Subject: A packet filtering firewall facility that runs under NetBSD
To: None <current-users@NetBSD.ORG>
From: Danny Boulet <danny@nahanni.BouletFermat.ab.ca>
List: current-users
Date: 04/02/1995 21:06:48
Most of you have probably never heard of ipfirewall.  This is a packet
filtering IP firewall facility that I've written.  It has been around for
about 18 months.  The current version is now available.  Although the
development work was all done on BSD/OS, the current v2.0 version also
includes patches for NetBSD-current.

Here are the features that are in the current version:

    - ability to match packets based on essentially any combination of:

	= their source and/or destination IP address or port number.

	= the protocol used by the enclosed packet (TCP, UDP, ICMP).

	= which interface the packet arrived via (useful for preventing
	  IP spoofing and other things).

	= whether or not the packet represents an in-bound TCP/IP
	  connection attempt (i.e. is the first packet sent by a TCP/IP
	  client trying to establish a connection with a TCP/IP server).
	  This is quite useful for ensuring that outsiders can only
	  connect to a selected set of TCP/IP servers while allowing
	  insiders access to external TCP/IP servers.

	= whether or not the packet is a fragment of a larger original IP
	  packet.

	= whether or not the packet uses various flavours of IP options.

    - ability to request that an accepted packet be logged (normally, only
      rejected packets get logged).

    - all rejected or logged packet messages indicate which filter
      matched the packet (helps when debugging filters).
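
To make the matching criteria above concrete, here is an added example that is not ipfirewall's own code and not part of this message: a small first-match-wins filter over a summarised packet that checks interface, source and destination address, protocol, destination port, the SYN-without-ACK test for an in-bound connection attempt, the fragment flag and the presence of IP options, and names the rule that fired whenever it rejects a packet or a rule asks for accepted packets to be logged. The interface names, addresses, rule order, rule list layout and default-deny behaviour are all assumptions made for the illustration; ipfirewall's real filter syntax and evaluation order are described in its user's guide, not here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IP protocol numbers and TCP flag bits exactly as they appear in the headers. */
#define PROTO_TCP 6
#define PROTO_UDP 17
#define TH_SYN 0x02
#define TH_ACK 0x10

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define MASK16 0xFFFF0000u
#define MASK32 0xFFFFFFFFu

/* Hypothetical per-packet summary produced by a header parser (assumed layout). */
struct pkt {
    const char *ifname;    /* interface the packet arrived on */
    uint32_t src, dst;     /* IPv4 addresses, host byte order */
    uint8_t proto;
    uint16_t dport;        /* 0 when no transport header is visible (non-first fragments) */
    uint8_t tcp_flags;     /* 0 for non-TCP or when the TCP header is not in this fragment */
    bool fragment;         /* MF bit set or fragment offset != 0 */
    bool has_options;      /* IHL > 5, i.e. IP options present */
};

enum action { ACCEPT, REJECT };
enum tri { ANY, NO, YES };   /* three-way predicate on a packet property */

struct rule {
    enum action act;
    const char *ifname;                      /* NULL: any interface */
    uint32_t src, src_mask, dst, dst_mask;   /* mask 0: any address */
    uint8_t proto;                           /* 0: any protocol */
    uint16_t dport;                          /* 0: any port */
    enum tri conn_attempt;                   /* SYN without ACK: a client's first packet */
    enum tri fragment;
    enum tri options;
    bool log;                                /* log this packet even when accepted */
};

static bool tri_ok(enum tri want, bool have) {
    return want == ANY || (want == YES) == have;
}

static bool rule_matches(const struct rule *r, const struct pkt *p) {
    if (r->ifname && strcmp(r->ifname, p->ifname) != 0) return false;
    if ((p->src & r->src_mask) != (r->src & r->src_mask)) return false;
    if ((p->dst & r->dst_mask) != (r->dst & r->dst_mask)) return false;
    if (r->proto && r->proto != p->proto) return false;
    if (r->dport && r->dport != p->dport) return false;
    bool conn_attempt = p->proto == PROTO_TCP && (p->tcp_flags & (TH_SYN | TH_ACK)) == TH_SYN;
    return tri_ok(r->conn_attempt, conn_attempt) && tri_ok(r->fragment, p->fragment) &&
           tri_ok(r->options, p->has_options);
}

static const char *fmt_ip(uint32_t a, char buf[16]) {
    snprintf(buf, 16, "%u.%u.%u.%u", (unsigned)(a >> 24), (unsigned)((a >> 16) & 255),
             (unsigned)((a >> 8) & 255), (unsigned)(a & 255));
    return buf;
}

/* First-match-wins walk over the rules (assumed semantics). Returns the index of the
   matching rule or -1; no match is treated as REJECT (assumed default-deny). Rejected
   packets, and accepted packets whose rule sets log, are written to log (if non-NULL)
   together with the rule index so the filter that fired can be identified. */
int filter_packet(const struct rule *rules, int n, const struct pkt *p,
                  enum action *verdict, FILE *log) {
    int hit = -1;
    *verdict = REJECT;
    for (int i = 0; i < n; i++)
        if (rule_matches(&rules[i], p)) { hit = i; *verdict = rules[i].act; break; }
    if (log && (*verdict == REJECT || (hit >= 0 && rules[hit].log))) {
        char s[16], d[16];
        fprintf(log, "%s on %s src=%s dst=%s proto=%u dport=%u rule=%d\n",
                *verdict == REJECT ? "REJECT" : "ACCEPT", p->ifname, fmt_ip(p->src, s),
                fmt_ip(p->dst, d), (unsigned)p->proto, (unsigned)p->dport, hit);
    }
    return hit;
}

/* Constructed policy: le0 is the inside interface for 10.1.0.0/16, ppp0 the outside
   link, and 10.1.0.5 is the only host outsiders may connect to (SMTP only). */
static const struct rule policy[] = {
    /* 0: anti-spoofing: inside addresses must never arrive on the outside link */
    { REJECT, "ppp0", IP4(10,1,0,0), MASK16, 0, 0, 0, 0, ANY, ANY, ANY, false },
    /* 1: external packets carrying IP options are refused */
    { REJECT, "ppp0", 0, 0, 0, 0, 0, 0, ANY, ANY, YES, false },
    /* 2: external fragments are refused: the port rules below cannot see their ports */
    { REJECT, "ppp0", 0, 0, 0, 0, 0, 0, ANY, YES, ANY, false },
    /* 3: outsiders may open SMTP connections to the mail host; log each one */
    { ACCEPT, "ppp0", 0, 0, IP4(10,1,0,5), MASK32, PROTO_TCP, 25, YES, ANY, ANY, true },
    /* 4: no other in-bound connection attempts from outside */
    { REJECT, "ppp0", 0, 0, 0, 0, PROTO_TCP, 0, YES, ANY, ANY, false },
    /* 5: everything else (insider traffic and the replies to it) passes */
    { ACCEPT, NULL, 0, 0, 0, 0, 0, 0, ANY, ANY, ANY, false },
};
#define N_POLICY ((int)(sizeof policy / sizeof policy[0]))

/* Constructed sample packets (192.0.2.7 stands in for an outside host). */
static const struct pkt samples[] = {
    { "ppp0", IP4(192,0,2,7), IP4(10,1,0,5), PROTO_TCP, 25, TH_SYN, false, false },  /* SMTP to mail host */
    { "ppp0", IP4(192,0,2,7), IP4(10,1,0,9), PROTO_TCP, 23, TH_SYN, false, false },  /* telnet to another host */
    { "ppp0", IP4(10,1,0,3),  IP4(10,1,0,5), PROTO_UDP, 53, 0, false, false },       /* spoofed inside source */
    { "le0",  IP4(10,1,0,3),  IP4(192,0,2,7), PROTO_TCP, 80, TH_SYN, false, false }, /* insider going out */
    { "ppp0", IP4(192,0,2,7), IP4(10,1,0,3), PROTO_TCP, 1234, TH_SYN | TH_ACK, false, false }, /* its reply */
    { "ppp0", IP4(192,0,2,7), IP4(10,1,0,5), PROTO_TCP, 0, 0, true, false },         /* non-first fragment */
};

/* Silent wrappers over the samples: index of the rule that fired, and whether accepted. */
int sample_rule(int i) { enum action v; return filter_packet(policy, N_POLICY, &samples[i], &v, NULL); }
int sample_accepted(int i) { enum action v; filter_packet(policy, N_POLICY, &samples[i], &v, NULL); return v == ACCEPT; }

int main(void) {
    enum action v;
    for (int i = 0; i < (int)(sizeof samples / sizeof samples[0]); i++)
        filter_packet(policy, N_POLICY, &samples[i], &v, stdout);
    return 0;
}
```

Two points of the sample policy are worth noting. The connection-attempt test looks only at the SYN and ACK bits, so a SYN+ACK reply from an outside server to an insider's connection is not a connection attempt and passes under the final rule while a bare SYN from outside to an unlisted host is refused. And a non-first fragment carries no transport header, so the port and flag checks have nothing to look at; that is why the sample policy refuses external fragments before any port-based rule can be reached.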

The package is distributed in source form with patches for a few kernel files.
This version includes patches for BSD/OS v2.0 and NetBSD-current.  I suspect
that the version will port very easily to just about any NetBSD version.
Porting to FreeBSD is also probably very easy.  Porting to Linux might require
more work (since it isn't based on the same 4.4BSD networking code) but is
probably not very hard.

Starting with ipfirewall v2.0, I'm distributing ipfirewall on a shareware basis.
Users who register themselves by making a minimum contribution of $60
Canadian (about $42 US) will receive a bound 29 page user's guide.
Users who are protecting larger sites are asked to make a larger contribution
(see the distribution for details).  I'll also try to keep registered users
informed of bug fixes and future versions.

I intend to try to make the version quite widely available.  It will
probably appear on a number of ftp sites quite soon.  For now, please
send me a request via e-mail to:

    danny@BouletFermat.ab.ca

I'd like to express my thanks to all of my beta testers (from all over the
world).

Here's a list of the sections in the "ipfirewall v2.0 User's Guide":

    section	page	title

      1.0	  1	Overview of ipfirewall v2.0
      2.0	  3	Obtaining ipfirewall
      3.0	  4	ipfirewall copyright (description of copyright terms)
      4.0	  5	Installation
      5.0	  7	The ipfirewall command
      6.0	 10	Filter syntax
      7.0	 13	Filter examples
      8.0	 19	A complete example
      9.0	 22	Packet filtering rules (how ipfirewall filters packets)
     10.0	 24	Other security considerations
     11.0	 27	Recommended reading
     12.0	 29	About the author (my fifteen minutes of fame!)
	    
-Danny