On the other hand, we are here not to discuss about using either NATD or IPFW, rather we are going to discuss about IPFilter to replace IPFW and NATD.We can go to the IPFILTER official site,  http://coombs.anu.edu.au/ipfilter/ , download the source and we need to rebuild the kernel to install IPFILTER, It is recommended for us to read the README file before installing IPFilter due to different versions that exist: each version has its own way of installing . As an example I used IPFilter v3.4.20, I do these following steps :

                #tar -xzvf ipfilter-xxx.tar.gz

                #cd ipfilter-xxx/

                #make freebsd4

                #make install-bsd

                #FreeBSD-4/kinstall

And now it's time to rebuild your kernel :

                #cd /usr/src/sys/i386/conf/ 

edit the kernel configuration file (e.g. GENERIC ). advisable for you to make a backup , copy the GENERIC to the file called KERNIPF. Open KERNIPF file with your editor and add this :  

options IPFILTER
options IPFILTER_LOG

change the ident section :

ident KERNIPF

save the file and exit, afterwards :

                #config KERNIPF

                #cd ../../compile/KERNIPF

                #make depend

                #make

                #make install

                #reboot

After rebooting, make sure that your IPFilter already been installed. To know whether you have already installed your IPFilter 
type  #dmesg | grep IP   , If the program response  : "IP Filter: v3.4.x initialized. Default = pass all  Logging =enabled", meaning, that your IPFilter has been successfully installed. All we need now is creating the rules for ipf and ipnat. Visit the IPFilter's howto in   http://www.obfuscation.org/ipf/  for details. These are some of the following samples :

# ipf.rules sample
block in log all
pass out all
pass in on rl0 all
pass in on lo0 all
block in log quick on tun0 from 0.0.0.0/32 to any
block in log quick on tun0 from 255.255.255.255/32 to any
block in log quick on tun0 from 127.0.0.0/8 to any
block in log quick on tun0 from any to 0.0.0.0/32
block in log quick on tun0 from any to 255.255.255.255/32
block in log quick on tun0 from any to 127.0.0.0/8
block in log quick on tun0 from 192.168.0.0/16 to any
block in log quick on tun0 from 172.16.0.0/12 to any
block in log quick on tun0 from 10.0.0.0/8 to any
pass in quick on tun0 proto icmp all icmp-type 0
pass in quick on tun0 proto icmp all icmp-type 3
pass in quick on tun0 proto icmp all icmp-type 11
pass in quick proto tcp from any to any port = 113
pass in quick proto udp from any to any port = 113
pass out on tun0 proto tcp all keep state
pass in on tun0 proto udp from any port = 53 to any
block in quick on tun0 proto tcp all flags S/SA
block out quick on tun0 proto tcp all flags SA/SA
#END

-----------------------------------------------------------------------------------------------------------------------------

#ipnat.rules sample
map tun0 192.168.0.0/24 -> 0.0.0.0/32
#end

Note : rl0 = ethernet interface , tun0 = external interface/ PPP tunnel ( the interface which connect to internet ), lo0 = loopback

Put the ipf.rules and ipnat.rules files in /etc/ , to make the rules work each time the system rebooted , open your rc.local file and put these command :

/sbin/ipf -f /etc/ipf.rules
/sbin/ipnat -f /etc/ipnat.rules

Reboot your computer . To check and make sure whether the rules are loaded , type :

#ipfstat -hio             

#ipnat -l  

The IPFILTER should work well now. As a gateway for your clients we have to enable net.inet.ip.fowarding by putting  gateway_enable="YES" in your rc.conf file.

G-net Pekalongan, june 2002 by esteh

Back to INDEX