[119] in Best-of-Security


BoS: [ANNOUNCE]: ipfilter for FreeBSD2.2.x + FreeBSD3.0-current

daemon@ATHENA.MIT.EDU (proff@suburbia.net)
Sun Apr 13 21:04:37 1997

From: proff@suburbia.net
Date: Mon, 14 Apr 1997 00:20:03 +1000 (EST)
Cc: best-of-security@suburbia.net
Reply-To: best-of-security@suburbia.net
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net




Darren Reed and contributors' excellent firewall software, ipfilter
is now available for FreeBSD2.2/3.0-current.

                         The IP packet filter can:

          o explicitly deny/permit any packet from passing through

          o distinguish between various interfaces
          o filter by IP networks or hosts
          o selectively filter any IP protocol
          o selectively filter fragmented IP packets
          o selectively filter packets with IP options.
          o send back an ICMP error/TCP reset for blocked packets
          o keep packet state information for TCP, UDP and ICMP
          packet flows.
          o keep fragment state information for any IP packet,
          applying the same rule to all fragments.
          o act as a Network Address Translator (NAT)
          o use redirection to setup true transparent proxy
          connections.

          Special provision is made for the three most common Internet
          protocols, TCP, UDP and ICMP. The IP Packet filter allows
          filtering of:

                o TCP/UDP packets by port number or a port number
                range
                o ICMP packets by type/code
                o "established" TCP packets
                o on any arbitrary combination of TCP flags
                o "short" (fragmented) IP packets with incomplete
                headers can be filtered
                o any of the 19 IP options or 8 registered IP
                security classes
                o TOS (Type of Service) field in packets

FreeBSD version available from:

  ftp://suburbia.net/pub/proff/ipfilter-proff-final2.shar.gz
  ftp://ftp.freebsd.org/pub/FreeBSD/incoming/ipfilter-proff-final2.shar.gz

Original:

  http://cheops.anu.edu.au/~avalon

Note that while I (Julian Assange) have fixed various bugs originally
found in ipfilter3.2a4, I don't guarantee that this version is bug
free, and Darren certainly doesn't, not having had an opportunity to
test my changes fully.

-Julian <proff@suburbia.net>

# The archive contains:
#
#	ipfilter-proff-README
#	sys-ipfilter-proff-2.2.1.diff
#	sys-ipfilter-proff-current-970411.diff
#	lkm/if_ipf
#	lkm/if_ipf/Makefile
#	sbin/ipf
#	sbin/ipf/ipfstat
#	sbin/ipf/ipfstat/Makefile
#	sbin/ipf/ipftest
#	sbin/ipf/ipftest/Makefile
#	sbin/ipf/Makefile
#	sbin/ipf/Makefile.inc
#	sbin/ipf/mkfilters
#	sbin/ipf/mkfilters/Makefile
#	sbin/ipf/ipf
#	sbin/ipf/ipf/Makefile
#	sbin/ipf/ipmon
#	sbin/ipf/ipmon/Makefile
#	sbin/ipf/ipnat
#	sbin/ipf/ipnat/Makefile
#	contrib-sys
#	contrib-sys/ipfilter
#	contrib-sys/ipfilter/cflow
#	contrib-sys/ipfilter/snoop.h
#	contrib-sys/ipfilter/man
#

[..]

Unpack the new source trees and patch files:

	root@paranoia# cd /usr
	root@paranoia# unshar </tmp/ipfilter.shar

Patch the sys tree - quite tiny really.

  For -current dated on or around April 11 1997:

	root@paranoia# patch <src/sys-ipfilter-proff-current-970411.diff

  For FreeBSD-2.2.1 (and probably 2.2 also)

	root@paranoia# patch <src/sys-ipfilter-proff-2.2.1.diff

If you have the /usr/src/etc tree:

	root@paranoia# patch <src/etc-ipfilter-proff.diff
	root@paranoia# cp src/etc/etc.i386/MAKEDEV /dev
	root@paranoia# cd /dev
	root@paranoia# ./MAKEDEV ipl ipnat ipstate

else:

	root@paranoia# cd /dev
	root@paranoia# mknod ipl c 79 0
	root@paranoia# mknod ipnat c 79 1
	root@paranoia# mknod ipstate c 79 2

If you use devfs for /dev you can ignore the device creation above -
the new module loading code will do it for you.

Compile and install the user-land code:

	root@paranoia# cd /usr/src/sbin/ipf
	root@paranoia# make && make install

Compile and install the kernel module:

	root@paranoia# cd /usr/src/lkm/if_ipf
	root@paranoia# make && make install

Add the following to your kernel configuration:

	# new IPFILTER firewall
	# you need to have the src/contrib-sys tree installed to compile
	# kernel support for the in-kernel version.
	#options	IPFILTER		#in-kernel version
	options		IPFILTER_LKM		#module version
	options		IPFILTER_LOG		#support logging (in-kernel)

Make sure you have DEVFS support turned on in your kernel configuration,
or you will need to comment out the -DDEVFS in src/lkm/if_ipf/Makefile

If you want the in-kernel version instead (it has no advantage):

  Un-comment:

	#options IPFILTER

  and comment out:

	options IPFILTER_LKM


Re-config(8), recompile, install and boot the new kernel.

If you are running the loadable-module version, load the module:

	root@paranoia# modload /lkm/if_ipf_mod.o

  see if it worked:

	root@paranoia# modstat

If you are running the in-kernel version:

	root@paranoia# dmesg | grep -i ipf

Create some test firewall rules:

	root@paranoia# mkfilters | tee /tmp/basic-filters

Load them in:

	root@paranoia# ipf -f /tmp/basic-filters

Re-examine:

	root@paranoia# ipfstat -i -o

Write some better ones:

	root@paranoia# man 5 ipf
--
Prof. Julian Assange  |If you want to build a ship, don't drum up people
		      |together to collect wood and don't assign them tasks
proff@suburbia.net    |and work, but rather teach them to long for the endless
proff@gnu.ai.mit.edu  |immensity of the sea. -- Antoine de Saint Exupery
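The rule-evaluation order that ipf(5) documents, as an added example that is not part of this post or of the ipfilter distribution: ipfilter tries rules in order, the last matching rule decides unless a matching rule carries "quick" (which ends the search), and a packet matching no rule is passed by default, so a trailing "block in all" silently overrides earlier "pass" rules that lack "quick". The tiny parser, interface ed0, the 192.0.2.x/198.51.100.x addresses and the packets are constructed for illustration.

```python
"""ipfilter rule evaluation in miniature: rules are tried in order, the LAST
match wins unless a matching rule says 'quick' (search stops there), and a
packet matching no rule is passed. Constructed example: subset of ipf(5) only."""
import ipaddress

def parse_rule(text):
    """action in|out [log] [quick] [on IF] [proto P] from A to B [port = N] [with W]"""
    t = text.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "iface": None,
         "proto": None, "src": "any", "dst": "any", "dport": None, "with": None}
    for i, w in enumerate(t):
        if w == "on": r["iface"] = t[i + 1]
        elif w == "proto": r["proto"] = t[i + 1]
        elif w == "from": r["src"] = t[i + 1]
        elif w == "to": r["dst"] = t[i + 1]
        elif w == "port" and t[i + 1] == "=": r["dport"] = int(t[i + 2])  # dst port
        elif w == "with": r["with"] = t[i + 1]   # 'short' or 'ipopts'
    return r

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(r, p):
    return (r["dir"] == p["dir"]
            and r["iface"] in (None, p["iface"]) and r["proto"] in (None, p["proto"])
            and _addr_ok(r["src"], p["src"]) and _addr_ok(r["dst"], p["dst"])
            and r["dport"] in (None, p.get("dport"))
            and (r["with"] is None or r["with"] in p.get("with", ())))

def evaluate(rules, p):
    """Return (verdict, index of the deciding rule or None if nothing matched)."""
    verdict, which = "pass", None
    for i, r in enumerate(rules):
        if matches(r, p):
            verdict, which = r["action"], i
            if r["quick"]:
                break
    return verdict, which

# Rule 0 is meant to admit SMTP to the mail host, but without 'quick' the
# trailing 'block in all' is the last match and wins: SMTP is blocked.
RULES_NO_QUICK = [parse_rule(s) for s in (
    "pass in on ed0 proto tcp from any to 192.0.2.10/32 port = 25",
    "block in all")]
# With 'quick' the pass rule ends the search; short fragments are dropped
# first so a truncated header cannot slip past the port test.
RULES_QUICK = [parse_rule(s) for s in (
    "block in quick on ed0 all with short",
    "pass in quick on ed0 proto tcp from any to 192.0.2.10/32 port = 25",
    "block in all")]
SMTP = {"dir": "in", "iface": "ed0", "proto": "tcp", "src": "198.51.100.7",
        "dst": "192.0.2.10", "dport": 25}   # constructed inbound SMTP packet
```

Run the same packet through both sets to see the ordering trap, then check the real set with ipftest(1) before loading it with ipf(1).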

