IPFilter
IRIX does have an IPFilter port for people looking to use firewalls on their machines. This page details several uses of it.
Setup
IPFilter is an established open source software package written and maintained by Darren Reed under a modified BSD style license. Source code is available from the project's homepage. It claims to have been tested and run under IRIX 6.2 and 6.5 (loadable kernel module), however, there have reportedly been problems with compiling versions beyond 4.1.x. It provides both filtering and NAT functionality.
SGI once made available a precompiled and patched version of the software on their (now defunct) Cool Software site. This packaged version was compiled against the 6.5.16 IRIX kernel, but is known to work with some caveats on systems running 6.5.30. The package installs itself under the product name ipfilter and should not be confused with the older kernel module ipfilterd which is a part of the eoe.sw.ipgate software subsystem. In fact, IPFilter and ipfilterd are mutually exclusive. There is even a terse but useful SGI Tech Pub document, IRIX Admin: IPFilter Firewall User's Guide, that explains some of the (intended) IRIX implimentation details. Like so many other SGI/IRIX efforts of the new millennium, this one too appears to have been abortive.
The install components of the software base subsystem (ipfilter.sw.base) include:
f 24676 1 ipfilter.sw.base c etc/config/ipfilter
f 41041 1 ipfilter.sw.base c etc/config/ipfilter.options
f 24675 1 ipfilter.sw.base c etc/config/ipmon.options
f 24643 1 ipfilter.sw.base c etc/config/ipnat.options
f 51944 5 ipfilter.sw.base etc/init.d/ipf
f 19158 2 ipfilter.sw.base c etc/ipf.conf
f 40955 1 ipfilter.sw.base c etc/ipnat.conf
l 0 0 ipfilter.sw.base etc/rc2.d/S33ipf
f 38138 131 ipfilter.sw.base m sbin/ipf
f 21023 46 ipfilter.sw.base m sbin/ipfs
f 22340 281 ipfilter.sw.base m sbin/ipfstat
f 13553 87 ipfilter.sw.base m sbin/ipmon
f 64991 230 ipfilter.sw.base m sbin/ipnat
f 21372 43 ipfilter.sw.base usr/include/netinet/ipfil.h
f 18548 18 ipfilter.sw.base usr/include/netinet/ipnat.h
f 33309 361 ipfilter.sw.base m usr/ipfilter/bin/ipftest
f 30230 91 ipfilter.sw.base m usr/ipfilter/bin/ipresend
f 59158 217 ipfilter.sw.base m usr/ipfilter/bin/ipsend
f 13573 6 ipfilter.sw.base usr/ipfilter/bin/mkfilters
d 0 0 ipfilter.sw.base var/db/ipf
f 60660 493 ipfilter.sw.base m var/sysgen/boot/ipf.o
f 3341 1 ipfilter.sw.base var/sysgen/master.d/ipf
f 46163 1 ipfilter.sw.base var/sysgen/system/ipf.sm
Note that the ipfilter filter executable utilities (e.g. mkfilters) reside in a subdirectory /usr/ipfilter/bin, that will not normally be in your path.
Configuring
IPFilter is a sophisticated tool and configuring it properly requires some effort with a small learning curve. Fortunately, there is an excellently written HowTo tutorial available for download in addition to other documentation: https://web.archive.org/web/20110822105615/http://www.obfuscation.org/ipf/ipf-howto.html
The files that control the particulars of the installation are:
/etc/ipf.conf
/etc/ipnat.conf
/etc/config/ipfilter.options
/etc/config/ipnat.options
The ipf.conf and ipnat.conf being the chief config files.
Enabling
To enable, shut of ipfilterd (unrelated package) and turn on ipfilter using chkconfig:
- chkconfig ipfilterd off
- chkconfig ipfilter on
The ipfilter daemon will not have started yet, but it can be manually invoked as root using the start-up script:
/etc/init.d/ipf start|stop|reload
If ipfilterd is already running, a reboot is probably required to fully deactivate it.
Examples
Simple Firewall
- Handling the loopbackdevice
pass out quick on lo0
pass in quick on lo0
- Block known "black hats"
block in quick on ef0 from 64.207.134.34 to any
block in quick on ef0 from 129.175.81.121 to any
block in quick on ef0 from 216.133.229.216 to any
- Manage the Connection to the internet (all keep state)
pass out quick on ef0 proto tcp from any to any flags R/R
pass out quick on ef0 proto tcp from any to any flags S keep state
pass out quick on ef0 proto udp from any to any keep state
pass out quick on ef0 proto icmp from any to any keep state
pass out quick on ef0 proto tcp from any to any port = 21 flags S keep state
- Open Connections from the Internet
pass in quick on ef0 proto tcp from any to any port = 22 keep state # SSH
pass in quick on ef0 proto tcp from any to any port = 80 keep state # HTTP
pass in quick on ef0 proto tcp from any to any port = 443 keep state # HTTPS
pass in quick on ef0 proto tcp from any to any port = 3690 keep state # SVN and CVS
- mysql Connects from a special host are allowed
pass in quick on ef0 proto tcp from 194.15.95.14 to any port = 3306 keep state
- ICMP management
pass in quick on ef0 proto icmp from any to any icmp-type 0 # PING
pass out quick on ef0 proto icmp from any to any icmp-type 0 # PING
pass in quick on ef0 proto icmp from any to any icmp-type 3
pass in quick on ef0 proto icmp from any to any icmp-type 8
pass out quick on ef0 proto icmp from any to any icmp-type 8
pass in quick on ef0 proto icmp from any to any icmp-type 11
block in log quick on ef0 proto icmp from any to any
- Block some weird IP-Packages.
block in log quick on ef0 proto tcp all with short
block in log quick on ef0 all with opt lsrr
block in log quick on ef0 all with opt ssrr
- Block all and log
block in log on ef0 all
This is a relatively old example retrieved from the Nekochan Wiki, and probably can be optimized further.
Routing with NAT and Firewall
Chapter 3 of SGI's IRIX documentation, https://irix7.com/techpubs/007-2860-012.pdf, describes a very simple process of turning an IRIX machine with multiple ethernet interfaces into a router. A summary of the steps are:
1. Enable the 2nd interface (by modifying /etc/config/netif.options) and name it gate-<1st interface name>
2. Reconfigure the kernel and restart the system
Supposedly, IRIX will auto-magically start routing packets. What is not discussed is the following:
Is the routed daemon running?
chkconfig routed on|off
Should gated be used instead?
chkconfig gated on|off
Should IP Forwarding be enabled? (Software Manager->Network and Connectivity->Configure Interface)
Below are the contents of the NAT configuration file, /etc/ipnat.conf, set up so that a private network (192.168.0.x) can access the public network through an IRIX (dual-interfaced) gateway that is running IPFilter.
map tg0 192.168.0.0/24 -> <gateway's public IP address>/32
The machines on the private network should have their default routes set to the private address of the gateway (e.g. 192.168.0.1)
Testing / Bugs
The existing SGI packaged IPFilter is known to spew the following messages to the console when it is up on machines with gigabit ethernet interfaces (tg0, tg1, etc.).
IPFilter: ipl_if_output: mbuf block too small (m_len=0) for IP vers+hlen, m_type=2 m_flags=0x41
This appears to be harmless debug messages.
The best way is to set l2tcpseg to OFF (default is ON) in /etc/config/tgconfig.options, assuming the machine is using an original SGI Gigabit interface on IRIX 6.5.27.