NetBSD

History

darrenr 1098c7bfb7 Import IPFilter 4.1.33 4.1.33 - Release 16 August 2009 2837931 wrong mode selected in ipf program for hash-entries 2826168 load_http can make ippool core dump 2825150 IPL_LOGMAX used to index some arrays 2825084 ipv6 fragments should not be allowed past 64k 2824713 ipfstat top output alternates between entries and nothing 2824712 ipfstat top output is shows negative ttl 2820965 a single bad ipv6 extension header should not impact others 2818197 ignored fragment bits defined as being reserved 2817667 IPv6 fragment header verification needs attention 2817098 fr_getrulen() finds the wrong rule 2817096 fr_rulen is unused 2741019 Lingering states (Established/Listen - 5/0) in state table 2702887 use of PBR/fastroute causes panic with ipv6 2671913 regression test in7 fails to execute 2598625 parsing empty config file results in an error 2698656 test parsing empty config files 2597956 not all pointers in a clone are reset 2543934 nat_t gets assigned ifp too early 2535795 No need to always bump fr_ref 2535778 Bad IPv6 packets droped by default 2031730 4.1.31 Nat drops fragmented packets after the first 2214661 ipf does not handle IPv6 fragments 2473273 NAT removed before RST/ICMP sent 2216500 fin_state serves no purpose 2424604 adding random MD5 data causes panic 2304435 Ineffecient lock usage in logging 2216491 fin_nat serves little purpose 2055619 duplicating a free-d packet will fail 2042949 Excessive locking when creating nat_t 2035610 nat_update does not need to get locks 2214658 ipf mostly ignores locking in NetBSD 1979427 Memory leak in user utilities - token never freed (rel br) * SunOS4 does not have a curproc, but it does have u. * The fix for 2020447 generated random port numbers but not within the range specified in the map rule. Add in a regression test to verify that the "random" part works. 2020447 NAT can undo name server random port selection 1988795 NetBSD does not build with kernel malloc stats 1988782 fr_movequeue can take a short cut 1988669 first nat creation failure prevents further success 1988668 hostmap searching does not work properly * on some 64bit architectures (such as alpha), the addrfamily_t is packed differently, throwing off the calculations for adf_len * one too many READ_ENTERs in ip_sync code. * clean up fr_fastroute a little by removing some #ifdefs and pushing the code around a bit to use the same variables (NetBSD) * more recent NetBSDs use VOP related macros differently		2009-08-19 08:28:39 +00:00
..
BSD
etc
FWTK	Import IPFilter 4.1.29 to the vendor branch	2008-05-20 06:43:46 +00:00
iplang	Pullup IPFilter 4.1.29 from the vendor branch to HEAD.	2008-05-20 07:08:06 +00:00
ipsd
ipsend	Fix two problems in a conditional:	2009-07-02 01:43:15 +00:00
l4check	Import IPFilter 4.1.33	2009-08-19 08:28:39 +00:00
lib	Import IPFilter 4.1.33	2009-08-19 08:28:39 +00:00
man
perl	Import IPFilter 4.1.33	2009-08-19 08:28:39 +00:00
rules
samples	Import IPFilter 4.1.33	2009-08-19 08:28:39 +00:00
test	Import IPFilter 4.1.33	2009-08-19 08:28:39 +00:00
tools	Import IPFilter 4.1.33	2009-08-19 08:28:39 +00:00
arc4random.c	Import IPFilter 4.1.33	2009-08-19 08:28:39 +00:00
BNF	Pullup IPFilter 4.1.29 from the vendor branch to HEAD.	2008-05-20 07:08:06 +00:00
bpf_filter.c
bpf-ipf.h	Import IPFilter 4.1.29 to the vendor branch	2008-05-20 06:43:46 +00:00
BugReport
HISTORY	Pullup IPFilter 4.1.29 from the vendor branch to HEAD.	2008-05-20 07:08:06 +00:00
IMPORTANT
ip_fil.c	2020447 IPFilter's NAT can undo name server random port selection	2008-07-24 09:37:57 +00:00
ip_htable.c	Import IPFilter 4.1.33	2009-08-19 08:28:39 +00:00
ip_htable.h
ip_irc_pxy.c	Import IPFilter 4.1.33	2009-08-19 08:28:39 +00:00
ip_lookup.c	Pullup IPFilter 4.1.29 from the vendor branch to HEAD.	2008-05-20 07:08:06 +00:00
ip_lookup.h	Pullup IPFilter 4.1.29 from the vendor branch to HEAD.	2008-05-20 07:08:06 +00:00
ip_pool.c	Import IPFilter 4.1.33	2009-08-19 08:28:39 +00:00
ip_pool.h	Import IPFilter 4.1.29 to the vendor branch	2008-05-20 06:43:46 +00:00
ip_pptp_pxy.c	Import IPFilter 4.1.33	2009-08-19 08:28:39 +00:00
ip_rpcb_pxy.c	Import IPFilter 4.1.33	2009-08-19 08:28:39 +00:00
ip_scan.c	Pullup IPFilter 4.1.29 from the vendor branch to HEAD.	2008-05-20 07:08:06 +00:00
ip_scan.h
ip_sync.c	Import IPFilter 4.1.33	2009-08-19 08:28:39 +00:00
ip_sync.h
ipf2netbsd
ipf.h	Pullup IPFilter 4.1.29 from the vendor branch to HEAD.	2008-05-20 07:08:06 +00:00
IPF.KANJI
IPFILTER.LICENCE
ipmon.h	Import IPFilter 4.1.29 to the vendor branch	2008-05-20 06:43:46 +00:00
ipt.h
kmem.h
Makefile	Pullup IPFilter 4.1.29 from the vendor branch to HEAD.	2008-05-20 07:08:06 +00:00
md5.c
md5.h	Import IPFilter 4.1.29 to the vendor branch	2008-05-20 06:43:46 +00:00
mkfilters	Pullup IPFilter 4.1.29 from the vendor branch to HEAD.	2008-05-20 07:08:06 +00:00
ml_ipl.c	Pullup IPFilter 4.1.29 from the vendor branch to HEAD.	2008-05-20 07:08:06 +00:00
mlf_rule.c
mlfk_ipl.c	Import IPFilter 4.1.29 to the vendor branch	2008-05-20 06:43:46 +00:00
mlfk_rule.c
mlh_rule.c
mln_rule.c
mlo_ipl.c
mlo_rule.c
mls_rule.c
mlso_rule.c
opts.h
pcap-ipf.h
QNX_OCL.txt
radix_ipf.h	Import IPFilter 4.1.29 to the vendor branch	2008-05-20 06:43:46 +00:00
radix.c	Pullup IPFilter 4.1.29 from the vendor branch to HEAD.	2008-05-20 07:08:06 +00:00
README
README.NetBSD	IPF 4.1.31 is out	2008-10-20 12:09:15 +00:00
snoop.h
STYLE.TXT
todo	Pullup IPFilter 4.1.29 from the vendor branch to HEAD.	2008-05-20 07:08:06 +00:00
WhatsNew40.txt
Y2K

