Firewall-NAT with IPFilter

From Nekochan
Jump to: navigation, search

This page describes how to configure IPFilter to run on an IRIX machine. One application discussed is for a dual-interfaced IRIX machine to act as a gateway with NAT (Network Address Translation) capabilities---such as a small private network sharing a single common external interface via an IRIX gateway. Alternately, IPFIlter could also be used on a single-interface IRIX workstation that requires a simple firewall to block all ports except a select few.

IRIX as a Router

Chapter 3 of SGI's IRIX documentation, IRIX Admin: Networking and Mail, describes a very simple process of turning an IRIX machine with multiple ethernet interfaces into a router. A summary of the steps are:

  • Enable the 2nd interface (by modifying /etc/config/netif.options) and name it gate-<1st interface name>
  • Reconfigure the kernel and restart the system

Supposedly, IRIX will auto-magically start routing packets for you. What is not discussed is the following:

  • Is the routed daemon running?
chkconfig routed on|off
  • Should I be using the gated daemon instead?
chkconfig gated on|off
  • Should I enable IP Forwarding? (Software Manager->Network and Connectivity->Configure Interface)

Unfortunately, those questions will remain unanswered here because routing alone is insufficient for a "Firewall" without filtering or a "Gateway" without address translation (NAT).

Why NAT?

While the above configuration is sufficient to route packets between two networks, it doesn't provide any filtering protection or anything to help the private network machines communicate with the web in a "transparent" manner. Specifically, in the case where the IRIX gateway is the only system with a public IP address, and the private network machines are all in the unroutable range (e.g. 192.168.x.x, 172.16.x.x or 10.0.x.x) then the replies have no way of getting back to the systems behind the firewall.

What NAT does is "masquerades" the private network machines as the gateway's IP address so that to the rest of the world all queries appear to originate from the gateway and all replies are returned to the gateway. The NAT software on the IRIX gateway is responsible for keeping track of getting the responses back to the proper source on the hidden network.

Linux has some built-in facility for this called IP Masquerading that call be enabled via commands similar to

/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
/sbin/iptables --append FORWARD --in-interface eth1 -j ACCEPT
/sbin/route add  -net  netmask <public IP addr> dev eth1

IRIX does not have native NAT capabilities, so we need to install an additional software package (e.g. IPFilter).


IPFilter is an established open source software package written and maintained by Darren Reed under a modified BSD style license. Source code is available from the project's homepage. It claims to have been tested and run under IRIX 6.2 and 6.5 (loadable kernel module), however, there have reportedly been problems with compiling the latest version (4.1). It provides both filtering and NAT functionality.

SGI once made available a precompiled and patched version of the software on their (now defunct) Cool Software site. This packaged version was compiled against the 6.5.16 IRIX kernel, but is known to work with some caveats on systems running 6.5.30. The package installs itself under the product name ipfilter and should not be confused with the older kernel module ipfilterd which is a part of the eoe.sw.ipgate software subsystem. In fact, IPFilter and ipfilterd are mutually exclusive. There is even a terse but useful SGI Tech Pub document, IRIX Admin: IPFilter Firewall User's Guide, that explains some of the (intended) IRIX implimentation details. Like so many other SGI/IRIX efforts of the new millennium, this one too appears to have been abortive.


Fortunately, through our patron's wisdom and charity, the SGI package has been mirrored on the community FTP site, here:


The installation of the precompiled binary package is simple and straight-forward using either the Software Manager or inst. In the case of inst, it's a simple command:

 inst -f /path/to/6.5.16_ipfilter_3.4.27.tardist

The install components of the software base subsystem (ipfilter.sw.base) include:

f 24676     1 ipfilter.sw.base      c etc/config/ipfilter
f 41041     1 ipfilter.sw.base      c etc/config/ipfilter.options
f 24675     1 ipfilter.sw.base      c etc/config/ipmon.options
f 24643     1 ipfilter.sw.base      c etc/config/ipnat.options
f 51944     5 ipfilter.sw.base        etc/init.d/ipf
f 19158     2 ipfilter.sw.base      c etc/ipf.conf
f 40955     1 ipfilter.sw.base      c etc/ipnat.conf
l     0     0 ipfilter.sw.base        etc/rc2.d/S33ipf
f 38138   131 ipfilter.sw.base      m sbin/ipf
f 21023    46 ipfilter.sw.base      m sbin/ipfs
f 22340   281 ipfilter.sw.base      m sbin/ipfstat
f 13553    87 ipfilter.sw.base      m sbin/ipmon
f 64991   230 ipfilter.sw.base      m sbin/ipnat
f 21372    43 ipfilter.sw.base        usr/include/netinet/ipfil.h
f 18548    18 ipfilter.sw.base        usr/include/netinet/ipnat.h
f 33309   361 ipfilter.sw.base      m usr/ipfilter/bin/ipftest
f 30230    91 ipfilter.sw.base      m usr/ipfilter/bin/ipresend
f 59158   217 ipfilter.sw.base      m usr/ipfilter/bin/ipsend
f 13573     6 ipfilter.sw.base        usr/ipfilter/bin/mkfilters
d     0     0 ipfilter.sw.base        var/db/ipf
f 60660   493 ipfilter.sw.base      m var/sysgen/boot/ipf.o
f  3341     1 ipfilter.sw.base        var/sysgen/master.d/ipf
f 46163     1 ipfilter.sw.base        var/sysgen/system/

Note that the ipfilter filter executable utilities (e.g. mkfilters) reside in a subdirectory /usr/ipfilter/bin, that will not normally be in your path.


