Date:      Thu, 10 Apr 1997 23:02:01 +1000 (EST)
From:      proff@suburbia.net
To:        hackers@freebsd.org
Cc:        security@freebsd.org
Subject:   ipfilter-proff.shar backported to 2.2.1
Message-ID:  <19970410130201.4665.qmail@suburbia.net>


I have uploaded an updated version of ipfilter-proff.shar as

	ftp://ftp.FreeBSD.org/pub/FreeBSD/incoming/ipfilter.shar.gz.

This latter version corrects two tiny Makefile bugs (in relation
to man page creation), and adds support for FreeBSD-2.2.

--

I've addressed what I consider all outstanding issues with ipfilter
for FreeBSD as one can without stepping on too many toes. This is a
complete make worldable build system.  /usr/src/contrib/ipfilter
can be, and should be zorched after this shar unpacks (presuming
you were running current).

Unpack the three new source trees and two patch files:

	root@paranoia# cd /usr
	root@paranoia# unshar </tmp/ipfilter.shar

Patch the sys tree - quite tiny really.

  For -current dated on or around April 10 1997:

	root@paranoia# patch <src/sys-ipfilter-proff-current-970310.diff

  For FreeBSD-2.2.1 (and probably 2.2 also)

	root@paranoia# patch <src/sys-ipfilter-proff-2.2.1.diff

If you have the /usr/src/etc tree:

	root@paranoia# patch <src/etc-ipfilter-proff.diff
	root@paranoia# cp src/etc/etc.i386/MAKEDEV /dev
	root@paranoia# cd /dev
	root@paranoia# ./MAKEDEV ipl ipnat ipstate

else:

	root@paranoia# cd /dev
	root@paranoia# mknod ipl c 79 0
	root@paranoia# mknod ipnat c 79 1
	root@paranoia# mknod ipstate c 79 2

If you use devfs for /dev you can ignore the device creation above -
the new module loading code will do it for you.

Compile and install the user-land code:

	root@paranoia# cd /usr/src/sbin/ipf
	root@paranoia# make && make install

Compile and install the kernel module:

	root@paranoia# cd /usr/src/lkm/if_ipf
	root@paranoia# make && make install

Add the following to your kernel configuration:

	# new IPFILTER firewall
	# you need to have the src/contrib-sys tree installed to compile
	# kernel support for the in-kernel version.
	#options	IPFILTER		#in-kernel version
	options		IPFILTER_LKM		#module version
	options		IPFILTER_LOG		#support logging (in-kernel)

Make sure you have DEVFS support turned on in your kernel configuration,
or you will need to comment out the -DDEVFS in src/lkm/if_ipf/Makefile

If you want the in-kernel version instead (it has no advantage):

  Un-comment:

	#options IPFILTER

  and comment out:

	options IPFILTER_LKM


Re-config(8), recompile, install and boot the new kernel.

If you are running the loadable-module version, load the module:

	root@paranoia# modload /lkm/if_ipf_mod.o

  see if it worked:

	root@paranoia# modstat

If you are running the in-kernel version:

	root@paranoia# dmesg | grep -i ipf

Create some test firewall rules:

	root@paranoia# mkfilters | tee /tmp/basic-filters

Load them in:

	root@paranoia# ipf -f /tmp/basic-filters

Re-examine:

	root@paranoia# ipfstat -i -o

Write some better ones:

	root@paranoia# man 5 ipf


--
Prof. Julian Assange  |If you want to build a ship, don't drum up people
		      |together to collect wood and don't assign them tasks
proff@suburbia.net    |and work, but rather teach them to long for the endless
proff@gnu.ai.mit.edu  |immensity of the sea. -- Antoine de Saint Exupery
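An added example of the kind of "better" ruleset the message points at (not part of the original post or of the ipfilter distribution): a default-deny ipf(5) ruleset with logging and stateful outbound traffic. The interface name ed0 and the 192.0.2.0/24 administrative network are assumed placeholders; substitute your own.

```conf
# Example ipf(5) ruleset (added illustration, not from the original message).
# Assumptions: external interface is ed0; 192.0.2.0/24 is the admin network.

# Default policy: drop and log everything not explicitly passed below.
block in log all
block out log all

# Loopback traffic is always allowed.
pass in quick on lo0 all
pass out quick on lo0 all

# Outbound connections from this host: allow and keep state so the
# replies are passed without needing an inbound rule per service.
pass out quick on ed0 proto tcp from any to any flags S keep state
pass out quick on ed0 proto udp from any to any keep state
pass out quick on ed0 proto icmp from any to any keep state

# Inbound: only SSH from the admin network, only new connections (SYN),
# with state kept for the rest of the session.
pass in quick on ed0 proto tcp from 192.0.2.0/24 to any port = 22 flags S keep state

# Everything else inbound falls through to the logged block above.
```

Check the syntax without activating anything with `ipf -n -f /tmp/rules`, then load with `ipf -f /tmp/rules` and review with `ipfstat -i -o` as in the steps above; logged blocks show up via /dev/ipl (ipmon) once IPFILTER_LOG is compiled in.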