IP Filter – second time around
This article is now outdated. For FreeBSD 3.* and ipf 3.3.3, see Installing IP Filter 3.3.3This diary note describes how I installed IP Filter for the second time. I strongly suggest you follow the instructions within INST.FreeBSD-2.2 in conjunction with my detailed steps from my original IP Filter installation.
See also IP Filter – an alternative firewall and NAT to ipfw/natd.
This is the second time I’ve tried IP Filter. I had trouble getting traceroute. I’ve been using the latest beta of IP Filter and doing some testing with the help of the author. Darren has fixed the trace problem I initially encountered. The utility I was using to do a trace used short packets which were being removed by the block in log quick all with short rule. This fix will be available with IP Filter 3.2.10.
Installation | Loading | Logging
Installation
You should follow the instructions found within INST.FreeBSD-2.2.This time, I followed the same instructions I used in the original install. Although I did not create a new kernel as that step had been performed during the original install. In short, I did the following.
- cd /usr/ports/net
- gunzip ip_fil3.2.10beta.tgz
- tar -xvf ip_fil3.2.10beta.tar
- cd ip_fil3.2.10beta6
- make freebsd22 IPFILKERN=<kernel_name>
- make install-bsd
NOTE: in step 5, substitute your kernel name for <kernel_name>. See the original install for details.
The following command shows the name of your present kernel:
su-2.02# uname -a FreeBSD freebsd.dvl-software.co.nz 2.2.7-RELEASE FreeBSD 2.2.7-RELEASE #0: Wed Nov 4 23:49:25 NZDT 1998 dan@freebsd.dvl-software.co.nz:/usr/src/sys/compile/IPFILTER3 i386
In the above example, the kernel name is IPFILTER3.
load the module
If you were already running IP Filter, here is what you do to reload it.su-2.02# modstat Type Id Off Loadaddr Size Info Rev Module Name DEV <id> 79 f3c86000 0031 f3c90248 1 IP Filter v3.2.9 su-2.02# modunload -i <id> su-2.02# modload /lkm/if_ipl.o Module loaded as ID 1
You will also have to restart your NAT rules and reload your filtering rules. Here’s what I did:
ipnat -f /etc/ipnat.conf ipf -f /etc/ipfilter_rules
I have also supplied my NAT rules for those that may need an example.
As for your firewall rules, I suggest you start with the contents of the Rules directory and use either BASIC_1.FW or BASIC_1.FW as the basis for your rule set. Also note that BNF contains the rule syntax.
logging
I’ve decided to do some logging of my traffic. Everything is running fine, but I want to know what packets are being blocked and why. From the IP Filter mailing list archive, I’ve found the following steps to enable logging.- edit /etc/syslog.conf
- add local0.info /var/log/mylog.log
- kill -HUP PID_syslogd
- ipmon -s -n -x
But nothing appears in /var/log/firewall.log. Instead, the messages are going to /var/log/messages.
/etc/syslog.conf, it prefers tabs, not spaces. Details available here.
Please note that syslog.conf prefers tabs over spaces. If you use spaces, you’ll get a message during reboot which is similar to the following:
unknown priority name "info /var/log/firewall.log"
Here is what I put in my /etc/syslog.conf to get ipmon messages into the correct file (note that the first line has been split into two lines so it fits on the page):
*.notice;kern.debug;lpr.info;mail.crit;news.err;local0.none
/var/log/messages
local0.info;local0.debug /var/log/firewall.log
local0.err /var/log/firewall.err
You will notice that I added a local0.none to the first line. This stopped the messages from appearing the the messages log. The next two lines direct the information to the appropriate files.
Eventually, I’ll add something to rotate these logs so they don’t get too big. But that’s another topic for a later date.