The first step is to define a rule set. The configuration file is /etc/ipf/ipf.conf. For example:

—>8—
# We assume the interface is "elxl0"
# My IP: 172.16.1.100
#
# Block any packet that is too short to be genuine
block in log quick all with short
#
# Drop and log any packet carrying IP options
block in log all with ipopts
#
# Allow loopback traffic.
pass in quick on lo0 all
pass out quick on lo0 all
#
# Public network. Block everything that is not specifically allowed
block in  on elxl0 all
block out on elxl0 all
#
# Allow outbound pings
pass out quick on elxl0 proto icmp all keep state
#
# For testing, allow incoming pings from other hosts (ben and jerry)
pass in quick on elxl0 proto icmp from 172.16.1.11/32 to 172.16.1.100/32
pass in quick on elxl0 proto icmp from 172.16.1.12/32 to 172.16.1.100/32
#
# Allow outbound state related packets.
pass out quick on elxl0 proto tcp/udp from any to any keep state
#
# Allow ssh only from the 172.16.0.0/16 subnet
# pass in log quick on elxl0 from 172.16.0.0/16 to 172.16.1.100/32 port = 22
# Actually, allow ssh only from ben, jerry, MSU
pass in log quick on elxl0 proto tcp from 172.16.1.11/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 172.16.1.12/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 153.90.0.0/16 to 172.16.1.100/32 port = 22
—>8—

Another example of a configuration file is the following:

—>8—
pass in quick proto tcp from any to any port = 22 keep state
pass in quick proto tcp from any to any port = 80 keep state
pass in quick proto tcp from any to any port = 8080 keep state
pass in quick proto tcp from any to any port = 443 keep state
pass in quick proto icmp from any to any icmp-type 8 keep state
pass in quick proto icmp from any to any icmp-type 13 keep state
pass out quick from any to any keep state
block in quick all
—>8—
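The two rule sets above only make sense with IPFilter's matching order in mind: rules are walked top to bottom, the last matching rule decides, a matching rule marked quick ends the walk on the spot, and a packet that matches no rule at all is passed. The following Python script is an added example, not part of the original page and not IPFilter code; it is a small evaluator that implements exactly those semantics for the keywords used on this page, with both rule sets embedded verbatim (comment lines dropped) and a few constructed packets. The packet source address 198.51.100.7 and the packet dictionary layout are assumptions of this example.

```python
import ipaddress

# Both rule sets copied from the page above (comment lines dropped).
RULESET_1 = """\
block in log quick all with short
block in log all with ipopts
pass in quick on lo0 all
pass out quick on lo0 all
block in on elxl0 all
block out on elxl0 all
pass out quick on elxl0 proto icmp all keep state
pass in quick on elxl0 proto icmp from 172.16.1.11/32 to 172.16.1.100/32
pass in quick on elxl0 proto icmp from 172.16.1.12/32 to 172.16.1.100/32
pass out quick on elxl0 proto tcp/udp from any to any keep state
pass in log quick on elxl0 proto tcp from 172.16.1.11/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 172.16.1.12/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 153.90.0.0/16 to 172.16.1.100/32 port = 22
"""
RULESET_2 = """\
pass in quick proto tcp from any to any port = 22 keep state
pass in quick proto tcp from any to any port = 80 keep state
pass in quick proto tcp from any to any port = 8080 keep state
pass in quick proto tcp from any to any port = 443 keep state
pass in quick proto icmp from any to any icmp-type 8 keep state
pass in quick proto icmp from any to any icmp-type 13 keep state
pass out quick from any to any keep state
block in quick all
"""


def parse_rule(line):
    """Parse one rule into a dict; only the keywords used on the page are supported."""
    toks = line.split()
    r = {"action": toks[0], "dir": toks[1], "quick": False, "on": None,
         "proto": None, "src": "any", "dst": "any", "port": None,
         "icmp_type": None, "with": None}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            r["quick"] = True
            i += 1
        elif t in ("log", "all"):          # no effect on matching
            i += 1
        elif t == "keep":                  # "keep state": not modelled here
            i += 2
        elif t == "port":                  # "port = N" after "to": destination port
            r["port"] = int(toks[i + 2])
            i += 3
        elif t == "proto":                 # "tcp/udp" means either protocol
            r["proto"] = set(toks[i + 1].split("/"))
            i += 2
        elif t == "icmp-type":
            r["icmp_type"] = int(toks[i + 1])
            i += 2
        elif t in ("on", "from", "to", "with"):
            r[{"from": "src", "to": "dst"}.get(t, t)] = toks[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {line}")
    return r


def parse_ruleset(text):
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(r, pkt):
    """pkt keys: dir, iface, proto, src, dst; optional dport, icmp_type, flags."""
    return (r["dir"] == pkt["dir"]
            and (r["on"] is None or r["on"] == pkt["iface"])
            and (r["proto"] is None or pkt["proto"] in r["proto"])
            and (r["with"] is None or r["with"] in pkt.get("flags", ()))
            and in_net(pkt["src"], r["src"]) and in_net(pkt["dst"], r["dst"])
            and (r["port"] is None or pkt.get("dport") == r["port"])
            and (r["icmp_type"] is None or pkt.get("icmp_type") == r["icmp_type"]))


def evaluate(rules, pkt):
    """Return (verdict, 1-based index of the deciding rule, or None if nothing matched)."""
    verdict, deciding = "pass", None       # IPFilter passes packets that no rule matches
    for n, r in enumerate(rules, 1):
        if matches(r, pkt):
            verdict, deciding = r["action"], n
            if r["quick"]:                 # quick: stop here, this rule decides
                break
    return verdict, deciding               # otherwise the LAST match decides


def strip_quick(text):
    """Same rules with every 'quick' removed, to expose last-match semantics."""
    return "\n".join(l.replace(" quick", "") for l in text.splitlines())


def tcp_in(dport, src="198.51.100.7", iface="elxl0", **extra):
    """Constructed inbound TCP packet to the host from the page (172.16.1.100)."""
    return {"dir": "in", "iface": iface, "proto": "tcp", "src": src,
            "dst": "172.16.1.100", "dport": dport, **extra}


if __name__ == "__main__":
    r1, r2 = parse_ruleset(RULESET_1), parse_ruleset(RULESET_2)
    print(evaluate(r2, tcp_in(22)), evaluate(r2, tcp_in(25)))
    print(evaluate(parse_ruleset(strip_quick(RULESET_2)), tcp_in(22)))
    print(evaluate(r1, tcp_in(22, src="153.90.1.2", flags={"ipopts"})))
```

Running it shows why the second rule set puts quick on every line: with quick stripped, the final `block in quick all` becomes the last match for everything, so even port 22 is blocked. In the first rule set it shows that `block in on elxl0 all` without quick is simply overridden by the later quick pass rules, which is the intended design, but also that `block in log all with ipopts` carries no quick either, so an inbound packet with IP options from one of the permitted ssh sources is passed by the later ssh rule rather than dropped; adding quick to the ipopts rule closes that gap.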

Once we have the firewall rule set, we must tell IPFilter which network interface it should apply those rules on. We do this by uncommenting the interface we want in the file /etc/ipf/pfil.ap.

The changes take effect on the next reboot. (It may not be necessary to reboot the machine; bringing the interface down (unplumb) and back up (plumb) may be enough, but it is better to reboot if you can.)

Some useful commands:

ipf -E                          : Enable ipfilter when running for the first
                                  time. (Needed for ipf on Tru64.)

ipf -f /etc/ipf/ipf.conf        : Load the rules in /etc/ipf/ipf.conf into
                                  the active firewall.

ipf -Fa -f /etc/ipf/ipf.conf    : Flush all rules, then load the rules in
                                  /etc/ipf/ipf.conf into the active firewall.

ipf -Fi                         : Flush all input rules.

ipf -I -f /etc/ipf/ipf.conf     : Load the rules in /etc/ipf/ipf.conf into
                                  the inactive firewall.

ipf -V                          : Show version info and the active list.

ipf -s                          : Swap the active and inactive firewalls.

ipfstat                         : Show a summary.

ipfstat -i                      : Show the input list.

ipfstat -o                      : Show the output list.

ipfstat -hio                    : Show hit counts against all rules.

ipfstat -t -T 5                 : Monitor the state table, refreshing every
                                  5 seconds. The output is similar to 'top'
                                  monitoring the process table.

ipmon -s S                      : Watch the state table.

ipmon -sn                       : Write logged entries to syslog, converting
                                  addresses and ports back to host names and
                                  service names.

ipmon -s [file]                 : Write logged entries to a file.

ipmon -Ds                       : Run ipmon as a daemon, logging to the
                                  default location
                                  (/var/adm/messages on Solaris,
                                  /var/log/syslog on Tru64).
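The cheat sheet lists the inactive-list command (ipf -I) and the swap command (ipf -s) separately; combined, they give a reload that never leaves the box without rules and that can be undone with one more swap, which matters when the only path to the machine is the ssh port being filtered. The script below is an added example (not from the page and not IPFilter's own tooling) that sequences those commands: parse the file without touching the kernel (ipf -n, a real ipf flag that is not in the list above), load it into the inactive list, swap, and swap straight back unless a caller-supplied check confirms the new rules. The `check` and `run` callables are assumptions of this example, introduced so the sequence can be exercised without ipf installed.

```python
import subprocess

RULES = "/etc/ipf/ipf.conf"           # rule file from the page


def _run(argv):
    """Default runner: execute argv and report success (exit status 0)."""
    return subprocess.run(argv, check=False).returncode == 0


def safe_reload(rules, check, run=_run):
    """Stage a rule set, swap it in, and swap back unless `check` confirms it.

    Returns (status, commands_executed).  `check` is a caller-supplied
    callable returning True if the new rule set still behaves (for example,
    the management host can still open the ssh port); `run` executes one
    command and returns True on success.  Both are assumptions of this
    example, injectable so the sequence can be tested without ipf.
    """
    executed = []

    def step(argv):
        executed.append(argv)
        return run(argv)

    # 1. Parse only (-n: no ioctl calls, nothing in the kernel changes).
    if not step(["ipf", "-n", "-f", rules]):
        return "parse-failed", executed
    # 2. Flush the inactive list and load the new rules there (-I); the
    #    active list keeps filtering, untouched, in the meantime.
    if not step(["ipf", "-I", "-Fa", "-f", rules]):
        return "stage-failed", executed
    # 3. Swap: the staged list becomes active, the old one becomes inactive.
    if not step(["ipf", "-s"]):
        return "swap-failed", executed
    # 4. Confirm, or swap straight back to the previous (still intact) list.
    if check():
        return "committed", executed
    step(["ipf", "-s"])
    return "reverted", executed


if __name__ == "__main__":
    import sys
    # Placeholder check: replace with a real reachability test of your
    # management path; here it only asks the operator at the console.
    confirm = lambda: input("New rules active. Keep them? [y/N] ").strip().lower() == "y"
    status, cmds = safe_reload(sys.argv[1] if len(sys.argv) > 1 else RULES, check=confirm)
    print(status)
    for argv in cmds:
        print(" ", " ".join(argv))
```

Because the old list is only ever swapped out, never flushed, the revert in step 4 is a single ipf -s and restores exactly what was filtering before; the active list is only flushed by the page's `ipf -Fa -f` form, which this sequence deliberately avoids.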