This is a discussion on RE: IPFilter 4.1 within the IPFilter forums, part of the System Security and Security Related category.
Darren,

There are problems compiling pfil2.1 on Solaris 9 with GCC. See below:-

Regards,
Adam

make package
i=`uname -s`; case $i in HP-UX) make hpux;; *) make $i;; esac
/bin/cp Makefile SunOS
make SunOS`optisa sparcv9 >/dev/null 2>&1; if [ $? -eq 0 ] ; then echo "64"; else echo "32"; fi`
(cd SunOS; make pfil "BITS=32" OS=solaris DO=pfil "ADEF=-I.. -I. -D_KERNEL -DSUNDDI -DSOLARIS2="`uname -r | sed -e 's/[0-9]*\.\([0-9]*\).*/\1/'`" -DPFILDEBUG")
gcc -I.. -I. -D_KERNEL -DSUNDDI -DSOLARIS2=9 -DPFILDEBUG -c ../pfil.c -o pfil.o
gcc -I.. -I. -D_KERNEL -DSUNDDI -DSOLARIS2=9 -DPFILDEBUG -c qif.c -o qif.o
gcc -I.. -I. -D_KERNEL -DSUNDDI -DSOLARIS2=9 -DPFILDEBUG -c pfildrv.c -o pfildrv.o
gcc -I.. -I. -D_KERNEL -DSUNDDI -DSOLARIS2=9 -DPFILDEBUG -c ../pfilstream.c -o pfilstream.o
gcc -I.. -I. -D_KERNEL -DSUNDDI -DSOLARIS2=9 -DPFILDEBUG -c pkt.c -o pkt.o
gcc -I.. -I. -D_KERNEL -DSUNDDI -DSOLARIS2=9 -DPFILDEBUG -c ../misc.c -o misc.o
gcc -I.. -I. -D_KERNEL -DSUNDDI -DSOLARIS2=9 -DPFILDEBUG -c ../ndd.c -o ndd.o
ld -r pfil.o qif.o pfildrv.o pfilstream.o pkt.o misc.o ndd.o -o pfil32
/bin/rm -f SunOS/*.o
(cd SunOS; make pfil`optisa sparcv9 >/dev/null 2>&1; if [ $? -eq 0 ] ; then echo "64"; else echo "32"; fi` "BITS=64" OS=solaris DO=pfil64 "ADEF=-I.. -I. -D_KERNEL -DSUNDDI -DSOLARIS2="`uname -r | sed -e 's/[0-9]*\.\([0-9]*\).*/\1/'`" -DPFILDEBUG -xildoff -xarch=v9 -xchip=ultra -dalign -xcode=abs32 -DDO=pfil`optisa sparcv9 >/dev/null 2>&1; if [ $? -eq 0 ] ; then echo "64"; else echo "32"; fi`")
gcc -I.. -I. -D_KERNEL -DSUNDDI -DSOLARIS2=9 -DPFILDEBUG -xildoff -xarch=v9 -xchip=ultra -dalign -xcode=abs32 -DDO=pfil64 -c ../pfil.c -o pfil.o
gcc: language code=abs32 not recognized
gcc: ../pfil.c: linker input file unused because linking not done
gcc -I.. -I. -D_KERNEL -DSUNDDI -DSOLARIS2=9 -DPFILDEBUG -xildoff -xarch=v9 -xchip=ultra -dalign -xcode=abs32 -DDO=pfil64 -c qif.c -o qif.o
gcc: language code=abs32 not recognized
gcc: qif.c: linker input file unused because linking not done
gcc -I.. -I. -D_KERNEL -DSUNDDI -DSOLARIS2=9 -DPFILDEBUG -xildoff -xarch=v9 -xchip=ultra -dalign -xcode=abs32 -DDO=pfil64 -c pfildrv.c -o pfildrv.o
gcc: language code=abs32 not recognized
gcc: pfildrv.c: linker input file unused because linking not done
gcc -I.. -I. -D_KERNEL -DSUNDDI -DSOLARIS2=9 -DPFILDEBUG -xildoff -xarch=v9 -xchip=ultra -dalign -xcode=abs32 -DDO=pfil64 -c ../pfilstream.c -o pfilstream.o
gcc: language code=abs32 not recognized
gcc: ../pfilstream.c: linker input file unused because linking not done
gcc -I.. -I. -D_KERNEL -DSUNDDI -DSOLARIS2=9 -DPFILDEBUG -xildoff -xarch=v9 -xchip=ultra -dalign -xcode=abs32 -DDO=pfil64 -c pkt.c -o pkt.o
gcc: language code=abs32 not recognized
gcc: pkt.c: linker input file unused because linking not done
gcc -I.. -I. -D_KERNEL -DSUNDDI -DSOLARIS2=9 -DPFILDEBUG -xildoff -xarch=v9 -xchip=ultra -dalign -xcode=abs32 -DDO=pfil64 -c ../misc.c -o misc.o
gcc: language code=abs32 not recognized
gcc: ../misc.c: linker input file unused because linking not done
gcc -I.. -I. -D_KERNEL -DSUNDDI -DSOLARIS2=9 -DPFILDEBUG -xildoff -xarch=v9 -xchip=ultra -dalign -xcode=abs32 -DDO=pfil64 -c ../ndd.c -o ndd.o
gcc: language code=abs32 not recognized
gcc: ../ndd.c: linker input file unused because linking not done
ld -r pfil.o qif.o pfildrv.o pfilstream.o pkt.o misc.o ndd.o -o pfil64
ld: fatal: file pfil.o: open failed: No such file or directory
*** Error code 1
make: Fatal error: Command failed for target `pfil64'
Current working directory /export/home/adams/pfil/SunOS
*** Error code 1
make: Fatal error: Command failed for target `SunOS64'
Current working directory /export/home/adams/pfil
*** Error code 1 (ignored)
(cd `uname -s`; make package-`uname -s`)
gcc -c ../pfil.c -o pfil.o
In file included from ../pfil.c:53:
.../compat.h:10:16: os.h: No such file or directory
.../pfil.c: In function `pfil_list_add':
.../pfil.c:226: error: parse error before "struct"
*** Error code 1
make: Fatal error: Command failed for target `pfil.o'
Current working directory /export/home/adams/pfil/SunOS
*** Error code 1
make: Fatal error: Command failed for target `package'

