The FreeBSD Diary


Providing practical examples since 1998

Installing IP Filter 3.4.1
9 May 2000
Since this article was written, version 3.4.2 has been released.  That update includes a security advisory.  Please upgrade to version 3.4.2.

IP Filter 3.4.1 has recently been released.  The installation instructions for FreeBSD 4 are slightly different, but it is basically the same process as before.  This article merely documents that fact and describes how I installed it under FreeBSD 3.3-release.  These instructions should work for all subsequent versions of IP Filter.  If they do not, please add your comments.

Instructions for disabling ipfw/natd are also available here.

Getting IP Filter
ipf is included in FreeBSD, but I prefer to keep up to date, so I use the tarball from Darren Reed's website.

The main webpage for IP Filter is http://coombs.anu.edu.au/~avalon/.   And one of the best how-to guides for IP Filter is at http://www.obfuscation.org/ipf/.

I obtained the tarball from ftp://coombs.anu.edu.au/pub/net/ip-filter/.  I issued the following commands:

cd /usr/ports/net
fetch ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.4.1.tar.gz
tar xvfz ip_fil3.4.1.tar.gz
Installing
This version of the tarball will completely replace the ipf which comes with FreeBSD.   You don't have to worry about duplicate binaries any more.

To use ipf, you first compile ipf, and then create a new kernel which includes the ipf options.  In addition, I always use ipnat in conjunction with ipf.  In order for ipnat to work, you must include the kernel options for ipnat.  Be sure to do this before you recompile the kernel to include ipf.

To compile ipf 3.4.1, follow the instructions included with the tarball.   Here's what they look like:

# cd /usr/ports/net/ip_fil3.4.1/
# more FreeBSD-3/INST.FreeBSD-3
To build a kernel with the IP filter, follow these steps:

   1. do "make freebsd3"

[if you are installing under FreeBSD 4.*, you should type "make freebsd4" instead]

   2. do "make install-bsd"
      (probably has to be done as root)

   3. run "FreeBSD-3/kinstall" as root

[actually, I didn't do this, I did "FreeBSD-4.0/kinstall" instead]

   4. build a new kernel

   5. install the new kernel

   6. If not using DEVFS, create devices for IP Filter as follows:
                mknod /dev/ipl c 79 0
                mknod /dev/ipnat c 79 1
                mknod /dev/ipstate c 79 2
                mknod /dev/ipauth c 79 3

   7. reboot

Darren Reed
darrenr@pobox.com

I did not do step 6.

For step 4, see the Configuring the FreeBSD Kernel section in the FreeBSD handbook.   Pay special attention to the section on Building and Installing a Custom Kernel.

If you have included the IPFILTER_DEFAULT_BLOCK kernel option (which makes ipf block everything by default), you may see the following warning when you run config.  Ignore the warning.

# config -r DUCKY 
DUCKY:34: unknown option "IPFILTER_DEFAULT_BLOCK"
Don't forget to do a ``make depend''
Kernel build directory is ../../compile/DUCKY
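
The kernel options step above, as an added example (not from the original article or from the IP Filter distribution): a shell function that reads a kernel config file and reports whether IP Filter is compiled in and whether unmatched packets will be blocked or passed. IPFILTER and IPFILTER_LOG are FreeBSD kernel option names assumed here, since the article names only IPFILTER_DEFAULT_BLOCK; the sample config is constructed.

```sh
#!/bin/sh
# Added example: audit a FreeBSD kernel config for IP Filter options.
# IPFILTER and IPFILTER_LOG are FreeBSD kernel options not named in the
# article (assumption); IPFILTER_DEFAULT_BLOCK is the option it mentions.

# Print every option name set by an active "options" line, one per line.
# Strips comments and quotes, splits comma lists, drops "=value" parts.
list_kernel_options() {
    sed -e 's/#.*//' "$1" | awk '
        $1 == "options" {
            $1 = ""
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                name = parts[i]
                gsub(/[ \t"]/, "", name)
                sub(/=.*/, "", name)
                if (name != "") print name
            }
        }'
}

# Exit status: 0 = IPFILTER with default block (fails closed)
#              1 = IPFILTER present, unmatched packets pass (fails open)
#              2 = IPFILTER not configured, or file unreadable
check_ipf_kernel_config() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    _ipf_opts=$(list_kernel_options "$1")
    _has() { printf '%s\n' "$_ipf_opts" | grep -Fqx "$1"; }
    if ! _has IPFILTER; then
        echo "IPFILTER option not set"; return 2
    fi
    _has IPFILTER_LOG || echo "note: IPFILTER_LOG not set, packet logging disabled"
    if _has IPFILTER_DEFAULT_BLOCK; then
        echo "default policy: block"; return 0
    fi
    echo "default policy: pass (IPFILTER_DEFAULT_BLOCK not set)"; return 1
}

# Constructed sample config, not the author's DUCKY file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
machine   i386
ident     SAMPLE
options   INET                      # networking
options   IPFILTER, IPFILTER_LOG
#options  IPFILTER_DEFAULT_BLOCK    # commented out, so it does not count
EOF
rc=0; check_ipf_kernel_config "$sample" || rc=$?
echo "exit status: $rc"
rm -f "$sample"
```

Run it against the config file before "config" so that a commented-out or misspelled option is caught before the kernel is built and booted.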
That's it!
I rebuilt my kernel, rebooted, and I was away with IP Filter 3.4.1.  Very smooth.
