
ipfilter

Differences

ipfilter [2019/02/01 00:30]
raion
ipfilter [2019/02/01 00:44] (current)
raion Created
Line 8: Line 8:
  
 The install components of the software base subsystem (ipfilter.sw.base) include: The install components of the software base subsystem (ipfilter.sw.base) include:
 +
 +<​code>​
 +f 24676     1 ipfilter.sw.base ​     c etc/​config/​ipfilter
 +f 41041     1 ipfilter.sw.base ​     c etc/​config/​ipfilter.options
 +f 24675     1 ipfilter.sw.base ​     c etc/​config/​ipmon.options
 +f 24643     1 ipfilter.sw.base ​     c etc/​config/​ipnat.options
 +f 51944     5 ipfilter.sw.base ​       etc/​init.d/​ipf
 +f 19158     2 ipfilter.sw.base ​     c etc/​ipf.conf
 +f 40955     1 ipfilter.sw.base ​     c etc/​ipnat.conf
 +l     ​0 ​    0 ipfilter.sw.base ​       etc/​rc2.d/​S33ipf
 +f 38138   131 ipfilter.sw.base ​     m sbin/ipf
 +f 21023    46 ipfilter.sw.base ​     m sbin/ipfs
 +f 22340   281 ipfilter.sw.base ​     m sbin/​ipfstat
 +f 13553    87 ipfilter.sw.base ​     m sbin/ipmon
 +f 64991   230 ipfilter.sw.base ​     m sbin/ipnat
 +f 21372    43 ipfilter.sw.base ​       usr/​include/​netinet/​ipfil.h
 +f 18548    18 ipfilter.sw.base ​       usr/​include/​netinet/​ipnat.h
 +f 33309   361 ipfilter.sw.base ​     m usr/​ipfilter/​bin/​ipftest
 +f 30230    91 ipfilter.sw.base ​     m usr/​ipfilter/​bin/​ipresend
 +f 59158   217 ipfilter.sw.base ​     m usr/​ipfilter/​bin/​ipsend
 +f 13573     6 ipfilter.sw.base ​       usr/​ipfilter/​bin/​mkfilters
 +d     ​0 ​    0 ipfilter.sw.base ​       var/db/ipf
 +f 60660   493 ipfilter.sw.base ​     m var/​sysgen/​boot/​ipf.o
 +f  3341     1 ipfilter.sw.base ​       var/​sysgen/​master.d/​ipf
 +f 46163     1 ipfilter.sw.base ​       var/​sysgen/​system/​ipf.sm
 +</​code>​
 +
 +Note that the ipfilter filter executable utilities (e.g. mkfilters) reside in a subdirectory /​usr/​ipfilter/​bin,​ that will not normally be in your path.
 +
 +====Configuring====
 +IPFilter is a sophisticated tool and configuring it properly requires some effort with a small learning curve. Fortunately,​ there is an excellently written HowTo tutorial available for download in addition to other [[https://​web.archive.org/​web/​20110822105615/​http://​www.obfuscation.org/​ipf/​ipf-howto.html|documentation]]. ​
 +
 +The files that control the particulars of the installation are:
 +
 +<​code>​
 +/​etc/​ipf.conf
 +/​etc/​ipnat.conf
 +/​etc/​config/​ipfilter.options
 +/​etc/​config/​ipnat.options
 +</​code>​
 +
 +The ipf.conf and ipnat.conf being the chief config files. ​
 +
 +====Enabling====
 +To enable, shut of ipfilterd (unrelated package) and turn on ipfilter using chkconfig:
 +
 +<​code>​
 +# chkconfig ipfilterd off
 +# chkconfig ipfilter on
 +</​code>​
 +
 +The ipfilter daemon will not have started yet, but it can be manually invoked as root using the start-up script:
 +
 +<​code>​
 +/​etc/​init.d/​ipf start|stop|reload
 +</​code>​
 +
 +If ipfilterd is already running, a reboot is probably required to fully deactivate it.
 +
 +====Examples====
 +
 +===Simple Firewall===
 +
 +<​code>​
 +#Handling the loopbackdevice
 +pass out quick on lo0
 +pass in  quick on lo0
 +
 +
 +#Block known "black hats"
 +block in quick on ef0 from 64.207.134.34 ​  to any
 +block in quick on ef0 from 129.175.81.121 ​ to any
 +block in quick on ef0 from 216.133.229.216 to any
 +
 +
 +#Manage the Connection to the internet (all keep state)
 +pass out quick on ef0 proto tcp  from any to any flags R/R
 +pass out quick on ef0 proto tcp  from any to any flags S keep state
 +pass out quick on ef0 proto udp  from any to any keep state
 +pass out quick on ef0 proto icmp from any to any keep state
 +pass out quick on ef0 proto tcp  from any to any port = 21 flags S keep state
 +
 +
 +#Open Connections from the Internet
 +pass in quick on ef0 proto tcp from any to any port = 22   keep state   # SSH
 +pass in quick on ef0 proto tcp from any to any port = 80   keep state   # HTTP
 +pass in quick on ef0 proto tcp from any to any port = 443  keep state   # HTTPS
 +pass in quick on ef0 proto tcp from any to any port = 3690 keep state   # SVN and CVS
 +
 +
 +#Mysql Connects from a special host are allowed
 +pass in quick on ef0 proto tcp from 194.15.95.14 to any port = 3306 keep state
 +
 +
 +#ICMP managen
 +pass  in     quick on ef0 proto icmp from any to any icmp-type 0 # PING
 +pass  out    quick on ef0 proto icmp from any to any icmp-type 0 # PING
 +pass  in     quick on ef0 proto icmp from any to any icmp-type 3
 +pass  in     quick on ef0 proto icmp from any to any icmp-type 8
 +pass  out    quick on ef0 proto icmp from any to any icmp-type 8
 +pass  in     quick on ef0 proto icmp from any to any icmp-type 11
 +block in log quick on ef0 proto icmp from any to any
 +
 +
 +#Block some weird IP-Packages.
 +block in log quick on ef0 proto tcp all with short
 +block in log quick on ef0 all with opt lsrr
 +block in log quick on ef0 all with opt ssrr
 +
 +
 +#Block all and log
 +block in log on ef0 all
 +</​code>​
 +
 +This is a relatively old example retrieved from the Nekochan Wiki, and probably can be optimized further. ​
 +
 +====Routing with NAT and Firewall====
 +Chapter 3 of SGI's IRIX documentation,​ [[https://​irix7.com/​techpubs/​007-2860-012.pdf|IRIX Admin: Networking and Mail]], describes a very simple process of turning an IRIX machine with multiple ethernet interfaces into a router. A summary of the steps are:
 +
 +    Enable the 2nd interface (by modifying /​etc/​config/​netif.options) and name it gate-<​1st interface name>
 +    Reconfigure the kernel and restart the system
 +
 +Supposedly, IRIX will auto-magically start routing packets. What is not discussed is the following:
 +
 +    Is the routed daemon running?
 +
 +chkconfig routed on|off
 +
 +    Should gated be used instead?
 +
 +chkconfig gated on|off
 +
 +    Should IP Forwarding be enabled? (Software Manager->​Network and Connectivity->​Configure Interface)
 +
 +Below are the contents of the NAT configuration file, /​etc/​ipnat.conf,​ set up so that a private network (192.168.0.x) can access the public network through an IRIX (dual-interfaced) gateway that is running IPFilter.
 +
 +map tg0 192.168.0.0/​24 -> <​gateway'​s public IP address>/​32
 +
 +The machines on the private network should have their default routes set to the private address of the gateway (e.g. 192.168.0.1)
 +
 +====Testing / Bugs===
 +The existing SGI packaged IPFilter is known to spew the following messages to the console when it is up on machines with gigabit ethernet interfaces (tg0, tg1, etc.).
 +
 +IPFilter: ipl_if_output:​ mbuf block too small (m_len=0) for IP vers+hlen, m_type=2 m_flags=0x41
 +
 +This appears to be harmless debug messages. ​
 +
 +The best way is to set l2tcpseg to OFF (default is ON) in /​etc/​config/​tgconfig.options,​ assuming the machine is using an original SGI Gigabit interface on IRIX 6.5.27.
 +
 +{{tag>​[Tutorials]}}
 +
  
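Review bot: the Simple Firewall ruleset never blocks outbound traffic by default, so the `pass out quick` rules under "Manage the Connection to the internet" are effectively redundant and any outbound packet they do not match (for example a TCP segment carrying neither the SYN flag nor an existing state entry) is passed silently under ipf's default policy; add a catch-all such as `block out log on ef0 all` beside the existing `block in log on ef0 all` so the outbound side is explicit and logged. The ipnat example `map tg0 192.168.0.0/24 -> <gateway's public IP address>/32` translates addresses only; for several private hosts sharing one public address the IPF HOWTO linked from the page pairs it with a port-mapped rule placed first, i.e. `map tg0 192.168.0.0/24 -> <gateway's public IP address>/32 portmap tcp/udp 10000:60000`, and tg0 must be the gateway's outside interface (the firewall example above is written for ef0, so the two examples do not describe the same host as given). Two markup nits: the marker counts in `====Testing / Bugs===` should match (four on each side, as the other section headings use), and "shut of ipfilterd" should read "shut off ipfilterd".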
ipfilter.txt · Last modified: 2019/02/01 00:44 by raion