Bugtraq mailing list archives
[ANNOUNCE]: ipfilter for FreeBSD2.2.x + FreeBSD3.0-current
From: proff () SUBURBIA NET (Julian Assange)
Date: Mon, 14 Apr 1997 00:20:03 +1000
Darren Reed and contributors' excellent firewall software, ipfilter, is now
available for FreeBSD2.2/3.0-current.

The IP packet filter can:

    o explicitly deny/permit any packet from passing through
    o distinguish between various interfaces
    o filter by IP networks or hosts
    o selectively filter any IP protocol
    o selectively filter fragmented IP packets
    o selectively filter packets with IP options.
    o send back an ICMP error/TCP reset for blocked packets
    o keep packet state information for TCP, UDP and ICMP packet flows.
    o keep fragment state information for any IP packet, applying the
      same rule to all fragments.
    o act as a Network Address Translator (NAT)
    o use redirection to set up true transparent proxy connections.

Special provision is made for the three most common Internet protocols,
TCP, UDP and ICMP. The IP Packet filter allows filtering of:

    o TCP/UDP packets by port number or a port number range
    o ICMP packets by type/code
    o "established" TCP packets
    o on any arbitrary combination of TCP flags
    o "short" (fragmented) IP packets with incomplete headers can be filtered
    o any of the 19 IP options or 8 registered IP security classes
    o TOS (Type of Service) field in packets

FreeBSD version available from:

    ftp://suburbia.net/pub/proff/ipfilter-proff-final2.shar.gz
    ftp://ftp.freebsd.org/pub/FreeBSD/incoming/ipfilter-proff-final2.shar.gz

Original:

    http://cheops.anu.edu.au/~avalon

Note that while I (Julian Assange) have fixed various bugs originally found
in ipfilter3.2a4, I don't guarantee that this version is bug free, and
Darren certainly doesn't, not having had an opportunity to test my changes
fully.

-Julian <proff () suburbia net>

# The archive contains:
#
# ipfilter-proff-README
# sys-ipfilter-proff-2.2.1.diff
# sys-ipfilter-proff-current-970411.diff
# lkm/if_ipf
# lkm/if_ipf/Makefile
# sbin/ipf
# sbin/ipf/ipfstat
# sbin/ipf/ipfstat/Makefile
# sbin/ipf/ipftest
# sbin/ipf/ipftest/Makefile
# sbin/ipf/Makefile
# sbin/ipf/Makefile.inc
# sbin/ipf/mkfilters
# sbin/ipf/mkfilters/Makefile
# sbin/ipf/ipf
# sbin/ipf/ipf/Makefile
# sbin/ipf/ipmon
# sbin/ipf/ipmon/Makefile
# sbin/ipf/ipnat
# sbin/ipf/ipnat/Makefile
# contrib-sys
# contrib-sys/ipfilter
# contrib-sys/ipfilter/cflow
# contrib-sys/ipfilter/snoop.h
# contrib-sys/ipfilter/man
# [..]

Unpack the new source trees and patch files:

    root@paranoia# cd /usr
    root@paranoia# unshar </tmp/ipfilter.shar

Patch the sys tree - quite tiny really.

For -current dated on or around April 11 1997:

    root@paranoia# patch <src/sys-ipfilter-proff-current-970411.diff

For FreeBSD-2.2.1 (and probably 2.2 also):

    root@paranoia# patch <src/sys-ipfilter-proff-2.2.1.diff

If you have the /usr/src/etc tree:

    root@paranoia# patch <src/etc-ipfilter-proff.diff
    root@paranoia# cp src/etc/etc.i386/MAKEDEV /dev
    root@paranoia# cd /dev
    root@paranoia# ./MAKEDEV ipl ipnat ipstate

else:

    root@paranoia# cd /dev
    root@paranoia# mknod ipl c 79 0
    root@paranoia# mknod ipnat c 79 1
    root@paranoia# mknod ipstate c 79 2

If you use devfs for /dev you can ignore the device creation above - the
new module loading code will do it for you.

Compile and install the user-land code:

    root@paranoia# cd /usr/src/sbin/ipf
    root@paranoia# make && make install

Compile and install the kernel module:

    root@paranoia# cd /usr/src/lkm/if_ipf
    root@paranoia# make && make install

Add the following to your kernel configuration:

    # new IPFILTER firewall
    # you need to have the src/contrib-sys tree installed to compile
    # kernel support for the in-kernel version.

    #options    IPFILTER        #in-kernel version
    options     IPFILTER_LKM    #module version
    options     IPFILTER_LOG    #support logging (in-kernel)

Make sure you have DEVFS support turned on in your kernel configuration, or
you will need to comment out the -DDEVFS in src/lkm/if_ipf/Makefile

If you want the in-kernel version instead (it has no advantage):

Un-comment:

    #options    IPFILTER

and comment out:

    options     IPFILTER_LKM

Re-config(8), recompile, install and boot the new kernel.

If you are running the loadable-module version, load the module:

    root@paranoia# modload /lkm/if_ipf_mod.o

see if it worked:

    root@paranoia# modstat

If you are running the in-kernel version:

    root@paranoia# dmesg | grep -i ipf

Create some test firewall rules:

    root@paranoia# mkfilters | tee /tmp/basic-filters

Load them in:

    root@paranoia# ipf -f /tmp/basic-filters

Re-examine:

    root@paranoia# ipfstat -i -o

Write some better ones:

    root@paranoia# man 5 ipf

--
Prof. Julian Assange   |If you want to build a ship, don't drum up people
                       |together to collect wood and don't assign them tasks
proff () suburbia net  |and work, but rather teach them to long for the endless
proff () gnu ai mit edu|immensity of the sea. -- Antoine de Saint Exupery
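As an added example (not part of the announcement above, and not Darren Reed's or Julian Assange's code), here is a small ipf(5) ruleset of the kind "man 5 ipf" lets you write, exercising the features the announcement lists: short-fragment and IP-option filtering, state keeping for TCP/UDP/ICMP, and a TCP reset or ICMP error for blocked traffic. The interface name ed0 and the network 192.168.1.0/24 are assumed sample values; check each keyword against the installed man page, since the syntax here follows the 3.x ipf(5) grammar as I recall it.

```text
# Example ipf rules for a host on interface ed0 (assumed name).
# 192.168.1.0/24 is a constructed sample network; .1 is this host.
# Rules are evaluated top to bottom; "quick" stops at the first match.

# Fragments too short to carry a full header, and packets carrying IP
# options, are dropped on every interface and logged (read with ipmon).
block in log quick all with short
block in log quick all with ipopts

# Never filter loopback.
pass in quick on lo0 all
pass out quick on lo0 all

# Outbound traffic the host originates. "keep state" lets the replies
# back in without an explicit inbound rule; "keep frags" applies the
# same verdict to later fragments of the same datagram.
pass out quick on ed0 proto tcp from 192.168.1.0/24 to any keep state
pass out quick on ed0 proto udp from 192.168.1.0/24 to any keep state keep frags
pass out quick on ed0 proto icmp from 192.168.1.0/24 to any keep state

# Inbound: only new SSH connections to this host (SYN set, ACK clear),
# tracked as state so the rest of the flow needs no further rule.
pass in quick on ed0 proto tcp from any to 192.168.1.1/32 port = 22 flags S/SA keep state

# Everything else inbound is refused. TCP gets a RST and UDP an ICMP
# error so legitimate clients fail fast; anything else is dropped.
block return-rst in log quick on ed0 proto tcp from any to any
block return-icmp in log quick on ed0 proto udp from any to any
block in log quick on ed0 all
```

Load it with "ipf -f" as in the steps above and compare "ipfstat -i -o" against the file to confirm every rule was accepted.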