IPF does not yet support bridging on FreeBSD, only on OpenBSD; however, Darren plans to implement this soon.
Set the kernel option:
options IPFILTER_DEFAULT_BLOCK
and recompile your kernel.
Generally, the most recent IPF release will be found in both FreeBSD STABLE and FreeBSD CURRENT.
First you have to install the system sources, see the FreeBSD Handbook if you didn't choose to do this at install time. After installation, the IPF source will be in /usr/src/contrib/ipfilter/. Take care to ensure that comments in various documentation files apply to the particular version of FreeBSD you are running since IPF supports many FreeBSD versions and the operating system has changed significantly over the past few years.
IPF is compiled and installed as part of the regular "make world" and "make kernel" procedures. See the FreeBSD Handbook for more on these.
If you want to rebuild and reinstall only the ipf and ipnat shipped with the sources you have installed, do this:
cd /usr/src/sbin/ipf
make clean all install
The ipl kernel module is (re)built as part of the kernel building procedure as described in the FreeBSD Handbook.
Note that, if version skew between your running system and the source you have installed causes the compile to fail, it is best to upgrade the entire system with either a binary or source upgrade.
First, create a set of filter rules appropriate to your application and save them in /etc/ipf.conf.
Then load the ipl loadable kernel module (these are called "KLD"s in FreeBSD):
kldload ipl
Then load your rule set into ipfilter:
ipf -Fa -f /etc/ipf.conf
No. IPF can be enabled after boot by loading the ipl loadable kernel module as above, or just by configuring it to load at startup as in the next answer.
First, create a set of filter rules appropriate to your application and save them in the file /etc/ipf.conf.
Then, set the following variables in the /etc/rc.conf file:
ipfilter_enable="YES"
ipfilter_program="/sbin/ipf -Fa -f"
ipfilter_rules="/etc/ipf.conf"
ipfilter_flags=""
and reboot. The startup scripts will load the ipl kernel module (if it is not already in the kernel) and pass the rule file to the ipf program.
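The manual load sequence and the rc.conf variables above, put together in one script as an added example (this is not code from the FAQ or from the IPF distribution). It generates a minimal stateful, default-deny /etc/ipf.conf, the matching rc.conf fragment, and loads the rules the way the FAQ describes, with one extra step: ipf -n parses the file without making any ioctl calls, so a typo is caught before -Fa has flushed the running ruleset. The interface name em0 and the LAN 192.168.1.0/24 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the IPF FAQ: a minimal stateful default-deny
# /etc/ipf.conf, the matching /etc/rc.conf variables, and the manual load
# sequence from the FAQ with a parse-only pass (ipf -n) before the active
# rules are flushed and replaced (ipf -Fa -f).
# The interface em0 and the LAN 192.168.1.0/24 are constructed placeholders.

IPF_RULES="${IPF_RULES:-/etc/ipf.conf}"

# Ruleset: allow and track everything outbound, allow only SSH from the LAN
# and ICMP echo inbound, block (and log) all other inbound traffic.
gen_ipf_rules() {
    cat <<'EOF'
# loopback is trusted
pass in quick on lo0 all
pass out quick on lo0 all
# outbound: allow, keep state so the replies need no inbound rule
pass out quick on em0 proto tcp from any to any flags S keep state
pass out quick on em0 proto udp from any to any keep state
pass out quick on em0 proto icmp from any to any keep state
# inbound: only the services listed here, everything else blocked and logged
pass in quick on em0 proto tcp from 192.168.1.0/24 to any port = 22 flags S keep state
pass in quick on em0 proto icmp from any to any icmp-type echo keep state
block in log quick on em0 all
EOF
}

# The rc.conf fragment from the FAQ, pointing at the same rule file.
gen_rc_conf() {
    cat <<EOF
ipfilter_enable="YES"
ipfilter_program="/sbin/ipf -Fa -f"
ipfilter_rules="$IPF_RULES"
ipfilter_flags=""
EOF
}

# Offline sanity check: the file must hold at least one rule and an explicit
# "block in" rule, so an empty or truncated file is never handed to ipf -Fa.
ipf_rules_sane() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -Eq '^[[:space:]]*(pass|block)[[:space:]]' "$f" || return 1
    grep -Eq '^[[:space:]]*block[[:space:]]+in([[:space:]]|$)' "$f" || return 1
    return 0
}

# Manual load sequence: kldload ipl, parse-only check, then flush and load.
load_ipf() {
    f="$1"
    ipf_rules_sane "$f" || { echo "refusing to load $f" >&2; return 1; }
    # load the ipl KLD unless it is already listed; when IPF is compiled
    # into the kernel the kldload fails and the ipf calls below still work
    kldstat | grep -q 'ipl.ko' || kldload ipl 2>/dev/null || true
    # -n parses the file without touching the kernel: a typo is reported
    # here, before -Fa has flushed the running ruleset
    ipf -n -f "$f" || { echo "syntax error in $f, rules unchanged" >&2; return 1; }
    ipf -Fa -f "$f"
}

case "${1:-}" in
    show)    gen_ipf_rules; echo; gen_rc_conf ;;   # print both fragments
    install) gen_ipf_rules > "$IPF_RULES" && load_ipf "$IPF_RULES" ;;
esac
```

Run it with "show" to inspect the two fragments, or as root with "install" to write /etc/ipf.conf and load it. The parse-only pass matters because -Fa flushes every active rule first: a file that fails to load after the flush leaves the box running on the kernel's default policy, which is block-everything when IPFILTER_DEFAULT_BLOCK is set.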
Add the following lines to your custom kernel configuration file:
options IPFILTER
options IPFILTER_LOG
then compile and install the kernel using the procedure described in the FreeBSD Handbook.
First, create a set of NAT rules appropriate to your application and save them in the file /etc/ipnat.conf.
If not already loaded, load the ipl loadable kernel module:
kldload ipl
Then load your rule set:
ipnat -f /etc/ipnat.conf
First, create a set of NAT rules appropriate to your application and save them in the file /etc/ipnat.conf.
Then set the following variables in the /etc/rc.conf file:
ipnat_enable="YES"
ipnat_program="/sbin/ipnat -CF -f"
ipnat_rules="/etc/ipnat.conf"
and reboot. The startup scripts will load the ipl kernel module (if it is not already in the kernel) and pass the rule file to the ipnat program.
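The NAT counterpart of the procedures above, as an added example (not code from the FAQ or from IPF itself): a small /etc/ipnat.conf that hides a LAN behind the external interface and forwards one inbound port, the rc.conf variables, and the load sequence with a parse-only pass (ipnat -n) before -CF discards the running NAT rules and the active translation table. em0, the LAN 192.168.1.0/24 and the web host 192.168.1.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the IPF FAQ: a small /etc/ipnat.conf, the matching
# /etc/rc.conf variables, and the load sequence from the FAQ with a
# parse-only pass (ipnat -n) before the running rules and the translation
# table are flushed (ipnat -CF).
# em0, 192.168.1.0/24 and 192.168.1.10 are constructed placeholders.

IPNAT_RULES="${IPNAT_RULES:-/etc/ipnat.conf}"

gen_ipnat_rules() {
    cat <<'EOF'
# many-to-one NAT: rewrite LAN sources to the address of em0 (0/32);
# the portmap line keeps TCP/UDP flows distinguishable, the plain line
# covers the other protocols (ICMP, for instance)
map em0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map em0 192.168.1.0/24 -> 0/32
# forward inbound HTTP on the external address to an internal web host
rdr em0 0/0 port 80 -> 192.168.1.10 port 80 tcp
EOF
}

# The rc.conf fragment from the FAQ, pointing at the same rule file.
gen_rc_conf_nat() {
    cat <<EOF
ipnat_enable="YES"
ipnat_program="/sbin/ipnat -CF -f"
ipnat_rules="$IPNAT_RULES"
EOF
}

# Offline check: every non-blank, non-comment line must start with a NAT
# rule keyword, and there must be at least one rule.
ipnat_rules_sane() {
    f="$1"
    [ -s "$f" ] || return 1
    if grep -Ev '^[[:space:]]*(#|$)' "$f" |
       grep -Evq '^[[:space:]]*(map|map-block|rdr|bimap)[[:space:]]'; then
        return 1
    fi
    grep -Eq '^[[:space:]]*(map|map-block|rdr|bimap)[[:space:]]' "$f" || return 1
    return 0
}

load_ipnat() {
    f="$1"
    ipnat_rules_sane "$f" || { echo "refusing to load $f" >&2; return 1; }
    kldstat | grep -q 'ipl.ko' || kldload ipl 2>/dev/null || true
    # -n parses only, no ioctl: a bad file is caught before -CF empties the table
    ipnat -n -f "$f" || { echo "syntax error in $f, NAT unchanged" >&2; return 1; }
    # -C removes the current NAT rules, -F the active translation entries
    ipnat -CF -f "$f"
}

case "${1:-}" in
    show)    gen_ipnat_rules; echo; gen_rc_conf_nat ;;
    install) gen_ipnat_rules > "$IPNAT_RULES" && load_ipnat "$IPNAT_RULES" ;;
esac
```

One ordering caveat when these rules sit next to a filter ruleset: IPF applies NAT before the filter on inbound packets and after the filter on outbound packets, so the filter rule that admits traffic to the forwarded web host must name the internal address 192.168.1.10, not the external one, and outbound filter rules see the untranslated LAN source addresses.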
Dummynet is closely tied to ipfw(8) and is not supported by IPF. Darren suggests the use of the ALTQ traffic shaper instead. It is possible to use IPFW and IPF together, e.g. using IPFW for dummynet and IPF for filtering and NAT; see below.
IPF and IPFW are close enough in speed that it is not an issue. As far as which is better, this is something only you can answer. Each is different and appropriate for its own application. Asking this indicates you have not done enough research into these two tools. Find out as much as you can about both, try both, and decide which is best for you.
No. You can run them both on a single machine. However, you must take care to ensure that one package's rules do not interfere with the other's. Note that the packages get to see packets in the order in which they were loaded, e.g. if IPFW is compiled into the kernel and IPF is loaded as a module, IPFW "sees" packets before IPF.
Yes. How much depends far more on your particular situation than on any intrinsic issues. People who have done this have reported that it does not meaningfully impact overall firewall performance.
The sysctl(8) interface to the kernel allows some of the IPF values to be set on a running system; they live under net.inet.ipf in the sysctl tree. You can use the /etc/rc.sysctl file to set these values at boot time.