Date: Fri, 11 Apr 1997 07:03:42 +1000 (EST)
From: proff@suburbia.net
To: hackers@freebsd.org
Cc: security@freebsd.org
Subject: ipfilter-proff-final.shar.gz
Message-ID: <19970410210342.12123.qmail@suburbia.net>
ftp://ftp.freebsd.org/pub/FreeBSD/incoming/ipfilter-proff-final.shar.gz (112k)

I'm done. I've tested this release fairly heavily under both -current and
2.2.1 and am happy with it. I have heavy time constraints for the next few
weeks/months, and I know avalon is facing similar difficulties. I'm handing
over the torch to another bearer. What remains to be done (CVS maintenance
only -- those just wanting to use the code don't need to worry about any of
this) is:

1) A new cvs module src/contrib-sys needs to be created
2) src/sys-contrib/ipfilter needs to be imported as a new vendor branch
   (I'm gambling that all my changes in that tree or some corrupted variant
   thereof will make it into Darren's public release :)
3) src/sbin/ipf and src/lkm/if_ipf need to be imported.
4) src/sys/netinet/{fil.c,ip_compat.h,ip_fil.[ch],ip_frag.[ch],
   ip_nat.[ch],ip_state.[ch]} can be Attic'ed :)
5) src/contrib/ipfilter can be zorched

-Julian

# This archive contains:
#
# src/ipfilter-proff-README
# src/etc-ipfilter-proff.diff
# src/sys-ipfilter-proff-2.2.1.diff
# src/sys-ipfilter-proff-current-970411.diff
# src/contrib-sys
# src/contrib-sys/ipfilter
# [...]
# src/lkm/if_ipf
# src/lkm/if_ipf/Makefile
# src/sbin/ipf
# src/sbin/ipf/ipfstat
# src/sbin/ipf/ipfstat/Makefile
# src/sbin/ipf/ipftest
# src/sbin/ipf/ipftest/Makefile
# src/sbin/ipf/Makefile
# src/sbin/ipf/Makefile.inc
# src/sbin/ipf/mkfilters
# src/sbin/ipf/mkfilters/Makefile
# src/sbin/ipf/ipf
# src/sbin/ipf/ipf/Makefile
# src/sbin/ipf/ipmon
# src/sbin/ipf/ipmon/Makefile
# src/sbin/ipf/ipnat
# src/sbin/ipf/ipnat/Makefile
# [...]

Unpack the three new source trees and two patch files:

    root@paranoia# cd /usr
    root@paranoia# unshar </tmp/ipfilter.shar

Patch the sys tree - quite tiny really.

  For -current dated on or around April 11 1997:

    root@paranoia# patch <src/sys-ipfilter-proff-current-970411.diff

  For FreeBSD-2.2.1 (and probably 2.2 also):

    root@paranoia# patch <src/sys-ipfilter-proff-2.2.1.diff

If you have the /usr/src/etc tree:

    root@paranoia# patch <src/etc-ipfilter-proff.diff
    root@paranoia# cp src/etc/etc.i386/MAKEDEV /dev
    root@paranoia# cd /dev
    root@paranoia# ./MAKEDEV ipl ipnat ipstate

else:

    root@paranoia# cd /dev
    root@paranoia# mknod ipl c 79 0
    root@paranoia# mknod ipnat c 79 1
    root@paranoia# mknod ipstate c 79 2

If you use devfs for /dev you can ignore the device creation above -
the new module loading code will do it for you.

Compile and install the user-land code:

    root@paranoia# cd /usr/src/sbin/ipf
    root@paranoia# make && make install

Compile and install the kernel module:

    root@paranoia# cd /usr/src/lkm/if_ipf
    root@paranoia# make && make install

Add the following to your kernel configuration:

    # new IPFILTER firewall
    # you need to have the src/contrib-sys tree installed to compile
    # kernel support for the in-kernel version.
    #options IPFILTER        #in-kernel version
    options IPFILTER_LKM     #module version
    options IPFILTER_LOG     #support logging (in-kernel)

Make sure you have DEVFS support turned on in your kernel configuration,
or you will need to comment out the -DDEVFS in src/lkm/if_ipf/Makefile.

If you want the in-kernel version instead (it has no advantage):

  Un-comment:

    #options IPFILTER

  and comment out:

    options IPFILTER_LKM

Re-config(8), recompile, install and boot the new kernel.

If you are running the loadable-module version, load the module:

    root@paranoia# modload /lkm/if_ipf_mod.o

  see if it worked:

    root@paranoia# modstat

If you are running the in-kernel version:

    root@paranoia# dmesg | grep -i ipf

Create some test firewall rules:

    root@paranoia# mkfilters | tee /tmp/basic-filters

Load them in:

    root@paranoia# ipf -f /tmp/basic-filters

Re-examine:

    root@paranoia# ipfstat -i -o

Write some better ones:

    root@paranoia# man 5 ipf

--
Prof. Julian Assange  |If you want to build a ship, don't drum up people
                      |together to collect wood and don't assign them tasks
proff@suburbia.net    |and work, but rather teach them to long for the endless
proff@gnu.ai.mit.edu  |immensity of the sea. -- Antoine de Saint Exupery
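Added here as a pre-config(8) check, not part of Julian's mail or of the ipfilter sources: a small sh script that validates the IPFILTER lines of a kernel config fragment against the constraints the README states (enable IPFILTER or IPFILTER_LKM, not both; IPFILTER_LOG only matters in-kernel; the module build wants DEVFS for its -DDEVFS), and flags any other IPF* option name as a likely misspelling. The two sample fragments are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original mail): sanity-check the IPFILTER
# options in a FreeBSD kernel config fragment before running config(8),
# using the constraints the README above states.

# True when an uncommented "options NAME" line is present in the text $1.
opt_enabled() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|$)"
}

# Report problems on stderr; return the number of hard errors found.
check_ipf_config() {
    cfg=$1
    errs=0
    if opt_enabled "$cfg" IPFILTER && opt_enabled "$cfg" IPFILTER_LKM; then
        echo "error: IPFILTER and IPFILTER_LKM both enabled; pick one" >&2
        errs=$((errs + 1))
    elif ! opt_enabled "$cfg" IPFILTER && ! opt_enabled "$cfg" IPFILTER_LKM; then
        echo "error: neither IPFILTER nor IPFILTER_LKM is enabled" >&2
        errs=$((errs + 1))
    fi
    if opt_enabled "$cfg" IPFILTER_LOG && ! opt_enabled "$cfg" IPFILTER; then
        echo "warning: IPFILTER_LOG only affects the in-kernel version" >&2
    fi
    if opt_enabled "$cfg" IPFILTER_LKM && ! opt_enabled "$cfg" DEVFS; then
        echo "warning: no DEVFS; drop -DDEVFS from src/lkm/if_ipf/Makefile" >&2
    fi
    # Any other IPF* option name is almost certainly a misspelling.
    bad=$(printf '%s\n' "$cfg" | awk '
        /^[ \t]*options[ \t]+IPF/ && $2 !~ /^(IPFILTER|IPFILTER_LKM|IPFILTER_LOG)$/ {
            print "error: unknown option " $2 " (misspelled IPFILTER?)" > "/dev/stderr"
            n++
        }
        END { print n + 0 }')
    errs=$((errs + bad))
    return $errs
}

# Constructed sample fragments, not taken from the mail.
GOOD_LKM='options DEVFS
options IPFILTER_LKM    #module version
#options IPFILTER       #in-kernel version'
BAD_BOTH='options IPFILTER
options IPFILTER_LKM
options IPFITLER_LOG'

if check_ipf_config "$GOOD_LKM"; then echo "module config: ok"; fi
if check_ipf_config "$BAD_BOTH"; then :; else echo "mixed config: rejected"; fi
```

The exit status is the number of hard errors, so the script drops straight into a build script as a gate before config(8).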