Date: Tue, 21 May 1996 17:44:09 -0700 (PDT)
From: ja <joseph@joseph.dswnet.com>
To: Dave Hartzell <hartzeld@cc.sdstate.edu>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: FreeBSD built in firewall
Message-ID: <Pine.BSF.3.91.960521174217.7920G-200000@joseph.dswnet.com>
In-Reply-To: <199605212057.NAA29064@freefall.freebsd.org>
[-- Attachment #1 --]

I have used ip_fil3.04 Beta. It works. I have included the history. Has
info on structure and usage and stuff.

Joseph Altea
Senior Systems Engineer
Data Systems West, Enterprise Solutions

On Tue, 21 May 1996, Dave Hartzell wrote:

> Has anyone used the FreeBSD built in firewall? I am looking at using it,
> because it does everything (not much) that I need to do.
>
> How well does it work? Is it slow?
>
> Thanks.
>

[-- Attachment #2 --]

#
# NOTE: Quite a few patches and suggestions come from other sources, to whom
# I'm greatly indebted, even if no names are mentioned.
#
# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the
# loan of a machine to work on a Solaris 2.x port of this software.
#

3.0.4beta 25/3/96 - Released
    wouldn't parse "keep flags keep state" correctly.
    SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address
      - Nigel Verdon
    patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian
    systems from Thorsten Lockert <tholo@tetherless.com>
    b* functions in fil.c on Solaris 2.4

3.0.3 17/3/96 - Released
    added patches to support IP Filter initialisation when compiled into
    the kernel.
    added -x option to ipmon to display hex dumps of logged packets.
    added -H option to ipftest to allow ascii-hex formatted input to
    specify arbitrary IP packets.
    Sending TCP RSTs as a response now work for Solaris2 x86
    add patches to make IP Filter compile into NetBSD kernels properly.
    patch to stop SunOS 4.1.x kernels panicking with "data traps".
    ipfboot script unloads and reloads ipf module on Solaris2 if it is
    already loaded into the kernel.
    Installation of IP Filter as a Solaris2 package is now supported.
    Man pages for ipnat.4, ipnat.5 added.
    added some more regression tests and fixed up IP Filter to pass the
    new tests (previous versions failed some of the tests in set 12).
    IP option filter processing has changed so that saying "with opt lsrr"
    will check only for that one, but not mask out other options, so a
    packet with strict source routing, along with loose source routing
    will match all of "with opt lsrr", "with opt ssrr" and
    "with opt lsrr,ssrr".
    IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com)
    patches for clean NetBSD compilation from Bernd Ernesti
    (bernd@arresum.inka.de)
    make install is incorrect - Julian Briggs (julian@lightwork.co.uk)
    strtol() returns 0x7fffffff for all negative numbers, printfr()
    generates incorrect output for "opt sec-class *", handling of
    "not opt xxx opt yyy" incorrect.
      - Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com)
    m_pullup() called only for input and not output; caused problems with
    filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com)
    parsing problem for "port 1" and NetBSD patches incorrect
      - Andreas Gustafsson (gson@guava.araneus.fi)

3.0.2 4/2/96 - Released
    Corrected bug where NAT recalculates checksums for fragments.
    make NAT recalculate UDP checksums (rather than setting them to 0),
    if they're non-zero.
    DNS patches - Real Page (Real.Page@Matrox.com)
    alteration of checksum recalculations in NAT code and addition of
    redirection with NAT - Mike Neuman
    core dump, if tcp/udp is used with a port number and not service
    name, in ipf - Mike Neuman (mcn@engarde.com)
    initparse() call, missing to prime "<thishost>" hook - Craig Bishop

3.0.1 14/1/96 - Released
    miscellaneous patches for Solaris2

3.0 14/1/96 - Released
    Patch included for FDDI, from Richard Ohnemus
    (Richard_Ohnemus@dallas.csd.sterling.com)
    Code cleanup for release.

3.0beta4 10/1/96
    recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop
    recursive mutex in sending TCP RSTs fixed, reported by Tony Becker

3.0beta3 9/1/96
    Fixup for Solaris2.5 install and interface name bug in ipftest from
    Julian Briggs (julian@lightwork.co.uk)
    Byte order patches for ipmon from Tony Becker (tony@mcrsys.com)

3.0beta2 7/1/96
    Added the (somewhat warped) IP accounting as it exists in ipfw on
    FreeBSD. Note, this isn't really what one would call IP accounting,
    when compared to process accounting, sigh.
    Split up ipresend into iptest/ipresend/ipsend
    Added another m_pullup() inside fr_check() for BSD style kernels and
    added some checks to ipllog() to not log more than is present (for
    short packets).
    Fixed bug where failed hostname/netname resolution goes undetected
    and becomes 0.0.0.0 (any) (reported Guido van Rooij)

3.0beta 11/11/95 - Released
    Rewrote the way rule testing is done, reducing the number of files
    needed and generated.
    SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green)
    Patches from Guido van Rooij to fix sending back TCP RSTs on
    Net-2/Net-3 BSD based Unixes (panic'd)
    Patches for FreeBSD/i86 ipmon from Riku Kalinen <riku@tequila.nixu.fi>
    (I think someone else already told me about these but they got
    lost :-/)
    Changed Makefile structure to build object files for different
    operating systems in separate directories by default.
    BSDI has ef0 for first ethernet interface
    Allow for a "not" operator before optional keywords.
    The "rule number" was being incorrectly incremented every time it
    went through the loop rather than when it matched a rule.

2.8.2 24/10/95 - Released
    Fixed up problems with "textip" for doing lots of testing.
    Fixed bug in detection of "short" tcp/ip packets (all reported as
    being short).
    Solaris 2.4 port now works 100%.
    Man page errors reported and fixed.
    Removed duplicate entry in etc/services for login on port 49
    (Craig Bishop).
    Fixed ipmon output to put a space after the log-letter.
    Patch from Guido van Rooij to fix parsing problem.

2.8.1 15/10/95 - Released
    Added ttl and tos filtering.
    Patches for fixing up compilation and port problems (little endian)
    from Guido van Rooij <guido@IAEhv.nl>.
    Man page problems reported and fixed by Carson Gaspar
    <carson@lehman.com>.
    ipsend doesn't compile properly on Solaris2.4
    Lots of work done for Solaris2.4 to make it MT/MP safe and work.

2.8 15/9/95 - Released
    ipmon can now send messages to syslogd (-s) and use names instead of
    numbers (-N).
    IP packets are now "compiled" into a structure only containing
    filterable bits.
    Added regression testing in the test/ subdirectory, using a new
    option (-b) with the ipftest program.
    Added "nomatch" return to filter results. These are counted and show
    up in reports from ipfstat.
    Moved filter code out of ip_fil.c and into fil.c - there is now only
    one instance of it in the package.
    Added Solaris 2.4 support.
    Added IPSO basic security option filtering.
    Added name support for filtering on all 19 named IP options.
    Patches from Ivan Brawley to log packet contents as well as packet
    headers.
    Update for sun/conf.c.diff from Ivan Brawley <ibrawley@awadi.com.AU>
    Added patches for FreeBSD 1, and added two new switches (-E, -D) to
    ipf, along with a new ioctl, SIOCFRENB.
    From: Dieter Dworkin Muller <dworkin@village.org>

2.7.3 31/7/95 - Released
    Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green).
    ipftest now deals with tcpdump3 binary output files (from libpcap)
    with -P.
    Brought ipftest program up to date with actual filter code.
    Filter would cause a match to occur when it wasn't meant to if the
    packet had short headers and was missing portions that should have
    been there. Err, it would rightly not match on them, but their
    absence caused a match when it shouldn't have been.

2.7.2 26/7/95 - Released
    Problem with filtering just SYN flagged packets reported by Dieter
    Dworkin Muller <dworkin@village.org>. To solve this problem, added
    support for masking TCP flags for comparison "flags X/Y".

2.7.1 9/7/95 - Released
    Added ip_dirbroadcast support for Sun ip_input.c
    Fixed up the install scripts for FreeBSD/NetBSD to recognise where
    they are better.

2.7 7/7/95 - Released
    Added "return-rst" to return TCP RST's to TCP packets.
    Actually ported it to FreeBSD-i386 2.0.0, so it works there properly
    now.
    Added insertion of filter rules. Use "@<#>" at the beginning of a
    filter to insert a rule at row #.
    Filter keeps track of how many times each rule is matched.
    Changed compile time things to match kernel option (IPFILTER_LKM &
    IPFILTER_LOG).
    Updated ip_input.c and ip_output.c with patches for 3.5 Multicast IP.
    (No change required for 3.6)
    Now includes TCP fragments which start inside the TCP header as being
    short.
    Added counting the number of times each rule is matched.

2.6 11/5/95 - Released
    Added -n option to ipf: when supplied, no changes are made to the
    kernel.
    Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI.
    Rewrote filtering to use a more generic mask & match procedure for
    checking if a packet matches a rule.

2.5.2 27/4/95 - Released
    "tcp/udp" and a non-initialised pointer caused the "proto" to become
    a `random' value; added "ip#/dotted.mask" notation to the BNF.
    From Adam W. Feigin <feigin@iis.ee.ethz.ch>

2.5.1 22/3/95 - Released
    "tcp/udp" had a strange effect (undesired) on getserv*() functions,
    causing protocol/service lookups to fail. Reported by Matthew Green.

2.5 17/3/95 - Released
    Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop
    output through the ipftest program.
    Suggestions from: Michael Ciavarella (mikec@phyto.apana.org.au)
    Conflicts occur when "general" filter rules are used for ports and the
    lack of a "proto" when used with "port" matches other packets when
    only TCP/UDP are implied. Reported Matthew Green (mrg@fulcom.com.au);
    reported & fixed 6-8/3/95
    Added filtering of short TCP packets using "with short" 28/2/95
    (These can possibly slip by checks for the various flags). Short UDP
    or ICMP are dropped to the floor and logged.
    Added filtering of fragmented packets using "with frag" 24/2/95
    Port to NetBSD-current completed 20/2/95, using LKM.
    Added logging of the rule # which caused the logging to happen and
    the interface on which the packet is currently as suggested by
    Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95

2.4 9/2/95 - Released
    Fixed saving of IP headers in ICMP packets.

2.3 29/1/95
    Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL).
    Fixed iplread() and iplsave() with help from Marc Huber.

2.2 7/1/95 - Released
    Added code from Marc Huber <huber@fzi.de> to allow it to allocate its
    own major char number dynamically when modload'ing.
    Fixed up use of <, >, <=, >= and >< for ports.

2.1 21/12/94 - Released
    repackaged to include the correct ip_output.c and ip_input.c *goof*

2.0 18/12/94 - Released
    added code to check for port ranges - complete.
    rewrote to work as a loadable kernel module - complete.

1.1
    added code for output filtering as well as input filtering and added
    support for logging to a simple character device of packet headers.

1.0 22/04/93 - Released
    First release cut.
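As an added illustration, not part of Joseph's message or of the IP Filter distribution, the following ipf ruleset exercises the rule syntax the HISTORY file above introduces: "with short" and "with frag", "with opt lsrr"/"with opt ssrr", "flags X/Y", "keep state", "return-rst" and the "><" port operator. The interface name ed0, the 192.168.1.0/24 network and the 192.168.1.10 mail host are assumptions chosen for the example.

```text
# ipf ruleset (example only). Interface ed0, network 192.168.1.0/24 and
# host 192.168.1.10 are assumed for this illustration.
# ipf evaluates rules top to bottom and the LAST matching rule wins,
# unless a rule carries "quick", which stops evaluation at that rule.

# Default policy: block and log everything inbound that nothing below
# explicitly passes.
block in log on ed0 from any to any

# "with short" (2.5): packets too short to carry a full TCP/UDP/ICMP header
# cannot have their flags or ports checked reliably, so drop them first.
# "with frag" (2.4): the same reasoning applies to fragments.
block in log quick on ed0 from any to any with short
block in log quick on ed0 from any to any with frag

# "with opt lsrr" (3.0.3 behaviour) matches any packet carrying loose source
# routing even when other options are present, so strict source routing
# needs its own rule to be caught as well.
block in log quick on ed0 from any to any with opt lsrr
block in log quick on ed0 from any to any with opt ssrr

# "flags S/SA" (2.7.2): mask the TCP flags with S and A before comparing,
# so only a pure SYN (new connection) matches; SYN+ACK does not.
# "keep state" (3.0.4beta): later packets of the accepted connection are
# passed by the state table without needing further rules.
pass in quick on ed0 proto tcp from any to 192.168.1.10/32 port = 25 flags S/SA keep state

# "port 5999 >< 6011" (2.2) is the exclusive range 6000..6010, i.e. X11.
# "return-rst" (2.7) answers with a TCP RST instead of silently dropping,
# so the client fails immediately rather than timing out.
block return-rst in log quick on ed0 proto tcp from any to any port 5999 >< 6011

# Outbound TCP from the inside network, with state so the replies come back.
pass out quick on ed0 proto tcp from 192.168.1.0/24 to any keep state
```

Rules can be checked without touching the kernel using the -n option added in 2.6, and the existing set flushed with the -F option from 2.3 before a new one is loaded.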
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.960521174217.7920G-200000>
