal lists. Rules are added to the end of the internal lists, 30 matching the order in which they appear when given to \fBipf\fR. 31 .sp 32 .LP 33 \fBipf\fR's use is restricted through access to \fB/dev/ipauth\fR, 34 \fB/dev/ipl\fR, and \fB/dev/ipstate\fR. The default permissions of these files 35 require \fBipf\fR to be run as root for all operations. 36 .SS "Enabling Solaris IP Filter Feature" 37 .LP 38 Solaris IP Filter is installed with the Solaris operating system. However, 39 packet filtering is not enabled by default. Use the following procedure to 40 activate the Solaris IP Filter feature. 41 .RS +4 42 .TP 43 1. 44 Assume a role that includes the IP Filter Management rights profile (see 45 \fBrbac\fR(5)) or become superuser. 46 .RE 47 .RS +4 48 .TP 49 2. 50 Configure system and services' firewall policies. See \fBsvc.ipfd\fR(1M) and 51 \fBipf\fR(4). 52 .RE 53 .RS +4 54 .TP 55 3. 56 (Optional) Create a network address translation (NAT) configuration file. 57 See \fBipnat\fR(4). 58 .RE 59 .RS +4 60 .TP 61 4. 62 (Optional) Create an address pool configuration file. See \fBippool\fR(4). 63 .sp 64 Create an \fBipool.conf\fR file if you want to refer to a group of addresses as 65 a single address pool. If you want the address pool configuration file to be 66 loaded at boot time, create a file called \fB/etc/ipf/ippool.conf\fR in which 67 to put the address pool. If you do not want the address pool configuration file 68 to be loaded at boot time, put the \fBippool.conf\fR file in a location other 69 than \fB/etc/ipf\fR and manually activate the rules. 70 .RE 71 .RS +4 72 .TP 73 5. 74 Enable Solaris IP Filter, as follows: 75 .sp 76 .in +2 77 .nf 78 # \fBsvcadm enable network/ipfilter\fR 79 .fi 80 .in -2 81 .sp 82 83 .RE 84 .sp 85 .LP 86 To re-enable packet filtering after it has been temporarily disabled either 87 reboot the machine or enter the following command: 88 .sp 89 .in +2 90 .nf 91 # \fBsvcadm enable network/ipfilter\fR 92 .fi 93 .in -2 94 .sp 95 96 .sp 97 .LP 98 \&...which essentially executes the following \fBipf\fR commands: 99 .RS +4 100 .TP 101 1. 102 Enable Solaris IP Filter: 103 .sp 104 .in +2 105 .nf 106 # \fBipf -E\fR 107 .fi 108 .in -2 109 .sp 110 111 .RE 112 .RS +4 113 .TP 114 2. 115 Load \fBippools\fR: 116 .sp 117 .in +2 118 .nf 119 \fB# ippool -f\fR \fI<ippool configuration file>\fR 120 .fi 121 .in -2 122 .sp 123 124 See \fBippool\fR(1M). 125 .RE 126 .RS +4 127 .TP 128 3. 129 (Optional) Activate packet filtering: 130 .sp 131 .in +2 132 .nf 133 \fBipf -f\fR \fI<ipf configuration file>\fR 134 .fi 135 .in -2 136 .sp 137 138 .RE 139 .RS +4 140 .TP 141 4. 142 (Optional) Activate NAT: 143 .sp 144 .in +2 145 .nf 146 \fBipnat -f\fR \fI<IPNAT configuration file>\fR 147 .fi 148 .in -2 149 .sp 150 151 See \fBipnat\fR(1M). 152 .RE 153 .LP 154 Note - 155 .sp 156 .RS 2 157 If you reboot your system, the IPfilter configuration is automatically 158 activated. 159 .RE 160 .SH OPTIONS 161 .LP 162 The following options are supported: 163 .sp 164 .ne 2 165 .na 166 \fB\fB-6\fR\fR 167 .ad 168 .sp .6 169 .RS 4n 170 This option is required to parse IPv6 rules and to have them loaded. Loading of 171 IPv6 rules is subject to change in the future. 172 .RE 173 174 .sp 175 .ne 2 176 .na 177 \fB\fB-A\fR\fR 178 .ad 179 .sp .6 180 .RS 4n 181 Set the list to make changes to the active list (default). 182 .RE 183 184 .sp 185 .ne 2 186 .na 187 \fB\fB-d\fR\fR 188 .ad 189 .sp .6 190 .RS 4n 191 Turn debug mode on. Causes a hex dump of filter rules to be generated as it 192 processes each one. 193 .RE 194 195 .sp 196 .ne 2 197 .na 198 \fB\fB-D\fR\fR 199 .ad 200 .sp .6 201 .RS 4n 202 Disable the filter (if enabled). Not effective for loadable kernel versions. 203 .RE 204 205 .sp 206 .ne 2 207 .na 208 \fB\fB-E\fR\fR 209 .ad 210 .sp .6 211 .RS 4n 212 Enable the filter (if disabled). Not effective for loadable kernel versions. 