IPFilter is a sophisticated tool and configuring it properly requires some effort with a small learning curve. Fortunately, there is an excellently written HowTo tutorial available for download in addition to other documentation. We'll cover here a few simple configuration cases that will get a new user started.

The files that control the particulars of your installation are


where the first two being the ones you will almost certainly want to change.


After the package is installed you need configure the system to active it at start-up (reboot).

chkconfig ipfilterd off
chkconfig ipfilter on

Note that the first command disables the conflicting ipfilterd daemon if it is enabled on your system (default is off). The ipfilter daemon will not have started yet, but you can manually invoke it as root using the start-up script

/etc/init.d/ipf start|stop|reload

If ipfilterd was already running on your system, a reboot is probably required to fully deactivate it.


Below, example configuration files are given for two common applications of IPFIlter.

Simple Firewall

This example exercises IPFilter's filtering capability to provide a simple firewall for a machine with a single interface (ef0). The reason for installing the IPFilter package--even on a stand-alone workstation--is to protect the host against intrusions from your neighborhood. We are trying to block all ports which aren't needed because, after a IRIX default installation, a lot of services are running which are reachable over the Network.

The following example of a configuration file (/etc/ipf.conf) show also how to create some rules to let other machines access some of our services like SSH or HTTP(s). Rules process from the top down, with subsequent rule matches overriding the previous. If a rule contains the keyword "quick" processing terminates as soon as the rule's criteria is met.

#Handling the loopbackdevice
pass out quick on lo0
pass in  quick on lo0

#Block known "black hats"
block in quick on ef0 from   to any
block in quick on ef0 from  to any
block in quick on ef0 from to any

#Manage the Connection to the internet (all keep state)
pass out quick on ef0 proto tcp  from any to any flags R/R
pass out quick on ef0 proto tcp  from any to any flags S keep state
pass out quick on ef0 proto udp  from any to any keep state
pass out quick on ef0 proto icmp from any to any keep state
pass out quick on ef0 proto tcp  from any to any port = 21 flags S keep state

#Open Connections from the Internet
pass in quick on ef0 proto tcp from any to any port = 22   keep state   # SSH
pass in quick on ef0 proto tcp from any to any port = 80   keep state   # HTTP
pass in quick on ef0 proto tcp from any to any port = 443  keep state   # HTTPS
pass in quick on ef0 proto tcp from any to any port = 3690 keep state   # SVN and CVS

#Mysql Connects from a special host are allowed
pass in quick on ef0 proto tcp from to any port = 3306 keep state

#ICMP managen
pass  in     quick on ef0 proto icmp from any to any icmp-type 0 # PING
pass  out    quick on ef0 proto icmp from any to any icmp-type 0 # PING
pass  in     quick on ef0 proto icmp from any to any icmp-type 3
pass  in     quick on ef0 proto icmp from any to any icmp-type 8
pass  out    quick on ef0 proto icmp from any to any icmp-type 8
pass  in     quick on ef0 proto icmp from any to any icmp-type 11
block in log quick on ef0 proto icmp from any to any

#Block some weird IP-Packages.
block in log quick on ef0 proto tcp all with short
block in log quick on ef0 all with opt lsrr
block in log quick on ef0 all with opt ssrr

#Block all and log
block in log on ef0 all

Simple Gateway with NAT

(Note to self: don't forget to address here the questions posed in section "IRIX as a Router")

Here are the contents of the NAT configuration file, /etc/ipnat.conf, set up so that a private network (192.168.0.x) can access the public network through an IRIX (dual-interfaced) gateway that is running IPFilter.

map tg0 -> <gateway's public IP address>/32

The machines on the private network should have their default routes set to the private address of the gateway (e.g.

Testing / Bugs

The existing SGI packaged IPFilter is known to spew the following messages to the console when it is up on machines with gigabit ethernet interfaces (tg0, tg1, etc.).

IPFilter: ipl_if_output: mbuf block too small (m_len=0) for IP vers+hlen, m_type=2 m_flags=0x41

kind of annoying but so far harmless. It has been suggested recompiling with debugging disabled will remove this problem.

The best way is to set l2tcpseg to OFF (default is ON) in /etc/config/tgconfig.options, assuming you are using an original SGI Gigabit interface on IRIX 6.5.27. --Cadmo 11:31, 19 March 2008 (PDT)


An attempt will be made to compile the latest version of IPFilter for inclusion in the Nekoware software collection. Stay tuned!

External Links