- Free Software Firewall Guide -

IP Filter

IP Filter was written by ** in ** for the BSD operating systems(OS). It quickly became the standard for OpenBSD as it delivers a feature most of the other firewall systems have yet to implement, namely statefull filtering. IP Filter is used widely on all BSD OSes and has got a name for itself as one of the best filtering packages made to date. There are also some good guides to IP Filter firewalling freely available on the internet. I will include IP Filter Based Firewalls HOWTO[*] by Brendan Conoboy and Erik Fichtner.

If you choose to use the OpenBSD OS for your firewalling needs, IP Filter comes as part of the base package, and you will not need to install the software itself after installing the OS. To activate IP Filter you simply follow the afterboot[*] instructions on IP Filter.

For FreeBSD and NetBSD you will have to download the software and install it yourself. You can find the software and installation instructions on the IP Filter homepage[*].

An IP Filter port for GNU/Linux is still not available.

[*] The original can be found at http://www.obfuscation.org/ipf/.
[*] http://coombs.anu.edu.au/~avalon/ip-filter.html
[*] 'man afterboot' will give some basic after boot setup suggestions in OpenBSD. See the OpenBSD setup section.

IP Filter Firewalling HOWTO

The guide has been split into five different sections; introduction, basic firewalling, advanced firewalling, firewall applications, and fun stuff. You can either follow the guide step by step with the ">>next section" links, or you can browse the index under and pick your topic. If you plan to use IP Filter for firewalling, you should read the whole guide carefully and try out the different rulesets they goes through.

>> First section: Introduction.
>> Second section: Basic firewalling.
>> Third section: Advanced firewalling.
>> Fourth section: Application.
>> Fifth section: Fun with ipf.

HOWTO Index:

• Introduction
• Disclaimer
• Copyright
• Where to obtain the important pieces
• Basic Firewalling
• Config File Dynamics, Order and Precedence
• Basic Rule Processing
• Controlling Rule Processing
• Basic filtering by IP address
• Controlling Your Interfaces
• Using IP Address and Interface Together
• Bi-Directional Filtering; The "out" Keyword
• Logging What Happens; The "log" Keyword
• Complete Bi-Directional Filtering By Interface
• Controlling Specific Protocols; The "proto" Keyword
• Filtering ICMP with the "icmp-type" Keyword; Merging Rulesets
• TCP and UDP Ports; The "port" Keyword
• Advanced Firewalling Introduction
• Rampant Paranoia; or The Default-Deny Stance
• Implicit Allow; The "keep state" Rule
• Stateful UDP
• Stateful ICMP
• FIN Scan Detection; "flags" Keyword, "keep frags" Keyword
• Responding To a Blocked Packet
• Fancy Logging Techniques
• Putting It All Together
• Improving Performance With Rule Groups
• "Fastroute"; The Keyword of Stealthiness
• NAT and Proxies
• Mapping Many Addresses Into One Address
• Mapping Many Addresses Into a Pool of Addresses
• One to One Mappings
• Spoofing Services
• Transparent Proxy Support; Redirection Made Useful
• Magic Hidden Within NAT; Application Proxies
• Loading and Manipulating Filter Rules; The ipf Utility
• Loading and Manipulating NAT Rules; The ipnat Utility
• Monitoring and Debugging
• The ipfstat utility
• The ipmon utility
• Keep State With Servers and Flags.
• Coping With FTP
• Running an FTP Server
• Running an FTP Client
• Assorted Kernel Variables
• Fun with ipf!
• Localhost Filtering
• What Firewall? Transparent filtering.
• Using Transparent Filtering to Fix Network Design Mistakes
• Drop-Safe Logging With dup-to and to.
• The dup-to Method
• The to Method