IPFilter 4.1.13

I've been busy at home, working on the open source IPFilter project in the last couple of months and earlier today uploaded the latest version, 4.1.13. After creating a fouled up .12 (through lack of testing on my behalf), I'm hoping that 13 won't be an unlucky number for me.

Also, in following up on some earlier work to use IPFilter in defense against spam, I've been experimenting with port knocking. I'll update my blog later in the week when I've made a last few changes there and uploaded it onto the Internet.

Comments:

That would explain a lot, like why I could get it to work.

Posted by jpdrawneek on April 04, 2006 at 01:40 AM PDT #

Compile Guide to IPFilter 4.1.3 in AMD64/EMT64 system

The purpose of this guide is to help anybody that wants to update the "buggy" IPfilter (4.0.2) included in Solaris 10. All the compilation was done on a Dell SC430 with a Pentium Dual Core 2.8 EMT64 chip. I also have an Opteron 3800+ that I'm going to test soon, but following the "release fast, release frequently" doctrine, I want to offer my experience now.

You are going to need the latest Solaris distribution and Sun Studio 11 for the x86 platform (which recently became available for free) to perform the installation.

There is an awesome guide to doing all this with 32-bit kernels at http://www.colby.edu/personal/j/jaearick/sysadmin/sol10.ipfilter.upgrade. Instead of writing another guide, refer to this document; all the information in this guide is correct. You can follow this guide until you arrive at section 9, which says:

"9) Build and install pfil 2.1.x and ipfilter 4.1.x per the instructions that come in the tarfiles. Follow the instructions carefully. Make sure the previous pfil driver is unloaded before attempting to install pfil 2.1.x."

a) He takes for granted good knowledge of kernel module compilation, which I haven't, and a good compilation environment, which I have. Just install Sun Studio 11 and make sure that it is in your PATH. I put my .profile file as an example.

-> $HOME/.profile

    PATH=/opt/SUNWspro/bin:/usr/sfw/bin:/usr/sfw/sbin:$PATH:/usr/ccs/bin:./
    MANPATH=/usr/SUNWspro/man:/usr/man:/usr/sfw/man
    CC=cc
    CXX=CC
    MAKE=make
    PS1="`uname -n`# "
    EDITOR=vi
    export PATH MANPATH CC CXX MAKE PS1 EDITOR

-----------

b) Uncompress the distribution files in a proper directory, for example /var/tmp/ipf.

    mkdir /var/tmp/ipf
    cd /var/tmp/ipf
    gunzip < ${DOWNLOADS}/export/home/sources/pfil-2.1.10.tar.gz | tar xf -
    gunzip < ${DOWNLOADS}/export/home/sources/ip_fil4.1.13.tar.gz | tar xf -

c) Compile Pfil-2.1.10

I'm using the latest Solaris distribution. In this release, many system include files have been updated from files that hadn't been touched since 2004. That produces an interesting error with the file /usr/include/sys/ddi_implfuncs.h at line number 206:

    cc -I.. -I. -D_KERNEL -DSUNDDI -DSOLARIS2=10 -DPFILDEBUG -c ../pfil.c -o pfil.o
    "/usr/include/sys/ddi_implfuncs.h", line 206: syntax error before or at: peekpoke_ctlops_t
    "/usr/include/sys/ddi_implfuncs.h", line 206: warning: undefined or missing type for: peekpoke_ctlops_t

The solution is to comment out this declaration in /usr/include/sys/ddi_implfuncs.h. This declaration seems to apply to the Sparc v9 platform, so it seems safe to just comment it out. I first tested the compilation on an older Solaris 10 release that I have on some production servers, and there it compiles 32-bit binaries without issue, so it seems safe.

    diff ddi_implfuncs.h.amd64 ddi_implfuncs.h
    < /\* extern int peekpoke_mem(ddi_ctl_enum_t, peekpoke_ctlops_t \*); \*/
    ---
    > extern int peekpoke_mem(ddi_ctl_enum_t, peekpoke_ctlops_t \*);

sund

The pfil package is not AMD64 aware (ipfilter is), so I tailored a special Makefile.amd64 to work in this environment. This Makefile doesn't work for 32-bit environments.

    diff Makefile.amd64 Makefile
    23c23
    < SBITS:sh=optisa amd64 >/dev/null 2>&1; if [ "$?" -eq 0 ] ; then echo "64"; else echo "32"; fi
    ---
    > SBITS:sh=optisa sparcv9 >/dev/null 2>&1; if [ "$?" -eq 0 ] ; then echo "64"; else echo "32"; fi
    26c26
    < S64FLAGS=-fast -xarch=amd64 -xmodel=kernel -DDO=pfil${SBITS}
    ---
    > S64FLAGS=-xildoff -xarch=v9 -xchip=ultra -dalign -xcode=abs32 -DDO=pfil${SBITS}
    111,114c111,114
    < echo 'd none kernel/strmod/amd64 ? root sys' >> prototype; \\
    < echo 'l none kernel/strmod/amd64/pfil=../../drv/amd64/pfil' >> prototype; \\
    < echo 'd none kernel/drv/amd64 ? root sys' >> prototype; \\
    < echo 'f none kernel/drv/amd64/pfil=pfil64 ? root sys' >> prototype; \\
    ---
    > echo 'd none kernel/strmod/sparcv9 ? root sys' >> prototype; \\
    > echo 'l none kernel/strmod/sparcv9/pfil=../../drv/sparcv9/pfil' >> prototype; \\
    > echo 'd none kernel/drv/sparcv9 ? root sys' >> prototype; \\
    > echo 'f none kernel/drv/sparcv9/pfil=pfil64 ? root sys' >> prototype; \\

sund

There are three changes. First, "optisa amd64" instead of "optisa sparcv9" to properly detect the AMD64 platform. Second, the compilation flags required for SunPro CC, S64FLAGS=-fast -xarch=amd64 -xmodel=kernel -DDO=pfil${SBITS}. The "-xarch=amd64" generates code for the AMD64/EMT64 platform; "-xmodel=kernel" is very important so that code is compiled in memory addressable by the kernel. Third, I changed the directory where the package installs the compiled files to conform to the Solaris platform standards.

The package is compiled and installed using the standard commands. Remember to properly set your compilation environment.

    make package
    pkgadd -d /tmp/pfil.pkg

d) Compile IPFilter-4.1.13

The package is much easier to compile, because it is AMD64/EMT64 aware. It is affected by the same issue with the ddi_implfuncs.h file, so just keep line 206 commented out. Here almost all the work is done by the buildsunos script, and basically declaring the proper compilation flags, as in pfil, does the trick.

    diff buildsunos.amd64 buildsunos
    94c94
    < XARCH64_i386="$XARCH32 -fast -xarch=amd64 -xmodel=kernel"
    ---
    > XARCH64_i386="$XARCH32 -xarch=amd64 -xcode=abs32"

There is also a small problem when building the packages. It is because the ! sign was omitted in the ./ip_fil4.1.13/SunOS5/prototype_amd64 file, which sets the default permission of the files. Just add it and you are ready to rock.

    diff prototype_amd64.amd64 prototype_amd64
    3c3
    < !default 0755 root root
    ---
    > default 0755 root root

sund

The package is compiled and installed using the standard commands. Remember to properly set your compilation environment.

    make solaris
    cd SunOS5
    make package

Now you can continue to follow the http://www.colby.edu/personal/j/jaearick/sysadmin/sol10.ipfilter.upgrade guide. Thanks for this great document. Especially, don't forget to erase the Solaris 8/9 initialization scripts:

    rm /etc/rc2.d/S65ipfboot
    rm /etc/rc2.d/S10pfil
    rm /etc/rcS.d/S10pfil
    rm /etc/init.d/ipfboot
    rm /etc/init.d/pfil

Regards,
Lic. Alejandro Marin, c.p.i.
Servicios Pastorales
San Jose, Costa Rica, Central America
amarin@servpast.org

Posted by Alejandro Marin on May 31, 2006 at 07:36 AM PDT #
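
Review bot: The ddi_implfuncs.h diff comments out the peekpoke_mem() prototype in the system copy under /usr/include/sys, so every later kernel-module build on that host loses the declaration, not only pfil and IPFilter. Keep the edited header in a private include directory that is searched first for these two builds, or restore the original once the packages are built. The argument order in "diff ddi_implfuncs.h.amd64 ddi_implfuncs.h" also puts the edited file first, so the "<" line is the new text; swapping the arguments would let the output be read and applied in the usual direction.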
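
Review bot: In the Makefile.amd64 diff, the "optisa amd64" test at line 23 and the kernel/strmod/amd64 and kernel/drv/amd64 prototype entries at lines 111-114 replace the sparcv9 values instead of adding a second case, while SBITS still falls back to "32" when the test fails. Derive the ISA name once (amd64 or sparcv9) and use that variable in S64FLAGS and in the four prototype lines, so a single Makefile covers both platforms and a host that matches neither stops with an error instead of building with the wrong settings.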
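
Review bot: At line 94 of buildsunos the new XARCH64_i386 value adds -fast next to -xarch=amd64 and -xmodel=kernel, but the guide only justifies the latter two, and the same unexplained -fast appears in the pfil S64FLAGS at Makefile line 26. Either drop -fast from the kernel-module flags or document why it is needed. $XARCH32 is also still prepended to the 64-bit flag set on both sides of the hunk, so it is worth confirming that its contents are valid together with -xarch=amd64.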
