Wednesday, December 27, 2017

HowTo IPFW firewall setup on FreeBSD

Today I'll lay down the steps needed to enable and configure the FreeBSD IPFW firewall.

The IPFIREWALL (IPFW) is a FreeBSD-sponsored firewall software application authored and maintained by FreeBSD volunteer staff members. It uses legacy stateless rules and a legacy rule coding technique to achieve what is referred to as Simple Stateful logic.

I'm running FreeBSD 7.0 and use freebsd-update to update the system side of FreeBSD, so this guide assumes that you're using a stock kernel. However, if you're running a custom kernel, take a look here (Section 31.6.1) before using the current guide.

Let's start by becoming the superuser and enabling IPFW at boot time:
  • % su
  • # vi /etc/rc.conf
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
firewall_logging="YES"
Now we define an IPFW rule set. Below you'll find a rule set shamefully stolen from here and adapted to my needs:
  • # vi /usr/local/etc/ipfw.rules
#!/bin/sh
# Shorthand for adding rules; -q keeps ipfw quiet while the set is loaded
IPF="ipfw -q add"
# Drop the currently loaded rule set before installing this one
ipfw -q -f flush

# loopback: allow everything on lo0, block spoofed 127/8 traffic elsewhere
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful: match existing dynamic rules first, then create state for outbound traffic
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open port ftp (21), ssh (22), mail (25)
# http (80), dns (53), mldonkey (4080, 21452, 6882),
# darkstat (667)
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
$IPF 220 allow tcp from any to any 4080 in
$IPF 230 allow udp from any to any 4080 out
$IPF 240 allow tcp from any to any 21452 in
$IPF 245 allow udp from any to any 21452 in
$IPF 250 allow tcp from any to any 21452 out
$IPF 255 allow udp from any to any 21452 out
$IPF 260 allow tcp from any to any 6882 in
$IPF 270 allow tcp from any to any 6882 out
$IPF 280 allow tcp from any to any 667 in
$IPF 290 allow tcp from any to any 667 out
# high ports for FTP data connections (see the note below)
$IPF 300 allow tcp from any to any 1024-65000 keep-state

# deny and log everything else
$IPF 500 deny log all from any to any
If you aren't planning to use FTP, remove the $IPF 300 allow tcp from any to any 1024-65000 keep-state line. It works around IPFW's troubles with FTP data connections, but because it names no direction it also admits inbound TCP connections to every port from 1024 to 65000, so keep it only if you really need FTP.

To enable logging run the following commands:
  • # vim /etc/syslog.conf
!ipfw
*.* /var/log/ipfw/ipfw.log
  • # mkdir /var/log/ipfw
  • # touch /var/log/ipfw/ipfw.log
  • # killall -HUP syslogd
The firewall_logging variable in rc.conf turns on net.inet.ip.fw.verbose (sets it to 1). To also cap the number of log messages per rule at 5 via net.inet.ip.fw.verbose_limit, and make it persistent:
  • # echo "net.inet.ip.fw.verbose_limit=5" >> /etc/sysctl.conf
  • # sysctl net.inet.ip.fw.enable=1
  • # sysctl net.inet.ip.fw.verbose=1
  • # sysctl net.inet.ip.fw.verbose_limit=5
To start IPFW and load the rule set:
  • # /etc/rc.d/ipfw start
  • # sh /usr/local/etc/ipfw.rules
The following command shows the rules list that is currently loaded:
  • # ipfw list
And we're done. In the future I plan to try OpenBSD's PF firewall, so stay tuned ;-)

Resources:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
http://tuxtraining.com/2008/10/16/setting-up-firewall-using-ipfw-in-freebsd
http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/