The IPFIREWALL (IPFW) is a FreeBSD-sponsored firewall software application authored and maintained by FreeBSD volunteer staff members. It uses the legacy stateless rules and a legacy rule coding technique to achieve what is referred to as Simple Stateful logic.
I'm running FreeBSD 7.0 and use freebsd-update to update the system side of FreeBSD, so this guide assumes that you're using a stock kernel. However, if you're running a custom kernel, take a look here (Section 31.6.1) before using the current guide.
Let's start by becoming the superuser and enable IPFW at boot time:
- % su
- # vi /etc/rc.conf
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
firewall_logging="YES"
Now we define an IPFW rule set. Below you'll find a rule set shamefully stolen from here and adapted to my needs. If you aren't planning to use FTP, remove the "$IPF 300 allow tcp from any to any 1024-65000 keep-state" line; it works around the trouble IPFW has with FTP connections.
- # vi /usr/local/etc/ipfw.rules
IPF="ipfw -q add"
ipfw -q -f flush
#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
# open port ftp (21), ssh (22), mail (25)
# http (80), dns (53), mldonkey (4080, 21452, 6882),
# darkstat (667)
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
$IPF 220 allow tcp from any to any 4080 in
$IPF 230 allow udp from any to any 4080 out
$IPF 240 allow tcp from any to any 21452 in
$IPF 245 allow udp from any to any 21452 in
$IPF 250 allow tcp from any to any 21452 out
$IPF 255 allow udp from any to any 21452 out
$IPF 260 allow tcp from any to any 6882 in
$IPF 270 allow tcp from any to any 6882 out
$IPF 280 allow tcp from any to any 667 in
$IPF 290 allow tcp from any to any 667 out
$IPF 300 allow tcp from any to any 1024-65000 keep-state
# deny and log everything
$IPF 500 deny log all from any to any
To enable logging, run the following commands:
- # vim /etc/syslog.conf
!ipfw
*.* /var/log/ipfw/ipfw.log
- # mkdir /var/log/ipfw
- # touch /var/log/ipfw/ipfw.log
- # killall -HUP syslogd
- # echo "net.inet.ip.fw.verbose_limit=5" >> /etc/sysctl.conf
- # sysctl net.inet.ip.fw.enable=1
- # sysctl net.inet.ip.fw.verbose=1
- # sysctl net.inet.ip.fw.verbose_limit=5
- # sh /etc/rc.d/ipfw start
- # sh /usr/local/etc/ipfw.rules
- # ipfw list
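Once rule 500 is logging, the useful question is which sources keep getting denied and on how many different ports. As an added example that is not from the original post or from FreeBSD, here is a small POSIX sh/awk function that reads the lines rule 500 writes to /var/log/ipfw/ipfw.log and lists sources denied on at least N distinct inbound TCP/UDP destination ports. The log lines, hostname and addresses are constructed (RFC 5737 ranges), and the assumed log layout is "ipfw: <rule> Deny <proto> <src>:<sport> <dst>:<dport> in via <if>".

```shell
#!/bin/sh
# Constructed sample of what rule 500 ("deny log all from any to any")
# writes via syslog to /var/log/ipfw/ipfw.log. Hosts and ports are made up.
SAMPLE_LOG='Mar 12 10:00:01 gw kernel: ipfw: 500 Deny TCP 203.0.113.5:51000 192.0.2.10:23 in via em0
Mar 12 10:00:02 gw kernel: ipfw: 500 Deny TCP 203.0.113.5:51001 192.0.2.10:135 in via em0
Mar 12 10:00:02 gw kernel: ipfw: 500 Deny TCP 203.0.113.5:51002 192.0.2.10:445 in via em0
Mar 12 10:00:03 gw kernel: ipfw: 500 Deny TCP 203.0.113.5:51003 192.0.2.10:3389 in via em0
Mar 12 10:00:05 gw kernel: ipfw: 500 Deny UDP 198.51.100.7:40000 192.0.2.10:161 in via em0
Mar 12 10:00:06 gw kernel: ipfw: 500 Deny ICMP:8.0 198.51.100.9 192.0.2.10 in via em0
Mar 12 10:00:07 gw kernel: ipfw: 500 Deny TCP 198.51.100.7:40001 192.0.2.10:22 in via em0'

# Print "<distinct-dst-ports> <src-ip>", most ports first, for every source
# that was denied inbound on at least $1 distinct TCP/UDP destination ports.
# Usage: ipfw_scan_sources MIN_PORTS < /var/log/ipfw/ipfw.log
ipfw_scan_sources() {
    awk -v min="$1" '
        {
            # Locate the "ipfw:" token so the syslog prefix length does not matter.
            for (i = 1; i <= NF && $i != "ipfw:"; i++) ;
            if (i > NF) next
            # Tokens after "ipfw:": rule action proto src:sport dst:dport dir ...
            # ICMP entries carry no ports and outbound denies are local, so skip both.
            if ($(i+2) != "Deny" || ($(i+3) != "TCP" && $(i+3) != "UDP")) next
            if ($(i+6) != "in") next
            split($(i+4), s, ":"); split($(i+5), d, ":")
            key = s[1] SUBSEP d[2]
            if (!(key in seen)) { seen[key] = 1; ports[s[1]]++ }
        }
        END { for (ip in ports) if (ports[ip] >= min) print ports[ip], ip }
    ' | sort -rn
}

# Number of sources at or above the threshold; handy as a cron alert condition.
count_scan_sources() {
    printf '%s\n' "$SAMPLE_LOG" | ipfw_scan_sources "$1" | wc -l | tr -d ' '
}
```

Run it against the live log with `ipfw_scan_sources 5 < /var/log/ipfw/ipfw.log`; the threshold is a starting point to tune against your own traffic.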
Resources:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO
http://tuxtraining.com/2008/10/16/setting-up-firewall-using-ipfw-in-freebsd
http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/
4 comments:
Hey!
Thanks for the very nice doc. I run http://freebsdhowto.com and my main focus is on FreeBSD and other *BSD flavors' howtos; what the site does is host all howtos and other types of docs in the *BSD arena.
I am interested in a collaboration with you and if you are as well, please contact me through my contact form and I'll get back to you :)
Hi there,
Glad you've liked the guide :)
Of course we can talk and even collaborate.
Regards.
Thanks for the explanation about ipfw. It just works fine on my BSD 7.1. I am new with FreeBSD and learning about firewalls. Could you show me an example of how to make a rule for a banlist of IP addresses?
I see a lot of IP addresses in my httpd-access.log (from China, Russia and also from the Netherlands etc.) who are scanning the software / ports.
How do I make a rule for a banlist of IP addresses in this good working firewall?
I have worked many years with Debian and used the shorewall firewall and I had a blacklist for the bad IP addresses and domains.
But I started in August '08 to work with FreeBSD 7.0 and I like this O.S. very much.
Thanks also for the other BSD stuff
FreeBSD_newbie
I'm not running any http services, so I didn't need rules for ban lists. Have a go at Google; I'm sure you'll find something helpful.
If you are interested in help thwarting SSH server attacks, have a look at http://linux-bsd-sharing.blogspot.com/2009/04/howto-using-denyhosts-to-help-thwart.html.