IPFilter 5 and compiled access lists

-
I've been back to Freebsd lately, and using freebsd10 rc2.

I noticed an option to compile access lists into the kernel module for ipfilter.  I got it to work, but thought I'd note down how ...

firstly the kernel doesn't know the option to compile access lists so add this instead

makeoptions     CFLAGS+=-DIPFILTER_COMPILED

or you could add to /etc/make.conf

now, take your ruleset in a file and create ip_rules.c and ip_rules.h  by doing this

/sbin/ipf -n -cc -f <filename>

copy them into 

/usr/src/sys/contrib/ipfilter/netinet

edit ip_rules.c and take out the if statement for NetBSD by deleting

#if (__NetBSD_Version__ >= 399000000)
#else

then, if you have in and out rules, there is a bug in generating the ip_rules.c , work around it by adding

frentry_t *ipf_rules_out_[1] = {
        (frentry_t *)&out_rule__0
};

and adjust [1] to the amount of rules you have.

then compile the kernel as normal and install it, load the module and you should see something in dmesg like

IP Filter: v5.1.2 initialized.  Default = pass all, Logging = enabled (COMPILED)


Comments

Post a Comment

Popular posts from this blog

Baileys liquor Chocolate Chip and Cream desert

-
Simple and very very very yummy. Prepare today for tomorrow 1-2 pks (14 biscuits approx but depends on size) of really good quality double chocolate chip cookies 100ml Baileys Cream Liqueur 250ml Cream, whipped Chocolate Shavings, Drops to decorate, or Cadburys Flake broken up, or sprinkle of cocoa Use a 9" spring form tin otherwise its tricky to remove the finished cake Pour the Bailey into a bowl One by one, dip or soak (depending on how strong you want it) the biscuits into the Baileys Once each on is soaked place in the tin until you have a layer Cover and spread evenly the freshly whipped cream Repeat the dipping processing and make another layer on top of the cream Cover and spread with cream again Sprinkle with the chocolate shavings or drops or flake etc to decorate Leave in the fridge overnight to allow the biscuits to absorb the cream mixture Remove from fridge just before serving and enjoy !!! (Increase quantities of Baileys and biscuits as required) Serve as is without
Read more

nginx decode base64 url for use with imgproxy

-
 i've been testing imgproxy, to handle our image serving needs, and it looks good. our existing servers are php based, and we sign and encode our urls for images.  To test out imgproxy , I wanted to simply drop it in as a replacement for our servers by sending a % of traffic.  There are many ways to do this, varnish was one, with custom code, but nginx is our go-to web server, so I had to find a way to have nginx sit in front of imgproxy and rewrite the decoded url. I settled on using njs, the cut down version of javascript that plugs into nginx as a loadable module.  Then use proxy_pass to pass the uri to javascript that will return the imgproxy compatable url, and proxy to it. a sample url would be http://foo.bar/images/c2lnbmF0dXJlZm9vaHR0cDovL3MzLWV1LXdlc3QtMS5hbWF6b25hd3MuY29tL215YnVja2V0b2ZwaG90b3MvcGhvdG9fb2ZfYV9jYXQ1fHx8MTIwMHgxMjAwfHx8fHx8fHw==.jpeg it has a sig, a bucket url, and parameters like image size. Getting nginx setup nginx.conf load_module modules/ngx_http_js
Read more

using t1n1wall, opnsense or pfsense on Google Compute Engine GCE

-
I have been doing some work in GCP recently, both appengine , and GCE.  We wanted to make sure all our instances were on private ips and only the LBs had internet ips. This gave us the problem of how to allow our instances reach the internet for updates or for api calls outside. In AWS you had a NAT gateway, but in GCP this doesn't exist. So I set about looking at the easiest way to do NAT from a private IP subnet to a Public address.  I am very familiar with m0n0wall and t1n1wall and a tiny bit with pfsense and less with opnsense. The tl;dr is that all these distributions ship an image which within the distribution there is a disk image.  Taking this internal image, renaming it and re-compressing it is all you need to do to get it working in GCE. you can configure it via the serial port using these instructions  There are guides out there around doing things with Linux and stuff, but you can skip that step. I took the latest version of t1n1wall 2.11 , got the simple a
Read more