## IPFilter
## Dan Langille <>
IP Filter: An alternative firewall and NAT to ipfw/natd.
I was having some problems with natd and ipfw. It was suggested by by
Darren Reed that I drop ipfw/natd and try IP Filter. I decided to do
so. For a trial at least. It should also be mentioned that Darren is
the author of IP Filter.
IP Filter
The main web page is . See their list of mirrors for the
latest source. It basically does the same thing as the natd and ipfw
combination, but it seems to do it better. This is based solely upon my
first impressions. However, like most ports, the documentation on how to
install it is minimal and open to some interpretation. I have listed the
steps I took. Hopefully, they'll work for you too.
Installation
I followed the instructions supplied in INST.FreeBSD-2.2 and used the
LKM (Loadable Kernel Module) option as the other option (kernel install)
is unsupported.
You will be installing a new kernel. I named my new kernel
IPFILTER. You may wish to name your kernel something else.
Keep that in mind when you see IPFILTER.
Obtain the source
As mentioned above, use the site to obtain your source code. I
downloaded the file and placed it in the /usr/ports/net directory. Then I
did the following to uncompress and extract the files:
cd /usr/ports/net
gunzip ip-fil3.2.9.tar
tar -xvf ip-fil3.2.9.tar
cd ip_fil3.2.9
Prepare a kernel
Prepare, but don't yet compile a new kernel. Follow these steps to do
this:
cd /usr/src/sys/i386/conf/
cp GENERIC IPFILTER
/usr/sbin/config IPFILTER
We will compile this kernel later on. The above steps merely create the
kernel file which will be modified by the IP Filter make.
Make IP Filter
cd /usr/ports/net/ip_fil3.2.9
make freebsd22 IPFILKERN=IPFILTER
make install-bsd
FreeBSD-2.2/minstall
Step 3 may have to be done as root. Step 4 must be done as root.
Build a new kernel
You should now build the kernel you prepared above.
cd /usr/src/sys/i386/conf/
/usr/sbin/config IPFILTER
cd ../../compile/IPFILTER
make depend
make
make install
Reboot to install the kernel
In order for the kernel to be installed, you need to reboot. This
command will do it for you:
shutdown -r now
Load the module
After the new kernel boots, issue the following command to load the
module:
su-2.02# modload /lkm/if_ipl.o
Module loaded as ID 0
su-2.02# modstat
Type Id Off Loadaddr Size Info Rev Module Name
DEV 0 79 f3c86000 0031 f3c90248 1 IP Filter v3.2.9
su-2.02#
NAT
I've summarized what I did based on the instructions supplied in the file
NAT.FreeBSD.
The following numbered sections are extracted from that file. Please
refer to the next section for a list of other steps I performed which
were not included in the instructions.
NOTE: The instructions supplied with IP Filter make reference to
/etc/sysconfig, which has been replaced by /etc/rc.conf.
1) Load the kernel module
We did this manually above. In order for it to run at boot-time, you
should add the following line to /etc/rc.local:
modload /lkm/if_ipl.o
2) Setting up the NAT Rules
Rules for IP Filter are stored in the file /etc/natrules. I took what
I found in /usr/ports/net/ip_fil3.2.9/rules/nat-setup as the basis for
my NAT rules. Here they are (these may or my not be my real numbers):
map ed0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000
map ed0 10.1.0.0/16 -> 209.23.1.5/32
Please note that the above example differs from that supplied in the
file. The second line does not contain the portmap keyword. I could
not get the rules to load otherwise.
3) Loading the NAT Rules
The above rules need to be loaded everytime the computer reboots. This
can be done by putting the following line in /etc/rc.local:
ipnat -f /etc/natrules
You can view the loaded rules by issuing the following command:
ipnat -ls
4) Enable Routing between interfaces
The instructions say you should do this:
sysctl -w net.inet.ip.forwarding=1
But you can achieve the same thing by using /etc/rc.conf. Look for
the following section and ensure that the values are as shown.
### Network routing options: ###
gateway_enable=YES
5) Static Routes to Subnet Ranges
The instructions want you to set up the following routes. I didn't
do this and it still worked. I'm not sure what I'm missing.
static_routes="foo"
route_foo="10.0.0.0 -netmask 0xf0000000 -interface 10.0.0.1"
6) Make sure that you have your interfaces configured
In /etc/rc.conf, you should have something which looks like this:
network_interfaces="fxp0 fxp1"
ifconfig_fxp0="inet 208.8.0.1 netmask 255.255.255.0"
ifconfig_fxp1="inet 10.0.0.1 netmask 255.0.0.0"
Removing natd/ipfw
Prior to installing IP Filter, I was running ipfw and natd. My first
attempt failed. I think it was because I was still running those programs.
So I made the following changes in order to get IP Filter running.
- Removed the options IPFIREWALL and options IPDIVERT from my kernel.
- Changed firewall_enable=YES to firewall_enable=NO in /etc/rc.conf.
Adding Rules
The are highly recommended reading. Of note are the sections on
and
.
Rule Groups
The concept of a rule group is at the heart of understanding how IP Filter
works. Rules can be grouped together according to logical function. The
documentation also states that groups make for more efficient rule
processing.
Each group is identified by a unique group number. A new group is
created by including a head statement such as the following:
block in log on ed0 all head 100
The above rule declares that all incoming packets on ed0 will be
processed using group 100. The default action for this group is to
block all. Note: that only packets which match the above rule will
be processed by rules in group 100.
If we wish to allow people to access our web server, we would add a rule
which looks like this:
pass in quick proto tcp from any to any port = WWW keep state group 100
Default rules
IP Filter comes with a script which will create some default blocking
rules for you. Read rules/firewall for details. Here's what I did to
invoke those rules:
cd /usr/ports/net/ip_fil3.2.9
./mkfilters > rules/mkfilter_rules
ipf -f rules/mkfilter_rules
To view the rules, try the following:
ipfstat -hio
Firewall rules
But for real protection, you want the firewall rules. I started with
the ones provided in rules/BASIC_1.FW. Then I moved to rules/BASIC_1.FW
because I couldn't get some of my services to run. I struggled for 2
days trying to get traceroute to work. I gave up.
Conclusions
These conclusions are based on 3 days of working with IP Filter. I
have no doubt they are biased and based upon my lack of experience
with both the product and Unix. I like IP Filter. It loads rules
much faster than ipfw. And the concept and use of rule groups is
quite good. For a commercial environment, I think IP Filter would be
better than ipfw. I also feel that better protection can be obtained
by using IP Filter.
I found it very difficult to find out how to load rules, display the
rules, and view the accounting statistics. Once you know the commands,
they are easy to do, but I found it difficult to obtain this information
from the documentation. Hopefully, the information I've provided above
will help.
I implemented both of the firewall examples. With neither of
them could I get traceroute to work. Again, I may not know what I'm
doing. But until I can resolve those issues, I'm going back to ipfw
and natd.
- Dan
Return to Issue #1
|