Installing IP Filter 3.4.1

Since this article was written, version 3.4.2 has been released.  This update
includes a security advisory.  Please upgrade to version 3.4.2.

IP Filter 3.4.1 has been recently released.  The installation instructions for
FreeBSD 4 are slightly different, but it is basically the same process as before.
This article merely documents that fact and describes how I installed it
under FreeBSD 3.3-release.  These instructions should work for all subsequent
versions of IP Filter.  If they do not, please add your comments.

Instructions for disabling ipfw/natd are also available here.

Getting IP Filter

ipf is included in FreeBSD, but I prefer to keep up to date, so I use the tarball
from Darren Reed’s website.

The main webpage for IP Filter is   And
one of the best how-to guides for IP Filter is at

I obtained the tar ball from
  I issued the following commands:

cd /usr/ports/net
tar xvfz ip_fil3.4.1.tar.gz


This version of the tarball will completely replace the ipf which comes with FreeBSD.
You don’t have to worry about duplicate binaries any more.

To use ipf, you first compile ipf, and then create a new kernel which includes the ipf
options.  In addition, I always use ipnat in conjunction with ipf.  In order for ipnat
to work, you must include the kernel options for ipnat.  Be sure to do this before you
recompile the kernel to include ipf.

To compile ipf 3.4.1, follow the instructions included with the tarball.
  Here’s what they look like:

# cd /usr/ports/net/ip_fil3.4.1/
# more FreeBSD-3/INST.FreeBSD-3
To build a kernel with the IP filter, follow these steps:

   1. do "make freebsd3"

[if you are installing under FreeBSD 4.*, you should type "make freebsd4"]

   2. do "make install-bsd"
      (probably has to be done as root)

   3. run "FreeBSD-3/kinstall" as root

[actually, I didn’t do this, I did "FreeBSD-4.0/kinstall" instead]

   4. build a new kernel

   5. install the new kernel

   6. If not using DEVFS, create devices for IP Filter as follows:
                mknod /dev/ipl c 79 0
                mknod /dev/ipnat c 79 1
                mknod /dev/ipstate c 79 2
                mknod /dev/ipauth c 79 3

   7. reboot

Darren Reed

I did not do step 6.

For step 4, see the Configuring the FreeBSD Kernel section in the FreeBSD
Handbook.  Pay special attention to the section on Building and Installing
a Custom Kernel.

If you have included the IPFILTER_DEFAULT_BLOCK kernel option (which makes ipf
block everything by default), you may encounter this during the kernel config.
Ignore the warning.

# config -r DUCKY 
Don't forget to do a ``make depend''
Kernel build directory is ../../compile/DUCKY
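
A check to run after building the kernel and before rebooting, added here as an example and not part of the original article or the IP Filter tarball: it confirms the kernel config contains "options IPFILTER" and, when IPFILTER_DEFAULT_BLOCK is set, that a rules file with at least one pass rule exists, because a default-block kernel with no rules loaded passes no traffic. The function names, the script name, the kernel config path and the /etc/ipf.rules location are assumptions.

```shell
#!/bin/sh
# Pre-reboot check for an IP Filter kernel (added example, not from the tarball).
# The kernel config name DUCKY follows the article; the config directory and
# the rules file path /etc/ipf.rules in the usage line are assumptions.

# has_option FILE NAME: true if FILE has an uncommented "options NAME" line
has_option() {
    grep -Eq "^[[:space:]]*options[[:space:]]+\"?$2\"?([[:space:]]|#|\$)" "$1"
}

# count_pass_rules FILE: number of ipf rules whose action is "pass"
count_pass_rules() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -Ec '^[[:space:]]*pass[[:space:]]' "$1" || true
}

# preflight KERNCONF RULES
#   0: checks passed        1: IPFILTER not in kernel config
#   2: IPFILTER_DEFAULT_BLOCK set but no pass rule to load (lockout risk)
preflight() {
    kernconf=$1 rules=$2
    if ! has_option "$kernconf" IPFILTER; then
        echo "FAIL: 'options IPFILTER' missing from $kernconf"
        return 1
    fi
    if has_option "$kernconf" IPFILTER_DEFAULT_BLOCK; then
        n=$(count_pass_rules "$rules")
        if [ "$n" -eq 0 ]; then
            echo "FAIL: default-block kernel and no pass rules in $rules"
            return 2
        fi
        echo "OK: default-block kernel, $n pass rule(s) in $rules"
    else
        echo "OK: IPFILTER present, kernel default is pass"
    fi
    return 0
}

# Usage: sh ipf_preflight.sh /usr/src/sys/i386/conf/DUCKY /etc/ipf.rules
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

The script only inspects the two files; whether the rules are actually loaded at boot still has to be arranged and verified separately.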

That’s it!

I rebuilt my kernel, rebooted, and I was away with IP Filter 3.4.1. 
Very smooth.
