The ipf Utility

Syntax

ipf <-options> <rules file name>

Options

The following are a few of the common options used with the ipf utility:

-s

Switches the active rules file with the inactive rules file.

-Fa

Flushes all rules in the specified rules file.

-Fi

Flushes only the IN rules in the specified rules file.

-Fo

Flushes only the OUT rules in the specified rules file.

-I

Specifies that the inactive rules file is to be manipulated.

-Z

Zeroes out the TCP Connections counters displayed in the ipfstat output.

-m <d|e|q|t>

Disables or enables DCA mode, queries the DCA mode, or toggles DCA between being enabled or disabled by using the following options:

When there are no keep limit rules and there is no connection allocation, disable DCA. See “DCA Mode ” for more information about how to disable, enable, query, or toggle DCA.

-E <interface name>

Enables IPFilter processing for traffic on a given interface.

-D <interface name>

Disables IPFilter processing for traffic on a given interface.

-Q <interface name>

Verifies that IPFilter processing is enabled or disabled for a given interface.

The -E, -D, and -Q commands let you control IPFilter processing on a given interface. For example, ipf -D lan0 disables IPFilter processing for traffic on lan0 and ipf -E lan0 enables IPFilter processing on lan0. ipf -Q lan0 is used to verify if IPFilter processing is enabled or disabled for lan0.

	NOTE: All ipf actions are performed on the active rules file by default. To perform actions on the inactive rules file, you must specify the -I option.

For a complete list of ipf options and their uses, refer to the ipf(5) and ipf(8) manpages.

Example

Enter the following command to load a ruleset:

ipf -Fa -f <rules file>