:::::::::::::IPFilter Tutorial:::::::::::::

Introduction/Disclaimer
--------------------
This document may be modified, reproduced, and distributed free of charge, as long as the "INTRODUCTION/DISCLAIMER" notice and the original author's name are both included. Also, please go to http://www.freebsd.org/copyright/index.html for FreeBSD copyright information.

Created 03-August-2002 - aka ded1
E-mail: ded1@MyBSD.org.my
WWW: http://www.ded1.org

*Any comments/ideas/questions are welcome.

Configuring ipf (firewall) on FreeBSD 4.5-RELEASE

1. Get the latest ipf source code from http://coombs.anu.edu.au/ipfilter/
2. Example: ftp://coombs.anu.edu.au/pub/net/ip-filter/ip-fil3.4.28.tar.gz
3. Then put it in any directory, for example /root/IPF/
4. Untar the source code: tar -xzvf ip-fil3.4.28.tar.gz
5. After extraction there will be a new directory named ip_fil3.4.28
6. cd to ip_fil3.4.28
7. Read the README and INSTALL.FreeBSD files
8. Then cd to /root/IPF/ip_fil3.4.28/FreeBSD-4.0
9. Read the INST.FreeBSD-4 file
10. Then cd back to /root/IPF/ip_fil3.4.28
11. Type

    # make freebsd4
    if [ ! -f netinet/done ] ; then (cd netinet; ln -s ../*.h .; ln -s ../ip_*_pxy.c .; ); (cd netinet; ln -s ../ipsend/tcpip.h tcpip.h); touch netinet/done; fi
    if [ xNET6 = x ] ; then echo "#undef INET6" > opt_inet6.h; else echo "#define INET6" > opt_inet6.h; fi
    make setup "TARGOS=BSD" "CPUDIR=`uname -s|sed -e 's@/@@g'`-`uname -r`-`uname -m`"
    if [ ! -d BSD/FreeBSD-4.5-RELEASE-i386 ] ; then mkdir BSD/FreeBSD-4.5-RELEASE-i386; fi
    rm -f BSD/FreeBSD-4.5-RELEASE-i386/Makefile BSD/FreeBSD-4.5-RELEASE-i386/Makefile.ipsend
    ln -s ../Makefile BSD/FreeBSD-4.5-RELEASE-i386/Makefile
    .....
    gcc -Wuninitialized -Wstrict-prototypes -O -g ipresend.o ip.o resend.o ipft_ef.o ipft_hx.o ipft_pc.o ipft_sn.o ipft_td.o ipft_tx.o opt.o sbpf.o sock.o 44arp.o -o ipresend
    gcc -Wuninitialized -Wstrict-prototypes -O -g -I../.. -DIPFILTER_LOG -c ../../ipsend/iptest.c -o iptest.o
    gcc -Wuninitialized -Wstrict-prototypes -O -g -I../.. -DIPFILTER_LOG -c ../../ipsend/iptests.c -o iptests.o
    gcc -Wuninitialized -Wstrict-prototypes -O -g iptest.o iptests.o ip.o sbpf.o sock.o 44arp.o -o iptest

12. Then type

    # make install-bsd
    (cd BSD/`uname -s|sed -e 's@/@@g'`-`uname -r`-`uname -m`; make install "TOP=../.." 'CFLAGS=-I$(TOP) -DIPFILTER_LOG' "IPFLOG=-DIPFILTER_LOG" "LOGFAC=-DLOGFAC=LOG_LOCAL0" "POLICY=-DIPF_DEFAULT_PASS=FR_PASS" "SOLARIS2=" "DEBUG=-g" "DCPU=`uname -m`" "CPUDIR=`uname -s|sed -e 's@/@@g'`-`uname -r`-`uname -m`" 'STATETOP_CFLAGS=-DSTATETOP' 'STATETOP_INC=' 'STATETOP_LIB=-lcurses' "BITS=" "OBJ=" "IPFLKM=-DIPFILTER_LKM" ; cd ..)
    ......
    Remember to rebuild the whatis database.
    (cd BSD/`uname -s|sed -e 's@/@@g'`-`uname -r`-`uname -m`; make -f Makefile.ipsend INSTALL=install install "TOP=../.." 'CFLAGS=-I$(TOP) -DIPFILTER_LOG' "IPFLOG=-DIPFILTER_LOG" "LOGFAC=-DLOGFAC=LOG_LOCAL0" "POLICY=-DIPF_DEFAULT_PASS=FR_PASS" "SOLARIS2=" "DEBUG=-g" "DCPU=`uname -m`" "CPUDIR=`uname -s|sed -e 's@/@@g'`-`uname -r`-`uname -m`" 'STATETOP_CFLAGS=-DSTATETOP' 'STATETOP_INC=' 'STATETOP_LIB=-lcurses' "BITS=" "OBJ=" "IPFLKM=-DIPFILTER_LKM" ; cd ..)
    install -cs -g wheel -m 755 -o root ipsend ipresend iptest /usr/sbin

13. First, cd to /usr/src/sys/i386/conf
14. cp GENERIC to whatever KERNEL name you want.
15. Example: KANCHIK
16. Add the following lines to the KANCHIK kernel config:

    # KANCHIK IPF
    options IPDIVERT #divert sockets
    options IPFILTER #ipfilter support
    options IPFILTER_LOG #ipfilter logging
    options IPTUNNEL
    options IPSTEALTH #support for stealth forwarding
    options IPSEC
    options IPSEC_ESP
    options IPSEC_DEBUG

17. cd to /root/IPF/ip_fil3.4.28/FreeBSD-4.0
18. Type

    # ./kinstall
    Installing ip_fil.c ip_fil.h ip_nat.c ip_nat.h ip_frag.c ip_frag.h ip_state.c ip_state.h fil.c ip_proxy.c ip_proxy.h ip_ftp_pxy.c ip_h323_pxy.c ip_ipsec_pxy.c ip_netbios_pxy.c ip_raudio_pxy.c ip_rcmd_pxy.c mlf_ipl.c mlfk_ipl.c ipl.h ip_compat.h ip_auth.c ip_auth.h ip_log.c
    Linking /usr/include/osreldate.h to /sys/sys/osreldate.h
    ln: /sys/sys/osreldate.h: No such file or directory
    IPv6 patching not required for your OS version
    Kernel configuration to update [GENERIC] KANCHIK
    IPFilter already configured in kernel config file

19. OK, IPF is now installed into the kernel.
20. Now recompile your KANCHIK kernel. Read how to customize the kernel at: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html
21. After recompiling the kernel, reboot the machine.
22. Log in to the machine again and add the following lines to /etc/rc.conf

    ipfilter_enable="YES"
    ipfilter_flags=""
    ipfilter_program="/sbin/ipf -Fa -v"
    ipfilter_rules="/etc/ipf1.rules"

23. Create a rules file named ipf1.rules and place it in /etc. My example rules are available at: http://staff.mybsd.org.my/ded1/Firewall/ipf1.rules
24. Bring ipf up with the command:

    # ipf -Fa -vf /etc/ipf1.rules

Your machine is now ready, with an ipf firewall that holds up even against an attack from a big OC3 pipe, and all pings/scans from outside will be denied according to those rules.

That is all.
- ded1
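
An offline check of the two files the final steps create, added here as an example and not part of the original tutorial. The make install-bsd output above shows the build policy IPF_DEFAULT_PASS=FR_PASS, so a packet that matches no rule is passed and the ruleset itself must carry a catch-all block. The interface name fxp0, the function names and the sample file contents are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Sample files are constructed.

# Print each rc.conf variable from the tutorial that file $1 does not set.
rc_missing() {
    for key in ipfilter_enable ipfilter_flags ipfilter_program ipfilter_rules; do
        grep -Eq "^[[:space:]]*${key}=" "$1" || echo "$key"
    done
}

# Succeed only if ruleset $1 has a catch-all inbound block rule: "block in",
# optional log/quick/on <if>, then "all" or "from any to any" with no proto.
# Simplification: "log" sub-options (body, first, level) are not recognised.
has_default_block() {
    sed -e 's/#.*//' "$1" | grep -Eq \
'^[[:space:]]*block[[:space:]]+in[[:space:]]+((log|quick|on[[:space:]]+[[:alnum:]]+)[[:space:]]+)*(all|from[[:space:]]+any[[:space:]]+to[[:space:]]+any)[[:space:]]*$'
}

demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/rc.conf" <<'EOF'
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf1.rules"
EOF
    cat > "$tmp/open.rules" <<'EOF'
# constructed: pass rules only, nothing blocks unmatched traffic
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state
EOF
    cat > "$tmp/closed.rules" <<'EOF'
# constructed: the same rules followed by a catch-all block
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state
block in log quick on fxp0 all
EOF
    echo "rc.conf missing: $(rc_missing "$tmp/rc.conf" | tr '\n' ' ')"
    for f in open closed; do
        if has_default_block "$tmp/$f.rules"; then
            echo "$f.rules: catch-all block present"
        else
            echo "$f.rules: NO catch-all block, unmatched packets pass"
        fi
    done
    rm -rf "$tmp"
}
demo
```

On the firewall itself, ipfstat -io lists the rules actually loaded, which is the place to confirm the block rule took effect.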