IP Filter

                         Current version: 3.2beta5

                              What's new?

                               Mailing list?

                               Send mail to
                        majordomo@coombs.anu.edu.au
             with "subscribe ipfilter" in the body of the mail.

                                 What is it?

IP Filter is a TCP/IP packet filter, suitable for use in a firewall
environment. It can be used either as a loadable kernel module or compiled
into your UNIX kernel; using it as a loadable kernel module is strongly
recommended wherever that is possible. Scripts are provided to install and
patch system files as required.

An overview of how IP Filter fits into the overall picture of TCP/IP
processing in your kernel, and of the order in which the various filtering
phases are carried out, is also available.

The small and slowly growing FAQ List is also now available.

It comes as a part of the following operating systems:

     * OpenBSD
     * NetBSD-current (post 1.2)

It has been tested and run on:

     * Solaris/Solaris-x86 2.3 - 2.6
     * SunOS 4.1.1 - 4.1.4
     * NetBSD 1.0 - 1.2
     * FreeBSD 2.0.0 - 2.1.5
     * BSD/OS-1.1, 2.0

It comes with Multicast IP patches already applied (for SunOS 4).

To ftp this package, see:
     the list of mirrors
     ftp to ftp://coombs.anu.edu.au/pub/net/kernel/ip-fil3.1.11.tar.gz or
     the latest beta (3.2beta5)
     ftp://coombs.anu.edu.au/pub/net/kernel/ip-fil-beta.tar.gz
     or via http from http://coombs.anu.edu.au/~avalon/ip-fil3.1.11.tar.gz
     or the latest beta (3.2beta5)
     http://coombs.anu.edu.au/~avalon/ip-fil-beta.tar.gz

                         The IP packet filter can:

     * explicitly deny/permit any packet from passing through
     * distinguish between various interfaces
     * filter by IP networks or hosts
     * selectively filter any IP protocol
     * selectively filter fragmented IP packets
     * selectively filter packets with IP options
     * send back an ICMP error/TCP reset for blocked packets
     * keep packet state information for TCP, UDP and ICMP packet flows
     * keep fragment state information for any IP packet, applying the
       same rule to all fragments
     * act as a Network Address Translator (NAT)
     * use redirection to set up true transparent proxy connections

     Special provision is made for the three most common Internet
     protocols, TCP, UDP and ICMP. The IP packet filter allows filtering
     of:

          * TCP/UDP packets by port number or a port number range
          * ICMP packets by type/code
          * "established" TCP packets
          * any arbitrary combination of TCP flags
          * "short" (fragmented) IP packets with incomplete headers
          * any of the 19 IP options or 8 registered IP security classes
          * the TOS (Type of Service) field in packets

     To ease the process of writing filter rules, you can now use a
     "Filter Language Compiler" (flc). For more information on this,
     including the firewalling packet filters it supports, see
     http://coombs.anu.edu.au/~avalon/flc.html.


     To keep track of what the IP packet filter is doing, a logging
     device is used which supports logging of:

          * the TCP/UDP/ICMP and IP packet headers
          * the first 128 bytes of the packet (including headers)

     when:

          * a packet is successfully passed through
          * a packet is blocked from passing through
          * it matches a rule set up to look for suspicious packets

     A set of example rule files, showing what can be done, is also
     available.

     The filter keeps its own set of statistics on:

          * packets blocked
          * packets (and bytes!) used for accounting
          * packets passed
          * packets logged
          * attempts to log which failed (buffer full)

     and much more, for packets going both in and out.
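The following rule file is an added illustration; it is not part of the IP Filter distribution or of this page. It exercises several of the capabilities listed above in the ipf rule syntax. The interface names (le0 towards the Internet, le1 towards the inside), the inside network 192.168.1.0/24 and the mail host 192.168.1.25 are assumptions chosen for the example.

```conf
# Constructed example ipf rule file (not from the IP Filter distribution).
# Assumed layout: le0 faces the Internet, le1 faces the inside network
# 192.168.1.0/24; 192.168.1.25 is the mail host.
# Rules are read in order and the last matching rule decides, unless a
# rule is marked "quick", which stops processing at that rule. The
# defaults therefore come first and the exceptions are marked quick.

# Default policy: block and log everything not passed by a later rule.
block in log all
block out log all

# Fragments too short to hold a complete TCP/UDP header ("short" packets)
# and packets carrying IP options are dropped and logged on the outside.
block in log quick on le0 all with short
block in log quick on le0 all with ipopts

# Anti-spoofing: nothing claiming an inside source address may arrive on le0.
block in log quick on le0 from 192.168.1.0/24 to any

# Inside hosts may open TCP connections and send UDP outward; keeping state
# lets the replies back in without a separate inbound rule.
pass out quick on le0 proto tcp from 192.168.1.0/24 to any flags S keep state
pass out quick on le0 proto udp from 192.168.1.0/24 to any keep state

# Only SMTP is accepted inbound from anywhere, and only to the mail host.
pass in quick on le0 proto tcp from any to 192.168.1.25/32 port = 25 flags S keep state

# Refuse ident lookups with a TCP reset rather than a silent drop, so that
# remote mail servers do not stall waiting for a timeout.
block return-rst in quick on le0 proto tcp from any to any port = 113

# ICMP: answer echo requests, drop and log redirects (type 5).
pass in quick on le0 proto icmp from any to any icmp-type 8 keep state
block in log quick on le0 proto icmp from any to any icmp-type 5

# Everything on the inside interface is trusted.
pass in quick on le1 all
pass out quick on le1 all
```

Load such a file with ipf -Fa -f rules-file (flush the current set, then read the new one), inspect the result with ipfstat -io, and run ipmon -s so that the blocked and logged packets reach syslog. Because the first two rules log everything that falls through, the log shows exactly which traffic the explicit rules failed to cover; ipftest -r rules-file lets you walk sample packets through the same file before it is loaded into a running kernel.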

The current implementation provides a small set of tools, which can easily
be used and integrated with regular UNIX shells and tools. Amongst these
tools is a new addition, ipftest, which is provided so that you can test a
rule set before committing it to use in your kernel. A brief description of
the tools provided:

     * ipf - reads in a set of rules, from either stdin or a file, and
       adds them to the kernel's current list (appending them). It can
       also be used to flush the current filter set or delete individual
       filter rules.

     * ipfstat - interrogates the kernel for statistics on packet
       filtering so far, and retrieves the list of filters in operation
       for inbound and outbound packets.

     * ipftest - reads in a filter rule file and then applies sample IP
       packets to it. This allows for testing of the filter list and
       examination of how a packet is passed along through it.

     * ipmon - reads buffered data from the logging device (default is
       /dev/ipl) for output to either:
          * screen (standard output)
          * file
          * syslog

     * ipsend - generates arbitrary IP packets for ethernet-connected
       machines.

     * ipresend - reads in a data file of saved IP packets (i.e.
       snoop/tcpdump/etherfind output) and sends it back across the
       network.

     * iptest - contains a set of test "programs" which send out a series
       of IP packets, aimed at testing the robustness of the TCP/IP stack
       they are pointed at. WARNING: may crash machine(s) targeted!

     * ipnat - reads in a set of rules, from either stdin or a file, and
       adds them to the kernel's current list of active NAT rules. NAT
       rules can also be deleted using ipnat.
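The NAT and redirection features described above are configured in a rule file of their own, read by ipnat rather than ipf. The following is an added example, not taken from the distribution or from this page; the interface names (le0 outside, le1 inside), the outside address 203.0.113.1, and the proxy host 192.168.1.8 listening on port 3128 are assumptions.

```conf
# Constructed example ipnat rule file (not from the IP Filter distribution).
# Assumed: le0 is the outside interface with address 203.0.113.1, le1 the
# inside interface, and 192.168.1.8 runs a web proxy on port 3128.

# Hide the whole inside network behind the single outside address. TCP and
# UDP sessions are given rewritten source ports from the 10000-20000 range,
# so two inside hosts using the same source port cannot collide ...
map le0 192.168.1.0/24 -> 203.0.113.1/32 portmap tcp/udp 10000:20000
# ... and everything else (ICMP, for instance) is mapped with the address
# change only.
map le0 192.168.1.0/24 -> 203.0.113.1/32

# Transparent proxying: web requests from inside hosts, arriving on le1 for
# any destination on port 80, are redirected to the local proxy. The
# browsers need no configuration and never reach port 80 directly.
rdr le1 0.0.0.0/0 port 80 -> 192.168.1.8 port 3128 tcp
```

ipnat -CF -f rules-file removes the existing NAT rules and active mappings before loading these. Translation does not bypass the filter: the packet filter rules still have to pass the translated packets, so the inside interface and the outbound side of le0 must be permitted in the ipf rule set as well.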

Documentation on ioctl's and the format of data saved to the logging
character device is provided so that you may develop your own applications
to work with or in place of any of the above.

To retrieve this package via anonymous ftp, use:
     ftp://coombs.anu.edu.au/pub/net/kernel/ip-fil3.1.11.tar.gz
     ftp://ftp.cyber.com.au/pub/archive/ipfilter.*

An index of the mailing list has been HTML'ised and is available at:
http://lists.zyzzyva.com/ipfilter/

Mirrors!

     Finland: nic.funet.fi - mirrors
          coombs.anu.edu.au:/pub/net/firewall/ip-filter
     United Kingdom: ftp.tardis.ed.ac.uk - mirrors
          coombs.anu.edu.au:/pub/net/firewall/ip-filter
     Greece: ftp.ntua.gr - mirrors
          coombs.anu.edu.au:/pub/net/firewall/ip-filter
     USA:
          ftp://ftp.gw.com/pub/unix/ip-filter/
          ftp.zyzzyva.com - mirrors
               coombs.anu.edu.au:/pub/net/firewall/ip-filter
          ftp.umbc.edu - mirrors
               coombs.anu.edu.au:/pub/net/kernel
     Japan: ftp.win.or.jp - mirrors
          coombs.anu.edu.au:/pub/net/firewall/ip-filter

This product includes software developed by the University of California,
Berkeley and its contributors.

Darren Reed

darrenr@cyber.com.au