IP Filter FAQ

Welcome to the IP Filter Frequently Asked Questions. This FAQ contains a lot of useful information, and if you use or plan to use IPF, you should read it. Here is some information about the FAQ:
  1. The latest version can be found at http://home.earthlink.net/~jaymzh666/IPF-FAQ/IPFtoc.html
  2. You may copy it, mirror it, distribute it at will as long as you do so IN ITS ENTIRETY
  3. The FAQ was written and is currently maintained by Phil Dibowitz, so please direct any updates or questions there.
  4. The FAQ doesn't address bugs in versions prior to 3.4.20 (other than how to upgrade to that level). If you find a bug not on here, and you don't have a recent version, you should try upgrading.
Additionally, I would like to thank Darren Reed, Jim Sandoz, Ron Florence, Erik Fichtner, Glen Foster, and everyone else who has contributed for all of their help.

Last updated: 10/29/01

TABLE OF CONTENTS

I. General
  1. Who wrote IP Filter?
  2. What is the website for IP Filter?
  3. Is there a tutorial?
  4. What OSes does it run on?
II. Mailing List
  1. What mailing list(s) is/are available for IP Filter?
  2. What do I need to know before sending stuff to the list?
  3. What should I ALWAYS do when sending stuff to the list?
  4. What should I NEVER do when sending stuff to the list?
  5. Are there archives for the mailing list?
III. Common Questions about IP Filter
  1. What does keep state actually do? Is it useful?
  2. What is with this last match stuff?
  3. What is "in" and what is "out"?
  4. Does IP Filter actually work on BSD/OS? What do I need to make it work?
  5. I'm using PPPoE (or some other virtual interface/tunnel), how should I write my rulesets?
  6. So, if 'map a.b.c.d/M -> w.x.y.z/32' does NAT for all protocols, why do I need a 'map a.b.c.d/M -> w.x.y.z/32 portmap'?
  7. Well, after reading the answer to III-6, do I have to have the first rule if I have the second rule?
  8. How do I upgrade IPF?
  9. I have a dynamic IP address, how can I do NAT?
  10. What's the difference between MAP and RDR?
  11. When does NAT happen in relation to filtering?
  12. Are there any GUIs or other aids?
  13. Are there any log analyzers?
  14. How do you clear accounting stats?
IV. Common Problems with IP Filter (non-OS Specific)
  1. I have file transfer (FTP or HTTP) and if download speed is more than 100 KB/sec, connection breaks.
  2. I have to keep clearing the state table or IPF dies, why?
  3. The default ipfboot script flushes the state table. Is this necessary every time you change some rule or just when that rule has a 'keep state' in it and there are existing state table entries that would be affected?
  4. Sending mail is horribly slow!
  5. I can't connect to IRC.
  6. When I try to load the LKM (if_ipl.o), I get "fr_checkp" (or other) unresolved symbols. (FreeBSD, OpenBSD, SunOS)
  7. When I do a make, it complains about -I(TOP).
  8. I'm using rdr for a webserver behind IPF and the world can see it just fine, but the internal machines can't surf to it via the external IP address.
  9. Long ftp transfers and some other long single-connection sessions fail.
  10. I've set up to use the ftp-proxy in my ipnat.conf file, and it works fine from NAT'ed machines, but I can't ftp from the firewall machine unless I put a rule in ipf.conf to pass port 20/tcp in from remote machines. How do I get the ftp proxy to work from the firewall machine too?
V. IPFilter and VPN
  1. I can only initiate x number of VPN connections to/from my NAT'd boxes! Why?
  2. I'm having more VPN problems... ESP packets and UDP packets are not being mapped to the same IP address.
VI. IPMon
  1. I have IPMon logging to syslog, but syslog doesn't log anything, why not?
  2. I have IPMon logging to syslog, and I can't use ipmon -oI, why not?
  3. When I start ipmon, it fails to start with an error.
VII. IPFilter and Solaris
  1. Why don't my return-rst's work?
  2. It won't compile, something about /usr/ucb/cc.
  3. I'm using a 64-bit kernel, and when it tries to load ipf, it gets an error.
  4. How can I tell if I'm using a 32-bit or 64-bit kernel?
  5. Can gcc make 64-bit Sparc kernel modules?
  6. What do I need to make a 64 bit Sparc kernel module?
  7. Wait, my Sparc host is running in 64 bit mode, but I don't want to buy Sun's Forte compiler, nor do I want to install the try-and-buy. What can I do to get IPF up?
  8. When I try and pkgadd the precompiled IPF package I downloaded, there are two sub-packages. What do I do?
  9. Can I use IPF on Solaris as a Layer 2 bridge?
  10. How can I tweak some of IPF's internal values at boot time?
  11. How can I build a transparent proxy using Squid on Solaris 8?
VIII. SunOS
IX. HP-UX
  1. Does IPF Support HP-UX?
X. FreeBSD
  1. I'm having problems with bridging and FreeBSD
  2. How can I get IP Filter to block by default?
  3. What version of IPF is included in FreeBSD?
  4. Where do I find the sources?
  5. How do I (re)compile IPF on FreeBSD?
  6. How do I start ipfilter on a running system?
  7. Don't I need to compile IPF into my kernel?
  8. How do I configure FreeBSD to enable ipfilter at startup?
  9. Forget the loadable kernel module stuff, how do I compile IPF into my kernel?
  10. How do I start ipnat on a running system?
  11. How do I configure FreeBSD to enable ipnat at startup?
  12. How do I use the FreeBSD traffic shaper dummynet(4) with IPF?
  13. Which is better/faster/cool/etc., IPF or IPFW?
  14. IPF and IPFW both have features I want to use, must I choose between them?
  15. Won't this slow down processing packets? By how much?
  16. How can I tweak some of IPF's internal values?
XI. NetBSD
  1. How do I upgrade IP Filter on NetBSD?
XII. OpenBSD
  1. How can I get IP Filter to block by default?
  2. How can I upgrade IP Filter on OpenBSD?
XIII. Linux
  1. Is there a Linux port?