IP Filter – second time around

This article is now outdated.  For FreeBSD 3.* and ipf 3.3.3, see Installing IP Filter 3.3.3

This diary note
describes how I installed IP Filter for the second time.   I strongly
suggest you follow the instructions within INST.FreeBSD-2.2 in conjunction with
my detailed steps from my original IP Filter installation.

See also IP Filter – an alternative firewall and NAT to ipfw/natd.

This is the second time I’ve tried IP Filter.  I had trouble getting
traceroute.  I’ve been using the latest beta of IP Filter and doing some
testing with the help of the author.  Darren has fixed the trace problem I initially
encountered.   The utility I was using to do a trace used short packets which were
being removed by the "block in log quick all with short" rule.  This fix
will be available with IP Filter 3.2.10.

Installation

You should follow the instructions found within INST.FreeBSD-2.2.

This time, I followed the same instructions I used in the original install,
except that I did not build a new kernel, as that step had already been done
during the original install.  In short, I did the following.

  1. cd /usr/ports/net
  2. gunzip ip_fil3.2.10beta.tgz
  3. tar -xvf ip_fil3.2.10beta.tar
  4. cd ip_fil3.2.10beta6
  5. make freebsd22 IPFILKERN=<kernel_name>
  6. make install-bsd

NOTE: in step 5, substitute your kernel name for <kernel_name>.  See the original install for details.

The following command shows the name of your present kernel:

su-2.02# uname -a                              
FreeBSD freebsd.dvl-software.co.nz 2.2.7-RELEASE FreeBSD 2.2.7-RELEASE #0:
Wed Nov  4 23:49:25 NZDT 1998     
dan@freebsd.dvl-software.co.nz:/usr/src/sys/compile/IPFILTER3  i386

In the above example, the kernel name is IPFILTER3.

Load the module

If you were already running IP Filter, here is what you do to reload it.

su-2.02# modstat
Type     Id Off Loadaddr Size Info     Rev Module Name
DEV    <id>  79 f3c86000 0031 f3c90248   1 IP Filter v3.2.9
su-2.02# modunload -i <id>
su-2.02# modload /lkm/if_ipl.o
Module loaded as ID 1

You will also have to restart your NAT rules and reload your filtering rules.  
Here’s what I did:

ipnat -f /etc/ipnat.conf
ipf -f /etc/ipfilter_rules

I have also supplied my NAT rules for those that may need
an example.

As for your firewall rules, I suggest you start with the contents of the Rules
directory and use either BASIC_1.FW or BASIC_2.FW as the basis for
your rule set.  Also note that BNF contains the rule syntax.

Logging

I’ve decided to do some logging of my traffic.  Everything is running fine, but I
want to know what packets are being blocked and why.  From the IP Filter mailing list archive, I’ve found
the following steps to enable logging.

  1. edit /etc/syslog.conf
  2. add local0.info /var/log/mylog.log
  3. kill -HUP PID_syslogd
  4. ipmon -s -n -x

But nothing appears in /var/log/firewall.log. Instead, the messages are
going to /var/log/messages.

The cause was /etc/syslog.conf: it prefers tabs, not spaces, between the selector
and the log file.  If you use spaces, you'll get a message during reboot which is
similar to the following:

unknown priority name "info	/var/log/firewall.log"

Here is what I put in my /etc/syslog.conf to get ipmon
messages into the correct file (note that the first line has been split into two lines so
it fits on the page):

*.notice;kern.debug;lpr.info;mail.crit;news.err;local0.none
                                          /var/log/messages
local0.info;local0.debug                  /var/log/firewall.log
local0.err                                /var/log/firewall.err

You will notice that I added a local0.none to the first line.  This
stopped the messages from appearing in the messages log.  The next two lines direct
the information to the appropriate files.
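To check a syslog.conf like the one above without rebooting, here is an added example (my own, not from this note or from IP Filter) that models how syslogd matches a facility.priority against each selector and flags the space-instead-of-tab mistake; the configuration text inside it is a constructed, tab-separated copy of the three lines above.

```python
# Added example, not from the original note: a small model of how a BSD
# syslogd reads a syslog.conf line, enough to check the rules shown above.
# Assumption: only plain "facility.priority" selectors (no "=" or "!" forms).
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_syslog_conf(text):
    """Return ([(line_no, selectors, action)], [(line_no, problem)]).
    Spaces instead of a tab between selector and action are reported; that is
    the mistake behind the 'unknown priority name' message quoted above."""
    rules, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        if "\t" not in line:
            problems.append((n, "selector and action must be separated by a tab"))
            continue
        selectors, action = line.split("\t", 1)
        rules.append((n, selectors.strip(), action.strip()))
    return rules, problems

def matches(selectors, facility, priority):
    """Does 'sel;sel;...' accept a message of facility.priority?  A selector
    matches its priority and everything more severe, 'none' drops the facility,
    and within one line a later selector overrides an earlier one."""
    level, accept = PRIORITIES.index(priority), False
    for sel in selectors.split(";"):
        facs, _, pri = sel.rpartition(".")
        if facility not in facs.split(",") and "*" not in facs.split(","):
            continue
        if pri == "none":
            accept = False
        else:
            accept = pri == "*" or level <= PRIORITIES.index(pri)
    return accept

def route(conf, facility, priority):
    """List the log files a facility.priority message is written to."""
    rules, _ = parse_syslog_conf(conf)
    return [action for _, sel, action in rules if matches(sel, facility, priority)]

# Constructed copy of the three lines from the note, joined and tab-separated.
CONF_OK = (
    "*.notice;kern.debug;lpr.info;mail.crit;news.err;local0.none\t/var/log/messages\n"
    "local0.info;local0.debug\t/var/log/firewall.log\n"
    "local0.err\t/var/log/firewall.err\n"
)
# Constructed: the same rule typed with spaces, as in the failing case above.
CONF_SPACES = "local0.info    /var/log/firewall.log\n"
```

Running route(CONF_OK, "local0", "info") shows the local0.none exclusion working: the message lands only in /var/log/firewall.log, not in /var/log/messages.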

Eventually, I’ll add something to rotate these logs so they don’t get too big.  
But that’s another topic for a later date.