-----Original Message-----
From: owner-ipfilter@coombs.anu.edu.au [mailto:owner-ipfilter@coombs.anu.edu.au] On Behalf Of Darren Reed
Sent: Thursday, 12 February 2004 4:42 PM
To: ipfilter@coombs.anu.edu.au
Subject: IPFilter 4.1

Finally I've reached a point where I think I'm happy enough with the "ipf4" code to try my hand at making it a major release. And yes, there's been no "beta" for a while so I'm taking a big gamble in some ways :)

To see how extensively it has been tested, please read:
http://coombs.anu.edu.au/~avalon/ipfilter-status.html

I will point out here that I've been unable to upgrade from FreeBSD 5.1 to 5.2 because vmware panics while booting from the ISO image file.

People using Solaris & HP-UX should read this before starting:
http://coombs.anu.edu.au/~avalon/ipf-mentat.html

Download from:
--------------
http://coombs.anu.edu.au/~avalon/ip_fil4.1.tar.gz

Upgrades for BSDs
-----------------
This will occur in time. My plan is for both FreeBSD & NetBSD to move from 3.4.whatever to 4.1.something.

Future for IPFilter 3.4.x
-------------------------
Will remain patched for stability only. One primary driver here is that there are currently NICs that this version can filter on Solaris that 4.1 cannot.

Details on new features
-----------------------
Over the coming weeks, I'll write up on a web page detailing in more depth how each of the new features work. The man pages are also most likely in need of extra work...but who likes documentation ? O:-)

Darren

What's new in IPFilter 4.1
==========================
(Well, compared to 3.*, anyway)

In no particular order, except headline alphabetical:

Administration:
- Run-time support for modifying ipf table size parameters.
- Run-time support for tuning other ipfilter parameters.

Content Scanning:
- Simple matching of content for TCP session startup.

Firewall Synchronising:
- Master/slave programs available.

General:
- All input files allow simple 'macro' definitions and expansion, including nesting.
- Code has been rototilled to make maintenance and enhancements easier for me and you.
- More configuration files and binaries.
- Takes up more memory.
- Probably slower.
- Versioned API to support changes in the ABI without breaking existing binaries (4.0 onward only.)
- IP-Filter framework in place for handling multiple different types of packet matching for firewalling.
- IP Id number rewriting available.
- Verification of checksums for recognised packet types.
- Optionally enable/disable IP forwarding when enabled/disabled.

IPF:
- BPF syntax available for matching packets in ipf rules (1).
- Can convert IPv4 ipf rules into C code and either:
  * load them as an LKM or;
  * compile them statically into the kernel (where possible.)
- Address pools allow for simpler rules covering large numbers of addresses/networks (IPv4 only).
- Lookup functions available to map an IPv4 address to a group.
- Groups can be referenced by multiple heads for subroutine-like use.
- NAT/ipf rules can refer to each other via a tag, creating an implied join that forms part of the packet matching.
- Extra packet attributes available for filter rules:
  * source address/routing interface mismatch;
  * multicast (3);
  * broadcast (2,3);
  * state lookup partially failed;
  * out of the TCP window for a state connection;
  * NAT lookup partially failed.
- PPS (packets per second) matching available for ipf rules.
- Rule collections (cf FreeBSD numbering) supported for ipf rules.
- Groups can now be names rather than just numbers

IPV6:
- understands extension headers.
- can filter on extension headers.

Logging:
- ipmon now comes with a configuration file for more advanced logging behaviour.
- Can append arbitrary logging tags with ipf rules for easy matching.

NAT:
- "sticky" mapping available to ensure an address translation on a per-address basis is always the same (while known) for a set IP address.

Operating System Support:
- HP-UX 11 added.
- Tru64 5.1a added.
- Solaris/HP-UX now use pfil STREAMS module.
- Linux 2.4 on the way.

Proxies:
- PPTP proxy added.
- IRC proxy added.
- RPCBIND proxy added.
- FTP proxy support for EPSV (IPv4 only.)

Stateful Inspection:
- Can insist that all TCP data arrives in order.
- Can insist that all fragments pass through in order.
- The number of states created per-rule can be set where the total across all rules may exceed the maximum allowed.
- Can elect not to automatically match ICMP error packets.
- TCP sequence number rewriting supported.

(1) - Requires libpcap for rule parsing
(2) - On Solaris/HP-UX, broadcast packets are seen as multicast packets.
(3) - Not supported on SunOS4