1 '\" te 2 .\" To view license terms, attribution, and copyright for IP Filter, the default path is /usr/lib/ipf/IPFILTER.LICENCE. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the installed 3 .\" location. 4 .\" Portions Copyright (c) 2009, Sun Microsystems Inc. All Rights Reserved. 5 .\" Portions Copyright (c) 2015, Joyent, Inc. 6 .TH IPF 1M "May 17, 2020" 7 .SH NAME 8 ipf \- alter packet filtering lists for IP packet input and output 9 .SH SYNOPSIS 10 .nf 11 \fBipf\fR [\fB-6AdDEGInoPRrsvVyzZ\fR] [\fB-l\fR block | pass | nomatch] 12 [\fB-T\fR \fIoptionlist\fR] [\fB-F\fR i | o | a | s | S] \fB-f\fR \fIfilename\fR 13 [\fB-f\fR \fIfilename\fR...] [\fIzonename\fR] 14 .fi 15 16 .SH DESCRIPTION 17 The \fBipf\fR utility is part of a suite of commands associated with the 18 Solaris IP Filter feature. See \fBipfilter\fR(5). 19 .sp 20 .LP 21 The \fBipf\fR utility opens the filenames listed (treating a hyphen (\fB-\fR) 22 as stdin) and parses the file for a set of rules which are to be added or 23 removed from the packet filter rule set. 24 .sp 25 .LP 26 If there are no parsing problems, each rule processed by \fBipf\fR is added to 27 the kernel's internal lists. Rules are added to the end of the internal lists, 28 matching the order in which they appear when given to \fBipf\fR. 29 .sp 30 .LP 31 \fBipf\fR's use is restricted through access to \fB/dev/ipauth\fR, 32 \fB/dev/ipl\fR, and \fB/dev/ipstate\fR. The default permissions of these files 33 require \fBipf\fR to be run as root for all operations. 34 .SS "Enabling Solaris IP Filter Feature" 35 Solaris IP Filter is installed with the Solaris operating system. However, 36 packet filtering is not enabled by default. Use the following procedure to 37 activate the Solaris IP Filter feature. 38 .RS +4 39 .TP 40 1. 41 Assume a role that includes the IP Filter Management rights profile (see 42 \fBrbac\fR(5)) or become superuser. 43 .RE 44 .RS +4 45 .TP 46 2. 47 Configure system and services' firewall policies. See \fBsvc.ipfd\fR(1M) and 48 \fBipf\fR(4). 49 .RE 50 .RS +4 51 .TP 52 3. 53 (Optional) Create a network address translation (NAT) configuration file. 54 See \fBipnat\fR(4). 55 .RE 56 .RS +4 57 .TP 58 4. 59 (Optional) Create an address pool configuration file. See \fBippool\fR(4). 60 .sp 61 Create an \fBippool.conf\fR file if you want to refer to a group of addresses as 62 a single address pool. If you want the address pool configuration file to be 63 loaded at boot time, create a file called \fB/etc/ipf/ippool.conf\fR in which 64 to put the address pool. If you do not want the address pool configuration file 65 to be loaded at boot time, put the \fBippool.conf\fR file in a location other 66 than \fB/etc/ipf\fR and manually activate the rules. 67 .RE 68 .RS +4 69 .TP 70 5. 71 Enable Solaris IP Filter, as follows: 72 .sp 73 .in +2 74 .nf 75 # \fBsvcadm enable network/ipfilter\fR 76 .fi 77 .in -2 78 .sp 79 80 .RE 81 .sp 82 .LP 83 To re-enable packet filtering after it has been temporarily disabled either 84 reboot the machine or enter the following command: 85 .sp 86 .in +2 87 .nf 88 # \fBsvcadm enable network/ipfilter\fR 89 .fi 90 .in -2 91 .sp 92 93 .sp 94 .LP 95 \&...which essentially executes the following \fBipf\fR commands: 96 .RS +4 97 .TP 98 1. 