The FreeBSD Diary

This diary note describes how I installed IP Filter for the second time.   I strongly suggest you follow the instructions within INST.FreeBSD-2.2 in conjunction with my detailed steps from my original IP Filter installation.

See also IP Filter - an alternative firewall and NAT to ipfw/natd.

This is the second time I've tried IP Filter.  I had trouble getting traceroute.  I've been using the latest beta of IP Filter and doing some testing with the help of the author.  Darren has fixed the trace problem I initially encountered.   The utility I was using to do a trace used short packets which were being removed by the block in log quick all with short rule.  This fix will be available with IP Filter 3.2.10.

Installation | Loading | Logging

This time, I followed the same instructions I used in the original install.  Although I did not create a new kernel as that step had been performed during the original install.  In short, I did the following.

1. cd /usr/ports/net
2. gunzip ip_fil3.2.10beta.tgz
3. tar -xvf ip_fil3.2.10beta.tar
4. cd ip_fil3.2.10beta6
5. make freebsd22 IPFILKERN=<kernel_name>
6. make install-bsd

NOTE: in step 5, substitute your kernel name for <kernel_name>.  See the original install for details.

The following command shows the name of your present kernel:

su-2.02# uname -a                              
FreeBSD freebsd.dvl-software.co.nz 2.2.7-RELEASE FreeBSD 2.2.7-RELEASE #0:
Wed Nov  4 23:49:25 NZDT 1998     
dan@freebsd.dvl-software.co.nz:/usr/src/sys/compile/IPFILTER3  i386

In the above example, the kernel name is IPFILTER3.

su-2.02# modstat
Type     Id Off Loadaddr Size Info     Rev Module Name
DEV    <id>  79 f3c86000 0031 f3c90248   1 IP Filter v3.2.9
su-2.02# modunload -i <id>
su-2.02# modload /lkm/if_ipl.o
Module loaded as ID 1

You will also have to restart your NAT rules and reload your filtering rules.   Here's what I did:

ipnat -f /etc/ipnat.conf
ipf -f /etc/ipfilter_rules

I have also supplied my NAT rules for those that may need an example.

As for your firewall rules, I suggest you start with the contents of the Rules directory and use either BASIC_1.FW or BASIC_1.FW as the basis for your rule set.  Also note that BNF contains the rule syntax.

1. edit /etc/syslog.conf
2. add local0.info /var/log/mylog.log
3. kill -HUP PID_syslogd
4. ipmon -s -n -x

But nothing appears in /var/log/firewall.log. Instead, the messages are going to /var/log/messages.

/etc/syslog.conf, it prefers tabs, not spaces.  Details available here.

Please note that syslog.conf prefers tabs over spaces.  If you use spaces, you'll get a message during reboot which is similar to the following:

unknown priority name "info	/var/log/firewall.log"

Here is what I put in my /etc/syslog.conf to get ipmon messages into the correct file (note that the first line has been split into two lines so it fits on the page):

*.notice;kern.debug;lpr.info;mail.crit;news.err;local0.none
                                          /var/log/messages
local0.info;local0.debug                  /var/log/firewall.log
local0.err                                /var/log/firewall.err

You will notice that I added a local0.none to the first line.  This stopped the messages from appearing the the messages log.  The next two lines direct the information to the appropriate files.

Eventually, I'll add something to rotate these logs so they don't get too big.   But that's another topic for a later date.