IP Filter
IP Filter is one of the three packet filters included in FreeBSD.
Documentation
IP Filter documentation can be found at the following:
- The man pages can be found at:
- FreeBSD's handbook page: https://www.freebsd.org/doc/handbook/firewalls-ipf.html
- NetBSD's handbook page: https://www.netbsd.org/docs/network/nsps/config_ipf.html
- Oracle Solaris IP Filter documentation: https://docs.oracle.com/cd/E36784_01/html/E36883/ipfilter-5.html
- This Solaris 10 article is a good primer: https://prefetch.net/articles/solarisipfilter.html
- Illumos ipfilter documentation: https://illumos.org/man/5/ipfilter
- Phil Dibowitz has created an excellent FAQ: https://www.phildev.net/ipf/
- IP Filter commands and tools: https://techpubs.jurassic.nl/manuals/0650/admin/IPFilter_UG/sgi_html/ch03.html
FreeBSD Ports
Four FreeBSD ports support IP Filter.
ipfmeta (https://svnweb.freebsd.org/ports/head/security/ipfmeta/) is used to simplify the maintenance of your IP Filter ruleset. It does this through the use of 'objects': a matching object is replaced by its values at runtime, similar to what a macro processor like m4 does.
Firewall Builder (fwbuilder, https://svnweb.freebsd.org/ports/head/security/fwbuilder/) consists of an object-oriented GUI and a set of policy compilers for various firewall platforms. In Firewall Builder, a firewall policy is a set of rules; each rule consists of abstract objects that represent real network objects and services (hosts, routers, firewalls, networks, protocols). Firewall Builder helps the user maintain a database of objects and allows policy editing using simple drag-and-drop operations.
p5-plog (https://svnweb.freebsd.org/ports/head/security/p5-plog/) is a parser for the logged output of the ipmon utility that is part of the excellent IP-Filter packet-filtering and NAT package written and maintained by Darren Reed. plog translates the somewhat garbled output from ipmon into a report that aids analysis of your firewall traffic.
fwanalog (https://svnweb.freebsd.org/ports/head/security/fwanalog/) is a shell script that parses and summarizes firewall logfiles. It uses the excellent log analysis program Analog to create its reports.
Bugs and Features
| Bug/Feature | Status | Notes |
| --- | --- | --- |
| #ifdef cleanup | Done | |
| Convert ipfilter to new routing KPI | Done | |
| Removal of GIANT | Done | |
| Debugging DTrace probes | Complete | Added as needed |
| IPv6 checksum fixes | Done | |
| Ansify kernel function definitions | Complete but not committed | |
| Ansify userland function definitions | 25% complete | |
| Replace caddr_t with void* | Not tested | |
| Make radix_ipf IPv6 aware | WIP | |
| Extend flags (flags2) | WIP | |
| Import NetBSD ip_nat r1.14 patch | Not tested | |
| TCP MSS support as in iptables | Not started | |
| ip_nat.c-putent | WIP | |
| ipfs bug | Not started | |
| revert r343590 and find a better way to fix | WIP | |
| Documentation and examples | Not started | |
| Resurrect ipftest and enable NetBSD tests | Not started | |
| Replace SPRINTF with snprintf in kernel | WIP | |
| Manage jail's rules from the host | Not started | Prerequisite to import into Illumos |
| Restrict a jail's control over rules | Not started | Prerequisite to import into Illumos |