
ipftest(1)




ipftest(1)               USER COMMANDS                 ipftest(1)


NAME

     ipftest - test packet filter rules with arbitrary input.


SYNOPSIS

     ipftest [ -6bdDNovxX ] [ -F input-format ] [ -I interface  ]
     -r <filename> [ -i <filename> ]


DESCRIPTION

     ipftest makes it possible to test a set of filter rules
     without having to put them into operation and only then test
     their effectiveness.  The hope is that this minimises
     disruptions in providing a secure IP environment.

     ipftest will parse any standard ruleset for use with ipf and
     apply input to it, reporting the result as output.  For each
     packet passed through the filter, ipftest returns one of three
     values: pass, block or nomatch.  This is intended to give the
     operator a better idea of what is happening with packets
     passing through their filter ruleset.

     When used without either of -S, -T or -E, ipftest  uses  its
     own  text  input  format to generate "fake" IP packets.  The
     format used is as follows:
               "in"|"out" "on" if ["tcp"|"udp"|"icmp"]
                    srchost[,srcport] dsthost[,destport] [FSRPAU]

     This allows for a packet going "in" or "out" of an interface
     (if)  to be generated, being one of the three main protocols
     (optionally), and if either TCP or UDP, a port parameter  is
     also  expected.   If  TCP  is  selected,  it  is possible to
     (optionally) supply TCP flags at  the  end.   Some  examples
     are:
               # a UDP packet coming in on le0
               in on le0 udp 10.1.1.1,2210 10.2.1.5,23
               # an IP packet coming in on le0 from localhost - hmm :)
               in on le0 localhost 10.4.12.1
               # a TCP packet going out of le0 with the SYN flag set.
               out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S
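
     The following is an added example, not part of the original manual page or of ipftest itself: a small Python harness that renders packets in the text input format described above and compares ipftest's verdicts with the expected ones. It assumes that `ipftest -b` (see OPTIONS) prints one verdict word per packet; the function names and the expected verdicts in CASES are constructed for illustration.

```python
import subprocess

VERDICTS = ("pass", "block", "nomatch")   # the three results named on this page


def text_packet(direction, ifname, src, dst, proto=None, flags=""):
    """Render one packet line; src/dst are "host" or (host, port)."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    if proto not in (None, "tcp", "udp", "icmp"):
        raise ValueError("protocol must be tcp, udp or icmp")
    if flags and (proto != "tcp" or set(flags) - set("FSRPAU")):
        raise ValueError("flags are a subset of FSRPAU and TCP only")

    def endpoint(end):
        host, port = end if isinstance(end, tuple) else (end, None)
        if proto in ("tcp", "udp") and port is None:
            raise ValueError(f"{proto} needs a port for {host}")
        return host if port is None else f"{host},{port}"

    fields = [direction, "on", ifname, proto, endpoint(src), endpoint(dst), flags]
    return " ".join(f for f in fields if f)


def mismatches(cases, brief_output):
    """cases: [(packet_line, expected_verdict)]; returns [(line, want, got)]."""
    # Assumption: -b output is one verdict word per packet; other text is ignored.
    got = [word for word in brief_output.split() if word in VERDICTS]
    if len(got) != len(cases):
        raise ValueError(f"{len(cases)} packets sent, {len(got)} verdicts read")
    return [(line, want, have)
            for (line, want), have in zip(cases, got) if want != have]


def run_ipftest(rules_file, cases, binary="ipftest"):
    """Feed the packet lines on stdin (the default input) to `ipftest -b`."""
    stdin_text = "".join(line + "\n" for line, _ in cases)
    done = subprocess.run([binary, "-b", "-r", rules_file], input=stdin_text,
                          capture_output=True, text=True)
    return mismatches(cases, done.stdout)


# Constructed cases, reusing the addresses from the examples above.
CASES = [
    (text_packet("in", "le0", ("10.1.1.1", 2210), ("10.2.1.5", 23), "udp"), "block"),
    (text_packet("in", "le0", "localhost", "10.4.12.1"), "block"),
    (text_packet("out", "le0", ("10.4.12.1", 2245), ("10.1.1.1", 23), "tcp", "S"), "pass"),
]
```

     An empty list from run_ipftest() means every packet received the expected verdict; a "nomatch" where "block" was expected shows a packet that no rule in the set covers.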


OPTIONS

     -v   Verbose mode.  This  provides  more  information  about
          which  parts  of  rule matching the input packet passes
          and fails.

     -d   Turn on filter rule debugging.   Currently,  this  only
          shows  you  what caused the rule to not match in the IP
          header checking (addresses/netmasks, etc).

     -b   Cause the output to be a brief  summary  (one-word)  of
          the  result  of  passing the packet through the filter;
          either "pass", "block" or "nomatch".  This is  used  in
          the regression testing.

     -I <interface>
          Set the interface name (used in rule  matching)  to  be
          the  name supplied.  This is useful with the -P, -S, -T
          and -E options, where it is not otherwise  possible  to
          associate  a  packet  with  an interface.  Normal "text
          packets" can override this setting.

     -F   This option is used to select which  input  format  the
          input file is in.  The following formats are available:
          etherfind, hex, pcap, snoop, tcpdump.

          etherfind
               The input file is to be text output from etherfind.
               The text formats which are currently supported are
               those which result from the following etherfind
               option combinations:

                    etherfind -n
                    etherfind -n -t

          hex  The input file is to be hex  digits,  representing
               the  binary  makeup  of  the  packet.   No  length
               correction is made, if an incorrect length is  put
               in  the IP header.  A packet may be broken up over
               several lines of hex digits, a blank line
               indicating the end of the packet.  It is possible
               to specify both the interface name and direction of
               the packet (for filtering purposes) at the start of
               the line using this format:

                    [direction,interface]

               To define a packet going in on le0, we would use
               [in,le0] - the []'s are required and part of the
               input syntax.

          pcap The input file specified by -i is  a  binary  file
               produced  using libpcap (i.e., tcpdump version 3).
               Packets are read from this  file  as  being  input
               (for rule purposes).  An interface may be specified
               using -I.

          snoop
               The input file is to be in "snoop" format (see RFC
               1761).   Packets  are read from this file and used
               as input from any interface.  This is perhaps  the
               most useful input type, currently.

          tcpdump
               The input file is to be text output from  tcpdump.
               The text formats which are currently supported are
               those which  result  from  the  following  tcpdump
               option combinations:

                    tcpdump -n
                    tcpdump -nq
                    tcpdump -nqt
                    tcpdump -nqtt
                    tcpdump -nqte

     -X   The input file is composed of text descriptions  of  IP
          packets.

     -i <filename>
          Specify the filename from which to take input.  Default
          is stdin.

     -r <filename>
          Specify the filename from which to read filter rules.
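
     The following is an added example, not part of the original manual page: because the hex format applies no length correction, this Python sketch builds an IPv4/TCP packet with a correct total length and checksums and prints it as hex input for `-F hex`. Putting the [direction,interface] prefix on the same line as the first hex digits follows the description above; the function names, the IP id, TTL, sequence number and window values are constructed.

```python
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071) over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_packet(src, sport, dst, dport, flags="S") -> bytes:
    """Build a 40-byte IPv4+TCP packet with consistent length and checksums."""
    bits = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
    flag_byte = sum(bits[f] for f in set(flags))
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flag_byte,
                      8192, 0, 0)
    pseudo = s + d + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    total_len = 20 + len(tcp)   # must be right: ipftest will not correct it
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64,
                     socket.IPPROTO_TCP, 0, s, d)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def to_hex_input(packet: bytes, direction: str, ifname: str) -> str:
    """Format a packet as hex lines; the trailing blank line ends the packet."""
    words = [packet[i:i + 2].hex() for i in range(0, len(packet), 2)]
    lines = [" ".join(words[i:i + 8]) for i in range(0, len(words), 8)]
    lines[0] = f"[{direction},{ifname}] {lines[0]}"
    return "\n".join(lines) + "\n\n"


if __name__ == "__main__":
    # Same packet as the TCP text example: SYN going out of le0.
    pkt = tcp_packet("10.4.12.1", 2245, "10.1.1.1", 23, "S")
    print(to_hex_input(pkt, "out", "le0"), end="")
```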


SEE ALSO

     ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c)


BUGS

     Not all of the input formats  are  sufficiently  capable  of
     introducing  a wide enough variety of packets for them to be
     all useful in testing.

                          Last change:                          3

