
The FreeBSD 'zine
Featured Articles: Firewalls
## IPFilter
## Dan Langille <>

IP Filter: An alternative firewall and NAT to ipfw/natd.

I was having some problems with natd and ipfw. It was suggested by Darren Reed that I drop ipfw/natd and try IP Filter. I decided to do so, for a trial at least. It should also be mentioned that Darren is the author of IP Filter.

IP Filter

The main web page is . See their list of mirrors for the latest source. It basically does the same thing as the natd and ipfw combination, but it seems to do it better. This is based solely upon my first impressions. However, like most ports, the documentation on how to install it is minimal and open to some interpretation. I have listed the steps I took. Hopefully, they'll work for you too.

Installation

I followed the instructions supplied in INST.FreeBSD-2.2 and used the LKM (Loadable Kernel Module) option as the other option (kernel install) is unsupported.

You will be installing a new kernel. I named my new kernel IPFILTER. You may wish to name your kernel something else. Keep that in mind when you see IPFILTER.

Obtain the source

As mentioned above, use the site to obtain your source code. I downloaded the file and placed it in the /usr/ports/net directory. Then I did the following to uncompress and extract the files:

	cd /usr/ports/net
	gunzip ip-fil3.2.9.tar
	tar -xvf ip-fil3.2.9.tar
	cd ip_fil3.2.9
  

Prepare a kernel

Prepare, but don't yet compile a new kernel. Follow these steps to do this:

	cd /usr/src/sys/i386/conf/
	cp GENERIC IPFILTER
	/usr/sbin/config IPFILTER
  

We will compile this kernel later on. The above steps merely create the kernel file which will be modified by the IP Filter make.

Make IP Filter

	cd /usr/ports/net/ip_fil3.2.9
	make freebsd22 IPFILKERN=IPFILTER
	make install-bsd
	FreeBSD-2.2/minstall
  

Step 3 may have to be done as root. Step 4 must be done as root.

Build a new kernel

You should now build the kernel you prepared above.

	cd /usr/src/sys/i386/conf/
	/usr/sbin/config IPFILTER
	cd ../../compile/IPFILTER
	make depend
	make
	make install
  

Reboot to install the kernel

In order for the kernel to be installed, you need to reboot. This command will do it for you:

	shutdown -r now
  

Load the module

After the new kernel boots, issue the following command to load the module:

	su-2.02# modload /lkm/if_ipl.o
	Module loaded as ID 0
	su-2.02# modstat
	Type     Id Off Loadaddr Size Info     Rev Module Name
	DEV       0  79 f3c86000 0031 f3c90248   1 IP Filter v3.2.9
	su-2.02#
  

NAT

I've summarized what I did based on the instructions supplied in the file NAT.FreeBSD.

The following numbered sections are extracted from that file. Please refer to the next section for a list of other steps I performed which were not included in the instructions.

NOTE: The instructions supplied with IP Filter make reference to /etc/sysconfig, which has been replaced by /etc/rc.conf.

1) Load the kernel module

We did this manually above. In order for it to run at boot-time, you should add the following line to /etc/rc.local:

	modload /lkm/if_ipl.o
  

2) Setting up the NAT Rules

Rules for IP Filter are stored in the file /etc/natrules. I took what I found in /usr/ports/net/ip_fil3.2.9/rules/nat-setup as the basis for my NAT rules. Here they are (these may or may not be my real numbers):

	map ed0 10.1.0.0/16 -> 209.23.1.5/32 portmap tcp/udp 10000:40000
	map ed0 10.1.0.0/16 -> 209.23.1.5/32
  

Please note that the above example differs from that supplied in the file. The second line does not contain the portmap keyword. I could not get the rules to load otherwise.

3) Loading the NAT Rules

The above rules need to be loaded every time the computer reboots. This can be done by putting the following line in /etc/rc.local:

	ipnat -f /etc/natrules
  

You can view the loaded rules by issuing the following command:

	ipnat -ls
  

4) Enable Routing between interfaces

The instructions say you should do this:

	sysctl -w net.inet.ip.forwarding=1
  

But you can achieve the same thing by using /etc/rc.conf. Look for the following section and ensure that the values are as shown.

	### Network routing options: ###
	gateway_enable=YES
  

5) Static Routes to Subnet Ranges

The instructions want you to set up the following routes. I didn't do this and it still worked. I'm not sure what I'm missing.

	static_routes="foo"
	route_foo="10.0.0.0 -netmask 0xf0000000 -interface 10.0.0.1"
  

6) Make sure that you have your interfaces configured

In /etc/rc.conf, you should have something which looks like this:

	network_interfaces="fxp0 fxp1"
	ifconfig_fxp0="inet 208.8.0.1 netmask 255.255.255.0"
	ifconfig_fxp1="inet 10.0.0.1 netmask 255.0.0.0"
  

Removing natd/ipfw

Prior to installing IP Filter, I was running ipfw and natd. My first attempt failed. I think it was because I was still running those programs. So I made the following changes in order to get IP Filter running.

  1. Removed the options IPFIREWALL and options IPDIVERT from my kernel.
  2. Changed firewall_enable=YES to firewall_enable=NO in /etc/rc.conf.

Adding Rules

The are highly recommended reading. Of note are the sections on and .

Rule Groups

The concept of a rule group is at the heart of understanding how IP Filter works. Rules can be grouped together according to logical function. The documentation also states that groups make for more efficient rule processing.

Each group is identified by a unique group number. A new group is created by including a head statement such as the following:

	block in log on ed0 all head 100
  

The above rule declares that all incoming packets on ed0 will be processed using group 100. The default action for this group is to block all. Note that only packets which match the above rule will be processed by rules in group 100.

If we wish to allow people to access our web server, we would add a rule which looks like this:

	pass in quick proto tcp from any to any port = WWW keep state group 100
  
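To make the head/group and quick semantics concrete, here is a small Python model of how ipf scans the two rules above. It is an added example, not code from the article or from IP Filter itself; it simplifies by ignoring addresses, log and keep state, and writes the WWW service as the number 80.

```python
"""Toy model of IP Filter rule scanning (added example): the LAST matching rule
wins unless it says 'quick'; a matching 'head N' rule runs group N first."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                   # "pass" or "block"
    direction: str                # "in" or "out"
    quick: bool = False
    iface: Optional[str] = None   # "on ed0"
    proto: Optional[str] = None   # "proto tcp"
    dport: Optional[int] = None   # "port = 80"
    head: Optional[int] = None    # this rule opens group N
    group: int = 0                # group the rule lives in; 0 is the main list

    def matches(self, pkt: dict) -> bool:   # addresses, log, keep state ignored
        return (pkt["dir"] == self.direction and self.iface in (None, pkt["iface"])
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt.get("dport")))

def parse(line: str) -> Rule:             # subset of ipf.conf syntax used here
    t = line.split()
    r = Rule(action=t[0], direction=t[1], quick="quick" in t)
    for i, w in enumerate(t):
        if w == "on":      r.iface = t[i + 1]
        elif w == "proto": r.proto = t[i + 1]
        elif w == "port":  r.dport = int(t[i + 2])   # "port = 80"
        elif w == "head":  r.head = int(t[i + 1])
        elif w == "group": r.group = int(t[i + 1])
    return r

def scan(rules, pkt, group=0, current=None):
    """Scan one group; return (action so far, True if a quick rule ended it)."""
    for r in rules:
        if r.group != group or not r.matches(pkt):
            continue
        current = r.action                         # last match wins so far
        if r.head is not None:                     # descend into group N
            current, done = scan(rules, pkt, r.head, current)
            if done:
                return current, True
        if r.quick:                                # quick: stop scanning
            return current, True
    return current, False

def decide(rules, pkt) -> str:
    return scan(rules, pkt)[0] or "pass"           # no match at all: ipf passes

# The article's two rules, with 'port = WWW' written as the number 80.
RULES = [parse("block in log on ed0 all head 100"),
         parse("pass in quick proto tcp from any to any port = 80 keep state group 100")]
```

Feeding constructed packets through decide() shows that web traffic on ed0 passes, anything else on ed0 is blocked by the head rule, and traffic on another interface never enters group 100 at all.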

Default rules

IP Filter comes with a script which will create some default blocking rules for you. Read rules/firewall for details. Here's what I did to invoke those rules:

	cd /usr/ports/net/ip_fil3.2.9
	./mkfilters > rules/mkfilter_rules
	ipf -f rules/mkfilter_rules
  

To view the rules, try the following:

	ipfstat -hio
  

Firewall rules

But for real protection, you want the firewall rules. I started with the ones provided in rules/BASIC_1.FW. Then I moved to rules/BASIC_2.FW because I couldn't get some of my services to run. I struggled for 2 days trying to get traceroute to work. I gave up.

Conclusions

These conclusions are based on 3 days of working with IP Filter. I have no doubt they are biased and based upon my lack of experience with both the product and Unix. I like IP Filter. It loads rules much faster than ipfw. And the concept and use of rule groups is quite good. For a commercial environment, I think IP Filter would be better than ipfw. I also feel that better protection can be obtained by using IP Filter.

I found it very difficult to find out how to load rules, display the rules, and view the accounting statistics. Once you know the commands, they are easy to do, but I found it difficult to obtain this information from the documentation. Hopefully, the information I've provided above will help.

I implemented both of the firewall examples. With neither of them could I get traceroute to work. Again, I may not know what I'm doing. But until I can resolve those issues, I'm going back to ipfw and natd.

- Dan


Contact: <>
Last modified: $Date: 1999/06/26 05:19:51 $
Copyright © 2023, The FreeBSD 'zine
All rights reserved.