Latest IPfilter merged into NetBSD-current
Darren Reed is the author of IPfilter and also a NetBSD developer.
IPfilter is one of the packet filters available in NetBSD,
and the latest version (5.1.1) was imported into NetBSD-current
by Darren. Citing from
his mail to tech-net,
there are a few interesting changes and new features:
``To start with, the man pages for ipf(5) and ipnat(5) have been
rewritten from scratch to make them easier to understand and
thus easier to use the various features in IPFilter. In addition
there is now an ipmon(5) that supports delivery of log messages to
different destinations - including generating SNMP trap messages.
There are a few new actions that can be used with ipnat.conf. The
one that will be of most interest to people is "rewrite" which
supports translation of both the source and destination address
with a single rule. Use of an rdr/map combination is no longer
required. There are also some others that are more experimental.
One of those is a "divert" action that takes a packet and puts an
IP + UDP header on the front, allowing "raw packets" to be delivered
to any socket. Similarly, replies from that socket have the relevant
header data removed.
There are a few extras for ipf.conf, most notably it now allows
for defining limits on how many different hosts/networks can have
a state entry in the state table for each rule. IPFilter 5.1.1 also
supports specifying a filter rule group for the filtering of ICMP
packets that match an entry in the state table. Additionally, there
is a new rule - "decapsulate". This has been designed to allow
filtering on "inner headers" of packets that have been encapsulated
in clear text. It will, for example, allow filtering on IPv4 headers
inside of IPv6 packets (or vice versa).
It is no longer required to have a separate ipf6.conf file. Both
IPv4 and IPv6 packets can be used in the same file. For those that
have separate files today, they should not interfere with each other
unless you have "block in all" for IPv4 and "pass in all" for IPv6
or similar. In that case, the "block in all" will affect IPv6 traffic.
This is a reflection of the internal design where there is now only
a single list of filter rules, not one for each protocol. Check the
man page for ipf.conf for more details.''
[Tags: ipfilter, Security]
Introducing NPF, NetBSD's new packet filter (Updated)
Following the recent
call for funded projects,
a from-scratch implementation of NPF, a new packet filter
developed by Mindaugas Rasiukevicius (rmind@), has now been announced:
``NPF is designed for high performance on
multiprocessor machines, and for easy extensibility.
Highlights of NPF features include:
- MP-safety and locklessness for scalable MP performance: no longer is
the packet filter the bottleneck in your multicore router
- Fast hash-table and red-black tree lookups
- Stateful packet filtering, Network Address Port Translation (NAPT),
and Application-Level Gateways (ALGs) for, e.g., traceroute
- The N-Code processor, a packet-inspection engine inspired by BPF:
the N-Code processor is programmed to match packets using generic,
RISC-like instructions and a few CISC-like instructions for common
patterns such as IPv4 addresses
- Familiar configuration syntax and utilities
- Modularity and extensibility: users extend NPF by loading a kernel
module. NPF provides developers with an extensions API. NPF rules
can embed a hook that invokes an extension
By the end of January, NPF should have all of the capabilities that
NetBSD users have come to expect by using the other filters in the
- IPv4 reassembly support
- Bi-directional NAT and port forwarding (re-direction)
- FTP proxy support
- IP header flags cleansing
- ICMP packets and TCP RST packet blocking
- Save/restore state
- Packet logging, configurable using filter rules
Rasiukevicius will also write documentation and configuration examples.
Beyond that, NPF needs code for IPv6 support. Rasiukevicius agrees to
provide technical support to developers who will add IPv6 support to
NPF. An outline of the steps to IPv6 support will be forthcoming.
NPF is the third packet filter in NetBSD, after IP Filter and PF. NPF
is unique for using a bytecode interpreter in its packet-inspection
engine, and for answering the question, "What does a packet filter
designed from the bottom up for multiprocessor systems look like?"
NPF development is sponsored by the NetBSD Foundation.''
Good! If anyone feels bored / brave, things that I'd love to see
added include IPv6 support and support for AltQ,
(Net)BSD's implementation of alternate network queuing,
i.e. QoS / CoS.
For those interested in the configuration of NPF,
here are a bunch of manpages:
[Tags: ipfilter, ncode, npf, pf]
IPFilter + UPnP on NetBSD HOWTO
Jared McNeill writes me that
Xbox Live now requires a
(Internet Gateway Device)
compliant router to function properly. Since the static rulesets I had
in ipnat.conf (based on details from a Microsoft Knowledge Base article) no
longer work, a UPnP-IGD solution is now required.
documentation on how to set up UPnP-IGD with NetBSD and IPfilter.
[Tags: Docs, igd, ipfilter, upnp]
IPFilter 5.0.0 feedback request
IPfilter is one of NetBSD's packet filters (besides PF),
and its author Darren Reed has sent mail with some details
about upcoming IPfilter enhancements and
a request for feedback.
New features include commands to change both the source and destination address
fields of incoming or outgoing packets ("rewrite"),
encapsulation of packets in a new IP header ("encap") and
encapsulation of packets into an IP+UDP packet ("divert").
See Darren's mail for more details.
[Tags: ipfilter, Security]
More fighting ssh password guessing attempts (Updated)
About one year ago (coincidence?) there was some discussion about
how to protect your server against ssh password guessing, see
elsewhere in my blog.
Apparently the topic came up
for ssh and other services this time,
and quite a number of people chimed in and mentioned their preferred
solutions to the same old problem. Solutions fall into three categories:
administrative settings, logfile-parsing, and PAM-based solutions.
Administrative policies that allow password-less ssh logins only are
something that needs some adjusting
Most of the mentioned programs parse logfiles and then act on them.
Among them are
a similar script,
a shell-based approach by Rhialto.
The latter post also mentions going the PAM way, which hooks right
into the authentication framework and can detect repeated authentication
failures best - at the place where they get detected first. This is implemented by
the anti-bruteforce PAM module in pkgsrc/security/pam-af.
I guess that's some food for thought, and a lot of programs to do the job.
Let's see what comes up in Jan 2008 for this topic... :-)
Elad Efrat wrote me to tell me that server-side log parsing may not
be such a good idea, as it has the potential to open you up to some nasty attacks;
see this thread on the full-disclosure list. You've been warned!
[Tags: ids, ipfilter, networking, Security, ssh]
Turning the Internet upside down (Updated)
There's a nice
about what to do if your neighbour uses your open wireless LAN
(other than closing it): modify all images to be upside down
or blurry - very impressive! :)
Now the question is on how to do this with NetBSD instead
of Linux. All the components are available for NetBSD as well:
The squid config and the assorted perl script can be used
on NetBSD too, and the firewall setup for the transparent proxy
(to redirect all network connections to your squid) can be done
with either PF or IPFilter.
has documentation on how to set up IPFilter for the task. Thanks
to Matthias 'tron' Scheler for the IPF link!
Basic instructions for PF can be found
Keywords: transparent proxy. :)
[Tags: ipfilter, proxy, squid]
Fighting ssh password guessing attempts (Update #2)
If you've looked in your /var/log/authlog recently, it's likely that
you've seen something like:
Dec 11 09:21:50 xxx sshd: Failed password for root from 220.[...]
Dec 11 09:21:53 xxx sshd: Failed password for root from 220.13[...]
Dec 11 09:21:56 xxx sshd: Failed password for root from 220.13[...]
Dec 11 09:22:28 xxx sshd: Illegal user enterprise from 220.135[...]
Dec 11 09:22:31 xxx sshd: Illegal user release from 126.96.36.199
Dec 11 09:22:34 xxx sshd: Illegal user release from 188.8.131.52
Dec 11 09:22:37 xxx sshd: Illegal user release from 184.108.40.206
Dec 11 09:22:40 xxx sshd: Illegal user release from 220.127.116.11
While I know that NetBSD will withstand those annoying attempts as long
as accounts are protected by good passwords (or even better, SSH keys),
I sometimes wish to lock out people doing those attempts.
And there's help, in the form of a blog article
(found via the #NetBSD Community Blog)
on how to use pop-before-smtp and IPfilter
to firewall those people into eternity. (As far as I understand,
the pop-before-smtp thing is mostly used to emulate 'tail -f',
so I dare say the meat of that article could be rewritten to only
use tools that come with NetBSD. Any takers? Send URL!) :)
Ian Spray has taken the challenge and made a version
that only uses tools that come with NetBSD.
See his blog entry!
Geert also brought
to my attention, which covers IPFilter, PF and IPFW
(For FreeBSD, obviously). He found it in
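As an added example (not code from the original post, from Ian Spray's version, or from the linked article), here is one way to do this with only tools that ship with NetBSD, sh and awk: it tallies sshd failures per source address from authlog lines and emits IPFilter block rules, trusting only the address at the end of each line, which also addresses the log-parsing caveat from the "More fighting ssh password guessing attempts" post above. The function name, the threshold, and the log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or the linked scripts: turn
# sshd failure lines from /var/log/authlog into IPFilter block rules once a
# source address has failed at least THRESHOLD times. Only the address at the
# END of a line is trusted, because the user name in "Illegal user <name>
# from <addr>" is chosen by the remote side and may itself contain text that
# looks like " from 1.2.3.4" (the log-parsing caveat raised above).

# Usage: ssh_block_rules THRESHOLD < authlog
ssh_block_rules() {
    awk -v limit="${1:-5}" '
    # consider sshd failure lines only
    $0 !~ /sshd(\[[0-9]+\])?: (Failed password for|Illegal user) / { next }
    # anchor on the trailing "from <addr>[ port N ssh2]"; earlier "from" text
    # inside a crafted user name cannot match here
    match($0, / from [0-9.]+( port [0-9]+ ssh2)?$/) {
        s = substr($0, RSTART + 6, RLENGTH - 6)
        sub(/ port .*/, "", s)
        # accept dotted quads only, each octet 0-255
        if (split(s, o, ".") != 4) next
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
        fails[s]++
    }
    END {
        for (ip in fails)
            if (fails[ip] >= limit)
                print "block in quick from " ip " to any"
    }' | sort
}

# Constructed sample lines (hostname xxx, addresses from documentation ranges);
# the sixth line carries a user name containing address-like text.
SAMPLE_LOG='Dec 11 09:21:50 xxx sshd: Failed password for root from 203.0.113.5 port 4022 ssh2
Dec 11 09:21:53 xxx sshd: Failed password for root from 203.0.113.5 port 4023 ssh2
Dec 11 09:21:56 xxx sshd: Failed password for root from 203.0.113.5 port 4024 ssh2
Dec 11 09:22:28 xxx sshd: Illegal user enterprise from 203.0.113.5
Dec 11 09:22:31 xxx sshd: Illegal user release from 198.51.100.7
Dec 11 09:22:34 xxx sshd: Illegal user admin from 192.0.2.9 from 198.51.100.7
Dec 11 09:22:37 xxx sshd: Illegal user release from 198.51.100.7'

# With a threshold of 4 only 203.0.113.5 is listed; 192.0.2.9 never is.
# Review the rules before loading them (e.g. with "ipf -f"), so that you
# do not lock yourself out.
printf '%s\n' "$SAMPLE_LOG" | ssh_block_rules 4
```

Feed the script `tail -f /var/log/authlog` or a cron-driven slice of the log instead of the sample, and add your own addresses to a pass rule that precedes the generated block rules.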
[Tags: ipfilter, networking, Security, ssh]
NetBSD firewall with IP Filter and QoS
The question of how to do traffic shaping with NetBSD came
up, and someone pointed at Hoang Q. Tran's
"NetBSD firewall using IP Filter"
which covers a complete firewall setup including NAT,
traffic shaping (bandwidth limiting, QoS) and VPN (IPsec).
Maybe a start to fill the gap of NetBSD QoS documentation...
[Tags: ipfilter, qos, Security]
IPF: The IP Filter
This introduction discusses
IPfilter. Setup is described for FreeBSD, but that shouldn't make much
of a difference on NetBSD (see... um, where's our generic firewalling
documentation?). The text discusses what a firewall is, basic and more
advanced filtering such as by interface or by IP address, and advanced topics
like defaulting to deny (beware not to lock out traffic on lo0 :), keeping
state, and IPv6.
[Tags: ipfilter, networking, Security]
Source Routing with IPfilter
I've seen the question on "Source Routing" several times in the past
few weeks. This can be done with IPfilter, and the following article
describes the details for setup: ``Policy Routing with IPFilter on FreeBSD''.
The fact that the article's written for FreeBSD shouldn't matter here.
[Tags: ipfilter, Security]