FreeBSD 7.0 manual page repository

FreeBSD is a free computer operating system based on BSD UNIX originally. Many IT companies, like DeployIS is using it to provide an up-to-date, stable operating system.

ipftest - test packet filter rules with arbitrary input.

 

NAME

        ipftest - test packet filter rules with arbitrary input.
 

SYNOPSIS

        ipftest  [  -6bCdDoRvx  ]  [  -F  input-format ] [ -i <filename> ] [ -I
        interface ] [ -l <filename> ] [ -N <filename> ] [ -P <filename> ] [  -r
        <filename> ] [ -S <ip_address> ] [ -T <optionlist> ]
 

DESCRIPTION

        ipftest is provided for the purpose of being able to test a set of fil‐
        ter rules without having to put them in place, in operation and proceed
        to  test  their effectiveness.  The hope is that this minimises disrup‐
        tions in providing a secure IP environment.
 
        ipftest will parse any standard ruleset for use with ipf, ipnat  and/or
        ippool  and  apply  input, returning output as to the result.  However,
        ipftest will return one of three values for packets passed through  the
        filter:  pass, block or nomatch.  This is intended to give the operator
        a better idea of what is happening with packets passing  through  their
        filter ruleset.
 
        At least one of -N, -P or -r must be specified.
 

OPTIONS

        -6     Use IPv6.
 
        -b     Cause  the output to be a brief summary (one-word) of the result
               of passing the packet through the filter; either "pass", "block"
               or "nomatch".  This is used in the regression testing.
 
        -C     Force  the  checksums to be (re)calculated for all packets being
               input into ipftest.  This may be necessary if  pcap  files  from
               tcpdump  are  being  fed  in  where  there are partial checksums
               present due to hardware offloading.
 
        -d     Turn on filter rule debugging.  Currently, this only  shows  you
               what  caused  the  rule  to  not match in the IP header checking
               (addresses/netmasks, etc).
 
        -D     Dump internal tables before exiting.   This  excludes  log  mes‐
               sages.
 
        -F     This  option is used to select which input format the input file
               is in.  The following formats  are  available:  etherfind,  hex,
               pcap, snoop, tcpdump,text.
 
               etherfind
                      The  input file is to be text output from etherfind.  The
                      text formats which  are  currently  supported  are  those
                      which result from the following etherfind option combina‐
                      tions:
 
                         etherfind -n
                         etherfind -n -t
 
               hex    The input file is to  be  hex  digits,  representing  the
                      binary  makeup  of  the  packet.  No length correction is
                      made, if an incorrect length is put in the IP header.   A
                      packet may be broken up over several lines of hex digits,
                      a blank line indicating the end of  the  packet.   It  is
                      possible to specify both the interface name and direction
                      of the packet (for filtering purposes) at  the  start  of
                      the  line  using  this  format: [direction,interface]  To
                      define a packet going in on le0, we would use [in,le0]  -
                      the []’s are required and part of the input syntax.
 
               pcap  The  input  file specified by -i is a binary file produced
                      using libpcap (i.e., tcpdump  version  3).   Packets  are
                      read  from  this file as being input (for rule purposes).
                      An interface maybe specified using -I.
 
               snoop  The input file is to be in "snoop" format (see RFC 1761).
                      Packets  are  read  from this file and used as input from
                      any interface.  This is perhaps  the  most  useful  input
                      type, currently.
 
               tcpdump
                      The  input  file  is to be text output from tcpdump.  The
                      text formats which  are  currently  supported  are  those
                      which  result  from the following tcpdump option combina‐
                      tions:
 
                         tcpdump -n
                         tcpdump -nq
                         tcpdump -nqt
                         tcpdump -nqtt
                         tcpdump -nqte
 
               text   The input file is in ipftest text input format.  This  is
                      the  default  if no -F argument is specified.  The format
                      used is as follows:
                           "in"|"out" "on" if ["tcp"|"udp"|"icmp"]
                                srchost[,srcport] dsthost[,destport] [FSRPAU]
 
               This allows for a packet going "in" or  "out"  of  an  interface
               (if)  to  be  generated,  being  one of the three main protocols
               (optionally), and if either TCP or UDP, a port parameter is also
               expected.   If  TCP  is selected, it is possible to (optionally)
               supply TCP flags at the end.  Some examples are:
                    # a UDP packet coming in on le0
                    in on le0 udp 10.1.1.1,2210 10.2.1.5,23
                    # an IP packet coming in on le0 from localhost - hmm :)
                    in on le0 localhost 10.4.12.1
                    # a TCP packet going out of le0 with the SYN flag set.
                    out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S
 
        -i <filename>
               Specify the filename from  which  to  take  input.   Default  is
               stdin.
 
        -I <interface>
               Set  the  interface  name (used in rule matching) to be the name
               supplied.  This is useful where it is not otherwise possible  to
               associate a packet with an interface.  Normal "text packets" can
               override this setting.
 
        -l <filename>
               Dump log messages generated  during  testing  to  the  specified
               file.
 
        -N <filename>
               Specify  the  filename  from which to read NAT rules in ipnat(5)
               format.
 
        -o     Save output packets that would have been written to each  inter‐
               face in a file /tmp/interface_name in raw format.
 
        -P <filename>
               Read  IP pool configuration information in ippool(5) format from
               the specified file.
 
        -r <filename>
               Specify the filename from which to read filter rules  in  ipf(5)
               format.
 
        -R     Don’t attempt to convert IP addresses to hostnames.
 
        -S <ip_address>
               The IP address specifived with this option is used by ipftest to
               determine whether a packet should be treated as "input" or "out‐
               put".   If the source address in an IP packet matches then it is
               considered to be inbound.  If it does not match then it is  con‐
               sidered  to be outbound.  This is primarily for use with tcpdump
               (pcap) files where there is no  in/out  information  saved  with
               each packet.
 
        -T <optionlist>
               This  option  simulates the run-time changing of IPFilter kernel
               variables available with the -T option of ipf.   The  optionlist
               parameter  is a comma separated list of tuning commands.  A tun‐
               ing command is either "list" (retrieve a list of  all  variables
               in the kernel, their maximum, minimum and current value), a sin‐
               gle variable name (retrieve its current value)  and  a  variable
               name with a following assignment to set a new value.  See ipf(8)
               for examples.
 
        -v     Verbose mode.  This provides more information about which  parts
               of rule matching the input packet passes and fails.
 
        -x     Print a hex dump of each packet before printing the decoded con‐
               tents.
        ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c)
 

BUGS

        Not all of the input formats are sufficiently capable of introducing  a
        wide enough variety of packets for them to be all useful in testing.
 
                                                                     ipftest(1)
 

Sections

Based on BSD UNIX
FreeBSD is an advanced operating system for x86 compatible (including Pentium and Athlon), amd64 compatible (including Opteron, Athlon64, and EM64T), UltraSPARC, IA-64, PC-98 and ARM architectures. It is derived from BSD, the version of UNIX developed at the University of California, Berkeley. It is developed and maintained by a large team of individuals. Additional platforms are in various stages of development.