ipf(1M)

NAME
ipf - loads and manages filter rules for HP-UX IPFilter, and enables or
disables Dynamic Connection Allocation (DCA) mode
SYNOPSIS

DESCRIPTION
ipf opens the specified filenames and parses them for filter rules that
are to be added to or removed from the IPFilter ruleset. Running ipf
without any command line options, or with only the verbose option, shows
the usage information.
Each rule processed by ipf is added to the kernel's internal lists (rule‐
sets) if there are no parsing problems. Rules are added to the end of
the internal lists, in the order in which ipf reads them.
OPTIONS
Parse and load IPv6 filter rules (the -6 option).
You must specify this option if the input file contains IPv6
filter rules. An input file must contain either IPv6 or IPv4
rules; it cannot contain a mix of IPv6 and IPv4 rules, so IPv4
and IPv6 rules are loaded from separate files in separate ipf
invocations. To use this option, insert it immediately after the
ipf command and before any other options.
Set the list to make changes to the active list (default).
Turn debug mode on. Causes a hexdump of each filter rule to be generated
as ipf processes it.
Flush the specified type of filter rule: input rules, output rules,
or all filter rules. Either a single letter or an entire word
starting with the appropriate letter may be used. This option may
be placed before or after any other option; options are executed
in the order in which they appear on the command line. If you
specify this option with the -6 option, it affects the IPv6
rulesets; if you specify it without the -6 option, it affects the
IPv4 rulesets.
Flush entries from the state table. This option is used in
conjunction with one of two qualifiers: one removes state
information about any connection that is not fully established,
the other deletes the entire state table. Only one of the two
qualifiers may be given. A fully established connection can be
recognised in ipfstat -s output by its state value; other values
indicate a connection that is not fully established. The -6
option is not needed with this option, because this option alone
removes state information for both IPv4 and IPv6 connections.
This option specifies input files that contain filter rules.
ipf can also read rules produced by another command. For example,
the ipfstat(1M) command outputs parseable rules when displaying
rulesets, which you can use as input to ipf: piping the inbound
rules printed by ipfstat into ipf together with the option that
removes matching rules removes all filters on input packets.
Set the list to make changes to the inactive list. If you specify this
option with the -6 option, it affects the IPv6 ruleset; if you
specify it without the -6 option, it affects the IPv4 ruleset.
Toggles the default logging of packets. Each valid parameter names a
category of packets; when it is set, any packet which exits
filtering and matches that category is logged. The most commonly
used setting logs packets that do not match any of the active
rules.
Enable or disable Dynamic Connection Allocation (DCA) mode.
DCA mode is disabled by default. The default can be changed at
system startup time by setting the corresponding flag in the
startup configuration file. The qualifiers for this option query
the current state, enable DCA, disable DCA, or toggle the DCA
mode. DCA mode must be enabled for rules that depend on it to
work. The -6 option is not needed with this option, because this
option alone enables or disables DCA mode for both the IPv4 and
IPv6 rulesets.
These options require an interface name as a qualifier.
The -D option disables and the -E option enables IPFilter pro‐
cessing for the specified interface. The -Q option queries
whether processing is enabled or disabled for the specified
interface. The -D option can be used to improve IPFilter
performance but must be used with caution: packets on a disabled
interface are not processed by IPFilter at all, so incorrect use
of this option will lead to undesirable consequences.
The -D option can be used on an intermediate node with DCA mode
enabled. DCA works without disabling any interface, but dis‐
abling one of the interfaces when IPFilter is running on an
intermediate system improves performance because the net‐
working traffic is processed only once (i.e. on the incoming
or the outgoing interface, depending on which one is disabled).
Never use the -D option when using IPFilter as a firewall.
If you specify -D with the -6 option, it disables IPv6
IPFilter processing; if you specify it without the -6 option,
it disables IPv4 IPFilter processing.
This flag (no-change) prevents ipf from making any ioctl calls or
doing anything that alters the currently running kernel.
Force rules by default to be added to or deleted from the output list,
rather than the (default) input list.
Add rules as temporary entries in the authentication rule table.
Remove matching filter rules rather than adding them to the internal lists.
Swap the active and inactive filter rule sets. If specified with the
-6 option, swaps the IPv6 active and inactive filter rule sets. If
specified without the -6 option, swaps the IPv4 active and
inactive filter rule sets.
Enable verbose mode. Displays information relating to rule processing.
If this is the only option specified, ipf displays usage informa‐
tion.
Display version information. This displays the version from the
binary and from the kernel module (if running/present). If
IPFilter is present in the kernel, information about its current
state is also displayed (whether logging is active, default
filtering, etc.).
Manually resync the in-kernel interface list maintained by IPFilter
with the current interface status list.
For each rule in the input file, reset statistics to zero and
display the statistics prior to them being zeroed.
Zeroes global statistics held in the kernel for filtering only (this
does not affect fragment or state statistics).
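EXAMPLES
The following script is an added example; it is not part of this manual
page or of the HP-UX IPFilter distribution. It combines the options above
into a reload sequence that never leaves the kernel with a half-loaded
ruleset: the file is parsed with -n first (no kernel change), the inactive
list is flushed with -I -Fa, the new rules are loaded into it with -I -f,
and -s swaps the inactive and active lists in one step. Because an input
file may contain either IPv4 or IPv6 rules but not both, the script first
classifies the file by the address literals it contains and adds -6 for an
IPv6 file; that classification is a heuristic assumed by this example, not
an ipf feature, and it refuses a mixed file. The rule files are constructed
sample data, the interface name lan0 and the function names are the
example's own, and the ipf commands are executed only where an ipf binary
is present (they are printed otherwise).

```shell
#!/bin/sh
# Added example, not from ipf(1M) or HP-UX IPFilter. Builds (and, where ipf
# exists, runs) the command sequence for an atomic ruleset reload:
#   ipf [-6] -n -f FILE    parse only, no kernel change
#   ipf [-6] -I -Fa        flush the inactive list
#   ipf [-6] -I -f FILE    load the new rules into the inactive list
#   ipf [-6] -s            swap the inactive and active lists
# The address-family check below is a heuristic assumed by this example.

# Constructed sample rule files: one IPv4, one IPv6, and a concatenation
# of both that violates the one-family-per-file rule. lan0 is a made-up
# interface name.
write_samples() {
    cat > "$1" <<'EOF'
# IPv4 sample (constructed)
block in all
pass in quick on lan0 proto tcp from 10.0.0.0/8 to 10.0.1.5/32 port = 22 flags S keep state
pass out quick on lan0 all keep state
EOF
    cat > "$2" <<'EOF'
# IPv6 sample (constructed)
block in all
pass in quick on lan0 proto tcp from 2001:db8::/32 to 2001:db8::5/128 port = 22 flags S keep state
pass out quick on lan0 all keep state
EOF
    cat "$1" "$2" > "$3"
}

# Classify a rules file as inet, inet6, mixed or none (no literal addresses,
# e.g. rules using only 'any'/'all'). Comments are ignored. Heuristic:
# dotted quads mean IPv4, two or more colon-separated hex groups mean IPv6.
rule_family() {
    rules=$(grep -v '^[[:space:]]*#' "$1" || true)
    v4=$(printf '%s\n' "$rules" | grep -Ec '([0-9]{1,3}\.){3}[0-9]{1,3}' || true)
    v6=$(printf '%s\n' "$rules" | grep -Ec '[0-9a-fA-F]{0,4}:[0-9a-fA-F]{0,4}:[0-9a-fA-F:]*' || true)
    if [ "$v4" -gt 0 ] && [ "$v6" -gt 0 ]; then echo mixed
    elif [ "$v4" -gt 0 ]; then echo inet
    elif [ "$v6" -gt 0 ]; then echo inet6
    else echo none
    fi
}

# Print the ipf command lines for an atomic reload of FILE, one per line.
# -6 is inserted directly after the command name, as ipf(1M) requires.
# Fails without printing anything on a file that mixes address families.
reload_cmds() {
    file=$1
    case $(rule_family "$file") in
        inet6) af="-6 " ;;
        inet|none) af="" ;;
        mixed) echo "error: $file mixes IPv4 and IPv6 rules; split it" >&2; return 1 ;;
    esac
    printf 'ipf %s-n -f %s\n' "$af" "$file"
    printf 'ipf %s-I -Fa\n' "$af"
    printf 'ipf %s-I -f %s\n' "$af" "$file"
    printf 'ipf %s-s\n' "$af"
}

# Execute the sequence, stopping at the first failing step so that a
# syntax error in the new file leaves the active ruleset untouched.
# Without an ipf binary (e.g. off the HP-UX host) the steps are only printed.
apply_reload() {
    reload_cmds "$1" | while IFS= read -r cmd; do
        if command -v ipf >/dev/null 2>&1; then
            $cmd || { echo "failed: $cmd" >&2; exit 1; }
        else
            echo "dry-run (ipf not installed): $cmd"
        fi
    done
}
```

Run as "sh reload.sh" after defining the files with write_samples, or call
apply_reload with your own rules file. The swap with -s is what makes the
change atomic: until it runs, the active list is the old ruleset, and a
parse failure in the -n step aborts before anything is flushed.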
FILES

SEE ALSO
ipftest(1M), mkfilters(1M), ipl(7), ipf(4), ipfstat(1M), ipmon(1M)

DIAGNOSTICS
You must have superuser or equivalent capabilities to modify the active
(kernel-resident) ruleset.
AUTHOR
IPFilter was originally developed by Darren Reed. This HP-UX
enhanced version of IPFilter is based on the open source version
3.5 Alpha 5.