1 '\" te
   2 .\" To view license terms, attribution, and copyright for IP Filter, the default path is /usr/lib/ipf/IPFILTER.LICENCE. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the installed
   3 .\" location.
   4 .\" Portions Copyright (c) 2009, Sun Microsystems Inc. All Rights Reserved.
   5 .\" Portions Copyright (c) 2015, Joyent, Inc.
   6 .TH IPF 1M "May 17, 2020"
   7 .SH NAME
   8 ipf \- alter packet filtering lists for IP packet input and output
   9 .SH SYNOPSIS
  10 .nf
  11 \fBipf\fR [\fB-6AdDEGInoPRrsvVyzZ\fR] [\fB-l\fR block | pass | nomatch]
  12      [\fB-T\fR \fIoptionlist\fR] [\fB-F\fR i | o | a | s | S] \fB-f\fR \fIfilename\fR
  13      [\fB-f\fR \fIfilename\fR...] [\fIzonename\fR]
  14 .fi
  15 
  16 .SH DESCRIPTION
  17 The \fBipf\fR utility is part of a suite of commands associated with the
  18 Solaris IP Filter feature. See \fBipfilter\fR(5).
  19 .sp
  20 .LP
The \fBipf\fR utility opens the filenames listed (treating a hyphen (\fB-\fR)
as stdin) and parses each file for a set of rules which are to be added to or
removed from the packet filter rule set.
  24 .sp
  25 .LP
  26 If there are no parsing problems, each rule processed by \fBipf\fR is added to
  27 the kernel's internal lists. Rules are added to the end of the internal lists,
  28 matching the order in which they appear when given to \fBipf\fR.
  29 .sp
  30 .LP
  31 \fBipf\fR's use is restricted through access to \fB/dev/ipauth\fR,
  32 \fB/dev/ipl\fR, and \fB/dev/ipstate\fR. The default permissions of these files
  33 require \fBipf\fR to be run as root for all operations.
  34 .SS "Enabling Solaris IP Filter Feature"
  35 Solaris IP Filter is installed with the Solaris operating system. However,
  36 packet filtering is not enabled by default. Use the following procedure to
  37 activate the Solaris IP Filter feature.
  38 .RS +4
  39 .TP
  40 1.
  41 Assume a role that includes the IP Filter Management rights profile (see
  42 \fBrbac\fR(5)) or become superuser.
  43 .RE
  44 .RS +4
  45 .TP
  46 2.
  47 Configure system and services' firewall policies. See \fBsvc.ipfd\fR(1M) and
  48 \fBipf\fR(4).
  49 .RE
  50 .RS +4
  51 .TP
  52 3.
  53 (Optional) Create a network address translation (NAT) configuration file.
  54 See \fBipnat\fR(4).
  55 .RE
  56 .RS +4
  57 .TP
  58 4.
  59 (Optional) Create an address pool configuration file. See \fBippool\fR(4).
  60 .sp
  61 Create an \fBippool.conf\fR file if you want to refer to a group of addresses as
  62 a single address pool. If you want the address pool configuration file to be
  63 loaded at boot time, create a file called \fB/etc/ipf/ippool.conf\fR in which
  64 to put the address pool. If you do not want the address pool configuration file
  65 to be loaded at boot time, put the \fBippool.conf\fR file in a location other
  66 than \fB/etc/ipf\fR and manually activate the rules.
  67 .RE
  68 .RS +4
  69 .TP
  70 5.
  71 Enable Solaris IP Filter, as follows:
  72 .sp
  73 .in +2
  74 .nf
  75 # \fBsvcadm enable network/ipfilter\fR
  76 .fi
  77 .in -2
  78 .sp
  79 
  80 .RE
  81 .sp
  82 .LP
  83 To re-enable packet filtering after it has been temporarily disabled either
  84 reboot the machine or enter the following command:
  85 .sp
  86 .in +2
  87 .nf
  88 # \fBsvcadm enable network/ipfilter\fR
  89 .fi
  90 .in -2
  91 .sp
  92 
  93 .sp
  94 .LP
  95 \&...which essentially executes the following \fBipf\fR commands:
  96 .RS +4
  97 .TP
  98 1.
  99 Enable Solaris IP Filter:
 100 .sp
 101 .in +2
 102 .nf
 103 # \fBipf -E\fR
 104 .fi
 105 .in -2
 106 .sp
 107 
 108 .RE
 109 .RS +4
 110 .TP
 111 2.
 112 Load \fBippools\fR:
 113 .sp
 114 .in +2
 115 .nf
# \fBippool -f\fR \fI<ippool configuration file>\fR
 117 .fi
 118 .in -2
 119 .sp
 120 
 121 See \fBippool\fR(1M).
 122 .RE
 123 .RS +4
 124 .TP
 125 3.
 126 (Optional) Activate packet filtering:
 127 .sp
 128 .in +2
 129 .nf
# \fBipf -f\fR \fI<ipf configuration file>\fR
 131 .fi
 132 .in -2
 133 .sp
 134 
 135 .RE
 136 .RS +4
 137 .TP
 138 4.
 139 (Optional) Activate NAT:
 140 .sp
 141 .in +2
 142 .nf
# \fBipnat -f\fR \fI<IPNAT configuration file>\fR
 144 .fi
 145 .in -2
 146 .sp
 147 
 148 See \fBipnat\fR(1M).
 149 .RE
 150 .LP
 151 Note -
 152 .sp
 153 .RS 2
If you reboot your system, the IP Filter configuration is automatically
activated.
 156 .RE
 157 .SH OPTIONS
 158 The following options are supported:
 159 .sp
 160 .ne 2
 161 .na
 162 \fB\fB-6\fR\fR
 163 .ad
 164 .sp .6
 165 .RS 4n
 166 This option is required to parse IPv6 rules and to have them loaded. Loading of
 167 IPv6 rules is subject to change in the future.
 168 .RE
 169 
 170 .sp
 171 .ne 2
 172 .na
 173 \fB\fB-A\fR\fR
 174 .ad
 175 .sp .6
 176 .RS 4n
 177 Set the list to make changes to the active list (default).
 178 .RE
 179 
 180 .sp
 181 .ne 2
 182 .na
 183 \fB\fB-d\fR\fR
 184 .ad
 185 .sp .6
 186 .RS 4n
 187 Turn debug mode on. Causes a hex dump of filter rules to be generated as it
 188 processes each one.
 189 .RE
 190 
 191 .sp
 192 .ne 2
 193 .na
 194 \fB\fB-D\fR\fR
 195 .ad
 196 .sp .6
 197 .RS 4n
 198 Disable the filter (if enabled). Not effective for loadable kernel versions.
 199 .RE
 200 
 201 .sp
 202 .ne 2
 203 .na
 204 \fB\fB-E\fR\fR
 205 .ad
 206 .sp .6
 207 .RS 4n
 208 Enable the filter (if disabled). Not effective for loadable kernel versions.
 209 .RE
 210 
 211 .sp
 212 .ne 2
 213 .na
 214 \fB\fB-F\fR \fBi\fR | \fBo\fR | \fBa\fR\fR
 215 .ad
 216 .sp .6
 217 .RS 4n
Specifies which filter list to flush. The parameter should either be \fBi\fR
(input), \fBo\fR (output) or \fBa\fR (remove all filter rules). Either a single
letter or an entire word starting with the appropriate letter can be used. This
option may appear before or after any other; options are executed in the order
in which they appear on the command line.
 223 .RE
 224 
 225 .sp
 226 .ne 2
 227 .na
 228 \fB\fB-F\fR \fBs\fR | \fBS\fR\fR
 229 .ad
 230 .sp .6
 231 .RS 4n
 232 To flush entries from the state table, use the \fB-F\fR option in conjunction
 233 with either \fBs\fR (removes state information about any non-fully established
 234 connections) or \fBS\fR (deletes the entire state table). You can specify only
 235 one of these two options. A fully established connection will show up in
 236 \fBipfstat\fR \fB-s\fR output as \fB4/4\fR, with deviations either way
 237 indicating the connection is not fully established.
 238 .RE
 239 
 240 .sp
 241 .ne 2
 242 .na
 243 \fB\fB-f\fR \fIfilename\fR\fR
 244 .ad
 245 .sp .6
 246 .RS 4n
Specifies the files from which \fBipf\fR reads the rules used to modify the
packet filter rule lists.
 249 .RE
 250 
 251 .sp
 252 .ne 2
 253 .na
 254 \fB\fB-G\fR\fR
 255 .ad
 256 .sp .6
 257 .RS 4n
 258 Make changes to the Global Zone-controlled ipfilter for the zone given as an
 259 argument. See the \fBZONES\fR section for more information.
 260 .RE
 261 
 262 .sp
 263 .ne 2
 264 .na
 265 \fB\fB-I\fR\fR
 266 .ad
 267 .sp .6
 268 .RS 4n
 269 Set the list to make changes to the inactive list.
 270 .RE
 271 
 272 .sp
 273 .ne 2
 274 .na
 275 \fB\fB-l\fR \fBpass\fR | \fBblock\fR | \fBnomatch\fR\fR
 276 .ad
 277 .sp .6
 278 .RS 4n
 279 Toggles default logging of packets. Valid arguments to this option are
 280 \fBpass\fR, \fBblock\fR and \fBnomatch\fR. When an option is set, any packet
 281 which exits filtering and matches the set category is logged. This is most
 282 useful for causing all packets that do not match any of the loaded rules to be
 283 logged.
 284 .RE
 285 
 286 .sp
 287 .ne 2
 288 .na
 289 \fB\fB-n\fR\fR
 290 .ad
 291 .sp .6
 292 .RS 4n
 293 Prevents \fBipf\fR from making any ioctl calls or doing anything which would
 294 alter the currently running kernel.
 295 .RE
 296 
 297 .sp
 298 .ne 2
 299 .na
 300 \fB\fB-o\fR\fR
 301 .ad
 302 .sp .6
 303 .RS 4n
 304 Force rules by default to be added/deleted to/from the output list, rather than
 305 the (default) input list.
 306 .RE
 307 
 308 .sp
 309 .ne 2
 310 .na
 311 \fB\fB-P\fR\fR
 312 .ad
 313 .sp .6
 314 .RS 4n
 315 Add rules as temporary entries in the authentication rule table.
 316 .RE
 317 
 318 .sp
 319 .ne 2
 320 .na
 321 \fB\fB-R\fR\fR
 322 .ad
 323 .sp .6
 324 .RS 4n
 325 Disable both IP address-to-hostname resolution and port number-to-service name
 326 resolution.
 327 .RE
 328 
 329 .sp
 330 .ne 2
 331 .na
 332 \fB\fB-r\fR\fR
 333 .ad
 334 .sp .6
 335 .RS 4n
 336 Remove matching filter rules rather than add them to the internal lists.
 337 .RE
 338 
 339 .sp
 340 .ne 2
 341 .na
 342 \fB\fB-s\fR\fR
 343 .ad
 344 .sp .6
 345 .RS 4n
 346 Swap the currently active filter list to be an alternative list.
 347 .RE
 348 
 349 .sp
 350 .ne 2
 351 .na
 352 \fB\fB-T\fR \fIoptionlist\fR\fR
 353 .ad
 354 .sp .6
 355 .RS 4n
 356 Allows run-time changing of IPFilter kernel variables. To allow for changing,
 357 some variables require IPFilter to be in a disabled state (\fB-D\fR), others do
 358 not. The \fIoptionlist\fR parameter is a comma-separated list of tuning
 359 commands. A tuning command is one of the following:
 360 .sp
 361 .ne 2
 362 .na
 363 \fB\fBlist\fR\fR
 364 .ad
 365 .sp .6
 366 .RS 4n
 367 Retrieve a list of all variables in the kernel, their maximum, minimum, and
 368 current value.
 369 .RE
 370 
 371 .sp
 372 .ne 2
 373 .na
 374 \fBsingle variable name\fR
 375 .ad
 376 .sp .6
 377 .RS 4n
 378 Retrieve its current value.
 379 .RE
 380 
 381 .sp
 382 .ne 2
 383 .na
 384 \fBvariable name with a following assignment\fR
 385 .ad
 386 .sp .6
 387 .RS 4n
 388 To set a new value.
 389 .RE
 390 
 391 Examples follow:
 392 .sp
 393 .in +2
 394 .nf
 395 # Print out all IPFilter kernel tunable parameters
 396 ipf -T list
 397 
 398 # Display the current TCP idle timeout and then set it to 3600
 399 ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E
 400 
 401 # Display current values for fr_pass and fr_chksrc, then set
 402 # fr_chksrc to 1.
 403 ipf -T fr_pass,fr_chksrc,fr_chksrc=1
 404 .fi
 405 .in -2
 406 .sp
 407 
 408 .RE
 409 
 410 .sp
 411 .ne 2
 412 .na
 413 \fB\fB-v\fR\fR
 414 .ad
 415 .sp .6
 416 .RS 4n
 417 Turn verbose mode on. Displays information relating to rule processing.
 418 .RE
 419 
 420 .sp
 421 .ne 2
 422 .na
 423 \fB\fB-V\fR\fR
 424 .ad
 425 .sp .6
 426 .RS 4n
Show version information. This will display the version information compiled
into the \fBipf\fR binary and retrieve it from the kernel code (if running or
present). If it is present in the kernel, information about its current state
will be displayed (for example, whether logging is active, default filtering,
and so forth).
 432 .RE
 433 
 434 .sp
 435 .ne 2
 436 .na
 437 \fB\fB-y\fR\fR
 438 .ad
 439 .sp .6
 440 .RS 4n
 441 Manually resync the in-kernel interface list maintained by IP Filter with the
 442 current interface status list.
 443 .RE
 444 
 445 .sp
 446 .ne 2
 447 .na
 448 \fB\fB-z\fR\fR
 449 .ad
 450 .sp .6
 451 .RS 4n
 452 For each rule in the input file, reset the statistics for it to zero and
 453 display the statistics prior to them being zeroed.
 454 .RE
 455 
 456 .sp
 457 .ne 2
 458 .na
 459 \fB\fB-Z\fR\fR
 460 .ad
 461 .sp .6
 462 .RS 4n
 463 Zero global statistics held in the kernel for filtering only. This does not
 464 affect fragment or state statistics.
 465 .RE
 466 
 467 .SH ZONES
 468 Each non-global zone has two ipfilter instances: the in-zone ipfilter, which
 469 can be controlled from both the zone itself and the global zone, and the
 470 Global Zone-controlled (GZ-controlled) instance, which can only be controlled
 471 from the Global Zone. The non-global zone is not able to observe or control
 472 the GZ-controlled ipfilter.
 473 
 474 ipf optionally takes a zone name as an argument, which will change the
 475 ipfilter settings for that zone, rather than the current one. The zonename
 476 option is only available in the Global Zone. Using it in any other zone will
 477 return an error. If the \fB-G\fR option is specified with this argument, the
 478 Global Zone-controlled ipfilter is operated on. If \fB-G\fR is not specified,
 479 the in-zone ipfilter is operated on. Note that ipf differs from the other
 480 ipfilter tools in how the zone name is specified. It takes the zone name as the
 481 last argument, while all of the other tools take the zone name as an argument
 482 to the \fB-G\fR and \fB-z\fR options.
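
As an added example, not code from this page or from IP Filter itself, the following POSIX shell function ties together the \fB-n\fR, \fB-I\fR, \fB-F\fR and \fB-s\fR options described under OPTIONS and the trailing zone-name argument described in this section: it parses a rule file without touching the kernel, loads it into the inactive list, then swaps that list in, so a rule file with a syntax error never leaves the active list empty or half loaded. The \fBIPF_CMD\fR environment override for the \fBipf\fR binary is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the ipf(1M) page: reload a rule file without a
# window in which the kernel runs an empty or half-parsed rule set.
# Assumption: IPF_CMD names the ipf binary (defaults to ipf; overridable so
# the sequence can be exercised without root or a kernel with IP Filter).

# ipf_safe_reload RULEFILE [ZONENAME]
#   1. ipf -n -f RULEFILE       parse only; -n makes no ioctl calls
#   2. ipf -I -F a -f RULEFILE  flush the inactive list, load rules into it
#   3. ipf -s                   swap the inactive and active lists
# After step 3 the previous rule set is the inactive list, so a second
# `ipf -s` rolls back. A zone name, when given, is passed as ipf's last
# argument (see ZONES); that form is only accepted in the global zone.
ipf_safe_reload() {
    rules="$1"
    zone="$2"
    ipf="${IPF_CMD:-ipf}"

    if [ ! -r "$rules" ]; then
        echo "ipf_safe_reload: cannot read $rules" >&2
        return 2
    fi

    # Step 1: dry-run parse. A syntax error stops here and the kernel's
    # active list is never touched.
    if ! "$ipf" -n -f "$rules" ${zone:+"$zone"} >/dev/null 2>&1; then
        echo "ipf_safe_reload: $rules failed to parse; active rules unchanged" >&2
        return 1
    fi

    # Step 2: load into the inactive list (-I), flushing it first (-F a).
    "$ipf" -I -F a -f "$rules" ${zone:+"$zone"} || return 1

    # Step 3: make the freshly loaded list the active one.
    "$ipf" -s ${zone:+"$zone"}
}
```

Run as root on a system with IP Filter enabled, for example `ipf_safe_reload /etc/ipf/ipf.conf`; a failed parse returns 1 and prints the reason without altering the running rules.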
 483 
 484 .SH FILES
 485 .ne 2
 486 .na
 487 \fB\fB/dev/ipauth\fR\fR
 488 .ad
 489 .br
 490 .na
 491 \fB\fB/dev/ipl\fR\fR
 492 .ad
 493 .br
 494 .na
 495 \fB\fB/dev/ipstate\fR\fR
 496 .ad
 497 .sp .6
 498 .RS 4n
 499 Links to IP Filter pseudo devices.
 500 .RE
 501 
 502 .sp
 503 .ne 2
 504 .na
 505 \fB\fB/etc/ipf/ipf.conf\fR\fR
 506 .ad
 507 .sp .6
 508 .RS 4n
 509 Location of \fBipf\fR startup configuration file. See \fBipf\fR(4).
 510 .RE
 511 
 512 .sp
 513 .ne 2
 514 .na
 515 \fB\fB/usr/share/ipfilter/examples/\fR\fR
 516 .ad
 517 .sp .6
 518 .RS 4n
 519 Contains numerous IP Filter examples.
 520 .RE
 521 
 522 .SH ATTRIBUTES
 523 See \fBattributes\fR(5) for descriptions of the following attributes:
 524 .sp
 525 
 526 .sp
 527 .TS
 528 box;
 529 c | c
 530 l | l .
 531 ATTRIBUTE TYPE  ATTRIBUTE VALUE
 532 _
 533 Interface Stability     Committed
 534 .TE
 535 
 536 .SH SEE ALSO
 537 \fBipfstat\fR(1M), \fBipmon\fR(1M), \fBipnat\fR(1M), \fBippool\fR(1M),
 538 \fBsvcadm\fR(1M), \fBsvc.ipfd\fR(1M), \fBipf\fR(4), \fBipnat\fR(4),
\fBippool\fR(4), \fBattributes\fR(5), \fBipfilter\fR(5), \fBzones\fR(5)
 543 .SH DIAGNOSTICS
 544 Needs to be run as root for the packet filtering lists to actually be affected
 545 inside the kernel.