IP Filter

IP Filter (ipf) is one of the three packet filters included in FreeBSD, alongside ipfw and pf.

Documentation

IP Filter documentation can be found at the following:

FreeBSD Ports

Four FreeBSD ports support working with IP Filter:

ipfmeta (https://svnweb.freebsd.org/ports/head/security/ipfmeta/) simplifies maintenance of an IP Filter ruleset through the use of 'objects': a matching object is replaced by its values at runtime, much as a macro processor such as m4 does.

Firewall Builder (fwbuilder, https://svnweb.freebsd.org/ports/head/security/fwbuilder/) consists of an object-oriented GUI and a set of policy compilers for various firewall platforms. In Firewall Builder, a firewall policy is a set of rules, and each rule consists of abstract objects that represent real network objects and services (hosts, routers, firewalls, networks, protocols). Firewall Builder helps the user maintain a database of such objects and allows policy editing with simple drag-and-drop operations.

p5-plog (https://svnweb.freebsd.org/ports/head/security/p5-plog/) is a parser for the logged output of the ipmon utility that is part of the IP Filter packet-filtering and NAT package written and maintained by Darren Reed. plog translates the somewhat garbled output of ipmon into a report that aids analysis of firewall traffic.

fwanalog (https://svnweb.freebsd.org/ports/head/security/fwanalog/) is a shell script that parses and summarizes firewall log files. It uses the log analysis program Analog to create its reports.
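The two log tools above (p5-plog and fwanalog) both start from the same task: parsing ipmon(8) lines into fields and counting them. The following is an added example of that step, written for this page and not taken from either port. It matches the line shape ipmon documents (date, time, interface, @group:rule, action letter, source and destination with optional ,port, PR protocol, header and packet lengths, optional TCP flags or ICMP type, then IN or OUT) and summarizes blocked traffic per rule, source and destination port. The log lines in LOG are constructed for the example (RFC 5737 addresses), as is the fallback behaviour for lines that do not parse.

```python
"""Parse ipmon(8) log lines and summarize blocked/passed traffic (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Line shape as documented for ipmon; 'extra' absorbs TCP flags (-S, -A) or "icmp 8/0".
IPMON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[A-Za-z]+) (?P<src>[^,\s]+)(?:,(?P<sport>\d+))? -> "
    r"(?P<dst>[^,\s]+)(?:,(?P<dport>\d+))? PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: (?P<extra>.*?))? (?P<dir>IN|OUT)\b"
)

# Constructed sample log: two blocked TCP probes from one host, an allowed DNS reply,
# a blocked ICMP echo request, an outbound DNS query, and one line that is not ipmon output.
LOG = """\
19/03/2020 10:15:01.000001 em0 @0:1 b 203.0.113.7,40123 -> 192.0.2.10,22 PR tcp len 20 60 -S IN
19/03/2020 10:15:02.000002 em0 @0:1 b 203.0.113.7,40124 -> 192.0.2.10,23 PR tcp len 20 60 -S IN
19/03/2020 10:15:03.000003 em0 @0:2 p 198.51.100.4,53 -> 192.0.2.10,51000 PR udp len 20 80 IN
19/03/2020 10:15:04.000004 em0 @0:1 b 203.0.113.9 -> 192.0.2.10 PR icmp len 20 84 icmp 8/0 IN
19/03/2020 10:15:05.000005 em0 @0:3 p 192.0.2.10,51001 -> 198.51.100.4,53 PR udp len 20 64 OUT
not an ipmon line at all
"""


@dataclass(frozen=True)
class Entry:
    iface: str
    group: int
    rule: int
    action: str          # ipmon action letters: p pass, b block, S short, n nat, L log
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    direction: str       # IN or OUT


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a well-formed ipmon line, or None for anything else."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None

    def port(v: Optional[str]) -> Optional[int]:
        return int(v) if v is not None else None

    return Entry(
        iface=m["iface"], group=int(m["group"]), rule=int(m["rule"]),
        action=m["action"], src=m["src"], sport=port(m["sport"]),
        dst=m["dst"], dport=port(m["dport"]), proto=m["proto"], direction=m["dir"],
    )


def summarize(text: str) -> dict:
    """Count blocked/passed entries and rank blocked sources, rules and destination ports."""
    entries, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e is None:
            unparsed += 1          # keep a count rather than silently dropping odd lines
        else:
            entries.append(e)
    blocked = [e for e in entries if "b" in e.action]
    passed = [e for e in entries if "p" in e.action]
    return {
        "blocked": len(blocked),
        "passed": len(passed),
        "unparsed": unparsed,
        "blocked_by_rule": Counter("@%d:%d" % (e.group, e.rule) for e in blocked),
        "top_blocked_sources": Counter(e.src for e in blocked).most_common(5),
        "blocked_dports": Counter(e.dport for e in blocked if e.dport is not None),
    }


if __name__ == "__main__":
    for key, value in summarize(LOG).items():
        print(key, value)
```

Real ipmon output can be read the same way from the file given to ipmon -o or from syslog; the unparsed counter is the check worth watching, since a non-zero value usually means a line format the regex does not yet cover rather than a broken log.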

Bugs and Features

Bug/Feature                                    | Status                    | Notes
-----------------------------------------------|---------------------------|----------------------------------
#ifdef cleanup                                 | Done                      |
Convert ipfilter to new routing KPI            | Done                      |
Removal of GIANT                               | Done                      |
Debugging DTrace probes                        | Complete                  | Added as needed
IPv6 checksum fixes                            | Done                      |
Ansify kernel function definitions             | Complete but not committed|
Ansify userland function definitions           | 25% complete              |
Replace caddr_t with void*                     | Not tested                |
Make radix_ipf IPv6 aware                      | WIP                       |
Extend flags (flags2)                          | WIP                       |
Import NetBSD ip_nat r1.14 patch               | Not tested                |
TCP MSS support as in iptables                 | Not started               |
ip_nat.c putent                                | WIP                       |
ipfs bug                                       | Not started               |
Revert r343590 and find a better way to fix    | WIP                       |
Documentation and examples                     | Not started               |
Resurrect ipftest and enable NetBSD tests      | Not started               |
Replace SPRINTF with snprintf in kernel        | WIP                       |
Manage a jail's rules from the host            | Not started               | Prerequisite to import into Illumos
Restrict a jail's control over rules           | Not started               | Prerequisite to import into Illumos

IPFilter (last edited 2020-11-28T06:25:12+0000 by CySchubert)