99 Enable Solaris IP Filter: 100 .sp 101 .in +2 102 .nf 103 # \fBipf -E\fR 104 .fi 105 .in -2 106 .sp 107 108 .RE 109 .RS +4 110 .TP 111 2. 112 Load \fBippools\fR: 113 .sp 114 .in +2 115 .nf 116 \fB# ippool -f\fR \fI<ippool configuration file>\fR 117 .fi 118 .in -2 119 .sp 120 121 See \fBippool\fR(1M). 122 .RE 123 .RS +4 124 .TP 125 3. 126 (Optional) Activate packet filtering: 127 .sp 128 .in +2 129 .nf 130 \fBipf -f\fR \fI<ipf configuration file>\fR 131 .fi 132 .in -2 133 .sp 134 135 .RE 136 .RS +4 137 .TP 138 4. 139 (Optional) Activate NAT: 140 .sp 141 .in +2 142 .nf 143 \fBipnat -f\fR \fI<IPNAT configuration file>\fR 144 .fi 145 .in -2 146 .sp 147 148 See \fBipnat\fR(1M). 149 .RE 150 .LP 151 Note - 152 .sp 153 .RS 2 154 If you reboot your system, the IPfilter configuration is automatically 155 activated. 156 .RE 157 .SH OPTIONS 158 The following options are supported: 159 .sp 160 .ne 2 161 .na 162 \fB\fB-6\fR\fR 163 .ad 164 .sp .6 165 .RS 4n 166 This option is required to parse IPv6 rules and to have them loaded. Loading of 167 IPv6 rules is subject to change in the future. 168 .RE 169 170 .sp 171 .ne 2 172 .na 173 \fB\fB-A\fR\fR 174 .ad 175 .sp .6 176 .RS 4n 177 Set the list to make changes to the active list (default). 178 .RE 179 180 .sp 181 .ne 2 182 .na 183 \fB\fB-d\fR\fR 184 .ad 185 .sp .6 186 .RS 4n 187 Turn debug mode on. Causes a hex dump of filter rules to be generated as it 188 processes each one. 189 .RE 190 191 .sp 192 .ne 2 193 .na 194 \fB\fB-D\fR\fR 195 .ad 196 .sp .6 197 .RS 4n 198 Disable the filter (if enabled). Not effective for loadable kernel versions. 199 .RE 200 201 .sp 202 .ne 2 203 .na 204 \fB\fB-E\fR\fR 205 .ad 206 .sp .6 207 .RS 4n 208 Enable the filter (if disabled). Not effective for loadable kernel versions. 209 .RE 210 211 .sp 212 .ne 2 213 .na 214 \fB\fB-F\fR \fBi\fR | \fBo\fR | \fBa\fR\fR 215 .ad 216 .sp .6 217 .RS 4n 218 Specifies which filter list to flush. The parameter should either be \fBi\fR 219 (input), \fBo\fR (output) or \fBa\fR (remove all filter rules). Either a single 220 letter or an entire word starting with the appropriate letter can be used. This 221 option can be before or after any other, with the order on the command line 222 determining that used to execute options. 223 .RE 224 225 .sp 226 .ne 2 227 .na 228 \fB\fB-F\fR \fBs\fR | \fBS\fR\fR 229 .ad 230 .sp .6 231 .RS 4n 232 To flush entries from the state table, use the \fB-F\fR option in conjunction 233 with either \fBs\fR (removes state information about any non-fully established 234 connections) or \fBS\fR (deletes the entire state table). You can specify only 235 one of these two options. A fully established connection will show up in 236 \fBipfstat\fR \fB-s\fR output as \fB4/4\fR, with deviations either way 237 indicating the connection is not fully established. 238 .RE 239 240 .sp 241 .ne 2 242 .na 243 \fB\fB-f\fR \fIfilename\fR\fR 244 .ad 245 .sp .6 246 .RS 4n 247 Specifies which files \fBipf\fR should use to get input from for modifying the 248 packet filter rule lists. 249 .RE 250 251 .sp 252 .ne 2 253 .na 254 \fB\fB-G\fR\fR 255 .ad 256 .sp .6 257 .RS 4n 258 Make changes to the Global Zone-controlled ipfilter for the zone given as an 259 argument. See the \fBZONES\fR section for more information. 