IP Filter FAQ


XII. IP FILTER AND OPENBSD

  1. How can I get IP Filter to block by default?
  2. How can I upgrade IP Filter on OpenBSD?
  3. So I've upgraded IP Filter, why isn't it working?
  4. I just installed OpenBSD 3.x, where's IP Filter?
  5. I've heard that there are problems with filtering on OpenBSD bridges. What's the deal?

  1. How can I get IP Filter to block by default?
    Set the kernel option: option IPFILTER_DEFAULT_BLOCK
    and recompile your kernel.
  2. How can I upgrade IP Filter on OpenBSD?
    If you are using OpenBSD 3.0 or higher, you will notice that IP Filter no longer comes with OpenBSD. To install IP Filter on OpenBSD 3.0+ see question 4. If you are using OpenBSD < 3.0 then read on.

    The following procedure assumes that you've at least configured your kernel. If you have not, check out http://www.oreillynet.com/pub/a/bsd/2000/10/31/OpenBSD.html for information on that.

    # gunzip -c ip_fil3.4.21.tar.gz | tar xf -
    # cd ip_fil3.4.21
    # BSD/kupgrade
    # make openbsd
    # make install-bsd
    # cd /sys/arch/foo/compile/kernel
    # make depend
    # make bsd
    # cp /bsd /bsd-original
    # cp bsd /bsd
    # reboot

    Note that the last two steps prior to rebooting make a backup copy of your current kernel to /bsd-original and then copy the new kernel into place.

    Pat Lougheed wrote a webpage on upgrading IP Filter in OpenBSD that goes into more depth. At the time, the procedure was a little uglier. As of now you can ignore steps 10-12 provided you're upgrading to at least 3.4.21. You can find his page here.
  3. So I've upgraded/installed IP Filter, why isn't it working?
    In order to run IP Filter you'll need to add the following to your /etc/rc.conf file:
    ipfilter=YES

    If you'd like to use IP NAT as well, then additionally add:
    ipnat=YES
  4. I just installed OpenBSD 3.x, where's IP Filter?
    OpenBSD no longer comes with IP Filter as of version 3.0. However, you can still use it! You have two options: you can use the ISOs of OpenBSD 3.x + IPF created by Darren Reed here (and also mirrored by locations listed here), or you can install IP Filter into your existing system. To install IP Filter into your existing OpenBSD 3.x system, simply follow the directions in the OpenBSD/README.3_0 file located in the IP Filter 3.4.23 or later installation directory.
  5. I've heard that there are problems with filtering on OpenBSD bridges. What's the deal?
    In OpenBSD < 3.0, you can only filter in the "in" direction. However, in OpenBSD 3.0+, you can filter in both directions.
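
For question 3, a way to check which ipfilter and ipnat values actually take effect in /etc/rc.conf. This is an added example, not part of the original FAQ; the function names rc_value and ipf_rc_check, the exit codes and the sample file are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the FAQ. Reads an rc.conf-style file as text
# instead of sourcing it, so nothing in the file is executed.

# rc_value FILE VAR: print the value of the last uncommented "VAR=" line.
# /etc/rc reads rc.conf as shell assignments, so the last one wins.
rc_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" |
        sed -e 's/[[:space:]]*#.*$//' \
            -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/' |
        tail -n 1
}

# ipf_rc_check FILE: 0 = ipfilter enabled, 1 = ipfilter not enabled,
# 2 = ipnat=YES without ipfilter=YES.
# Assumption: only the exact value YES (as the FAQ writes it) enables a knob.
ipf_rc_check() {
    ipf=$(rc_value "$1" ipfilter)
    nat=$(rc_value "$1" ipnat)
    echo "effective: ipfilter=${ipf:-unset} ipnat=${nat:-unset}"
    if [ "$ipf" = YES ]; then
        return 0
    fi
    if [ "$nat" = YES ]; then
        echo "ipnat=YES is set but ipfilter is not YES"
        return 2
    fi
    echo "ipfilter is not YES: IP Filter will not be started at boot"
    return 1
}

# Constructed sample: a YES near the top that a later NO overrides.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ipfilter=YES
#ipnat=YES
ipnat="YES"      # NAT wanted
ipfilter=NO      # later line, e.g. a leftover default
EOF
ipf_rc_check "$sample" || echo "check returned $?"
rm -f "$sample"
```

Run it against a copy of the real file with `ipf_rc_check /etc/rc.conf`; a non-zero exit status means the settings from question 3 are not the ones in effect.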