Tuesday, October 21, 2008

HowTo: IPFW firewall setup on FreeBSD

Today I'll lay down the steps needed to enable and configure FreeBSD's IPFW firewall.

The IPFIREWALL (IPFW) is a FreeBSD-sponsored firewall application authored and maintained by FreeBSD volunteers. It uses legacy stateless rules plus a rule-coding technique (check-state/keep-state) to achieve what the handbook refers to as Simple Stateful logic.

I'm running FreeBSD 7.0 and use freebsd-update to update the base system, so this guide assumes that you're using the stock GENERIC kernel (/etc/rc.d/ipfw loads the ipfw kernel module for you, and that module denies everything by default until rules are loaded). If you're running a custom kernel, take a look here (Section 31.6.1) for the kernel options before using this guide.

Let's start by becoming the superuser and enabling IPFW at boot time. firewall_script points /etc/rc.d/ipfw at our own rule script instead of one of the canned types in /etc/rc.firewall, and firewall_logging turns on logging for rules that carry the log keyword:
  • % su
  • # vi /etc/rc.conf
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
firewall_logging="YES"
Now we define an IPFW rule set. Below you'll find a rule set shamefully stolen from here and adapted to my needs. The file name must match the firewall_script line in rc.conf:
  • # vi /usr/local/etc/ipfw.rules
IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open ports: ftp (21), ssh (22), mail (25),
# dns (53), http (80), mldonkey (4080, 21452, 6882),
# darkstat (667)
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
$IPF 220 allow tcp from any to any 4080 in
$IPF 230 allow udp from any to any 4080 out
$IPF 240 allow tcp from any to any 21452 in
$IPF 245 allow udp from any to any 21452 in
$IPF 250 allow tcp from any to any 21452 out
$IPF 255 allow udp from any to any 21452 out
$IPF 260 allow tcp from any to any 6882 in
$IPF 270 allow tcp from any to any 6882 out
$IPF 280 allow tcp from any to any 667 in
$IPF 290 allow tcp from any to any 667 out
$IPF 300 allow tcp from any to any 1024-65000 keep-state

# deny and log everything
$IPF 500 deny log all from any to any
If you aren't planning to use FTP, remove the $IPF 300 allow tcp from any to any 1024-65000 keep-state line. It is there to work around IPFW's trouble with FTP data connections: passive FTP opens a second, inbound connection to a high port that a rule on port 21 knows nothing about. Be aware of what the line costs you, though: it allows inbound TCP from anywhere to every port from 1024 to 65000 on this host, so anything listening in that range (the mldonkey ports above, but also any service you forgot about) is reachable from the Internet. If you do need it, narrow it to the passive port range your ftpd is configured with rather than the whole unprivileged range.
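As an added example (not the post's own script, nor the tuxtraining one it was adapted from), here is how I would package the same rule set so it is checked before it is loaded. It writes the rules in ipfw(8)'s rule-file format (one command per line, leading "ipfw" omitted), runs the file through ipfw -n, which only parses it, and flushes the running rules only if that passes. Inbound service rules are tied to the external interface with setup keep-state instead of a bare in, and the blanket 1024-65000 rule is replaced by a passive FTP range. The interface name em0, the service ports 21, 22, 25 and 80, and the passive range 49152-49200 are placeholders; set them to match your host and your ftpd configuration.

```shell
#!/bin/sh
# Added example, not the post's or the tuxtraining script: build the rule set
# from a few variables, syntax-check it, and only then load it.
# Interface name, service ports and passive FTP range are assumptions.
EXT="${EXT:-em0}"                               # external interface (assumed)
TCP_SERVICES="${TCP_SERVICES:-21 22 25 80}"     # inbound TCP services offered
PASV_LO="${PASV_LO:-49152}"                     # passive FTP data range; must
PASV_HI="${PASV_HI:-49200}"                     # match what ftpd is configured for

# Print the rules in ipfw(8) rule-file format: one command per line with the
# leading "ipfw" omitted, so the whole file can be handed to "ipfw -q file".
render_rules() {
    ext="$1"; services="$2"; pasv_lo="$3"; pasv_hi="$4"
    cat <<EOF
add 10 allow ip from any to any via lo0
add 20 deny ip from any to 127.0.0.0/8
add 30 deny ip from 127.0.0.0/8 to any
add 40 deny tcp from any to any frag
add 50 check-state
add 60 allow tcp from any to any established
add 70 allow ip from any to any out via $ext keep-state
add 80 allow icmp from any to any icmptypes 0,3,8,11
EOF
    # One stateful rule per service: "setup" matches only the connection
    # request; the dynamic rule that keep-state creates carries the rest of
    # the flow through check-state (rule 50). "me" limits it to this host.
    n=100
    for port in $services; do
        echo "add $n allow tcp from any to me $port in via $ext setup keep-state"
        n=$((n + 10))
    done
    # Passive FTP data connections arrive on this range only, instead of
    # opening every port from 1024 to 65000 as the post's rule 300 does.
    echo "add 400 allow tcp from any to me $pasv_lo-$pasv_hi in via $ext setup keep-state"
    echo "add 500 deny log ip from any to any"
}

# Write the rules to a temporary file and refuse to flush the running rules
# if ipfw rejects the new ones.
load_rules() {
    tmp=$(mktemp /tmp/ipfw.rules.XXXXXX) || return 1
    render_rules "$EXT" "$TCP_SERVICES" "$PASV_LO" "$PASV_HI" > "$tmp"
    if ! command -v ipfw >/dev/null 2>&1; then      # e.g. previewing off-box
        echo "ipfw not found; printing the rule file instead of loading it" >&2
        cat "$tmp"; rm -f "$tmp"
        return 0
    fi
    # -n parses the file without passing anything to the kernel, so a typo
    # cannot leave the host with nothing but the module's default deny rule.
    if ! ipfw -n "$tmp"; then
        echo "syntax error in $tmp, running rules left untouched" >&2
        return 1
    fi
    ipfw -q -f flush && ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

load_rules
```

Saved as /usr/local/etc/ipfw.rules it works as the firewall_script above, since /etc/rc.d/ipfw runs that file with sh. The first time, run it from the console: the flush still happens before the new rules go in, and a rule that parses but is wrong will cut an SSH session just as surely as a typo would.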

To have syslogd write the IPFW messages to their own file, run the following commands:
  • # vim /etc/syslog.conf
!ipfw
*.* /var/log/ipfw/ipfw.log
  • # mkdir /var/log/ipfw
  • # touch /var/log/ipfw/ipfw.log
  • # killall -HUP syslogd
The firewall_logging variable makes /etc/rc.d/ipfw set net.inet.ip.fw.verbose to 1, which turns logging on. net.inet.ip.fw.verbose_limit is a different knob: it caps how many packets a single rule logs (0, the default, means no limit) before ipfw stops logging that rule until its counters are cleared with ipfw resetlog. To cap it at 5 messages per rule, persist the setting and apply it to the running kernel:
  • # echo "net.inet.ip.fw.verbose_limit=5" >> /etc/sysctl.conf
  • # sysctl net.inet.ip.fw.enable=1
  • # sysctl net.inet.ip.fw.verbose=1
  • # sysctl net.inet.ip.fw.verbose_limit=5
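Once the log is flowing, this is how I read it; an added example, not part of the original post. It assumes the log path above and IPv4 log lines in the format the kernel writes (rule number, action, protocol, source, destination, direction and interface), plus the "limit N reached on entry R" notice the kernel logs when a rule hits verbose_limit. The lines inside write_sample_log are constructed from documentation-range addresses.

```shell
#!/bin/sh
# Added example, not part of the original post: shell/awk helpers to read
# what rule 500 ("deny log") writes to /var/log/ipfw/ipfw.log.
# The log lines in write_sample_log are constructed to match the IPv4
# format the kernel emits: "ipfw: <rule> <action> <proto> <src[:port]>
# <dst[:port]> <in|out> via <iface>".

write_sample_log() {   # constructed sample; prints the temp file's path
    f=$(mktemp /tmp/ipfw.log.XXXXXX) || return 1
    cat > "$f" <<'EOF'
Oct 21 22:10:01 gw kernel: ipfw: 500 Deny TCP 203.0.113.9:51234 198.51.100.2:22 in via em0
Oct 21 22:10:03 gw kernel: ipfw: 500 Deny TCP 203.0.113.9:51235 198.51.100.2:23 in via em0
Oct 21 22:10:04 gw kernel: ipfw: 500 Deny TCP 203.0.113.9:51236 198.51.100.2:22 in via em0
Oct 21 22:11:40 gw kernel: ipfw: 500 Deny UDP 198.51.100.77:5353 198.51.100.2:5353 in via em0
Oct 21 22:12:09 gw kernel: ipfw: 500 Deny ICMP:8.0 192.0.2.200 198.51.100.2 in via em0
Oct 21 22:12:10 gw kernel: ipfw: 40 Deny TCP 192.0.2.200:40000 198.51.100.2:80 in via em0
Oct 21 22:12:11 gw kernel: ipfw: limit 5 reached on entry 500
EOF
    echo "$f"
}

# "<count> <source>" for the busiest denied sources, busiest first.
top_denied_sources() {   # $1 = log file, $2 = how many sources (default 10)
    awk '
        / Deny / {
            for (i = 1; i <= NF; i++) if ($i == "Deny") break
            src = $(i + 2)                 # proto is $(i+1), source is $(i+2)
            sub(/:[0-9]+$/, "", src)       # drop the source port, if any
            count[src]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' "$1" | sort -rn | head -n "${2:-10}"
}

# Sorted, unique destination ports one source was denied on (TCP/UDP only;
# ICMP entries carry no port and are skipped).
ports_probed_by() {   # $1 = log file, $2 = source address
    awk -v want="$2" '
        / Deny / {
            for (i = 1; i <= NF; i++) if ($i == "Deny") break
            src = $(i + 2); dst = $(i + 3)
            sub(/:[0-9]+$/, "", src)
            if (src == want && dst ~ /:[0-9]+$/)
                print substr(dst, index(dst, ":") + 1)
        }
    ' "$1" | sort -n | uniq
}

# Rules that stopped logging because they reached net.inet.ip.fw.verbose_limit;
# anything they denied after that point is missing from the log.
limit_reached_rules() {   # $1 = log file
    sed -n 's/.*ipfw: limit [0-9]* reached on entry \([0-9]*\).*/\1/p' "$1" | sort -n | uniq
}

LOG=$(write_sample_log)
echo "top denied sources:";                 top_denied_sources "$LOG" 3
echo "ports probed by 203.0.113.9:";        ports_probed_by "$LOG" 203.0.113.9
echo "rules silenced by verbose_limit (clear with: ipfw resetlog):"
limit_reached_rules "$LOG"
rm -f "$LOG"
```

On a real host replace write_sample_log with the path from syslog.conf. The last helper is the one to watch when you set verbose_limit=5: once a rule shows up there, the counts from the first two say nothing about what happened afterwards until you run ipfw resetlog.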
To start IPFW and load the rule set (do this from the console if you can: the script flushes the running rules before it adds the new ones, and a typo in a rule leaves the host with only the module's default deny rule 65535, which also drops the SSH session you are working from):
  • # /etc/rc.d/ipfw start
  • # sh /usr/local/etc/ipfw.rules
The following command shows the rule list that is currently loaded (add -d to also see the dynamic entries created by keep-state):
  • # ipfw list
And we're done. In the future I plan to try OpenBSD's PF firewall, so stay tuned ;-)

Resources:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
http://tuxtraining.com/2008/10/16/setting-up-firewall-using-ipfw-in-freebsd
http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/

5 comments:

anon said...

Nice blog :-) I run tuxtraining.com, I am looking to add about 5-10 authors to the site but rather than announce it I thought I'd go around and approach some people with some decent sites first.

I like the stuff you write, and I'm hoping me and others can create a more comprehensive how-to site than many of the wikis and blogs around. If interested in my offer, let me know.

Ciprian said...

Hey!

Thanks for the very nice doc. I run http://freebsdhowto.com and my main focus is on FreeBSD and other *BSD flavors' howtos, and what the site does is host all howtos and other types of docs in the *BSD arena.

I am interested in a collaboration with you and if you are as well please contact me through my contact form and I'll get back to you :)

tangram said...

Hi there,

Glad you've liked the guide :)

Of course we can talk and even collaborate.

Regards.

Anonymous said...

Thanks for the explanation about ipfw. It just works fine on my BSD 7.1. Because I am new with FreeBSD and learning about firewalls, could you show me an example of how to make a rule for a banlist of IP addresses?

Because I see a lot of IP addresses in my httpd-access.log (from China, Russia and also from the Netherlands etc.) who are scanning the software / ports.

How do I make a rule for a banlist of IP addresses in this well-working firewall?

I have worked many years with Debian and used the shorewall firewall and I had a blacklist for the bad IP addresses and domains.
But I started in August '08 to work with FreeBSD 7.0 and I like this O.S. very much.

Thanks also for the other BSD stuff
FreeBSD_newbie

tangram said...

I'm not running any HTTP services so didn't need rules for ban lists. Have a go at Google; I'm sure you'll find something helpful.

If you are interested on help thwarting SSH server attacks have a look at http://linux-bsd-sharing.blogspot.com/2009/04/howto-using-denyhosts-to-help-thwart.html.
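The ban list FreeBSD_newbie asks about, as an added example of mine rather than the post author's setup or anything from the comment thread. It uses an IPFW table: a table holds any number of addresses or CIDR blocks and is consulted by a single deny rule, so the rule set does not grow with the list and the list can be refreshed without touching the rules. Assumptions: table number 1, external interface em0, and a blocklist file with one IPv4 address or CIDR per line; the sample list inside write_sample_blocklist is constructed from documentation ranges.

```shell
#!/bin/sh
# Added example answering the ban-list question above; not the post author's
# configuration. Table number, interface and blocklist format are assumptions.
EXT="${EXT:-em0}"    # external interface (assumed)
TABLE="${TABLE:-1}"  # ipfw table holding the banned addresses (assumed)

# Constructed sample blocklist (documentation ranges); prints its path.
write_sample_blocklist() {
    f=$(mktemp /tmp/banlist.XXXXXX) || return 1
    cat > "$f" <<'EOF'
# one IPv4 address or a.b.c.d/n per line, '#' starts a comment
203.0.113.0/24        # noisy scanner block
198.51.100.7          # single host
2001:db8::1           # IPv6: not handled by this IPv4-only script, skipped
999.1.1.1             # bad octet, skipped
EOF
    echo "$f"
}

# 0 for a.b.c.d or a.b.c.d/n with octets <= 255 and mask <= 32, else 1.
valid_cidr() {
    printf '%s\n' "$1" | awk '
        !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { exit 1 }
        {
            n = split($0, p, "[./]")
            for (i = 1; i <= 4; i++) if (p[i] + 0 > 255) exit 1
            if (n == 5 && p[5] + 0 > 32) exit 1
            exit 0
        }'
}

# ipfw(8) rule-file commands that refill the table from the blocklist.
# Entries that do not validate are reported and skipped, never passed to ipfw.
banlist_commands() {   # $1 = blocklist file
    echo "table $TABLE flush"
    sed 's/#.*//' "$1" | while read -r entry; do
        [ -z "$entry" ] && continue
        if ! valid_cidr "$entry"; then
            echo "skipping invalid entry: $entry" >&2
            continue
        fi
        case "$entry" in */*) ;; *) entry="$entry/32" ;; esac   # host entry
        echo "table $TABLE add $entry"
    done
}

# The one rule the rule set needs. Numbered before the loopback and stateful
# rules so a banned host never gets a dynamic rule; "in via $EXT" keeps it
# off lo0 and any internal interface.
banlist_rule() {
    echo "add 5 deny log ip from table($TABLE) to any in via $EXT"
}

# Refill the table in the running firewall (or print the commands off-box).
apply_banlist() {   # $1 = blocklist file
    if command -v ipfw >/dev/null 2>&1; then
        banlist_commands "$1" | ipfw -q /dev/stdin
    else
        banlist_commands "$1"
    fi
}

LIST=$(write_sample_blocklist)
echo "rule to add to ipfw.rules:"; banlist_rule
echo "table commands:";            apply_banlist "$LIST"
rm -f "$LIST"
```

Put the line banlist_rule prints into ipfw.rules once, and run apply_banlist from cron whenever the blocklist changes; ipfw table 1 list shows what is currently banned. The table survives an ipfw flush of the rules, but it is empty after a reboot until the script has run, so call it from the rule script too.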