Date: Wed, 9 Apr 1997 08:34:23 +1000 (EST)
From: proff@suburbia.net
To: hackers@freebsd.org
Cc: security@freebsd.org, current@freebsd.org
Subject: ipfilter-proff.shar.gz
Message-ID: <19970408223424.25890.qmail@suburbia.net>
I've addressed what I consider all outstanding issues with ipfilter insofar
as one can without stepping on too many toes. This is complete. I haven't
tested it under 2.2, but any changes should be very minimal.

/usr/src/contrib/ipfilter can be, and should be zorched after this shar
unpacks.

Review is appreciated, but anything but bug-fixes will fall on deaf ears.

The code is available as:

	ftp.freebsd.org/FreeBSD/incoming/ipfilter-proff.shar.gz (100k)

and from GNATS as `kern/3234'.

Unpack the three new source trees and two patch files:

	root@current# cd /usr
	root@current# unshar </tmp/ipfilter-proff.shar

Patch the sys tree - quite tiny really.

	root@current# patch <src/sys-ipfilter-proff.diff

If you have the /usr/src/etc tree:

	root@current# patch <src/etc-ipfilter-proff.diff
	root@current# cp src/etc/etc.i386/MAKEDEV /dev
	root@current# cd /dev
	root@current# ./MAKEDEV ipl ipnat ipstate

else:

	root@current# cd /dev
	root@current# mknod ipl c 79 0
	root@current# mknod ipnat c 79 1
	root@current# mknod ipstate c 79 2

If you use devfs for /dev you can ignore the device creation above - the
new module loading code will do it for you.

Compile and install the user-land code:

	root@current# cd /usr/src/sbin/ipf
	root@current# make && make install

Compile and install the kernel module:

	root@current# cd /usr/src/lkm/if_ipf
	root@current# make && make install

Add the following to your kernel configuration:

	# new IPFILTER firewall
	# you need to have the src/contrib-sys tree installed to compile
	# kernel support for the in-kernel version
	#options	IPFILTER	#in-kernel version
	options		IPFILTER_LKM	#module version
	options		IPFILTER_LOG	#support logging (in-kernel)

Un-comment:

	#options	IPFILTER

and comment out:

	options		IPFILTER_LKM

if you want the in-kernel version instead (it has no advantage).

Re-config(8), recompile, install and boot the new kernel.
If you are running the loadable-module version, load the module:

	root@current# modload /lkm/if_ipf_mod.o

see if it worked:

	root@current# modstat

Create some test firewall rules:

	root@current# mkfilters | tee /tmp/basic-filters

Load them in:

	root@current# ipf -f /tmp/basic-filters

Re-examine:

	root@current# ipfstat -i -o

Write some better ones:

	root@current# man 5 ipf

# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
# src/sys-ipfilter-proff.diff
# src/etc-ipfilter-proff.diff
# src/lkm/if_ipf
# src/lkm/if_ipf/Makefile
# src/sbin/ipf
# src/sbin/ipf/ipfstat
# src/sbin/ipf/ipfstat/Makefile
# src/sbin/ipf/ipftest
# src/sbin/ipf/ipftest/Makefile
# src/sbin/ipf/Makefile
# src/sbin/ipf/Makefile.inc
# src/sbin/ipf/mkfilters
# src/sbin/ipf/mkfilters/Makefile
# src/sbin/ipf/ipf
# src/sbin/ipf/ipf/Makefile
# src/sbin/ipf/ipmon
# src/sbin/ipf/ipmon/Makefile
# src/sbin/ipf/ipnat
# src/sbin/ipf/ipnat/Makefile
# src/contrib-sys
# src/contrib-sys/ipfilter
# src/contrib-sys/ipfilter/snoop.h
# src/contrib-sys/ipfilter/man
# src/contrib-sys/ipfilter/man/man.sed
# src/contrib-sys/ipfilter/man/ipf.1
# src/contrib-sys/ipfilter/man/ipf.4
# src/contrib-sys/ipfilter/man/ipf.5
# src/contrib-sys/ipfilter/man/ipfstat.8
# src/contrib-sys/ipfilter/man/ipftest.1
# src/contrib-sys/ipfilter/man/ipl.4
# src/contrib-sys/ipfilter/man/ipmon.8
# src/contrib-sys/ipfilter/man/ipnat.1
# src/contrib-sys/ipfilter/man/ipnat.4
# src/contrib-sys/ipfilter/man/ipnat.5
# src/contrib-sys/ipfilter/man/ipfilter.5
# src/contrib-sys/ipfilter/man/Makefile
# src/contrib-sys/ipfilter/man/mkfilters.1
# src/contrib-sys/ipfilter/test
# src/contrib-sys/ipfilter/test/input
# src/contrib-sys/ipfilter/test/input/input.sed
# src/contrib-sys/ipfilter/test/input/10
# src/contrib-sys/ipfilter/test/input/11
# src/contrib-sys/ipfilter/test/input/12
# src/contrib-sys/ipfilter/test/input/13
# src/contrib-sys/ipfilter/test/input/2
# src/contrib-sys/ipfilter/test/input/3
# src/contrib-sys/ipfilter/test/input/4
# src/contrib-sys/ipfilter/test/input/5
# src/contrib-sys/ipfilter/test/input/6
# src/contrib-sys/ipfilter/test/input/7
# src/contrib-sys/ipfilter/test/input/8
# src/contrib-sys/ipfilter/test/input/9
# src/contrib-sys/ipfilter/test/input/1
# src/contrib-sys/ipfilter/test/regress
# src/contrib-sys/ipfilter/test/regress/regress.sed
# src/contrib-sys/ipfilter/test/regress/10
# src/contrib-sys/ipfilter/test/regress/11
# src/contrib-sys/ipfilter/test/regress/12
# src/contrib-sys/ipfilter/test/regress/13
# src/contrib-sys/ipfilter/test/regress/2
# src/contrib-sys/ipfilter/test/regress/3
# src/contrib-sys/ipfilter/test/regress/4
# src/contrib-sys/ipfilter/test/regress/5
# src/contrib-sys/ipfilter/test/regress/6
# src/contrib-sys/ipfilter/test/regress/7
# src/contrib-sys/ipfilter/test/regress/8
# src/contrib-sys/ipfilter/test/regress/9
# src/contrib-sys/ipfilter/test/regress/i1
# src/contrib-sys/ipfilter/test/regress/i10
# src/contrib-sys/ipfilter/test/regress/i11
# src/contrib-sys/ipfilter/test/regress/i2
# src/contrib-sys/ipfilter/test/regress/i3
# src/contrib-sys/ipfilter/test/regress/i4
# src/contrib-sys/ipfilter/test/regress/i5
# src/contrib-sys/ipfilter/test/regress/i6
# src/contrib-sys/ipfilter/test/regress/i7
# src/contrib-sys/ipfilter/test/regress/i8
# src/contrib-sys/ipfilter/test/regress/i9
# src/contrib-sys/ipfilter/test/regress/1
# src/contrib-sys/ipfilter/test/expected
# src/contrib-sys/ipfilter/test/expected/expected.sed
# src/contrib-sys/ipfilter/test/expected/10
# src/contrib-sys/ipfilter/test/expected/11
# src/contrib-sys/ipfilter/test/expected/12
# src/contrib-sys/ipfilter/test/expected/2
# src/contrib-sys/ipfilter/test/expected/3
# src/contrib-sys/ipfilter/test/expected/4
# src/contrib-sys/ipfilter/test/expected/5
# src/contrib-sys/ipfilter/test/expected/6
# src/contrib-sys/ipfilter/test/expected/7
# src/contrib-sys/ipfilter/test/expected/8
# src/contrib-sys/ipfilter/test/expected/9
# src/contrib-sys/ipfilter/test/expected/i1
# src/contrib-sys/ipfilter/test/expected/i10
# src/contrib-sys/ipfilter/test/expected/i11
# src/contrib-sys/ipfilter/test/expected/i2
# src/contrib-sys/ipfilter/test/expected/i3
# src/contrib-sys/ipfilter/test/expected/i4
# src/contrib-sys/ipfilter/test/expected/i5
# src/contrib-sys/ipfilter/test/expected/i6
# src/contrib-sys/ipfilter/test/expected/i7
# src/contrib-sys/ipfilter/test/expected/i8
# src/contrib-sys/ipfilter/test/expected/i9
# src/contrib-sys/ipfilter/test/expected/1
# src/contrib-sys/ipfilter/test/hextest
# src/contrib-sys/ipfilter/test/itest
# src/contrib-sys/ipfilter/test/.cvsignore
# src/contrib-sys/ipfilter/test/test.sed
# src/contrib-sys/ipfilter/test/Makefile
# src/contrib-sys/ipfilter/test/dotest
# src/contrib-sys/ipfilter/rules
# src/contrib-sys/ipfilter/rules/rules.sed
# src/contrib-sys/ipfilter/rules/example.10
# src/contrib-sys/ipfilter/rules/example.11
# src/contrib-sys/ipfilter/rules/example.12
# src/contrib-sys/ipfilter/rules/example.13
# src/contrib-sys/ipfilter/rules/example.2
# src/contrib-sys/ipfilter/rules/example.3
# src/contrib-sys/ipfilter/rules/example.4
# src/contrib-sys/ipfilter/rules/example.5
# src/contrib-sys/ipfilter/rules/example.6
# src/contrib-sys/ipfilter/rules/example.7
# src/contrib-sys/ipfilter/rules/example.8
# src/contrib-sys/ipfilter/rules/example.9
# src/contrib-sys/ipfilter/rules/example.sr
# src/contrib-sys/ipfilter/rules/nat.eg
# src/contrib-sys/ipfilter/rules/server
# src/contrib-sys/ipfilter/rules/tcpstate
# src/contrib-sys/ipfilter/rules/example.1
# src/contrib-sys/ipfilter/LICENCE
# src/contrib-sys/ipfilter/README
# src/contrib-sys/ipfilter/fil.c
# src/contrib-sys/ipfilter/fils.c
# src/contrib-sys/ipfilter/inet_addr.c
# src/contrib-sys/ipfilter/ip_compat.h
# src/contrib-sys/ipfilter/ip_fil.c
# src/contrib-sys/ipfilter/ip_fil.h
# src/contrib-sys/ipfilter/ip_frag.c
# src/contrib-sys/ipfilter/ip_frag.h
# src/contrib-sys/ipfilter/ip_nat.c
# src/contrib-sys/ipfilter/ip_nat.h
# src/contrib-sys/ipfilter/ip_state.c
# src/contrib-sys/ipfilter/ip_state.h
# src/contrib-sys/ipfilter/ipf.c
# src/contrib-sys/ipfilter/ipf.h
# src/contrib-sys/ipfilter/ipft_ef.c
# src/contrib-sys/ipfilter/ipft_hx.c
# src/contrib-sys/ipfilter/ipft_pc.c
# src/contrib-sys/ipfilter/ipft_sn.c
# src/contrib-sys/ipfilter/ipft_td.c
# src/contrib-sys/ipfilter/ipft_tx.c
# src/contrib-sys/ipfilter/ipl.h
# src/contrib-sys/ipfilter/ipl_ldev.c
# src/contrib-sys/ipfilter/ipmon.c
# src/contrib-sys/ipfilter/ipnat.c
# src/contrib-sys/ipfilter/ipt.c
# src/contrib-sys/ipfilter/ipt.h
# src/contrib-sys/ipfilter/kmem.c
# src/contrib-sys/ipfilter/kmem.h
# src/contrib-sys/ipfilter/misc.c
# src/contrib-sys/ipfilter/mkfilters
# src/contrib-sys/ipfilter/etc
# src/contrib-sys/ipfilter/etc/etc.sed
# src/contrib-sys/ipfilter/opt.c
# src/contrib-sys/ipfilter/parse.c
# src/contrib-sys/ipfilter/pcap.h
# src/contrib-sys/ipfilter/relay.c
# src/contrib-sys/ipfilter/todo
# src/contrib-sys/ipfilter/NAT.FreeBSD
# src/contrib-sys/ipfilter/mlf_ipl.c
# src/contrib-sys/ipfilter/ipfconf.h
# src/contrib-sys/ipfilter/BNF
# src/contrib-sys/ipfilter/HISTORY
# src/contrib-sys/ipfilter/IMPORTANT
[...]

-- 
Prof. Julian Assange  |If you want to build a ship, don't drum up people
                      |together to collect wood and don't assign them tasks
proff@suburbia.net    |and work, but rather teach them to long for the endless
proff@gnu.ai.mit.edu  |immensity of the sea. -- Antoine de Saint Exupery
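The posting ends with "write some better ones", meaning better than the permissive set mkfilters generates from the interface list. The ruleset below is an added example for this page, not part of proff's shar or of the rules/ directory it ships; it assumes a single external interface ed0 and a host address of 192.0.2.10 (both hypothetical) and uses only the ipf(5) syntax of that era: last match wins unless a rule says "quick", "keep state" for TCP and UDP, "with short" for truncated fragments, and "return-rst" for a polite refusal. Check any keyword against the ipf.5 page unpacked from the archive before loading it with "ipf -f".

```conf
# Added example ruleset for the ipfilter module described above.
# Hypothetical layout: external interface ed0, own address 192.0.2.10.

# Loopback is trusted; "quick" stops rule evaluation on match.
pass in  quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: nothing arriving on ed0 may claim to come from loopback,
# from this host's own address, or from RFC 1918 space.
block in log quick on ed0 from 127.0.0.0/8    to any
block in log quick on ed0 from 192.0.2.10/32  to any
block in log quick on ed0 from 10.0.0.0/8     to any
block in log quick on ed0 from 172.16.0.0/12  to any
block in log quick on ed0 from 192.168.0.0/16 to any

# Fragments too short to carry a full TCP header cannot be port-matched;
# drop them rather than let a later "pass" rule see them.
block in log quick on ed0 proto tcp all with short

# Default policy on the external interface: deny and log both directions.
# These rules are not "quick", so a later matching "pass quick" wins.
block in  log on ed0 all
block out log on ed0 all

# Connections this host originates: pass and keep state, so replies are
# admitted by the state table instead of by a blanket inbound rule.
pass out quick on ed0 proto tcp from 192.0.2.10/32 to any keep state
pass out quick on ed0 proto udp from 192.0.2.10/32 to any keep state

# ICMP: let our own probes out, admit only echo replies and unreachables.
pass out quick on ed0 proto icmp from 192.0.2.10/32 to any
pass in  quick on ed0 proto icmp from any to 192.0.2.10/32 icmp-type 0
pass in  quick on ed0 proto icmp from any to 192.0.2.10/32 icmp-type 3

# Inbound service: only SSH, and only an initial SYN may create state.
pass in quick on ed0 proto tcp from any to 192.0.2.10/32 port = 22 flags S keep state

# ident: refuse with RST so remote mail servers do not wait for a timeout.
block return-rst in quick on ed0 proto tcp from any to 192.0.2.10/32 port = 113
```

Load it in place of the mkfilters output ("ipf -f /etc/ipf.rules"), then confirm with "ipfstat -i -o" that the two default "block ... log" rules are present and that every "pass in" rule names a specific destination port. The "log" keyword matters for operations: ipmon(8) reads the logged blocks from /dev/ipl, which is where the evidence of a scan or a spoofed packet ends up.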