IPF(8)                  OpenBSD System Manager's Manual                 IPF(8)

NAME
     ipf - manage IP packet filtering and firewalling rules



SYNOPSIS
     ipf [-AdDEInorsUvyzZ] [-l category] [-F list] [-F table] [-f filename]

DESCRIPTION
     The ipf utility allows the insertion and removal of TCP/IP packet filter-
     ing and firewalling rules.  ipf can be used for anything from very simple
     tasks (i.e., preventing a host from replying to ping packets), to in-
     stalling complex rulesets for a firewall to to protect an entire network.

     Based on the specified rules, ipf can explicitly deny/permit any inbound
     or outbound packet on any interface, filter by IP networks or hosts, se-
     lectively filter packets by protocol and/or protocol options, keep packet
     state information for TCP, UDP, and ICMP packet flows, track fragment
     state information for IP packets (applying the same rules to all frag-
     ments), and much more.

     ipf provides special capabilities for the most common Internet protocols.
     Both TCP and UDP packets may be filtered by port number or port range, or
     ICMP packets by type/code. Rules may filter packets on any arbitrary com-
     bination of TCP flags, IP options, IP security classes, or Type of Ser-
     vice (TOS).  ipf also supports inverted host/net matching.

     To get started, follow these steps:

           1.   Edit /etc/rc.conf and set ipfilter=YES. This will cause ipf to
                install the ruleset specified in /etc/ipf.rules each time the
                system is booted.

           2.   Check that the kernel has been compiled with option IPFILTER
                (see options(4)).  Refer to afterboot(8) for further instruc-
                tions on compiling a custom kernel.

           3.   Edit /etc/sysctl.conf and set net.inet.ip.forwarding=1 if this
                machine is to act as a firewall that also routes traffic or
                does Network Address Translation (NAT).

     Once these steps are complete a rule file may be created. A very simple
     rule file might contain the following:

           pass in from any to any
           pass out from any to any

     Here we're passing all packets and not doing any filtering. This is a
     recommended starting point since it allows the current configuration to
     be tested before formulating and installing a more restrictive ruleset.
     For example, the following:

           block in on we0 proto tcp from foo/32 to any

     This would block all incoming TCP packets on interface ``we0'' from host
     ``foo'' to any internal destination. If this file is /etc/ipf.rules (the
     default location), the following command will flush the kernel's current
     ruleset, install the new ruleset, and enable (-E) ipf:

           ipf -Fa -f /etc/ipf.rules -E

     (This is the exact command executed by the /etc/rc script at boot-time if
     ipfilter=YES in /etc/rc.conf.)

     Please see ipf(5) for a complete description of the ipf rules file format
     and the example files in /usr/share/ipf.

     In addition to ``active'' rulesets (those installed into the kernel which
     dictate the current filtering policies), ipf can maintain a separate
     ``inactive'' ruleset simultaneously. Inactive rulesets are useful for de-
     bugging pending or proposed changes to the active ruleset (see -I option
     below).

     The following options are available:

     -A      Apply changes to the active ruleset. This is the default.

     -I      Apply changes to the inactive ruleset.

     -D      Disable the filter (if enabled).

     -E      Enable the filter (if disabled).

     -F list
             Flush filter lists.  list is one of `i' (input rules), `o' (out-
             put rules), or `a' (all filtering rules).

     -F table
             Flush entries from state tables. If table is `s', ipf removes any
             state information about connections that are non-fully estab-
             lished.  If `S', ipf removes the entire state table. Only one of
             the two options may be specified.  A fully established connection
             will appear in ipfstat -s output as ``4/4''; any deviations indi-
             cate a connection that has not completed the three-way handshake.

     -d      Enable debug mode. Causes a hexdump of filter rules to be gener-
             ated as it processes each one.

     -f filename
             Read, parse, and process the ipf rules contained in filename. If
             filename is `-', ipf reads from the standard input.  All valid
             rules are installed into the kernel's internal rule list using
             the interface described by ipf(4).  Blank lines and lines begin-
             ning with `#' (comments) are ignored.

     -l category
             Packet logging.  category is one of pass, block, or nomatch. Any
             packet which exits filtering and matches the set category is
             logged. This is useful for causing all packets which don't match
             any of the loaded rules to be logged.

     -n      No change. Prevent ipf from actually changing the state of the
             in-kernel filtering configuration.

     -o      Force rules to be added/deleted to/from the output list rather
             than the (default) input list.

     -s      Swap the active and inactive rulesets.

     -r      Remove matching filter rules rather than add them to the in-ker-
             nel lists.

     -v      Enable verbose mode.  ipf will echo each of the successfully pro-
             cessed rules to the standard output. The original rule and any
             error messages that result will be echoed to standard error.

     -y      Force ipf to synchronize the IP filter's in-kernel network inter-
             face list with the current system interface list. In particular,
             if an interface's IP address changes (i.e., due to a DHCP opera-


             tion), ipf must be executed with this option.

     -z      For each rule in the input file, display its statistics, then re-
             set them to 0.

     -Z      Globally reset all in-kernel filtering statistics to 0 (does not
             affect fragment or state statistics).

EXAMPLES
     To flush all in-kernel filtering lists, install the ruleset contained in
     /etc/ipf.rules into the active list, and enable IP filtering:

           ipf -A -Fa -f /etc/ipf.rules -E

     It is advisable to work with an inactive filtering list before commiting
     new rules to the active in-kernel filtering list. To load a ruleset into
     the inactive list:

           ipf -I -Fa -f /etc/ipf.rules

     The verbose (-v) option is useful for verifying that rules are being pro-
     cessed as expected and is often used in conjunction with the inactive
     (-I) ruleset:

           ipf -I -Fa -vf /etc/ipf.rules

     After the inactive ruleset has been tested and seems to be processed cor-
     rectly, use the -s option to swap it with the active ruleset so that it
     represents the new filtering policy for the system:

           ipf -s

     Consider a system manager who administers ipf remotely and has made
     changes to the /etc/ipf.rules file on the remote system. The following
     command sequence is noteworthy:

           ipf -I -Fa -f /etc/ipf.rules
           ipf -s; sleep 10; ipf -s

     The first command installs the new ruleset into the inactive filtering
     list.  The second command first swaps the inactive (new) rules with the
     active (old) rules. After entering the second command, type some charac-
     ters. If the characters are echoed the new ruleset is possibly valid. If
     not, within 10 seconds the old ruleset will be re-installed. This trick
     is useful for minimizing service disruptions.

NOTES
     Rules are checked in the order they are specified. The last matching rule
     wins, except when the ``quick'' keyword is present (see ipf(5)).

     Note that -Fa does not affect the state table. To view the current state
     table, use the ipfstat(8) program:

           ipfstat -s

     To remove all active state entries:

           ipf -FS

FILES
     /usr/share/ipf/example.*  sample rule files
     /dev/ipfauth              ipf authentication socket
     /dev/ipl                  ipf logging socket
     /dev/ipstate              ipf state socket

SEE ALSO
     ipf(4),  ipl(4),  ipnat(4),  ipf(5),  ipfstat(8),  ipftest(8),  ipmon(8),
      ipnat(8)

     http://coombs.anu.edu.au/~avalon



OpenBSD 2.6                      July 7, 1999                                4