
Using IP Filter as a Loadable Kernel Module
by Bryan Bursey

This article discusses using IP Filter as a Loadable Kernel Module, as suggested by the author of IP Filter, Darren Reed. The discussion pertains to FreeBSD 4.2-RELEASE and IP Filter 3.4.8; other combinations may work but have not yet been tested.

Loading the Module

The IP Filter module is ipl.ko, and is found in /modules. To ensure that the module is loaded early in the boot process, it is necessary to add the following line to /boot/loader.conf:

    ipl_load="YES"

This assumes that the standard module-loading syntax has not been altered from the default (see /boot/defaults/loader.conf). At this point, the module should load each time the system boots.

Starting ipf

Both /etc/rc.conf and /etc/rc.network are ipf-aware. To start ipf during the initial network setup, add the following lines to /etc/rc.conf:

    ipfilter_enable="YES"
    ipfilter_flags=""

These lines override the values of the same variables in /etc/defaults/rc.conf, which are "NO" and "-E" respectively. The change from "NO" to "YES" is obvious. Less obvious is a note buried in man 8 ipf that "-E" (and "-D") have no effect on loadable kernel module versions, so the "-E" needs to be removed; with the module, the filter is already enabled once ipl.ko is loaded.

The Filtering Rules

The ruleset should be stored in /etc/ipf.rules. Further discussion of IP Filter based firewall systems can be found at http://www.obfuscation.org/ipf/ipf-howto.txt. Initially, it may be best to use an 'open' configuration that filters no packet arriving or leaving via any of the computer's network interfaces. The rules file, in that case, would look like:

    pass in from any to any
    pass out from any to any

Note that this is not a ruleset for extended use; its only purpose is to ensure that the user is not accidentally locked out of the machine while verifying that the module and the rc hooks work. (The author of this article accepts no responsibility for any damages incurred due to actions taken based on this document.)
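The three edits above (loader.conf, rc.conf, ipf.rules) are easy to get subtly wrong by hand, for example leaving a second ipfilter_flags line that still carries "-E". The script below is an added example, not part of the original article or of IP Filter itself: it applies the settings idempotently to copies of the files in a staging directory, so the result can be inspected before being copied to /boot and /etc, and it checks that ipfilter_flags no longer contains "-E" or "-D". It assumes sh(1), grep, sed and mktemp are available and that the rc-style files use one var="value" per line, as /boot/defaults/loader.conf and /etc/defaults/rc.conf do. The function and directory names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): stage the loader.conf,
# rc.conf and ipf.rules changes described above in a scratch directory.
# Assumes POSIX sh, grep, sed; rc-style files with one NAME="value" per line.

# set_var FILE NAME VALUE: replace an existing NAME=... line or append one,
# so re-running never produces duplicate assignments.
set_var() {
    file=$1; name=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${name}=" "$file"; then
        # write via a temp file; portable across BSD and GNU sed(1)
        sed "s|^${name}=.*|${name}=\"${value}\"|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$name" "$value" >> "$file"
    fi
}

# get_var FILE NAME: print NAME's value without quotes; the last assignment
# wins, as it does when sh(1) sources the file. Empty if unset.
get_var() {
    sed -n "s|^${2}=\"*\([^\"]*\)\"*.*|\1|p" "$1" | tail -n 1
}

# check_flags FILE: succeed only if ipfilter_flags carries neither -E nor -D,
# the two options man 8 ipf says have no effect on the loadable module.
check_flags() {
    flags=$(get_var "$1" ipfilter_flags)
    case " $flags " in
        *" -E "*|*" -D "*) return 1 ;;
    esac
    return 0
}

# apply_ipf_config DIR: write DIR/loader.conf, DIR/rc.conf and DIR/ipf.rules
# with the article's settings, then verify the flags. Copy the staged files to
# /boot/loader.conf, /etc/rc.conf and /etc/ipf.rules only after reviewing them.
apply_ipf_config() {
    dir=$1
    set_var "$dir/loader.conf" ipl_load YES
    set_var "$dir/rc.conf" ipfilter_enable YES
    set_var "$dir/rc.conf" ipfilter_flags ""
    # the article's 'open' ruleset: passes everything, for initial testing only
    cat > "$dir/ipf.rules" <<'EOF'
pass in from any to any
pass out from any to any
EOF
    check_flags "$dir/rc.conf"
}

# Usage: apply_ipf_config /path/to/staging/dir
```

On the FreeBSD box itself, after the reboot, `kldstat` should list ipl.ko, `ipf -nf /etc/ipf.rules` parses the rules file without loading it (useful before replacing the open ruleset with a real one), and `ipfstat -io` shows the rules the kernel is actually using.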

Conclusion

Having completed the steps outlined above, rebooting the computer should load the IP Filter kernel module and start ipf with the open configuration. Since that configuration filters nothing, it will then be necessary to develop a ruleset appropriate to the specific computer and its function.

© 1997 - 20013 Defcon1, www.defcon1.org , Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission of www.defcon1.org and the content's original author.
