RE: installing ipfilter

2004-04-25 Thread JJB
Ipfilter is a built-in firewall just like IPFW.
They both are distributed in the base FreeBSD system.
Ipfilter is the name of the firewall; "man ipf" will show you the
info you are looking for.
Ipfilter is a loadable module, which means it is not necessary to
add kernel option statements to the kernel source and recompile the
kernel. The addition of the ipfilter rc.conf statements will
automatically load the ipfilter module.

Rc.conf statements.
ipfilter_enable="YES"            # Start ipf firewall
ipfilter_rules="/etc/ipf.rules"  # loads rules definition text file
                                 # IE: not script file with rules in it
ipmon_enable="YES"               # Start ip monitor log
ipmon_flags="-Ds"                # D = start as daemon
                                 # s = log to syslog
                                 # v = log tcp window, ack, seq
                                 # n = map ip & port to names

ipnat_enable="YES"               # Enable ipfilter Nat function
ipnat_rules="/etc/ipnat.rules"


Sample ipnat rules

# Provide special NAT services for FTP from LAN users.
map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp

# Provide special NAT services for FTP from gateway system.
map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp

# Provide Normal NAT services for LAN users.
# NAT my private LAN ip address to whatever my dynamic ISP address is.
map dc0 10.0.10.0/29 -> 0/32

# Provide NAT services for user ppp Dial in tun0 connections.
map tun0 10.0.0.0/29 -> 0/32



Sample ipfilter rules


#
# For testing only allow pass all  Bypasses the rest of the rules
#pass in  log quick on dc0 all
#pass out log quick on dc0 all
#log out quick on dc0 all
#


#
# No restrictions on Inside Lan Interface for private network
# Not needed unless you have Lan
#

#pass out quick on xl0 all   # production server config
#pass in  quick on xl0 all   # production server config

pass out quick on rl0 all  # development server config
pass in  quick on rl0 all  # development server config

#
# No restrictions on Loopback Interface
#

pass in  quick on lo0 all
pass out quick on lo0 all

#
# Interface facing Public internet  (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network
# or from this gateway server destined for the public internet.
#

# Allow out access to my ISP's Domain name server.
# xxx.xxx.xxx.xxx must be the IP address of your ISP's DNS.
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
pass out quick on dc0 proto tcp from any to 168.162.40.2 port = 53 flags S keep state
pass out quick on dc0 proto udp from any to 168.162.40.2 port = 53 keep state
#pass out log quick on dc0 proto udp from any to any port = 53 keep state


# Allow out access to my ISP's DHCP server for cable or DSL networks.
# This rule is not needed for 'user ppp' type connection to the
# public internet, so you can delete this whole group.
# Use the following rule and check log for IP address.
# Then put IP address in commented out rule & delete first rule
pass out quick on dc0 proto udp from any to 168.170.21.152 port = 67 keep state

# Allow out non-secure standard www function
pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state

# Allow out secure www function https over TLS SSL
pass out quick on dc0 proto tcp from any to any port = 443 flags S keep state

# Allow out send & get email function
pass out quick on dc0 proto tcp from any to any port = 25  flags S keep state
pass out quick on dc0 proto tcp from any to any port = 110 flags S keep state

# Allow out Time
pass out quick on dc0 proto tcp from any to any port = 37 flags S keep state

# Allow out nntp news
pass out quick on dc0 proto tcp from any to any port = 119 flags S keep state

# Allow out gateway & LAN users non-secure FTP ( both passive & active modes)
# This function uses the IPNAT built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state


# Allow out secure FTP, Telnet, and SCP
# This function is using SSH  (secure shell)
pass out quick on dc0 proto tcp from any to any port = 22 flags S keep state

# Allow out non-secure Telnet
pass out quick on 

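A small lint script for the ipf.rules conventions the post above follows (every pass rule on the public interface is "quick", outbound TCP rules carry "flags S keep state", outbound UDP rules "keep state"). This is an added example, not code from the post or from ipfilter; the interface name dc0, the checks themselves and the sample rule lines are assumptions and constructed input.

```python
# Lint an ipf.rules file against the conventions the post above follows.
# Assumptions (mine, not ipf's): public interface is dc0; every pass rule on it
# is 'quick'; outbound TCP rules carry 'flags S keep state'; outbound UDP 'keep state'.
import re

PUBLIC_IF = "dc0"  # assumption: the external interface used in the post

# Constructed sample: rules in the post's style plus two deliberately weak ones
SAMPLE_RULES = """\
pass in  quick on lo0 all
pass out quick on lo0 all
pass out quick on dc0 proto tcp from any to 168.162.40.2 port = 53 flags S keep state
pass out quick on dc0 proto udp from any to 168.162.40.2 port = 53 keep state
pass out quick on dc0 proto tcp from any to any port = 80 flags S keep state
pass out quick on dc0 proto tcp from any to any port = 23 flags S
pass out on dc0 proto udp from any to any port = 123 keep state
"""

RULE_RE = re.compile(r"^(pass|block)\s+(in|out)\s+(quick\s+)?on\s+(\S+)(.*)$")

def lint_rules(text):
    """Return (line_no, problem) tuples for rules that break the conventions."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            problems.append((n, "unrecognised rule syntax"))
            continue
        action, direction, quick, iface, rest = m.groups()
        if action != "pass" or iface != PUBLIC_IF:
            continue  # only the public-interface pass rules are checked
        if not quick:
            problems.append((n, "missing 'quick': a later rule could override this one"))
        proto = re.search(r"\bproto\s+(\S+)", rest)
        proto = proto.group(1) if proto else None
        if direction == "out" and proto == "tcp":
            if "flags S" not in rest:
                problems.append((n, "tcp rule without 'flags S': not limited to new sessions"))
            if "keep state" not in rest:
                problems.append((n, "tcp rule without 'keep state': replies are not tracked"))
        if direction == "out" and proto == "udp" and "keep state" not in rest:
            problems.append((n, "udp rule without 'keep state': replies are not tracked"))
    return problems

if __name__ == "__main__":
    for line_no, problem in lint_rules(SAMPLE_RULES):
        print(f"line {line_no}: {problem}")
```

Running it on the sample reports the Telnet rule (no "keep state") and the NTP rule (no "quick"); the lo0 rules are ignored because they are not on the public interface.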
Re: installing ipfilter

2004-04-25 Thread Senandung Mendonan
On Sun, 25 Apr 2004, Robert Storey wrote:

> I wanted to do some experimenting with ipfilter, and strangely, I can't
> figure out how to install it.

It's a kernel option, disabled by default. See /usr/src/sys/conf/NOTES,
look for 'IPFILTER'.

--mendonan
"Yang mimpikan secangkir kopi panas dengan selimut.."
 (Dreaming of a cup of hot coffee, and a blanket..)
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"