Date: Thu, 10 Apr 1997 23:02:01 +1000 (EST)
From: proff@suburbia.net
To: hackers@freebsd.org
Cc: security@freebsd.org
Subject: ipfilter-proff.shar backported to 2.2.1
Message-ID: <19970410130201.4665.qmail@suburbia.net>

I have uploaded an updated version of ipfilter-proff.shar as
ftp://ftp.FreeBSD.org/pub/FreeBSD/incoming/ipfilter.shar.gz. This latter
version corrects two tiny Makefile bugs (in relation to man page creation),
and adds support for FreeBSD-2.2.

--

I've addressed what I consider all outstanding issues with ipfilter for
FreeBSD as one can without stepping on too many toes. This is a complete
make worldable build system. /usr/src/contrib/ipfilter can be, and should be
zorched after this shar unpacks (presuming you were running current).

Unpack the three new source trees and two patch files:

	root@paranoia# cd /usr
	root@paranoia# unshar </tmp/ipfilter.shar

Patch the sys tree - quite tiny really.

For -current dated on or around April 10 1997:

	root@paranoia# patch <src/sys-ipfilter-proff-current-970310.diff

For FreeBSD-2.2.1 (and probably 2.2 also)

	root@paranoia# patch <src/sys-ipfilter-proff-2.2.1.diff

If you have the /usr/src/etc tree:

	root@paranoia# patch <src/etc-ipfilter-proff.diff
	root@paranoia# cp src/etc/etc.i386/MAKEDEV /dev
	root@paranoia# cd /dev
	root@paranoia# ./MAKEDEV ipl ipnat ipstate

else:

	root@paranoia# cd /dev
	root@paranoia# mknod ipl c 79 0
	root@paranoia# mknod ipnat c 79 1
	root@paranoia# mknod ipstate c 79 2

If you use devfs for /dev you can ignore the device creation above - the new
module loading code will do it for you.

Compile and install the user-land code:

	root@paranoia# cd /usr/src/sbin/ipf
	root@paranoia# make && make install

Compile and install the kernel module:

	root@paranoia# cd /usr/src/lkm/if_ipf
	root@paranoia# make && make install

Add the following to your kernel configuration:

	# new IPFILTER firewall
	# you need to have the src/contrib-sys tree installed to compile
	# kernel support for the in-kernel version.
	#options IPFILTER		#in-kernel version
	options IPFILTER_LKM		#module version
	options IPFILTER_LOG		#support logging (in-kernel)

Make sure you have DEVFS support turned on in your kernel configuration, or
you will need to comment out the -DDEVFS in src/lkm/if_ipf/Makefile

If you want the in-kernel version instead (it has no advantage):

Un-comment:

	#options IPFILTER

and comment out:

	options IPFILTER_LKM

Re-config(8), recompile, install and boot the new kernel.

If you are running the loadable-module version, load the module:

	root@paranoia# modload /lkm/if_ipf_mod.o

See if it worked:

	root@paranoia# modstat

If you are running the in-kernel version:

	root@paranoia# dmesg | grep -i ipf

Create some test firewall rules:

	root@paranoia# mkfilters | tee /tmp/basic-filters

Load them in:

	root@paranoia# ipf -f /tmp/basic-filters

Re-examine:

	root@paranoia# ipfstat -i -o

Write some better ones:

	root@paranoia# man 5 ipf

--
Prof. Julian Assange  |If you want to build a ship, don't drum up people
                      |together to collect wood and don't assign them tasks
proff@suburbia.net    |and work, but rather teach them to long for the endless
proff@gnu.ai.mit.edu  |immensity of the sea. -- Antoine de Saint Exupery