hubertf's NetBSD Blog
Send interesting links to hubert at feyrer dot de!
[20120130] Latest IPfilter merged into NetBSD-current
Darren Reed is the author of IPfilter and also a NetBSD developer. IPfilter is one of the packet filters available in NetBSD, and the latest version (5.1.1) was imported into NetBSD-current by Darren. Citing from his mail to tech-net, there are a few interesting changes and new features:

``To start with, the man pages for ipf(5) and ipnat(5) have been rewritten from scratch to make them easier to understand and thus easier to use the various features in IPFilter. In addition there is now an ipmon(5) that supports delivery of log messages to different destinations - including generating SNMP trap messages.

There are a few new actions that can be used with ipnat.conf. The one that will be of most interest to people is "rewrite" which supports translation of both the source and destination address with a single rule. Use of an rdr/map combination is no longer required. There are also some others that are more experimental. One of those is a "divert" action that takes a packet and puts an IP + UDP header on the front, allowing "raw packets" to be delivered to any socket. Similarly, replies from that socket have the relevant header data removed.

There are a few extras for ipf.conf, most notably it now allows for defining limits on how many different hosts/networks can have a state entry in the state table for each rule. IPFilter 5.1.1 also supports specifying a filter rule group for the filtering of ICMP packets that match an entry in the state table. Additionally, there is a new rule - "decapsulate". This has been designed to allow filtering on "inner headers" of packets that have been encapsulated in clear text. It will, for example, allow filtering on IPv4 headers inside of IPv6 packets (or vice versa.)

It is no longer required to have a separate ipf6.conf file. Both IPv4 and IPv6 packets can be used in the same file. For those that have separate files today, they should not interfere with each other unless you have "block in all" for IPv4 and "pass in all" for IPv6 or similar. In that case, the "block in all" will affect IPv6 traffic. This is a reflection of the internal design where there is now only a single list of filter rules, not one for each protocol. Check the man page for ipf.conf for more details.''

[20100915] Introducing NPF, NetBSD's new packet filter (Updated)
Following the recent call for funded projects, NPF, a new packet filter implemented from scratch by Mindaugas Rasiukevicius (rmind@), has now been announced: ``NPF is designed for high performance on multiprocessor machines, and for easy extensibility.

    Highlights of NPF features include

    • MP-safety and locklessness for scalable MP performance: no longer is the packet filter the bottleneck in your multicore router
    • Fast hash-table and red-black tree lookups
    • Stateful packet filtering, Network Address Port Translation (NAPT), and Application-Level Gateways (ALGs) for, e.g., traceroute
    • The N-Code processor, a packet-inspection engine inspired by BPF: the N-Code processor is programmed to match packets using generic, RISC-like instructions and a few CISC-like instructions for common patterns such as IPv4 addresses
    • Familiar configuration syntax and utilities
    • Modularity and extensibility: users extend NPF by loading a kernel module. NPF provides developers with an extensions API. NPF rules can embed a hook that invokes an extension
    By the end of January, NPF should have all of the capabilities that NetBSD users have come to expect by using the other filters in the kernel:

    • IPv4 reassembly support
    • Bi-directional NAT and port forwarding (re-direction)
    • FTP proxy support
    • IP header flags cleansing
    • ICMP packets and TCP RST packet blocking
    • Save/restore state
    • Packet logging, configurable using filter rules
    Rasiukevicius will also write documentation and configuration examples.

    Beyond that, NPF needs code for IPv6 support. Rasiukevicius agrees to provide technical support to developers who will add IPv6 support to NPF. An outline of the steps to IPv6 support will be forthcoming.

    NPF is the third packet filter in NetBSD, after IP Filter and PF. NPF is unique for using a bytecode interpreter in its packet-inspection engine, and for answering the question, "What does a packet filter designed from the bottom up for multiprocessor systems look like?"

    NPF development is sponsored by the NetBSD Foundation.''

Good! If anyone feels bored / brave, things that I'd love to see added include IPv6 support and support for AltQ, (Net)BSD's implementation of alternate network queuing, i.e. QoS / CoS.

Update: For those interested in the configuration of NPF, here are a bunch of manpages: npf.conf(5), npfctl(8), npf_ncode(9). Enjoy!

[20070605] IPFilter + UPnP on NetBSD HOWTO
Jared McNeill writes me that Xbox Live now requires a UPnP-IGD (Internet Gateway Device) compliant router to function properly. Since the static ruleset he had in ipnat.conf (based on details from a Microsoft Knowledgebase article) no longer works, a UPnP-IGD solution is now required.

See Jared's documentation on how to set up UPnP-IGD with NetBSD and IPfilter.

[20070116] IPFilter 5.0.0 feedback request
IPfilter is one of NetBSD's packet filters (besides PF), and its author Darren Reed has sent mail with some details about upcoming IPfilter enhancements and a request for feedback. New features include commands to change both the source and destination address fields of incoming or outgoing packets ("rewrite"), encapsulation of packets in a new IP header ("encap") and encapsulation of packets into an IP+UDP packet ("divert"). See Darren's mail for more details.

[20070116] More fighting ssh password guessing attempts (Updated)
About one year ago (coincidence?) there was some discussion about how to protect your server against ssh password guessing, see elsewhere in my blog. Apparently the topic came up again, for ssh and other services this time, and quite a number of people chimed in and mentioned their preferred solutions to the same old problem. Solutions fall into three categories: administrative settings, logfile-parsing, and PAM-based solutions.

An administrative policy of allowing password-less (key-based) ssh logins only is something that requires some adjustment from users.

Most of the mentioned programs parse logfiles and then act on them. Among them are fail2ban, denyhost and a similar script, OSsec, blockhosts and a shell-based approach by Rhialto.

The latter post also mentions going the PAM way, which hooks right into the authentication framework and can detect repeated authentication failures best - at the place where they get detected first. This is implemented by the anti-bruteforce PAM module in pkgsrc/security/pam-af.

I guess that's some food for thought, and a lot of programs to do the job. Let's see what comes up in Jan 2008 for this topic... :-)

Update: Elad Efrat wrote to tell me that server-side log parsing may not be such a good idea, as it has the potential to open up some nasty attacks; see this thread on the full-disclosure list. You've been warned!

[20060728] Turning the Internet upside down (Updated)
There's a nice article about what to do if your neighbours use your open wavelan (other than closing it): modify all images to be upside down or blurry - very impressive! :) Now the question is how to do this with NetBSD instead of Linux. All the components are available for NetBSD as well: the squid config and the associated perl script can be used on NetBSD too, and the firewall setup for the transparent proxy (to redirect all network connections to your squid) can be done with either PF or IPFilter. The Squid-Cache FAQ has documentation on how to set up IPFilter for the task. Thanks to Matthias 'tron' Scheler for the IPF link!

Update: Basic instructions for PF can be found here. Keywords: transparent proxy. :)

[20060107] Fighting ssh password guessing attempts (Update #2)
If you've looked in your /var/log/authlog recently, it's likely that you've seen something like:
 Dec 11 09:21:50 xxx sshd[15335]: Failed password for root from 220.[...]
 Dec 11 09:21:53 xxx sshd[2720]: Failed password for root from 220.13[...]
 Dec 11 09:21:56 xxx sshd[7260]: Failed password for root from 220.13[...]
 Dec 11 09:22:28 xxx sshd[1762]: Illegal user enterprise from 220.135[...]
 Dec 11 09:22:31 xxx sshd[20415]: Illegal user release from
 Dec 11 09:22:34 xxx sshd[2405]: Illegal user release from
 Dec 11 09:22:37 xxx sshd[27329]: Illegal user release from
 Dec 11 09:22:40 xxx sshd[22310]: Illegal user release from 
While I know that NetBSD will withstand those annoying attempts as long as accounts are protected by good passwords (or even better, SSH keys), I sometimes wish to lock out people doing those attempts.

And there's help, in the form of a blog article (found via the #NetBSD Community Blog) describing how to use pop-before-smtp and IPfilter to firewall those people into eternity. (As far as I understand, the pop-before-smtp thing is mostly used to emulate 'tail -f', so I dare say the meat of that article could be rewritten to only use tools that come with NetBSD. Any takers? Send URL! :)

Update: Ian Spray has taken the challenge and made a version that only uses tools that come with NetBSD. See his blog entry!

Update #2: Geert also brought this variant to my attention, which covers IPFilter, PF and IPFW (for FreeBSD, obviously). He found it in the BSDWiki.
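To make the "base-system tools only" idea from this entry concrete, and to show the precaution that the 2007 follow-up entry's update (Elad Efrat's warning about server-side log parsing) calls for, here is an added example. It is not Ian Spray's script, the pop-before-smtp variant, or the BSDWiki one; it was written for this page. awk(1) counts sshd failures per source address in authlog-style lines and prints ipf.conf block rules for sources at or above a threshold. The interface name ext0, the threshold, and the sample log lines are constructed for illustration. Since the user name in an "Illegal user ... from ..." line is chosen by the remote side, the address is taken from the last "from" token on the line (never the first), checked to be a plausible dotted quad, and loopback is never blocked.

```shell
#!/bin/sh
# Constructed example: count sshd authentication failures per source address
# and emit ipf(8) block rules, using only awk(1), sort(1) and sh(1).

THRESHOLD=${THRESHOLD:-5}   # failures before a source gets a block rule (assumed value)

# Constructed sample lines modelled on the authlog excerpt above (addresses from
# documentation ranges). The last line has a forged "from 10.0.0.1" inside the
# user name: a naive parser that takes the first "from" would blame the wrong host.
SAMPLE_LOG='Dec 11 09:21:50 xxx sshd[15335]: Failed password for root from 220.13.5.9 port 40012 ssh2
Dec 11 09:21:53 xxx sshd[2720]: Failed password for root from 220.13.5.9 port 40013 ssh2
Dec 11 09:21:56 xxx sshd[7260]: Failed password for root from 220.13.5.9 port 40014 ssh2
Dec 11 09:22:28 xxx sshd[1762]: Illegal user enterprise from 220.13.5.9
Dec 11 09:22:31 xxx sshd[20415]: Illegal user release from 220.13.5.9
Dec 11 09:22:34 xxx sshd[2405]: Illegal user release from 220.13.5.9
Dec 11 09:22:40 xxx sshd[22310]: Illegal user admin from 203.0.113.7
Dec 11 09:22:50 xxx sshd[22313]: Failed password for root from 127.0.0.1 port 40100 ssh2
Dec 11 09:23:01 xxx sshd[22311]: Accepted publickey for hubertf from 192.0.2.10 port 5000 ssh2
Dec 11 09:23:10 xxx sshd[22312]: Illegal user from 10.0.0.1 from 203.0.113.7'

# offenders THRESHOLD < log : print "address count" for every source with
# at least THRESHOLD failures, most active first.
offenders() {
    awk -v thr="$1" '
    /sshd\[[0-9]+\]: (Failed password for|Illegal user|Invalid user)/ {
        pos = 0
        for (i = 1; i <= NF; i++) if ($i == "from") pos = i   # last "from" wins
        if (pos == 0 || pos == NF) next                       # no address after it
        ip = $(pos + 1)
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next      # must look like IPv4
        split(ip, o, ".")
        ok = 1
        for (j = 1; j <= 4; j++) if (o[j] > 255) ok = 0       # each octet in range
        if (!ok) next
        if (o[1] == 127) next                                 # never block loopback
        count[ip]++
    }
    END { for (ip in count) if (count[ip] >= thr) print ip, count[ip] }
    ' | sort -k2,2nr -k1,1
}

# ipf_rules IFACE THRESHOLD < log : one ipf.conf rule per offender.
ipf_rules() {
    offenders "$2" | while read -r ip n; do
        printf 'block in quick on %s from %s/32 to any  # %s failures\n' "$1" "$ip" "$n"
    done
}

# Stand-alone demo on the constructed sample. On a real host you would feed
# /var/log/authlog (or a tail -f of it) and pipe the rules into "ipf -f -".
demo() {
    printf '%s\n' "$SAMPLE_LOG" | ipf_rules ext0 "$THRESHOLD"
}

demo
```

Only the one source with six failures reaches the default threshold; the forged line is credited to 203.0.113.7, not to 10.0.0.1, and the loopback attempts are dropped before counting. Rules generated this way should be loaded into a dedicated group or expired periodically, since the list only ever grows.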

[20050831] NetBSD firewall with IP Filter and QoS
The question of how to do traffic shaping with NetBSD came up, and someone pointed at Hoang Q. Tran's "NetBSD firewall using IP Filter" which covers a complete firewall setup including NAT, traffic shaping (bandwidth limiting, QoS) and VPN (IPsec). Maybe a start to fill the gap of NetBSD QoS documentation...

[20050312] IPF: The IP Filter
This introduction discusses IPfilter. Setup is described for FreeBSD, but that shouldn't differ much on NetBSD (see... um, where's our generic firewalling documentation?). The text discusses what a firewall is, basic and more advanced filtering (e.g. on interface or on IP addresses), and advanced topics like defaulting to deny (beware not to lock out traffic to lo0 :), keeping state, and IPv6.

[20050114] Source Routing with IPfilter
I've seen the question on "Source Routing" several times in the past few weeks. This can be done with IPfilter, and the following article describes the setup in detail: ``Policy Routing with IPFilter on FreeBSD''. The fact that the article is written for FreeBSD shouldn't matter here.


Disclaimer: All opinion expressed here is purely my own. No responsibility is taken for anything.
Copyright (c) Hubert Feyrer