IP Filter FAQ

XII. IP FILTER AND OPENBSD

1. How can I get IP Filter to block by default?
2. How can I upgrade IP Filter on OpenBSD < 3.0?
3. So I've upgraded IP Filter, why isn't it working?

1. How can I get IP Filter to block by default?

   Set the kernel option: option IPFILTER_DEFAULT_BLOCK
and recompile your kernel.

2. How can I upgrade IP Filter on OpenBSD < 3.0?

   IP Filter came with OpenBSD until version 3.0. If you have version 3.0 and want to use IP Filter you'll have to install from scratch. The following procedure assumes that you've at least configured your kernel. If you have not, check out http://www.oreillynet.com/pub/a/bsd/2000/10/31/OpenBSD.html for information on that.
   
   # gunzip -c ip_fil3.4.21.tar.gz | tar xf -
# cd ip_fil3.4.21
# BSD/kupgrade
# make openbsd
# make install-bsd
# cd /sys/arch/foo/compile/kernel
# make depend
# make bsd
# cp /bsd /bsd-original
# cp bsd /bsd
# reboot

   Note that the last two steps prior to rebooting make a backup copy of your current kernel to /bsd-original and then copy the new kernel into place.
   
   Pat Lougheed wrote a webpage on upgrading IP Filter in OpenBSD that goes more into depth. At the time, the procedure was a little uglier. As of now you can ignore steps 10-12 provided you're upgrading to atleast 3.4.21. You find his page here.

3. So I've upgraded/installed IP Filter, why isn't it working?

   In order to run IP Filter you'll need to add the following to your /etc/rc.conf file:
   ipfilter=YES

   If you'd like to use IP NAT as well, then additionally add:
   ipnat=YES