12745 man page typos
--- old/usr/src/man/man1m/ipf.1m.man.txt
+++ new/usr/src/man/man1m/ipf.1m.man.txt
1 1 IPF(1M) Maintenance Commands IPF(1M)
2 2
3 3
4 4
5 5 NAME
6 6 ipf - alter packet filtering lists for IP packet input and output
7 7
8 8 SYNOPSIS
9 9 ipf [-6AdDEGInoPRrsvVyzZ] [-l block | pass | nomatch]
10 10 [-T optionlist] [-F i | o | a | s | S] -f filename
11 11 [-f filename...] [zonename]
12 12
13 13
14 14 DESCRIPTION
15 15 The ipf utility is part of a suite of commands associated with the
16 16 Solaris IP Filter feature. See ipfilter(5).
17 17
18 18
19 19 The ipf utility opens the filenames listed (treating a hyphen (-) as
20 20 stdin) and parses the file for a set of rules which are to be added or
21 21 removed from the packet filter rule set.
22 22
23 23
24 24 If there are no parsing problems, each rule processed by ipf is added
25 25 to the kernel's internal lists. Rules are added to the end of the
26 26 internal lists, matching the order in which they appear when given to
27 27 ipf.
28 28
29 29
30 30 ipf's use is restricted through access to /dev/ipauth, /dev/ipl, and
31 31 /dev/ipstate. The default permissions of these files require ipf to be
32 32 run as root for all operations.
33 33
34 34 Enabling Solaris IP Filter Feature
35 35 Solaris IP Filter is installed with the Solaris operating system.
36 36 However, packet filtering is not enabled by default. Use the following
37 37 procedure to activate the Solaris IP Filter feature.
38 38
39 39 1. Assume a role that includes the IP Filter Management rights
40 40 profile (see rbac(5)) or become superuser.
41 41
42 42 2. Configure system and services' firewall policies. See
43 43 svc.ipfd(1M) and ipf(4).
44 44
45 45 3. (Optional) Create a network address translation (NAT)
46 46 configuration file. See ipnat(4).
47 47
48 48 4. (Optional) Create an address pool configuration file. See
49 49 ippool(4).
50 50
51 - Create an ipool.conf file if you want to refer to a group of
52 - addresses as a single address pool. If you want the address
53 - pool configuration file to be loaded at boot time, create a
54 - file called /etc/ipf/ippool.conf in which to put the address
55 - pool. If you do not want the address pool configuration file
56 - to be loaded at boot time, put the ippool.conf file in a
57 - location other than /etc/ipf and manually activate the
58 - rules.
51 + Create an ippool.conf file if you want to refer to a group
52 + of addresses as a single address pool. If you want the
53 + address pool configuration file to be loaded at boot time,
54 + create a file called /etc/ipf/ippool.conf in which to put
55 + the address pool. If you do not want the address pool
56 + configuration file to be loaded at boot time, put the
57 + ippool.conf file in a location other than /etc/ipf and
58 + manually activate the rules.
59 59
60 60 5. Enable Solaris IP Filter, as follows:
61 61
62 62 # svcadm enable network/ipfilter
63 63
64 64
65 65
66 66
67 67 To re-enable packet filtering after it has been temporarily disabled
68 68 either reboot the machine or enter the following command:
69 69
70 70 # svcadm enable network/ipfilter
71 71
72 72
73 73
74 74
75 75 ...which essentially executes the following ipf commands:
76 76
77 77 1. Enable Solaris IP Filter:
78 78
79 79 # ipf -E
80 80
81 81
82 82
83 83 2. Load ippools:
84 84
85 85 # ippool -f <ippool configuration file>
86 86
87 87
88 88 See ippool(1M).
89 89
90 90 3. (Optional) Activate packet filtering:
91 91
92 92 ipf -f <ipf configuration file>
93 93
94 94
95 95
96 96 4. (Optional) Activate NAT:
97 97
98 98 ipnat -f <IPNAT configuration file>
99 99
100 100
101 101 See ipnat(1M).
102 102
103 103 Note -
104 104
105 105 If you reboot your system, the IPfilter configuration is
106 106 automatically activated.
107 107
108 108 OPTIONS
109 109 The following options are supported:
110 110
111 111 -6
112 112
113 113 This option is required to parse IPv6 rules and to have them
114 114 loaded. Loading of IPv6 rules is subject to change in the future.
115 115
116 116
117 117 -A
118 118
119 119 Set the list to make changes to the active list (default).
120 120
121 121
122 122 -d
123 123
124 124 Turn debug mode on. Causes a hex dump of filter rules to be
125 125 generated as it processes each one.
126 126
127 127
128 128 -D
129 129
130 130 Disable the filter (if enabled). Not effective for loadable kernel
131 131 versions.
132 132
133 133
134 134 -E
135 135
136 136 Enable the filter (if disabled). Not effective for loadable kernel
137 137 versions.
138 138
139 139
140 140 -F i | o | a
141 141
142 142 Specifies which filter list to flush. The parameter should either
143 143 be i (input), o (output) or a (remove all filter rules). Either a
144 144 single letter or an entire word starting with the appropriate
145 145 letter can be used. This option can be before or after any other,
146 146 with the order on the command line determining that used to execute
147 147 options.
148 148
149 149
150 150 -F s | S
151 151
152 152 To flush entries from the state table, use the -F option in
153 153 conjunction with either s (removes state information about any non-
154 154 fully established connections) or S (deletes the entire state
155 155 table). You can specify only one of these two options. A fully
156 156 established connection will show up in ipfstat -s output as 4/4,
157 157 with deviations either way indicating the connection is not fully
158 158 established.
159 159
160 160
161 161 -f filename
162 162
163 163 Specifies which files ipf should use to get input from for
164 164 modifying the packet filter rule lists.
165 165
166 166
167 167 -G
168 168
169 169 Make changes to the Global Zone-controlled ipfilter for the zone
170 170 given as an argument. See the ZONES section for more information.
171 171
172 172
173 173 -I
174 174
175 175 Set the list to make changes to the inactive list.
176 176
177 177
178 178 -l pass | block | nomatch
179 179
180 180 Toggles default logging of packets. Valid arguments to this option
181 181 are pass, block and nomatch. When an option is set, any packet
182 182 which exits filtering and matches the set category is logged. This
183 183 is most useful for causing all packets that do not match any of the
184 184 loaded rules to be logged.
185 185
186 186
187 187 -n
188 188
189 189 Prevents ipf from making any ioctl calls or doing anything which
190 190 would alter the currently running kernel.
191 191
192 192
193 193 -o
194 194
195 195 Force rules by default to be added/deleted to/from the output list,
196 196 rather than the (default) input list.
197 197
198 198
199 199 -P
200 200
201 201 Add rules as temporary entries in the authentication rule table.
202 202
203 203
204 204 -R
205 205
206 206 Disable both IP address-to-hostname resolution and port number-to-
207 207 service name resolution.
208 208
209 209
210 210 -r
211 211
212 212 Remove matching filter rules rather than add them to the internal
213 213 lists.
214 214
215 215
216 216 -s
217 217
218 218 Swap the currently active filter list to be an alternative list.
219 219
220 220
221 221 -T optionlist
222 222
223 223 Allows run-time changing of IPFilter kernel variables. To allow for
224 224 changing, some variables require IPFilter to be in a disabled state
225 225 (-D), others do not. The optionlist parameter is a comma-separated
226 226 list of tuning commands. A tuning command is one of the following:
227 227
228 228 list
229 229
230 230 Retrieve a list of all variables in the kernel, their maximum,
231 231 minimum, and current value.
232 232
233 233
234 234 single variable name
235 235
236 236 Retrieve its current value.
237 237
238 238
239 239 variable name with a following assignment
240 240
241 241 To set a new value.
242 242
243 243 Examples follow:
244 244
245 245 # Print out all IPFilter kernel tunable parameters
246 246 ipf -T list
247 247
248 248 # Display the current TCP idle timeout and then set it to 3600
249 249 ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E
250 250
251 251 # Display current values for fr_pass and fr_chksrc, then set
252 252 # fr_chksrc to 1.
253 253 ipf -T fr_pass,fr_chksrc,fr_chksrc=1
254 254
255 255
256 256
257 257
258 258 -v
259 259
260 260 Turn verbose mode on. Displays information relating to rule
261 261 processing.
262 262
263 263
264 264 -V
265 265
266 266 Show version information. This will display the version information
267 267 compiled into the ipf binary and retrieve it from the kernel code
268 268 (if running or present). If it is present in the kernel,
269 269 information about its current state will be displayed; for example,
270 270 whether logging is active, default filtering, and so forth).
271 271
272 272
273 273 -y
274 274
275 275 Manually resync the in-kernel interface list maintained by IP
276 276 Filter with the current interface status list.
277 277
278 278
279 279 -z
280 280
281 281 For each rule in the input file, reset the statistics for it to
282 282 zero and display the statistics prior to them being zeroed.
283 283
284 284
285 285 -Z
286 286
287 287 Zero global statistics held in the kernel for filtering only. This
288 288 does not affect fragment or state statistics.
289 289
290 290
291 291 ZONES
292 292 Each non-global zone has two ipfilter instances: the in-zone ipfilter,
293 293 which can be controlled from both the zone itself and the global zone,
294 294 and the Global Zone-controlled (GZ-controlled) instance, which can only
295 295 be controlled from the Global Zone. The non-global zone is not able to
296 296 observe or control the GZ-controlled ipfilter.
297 297
298 298 ipf optionally takes a zone name as an argument, which will change the
299 299 ipfilter settings for that zone, rather than the current one. The
300 300 zonename option is only available in the Global Zone. Using it in any
301 301 other zone will return an error. If the -G option is specified with
302 302 this argument, the Global Zone-controlled ipfilter is operated on. If
303 303 -G is not specified, the in-zone ipfilter is operated on. Note that ipf
304 304 differs from the other ipfilter tools in how the zone name is
305 305 specified. It takes the zone name as the last argument, while all of
306 306 the other tools take the zone name as an argument to the -G and -z
307 307 options.
308 308
309 309
310 310 FILES
311 311 /dev/ipauth
312 312 /dev/ipl
313 313 /dev/ipstate
314 314
315 315 Links to IP Filter pseudo devices.
316 316
317 317
318 318 /etc/ipf/ipf.conf
319 319
320 320 Location of ipf startup configuration file. See ipf(4).
321 321
322 322
323 323 /usr/share/ipfilter/examples/
324 324
325 325 Contains numerous IP Filter examples.
326 326
327 327
328 328 ATTRIBUTES
329 329 See attributes(5) for descriptions of the following attributes:
330 330
331 331
332 332
333 333
334 334 +--------------------+-----------------+
335 335 | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
336 336 +--------------------+-----------------+
337 337 |Interface Stability | Committed |
338 338 +--------------------+-----------------+
339 339
340 340 SEE ALSO
341 341 ipfstat(1M), ipmon(1M), ipnat(1M), ippool(1M), svcadm(1M),
342 342 svc.ipfd(1M), ipf(4), ipnat(4), ippool(4), attributes(5), ipfilter(5),
343 343 zones(5)
344 344
345 345
346 346
347 347 DIAGNOSTICS
348 348 Needs to be run as root for the packet filtering lists to actually be
349 349 affected inside the kernel.
350 350
351 351
352 352
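Review bot: the ipool.conf to ippool.conf correction in the step 4 address-pool paragraph is right (it now agrees with the /etc/ipf/ippool.conf path named in the same paragraph and with the ippool(4) reference just above it), but the file under review is the generated usr/src/man/man1m/ipf.1m.man.txt; the same fix, and the new date, must also be in the roff source ipf.1m, otherwise the next man page check regenerates this text without the correction. The reflow to the narrower wrap after the extra character is consistent with the surrounding paragraphs. Since the issue is "man page typos", two more are visible in the unchanged context and could go in the same change: "Load ippools" in the re-enable sequence (the tool and file are ippool; "Load address pools" reads correctly) and "IPfilter" in the Note at the end of that sequence, which the rest of the page spells "IP Filter" or "IPFilter". The two "ipf -f" and "ipnat -f" commands in that sequence also lack the "# " prompt that "ipf -E" and "ippool -f" carry.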
353 - April 9, 2016 IPF(1M)
353 + May 17, 2020 IPF(1M)