NAME
     ipf - alters packet filtering lists for IP packet input and output

SYNOPSIS
     ipf [ -6AcdDEInoPrsvVyzZ ] [ -l <block|pass|nomatch> ] [ -T <optionlist> ]
         [ -F <i|o|a|s|S> ] -f <filename> [ -f <filename> [...] ]
DESCRIPTION
     ipf opens the filenames listed (treating "-" as stdin) and parses each
     file for a set of rules which are to be added to or removed from the
     packet filter rule set.

     Each rule processed by ipf is added to the kernel's internal lists if
     there are no parsing problems. Rules are added to the end of the
     internal lists, matching the order in which they appear when given to
     ipf.
OPTIONS
     -6      This option is required to parse IPv6 rules and to have them
             loaded.

     -A      Set the list to make changes to the active list (default).

     -c <language>
             This option causes ipf to generate output files for a compiler
             that supports that language. At present, the only target
             language supported is C (-cc), for which two files, ip_rules.c
             and ip_rules.h, are generated in the current directory when ipf
             is run. These files can be used with the IPFILTER_COMPILED
             kernel option to build filter rules statically into the kernel.

     -d      Turn debug mode on. Causes a hexdump of each filter rule to be
             generated as it is processed.

     -D      Disable the filter (if enabled). Not effective for loadable
             kernel versions.

     -E      Enable the filter (if disabled). Not effective for loadable
             kernel versions.

     -F <i|o|a>
             This option specifies which filter list to flush. The parameter
             should be either "i" (input), "o" (output) or "a" (remove all
             filter rules). Either a single letter or an entire word starting
             with the appropriate letter may be used. This option may be
             placed before or after any other; options are executed in the
             order in which they appear on the command line.

     -F <s|S>
             To flush entries from the state table, the -F option is used in
             conjunction with either "s" (removes state information about
             any non-fully established connections) or "S" (deletes the
             entire state table). Only one of the two may be given. A fully
             established connection shows up in ipfstat -s output as 5/5; a
             deviation either way indicates it is no longer fully
             established.

     -F <5|6|7|8|9|10|11>
             For the TCP states in which the closing of a connection has
             begun, whether from one side only or from both, those state
             entries can be flushed directly by giving the number
             corresponding to the state. The numbers relate to the states as
             follows: 5 = close-wait, 6 = fin-wait-1, 7 = closing,
             8 = last-ack, 9 = fin-wait-2, 10 = time-wait, 11 = closed.

     -F <number>
             If the argument supplied to -F is greater than 30, state table
             entries that have been idle for more than that many seconds are
             flushed.

     -f <filename>
             This option specifies which files ipf should read input from
             when modifying the packet filter rule lists.

     -I      Set the list to make changes to the inactive list.

     -l <block|pass|nomatch|none|state|nat>
             Use of the -l flag toggles default logging of packets. Valid
             arguments to this option are pass, block, nomatch, none, state,
             and nat. When an option is set, any packet which exits
             filtering and matches the set category is logged. This is most
             useful for causing all packets which don't match any of the
             loaded rules to be logged.

     -n      This flag (no-change) prevents ipf from actually making any
             ioctl calls or doing anything which would alter the currently
             running kernel.

     -o      Force rules by default to be added to or deleted from the
             output list, rather than the (default) input list.

     -P      Add rules as temporary entries in the authentication rule
             table.

     -r      Remove matching filter rules rather than adding them to the
             internal lists.

     -s      Swap the active filter list in use to be the "other" one.

     -T <optionlist>
             This option allows run-time changing of IPFilter kernel
             variables. Some variables require IPFilter to be in a disabled
             state (-D) for changing; others do not. The optionlist
             parameter is a comma-separated list of tuning commands. A tuning
             command is either "list" (retrieve a list of all variables in
             the kernel, with their maximum, minimum and current values), a
             single variable name (retrieve its current value), or a variable
             name followed by an assignment to set a new value. Some examples
             follow.

             # Print out all IPFilter kernel tunable parameters
             ipf -T list
             # Display the current TCP idle timeout and then set it to 3600
             ipf -D -T fr_tcpidletimeout,fr_tcpidletimeout=3600 -E
             # Display current values for fr_pass and fr_chksrc, then set fr_chksrc to 1.
             ipf -T fr_pass,fr_chksrc,fr_chksrc=1

     -v      Turn verbose mode on. Displays information relating to rule
             processing.

     -V      Show version information. This will display the version
             information compiled into the ipf binary and retrieve it from
             the kernel code (if running/present). If it is present in the
             kernel, information about its current state will be displayed
             (whether logging is active, default filtering, etc).

     -y      Manually resync the in-kernel interface list maintained by IP
             Filter with the current interface status list.

     -z      For each rule in the input file, reset its statistics to zero
             and display the statistics prior to them being zeroed.

     -Z      Zero global statistics held in the kernel for filtering only
             (this doesn't affect fragment or state statistics).
FILES
     /dev/ipauth
     /dev/ipl
     /dev/ipstate
SEE ALSO
     ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8),
     ipnat(8)
DIAGNOSTICS
     Needs to be run as root for the packet filtering lists to actually be
     affected inside the kernel.
BUGS
     If you find any, please send email to me at darrenr@pobox.com