Load-splitting for redirection (splits IP traffic between two alternate destinations)
IPV6 Support (ipf -6/ipfstat -6)
Save/Restore of state and NAT information (ipfs)
"top" style output option for ipfstat (ipfstat -t)
destination and source address matching for map/rdr rules
l4check - program to monitor redirection destinations for layer 4 load balancing.
BSD/OS 4.0 support (.o and source patches)
Support securelevel for restricting changes to the configuration.
ICMP errors can be returned to appear as they came from the firewall or the endpoint
Setting a range of addresses rather than a CIDR mask in NAT now possible
Source host filtering on redirects supported
_Large_ static NAT now supported with 1 rule
Logging enhancements, allowing rules to specify syslog facility and priority
Enhancements to state code.
Additional in-kernel proxies provided for rcmd(3) and RealAudio(PNA)
enhancements to ipmon (daemon-capable, HUP'able)
NAT support for traceroute
limited in-kernel FTP proxy, for use with or without NAT
IRIX 5.3, 6.2 Support
Linux 2.0.31 Support (non-GLIBC systems ONLY!)
bi-directional NAT mapping
logical grouping of filter rules
Solaris 2.3 - 2.6 supported
patches for OpenBSD 2.1 integration
new input language for ipsend
inverting of host/net matching
compatibility for NetBSD/FreeBSD improved
use quad_t where available for counting packets and bytes
sysctl interface implemented (FreeBSD 2.2 and above)
in-kernel proxying support
logging of NAT and state changes
device files created for NAT, authentication, state and fragment state
fragment state automatically added with "keep state"
Drop packets which would be passed if logging fails (3.1.2)
Using "redirection", transparent proxying can be achieved, with patches for TIS FWTK ftp-gw provided as an example of how to do it.
Arbitrary functions can be called to make more complex filtering decisions than standard filtering provides.
Packets can be logged to network interfaces.
Packets can be routed transparently.
Can be built and installed as a Solaris 2 package (Solaris 2.x only)
Can reset statistics for individual rules.
Regression testing on rule parsing and printing.
ipresend and ipftest can now take input from a larger variety of file types, now including hex. representation of complete IP packets.
Device file permissions are meaningful within IP Filter when processing ioctls.
ipmon can now display logged packets in hex.
Fragment state can be kept and followed on a per packet basis.
Byte counting can be performed for a separate list of filter rules.
Includes a Network Address Translation (NAT) table which can be used to hide and map internal IP addresses to ones accepted by external networks.
ICMP unreachable codes returned can be different for each rule
Can now (optionally) log the first 128 bytes of a packet (if present), including the packet header;
ipmon can now generate log entries with names in place of numerical hostname and port data by using the -N command line option;
ipmon can now optionally log output through syslog using the new -s command line option;
IPSO Basic Security Options filtering;
In-kernel filtering can be turned on/off;
Regression testing to check the correctness of the filter;
IP test program (ipsend) is now included with the package to allow the administrator to send arbitrary IP packets, or replay packet sequences at the filter;
Compacts IP header into a directly filterable form;
Three-way filtering results, allowing packets which don't match any rule to be counted and subjected to a general policy of denial or permission.
Used in block rules, it causes a TCP reset (RST) to whoever sent the packet which (finally) matched this rule, causing the connection to close.
# ipfstat -i
block in on le0 from me to any
block in on le0 proto udp from any to any
pass in on le0 from any to me
# echo "@2 block in on le0 from any to any flags S" | ipf -f -
# ipfstat -i
block in on log le0 from me to any
block in on le0 proto tcp from any to any flags S
block in on le0 proto udp from any to any
pass in on le0 from any to me

# ipfstat -hi
or
# ipfstat -ho
E.g.:

# ipfstat -hi
2 block in log on le0 from me to any
122 block in on le0 proto tcp from any to any flags S
1133 block in on le0 proto udp from any to any
43232 pass in on le0 from any to me
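The hit-count listing above is the raw material for a rule-set audit: rules that almost never match are candidates for review, and the listing order is what the "@N" position in an ipf -f insertion refers to. The following is an added example, not part of the IP Filter distribution or its documentation; it reads ipfstat -hi/-ho style output on stdin and assumes only the one-count-then-rule line layout shown above. The sample output embedded in it is constructed from the listing above, not captured from a live host.

```shell
#!/bin/sh
# Constructed sample of "ipfstat -hi" output (hit count, then the rule text).
# Not captured from a real system; it mirrors the listing in the text above.
SAMPLE_HI='2 block in log on le0 from me to any
122 block in on le0 proto tcp from any to any flags S
1133 block in on le0 proto udp from any to any
43232 pass in on le0 from any to me'

# cold_rules THRESHOLD: print (without the count) every rule whose hit count is
# at or below THRESHOLD. Rarely-matched rules are the ones worth re-checking,
# since they may be stale, shadowed by an earlier rule, or simply mistyped.
# Lines that do not start with a number (headers, blank lines) are ignored.
cold_rules() {
    awk -v max="$1" '$1 ~ /^[0-9]+$/ && $1+0 <= max { $1 = ""; sub(/^ /, ""); print }'
}

# rank_rules: prepend each rule's 1-based position in the listing, then sort by
# hit count (highest first). The position is the number you would use in an
# "@N" prefix when inserting a rule with "ipf -f -" at that point in the list.
rank_rules() {
    awk '$1 ~ /^[0-9]+$/ { n++; printf "%d %s\n", n, $0 }' | sort -k2,2nr
}

# summarize: total hits per action keyword (block / pass), one line per action,
# sorted by action name. A quick sanity check that traffic is being handled by
# the rules you expect, e.g. that most matches land on "pass" rather than "block".
summarize() {
    awk '$1 ~ /^[0-9]+$/ { tot[$2] += $1 }
         END { for (a in tot) printf "%s %d\n", a, tot[a] }' | sort
}

# Stand-alone run over the constructed sample. On a real host you would pipe
# "ipfstat -hi" or "ipfstat -ho" into these functions instead.
printf '%s\n' "$SAMPLE_HI" | cold_rules 10
printf '%s\n' "$SAMPLE_HI" | rank_rules
printf '%s\n' "$SAMPLE_HI" | summarize
```

Note that ipfstat -hi and ipfstat -ho list inbound and outbound rules separately, so each direction should be fed through on its own; combining them would mix up the "@N" positions.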