Chapter 3. IPFilter Commands and Tools

IPFilter has several commands that can be used to log information, configure IPFilter, and perform other administrative functions. The following groups of commands are available:

The iptest command is documented in the IPFilter Based Firewalls HOWTO but it is not available on IRIX systems.

See the IPFilter Based Firewalls HOWTO, available from http://www.obfuscation.org/ipf/ , for detailed examples of command usage.

Examples of Use

The following examples demonstrate the use of several IPFilter commands. Note that the output examples will be different from system to system.

Example 3-1. ipf(8) Example

The ipf command can be used to enable and disable filters, load rules files, and enable logging. It can also be used to display information about the currently activated system, as in this example:

% ipf -V
ipf: IPFilter: v3.4.27 (384)
Kernel: IPFilter: v3.4.27
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0


Example 3-2. Sample Rules File

Rules are stored in /etc/ipf.conf. The following is an example of a rules file.

block in           on tun0
block in     quick on tun0 from 192.168.0.0/16 to any
block in     quick on tun0 from 172.16.0.0/12 to any
block in     quick on tun0 from 10.0.0.0/8 to any
block in     quick on tun0 from 127.0.0.0/8 to any
block in     quick on tun0 from 0.0.0.0/8 to any
block in     quick on tun0 from 169.254.0.0/16 to any
block in     quick on tun0 from 192.0.2.0/24 to any
block in     quick on tun0 from 204.152.64.0/23 to any
block in     quick on tun0 from 224.0.0.0/3 to any
block in log quick on tun0 from 20.20.20.0/24 to any
block in log quick on tun0 from any to 20.20.20.0/32
block in log quick on tun0 from any to 20.20.20.255/32
pass  out quick on tun0 proto tcp/udp from 20.20.20.1/32 to any keep state
pass  out quick on tun0 proto icmp    from 20.20.20.1/32 to any keep state


Example 3-3. ipftest(1) Example

The ipftest command allows you to check a rules file offline by entering packet information from the keyboard or from an input file:

% ipftest -r /etc/ipf.conf

The following output appears:

opening rule file "/etc/ipf.conf"
in on ec0 xxx.xxx.xx.198, xxx.xxx.xx.224
input: in on ec0 xxx.xxx.xx.198, xxx.xxx.xx.224
pass ip 20(20) 0 255.255.255.255 > xxx.xxx.xx.224
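The ipftest output above shows the verdict for one packet; the rule of IPFilter that explains such verdicts is that every rule in the list is examined and the last matching rule wins, unless a matching rule carries the quick keyword, which ends the search at once. The following added example (not part of the original page or of IPFilter itself) evaluates packets against an abbreviated, constructed copy of the Example 3-2 ruleset with exactly those semantics; it is a simplified model and understands only the action, direction, log, quick, on, proto and from/to fields.

```python
import ipaddress

# Constructed, abbreviated copy of the Example 3-2 ruleset; the matcher
# below understands only action, direction, log, quick, on, proto, from/to.
RULES = """\
block in           on tun0
block in     quick on tun0 from 192.168.0.0/16 to any
block in     quick on tun0 from 10.0.0.0/8 to any
block in log quick on tun0 from 20.20.20.0/24 to any
block in log quick on tun0 from any to 20.20.20.255/32
pass  out quick on tun0 proto tcp/udp from 20.20.20.1/32 to any keep state
"""

def parse_rule(line):
    """Turn one ipf.conf line into a dict of match fields."""
    t = line.split()
    r = {"action": t[0], "dir": t[1], "log": "log" in t, "quick": "quick" in t,
         "iface": t[t.index("on") + 1], "proto": None, "src": "any", "dst": "any"}
    if "proto" in t:                       # e.g. tcp/udp -> ["tcp", "udp"]
        r["proto"] = t[t.index("proto") + 1].split("/")
    if "from" in t:
        r["src"] = t[t.index("from") + 1]
        r["dst"] = t[t.index("to") + 1]
    return r

def parse_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(rules, direction, iface, proto, src, dst):
    """Return (action, logged) for one packet: the whole list is walked and
    the LAST match wins, unless a matching rule says 'quick', which stops
    the walk. No match at all falls through to the default policy, which
    'ipf -V' reported above as 'pass all'."""
    action, logged = "pass", False
    for r in rules:
        if r["dir"] != direction or r["iface"] != iface:
            continue
        if r["proto"] is not None and proto not in r["proto"]:
            continue
        if not (in_net(src, r["src"]) and in_net(dst, r["dst"])):
            continue
        action, logged = r["action"], r["log"]
        if r["quick"]:
            break
    return action, logged
```

For instance, an inbound packet on tun0 from 10.1.2.3 to 20.20.20.255 is blocked but not logged, because the quick rule for 10.0.0.0/8 stops the search before the logging rule for 20.20.20.255 is reached.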


Example 3-4. ipfstat(8) Example

The ipfstat command displays kernel statistics. Note that no output appears for any ipfstat command unless this command is issued by a privileged user.

% ipfstat

The following output appears:

input packets:    blocked 30 passed 1887 nomatch 159 counted 0 short 0
output packets:   blocked 0 passed 449 nomatch 262 counted 0 short 0
input packets logged:  blocked 30 passed 23
output packets logged: blocked 0 passed 22
packets logged:        input 0 output 0
log failures:          input 0 output 0
fragment state(in):    kept 0  lost 0
fragment state(out):   kept 0  lost 0
packet state(in):      kept 2  lost 0
packet state(out):     kept 0  lost 0
ICMP replies:   0      TCP RSTs sent:  1
Invalid source(in):    0
Result cache hits(in): 172     (out):  159
IN Pullups succeeded:  0       failed: 0
OUT Pullups succeeded: 0       failed: 0
Fastroute successes:   1       failures:       0
TCP cksum fails(in):   0       (out):  0
Packet log flags set: (0)
        none

This command can also show the current rules:

% ipfstat -nio


Example 3-5. ipmon(8) Example

The ipmon command logs packets to syslog or to another specified file. The logged packets are those which match rules that contain the log keyword or which match the decision type given when the ipf -l decision-type command is issued.

The /etc/init.d/ipf startup script starts ipmon in the background with the -sn options so that it logs to syslog. Only packet header information is logged unless ipmon was invoked with the -b option and the matching rule specifies log body.

% tail /var/adm/SYSLOG
2136]: 16:00:00.062786 ef0 @0:2 b starfish.sgi.com[XX.XX.XX.224] -> 
seaweed.sgi.com[XX.XX.XX.198] PR icmp len 20 84 icmp echo/0 IN