IPFilter has several commands that can be used to log information, configure IPFilter, and perform other administrative functions. The following groups of commands are available:
ipf: reads in rules and appends them to the kernel's current list. See the ipf(4), ipf(5), and ipf(8) man pages for complete details.
ipfs: saves and restores information for NAT and state tables. See the ipfs(8) man page for details.
ipfstat: reports on packet filter statistics and filter lists. See the ipfstat(8) man page for details.
ipftest: tests packet filter rules. See the ipftest(1) man page for details.
ipl: gathers packet headers to log. See the ipl(4) man page for details.
ipmon: checks for logged packets. See the ipmon(8) man page for details.
ipnat: reads in rules and adds them to the kernel's current list of active NAT rules. See the ipnat(4), ipnat(5), and ipnat(8) man pages for details.
ipresend: resends IP packets out to the network. See the ipresend(1) man page for details.
ipsend: sends IP packets. See the ipsend(1) and ipsend(5) man pages for details.
mkfilters: generates a minimal ruleset for IPFilter. See the mkfilters(1) man page for details.
The iptest command is documented in the IPFilter Based Firewalls HOWTO but it is not available on IRIX systems.
See the IPFilter Based Firewalls HOWTO, available from http://www.obfuscation.org/ipf/, for detailed examples of command usage.
The following examples demonstrate the use of several IPFilter commands. Note that the output examples will be different from system to system.
The ipf command can be used to enable and disable filters, load rules files, and enable logging. It can also be used to display information about the currently activated system, as in this example:
% ipf -V
ipf: IPFilter: v3.4.27 (384)
Kernel: IPFilter: v3.4.27
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Example 3-2. Sample Rules File
Rules are stored in /etc/ipf.conf. The following is an example of a rules file.
block in on tun0
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 0.0.0.0/8 to any
block in quick on tun0 from 169.254.0.0/16 to any
block in quick on tun0 from 192.0.2.0/24 to any
block in quick on tun0 from 126.96.36.199/23 to any
block in quick on tun0 from 188.8.131.52/3 to any
block in log quick on tun0 from 184.108.40.206/24 to any
block in log quick on tun0 from any to 220.127.116.11/32
block in log quick on tun0 from any to 18.104.22.168/32
pass out quick on tun0 proto tcp/udp from 22.214.171.124/32 to any keep state
pass out quick on tun0 proto icmp from 126.96.36.199/32 to any keep state
Example 3-3. ipftest(1) Example
The ipftest command allows you to check a rules file offline by entering packet information from the keyboard or from an input file:
% ipftest -r /etc/ipf.conf
The following output appears:
opening rule file "/etc/ipf.conf"
in on ec0 xxx.xxx.xx.198, xxx.xxx.xx.224
input: in on ec0 xxx.xxx.xx.198, xxx.xxx.xx.224
pass ip 20(20) 0 255.255.255.255 > xxx.xxx.xx.224
Example 3-4. ipfstat(8) Example
The ipfstat command displays kernel statistics. Note that no output appears for any ipfstat command unless this command is issued by a privileged user.
The following output appears:
input packets: blocked 30 passed 1887 nomatch 159 counted 0 short 0
output packets: blocked 0 passed 449 nomatch 262 counted 0 short 0
input packets logged: blocked 30 passed 23
output packets logged: blocked 0 passed 22
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 2 lost 0
packet state(out): kept 0 lost 0
ICMP replies: 0 TCP RSTs sent: 1
Invalid source(in): 0
Result cache hits(in): 172 (out): 159
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 1 failures: 0
TCP cksum fails(in): 0 (out): 0
Packet log flags set: (0)
none
This command can also show the current rules:
% ipfstat -nio
The ipmon command logs packets to syslog or to another specified file. The logged packets are those which match rules that contain the log keyword or which match the decision type given when the ipf -l decision-type command is issued.
The /etc/init.d/ipf startup script starts ipmon in the background with the -sn options so that it logs to syslog. Only header information is logged unless ipmon has been invoked with the -b option and the rule specifies log body.
% tail /var/adm/SYSLOG
2136]: 16:00:00.062786 ef0 @0:2 b starfish.sgi.com[XX.XX.XX.224] -> seaweed.sgi.com[XX.XX.XX.198] PR icmp len 20 84 icmp echo/0 IN
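The following is an added example, not part of the original guide: a small Python parser that tallies blocked packets per rule and source from ipmon entries like the SYSLOG entry above. The field layout is an assumption inferred from that one sample entry, the action letters follow ipmon(8), and the function names and sample lines (documentation addresses) are constructed for illustration.

```python
import re
from collections import Counter

# Assumed layout, inferred from the sample SYSLOG entry on this page:
#   time iface @group:rule action src -> dst PR proto len hdrlen pktlen ... IN|OUT
IPMON_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+PR\s+(?P<proto>\S+)\s+"
    r"len\s+(?P<hdrlen>\d+)\s+(?P<pktlen>\d+)\b.*\s(?P<dir>IN|OUT)\s*$"
)
# Action letters as described in ipmon(8).
ACTIONS = {"b": "block", "p": "pass", "n": "nomatch", "S": "short", "L": "log"}

def parse_ipmon(line):
    """Return a dict of fields for one ipmon syslog line, or None if it is not one."""
    m = IPMON_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["action"] = ACTIONS.get(rec["action"], rec["action"])
    # The source is either host[addr] or addr,port; drop the port if present.
    rec["src_host"] = rec["src"].split(",")[0]
    return rec

def blocked_by_rule(lines):
    """Count blocked packets per (group:rule, source host)."""
    hits = Counter()
    for line in lines:
        rec = parse_ipmon(line)
        if rec and rec["action"] == "block":
            hits[(f'{rec["group"]}:{rec["rule"]}', rec["src_host"])] += 1
    return hits

# Constructed sample lines (documentation addresses), modelled on the page's entry.
SAMPLE = [
    "Jan  1 16:00:00 gw ipmon[2136]: 16:00:00.062786 ef0 @0:2 b 192.0.2.10 -> 198.51.100.5 PR icmp len 20 84 icmp echo/0 IN",
    "Jan  1 16:00:01 gw ipmon[2136]: 16:00:01.100200 ef0 @0:2 b 192.0.2.10 -> 198.51.100.5 PR icmp len 20 84 icmp echo/0 IN",
    "Jan  1 16:00:02 gw ipmon[2136]: 16:00:02.500000 ef0 @0:5 p 198.51.100.5,1025 -> 203.0.113.7,80 PR tcp len 20 60 -S OUT",
    "Jan  1 16:00:03 gw sshd[411]: unrelated syslog line",
]

if __name__ == "__main__":
    for (rule, src), n in blocked_by_rule(SAMPLE).most_common():
        print(f"rule @{rule} blocked {n} packet(s) from {src}")
```

The group:rule pair in each tally identifies the rule that matched, which helps when reviewing which log rules in /etc/ipf.conf are producing entries.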