mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2025-01-10 08:22:27 +01:00
109 lines
3.4 KiB
Plaintext
IP Filter has been mostly tested under IRIX 6.2. It should work under IRIX 6.3
as well. Under IRIX 5.3, it has been successfully compiled and linked in the
kernel, but not tested. Compilation under IRIX >= 6.4 is not yet supported.

To build a kernel with the IP filter and install it on your system,
follow these steps:

    1. edit the top-level Makefile to
       a) comment-out the IPFLKM definition.
          This means changing the line reading:
              IPFLKM=-DIPFILTER_LKM
          to
              #IPFLKM=-DIPFILTER_LKM
       b) select the system's compiler (cc)
          This means changing the line reading:
              CC=gcc
          to
              CC=cc
       c) enable full optimization
          This means changing the lines reading:
              DEBUG=-g
              CFLAGS=-I$$(TOP)
          to
              DEBUG=
              CFLAGS=-O2 -I$$(TOP)

    2. do "make irix" (Warning: GNU make is not supported, so if it has
       been installed on your system, verify your path and/or do "which make"
       to guarantee that IRIX's /sbin/make has precedence)

    3. do "make install-irix" as root
       (a new kernel will be automatically built)

    4. determine the filtering rules and place them in /etc/ipf.conf
       and /etc/ipnat.conf

    5. do "init 6" as root to reboot with the new kernel

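The Makefile edits and the /sbin/make warning above can be checked before building. The script below is an added example, not part of the IP Filter distribution; its function names are hypothetical, and it assumes a POSIX shell and Makefile assignments that start in column one, as quoted in the steps.

```shell
#!/bin/sh
# Added example: preflight check for the static kernel build described above.
# Function names are hypothetical; the expected settings come from this README.
# Assumes the Makefile assignments start in column one, as quoted in the text.

# check_makefile FILE
# Prints one line per setting that still differs from what the README asks
# for and returns the number of problems found (0 means ready to build).
check_makefile() {
    mf=$1
    problems=0
    # a) IPFLKM must be commented out, otherwise a loadable module is built
    if grep '^IPFLKM=-DIPFILTER_LKM' "$mf" >/dev/null; then
        echo "IPFLKM=-DIPFILTER_LKM is still active (loadable-module build)"
        problems=$((problems + 1))
    fi
    # b) the system compiler must be selected
    if ! grep '^CC=cc[[:space:]]*$' "$mf" >/dev/null; then
        echo "CC is not set to cc"
        problems=$((problems + 1))
    fi
    # c) full optimization: DEBUG empty and -O2 present in CFLAGS
    if ! grep '^DEBUG=[[:space:]]*$' "$mf" >/dev/null; then
        echo "DEBUG is not empty"
        problems=$((problems + 1))
    fi
    if ! grep '^CFLAGS=.*-O2' "$mf" >/dev/null; then
        echo "CFLAGS does not contain -O2"
        problems=$((problems + 1))
    fi
    return $problems
}

# check_make [EXPECTED]
# Succeeds only when the first "make" on PATH is EXPECTED (default: IRIX's
# /sbin/make), i.e. GNU make does not take precedence.
check_make() {
    [ "$(command -v make 2>/dev/null)" = "${1:-/sbin/make}" ]
}

# Stand-alone use: sh preflight.sh /path/to/Makefile
if [ $# -ge 1 ]; then
    check_makefile "$1" || echo "Makefile needs editing before \"make irix\""
    check_make || echo "make does not resolve to /sbin/make; check PATH"
fi
```
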
After restarting, the filter should be active and behaving according to
the rules loaded from /etc/ipf.conf and /etc/ipnat.conf.

These files can be changed at any time, and reloaded using the
following command sequence:

    # sh /etc/init.d/ipf stop; sh /etc/init.d/ipf start


To remove the IP Filter from your kernel, follow these steps:

    1. Delete the /var/sysgen/boot/ipfilter.o file

       # rm /var/sysgen/boot/ipfilter.o

    2. If SGI's ipfilter.o had been previously installed, restore it
       back to its original location

       # mv /var/sysgen/boot/ipfilter.o.DIST /var/sysgen/boot/ipfilter.o

    3. Build a new kernel

       # /etc/autoconfig

    4. Delete the /etc/rc2.d/S33ipf symbolic link

       # rm /etc/rc2.d/S33ipf

    5. Reboot

       # init 6


ADDITIONAL NOTES:

- The IP filter uses the same kernel interface to the IP driver as
  SGI's ipfilter. In fact, it is installed in place of SGI's
  /var/sysgen/boot/ipfilter.o module, after renaming it (if installed)
  to /var/sysgen/boot/ipfilter.o.DIST. You should ensure that SGI's
  ipfilterd daemon is not running simultaneously, since this package uses
  the same major device number.

- We have not tested IP Filter on a multiprocessor machine yet.
  However, feel free to try it and send your experiences/patches
  back to marc@CAM.ORG. SGI prescribes that kernel code be built on such
  systems with -D_MP_NETLOCKS -DMP. Therefore, these flags should
  probably be uncommented on the DFLAGS line of IRIX/Makefile if your
  machine has more than one processor.

- It is also possible to build IP Filter as a dynamically loadable
  kernel module (by retaining the IPFLKM=-DIPFILTER_LKM definition in the
  top-level Makefile), but this is not recommended other than for testing
  and debugging purposes, because the only possible method for dynamic
  attachment to the IP stack (instruction patching) is highly dependent
  on the processor architecture. The code provided has only been tested
  with IP22 CPU boards and can sometimes cause panics during loading due
  to a potential race condition.


CREDITS:

IP Filter was ported to IRIX by Marc Boucher <marc@CAM.ORG>

Marc Boucher wishes to thank the
ICARI Institute (http://www.icari.qc.ca)
and
Aurelio Cascio <aurelio@toonboom.com>
for their financial support and testing facilities, respectively.