Recent versions of IPF support Bridging on FreeBSD. Flemming Laugaard shares this procedure for setting up Bridging. Set these in your kernel conf:
options IPFILTER
options IPFILTER_LOG
options NMBCLUSTERS=65535
options BRIDGE
And then in sysctl.conf:
net.link.ether.bridge=1
net.link.ether.bridge_ipf=1
net.link.ether.bridge_cfg=em1,em2
net.inet.ip.forwarding=1
replacing em1 and em2 with the names of your own interfaces. Then put your ruleset in place, and that should be it.
Rene van Hoek points out that you'll also want to set "net.link.bridge.pfil_bridge" to disabled if you don't want all your states to be listed (and filtered) twice. See this thread for more details.
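An example /etc/ipf.conf for the em1/em2 bridge described above, added here and not part of Flemming's procedure: it assumes em1 faces the Internet, em2 faces the inside segment, and that 192.0.2.10 (a web server) and 192.0.2.0/24 (the inside hosts) are constructed addresses.

```conf
# Added example ruleset for a transparent bridge; em1 = outside, em2 = inside.
# Addresses are constructed for illustration.

# On a bridge every forwarded packet is seen "in" on the interface it arrived
# on and "out" on the interface it leaves by. Filtering and keeping state on
# the "in" side only means each flow is evaluated and tracked once.
pass out quick all

# Default deny, logged, for anything not explicitly passed by a quick rule.
block in log all

# From the Internet (em1): only the web server, and only TCP 80 and 443.
# "flags S" makes sure state is only created by a real connection attempt.
pass in quick on em1 proto tcp from any to 192.0.2.10 port = 80 flags S keep state
pass in quick on em1 proto tcp from any to 192.0.2.10 port = 443 flags S keep state

# From the inside (em2): let inside hosts out; state lets the replies back in
# through em1 without any explicit inbound rule for them.
pass in quick on em2 proto tcp from 192.0.2.0/24 to any flags S keep state
pass in quick on em2 proto udp from 192.0.2.0/24 to any keep state
pass in quick on em2 proto icmp from 192.0.2.0/24 to any icmp-type echo keep state
```

Load it with ipf -Fa -f /etc/ipf.conf and confirm with ipfstat -io that the rules appear on both interfaces; if ipfstat -s shows each flow twice, revisit the pfil_bridge setting above.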
Set the kernel option:
options IPFILTER_DEFAULT_BLOCK
and recompile your kernel.
Generally, the most recent IPF release will be found in both FreeBSD STABLE and FreeBSD CURRENT.
First you have to install the system sources, see the FreeBSD Handbook if you didn't choose to do this at install time. After installation, the IPF source will be in /usr/src/contrib/ipfilter/. Take care to ensure that comments in various documentation files apply to the particular version of FreeBSD you are running since IPF supports many FreeBSD versions and the operating system has changed significantly over the past few years.
IPF is compiled and installed as part of the regular "make world" and "make kernel" procedures. See the FreeBSD Handbook for more on these.
If you want to rebuild and reinstall only the ipf and ipnat shipped with the sources you have installed, do this:
cd /usr/src/sbin/ipf
make clean all install
The ipl kernel module is (re)built as part of the kernel building procedure as described in the FreeBSD Handbook.
Note that, if version skew between your running system and the source you have installed causes the compile to fail, it is best to upgrade the entire system with either a binary or source upgrade.
First, create a set of filter rules appropriate to your application and save them in /etc/ipf.conf.
Then load the ipl loadable kernel module (these are called "KLD"s in FreeBSD):
kldload ipl
Then load your rule set into ipfilter:
ipf -Fa -f /etc/ipf.conf
No. IPF can be enabled after boot by loading the ipl loadable kernel module as above, or just by configuring it to load at startup as in the next answer.
First, create a set of filter rules appropriate to your application and save them in the file /etc/ipf.conf.
Then, set the following variables in the /etc/rc.conf file:
ipfilter_enable="YES"
ipfilter_program="/sbin/ipf -Fa -f"
ipfilter_rules="/etc/ipf.conf"
ipfilter_flags=""
and reboot. The startup scripts will load the ipl kernel module (if it is not already in the kernel) and pass the rule file to the ipf program.
Note, however, if you are running FreeBSD 4.5+, the switches in ipfilter_program aren't needed; just put /sbin/ipf (Thanks to Adrian Portelli).
Add the following lines to your custom kernel configuration file:
options IPFILTER
options IPFILTER_LOG
then compile and install the kernel using the procedure described in the FreeBSD Handbook.
First, create a set of NAT rules appropriate to your application and save them in the file /etc/ipnat.conf.
If not already loaded, load the ipl loadable kernel module:
kldload ipl
Then load your rule set:
ipnat -f /etc/ipnat.conf
First, create a set of NAT rules appropriate to your application and save them in the file /etc/ipnat.conf.
Then set the following variables in the /etc/rc.conf file:
ipnat_enable="YES"
ipnat_program="/sbin/ipnat -CF -f"
ipnat_rules="/etc/ipnat.conf"
and reboot. The startup scripts will load the ipl kernel module (if it is not already in the kernel) and pass the rule file to the ipnat program.
Note, however, if you are running FreeBSD 4.5+, the switches in ipnat_program aren't needed; just put /sbin/ipnat (Thanks to Adrian Portelli).
Dummynet is closely tied to ipfw(8) and is not supported by IPF. Darren suggests the use of the ALTQ traffic shaper instead. It is possible to use IPFW and IPF together, e.g. using IPFW for dummynet and IPF for filtering and NAT; see below.
IPF and IPFW are close enough in speed that it is not an issue. As far as which is better, this is something only you can answer. Each is different and appropriate for its own application. Asking this indicates you have not done enough research into these two tools. Find out as much as you can about both, try both, and decide which is best for you.
No. You can run them both on a single machine. However, you must take care to ensure that one package's rules do not interfere with the other's. Note that the packages get access to rules in the order in which they were loaded, e.g. if IPFW is compiled in the kernel and IPF is loaded as a module, IPFW "sees" packets before IPF.
Yes. How much depends much more on your particular situation than any intrinsic issues. People who have done this have reported that it does not meaningfully impact overall firewall performance.
The sysctl(8) interface to the kernel allows setting some of the values on a running system under net.inet.ipf in the tree. You can use the /etc/rc.sysctl file to set these values at boot time.
David lets us know that these values used in sysctl are in units of the slow timer (500ms), so they are half-seconds, not seconds.
According to FreeBSD problem-report kern/34801, ipfilter doesn't support RFC 1323 window size extensions. This became more problematic with the new net.inet.tcp.recvspace default of 65536 in FreeBSD 4.5+. You can drop recvspace down one to 65535 or to 32768 by using:
sysctl net.inet.tcp.recvspace=32768
Dropping it merely by one (to 65535) will do the trick; however, having it a multiple of the page size is supposedly better for performance, so you might try 32768.
Installing IP Filter from source on FreeBSD can stick an extra
ipfilter_flags="-E"
in /etc/rc.conf, which enables IP Filter for the second time, thus generating a few errors. Taking out the above line will fix the problem.
From FreeBSD 4.8 onwards, you can simply set
ipv6_ipfilter_rules="/etc/ipf6.rules"
in your rc.conf, and of course put rules in the file, and voila.