213 .RE 214 215 .sp 216 .ne 2 217 .na 218 \fB\fB-F\fR \fBi\fR | \fBo\fR | \fBa\fR\fR 219 .ad 220 .sp .6 221 .RS 4n 222 Specifies which filter list to flush. The parameter should either be \fBi\fR 223 (input), \fBo\fR (output) or \fBa\fR (remove all filter rules). Either a single 224 letter or an entire word starting with the appropriate letter can be used. This 225 option can be before or after any other, with the order on the command line 226 determining that used to execute options. 227 .RE 228 229 .sp 230 .ne 2 231 .na 232 \fB\fB-F\fR \fBs\fR | \fBS\fR\fR 233 .ad 234 .sp .6 235 .RS 4n 236 To flush entries from the state table, use the \fB-F\fR option in conjunction 237 with either \fBs\fR (removes state information about any non-fully established 238 connections) or \fBS\fR (deletes the entire state table). You can specify only 239 one of these two options. A fully established connection will show up in 240 \fBipfstat\fR \fB-s\fR output as \fB4/4\fR, with deviations either way 241 indicating the connection is not fully established. 242 .RE 243 244 .sp 245 .ne 2 246 .na 247 \fB\fB-f\fR \fIfilename\fR\fR 248 .ad 249 .sp .6 250 .RS 4n 251 Specifies which files \fBipf\fR should use to get input from for modifying the 252 packet filter rule lists. 253 .RE 254 255 .sp 256 .ne 2 257 .na 258 \fB\fB-G\fR\fR 259 .ad 260 .sp .6 261 .RS 4n 262 Make changes to the Global Zone-controlled ipfilter for the zone given as an 263 argument. See the \fBZONES\fR section for more information. 264 .RE 265 266 .sp 267 .ne 2 268 .na 269 \fB\fB-I\fR\fR 270 .ad 271 .sp .6 272 .RS 4n 273 Set the list to make changes to the inactive list. 274 .RE 275 276 .sp 277 .ne 2 278 .na 279 \fB\fB-l\fR \fBpass\fR | \fBblock\fR | \fBnomatch\fR\fR 280 .ad 281 .sp .6 282 .RS 4n 283 Toggles default logging of packets. Valid arguments to this option are 284 \fBpass\fR, \fBblock\fR and \fBnomatch\fR. When an option is set, any packet 285 which exits filtering and matches the set category is logged. This is most 286 useful for causing all packets that do not match any of the loaded rules to be 287 logged. 288 .RE 289 290 .sp 291 .ne 2 292 .na 293 \fB\fB-n\fR\fR 294 .ad 295 .sp .6 296 .RS 4n 297 Prevents \fBipf\fR from making any ioctl calls or doing anything which would 298 alter the currently running kernel. 299 .RE 300 301 .sp 302 .ne 2 303 .na 304 \fB\fB-o\fR\fR 305 .ad 306 .sp .6 307 .RS 4n 308 Force rules by default to be added/deleted to/from the output list, rather than 309 the (default) input list. 310 .RE 311 312 .sp 313 .ne 2 314 .na 315 \fB\fB-P\fR\fR 316 .ad 317 .sp .6 318 .RS 4n 319 Add rules as temporary entries in the authentication rule table. 320 .RE 321 322 .sp 323 .ne 2 324 .na 325 \fB\fB-R\fR\fR 326 .ad 327 .sp .6 328 .RS 4n 329 Disable both IP address-to-hostname resolution and port number-to-service name 330 resolution. 331 .RE 332 333 .sp 334 .ne 2 335 .na 336 \fB\fB-r\fR\fR 337 .ad 338 .sp .6 339 .RS 4n 340 Remove matching filter rules rather than add them to the internal lists. 341 .RE 342 343 .sp 344 .ne 2 345 .na 346 \fB\fB-s\fR\fR 347 .ad 348 .sp .6 349 .RS 4n 350 Swap the currently active filter list to be an alternative list. 351 .RE 352 353 .sp 354 .ne 2 355 .na 356 \fB\fB-T\fR \fIoptionlist\fR\fR 357 .ad 358 .sp .6 359 .RS 4n 360 Allows run-time changing of IPFilter kernel variables. To allow for changing, 361 some variables require IPFilter to be in a disabled state (\fB-D\fR), others do 362 not. The \fIoptionlist\fR parameter is a comma-separated list of tuning 363 commands. A tuning command is one of the following: 364 .sp 365 .ne 2 366 .na 367 \fB\fBlist\fR\fR 368 .ad 369 .sp .6 370 .RS 4n 371 Retrieve a list of all variables in the kernel, their maximum, minimum, and 372 current value. 373 .RE 374 375 .sp 376 .ne 2 377 .na 378 \fBsingle variable name\fR 379 .ad 380 .sp .6 381 .RS 4n 382 Retrieve its current value. 383 .RE 384 385 .sp 386 .ne 2 387 .na 388 \fBvariable name with a following assignment\fR 389 .ad 390 .sp .6 391 .RS 4n 392 To set a new value. 