Full Version: IPFW
talkster5
Does anyone have a good guide for setting up IPFW on FreeBSD 5.x? I have found a few for FreeBSD 4 but am not sure if it is the same procedure.
talkster5
I think it is installed but just needs to be configured and enabled.
divzero
Procedure is the same in 5.x

This is my kernel cfg
CODE
# Firewall
options  IPFIREWALL
options  IPFIREWALL_VERBOSE
options  IPFIREWALL_VERBOSE_LIMIT=10
options  IPV6FIREWALL
options  IPV6FIREWALL_VERBOSE
options  IPV6FIREWALL_VERBOSE_LIMIT=10
options  DUMMYNET
options  HZ=1000

You don't need the ipv6 options unless you really want them. DUMMYNET is for setting up pipes with ipfw to throttle bandwidth.

Here is my ruleset
CODE
add 00001 count ip from any to any in via em0
add 00002 count ip from any to any out via em0
add 00003 deny all from any to 66.139.73.159 # outgoing to ventrilo.com
add 00004 allow all from any to any out via em0

# Banned from life
add 00005 deny all from 221.0.0.0/8 to any       # Korea
add 00006 deny all from 218.24.0.0/15 to any     # China
add 00007 deny all from 194.88.113.224/28 to any # Brussels University

# Squid
add 65523 allow all from x.x.x.x/16 to x.x.x.x 4000

# Internet Services
add 65524 allow all from any to any 21,22,25,110,587

# HTTP
add 65525 allow all from any to any 80,443

# ftp-data
add 65526 allow all from any to any 49152-65535

# doom3/et/cs:source/ventrilo
add 65527 allow all from any to x.x.x.x 27666,27015,3784,27960
add 65528 allow all from any to x.x.x.x 27960,3784

# shoutcast
add 65530 allow all from any to x.x.x.x 8000,8001
add 65531 allow all from any to x.x.x.x 8000,8001

add 65532 allow icmp from any to any icmptypes 0 # echo
add 65533 allow icmp from any to any icmptypes 8 # ping
add 65534 deny ip from any to any

I save my rules in /etc/rc.firewall.rules

I learned the hard way to use firewall_type="OPEN" in rc.conf and then manually load the rules using sh /etc/rc.firewall /etc/rc.firewall.rules (make sure you include the full paths for this command otherwise you will lock yourself out). Using an OPEN firewall by default has saved me tech support time. Just need to ask for a reboot with it like this. There is nothing quite like locking yourself and all the techs out with a firewall rule, then having to explain why they need to plug a keyboard and monitor into the box and exactly what command they need to run. I'm sure they just love it!
talkster5
Thanks for that, but I don't really understand how I do this kernel thing. The guide I had earlier doesn't go into much detail on the kernel apart from saying what options you need to put in.
facecake
May I suggest having a look a couple of threads down at my "how to secure a freebsd box" thread, or whatever it's called.

Whilst it's not complete, it does cover kernel recompilation, and also soon will have a full PF tutorial (which IMO is better than IPFW, but each to their own).
facecake
QUOTE (divzero)
There is nothing quite like locking yourself and all the techs out with a firewall rule, then having to explain why they need to plug a keyboard and monitor into the box and exactly what command they need to run. I'm sure they just love it!


Ahh, nothing quite like that when you're editing your firewall configs on the train, you save + reload and then think "fsck" as your session times out .. as you're in a tunnel, you start thinking was it me ... or the tunnel ....
5 mins later you're out of the tunnel and ... it was you ... thank god for remote hands + eyes! (and serial console ... which is even better :P)
divzero
QUOTE (facecake)
Ahh, nothing quite like that when you're editing your firewall configs on the train, you save + reload and then think "fsck" as your session times out .. as you're in a tunnel, you start thinking was it me ... or the tunnel ....
5 mins later you're out of the tunnel and ... it was you ... thank god for remote hands + eyes! (and serial console ... which is even better :P)


Haha yeah, I can't wait to have my console setup. Will make my heart pulse a little slower during world updates.

Can't wait to see your full PF tut, I've been wanting to research that and possibly switch from IPFW but haven't had the time.
talkster5
Didn't realise more people had replied to this thread.

This is what I have at the moment; can you verify this is correct please?

[quote]
#HTTP
add 00300 allow all from any to any 80

#FTP
add 00301 allow all from any to any 21

#SSH
add 00302 allow all from any to any 22

#Webmin
add 00303 allow all from any to any 88
[/quote]

[quote]
#Firewall
firewall_enable="NO"
firewall_type="open"
firewall_script="/etc/ipfw.rules"
[/quote]

Obviously firewall_enable will be yes, but I didn't want to turn it on until everything was correct.

Also do I actually need anything else in my rules file apart from those lines that set the rules?

Do I need any other rules to allow me to get onto the box after enabling the firewall? That is the main thing. Once it is turned on I will add more, but I just want to make sure I do not lock myself out of the whole machine.
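The lockout divzero describes (loading rules over SSH with an OPEN default so a reboot gets you back in) and talkster5's worry about getting onto the box after enabling the firewall both come down to the same thing: have a way back before the deny rules take effect. The script below is an added example, not from the thread or from FreeBSD; it loads a rules file with ipfw the way rc.firewall does for a filename type, then arms a watchdog that reopens the firewall unless you confirm from a fresh login within a grace period. The names IPFW, GRACE, TOKEN, WATCHDOG_PID and the functions are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): load an ipfw ruleset with a watchdog
# that falls back to an allow-everything firewall unless the admin confirms,
# from a *new* SSH session, that the box is still reachable. Assumed names:
# IPFW (ipfw binary), GRACE, TOKEN and the functions below are this script's.
IPFW=${IPFW:-/sbin/ipfw}
GRACE=${GRACE:-120}                        # seconds until the fallback fires
TOKEN=${TOKEN:-/var/run/ipfw-safe.confirm} # touch this file to keep the rules

# Flush and install one allow-all rule: the same state as firewall_type="OPEN".
open_firewall() {
    "$IPFW" -f flush >/dev/null
    "$IPFW" -q add 65000 allow ip from any to any
}

# Flush and load the rule file the way rc.firewall does for a filename type
# (ipfw reads the file itself); returns ipfw's exit status.
load_rules() {
    [ -r "$1" ] || { echo "rules file '$1' is not readable" >&2; return 2; }
    "$IPFW" -f flush >/dev/null
    "$IPFW" -q "$1"
}

# Background watchdog: if TOKEN has not appeared after GRACE seconds, reopen
# the firewall. Output is detached so the job cannot hold a caller's pipe open.
start_watchdog() {
    rm -f "$TOKEN"
    ( sleep "$GRACE"; [ -e "$TOKEN" ] || open_firewall ) >/dev/null 2>&1 &
    WATCHDOG_PID=$!
}

# Run from a fresh login after the rules are loaded; proves you can still get in.
confirm() { : > "$TOKEN"; }

# Returns 0 when the rules loaded and the watchdog is armed, 1 when the load
# failed (the firewall is then left open rather than half-configured).
safe_load() {
    if ! load_rules "$1"; then
        open_firewall
        return 1
    fi
    start_watchdog
    echo "rules loaded; touch $TOKEN within ${GRACE}s or the firewall reopens (watchdog pid $WATCHDOG_PID)"
}

# Usage: sh safe-ipfw-load.sh /etc/rc.firewall.rules, then from a new session: touch /var/run/ipfw-safe.confirm
if [ $# -gt 0 ]; then
    safe_load "$1"
fi
```

Confirming from a second SSH session rather than the one that ran the script is the point: a rule set that blocks new connections but keeps the existing one alive would otherwise look fine until you log out.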
talkster5
Thanks to the help of uber duper I got the kernel and everything done. I am just finishing up my rules now.
divzero
man rc.conf will give you some info on all of the available rc settings for ipfw. You have to scroll a bit to find them but the information is worth it. There are several options for logging that may interest you.
Invision Power Board © 2001-2009 Invision Power Services, Inc.