IP Filter FAQ
Welcome to the IP Filter Frequently Asked Questions. This FAQ contains a lot of useful information and if you use, or plan to use, IPF, you should read it. Here is some information about the FAQ:
- The latest version can be found at http://www.phildev.net/ipf/
- You may copy it, mirror it, distribute it at will as long as you do so IN ITS ENTIRETY
- The FAQ was written, and is currently maintained, by Phil Dibowitz, so please direct any updates or questions there.
- The FAQ doesn't address bugs in versions prior to 3.4.20 (other than how to upgrade to that level). If you find a bug not on here, and you don't have a recent version, you should try upgrading.
Additionally I would like to thank Darren Reed, Jim Sandoz, Ron Florence, Erik Fichtner, Glen Foster, and everyone else who has contributed for all of their help.
NOTE: Do NOT email me with your IPF questions and problems. Email the mailing list. ONLY email me about THIS FAQ (corrections, additions, etc.).
NEW!: The whole FAQ in one page.
NEW!: There is now a Changelog.
Last updated: 11/09/09
TABLE OF CONTENTS
I. About IP Filter
- Who wrote IP Filter?
- What is the website for IP Filter?
- Is there a tutorial?
- What OS's does it run on?
- I want to distribute IPF with my product XYZ. Is that allowed, and what do I need to do?
- I want to use IPF code in a product I'm working on that I intend to sell. Is that allowed, and what do I need to do?
- I want to use IPF code in a product I'm planning on giving away for free. Is that allowed, and what do I need to do?
- How does the release process for IPF work?
II. Mailing List
- What mailing list(s) is/are available for IP Filter?
- What do I need to know before sending stuff to the list?
- What should I ALWAYS do when sending stuff to the list?
- What should I NEVER do when sending stuff to the list?
- Are there archives for the mailing list?
III. Common Questions about IP Filter
- What does keep state actually do? Is it useful?
- What is with this last match stuff?
- What is "in" and what is "out"?
- Does IP Filter actually work on BSD/OS? What do I need to make it work?
- I'm using PPPoE (or some other virtual interface/tunnel), how should I write my rulesets?
- So, if 'map a.b.c.d/M -> w.x.y.z/32' does NAT for all protocols, why do I need a 'map a.b.c.d/M -> w.x.y.z/32 portmap'
- Well, after reading the answer to III-6, do I have to have the first rule if I have the second rule?
- How do I upgrade IPF?
- I have a dynamic IP address, how can I do NAT?
- What's the difference between RDR, MAP and BIMAP?
- When does NAT happen in relation to filtering?
- Are there any GUI's or other aids?
- Are there any log analyzers?
- How do you clear accounting stats?
- What do I do about DNS if I have a NAT'ed LAN?
- I don't run DNS, but see a lot of tcp/53 packets with the SA flags set in my logs. Is this an attack on my machine?
- Can you filter the loopback interface (lo0)?
- I'm seeing port scans in my logs, what should I do?
- How do I use archie from machines behind IP Filter?
- How does quick affect head rules?
- How do I get the FTP Proxy to work for my firewall if I have a dynamic IP address?
- I've written a patch for XYZ feature/bug. Where do I send it?
- How do I use MRTG to display ip-filter statistics? Is there a MIB for ip-filter?
- What do the states ("ST") in statetop mean?
- How do I enlarge the state table? What else should be tweaked for high-stress installs?
- Is there a way to remove a specific live NAT mapping or IPF state?
- How many rules can IPF handle without noticeable performance loss?
- How can I configure IPF so that laptops can connect to services on the firewall from the internal LAN and from the outside world using the external addresses, so they don't have to be reconfigured all the time?
- How do you use the IPSec Proxy?
- How do you use the H.323 Proxy?
- How do you use the RAudio Proxy?
- Is it possible to have multiple head statements for a group?
- Can you use ipnat/proxies on a bridge?
- How do I make ping and traceroute work?
- In IPF 4.x, it's supposedly possible to "simple matching of content for TCP session startup" - how does that work?
- Can I have variables in my ipf.conf/ipnat.conf?
IV. Common Problems with IP Filter (non-OS Specific)
- I have a file transfer (FTP or HTTP) and if the download speed is more than 100 KB/sec, the connection breaks.
- I have to keep clearing the state table or IPF dies, why?
- The default ipfboot script flushes the state table. Is this necessary every time you change some rule or just when that rule has a 'keep state' in it and there are existing state table entries that would be affected?
- Sending mail is horribly slow!
- I can't connect to IRC.
- When I try to load the LKM (if_ipl.o), I get "fr_checkp" (or other) unresolved symbols. (FreeBSD, OpenBSD, SunOS)
- When I do a make, it complains about -I(TOP).
- I'm using rdr for a webserver behind IPF and the world can see it just fine, but the internal machines can't surf to it via the external IP address.
- Long ftp transfers and some other long single-connection sessions fail.
- I've set up to use the ftp-proxy in my ipnat.conf file, and it works fine from NAT'ed machines, but I can't ftp from the firewall machine unless I put a rule in ipf.conf to pass port 20/tcp in from remote machines. How do I get the ftp proxy to work from the firewall machine too?
- I'm using NAT and I can't ping the same machine on the internet from two different machines on my LAN at the same time.
