1 '\" te
2 .\" To view license terms, attribution, and copyright for IP Filter, the default path is /usr/lib/ipf/IPFILTER.LICENCE. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the installed
3 .\" location.
4 .\" Portions Copyright (c) 2009, Sun Microsystems Inc. All Rights Reserved.
5 .\" Portions Copyright (c) 2015, Joyent, Inc.
6 .TH IPF 1M "April 9, 2016"
7 .SH NAME
8 ipf \- alter packet filtering lists for IP packet input and output
9 .SH SYNOPSIS
10 .LP
11 .nf
12 \fBipf\fR [\fB-6AdDEGInoPRrsvVyzZ\fR] [\fB-l\fR block | pass | nomatch]
13 [\fB-T\fR \fIoptionlist\fR] [\fB-F\fR i | o | a | s | S] \fB-f\fR \fIfilename\fR
14 [\fB-f\fR \fIfilename\fR...] [\fIzonename\fR]
15 .fi
16
17 .SH DESCRIPTION
18 .LP
19 The \fBipf\fR utility is part of a suite of commands associated with the
20 Solaris IP Filter feature. See \fBipfilter\fR(5).
21 .sp
22 .LP
23 The \fBipf\fR utility opens the filenames listed (treating a hyphen (\fB-\fR)
24 as stdin) and parses the file for a set of rules which are to be added or
25 removed from the packet filter rule set.
26 .sp
27 .LP
28 If there are no parsing problems, each rule processed by \fBipf\fR is added to
29 the kernel's internal lists. Rules are added to the end of the internal lists,
30 matching the order in which they appear when given to \fBipf\fR.
31 .sp
32 .LP
33 \fBipf\fR's use is restricted through access to \fB/dev/ipauth\fR,
34 \fB/dev/ipl\fR, and \fB/dev/ipstate\fR. The default permissions of these files
35 require \fBipf\fR to be run as root for all operations.
36 .SS "Enabling Solaris IP Filter Feature"
37 .LP
38 Solaris IP Filter is installed with the Solaris operating system. However,
39 packet filtering is not enabled by default. Use the following procedure to
40 activate the Solaris IP Filter feature.
41 .RS +4
42 .TP
43 1.
44 Assume a role that includes the IP Filter Management rights profile (see
45 \fBrbac\fR(5)) or become superuser.
46 .RE
47 .RS +4
48 .TP
49 2.
50 Configure system and services' firewall policies. See \fBsvc.ipfd\fR(1M) and
51 \fBipf\fR(4).
52 .RE
53 .RS +4
54 .TP
55 3.
56 (Optional) Create a network address translation (NAT) configuration file.
57 See \fBipnat\fR(4).
58 .RE
59 .RS +4
60 .TP
61 4.
62 (Optional) Create an address pool configuration file. See \fBippool\fR(4).
63 .sp
64 Create an \fBipool.conf\fR file if you want to refer to a group of addresses as
65 a single address pool. If you want the address pool configuration file to be
66 loaded at boot time, create a file called \fB/etc/ipf/ippool.conf\fR in which
67 to put the address pool. If you do not want the address pool configuration file
68 to be loaded at boot time, put the \fBippool.conf\fR file in a location other
69 than \fB/etc/ipf\fR and manually activate the rules.
70 .RE
71 .RS +4
72 .TP
73 5.
74 Enable Solaris IP Filter, as follows:
75 .sp
76 .in +2
77 .nf
78 # \fBsvcadm enable network/ipfilter\fR
79 .fi
80 .in -2
81 .sp
82
83 .RE
84 .sp
141 4.
142 (Optional) Activate NAT:
143 .sp
144 .in +2
145 .nf
146 \fBipnat -f\fR \fI<IPNAT configuration file>\fR
147 .fi
148 .in -2
149 .sp
150
151 See \fBipnat\fR(1M).
152 .RE
153 .LP
154 Note -
155 .sp
156 .RS 2
157 If you reboot your system, the IPfilter configuration is automatically
158 activated.
159 .RE
160 .SH OPTIONS
161 .LP
162 The following options are supported:
163 .sp
164 .ne 2
165 .na
166 \fB\fB-6\fR\fR
167 .ad
168 .sp .6
169 .RS 4n
170 This option is required to parse IPv6 rules and to have them loaded. Loading of
171 IPv6 rules is subject to change in the future.
172 .RE
173
174 .sp
175 .ne 2
176 .na
177 \fB\fB-A\fR\fR
178 .ad
179 .sp .6
180 .RS 4n
181 Set the list to make changes to the active list (default).
452 \fB\fB-z\fR\fR
453 .ad
454 .sp .6
455 .RS 4n
456 For each rule in the input file, reset the statistics for it to zero and
457 display the statistics prior to them being zeroed.
458 .RE
459
460 .sp
461 .ne 2
462 .na
463 \fB\fB-Z\fR\fR
464 .ad
465 .sp .6
466 .RS 4n
467 Zero global statistics held in the kernel for filtering only. This does not
468 affect fragment or state statistics.
469 .RE
470
471 .SH ZONES
472 .LP
473 Each non-global zone has two ipfilter instances: the in-zone ipfilter, which
474 can be controlled from both the zone itself and the global zone, and the
475 Global Zone-controlled (GZ-controlled) instance, which can only be controlled
476 from the Global Zone. The non-global zone is not able to observe or control
477 the GZ-controlled ipfilter.
478
479 ipf optionally takes a zone name as an argument, which will change the
480 ipfilter settings for that zone, rather than the current one. The zonename
481 option is only available in the Global Zone. Using it in any other zone will
482 return an error. If the \fB-G\fR option is specified with this argument, the
483 Global Zone-controlled ipfilter is operated on. If \fB-G\fR is not specified,
484 the in-zone ipfilter is operated on. Note that ipf differs from the other
485 ipfilter tools in how the zone name is specified. It takes the zone name as the
486 last argument, while all of the other tools take the zone name as an argument
487 to the \fB-G\fR and \fB-z\fR options.
488
489 .SH FILES
490 .ne 2
491 .na
492 \fB\fB/dev/ipauth\fR\fR
508 .ne 2
509 .na
510 \fB\fB/etc/ipf/ipf.conf\fR\fR
511 .ad
512 .sp .6
513 .RS 4n
514 Location of \fBipf\fR startup configuration file. See \fBipf\fR(4).
515 .RE
516
517 .sp
518 .ne 2
519 .na
520 \fB\fB/usr/share/ipfilter/examples/\fR\fR
521 .ad
522 .sp .6
523 .RS 4n
524 Contains numerous IP Filter examples.
525 .RE
526
527 .SH ATTRIBUTES
528 .LP
529 See \fBattributes\fR(5) for descriptions of the following attributes:
530 .sp
531
532 .sp
533 .TS
534 box;
535 c | c
536 l | l .
537 ATTRIBUTE TYPE ATTRIBUTE VALUE
538 _
539 Interface Stability Committed
540 .TE
541
542 .SH SEE ALSO
543 .LP
544 \fBipfstat\fR(1M), \fBipmon\fR(1M), \fBipnat\fR(1M), \fBippool\fR(1M),
545 \fBsvcadm\fR(1M), \fBsvc.ipfd\fR(1M), \fBipf\fR(4), \fBipnat\fR(4),
546 \fBippool\fR(4), \fBattributes\fR(5), \fBipfilter\fR(5), \fBzones(5)\fR
547 .sp
548 .LP
549 \fI\fR
550 .SH DIAGNOSTICS
551 .LP
552 Needs to be run as root for the packet filtering lists to actually be affected
553 inside the kernel.
1 '\" te
2 .\" To view license terms, attribution, and copyright for IP Filter, the default path is /usr/lib/ipf/IPFILTER.LICENCE. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the installed
3 .\" location.
4 .\" Portions Copyright (c) 2009, Sun Microsystems Inc. All Rights Reserved.
5 .\" Portions Copyright (c) 2015, Joyent, Inc.
6 .TH IPF 1M "May 17, 2020"
7 .SH NAME
8 ipf \- alter packet filtering lists for IP packet input and output
9 .SH SYNOPSIS
10 .nf
11 \fBipf\fR [\fB-6AdDEGInoPRrsvVyzZ\fR] [\fB-l\fR block | pass | nomatch]
12 [\fB-T\fR \fIoptionlist\fR] [\fB-F\fR i | o | a | s | S] \fB-f\fR \fIfilename\fR
13 [\fB-f\fR \fIfilename\fR...] [\fIzonename\fR]
14 .fi
15
16 .SH DESCRIPTION
17 The \fBipf\fR utility is part of a suite of commands associated with the
18 Solaris IP Filter feature. See \fBipfilter\fR(5).
19 .sp
20 .LP
21 The \fBipf\fR utility opens the filenames listed (treating a hyphen (\fB-\fR)
22 as stdin) and parses the file for a set of rules which are to be added or
23 removed from the packet filter rule set.
24 .sp
25 .LP
26 If there are no parsing problems, each rule processed by \fBipf\fR is added to
27 the kernel's internal lists. Rules are added to the end of the internal lists,
28 matching the order in which they appear when given to \fBipf\fR.
29 .sp
30 .LP
31 \fBipf\fR's use is restricted through access to \fB/dev/ipauth\fR,
32 \fB/dev/ipl\fR, and \fB/dev/ipstate\fR. The default permissions of these files
33 require \fBipf\fR to be run as root for all operations.
34 .SS "Enabling Solaris IP Filter Feature"
35 Solaris IP Filter is installed with the Solaris operating system. However,
36 packet filtering is not enabled by default. Use the following procedure to
37 activate the Solaris IP Filter feature.
38 .RS +4
39 .TP
40 1.
41 Assume a role that includes the IP Filter Management rights profile (see
42 \fBrbac\fR(5)) or become superuser.
43 .RE
44 .RS +4
45 .TP
46 2.
47 Configure system and services' firewall policies. See \fBsvc.ipfd\fR(1M) and
48 \fBipf\fR(4).
49 .RE
50 .RS +4
51 .TP
52 3.
53 (Optional) Create a network address translation (NAT) configuration file.
54 See \fBipnat\fR(4).
55 .RE
56 .RS +4
57 .TP
58 4.
59 (Optional) Create an address pool configuration file. See \fBippool\fR(4).
60 .sp
61 Create an \fBippool.conf\fR file if you want to refer to a group of addresses as
62 a single address pool. If you want the address pool configuration file to be
63 loaded at boot time, create a file called \fB/etc/ipf/ippool.conf\fR in which
64 to put the address pool. If you do not want the address pool configuration file
65 to be loaded at boot time, put the \fBippool.conf\fR file in a location other
66 than \fB/etc/ipf\fR and manually activate the rules.
67 .RE
68 .RS +4
69 .TP
70 5.
71 Enable Solaris IP Filter, as follows:
72 .sp
73 .in +2
74 .nf
75 # \fBsvcadm enable network/ipfilter\fR
76 .fi
77 .in -2
78 .sp
79
80 .RE
81 .sp
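Review bot: the `ipool.conf` to `ippool.conf` correction at line 61 is the one user-visible fix in this hunk and it is right, matching the `/etc/ipf/ippool.conf` path two lines below and the `\fBippool\fR(4)` reference at line 59. The `.LP` macros dropped after `.SH DESCRIPTION`, `.SS "Enabling Solaris IP Filter Feature"` and in SYNOPSIS were redundant because `.SH`/`.SS` already begin a paragraph; the `.sp`/`.LP` pairs between the later DESCRIPTION paragraphs (lines 19-20, 24-25, 29-30) still do real work and are correctly left alone. Since the `.TH` date is bumped to "May 17, 2020" for what is otherwise a macro cleanup, the typo fix deserves a mention in the change description.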
138 4.
139 (Optional) Activate NAT:
140 .sp
141 .in +2
142 .nf
143 \fBipnat -f\fR \fI<IPNAT configuration file>\fR
144 .fi
145 .in -2
146 .sp
147
148 See \fBipnat\fR(1M).
149 .RE
150 .LP
151 Note -
152 .sp
153 .RS 2
154 If you reboot your system, the IPfilter configuration is automatically
155 activated.
156 .RE
157 .SH OPTIONS
158 The following options are supported:
159 .sp
160 .ne 2
161 .na
162 \fB\fB-6\fR\fR
163 .ad
164 .sp .6
165 .RS 4n
166 This option is required to parse IPv6 rules and to have them loaded. Loading of
167 IPv6 rules is subject to change in the future.
168 .RE
169
170 .sp
171 .ne 2
172 .na
173 \fB\fB-A\fR\fR
174 .ad
175 .sp .6
176 .RS 4n
177 Set the list to make changes to the active list (default).
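Review bot: the note at lines 154-155 spells the product "IPfilter" while the rest of the page uses "Solaris IP Filter" (the SMF service is `network/ipfilter`, the page title is IP Filter); since this hunk is already touching the surrounding macros, normalise the spelling to "IP Filter" here as well.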
448 \fB\fB-z\fR\fR
449 .ad
450 .sp .6
451 .RS 4n
452 For each rule in the input file, reset the statistics for it to zero and
453 display the statistics prior to them being zeroed.
454 .RE
455
456 .sp
457 .ne 2
458 .na
459 \fB\fB-Z\fR\fR
460 .ad
461 .sp .6
462 .RS 4n
463 Zero global statistics held in the kernel for filtering only. This does not
464 affect fragment or state statistics.
465 .RE
466
467 .SH ZONES
468 Each non-global zone has two ipfilter instances: the in-zone ipfilter, which
469 can be controlled from both the zone itself and the global zone, and the
470 Global Zone-controlled (GZ-controlled) instance, which can only be controlled
471 from the Global Zone. The non-global zone is not able to observe or control
472 the GZ-controlled ipfilter.
473
474 ipf optionally takes a zone name as an argument, which will change the
475 ipfilter settings for that zone, rather than the current one. The zonename
476 option is only available in the Global Zone. Using it in any other zone will
477 return an error. If the \fB-G\fR option is specified with this argument, the
478 Global Zone-controlled ipfilter is operated on. If \fB-G\fR is not specified,
479 the in-zone ipfilter is operated on. Note that ipf differs from the other
480 ipfilter tools in how the zone name is specified. It takes the zone name as the
481 last argument, while all of the other tools take the zone name as an argument
482 to the \fB-G\fR and \fB-z\fR options.
483
484 .SH FILES
485 .ne 2
486 .na
487 \fB\fB/dev/ipauth\fR\fR
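Review bot: in the ZONES section (lines 468-482) `ipf` and `ipfilter` appear as bare words, whereas every other mention of the command on the page is marked up as `\fBipf\fR`; the same paragraph also alternates between "global zone" and "Global Zone". Suggest `\fBipf\fR` for the command name, a consistent capitalisation of "global zone", and `\fBipfilter\fR(5)` where the feature rather than the command is meant, as DESCRIPTION already does.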
503 .ne 2
504 .na
505 \fB\fB/etc/ipf/ipf.conf\fR\fR
506 .ad
507 .sp .6
508 .RS 4n
509 Location of \fBipf\fR startup configuration file. See \fBipf\fR(4).
510 .RE
511
512 .sp
513 .ne 2
514 .na
515 \fB\fB/usr/share/ipfilter/examples/\fR\fR
516 .ad
517 .sp .6
518 .RS 4n
519 Contains numerous IP Filter examples.
520 .RE
521
522 .SH ATTRIBUTES
523 See \fBattributes\fR(5) for descriptions of the following attributes:
524 .sp
525
526 .sp
527 .TS
528 box;
529 c | c
530 l | l .
531 ATTRIBUTE TYPE ATTRIBUTE VALUE
532 _
533 Interface Stability Committed
534 .TE
535
536 .SH SEE ALSO
537 \fBipfstat\fR(1M), \fBipmon\fR(1M), \fBipnat\fR(1M), \fBippool\fR(1M),
538 \fBsvcadm\fR(1M), \fBsvc.ipfd\fR(1M), \fBipf\fR(4), \fBipnat\fR(4),
539 \fBippool\fR(4), \fBattributes\fR(5), \fBipfilter\fR(5), \fBzones(5)\fR
540 .sp
541 .LP
542 \fI\fR
543 .SH DIAGNOSTICS
544 Needs to be run as root for the packet filtering lists to actually be affected
545 inside the kernel.
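Review bot: two leftovers in this hunk should go with the cleanup: line 542 is an empty `\fI\fR` request under SEE ALSO that renders nothing, and `\fBzones(5)\fR` at line 539 puts the section number inside the bold, unlike every other cross-reference on the page (`\fBipf\fR(4)`, `\fBattributes\fR(5)`); change it to `\fBzones\fR(5)` and drop the stray `\fI\fR` together with the `.sp`/`.LP` that only exist to carry it. The `.sp`, blank line, `.sp` sequence at lines 524-526 before the ATTRIBUTES table is likewise redundant spacing.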