Installing IP Filter 3.4.1

Since this article was written, version 3.4.2 has been released, and it comes with a security advisory. Please upgrade to version 3.4.2.

IP Filter 3.4.1 was released today. This article merely documents that fact and describes how I installed it under FreeBSD 3.3-RELEASE. The installation instructions for FreeBSD 4 are slightly different, but it is basically the same process. These instructions should work for all subsequent versions of IP Filter. If they do not, please add your comments.
Instructions for disabling ipfw/natd are also available here.
Getting IP Filter

ipf is included in FreeBSD, but I prefer to keep up to date, so I install the tarball from Darren Reed's website.

I obtained the tarball from ftp://coombs.anu.edu.au/pub/net/ip-filter/. I issued the following commands:

cd /usr/ports/net
fetch ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.4.1.tar.gz
tar xvfz ip_fil3.4.1.tar.gz
Installing

This version of the tarball completely replaces the ipf which comes with FreeBSD, so you no longer have to worry about duplicate binaries.

To use ipf, you first compile ipf, then build a new kernel that includes the ipf options. I always use ipnat in conjunction with ipf; for ipnat to work, the kernel must also include the options ipnat needs, so add them before you recompile the kernel to include ipf.
To compile ipf 3.4.1, follow the instructions included with the tarball. Here’s what they look like:
# cd /usr/ports/net/ip_fil3.4.1/
# more FreeBSD-3/INST.FreeBSD-3

To build a kernel with the IP filter, follow these steps:

1. do "make freebsd3"
   [if you are installing under FreeBSD 4.*, you should type "make freebsd4" instead]
2. do "make install-bsd" (probably has to be done as root)
3. run "FreeBSD-3/kinstall" as root
   [actually, I didn't do this, I did "FreeBSD-4.0/kinstall" instead]
4. build a new kernel
5. install the new kernel
6. If not using DEVFS, create devices for IP Filter as follows:
       mknod /dev/ipl c 79 0
       mknod /dev/ipnat c 79 1
       mknod /dev/ipstate c 79 2
       mknod /dev/ipauth c 79 3
7. reboot

Darren Reed
I did not do step 6.
If you have included the IPFILTER_DEFAULT_BLOCK kernel option (which makes ipf block every packet that no rule explicitly passes), you may see the following when you run config(8) on the kernel. The warning is harmless; ignore it. Do keep in mind that with a default-block kernel, a rule set that fails to load at boot leaves the machine with no network access at all, so have console access when you first reboot.

# config -r DUCKY
DUCKY:34: unknown option "IPFILTER_DEFAULT_BLOCK"
Don't forget to do a ``make depend''
Kernel build directory is ../../compile/DUCKY
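The steps above, gathered into one script, as an added example that is not part of the original article or of the IP Filter tarball. It makes the two decisions the instructions leave to the reader explicit (which make target and which kinstall script to use for the running release, with the FreeBSD-3 and FreeBSD-4.0 paths the article mentions), prints the mknod commands from step 6 only for nodes that do not already exist, and checks config(8) output so that the expected IPFILTER_DEFAULT_BLOCK warning is ignored while any other "unknown option" (a typo that would silently drop a kernel feature) is caught. The tarball name, FTP location, major number 79 and device names are taken from the text above; DRY_RUN=1 and IPF_RUN=1 are variables introduced here for illustration. The sample config(8) output in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the original article or the IP Filter tarball:
# a POSIX sh driver for the install steps above, with the decisions made explicit.
# Assumptions: tarball name and FTP location as in the article; kinstall paths
# FreeBSD-3/kinstall and FreeBSD-4.0/kinstall are the two the article mentions;
# major number 79 and the four device names are from the INST file quoted above.
# DRY_RUN=1 prints each privileged command instead of running it.

IPF_VERSION="${IPF_VERSION:-3.4.1}"
IPF_URL="ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil${IPF_VERSION}.tar.gz"
PORTS_DIR="${PORTS_DIR:-/usr/ports/net}"
DRY_RUN="${DRY_RUN:-0}"

# make target for the running release (uname -r): 3.x -> freebsd3, 4.x -> freebsd4.
# Anything else is a release the INST file does not cover, so fail rather than guess.
ipf_make_target() {
    case "$1" in
        3.*) echo freebsd3 ;;
        4.*) echo freebsd4 ;;
        *)   return 1 ;;
    esac
}

# kinstall script for the same release (paths as used in the article).
ipf_kinstall() {
    case "$1" in
        3.*) echo FreeBSD-3/kinstall ;;
        4.*) echo FreeBSD-4.0/kinstall ;;
        *)   return 1 ;;
    esac
}

# Device nodes from INST step 6 as "name minor" pairs (not needed under DEVFS).
ipf_devices() {
    printf '%s\n' 'ipl 0' 'ipnat 1' 'ipstate 2' 'ipauth 3'
}

# Print a mknod command for each node that is not already a character device.
ipf_mknod_cmds() {
    devdir="${1:-/dev}"
    ipf_devices | while read -r name minor; do
        [ -c "$devdir/$name" ] || echo "mknod $devdir/$name c 79 $minor"
    done
}

# config(8) on 3.3-RELEASE reports IPFILTER_DEFAULT_BLOCK as an unknown option and
# the article says to ignore that. Any other "unknown option" line is a typo in the
# kernel config that would silently drop a feature, so treat it as a failure.
# Constructed sample that must fail:  DUCKY:35: unknown option "IPFLITER_LOG"
config_output_ok() {
    ! printf '%s\n' "$1" | grep 'unknown option' | grep -qv '"IPFILTER_DEFAULT_BLOCK"'
}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

install_ipf() {
    rel="${1:-$(uname -r)}"
    target=$(ipf_make_target "$rel") || { echo "no make target for release $rel" >&2; return 1; }
    kinst=$(ipf_kinstall "$rel") || return 1
    run cd "$PORTS_DIR"
    run fetch "$IPF_URL"
    run tar xvfz "ip_fil${IPF_VERSION}.tar.gz"
    run cd "ip_fil${IPF_VERSION}"
    run make "$target"
    run make install-bsd
    run sh "$kinst"
    ipf_mknod_cmds | while read -r cmd; do run $cmd; done
    echo "next: add 'options IPFILTER' (and IPFILTER_DEFAULT_BLOCK if wanted) to the"
    echo "kernel config, build and install the kernel, then reboot with console access"
}

if [ "${IPF_RUN:-0}" = 1 ]; then
    install_ipf "$@"
fi
```

Run it as `IPF_RUN=1 DRY_RUN=1 sh install-ipf.sh` first to see every command it would issue, then without DRY_RUN as root. After config(8) has run, pipe its output through config_output_ok and stop the build if it returns non-zero.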