- Keep state stops working - it won't make new states.
- I'm using log body in my rules but the body of the packet isn't getting logged.
- I have an FTP server behind an IPF firewall, and I'm having problems serving passive FTP.
- I can't seem to use round-robin load balancing with more than two hosts!
- I'm having problems with ipnat (e.g. can't get proxies to work with bimap, or some other problem).
- I'm using 0/32, and it doesn't work!
- I stop/unload IPF, but it magically reloads itself!
V. IPFilter and VPN
- I'm having problems connecting to Cisco VPNs through IPF NAT.
- I'm trying to remove entries from a pool and getting errors.
- I can only initiate x number of VPN connections to/from my NAT'd boxes! Why?
- I'm having more VPN problems... ESP packets and UDP packets are not being mapped to the same IP address.
VI. IPFilter and Solaris
- I have IPMon logging to syslog, but syslog doesn't log anything, why not?
- I have IPMon logging to syslog, and I can't use ipmon -oI, why not?
- When I start ipmon, it fails to start with an error.
- I'm getting weird ipmon log entries, why?
- Can I make IPF log straight to a file instead of to syslog?
- Why don't my return-rst's work?
- It won't compile, something about
- I'm using a 64-bit kernel, and when it tries to load ipf, it gets an error.
- How can I tell if I'm using a 32-bit or 64-bit kernel?
- Can I use gcc to make 64-bit Sparc kernel modules?
- What do I need to make a 64 bit Sparc kernel module?
- Wait, my Sparc host is running in 64 bit mode, but I don't want to buy Sun's Forte compiler, nor do I want to install the try-and-buy. What can I do to get IPF up?
- When I try to pkgadd the precompiled IPF package I downloaded, there are two sub-packages. What do I do?
- Can I use IPF on Solaris as a Layer 2 bridge?
- How can I tweak some of IPF's internal values at boot time?
- How can I build a transparent proxy using Squid on Solaris 8?
- Why can't I filter on the loopback interface, or virtual interfaces?
- How do I make StateTop work on Solaris?
- I'm using sppp, IPSec, or some other IP Tunnel and I'm seeing random system crashes or CPU "thrash," what do I do?
- I'm using a Sun system with an eri or bge interface, and after setting up NAT, ICMP passes through fine, but TCP doesn't. Why?
- Aren't there any 64-bit IP Filter binaries for Solaris out there already?
- Since upgrading to Solaris 9, I've been having weird crashes. Is this IPF related? What can be done?
- Where are the instructions for installing on Solaris 7/8/9/etc.?
- I'm getting /usr/include/ia32/sys/reg.h:300: error: parse error before "upad128_t" when I compile IPF, why?
- In IPF 4.x, you can supposedly compile the rules into an LKM. How do you do this in Solaris?
- In IPF 4.x, what is the performance gain in compiling your ruleset into an LKM?
- In IPF 4.x, I'm trying to build with gcc3 but it's not working!
- How do I compile IPF 4.x with gcc?
- How do I remove the IPF that comes with Solaris 10 and replace it with Darren's public-domain release?
- I installed IP Filter with Solaris 10, but there's no init scripts!
VII. IPFilter and HP-UX
- Does IPF Support HP-UX?
VIII. IPFilter and FreeBSD
- How can I set up bridging on FreeBSD?
- How can I get IP Filter to block by default?
- What version of IPF is included in FreeBSD?
- Where do I find the sources?
- How do I (re)compile IPF on FreeBSD?
- How do I start ipfilter on a running system?
- Don't I need to compile IPF into my kernel?
- How do I configure FreeBSD to enable ipfilter at startup?
- Forget the loadable kernel module stuff, how do I do compile IPF into my kernel?
- How do I start ipnat on a running system?
- How do I configure FreeBSD to enable ipnat at startup?
- How do I use the FreeBSD traffic shaper dummynet(4) with IPF?
- Which is better/faster/cooler/etc., IPF or IPFW?
- IPF and IPFW both have features I want to use, must I choose between them?
- Won't this slow down processing packets? By how much?
- How can I tweak some of IPF's internal values?
- Occasionally a server resends a TCP packet I've already sent an ACK to, and it causes the connection to die, why?
- I just upgraded IPF and I'm getting errors on boot - but everything works fine.
- How do I get IPF working with IPv6 in FreeBSD?
IX. IPFilter and NetBSD
- How do I upgrade IP Filter on NetBSD?
- How do I get IPF working with IPv6 in NetBSD?
- I'm getting messages about "no more space for rules" -- and I have a large ruleset. What do I do?
X. IPFilter and OpenBSD
- How can I get IP Filter to block by default?
- How can I upgrade IP Filter on OpenBSD < 3.0?
- So I've upgraded IP Filter, why isn't it working?
- I just installed OpenBSD 3.x, where's IP Filter?
- I've heard that there's problems with filtering on OpenBSD bridges. What's the deal?
XIII. IPFilter and Linux
- Is there a linux port?
- So how do I get it running on my favorite distro?
XIV. FAQ Administrative Questions
- Would you like me to register a domain for you?
- Would you like free hosting?
- How often is the FAQ updated?
- I have a useful addition to the FAQ, what do I do?
- I've submitted something for the FAQ, but it's not here, why not?
Copyright © 2002 - 2007 Phil Dibowitz