Installing IP Filter 3.3.3
I have installed ipf 3.3.3 under FreeBSD 3.1-Release, 3.2-Release,
3.3-Release, and 3.3-Stable. It runs very well. I never had any trouble with
it. I use it in conjunction with ipnat to provide a gateway/firewall/router
box. I like it so much that I recommend it to people. It’s a great tool!
IP Filter 3.3.4 has been released. I
recommend you use that version instead.
Getting IP Filter
NOTE: I wrote this article about two days before IP Filter version 3.3.3 was
added to the ports. I’ve tried the port and it fails. Feel free to give it a
go. You may have to update your ports in order to get the
correct version. If it fails for you, try the steps in this article.
I have the entire ports tree installed. If you use the
port, you may be able to skip to Configuration.
Please note that I have not installed IP Filter from the ports, so I’m not
sure the following notes will work or not.
I obtained the tar ball from ftp://coombs.anu.edu.au/pub/net/ip-filter/.
I issued the following commands:
cd /usr/ports/net fetch ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.3.3.tar.gz tar xvfz ip_fil3.3.3.tar.gz
To use ipf, you first compile ipf, and then create a new kernel
which includes the ipf options. In addition, I always use ipnat in
conjunction with ipf. In order for ipnat to work, you must include
the kernel options for ipnat. Be sure to do this
before you recompile the kernel to include ipf.
To compile ipf 3.3.3,
follow the instructions included with the tarball. Here’s what they look like:
# cd /usr/ports/net/ip_fil3.3.3/ # more FreeBSD-3/INST.FreeBSD-3 To build a kernel with the IP filter, follow these steps: 1. do "make freebsd3" 2. do "make install-bsd" (probably has to be done as root) 3. run "FreeBSD-3/kinstall" as root 4. build a new kernel 5. install the new kernel 6. If not using DEVFS, create devices for IP Filter as follows: mknod /dev/ipl c 79 0 mknod /dev/ipnat c 79 1 mknod /dev/ipstate c 79 2 mknod /dev/ipauth c 79 3 7. reboot Darren Reed firstname.lastname@example.org
I did not do step 6.
Remember to add kernel support for ipnat before
I store my
ipnat rules in /etc/ipnat.conf and my ipf rules in /etc/ipf.conf.
To ensure these rules are invoked at startup, I have the following files in /usr/local/etc/rc.d:
# more 000.ipf.sh #!/bin/sh ipf -f /etc/ipf.conf # more 010.ipnat.sh #!/bin/sh ipnat -f /etc/ipnat.conf
You’ll need to make sure the files are executable. See how
to start things at boot time for more detail.
Is that all?
That’s all. That should work. However, I have written these steps from
memory. If I have missed anything out, your comments are appreciated. Thanks. Hope this helps.