[Repost] IP Filter 3.4.28 for Solaris: installation and configuration

Post 1, posted 2002-08-28 22:51
[This post was last edited by 韦小宝 on 2002/10/16 10:09pm]

1. Download, unpack and install
# gunzip -cd ip_fil3.4.28.tar.gz | tar xvf -
# cd ip_fil3.4.28
# make solaris      (note: do not use GNU make for this build)
# cd SunOS5
# make package
The ipf software is installed under /opt/ipf, and an empty ipf.conf is created in /etc/opt/ipf at the same time.


2. Network layout:
DMZ: 10.0.0.0/8
PRIVATE: 172.16.0.0/24
INTERNET: provided by the ISP


3. IP Filter consists of two modules: the network address translator (NAT) and the packet filter. The first is used for masquerading (hiding internal IP addresses behind a single external IP address) and for redirecting packets between hosts and ports. The packet filter then checks whether packets already rewritten by NAT are allowed through to the network behind the firewall.
NAT and application proxies work at different layers of TCP/IP. The advantage of NAT is that it is essentially transparent to applications; the advantage of a proxy is that it can filter on content, but applications must support the proxy and be configured correctly, the system overhead is larger, and the server therefore needs a higher specification.


4. vi ipf.conf
#
# The following routes should be configured, if not already:
#
# route add 10.0.0.1 localhost 0
# route add 172.16.0.1 localhost 0
#
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
pass out on sppp0 all head 150
block out from 127.0.0.0/8 to any group 150
block out from any to 127.0.0.0/8 group 150
block out from any to 218.108.173.134/32 group 150
pass in on sppp0 all head 100
block in from 127.0.0.0/8 to any group 100
block in from 218.108.173.134/32 to any group 100
block in from 10.0.0.1/0xff000000 to any group 100
block in from 172.16.0.1/0xffff0000 to any group 100
pass out on elxl0 all head 350
block out from 127.0.0.0/8 to any group 350
block out from any to 127.0.0.0/8 group 350
block out from any to 10.0.0.1/32 group 350
pass in on elxl0 all head 300
block in from 127.0.0.0/8 to any group 300
block in from 10.0.0.1/32 to any group 300
block in from 218.108.173.134/0xffffff00 to any group 300
block in from 172.16.0.1/0xffff0000 to any group 300
pass out on elxl1 all head 450
block out from 127.0.0.0/8 to any group 450
block out from any to 127.0.0.0/8 group 450
block out from any to 172.16.0.1/32 group 450
pass in on elxl1 all head 400
block in from 127.0.0.0/8 to any group 400
block in from 172.16.0.1/32 to any group 400
block in from 218.108.173.134/0xffffff00 to any group 400
block in from 10.0.0.1/0xff000000 to any group 400



pass out quick on sppp0 proto tcp from 172.16.0.0/16 to any keep state
pass out quick on sppp0 proto udp from 172.16.0.0/16 to any keep state
pass out quick on sppp0 proto icmp from 172.16.0.0/16 to any keep state


pass in quick on sppp0 proto icmp from any to any icmp-type echorep
block in quick on sppp0 proto icmp from any to any icmp-type redir
block in quick on sppp0 proto icmp from any to any
block in quick on sppp0 proto icmp from any to any icmp-type echo
pass in from any to any
pass out from any to any

5. vi ipnat.rules
map sppp0 172.16.0.0/16 -> 0/32 proxy port ftp ftp/tcp
map sppp0 172.16.0.0/16 -> 0/32 portmap tcp/udp 10000:40000
map sppp0 172.16.0.0/16 -> 0/32

6. vi /etc/rc2.d/S66ipf
/sbin/ipnat -CF -f /etc/opt/ipf/ipnat.rules

7. vi /etc/rc2.d/S65ipfboot
#!/bin/sh
#
PIDFILE=/etc/opt/ipf/ipmon.pid

# module id of an already loaded ipf driver, and pid of a running ipmon, if any
id=`/usr/sbin/modinfo 2>&1 | awk '/ipf/ { print $1 } ' - 2>/dev/null`
if [ -f $PIDFILE ] ; then
    pid=`cat $PIDFILE 2>/dev/null`
else
    pid=`/bin/ps -e 2>&1 | awk '/ipmon/ { print $1 } ' - 2>/dev/null`
fi
PATH=${PATH}:/sbin:/opt/ipf/bin
IPFILCONF=/etc/opt/ipf/ipf.conf
IP6FILCONF=/etc/opt/ipf/ipf6.conf
IPNATCONF=/etc/opt/ipf/ipnat.conf

# If the module was built with a default policy of block, nothing can resolve
# names until the real rules are loaded; allow DNS to each nameserver first.
block_default_workaround() {
    ipf -F a
    echo "constructing minimal name resolution rules..."
    NAMESERVERS=`cat /etc/resolv.conf 2>/dev/null | \
        nawk '/nameserver/ {printf "%s ", $2}' 2>/dev/null`
    if [ -z "$NAMESERVERS" ] ; then
        return
    fi
    for NS in $NAMESERVERS ; do
        IF_TO_NS=`/usr/sbin/route -n get $NS 2>/dev/null | \
            nawk '$1 == "interface:" { print $NF ; exit }' \
            2>/dev/null`
        if [ -z "$IF_TO_NS" ] ; then
            continue
        fi
        IP_TO_NS=`ifconfig $IF_TO_NS 2>/dev/null | \
            nawk 'NR == "2" { print $2 ; exit }' 2>/dev/null`
        if [ -z "$IP_TO_NS" ] ; then
            continue
        fi
        echo "pass out quick on $IF_TO_NS proto udp from $IP_TO_NS to $NS port = 53 keep state" | \
            ipf -f -
    done
}

case "$1" in
start)
    if [ x"$pid" != x ] ; then
        kill -TERM $pid 2>/dev/null
    fi
    if [ x$id != x ] ; then
        modunload -i $id 2>/dev/null
    fi
    modload /usr/kernel/drv/ipf
    if [ -r ${IPFILCONF} ]; then
        # nawk exits 1 when the compiled-in default is "pass", so the
        # workaround only runs for a default-block build
        if /sbin/ipf -V | nawk '$1 == "Default:" && $2 == "pass" { exit 1 }' ; then
            block_default_workaround
        fi
        # load into the inactive rule set, then swap it in with -s
        ipf -IFa -f ${IPFILCONF}
        if [ $? != 0 ]; then
            echo "$0: load of ${IPFILCONF} into alternate set failed"
        else
            ipf -s
        fi
    fi
    ipf -y
    if [ -r ${IP6FILCONF} ]; then
        ipf -IFa -6f ${IP6FILCONF}
        if [ $? != 0 ]; then
            echo "$0: load of ${IP6FILCONF} into alternate set failed"
        else
            ipf -IF a
            ipf -6f ${IP6FILCONF}
        fi
    fi
    if [ -r ${IPNATCONF} ]; then
        ipnat -CF -f ${IPNATCONF}
        if [ $? != 0 ]; then
            echo "$0: load of ${IPNATCONF} failed"
        fi
    fi
    ipmon -Ds
    ;;

stop)
    if [ x"$pid" != x ] ; then
        kill -TERM $pid
    fi
    if [ x$id != x ] ; then
        modunload -i $id
    fi
    ;;

reload)
    if [ -r ${IPFILCONF} ]; then
        ipf -I -Fa -f ${IPFILCONF}
        if [ $? != 0 ]; then
            echo "$0: reload of ${IPFILCONF} into alternate set failed"
        else
            ipf -s
        fi
    fi
    if [ -r ${IPNATCONF} ]; then
        ipnat -CF -f ${IPNATCONF}
        if [ $? != 0 ]; then
            echo "$0: reload of ${IPNATCONF} failed"
        fi
    fi
    ;;

reipf)
    if [ -r ${IPFILCONF} ]; then
        ipf -I -Fa -f ${IPFILCONF}
        if [ $? != 0 ]; then
            echo "$0: reload of ${IPFILCONF} into alternate set failed"
        else
            ipf -s
        fi
    fi
    ;;
*)
    echo "Usage: $0 (start|stop|reload|reipf)" >&2
    exit 1
    ;;

esac
exit 0
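The ipf.conf in step 4 mixes `quick` rules, `head`/`group` rules and a trailing `pass in from any to any`. The following is an added example, not code from the post or from IP Filter, that models how ipf evaluates such a file: rules run in order, the last match decides unless the rule says `quick`, and a matching `head N` rule runs the rules of group N before processing continues after the head. It parses the hex netmask syntax used in the post (`10.0.0.1/0xff000000`) and only the keywords that appear in the file (`keep state` and `log` are accepted but not modelled; nested groups are not modelled). The rule excerpt and the sample packets and addresses are constructed. Feeding it an inbound TCP packet with a 10.0.0.0/8 source on sppp0 shows the check worth running on any ruleset of this shape: the non-quick `block ... group 100` anti-spoofing rules are overridden by the trailing non-quick `pass in from any to any`, and only become effective once they carry `quick` (`harden_group_blocks` does that for comparison).

```python
import ipaddress

# Constructed excerpt of the ipf.conf above (the sppp0 inbound group and the
# trailing rules, in the post's order); blank and '#' lines are skipped.
SAMPLE_CONF = """\
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
pass in on sppp0 all head 100
block in from 127.0.0.0/8 to any group 100
block in from 218.108.173.134/32 to any group 100
block in from 10.0.0.1/0xff000000 to any group 100
block in from 172.16.0.1/0xffff0000 to any group 100
pass out quick on sppp0 proto tcp from 172.16.0.0/16 to any keep state
pass in quick on sppp0 proto icmp from any to any icmp-type echorep
block in quick on sppp0 proto icmp from any to any
pass in from any to any
pass out from any to any
"""

# keywords that take one argument, and the rule field they fill
KEYED = {"on": "iface", "proto": "proto", "with": "with",
         "icmp-type": "icmp_type", "head": "head", "group": "group"}

def parse_addr(spec):
    """'any' -> None; a.b.c.d[/n | /0xHEXMASK] -> IPv4Network (hex masks are ipf syntax)."""
    if spec == "any":
        return None
    addr, _, mask = spec.partition("/")
    if mask.startswith("0x"):
        mask = str(ipaddress.IPv4Address(int(mask, 16)))  # 0xff000000 -> 255.0.0.0
    return ipaddress.IPv4Network(f"{addr}/{mask or 32}", strict=False)

def parse_rule(line):
    t = line.split()
    r = dict.fromkeys(("iface", "proto", "src", "dst", "with", "icmp_type", "head", "group"))
    r.update(text=line, action=t[0], dir=t[1], quick=False)
    i = 2
    while i < len(t):
        w = t[i]
        if w in ("log", "all"):
            i += 1
        elif w == "quick":
            r["quick"], i = True, i + 1
        elif w == "keep":                   # 'keep state': state table not modelled
            i += 2
        elif w in KEYED:
            r[KEYED[w]], i = t[i + 1], i + 2
        elif w in ("from", "to"):
            r["src" if w == "from" else "dst"], i = parse_addr(t[i + 1]), i + 2
        else:
            raise ValueError(f"unsupported keyword {w!r} in {line!r}")
    return r

def load(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def matches(r, p):
    """Does rule r apply to packet p (dict: dir, iface, proto, src, dst, optional flags)?"""
    if r["dir"] != p["dir"] or (r["iface"] and r["iface"] != p["iface"]):
        return False
    if r["proto"] and r["proto"] != p["proto"]:
        return False
    for side in ("src", "dst"):
        if r[side] and ipaddress.IPv4Address(p[side]) not in r[side]:
            return False
    if r["with"] and not p.get(r["with"], False):     # 'with ipopts' / 'with short'
        return False
    return not r["icmp_type"] or p.get("icmp_type") == r["icmp_type"]

def evaluate(rules, p, default="pass"):
    """Modelled ipf semantics: rules run in order and the last match decides unless
    it says 'quick'; a matching 'head N' rule runs group N's rules, then processing
    continues after the head. Returns (verdict, texts of the rules that matched)."""
    groups = {}
    for r in rules:
        if r["group"] is not None:
            groups.setdefault(r["group"], []).append(r)
    verdict, trace = default, []
    for r in rules:
        if r["group"] is not None or not matches(r, p):
            continue
        verdict = r["action"]
        trace.append(r["text"])
        if r["quick"]:
            return verdict, trace
        for g in groups.get(r["head"], []):
            if matches(g, p):
                verdict = g["action"]
                trace.append(g["text"])
                if g["quick"]:
                    return verdict, trace
    return verdict, trace

def harden_group_blocks(rules):
    """The same rules with every 'block ... group N' made quick, so a later
    non-quick 'pass' cannot override it."""
    return [dict(r, quick=True) if r["action"] == "block" and r["group"] else r
            for r in rules]

if __name__ == "__main__":
    rules = load(SAMPLE_CONF)
    spoofed = {"dir": "in", "iface": "sppp0", "proto": "tcp",      # constructed packet
               "src": "10.0.0.5", "dst": "218.108.173.134"}
    print(evaluate(rules, spoofed))                         # verdict 'pass': group block overridden
    print(evaluate(harden_group_blocks(rules), spoofed))    # verdict 'block'
```

The returned trace lists every rule that matched, in order, which is the quickest way to see why the verdict came out as it did; `ipftest` in the IP Filter distribution answers the same question against the real implementation.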

Reply 2, posted 2002-08-28 23:31

Good stuff. I'm saving this!

Reply 3, posted 2002-08-29 08:58

Why didn't you post this earlier!

Reply 4, posted 2002-08-29 09:16

Damn it, didn't you look at the post date? It's still steaming hot.

Reply 5, posted 2002-08-29 09:26

O

Reply 6, posted 2002-09-11 17:53

I searched for her a thousand times in the crowd; turning back all at once, there she was, where the lanterns burned low.

Reply 7, posted 2002-09-11 18:39

Saving this first.

Reply 8, posted 2002-10-16 17:06

//ft And people are still cheering this on? The further down I read, the more familiar it looked; on closer inspection it was lifted in large chunks from Mr. Wang Bo's 《FreeBSD使用大全》 (The Complete FreeBSD Guide), and where he did change something, he got it wrong.

For example, the original text:
map fxp1 192.168.3.0/24 -> 202.102.245.0/26

Obviously the number of internal machines is greater than the number of legitimate addresses the system owns: in the example above there are at most 254 internal addresses while there are only 62 legitimate external addresses, so once enough machines connect outward, the address pool is bound to run out. Therefore dynamic IP allocation is usually combined with port translation to avoid exhausting the addresses.

He changed it here to:
map sppp0 172.16.0.0/16 -> 202.102.245.0/26
Obviously the number of internal machines is greater than the number of legitimate addresses the system owns: in the example above there are at most 254 internal addresses (2^8 - 2) while there are only 62 legitimate external addresses (2^6 - 2), so once enough machines connect outward, the address pool is bound to run out. Therefore dynamic IP allocation is usually combined with port translation to avoid exhausting the addresses.

172.16.0.0/16 obviously has far more than 254 addresses!
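The pool-sizing point made in this reply is easy to check mechanically. The following is an added example, not code from the post or from the book it quotes, that parses ipnat `map` rules, counts inside hosts and pool addresses the way the reply does (2^(32-n) - 2), and reports how many concurrent translations each rule can offer under that counting model: one pool address per active inside host without `portmap`, one source port per mapping with it. Rules whose inside range exceeds that capacity are flagged, which is the exhaustion problem the reply describes. The rule text is constructed from the rules quoted in this thread; ipnat's `0/32` (the interface's own address) is treated as a single address, and the `proxy port` form is recognised but otherwise counted like a plain map.

```python
import ipaddress
import re

# Constructed rule text: the three map rules from the post plus the book's
# original /24 -> /26 example quoted in the reply above.
SAMPLE_RULES = """\
map sppp0 172.16.0.0/16 -> 0/32 proxy port ftp ftp/tcp
map sppp0 172.16.0.0/16 -> 0/32 portmap tcp/udp 10000:40000
map sppp0 172.16.0.0/16 -> 0/32
map fxp1 192.168.3.0/24 -> 202.102.245.0/26
"""

# 'map IFACE SRC -> DST [proxy port NAME ...] [portmap PROTO LO:HI]'
RULE_RE = re.compile(
    r"^map\s+(?P<iface>\S+)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)"
    r"(?:\s+proxy\s+port\s+(?P<proxy>\S+))?"
    r"(?:\s+portmap\s+(?P<pm_proto>\S+)\s+(?P<lo>\d+):(?P<hi>\d+))?"
)

def parse_block(spec):
    """'a.b.c.d/n' -> IPv4Network; ipnat's '0/32' (the interface's own address)
    is treated as one placeholder address."""
    addr, _, length = spec.partition("/")
    if addr == "0":
        addr = "0.0.0.0"
    return ipaddress.IPv4Network(f"{addr}/{length or 32}", strict=False)

def usable_hosts(spec):
    """Addresses in the block counted the way the reply does: 2^(32-n) - 2 for
    the network and broadcast addresses; /31 and /32 are counted as they are."""
    n = parse_block(spec).num_addresses
    return n - 2 if n > 2 else n

def analyse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ipnat rule: {line!r}")
    inside = usable_hosts(m["src"])
    pool = usable_hosts(m["dst"])
    if m["pm_proto"]:
        # with portmap each pool address offers one source port per mapping
        ports = int(m["hi"]) - int(m["lo"]) + 1
        capacity = pool * ports
        mode = f"portmap {m['pm_proto']} {m['lo']}:{m['hi']}"
    else:
        # the reply's model without portmap: one pool address per active inside host
        capacity = pool
        mode = f"proxy port {m['proxy']}" if m["proxy"] else "no portmap"
    return {"iface": m["iface"], "inside_hosts": inside, "pool_addrs": pool,
            "mode": mode, "capacity": capacity, "exhaustion_risk": inside > capacity}

def analyse(text):
    return [analyse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

if __name__ == "__main__":
    for r in analyse(SAMPLE_RULES):
        flag = "RISK" if r["exhaustion_risk"] else "ok"
        print(f"{flag:4} {r['iface']}: {r['inside_hosts']} inside hosts, pool "
              f"{r['pool_addrs']} ({r['mode']}), up to {r['capacity']} concurrent mappings")
```

Run against the four rules, every one is flagged: a /16 behind a single address with no `portmap` has a capacity of one, the `portmap` rule raises it to 30001 concurrent mappings (one per port in 10000:40000), and the book's /24 behind a /26 gives exactly the 254-versus-62 figures the reply quotes.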

Reply 9, posted 2003-03-09 07:35

Hi all,

My ipfilter install failed...

Here it is... What's the problem??

# ls
ip-fil3.4.31.tar  ip_fil3.4.31      SUNWebnfs         SUNWits
# cd ip_fi*
# ls
4bsd              INSTALL.FreeBSD   IPF.KANJI         mln_ipl.c
BNF               INSTALL.IRIX      IPFILTER.LICENCE  mls_ipl.c
bpf.h             INSTALL.Linux     ipfs.c            NAT.FreeBSD
BSD               INSTALL.NetBSD    ipft_ef.c         natparse.c
bsdinstall        INSTALL.Sol2      ipft_hx.c         NetBSD
BSDOS             INSTALL.SunOS     ipft_pc.c         NetBSD-1.2
BSDOS3            INSTALL.xBSD      ipft_sn.c         netinet
BSDOS4            ip_auth.c         ipft_td.c         OpenBSD-2
BugReport         ip_auth.h         ipft_tx.c         OpenBSD-3
buildlinux        ip_compat.h       ipl.h             opt.c
buildsunos        ip_fil.c          iplang            parse.c
common.c          ip_fil.h          ipmon.c           pcap.h
COMPILE.2.5       ip_frag.c         ipnat.c           perl
COMPILE.Solaris2  ip_frag.h         ipsd              printnat.c
etc               ip_ftp_pxy.c      ipsend            printstate.c
facpri.c          ip_h323_pxy.c     ipt.c             QNX_OCL.txt
facpri.h          ip_ipsec_pxy.c    ipt.h             README
FAQ.FreeBSD       ip_lfil.c         IRIX              relay.c
fil.c             ip_log.c          kmem.c            rules
fils.c            ip_nat.c          kmem.h            samples
FreeBSD           ip_nat.h          l4check           snoop.h
FreeBSD-2.2       ip_netbios_pxy.c  Linux             solaris.c
FreeBSD-3         ip_proxy.c        linux.h           SunOS4
FreeBSD-4.0       ip_proxy.h        Makefile          SunOS5
FWTK              ip_raudio_pxy.c   man               test
HISTORY           ip_rcmd_pxy.c     misc.c            todo
IMPORTANT         ip_sfil.c         mkfilters         UPGRADE_NOTICE
inet_addr.c       ip_state.c        ml_ipl.c          Y2K
INST.FreeBSD-2.2  ip_state.h        mlf_ipl.c
INSTALL.BSDOS     ipf.c             mlfk_ipl.c
INSTALL.BSDOS3    ipf.h             mli_ipl.c
# cd SunOS5
# ls
copyright        Makefile.ipsend  preremove        solinstall
ipf.conf         pkginfo          prototype        system
ipfboot          postinstall      prototype32      uninstall
Makefile         postremove       prototype64
# /usr/ccs/bin/make package
if [ "`uname -p`-`uname -r`" = "" ] ; then \
        $x="`uname -p`-`uname -r`"; \
        /usr/ccs/bin/make "CPUDIR=$x" package; \
else \
        /usr/ccs/bin/make "CPUDIR=`uname -p`-`uname -r`" makepackage; \
fi
mkdir -p i386-5.8/root/usr/include/netinet i386-5.8/root/opt/ipf/examples i386-5.8/root/usr/kernel/drv
mkdir -p i386-5.8/root/etc/init.d /tmp/ipfpkgs
mkdir -p i386-5.8/root/opt/ipf/man/man1 i386-5.8/root/opt/ipf/man/man4 i386-5.8/root/opt/ipf/man/man5 i386-5.8/root/opt/ipf/man/man8
../bsdinstall -c ipfboot i386-5.8/root/etc/init.d
cp ../man/*.[0-9] .
../bsdinstall -c ipf.conf i386-5.8/root/usr/kernel/drv
../bsdinstall ipf.8 i386-5.8/root/opt/ipf/man/man8
../bsdinstall ipfs.8 i386-5.8/root/opt/ipf/man/man8
../bsdinstall ipnat.8 i386-5.8/root/opt/ipf/man/man8
../bsdinstall ipftest.1 i386-5.8/root/opt/ipf/man/man1
../bsdinstall mkfilters.1 i386-5.8/root/opt/ipf/man/man1
../bsdinstall ipf.4 i386-5.8/root/opt/ipf/man/man4
../bsdinstall ipnat.4 i386-5.8/root/opt/ipf/man/man4
../bsdinstall ipl.4 i386-5.8/root/opt/ipf/man/man4
../bsdinstall ipf.5 i386-5.8/root/opt/ipf/man/man5
../bsdinstall ipnat.5 i386-5.8/root/opt/ipf/man/man5
../bsdinstall ipfilter.5 i386-5.8/root/opt/ipf/man/man5
../bsdinstall ipfstat.8 i386-5.8/root/opt/ipf/man/man8
../bsdinstall ipmon.8 i386-5.8/root/opt/ipf/man/man8
cp ../rules/* i386-5.8/root/opt/ipf/examples
cp ../ip_fil.h ../ip_compat.h ../ip_state.h .
cp ../ip_nat.h ../ip_frag.h ../ip_proxy.h .
cp ../ip_auth.h .
../bsdinstall ip_fil.h i386-5.8/root/usr/include/netinet
../bsdinstall ip_compat.h i386-5.8/root/usr/include/netinet
../bsdinstall ip_state.h i386-5.8/root/usr/include/netinet
../bsdinstall ip_nat.h i386-5.8/root/usr/include/netinet
../bsdinstall ip_frag.h i386-5.8/root/usr/include/netinet
../bsdinstall ip_proxy.h i386-5.8/root/usr/include/netinet
../bsdinstall ip_auth.h i386-5.8/root/usr/include/netinet
touch i386-5.8/ipf.pkg.common
if [ -d i386-5.8/sparcv7 ]; then \
    /usr/ccs/bin/make CPUDIR=i386-5.8 PROTO=prototype32 PKG=ipf OBJ=sparcv7 \
        BITS=32 i386-5.8/ipf.pkg.bin; \
    /usr/ccs/bin/make CPUDIR=i386-5.8 PROTO=prototype64 PKG=ipfx OBJ=sparcv9 \
        BITS=64 i386-5.8/ipf.pkg.bin; \
else \
    /usr/ccs/bin/make CPUDIR=i386-5.8 OBJ=. BITS=32 i386-5.8/ipf.pkg.bin;\
fi
mkdir -p i386-5.8/root/opt/ipf/bin/. i386-5.8/root//sbin/. i386-5.8/root/usr/kernel/drv/.
../bsdinstall -c -s i386-5.8/./ipftest i386-5.8/root/opt/ipf/bin/./ipftest
install: can't open i386-5.8/./ipftest
*** Error code 1 (ignored)
../bsdinstall -c -s i386-5.8/./ipmon i386-5.8/root/opt/ipf/bin/./ipmon
install: can't open i386-5.8/./ipmon
*** Error code 1 (ignored)
../bsdinstall -c -s i386-5.8/./ipsend i386-5.8/root/opt/ipf/bin/./ipsend
install: can't open i386-5.8/./ipsend
*** Error code 1 (ignored)
../bsdinstall -c -s i386-5.8/./ipresend i386-5.8/root/opt/ipf/bin/./ipresend
install: can't open i386-5.8/./ipresend
*** Error code 1 (ignored)
../bsdinstall -c ../mkfilters i386-5.8/root/opt/ipf/bin/./mkfilters
../bsdinstall -c i386-5.8/./ipf i386-5.8/root/usr/kernel/drv/./ipf
install: can't open i386-5.8/./ipf
*** Error code 1 (ignored)
../bsdinstall -c -s i386-5.8/./ipnat i386-5.8/root//sbin/./ipnat
install: can't open i386-5.8/./ipnat
*** Error code 1 (ignored)
../bsdinstall -c -s i386-5.8/./ipf.exe i386-5.8/root//sbin/./ipf
install: can't open i386-5.8/./ipf.exe
*** Error code 1 (ignored)
../bsdinstall -c -s i386-5.8/./ipfs i386-5.8/root//sbin/./ipfs
install: can't open i386-5.8/./ipfs
*** Error code 1 (ignored)
../bsdinstall -c -s i386-5.8/./ipfstat i386-5.8/root//sbin/./ipfstat
install: can't open i386-5.8/./ipfstat
*** Error code 1 (ignored)
#-(cd i386-5.8; rm -f copyright post* prototype pkginfo)
(cd i386-5.8; rm -f prototype)
#-(cd i386-5.8; ln -s ../copyright ../postinstall ../postremove .)
(cd i386-5.8; ln -s ../prototype prototype)
sed -e 's/ipf/ipf/' -e "s/NAME=.*/&`if [ "32" = 64 ];then echo ' (64-bit)'; fi`/" \
     -e "s/ARCH=.*/ARCH=`uname -p` (32-bit)/" \
        < pkginfo > i386-5.8/pkginfo
if [ "32" = 64 ]; then echo 'SUNW_ISA=sparcv9' >> i386-5.8/pkginfo; fi
(cd i386-5.8; pkgmk -a `uname -p` -o -d /tmp/ipfpkgs)
## Building pkgmap from package prototype file.
ERROR in prototype:
    no object for </opt/ipf/bin/ipftest> found in local path
    no object for </opt/ipf/bin/ipmon> found in local path
    no object for </opt/ipf/bin/ipsend> found in local path
    no object for </opt/ipf/bin/ipresend> found in local path
    no object for </usr/kernel/drv/ipf> found in local path
    no object for </sbin/ipfs> found in local path
    no object for </sbin/ipfstat> found in local path
    no object for </sbin/ipf> found in local path
    no object for </sbin/ipnat> found in local path
pkgmk: ERROR: unable to build pkgmap from prototype file
## Packaging was not successful.
*** Error code 1
make: Fatal error: Command failed for target `i386-5.8/ipf.pkg.bin'
Current working directory /opt/ip_fil3.4.31/SunOS5
*** Error code 1
make: Fatal error: Command failed for target `i386-5.8/ipf.pkg'
Current working directory /opt/ip_fil3.4.31/SunOS5
*** Error code 1
make: Fatal error: Command failed for target `package'
#