What is it ?IPFilter is a software package that can be used to provide network address translation (NAT) or firewall services. To use, it can either be used as a loadable kernel module or incorporated into your UNIX kernel; use as a loadable kernel module where possible is highly recommended. Scripts are provided to install and patch system files, as required.
To see an overview of how IP Filter fits into the overall picture of TCP/IP with your kernel and the order in which the various phases of packet processing is done, click here.The firewall can:
- explicitly deny/permit any packet from passing through
- distinguish between various interfaces
and can match on the follow IP header fields:
- source/destination IP address (including inverted matches)
- IP protocol
- TOS (Type of Service)
- any of the 19 IP options or 8 registered IP security classes
- fragments (if it is or isn't)
- send back an ICMP error/TCP reset for denied packets
- keep packet state information for TCP, UDP and ICMP packet flows.
- keep fragment state information for any IP packet, applying the same rule to all fragments.
- act as a Network Address Translator (NAT)
- use redirection to setup true transparent proxy connections.
- provide packet header details to a user program for authentication
- in addition, supports temporary storage of pre-authenticated rules for passing packets through
Special provision is made for the three most common Internet protocols, TCP, UDP and ICMP. IP Filter rules allow for packets to be matched based on:
- TCP/UDP packets by port number or a port number range
- ICMP packets by type/code
- "established" TCP packets
- on any arbitrary combination of TCP flags
- "short" (fragmented) IP packets with incomplete headers
To keep track of the performance of IP Filter, a logging device is used which supports logging of:
- the TCP/UDP/ICMP and IP packet headers
- the first 128 bytes of the packet (including headers)
- a packet is successfully passed through
- a packet is blocked from passing through
- it matches a rule setup to look for suspicious packets
To examine a set of example rule files and an example of what can be done, click here.
IPFilter keeps its own set of statistics on:
- packets blocked
- packets (and bytes!) used for accounting
- packets passed
- packets logged
- attempts to log which failed (buffer full)
and much more, for packets going both in and out.
The current implementation provides a small set of tools, which can easily be used and integrated with regular unix shells and tools. Amongst these tools is a new addition, ipftest, which is provided so that you can test a rule set before committing it to use in your kernel. A brief description of the tools provided:
- ipf - reads in a set of rules, from either stdin or a file, and adds them to the kernels current list (appending them). It can also be used to flush the current firewall rule set or delete individual firewall rules.
- ipfstat - interrogates the kernel for statistics on packet processing, so far, and retrieves the list of firewall rules in operation for inbound and outbound packets.
- ipftest - reads in a ipf rule file and then applies sample IP packets to the rule file. This allows for testing of firewall rule list and examination of how a packet is passed along through it.
- ipmon - reads buffered data from the logging device (default is /dev/ipl) for output to either:
* screen (standard output)
- ipsend - generates arbitary IP packets for ethernet connected machines.
- ipresend - reads in a data file of saved IP packets (ie snoop/tcpdump/etherfind output) and sends it back across the network.
- iptest - contains a set of test "programs" which send out a series of IP packets, aimed at testing the strength of the TCP/IP stack at which it is aimed at. WARNING: may crash machine(s) targeted!
- ipnat - reads in a set of rules, from either stdin or a file and adds them to the kernels current list of active NAT rules. NAT rules can also be deleted using ipnat.
Documentation on ioctl's and the format of data saved to the logging character device is provided so that you may develop your own applications to work with or in place of any of the above.
To retrieve this package via anonymous ftp, use: ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil4.1.28.tar.gz