12745 man page typos
--- old/usr/src/man/man1m/ipf.1m
+++ new/usr/src/man/man1m/ipf.1m
1 1 '\" te
2 2 .\" To view license terms, attribution, and copyright for IP Filter, the default path is /usr/lib/ipf/IPFILTER.LICENCE. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the installed
3 3 .\" location.
4 4 .\" Portions Copyright (c) 2009, Sun Microsystems Inc. All Rights Reserved.
5 5 .\" Portions Copyright (c) 2015, Joyent, Inc.
6 -.TH IPF 1M "April 9, 2016"
6 +.TH IPF 1M "May 17, 2020"
7 7 .SH NAME
8 8 ipf \- alter packet filtering lists for IP packet input and output
9 9 .SH SYNOPSIS
10 -.LP
11 10 .nf
12 11 \fBipf\fR [\fB-6AdDEGInoPRrsvVyzZ\fR] [\fB-l\fR block | pass | nomatch]
13 12 [\fB-T\fR \fIoptionlist\fR] [\fB-F\fR i | o | a | s | S] \fB-f\fR \fIfilename\fR
14 13 [\fB-f\fR \fIfilename\fR...] [\fIzonename\fR]
15 14 .fi
16 15
17 16 .SH DESCRIPTION
18 -.LP
19 17 The \fBipf\fR utility is part of a suite of commands associated with the
20 18 Solaris IP Filter feature. See \fBipfilter\fR(5).
21 19 .sp
22 20 .LP
23 21 The \fBipf\fR utility opens the filenames listed (treating a hyphen (\fB-\fR)
24 22 as stdin) and parses the file for a set of rules which are to be added or
25 23 removed from the packet filter rule set.
26 24 .sp
27 25 .LP
28 26 If there are no parsing problems, each rule processed by \fBipf\fR is added to
29 27 the kernel's internal lists. Rules are added to the end of the internal lists,
30 28 matching the order in which they appear when given to \fBipf\fR.
31 29 .sp
32 30 .LP
33 31 \fBipf\fR's use is restricted through access to \fB/dev/ipauth\fR,
34 32 \fB/dev/ipl\fR, and \fB/dev/ipstate\fR. The default permissions of these files
35 33 require \fBipf\fR to be run as root for all operations.
36 34 .SS "Enabling Solaris IP Filter Feature"
37 -.LP
38 35 Solaris IP Filter is installed with the Solaris operating system. However,
39 36 packet filtering is not enabled by default. Use the following procedure to
40 37 activate the Solaris IP Filter feature.
41 38 .RS +4
42 39 .TP
43 40 1.
44 41 Assume a role that includes the IP Filter Management rights profile (see
45 42 \fBrbac\fR(5)) or become superuser.
46 43 .RE
47 44 .RS +4
48 45 .TP
49 46 2.
50 47 Configure system and services' firewall policies. See \fBsvc.ipfd\fR(1M) and
51 48 \fBipf\fR(4).
52 49 .RE
53 50 .RS +4
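Review bot: the three `.LP` removals in this hunk each sit directly after a `.SH` or `.SS` macro, where a paragraph macro is redundant (the section header already starts a new paragraph), so dropping them changes no rendered output, and the `.TH` date bump to the change date is the matching convention. The `.LP` lines that follow `.sp` further down in DESCRIPTION are correctly left alone, since there they separate consecutive paragraphs.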
6 lines elided
54 51 .TP
55 52 3.
56 53 (Optional) Create a network address translation (NAT) configuration file.
57 54 See \fBipnat\fR(4).
58 55 .RE
59 56 .RS +4
60 57 .TP
61 58 4.
62 59 (Optional) Create an address pool configuration file. See \fBippool\fR(4).
63 60 .sp
64 -Create an \fBipool.conf\fR file if you want to refer to a group of addresses as
61 +Create an \fBippool.conf\fR file if you want to refer to a group of addresses as
65 62 a single address pool. If you want the address pool configuration file to be
66 63 loaded at boot time, create a file called \fB/etc/ipf/ippool.conf\fR in which
67 64 to put the address pool. If you do not want the address pool configuration file
68 65 to be loaded at boot time, put the \fBippool.conf\fR file in a location other
69 66 than \fB/etc/ipf\fR and manually activate the rules.
70 67 .RE
71 68 .RS +4
72 69 .TP
73 70 5.
74 71 Enable Solaris IP Filter, as follows:
75 72 .sp
76 73 .in +2
77 74 .nf
78 75 # \fBsvcadm enable network/ipfilter\fR
79 76 .fi
80 77 .in -2
81 78 .sp
82 79
83 80 .RE
84 81 .sp
85 82 .LP
86 83 To re-enable packet filtering after it has been temporarily disabled either
87 84 reboot the machine or enter the following command:
88 85 .sp
89 86 .in +2
90 87 .nf
91 88 # \fBsvcadm enable network/ipfilter\fR
92 89 .fi
93 90 .in -2
94 91 .sp
95 92
96 93 .sp
97 94 .LP
98 95 \&...which essentially executes the following \fBipf\fR commands:
99 96 .RS +4
100 97 .TP
101 98 1.
102 99 Enable Solaris IP Filter:
103 100 .sp
104 101 .in +2
105 102 .nf
106 103 # \fBipf -E\fR
107 104 .fi
108 105 .in -2
109 106 .sp
110 107
111 108 .RE
112 109 .RS +4
113 110 .TP
114 111 2.
115 112 Load \fBippools\fR:
116 113 .sp
117 114 .in +2
118 115 .nf
119 116 \fB# ippool -f\fR \fI<ippool configuration file>\fR
120 117 .fi
121 118 .in -2
122 119 .sp
123 120
124 121 See \fBippool\fR(1M).
125 122 .RE
126 123 .RS +4
127 124 .TP
128 125 3.
129 126 (Optional) Activate packet filtering:
130 127 .sp
131 128 .in +2
132 129 .nf
133 130 \fBipf -f\fR \fI<ipf configuration file>\fR
134 131 .fi
135 132 .in -2
136 133 .sp
137 134
138 135 .RE
139 136 .RS +4
140 137 .TP
141 138 4.
142 139 (Optional) Activate NAT:
143 140 .sp
144 141 .in +2
145 142 .nf
146 143 \fBipnat -f\fR \fI<IPNAT configuration file>\fR
147 144 .fi
148 145 .in -2
149 146 .sp
150 147
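Review bot: the `ipool.conf` to `ippool.conf` fix at old line 64 is correct and now agrees with `/etc/ipf/ippool.conf` two lines below and the `ippool(4)` reference above it. In the same region the shell prompts in the numbered command examples are inconsistent: step 1 has the prompt outside the bold (`# \fBipf -E\fR`), step 2 has it inside (`\fB# ippool -f\fR`), and steps 3 and 4 (`\fBipf -f\fR`, `\fBipnat -f\fR`) carry no `#` prompt at all although all four are root commands; the `# \fBipf -f\fR` form used in step 1 could be applied throughout while this typo pass is open.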
76 lines elided
151 148 See \fBipnat\fR(1M).
152 149 .RE
153 150 .LP
154 151 Note -
155 152 .sp
156 153 .RS 2
157 154 If you reboot your system, the IPfilter configuration is automatically
158 155 activated.
159 156 .RE
160 157 .SH OPTIONS
161 -.LP
162 158 The following options are supported:
163 159 .sp
164 160 .ne 2
165 161 .na
166 162 \fB\fB-6\fR\fR
167 163 .ad
168 164 .sp .6
169 165 .RS 4n
170 166 This option is required to parse IPv6 rules and to have them loaded. Loading of
171 167 IPv6 rules is subject to change in the future.
172 168 .RE
173 169
174 170 .sp
175 171 .ne 2
176 172 .na
177 173 \fB\fB-A\fR\fR
178 174 .ad
179 175 .sp .6
180 176 .RS 4n
181 177 Set the list to make changes to the active list (default).
182 178 .RE
183 179
184 180 .sp
185 181 .ne 2
186 182 .na
187 183 \fB\fB-d\fR\fR
188 184 .ad
189 185 .sp .6
190 186 .RS 4n
191 187 Turn debug mode on. Causes a hex dump of filter rules to be generated as it
192 188 processes each one.
193 189 .RE
194 190
195 191 .sp
196 192 .ne 2
197 193 .na
198 194 \fB\fB-D\fR\fR
199 195 .ad
200 196 .sp .6
201 197 .RS 4n
202 198 Disable the filter (if enabled). Not effective for loadable kernel versions.
203 199 .RE
204 200
205 201 .sp
206 202 .ne 2
207 203 .na
208 204 \fB\fB-E\fR\fR
209 205 .ad
210 206 .sp .6
211 207 .RS 4n
212 208 Enable the filter (if disabled). Not effective for loadable kernel versions.
213 209 .RE
214 210
215 211 .sp
216 212 .ne 2
217 213 .na
218 214 \fB\fB-F\fR \fBi\fR | \fBo\fR | \fBa\fR\fR
219 215 .ad
220 216 .sp .6
221 217 .RS 4n
222 218 Specifies which filter list to flush. The parameter should either be \fBi\fR
223 219 (input), \fBo\fR (output) or \fBa\fR (remove all filter rules). Either a single
224 220 letter or an entire word starting with the appropriate letter can be used. This
225 221 option can be before or after any other, with the order on the command line
226 222 determining that used to execute options.
227 223 .RE
228 224
229 225 .sp
230 226 .ne 2
231 227 .na
232 228 \fB\fB-F\fR \fBs\fR | \fBS\fR\fR
233 229 .ad
234 230 .sp .6
235 231 .RS 4n
236 232 To flush entries from the state table, use the \fB-F\fR option in conjunction
237 233 with either \fBs\fR (removes state information about any non-fully established
238 234 connections) or \fBS\fR (deletes the entire state table). You can specify only
239 235 one of these two options. A fully established connection will show up in
240 236 \fBipfstat\fR \fB-s\fR output as \fB4/4\fR, with deviations either way
241 237 indicating the connection is not fully established.
242 238 .RE
243 239
244 240 .sp
245 241 .ne 2
246 242 .na
247 243 \fB\fB-f\fR \fIfilename\fR\fR
248 244 .ad
249 245 .sp .6
250 246 .RS 4n
251 247 Specifies which files \fBipf\fR should use to get input from for modifying the
252 248 packet filter rule lists.
253 249 .RE
254 250
255 251 .sp
256 252 .ne 2
257 253 .na
258 254 \fB\fB-G\fR\fR
259 255 .ad
260 256 .sp .6
261 257 .RS 4n
262 258 Make changes to the Global Zone-controlled ipfilter for the zone given as an
263 259 argument. See the \fBZONES\fR section for more information.
264 260 .RE
265 261
266 262 .sp
267 263 .ne 2
268 264 .na
269 265 \fB\fB-I\fR\fR
270 266 .ad
271 267 .sp .6
272 268 .RS 4n
273 269 Set the list to make changes to the inactive list.
274 270 .RE
275 271
276 272 .sp
277 273 .ne 2
278 274 .na
279 275 \fB\fB-l\fR \fBpass\fR | \fBblock\fR | \fBnomatch\fR\fR
280 276 .ad
281 277 .sp .6
282 278 .RS 4n
283 279 Toggles default logging of packets. Valid arguments to this option are
284 280 \fBpass\fR, \fBblock\fR and \fBnomatch\fR. When an option is set, any packet
285 281 which exits filtering and matches the set category is logged. This is most
286 282 useful for causing all packets that do not match any of the loaded rules to be
287 283 logged.
288 284 .RE
289 285
290 286 .sp
291 287 .ne 2
292 288 .na
293 289 \fB\fB-n\fR\fR
294 290 .ad
295 291 .sp .6
296 292 .RS 4n
297 293 Prevents \fBipf\fR from making any ioctl calls or doing anything which would
298 294 alter the currently running kernel.
299 295 .RE
300 296
301 297 .sp
302 298 .ne 2
303 299 .na
304 300 \fB\fB-o\fR\fR
305 301 .ad
306 302 .sp .6
307 303 .RS 4n
308 304 Force rules by default to be added/deleted to/from the output list, rather than
309 305 the (default) input list.
310 306 .RE
311 307
312 308 .sp
313 309 .ne 2
314 310 .na
315 311 \fB\fB-P\fR\fR
316 312 .ad
317 313 .sp .6
318 314 .RS 4n
319 315 Add rules as temporary entries in the authentication rule table.
320 316 .RE
321 317
322 318 .sp
323 319 .ne 2
324 320 .na
325 321 \fB\fB-R\fR\fR
326 322 .ad
327 323 .sp .6
328 324 .RS 4n
329 325 Disable both IP address-to-hostname resolution and port number-to-service name
330 326 resolution.
331 327 .RE
332 328
333 329 .sp
334 330 .ne 2
335 331 .na
336 332 \fB\fB-r\fR\fR
337 333 .ad
338 334 .sp .6
339 335 .RS 4n
340 336 Remove matching filter rules rather than add them to the internal lists.
341 337 .RE
342 338
343 339 .sp
344 340 .ne 2
345 341 .na
346 342 \fB\fB-s\fR\fR
347 343 .ad
348 344 .sp .6
349 345 .RS 4n
350 346 Swap the currently active filter list to be an alternative list.
351 347 .RE
352 348
353 349 .sp
354 350 .ne 2
355 351 .na
356 352 \fB\fB-T\fR \fIoptionlist\fR\fR
357 353 .ad
358 354 .sp .6
359 355 .RS 4n
360 356 Allows run-time changing of IPFilter kernel variables. To allow for changing,
361 357 some variables require IPFilter to be in a disabled state (\fB-D\fR), others do
362 358 not. The \fIoptionlist\fR parameter is a comma-separated list of tuning
363 359 commands. A tuning command is one of the following:
364 360 .sp
365 361 .ne 2
366 362 .na
367 363 \fB\fBlist\fR\fR
368 364 .ad
369 365 .sp .6
370 366 .RS 4n
371 367 Retrieve a list of all variables in the kernel, their maximum, minimum, and
372 368 current value.
373 369 .RE
374 370
375 371 .sp
376 372 .ne 2
377 373 .na
378 374 \fBsingle variable name\fR
379 375 .ad
380 376 .sp .6
381 377 .RS 4n
382 378 Retrieve its current value.
383 379 .RE
384 380
385 381 .sp
386 382 .ne 2
387 383 .na
388 384 \fBvariable name with a following assignment\fR
389 385 .ad
390 386 .sp .6
391 387 .RS 4n
392 388 To set a new value.
393 389 .RE
394 390
395 391 Examples follow:
396 392 .sp
397 393 .in +2
398 394 .nf
399 395 # Print out all IPFilter kernel tunable parameters
400 396 ipf -T list
401 397
402 398 # Display the current TCP idle timeout and then set it to 3600
403 399 ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E
404 400
405 401 # Display current values for fr_pass and fr_chksrc, then set
406 402 # fr_chksrc to 1.
407 403 ipf -T fr_pass,fr_chksrc,fr_chksrc=1
408 404 .fi
409 405 .in -2
410 406 .sp
411 407
412 408 .RE
413 409
414 410 .sp
415 411 .ne 2
416 412 .na
417 413 \fB\fB-v\fR\fR
418 414 .ad
419 415 .sp .6
420 416 .RS 4n
421 417 Turn verbose mode on. Displays information relating to rule processing.
422 418 .RE
423 419
424 420 .sp
425 421 .ne 2
426 422 .na
427 423 \fB\fB-V\fR\fR
428 424 .ad
429 425 .sp .6
430 426 .RS 4n
431 427 Show version information. This will display the version information compiled
432 428 into the \fBipf\fR binary and retrieve it from the kernel code (if running or
433 429 present). If it is present in the kernel, information about its current state
434 430 will be displayed; for example, whether logging is active, default filtering,
435 431 and so forth).
436 432 .RE
437 433
438 434 .sp
439 435 .ne 2
440 436 .na
441 437 \fB\fB-y\fR\fR
442 438 .ad
443 439 .sp .6
444 440 .RS 4n
445 441 Manually resync the in-kernel interface list maintained by IP Filter with the
446 442 current interface status list.
447 443 .RE
448 444
449 445 .sp
450 446 .ne 2
451 447 .na
452 448 \fB\fB-z\fR\fR
453 449 .ad
454 450 .sp .6
455 451 .RS 4n
456 452 For each rule in the input file, reset the statistics for it to zero and
457 453 display the statistics prior to them being zeroed.
458 454 .RE
459 455
460 456 .sp
461 457 .ne 2
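Review bot: the `-V` description ends with an unmatched closing parenthesis (`default filtering, and so forth).`); either drop the `)` or open one before `for example`. That is a typo fix squarely in scope for this change. The `.LP` removal after `.SH OPTIONS` is fine for the same reason as the earlier ones.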
290 lines elided
462 458 .na
463 459 \fB\fB-Z\fR\fR
464 460 .ad
465 461 .sp .6
466 462 .RS 4n
467 463 Zero global statistics held in the kernel for filtering only. This does not
468 464 affect fragment or state statistics.
469 465 .RE
470 466
471 467 .SH ZONES
472 -.LP
473 468 Each non-global zone has two ipfilter instances: the in-zone ipfilter, which
474 469 can be controlled from both the zone itself and the global zone, and the
475 470 Global Zone-controlled (GZ-controlled) instance, which can only be controlled
476 471 from the Global Zone. The non-global zone is not able to observe or control
477 472 the GZ-controlled ipfilter.
478 473
479 474 ipf optionally takes a zone name as an argument, which will change the
480 475 ipfilter settings for that zone, rather than the current one. The zonename
481 476 option is only available in the Global Zone. Using it in any other zone will
482 477 return an error. If the \fB-G\fR option is specified with this argument, the
483 478 Global Zone-controlled ipfilter is operated on. If \fB-G\fR is not specified,
484 479 the in-zone ipfilter is operated on. Note that ipf differs from the other
485 480 ipfilter tools in how the zone name is specified. It takes the zone name as the
486 481 last argument, while all of the other tools take the zone name as an argument
487 482 to the \fB-G\fR and \fB-z\fR options.
488 483
489 484 .SH FILES
490 485 .ne 2
491 486 .na
492 487 \fB\fB/dev/ipauth\fR\fR
493 488 .ad
494 489 .br
495 490 .na
496 491 \fB\fB/dev/ipl\fR\fR
497 492 .ad
498 493 .br
499 494 .na
500 495 \fB\fB/dev/ipstate\fR\fR
501 496 .ad
502 497 .sp .6
503 498 .RS 4n
504 499 Links to IP Filter pseudo devices.
505 500 .RE
506 501
507 502 .sp
508 503 .ne 2
509 504 .na
510 505 \fB\fB/etc/ipf/ipf.conf\fR\fR
511 506 .ad
512 507 .sp .6
513 508 .RS 4n
514 509 Location of \fBipf\fR startup configuration file. See \fBipf\fR(4).
515 510 .RE
516 511
517 512 .sp
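Review bot: in the ZONES text the command name appears in plain roman (`ipf optionally takes a zone name`, `Note that ipf differs from the other ipfilter tools`) while the rest of the page sets it as `\fBipf\fR`; marking it bold here keeps the page consistent with DESCRIPTION and OPTIONS. The `.LP` removal after `.SH ZONES` is fine.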
35 lines elided
518 513 .ne 2
519 514 .na
520 515 \fB\fB/usr/share/ipfilter/examples/\fR\fR
521 516 .ad
522 517 .sp .6
523 518 .RS 4n
524 519 Contains numerous IP Filter examples.
525 520 .RE
526 521
527 522 .SH ATTRIBUTES
528 -.LP
529 523 See \fBattributes\fR(5) for descriptions of the following attributes:
530 524 .sp
531 525
532 526 .sp
533 527 .TS
534 528 box;
535 529 c | c
536 530 l | l .
537 531 ATTRIBUTE TYPE ATTRIBUTE VALUE
538 532 _
539 533 Interface Stability Committed
540 534 .TE
541 535
542 536 .SH SEE ALSO
543 -.LP
544 537 \fBipfstat\fR(1M), \fBipmon\fR(1M), \fBipnat\fR(1M), \fBippool\fR(1M),
545 538 \fBsvcadm\fR(1M), \fBsvc.ipfd\fR(1M), \fBipf\fR(4), \fBipnat\fR(4),
546 539 \fBippool\fR(4), \fBattributes\fR(5), \fBipfilter\fR(5), \fBzones(5)\fR
547 540 .sp
548 541 .LP
549 542 \fI\fR
550 543 .SH DIAGNOSTICS
551 -.LP
552 544 Needs to be run as root for the packet filtering lists to actually be affected
553 545 inside the kernel.
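Review bot: in SEE ALSO, `\fBzones(5)\fR` puts the section number inside the bold, unlike every other entry in the list (`\fBattributes\fR(5)`, `\fBipfilter\fR(5)`); it should read `\fBzones\fR(5)`. The `\fI\fR` line that follows the SEE ALSO list is an empty font change that renders nothing and can be dropped as part of this cleanup.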