README

IP Filter - What's this about ?
============================
Web site: http://coombs.anu.edu.au/~avalon/ip-filter.html
How-to: http://www.obfuscation.org/ipf/ipf-howto.txt

  The idea behind this package is allow those who use Unix workstations as
routers (a common occurance in Universities it appears) to apply packet
filtering to packets going in and out of them.  This package has been
tested on all versions of SunOS 4.1 and Solaris 2.4/2.5, running on Sparcs.
It is also quite possible for this small kernel extension to be installed
and used effectively on Sun workstations which don't route IP, just for
added security.  It can also be integrated with the multicast patches.
It has also been tested successfully on all of the modern free BSDs as
well as BSDI, and SGI's IRIX 6.2.

   The filter keeps a rule list for both inbound and outbound sides of
the IP packet queue and a check is made as early as possible, aiming to
stop the packet before it even gets as far as being checked for source
route options.  In the file "BNF", a set of rules for constructing filter
rules understood by this package is given.  The files in the directory
"rules", "example.1" ... "example.sr" show example rules you might apply.

   In practise, I've successfully isolated a workstation from all
machines except the NFS file servers on its local subnets (yeah, ok, so
this doesn't really increase security, because of NFS, but you get the
drift on how it can be applied and used).  I've also successfully
setup and maintained my own firewalls using it with TIS's Firewall Toolkit,
including using it on an mbone router.

   When using it with multicast IP, the calls to fr_check() should be
before the packet is unwrapped and after it is encapsulated.  So the
filter routines will see the packet as a UDP packet, protocol XYZ.
Whether this is better or worse than having it filter on class D addresses
is debateable, but the idea behind this package is to be able to
discriminate between packets as they are on the 'wire', before they
get routed anywhere, etc.

   It is worth noting, that it is possible, using a small MTU and
generating tiny fragmented IP packets to generate a TCP packet which
doesn't contain enough information to filter on the "flags".  Filtering
on these types of packets is possible, but under the more general case
of the packets being "short".  ICMP and UDP packets which are too small
(they don't contain a complete header) are dropped and logged, no questions
asked.  When filtering on fragmented packets, the last fragment will get
through for TCP/UDP/ICMP packets.

Bugs/Problems
-------------
If you have a problem with IP Filter on your operating system, please email
a copy of the file "BugReport" with the details of your setup as required
and email to darrenr@pobox.com.

Some general notes.
-------------------
   To add/delete a rule from memory, access to the device in /dev is needed,
allowing non-root maintenaince.  The filter list in kernel memory is built
from the kernel's heap.  Each packet coming *in* or *out* is checked against
the appropriate list, rejects dropped, others passed through.  Thus this will
work on an individual host, not just gateways.  Presently there is only one
list for all interfaces, the changes required to make it a per-interface list
require more .o replacements for the kernel.  When checking a packet, the
packet is compared to the entire list from top to bottom, the last matching
line being effective.


What does what ?
----------------
if_fil.o  (Loadable kernel module)
	- additional kernel routines to check an access list as to whether
	  or not to drop or pass a packet.  It currently defaults to pass
	  on all packets.

ipfstat
	- digs through your kernel (need to check #define VMUNIX in fils.c)
	  and /dev/kmem for the access filter list and mini stats table.
	  Obviously needs to be run priviledged if required.

ipf
	- reads the files passed as parameters as input files containing new
	  filter rules to add/delete to the kernel list.  The lines are
	  inserted in order; the first line is inserted first, and ends up
	  first on the list.  Subsequent invocations append to the list
	  unless specified otherwise.

ipftest
	- test the ruleset given by filename.  Reads in the ruleset and then
	  waits for stdin.

	  See the man pages (ipf.1, ipftest.1, ipfstat.8) for more detailed
	  information on what the above do.

mkfilters
	- suggests a set of filter rules to employ and suggests how to add
	  routes to back these up.

BNF
	- BNF rule set for the filter rules

Darren Reed
darrenr@pobox.com
http://coombs.anu.edu.au/~avalon/ip-filter.html