260 .RE 261 262 .sp 263 .ne 2 264 .na 265 \fB\fB-I\fR\fR 266 .ad 267 .sp .6 268 .RS 4n 269 Set the list to make changes to the inactive list. 270 .RE 271 272 .sp 273 .ne 2 274 .na 275 \fB\fB-l\fR \fBpass\fR | \fBblock\fR | \fBnomatch\fR\fR 276 .ad 277 .sp .6 278 .RS 4n 279 Toggles default logging of packets. Valid arguments to this option are 280 \fBpass\fR, \fBblock\fR and \fBnomatch\fR. When an option is set, any packet 281 which exits filtering and matches the set category is logged. This is most 282 useful for causing all packets that do not match any of the loaded rules to be 283 logged. 284 .RE 285 286 .sp 287 .ne 2 288 .na 289 \fB\fB-n\fR\fR 290 .ad 291 .sp .6 292 .RS 4n 293 Prevents \fBipf\fR from making any ioctl calls or doing anything which would 294 alter the currently running kernel. 295 .RE 296 297 .sp 298 .ne 2 299 .na 300 \fB\fB-o\fR\fR 301 .ad 302 .sp .6 303 .RS 4n 304 Force rules by default to be added/deleted to/from the output list, rather than 305 the (default) input list. 306 .RE 307 308 .sp 309 .ne 2 310 .na 311 \fB\fB-P\fR\fR 312 .ad 313 .sp .6 314 .RS 4n 315 Add rules as temporary entries in the authentication rule table. 316 .RE 317 318 .sp 319 .ne 2 320 .na 321 \fB\fB-R\fR\fR 322 .ad 323 .sp .6 324 .RS 4n 325 Disable both IP address-to-hostname resolution and port number-to-service name 326 resolution. 327 .RE 328 329 .sp 330 .ne 2 331 .na 332 \fB\fB-r\fR\fR 333 .ad 334 .sp .6 335 .RS 4n 336 Remove matching filter rules rather than add them to the internal lists. 337 .RE 338 339 .sp 340 .ne 2 341 .na 342 \fB\fB-s\fR\fR 343 .ad 344 .sp .6 345 .RS 4n 346 Swap the currently active filter list to be an alternative list. 347 .RE 348 349 .sp 350 .ne 2 351 .na 352 \fB\fB-T\fR \fIoptionlist\fR\fR 353 .ad 354 .sp .6 355 .RS 4n 356 Allows run-time changing of IPFilter kernel variables. To allow for changing, 357 some variables require IPFilter to be in a disabled state (\fB-D\fR), others do 358 not. The \fIoptionlist\fR parameter is a comma-separated list of tuning 359 commands. A tuning command is one of the following: 360 .sp 361 .ne 2 362 .na 363 \fB\fBlist\fR\fR 364 .ad 365 .sp .6 366 .RS 4n 367 Retrieve a list of all variables in the kernel, their maximum, minimum, and 368 current value. 369 .RE 370 371 .sp 372 .ne 2 373 .na 374 \fBsingle variable name\fR 375 .ad 376 .sp .6 377 .RS 4n 378 Retrieve its current value. 379 .RE 380 381 .sp 382 .ne 2 383 .na 384 \fBvariable name with a following assignment\fR 385 .ad 386 .sp .6 387 .RS 4n 388 To set a new value. 389 .RE 390 391 Examples follow: 392 .sp 393 .in +2 394 .nf 395 # Print out all IPFilter kernel tunable parameters 396 ipf -T list 397 398 # Display the current TCP idle timeout and then set it to 3600 399 ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E 400 401 # Display current values for fr_pass and fr_chksrc, then set 402 # fr_chksrc to 1. 403 ipf -T fr_pass,fr_chksrc,fr_chksrc=1 404 .fi 405 .in -2 406 .sp 407 408 .RE 409 410 .sp 411 .ne 2 412 .na 413 \fB\fB-v\fR\fR 414 .ad 415 .sp .6 416 .RS 4n 417 Turn verbose mode on. Displays information relating to rule processing. 