393 .RE 394 395 Examples follow: 396 .sp 397 .in +2 398 .nf 399 # Print out all IPFilter kernel tunable parameters 400 ipf -T list 401 402 # Display the current TCP idle timeout and then set it to 3600 403 ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E 404 405 # Display current values for fr_pass and fr_chksrc, then set 406 # fr_chksrc to 1. 407 ipf -T fr_pass,fr_chksrc,fr_chksrc=1 408 .fi 409 .in -2 410 .sp 411 412 .RE 413 414 .sp 415 .ne 2 416 .na 417 \fB\fB-v\fR\fR 418 .ad 419 .sp .6 420 .RS 4n 421 Turn verbose mode on. Displays information relating to rule processing. 422 .RE 423 424 .sp 425 .ne 2 426 .na 427 \fB\fB-V\fR\fR 428 .ad 429 .sp .6 430 .RS 4n 431 Show version information. This will display the version information compiled 432 into the \fBipf\fR binary and retrieve it from the kernel code (if running or 433 present). If it is present in the kernel, information about its current state 434 will be displayed; for example, whether logging is active, default filtering, 435 and so forth). 436 .RE 437 438 .sp 439 .ne 2 440 .na 441 \fB\fB-y\fR\fR 442 .ad 443 .sp .6 444 .RS 4n 445 Manually resync the in-kernel interface list maintained by IP Filter with the 446 current interface status list. 447 .RE 448 449 .sp 450 .ne 2 451 .na 452 \fB\fB-z\fR\fR 453 .ad 454 .sp .6 455 .RS 4n 456 For each rule in the input file, reset the statistics for it to zero and 457 display the statistics prior to them being zeroed. 458 .RE 459 460 .sp 461 .ne 2 462 .na 463 \fB\fB-Z\fR\fR 464 .ad 465 .sp .6 466 .RS 4n 467 Zero global statistics held in the kernel for filtering only. This does not 468 affect fragment or state statistics. 469 .RE 470 471 .SH ZONES 472 .LP 473 Each non-global zone has two ipfilter instances: the in-zone ipfilter, which 474 can be controlled from both the zone itself and the global zone, and the 475 Global Zone-controlled (GZ-controlled) instance, which can only be controlled 476 from the Global Zone. The non-global zone is not able to observe or control 477 the GZ-controlled ipfilter. 478 479 ipf optionally takes a zone name as an argument, which will change the 480 ipfilter settings for that zone, rather than the current one. The zonename 481 option is only available in the Global Zone. Using it in any other zone will 482 return an error. If the \fB-G\fR option is specified with this argument, the 483 Global Zone-controlled ipfilter is operated on. If \fB-G\fR is not specified, 484 the in-zone ipfilter is operated on. Note that ipf differs from the other 485 ipfilter tools in how the zone name is specified. It takes the zone name as the 486 last argument, while all of the other tools take the zone name as an argument 487 to the \fB-G\fR and \fB-z\fR options. 488 489 .SH FILES 490 .ne 2 491 .na 492 \fB\fB/dev/ipauth\fR\fR 493 .ad 494 .br 495 .na 496 \fB\fB/dev/ipl\fR\fR 497 .ad 498 .br 499 .na 500 \fB\fB/dev/ipstate\fR\fR 501 .ad 502 .sp .6 503 .RS 4n 504 Links to IP Filter pseudo devices. 505 .RE 506 507 .sp 508 .ne 2 509 .na 510 \fB\fB/etc/ipf/ipf.conf\fR\fR 511 .ad 512 .sp .6 513 .RS 4n 514 Location of \fBipf\fR startup configuration file. See \fBipf\fR(4). 515 .RE 516 517 .sp 518 .ne 2 519 .na 520 \fB\fB/usr/share/ipfilter/examples/\fR\fR 521 .ad 522 .sp .6 523 .RS 4n 524 Contains numerous IP Filter examples. 525 .RE 526 527 .SH ATTRIBUTES 528 .LP 529 See \fBattributes\fR(5) for descriptions of the following attributes: 530 .sp 531 532 .sp 533 .TS 534 box; 535 c | c 536 l | l . 537 ATTRIBUTE TYPE ATTRIBUTE VALUE 538 _ 539 Interface Stability Committed 540 .TE 541 542 .SH SEE ALSO 543 .LP 544 \fBipfstat\fR(1M), \fBipmon\fR(1M), \fBipnat\fR(1M), \fBippool\fR(1M), 545 \fBsvcadm\fR(1M), \fBsvc.ipfd\fR(1M), \fBipf\fR(4), \fBipnat\fR(4), 546 \fBippool\fR(4), \fBattributes\fR(5), \fBipfilter\fR(5), \fBzones(5)\fR 547 .sp 548 .LP 549 \fI\fR 550 .SH DIAGNOSTICS 551 .LP 552 Needs to be run as root for the packet filtering lists to actually be affected 553 inside the kernel.