
IPFilter 5.1.1


Darren Reed

Jan 29, 2012, 2:44:49 PM
After what seems like an eternity, I've finally uploaded version
IPFilter 5.1.1.

There are no patch files against 5.1.0 or 4.1.35 as they'd be
too large to have any meaning.

Building and testing has been primarily done on Solaris 10 and
NetBSD 5.99, with no panics or crashes from regular activity.
It should also compile and load up fine on FreeBSD as well.
Someone asked about Illumos earlier in the week - when I last
tried building there, I ran into some problems that seem related
to bugs in their header files.

Why should you replace version 4 with 5?

At the user interface level, obscure error messages should now be
a thing of the past when dealing with the kernel module. There are
still likely to be obscure messages when parsing configuration
files or in other areas, but that will be taken care of in time too.

If you build IPFilter with "COMPAT_IPFILTER" defined in the top
level Makefile, it will be possible to use ipf/ipnat from earlier
versions of IPFilter to load a configuration but use of ipfstat
and ipnat to display rules and statistics will run into trouble.

In terms of basic features, ipnat now supports IPv6 and with new
"rewrite" rules, both the source and destination address can be
replaced using a single NAT rule. In addition, "divert" and
"encap" rules have been added for experimentation.
See the new man page ipnat(5) for more details.

For ipf, it is now possible to use a filter rule group for filtering
of ICMP packets associated with existing state entries using the
"icmp-head" option with "keep state". Additionally, it is now
possible to restrict the number of individual networks or hosts
that have associated state entries, preventing a single source from
dominating the state table. Version 5 also introduces a completely
new type of rule to ipf.conf - "decapsulate". These rules make it
possible to tell IPFilter to "remove" the headers at the front of a
packet and process the contents as a new packet. In the short term,
the primary application of this is to allow firewalls that are not
a tunnel end point to filter on the traffic inside the tunnel where
the traffic is not encrypted. See ipf.conf(5) for more details.

The logging application, ipmon, can now be given a configuration
file that allows for log entries to be stored in different files,
delivered via syslog or via SNMP traps. See ipmon(5) for more
details.

http://coombs.anu.edu.au/~avalon/ip_fil5.1.1.tar.gz

MD5 (ip_fil5.1.1.tar.gz) = e9d51c6e58f549c4ab499254c81c90d2

Darren

Dennis Clarke

Jan 29, 2012, 1:59:46 PM

> After what seems like an eternity, I've finally uploaded version
> IPFilter 5.1.1.

awesome, thank you.

I'll give it a shot on Solaris 8 and 9 to see what, if
anything, happens.



> http://coombs.anu.edu.au/~avalon/ip_fil5.1.1.tar.gz
>
> MD5 (ip_fil5.1.1.tar.gz) = e9d51c6e58f549c4ab499254c81c90d2
>
> Darren
>
>


--
--
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x1D936C72FA35B44B
+-------------------------+-----------------------------------+
| Dennis Clarke | Solaris and Linux and Open Source |
| dcl...@blastwave.org | Respect for open standards. |
+-------------------------+-----------------------------------+

Darren Reed

Jan 30, 2012, 11:19:15 AM
Darren Reed wrote:
> After what seems like an eternity, I've finally uploaded version
> IPFilter 5.1.1.
> ...
> http://coombs.anu.edu.au/~avalon/ip_fil5.1.1.tar.gz
>
> MD5 (ip_fil5.1.1.tar.gz) = e9d51c6e58f549c4ab499254c81c90d2

And it has been long enough that I've forgotten a few things...

Like that I need to change the version number in a few files.

I've fixed those and fixed it so that it compiles on Solaris 11
and Illumos.

MD5 (ip_fil5.1.1.tar.gz) = 168ed89b28a2399218a8f416fd4b07cc

Darren

Jason Hellenthal

Jan 31, 2012, 1:04:14 AM
Would this not make it 5.1.2 ?

In my experience re-rolling distfiles to the same version number causes a whole lot of grief.

e9d51c6e58f549c4ab499254c81c90d2 ip_fil5.1.1_before.tar.gz
168ed89b28a2399218a8f416fd4b07cc ip_fil5.1.1_now.tar.gz

--
;s =;
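
The re-roll discussed above (one filename, two published MD5 values) is something a mirror or packaging script can detect mechanically. The following is an added example, not part of any post in this thread and not IPFilter project code; the function names are hypothetical, and it assumes the most recently posted digest is the authoritative one.

```python
import hashlib
import re

# The thread uses two checksum line styles:
#   BSD md5(1):  MD5 (name) = <32 hex>      GNU md5sum:  <32 hex>  name
BSD_RE = re.compile(r"MD5 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]{32})$")
GNU_RE = re.compile(r"(?P<hex>[0-9a-fA-F]{32})\s+\*?(?P<name>\S+)$")

# Checksum lines copied from the posts above, in posting order.
THREAD = """\
MD5 (ip_fil5.1.1.tar.gz) = e9d51c6e58f549c4ab499254c81c90d2
> MD5 (ip_fil5.1.1.tar.gz) = e9d51c6e58f549c4ab499254c81c90d2
MD5 (ip_fil5.1.1.tar.gz) = 168ed89b28a2399218a8f416fd4b07cc
e9d51c6e58f549c4ab499254c81c90d2 ip_fil5.1.1_before.tar.gz
168ed89b28a2399218a8f416fd4b07cc ip_fil5.1.1_now.tar.gz
"""

def parse_digests(text):
    """Map filename -> distinct digests, in the order they were published."""
    history = {}
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()  # drop mail quoting
        m = BSD_RE.match(line) or GNU_RE.match(line)
        if not m:
            continue
        seen = history.setdefault(m["name"], [])
        if m["hex"].lower() not in seen:
            seen.append(m["hex"].lower())
    return history

def rerolled(history):
    """Filenames that were published with more than one digest."""
    return sorted(n for n, d in history.items() if len(d) > 1)

def md5_of(path):
    """Hex MD5 of a local file. MD5 is what the thread published; it catches
    re-rolls and corruption, not deliberately crafted collisions."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def classify(digest, name, history):
    """Assumption: the last digest published for a name is authoritative."""
    known = history.get(name, [])
    if not known:
        return "unlisted"
    if digest.lower() == known[-1]:
        return "current"
    return "superseded" if digest.lower() in known else "mismatch"
```

A copy of ip_fil5.1.1.tar.gz fetched before the second announcement would classify as "superseded" rather than "mismatch", which separates a stale download from a corrupted or altered one.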