418 .RE 419 420 .sp 421 .ne 2 422 .na 423 \fB\fB-V\fR\fR 424 .ad 425 .sp .6 426 .RS 4n 427 Show version information. This will display the version information compiled 428 into the \fBipf\fR binary and retrieve it from the kernel code (if running or 429 present). If it is present in the kernel, information about its current state 430 will be displayed; for example, whether logging is active, default filtering, 431 and so forth). 432 .RE 433 434 .sp 435 .ne 2 436 .na 437 \fB\fB-y\fR\fR 438 .ad 439 .sp .6 440 .RS 4n 441 Manually resync the in-kernel interface list maintained by IP Filter with the 442 current interface status list. 443 .RE 444 445 .sp 446 .ne 2 447 .na 448 \fB\fB-z\fR\fR 449 .ad 450 .sp .6 451 .RS 4n 452 For each rule in the input file, reset the statistics for it to zero and 453 display the statistics prior to them being zeroed. 454 .RE 455 456 .sp 457 .ne 2 458 .na 459 \fB\fB-Z\fR\fR 460 .ad 461 .sp .6 462 .RS 4n 463 Zero global statistics held in the kernel for filtering only. This does not 464 affect fragment or state statistics. 465 .RE 466 467 .SH ZONES 468 Each non-global zone has two ipfilter instances: the in-zone ipfilter, which 469 can be controlled from both the zone itself and the global zone, and the 470 Global Zone-controlled (GZ-controlled) instance, which can only be controlled 471 from the Global Zone. The non-global zone is not able to observe or control 472 the GZ-controlled ipfilter. 473 474 ipf optionally takes a zone name as an argument, which will change the 475 ipfilter settings for that zone, rather than the current one. The zonename 476 option is only available in the Global Zone. Using it in any other zone will 477 return an error. If the \fB-G\fR option is specified with this argument, the 478 Global Zone-controlled ipfilter is operated on. If \fB-G\fR is not specified, 479 the in-zone ipfilter is operated on. Note that ipf differs from the other 480 ipfilter tools in how the zone name is specified. It takes the zone name as the 481 last argument, while all of the other tools take the zone name as an argument 482 to the \fB-G\fR and \fB-z\fR options. 483 484 .SH FILES 485 .ne 2 486 .na 487 \fB\fB/dev/ipauth\fR\fR 488 .ad 489 .br 490 .na 491 \fB\fB/dev/ipl\fR\fR 492 .ad 493 .br 494 .na 495 \fB\fB/dev/ipstate\fR\fR 496 .ad 497 .sp .6 498 .RS 4n 499 Links to IP Filter pseudo devices. 500 .RE 501 502 .sp 503 .ne 2 504 .na 505 \fB\fB/etc/ipf/ipf.conf\fR\fR 506 .ad 507 .sp .6 508 .RS 4n 509 Location of \fBipf\fR startup configuration file. See \fBipf\fR(4). 510 .RE 511 512 .sp 513 .ne 2 514 .na 515 \fB\fB/usr/share/ipfilter/examples/\fR\fR 516 .ad 517 .sp .6 518 .RS 4n 519 Contains numerous IP Filter examples. 520 .RE 521 522 .SH ATTRIBUTES 523 See \fBattributes\fR(5) for descriptions of the following attributes: 524 .sp 525 526 .sp 527 .TS 528 box; 529 c | c 530 l | l . 531 ATTRIBUTE TYPE ATTRIBUTE VALUE 532 _ 533 Interface Stability Committed 534 .TE 535 536 .SH SEE ALSO 537 \fBipfstat\fR(1M), \fBipmon\fR(1M), \fBipnat\fR(1M), \fBippool\fR(1M), 538 \fBsvcadm\fR(1M), \fBsvc.ipfd\fR(1M), \fBipf\fR(4), \fBipnat\fR(4), 539 \fBippool\fR(4), \fBattributes\fR(5), \fBipfilter\fR(5), \fBzones(5)\fR 540 .sp 541 .LP 542 \fI\fR 543 .SH DIAGNOSTICS 544 Needs to be run as root for the packet filtering lists to actually be affected 545 inside the kernel.