This is a tutorial I met at BSDTechTalk (located at: http://www.bsdtechtalk.com/showthread.php?t=78 )
Thought I'd share it here with everybody.
I hope this helps some people who are interested in getting a firewall up for their BSD system (although they should be).
==================
==================
Tutorial Title: Quick IPFW Tutorial
Tutorial Summary:
Quick IPFW tutorial and an example IPFW config file showing a setup for a freebsd server with a DirectAdmin control panel.
Author: Senad
Contact: [email protected]
BSD Type: FreeBSD
BSD Version: FreeBSD 5.x, 6.x
Tutorial:
On FreeBSD 5.x and 6.x, IPFW can be enabled by adding the IPFW options to /etc/rc.conf and then starting IPFW. FreeBSD 4.x needs IPFW compiled into the kernel.
All right, let's begin.
Firewall configuration
In /etc/rc.conf we added the following options to turn on IPFW:
Code:
nano /etc/rc.conf
Code:
firewall_enable="YES"              # load and start ipfw at boot
firewall_script="/etc/ipfw.rules"  # our own rules script, used instead of /etc/rc.firewall
Then create the rules file:
Code:
nano /etc/ipfw.rules
DirectAdmin Control Panel requires the following ports to be opened:
20, 21: FTP. Note that FTP will use a "random high port number" for the data connection if the client is in PORT mode, so you may need to add a port range to your /etc/proftpd.conf file to allow FTP connections, e.g.:
PassivePorts 32555 32565
and then open that port range as well in your firewall.
In our example we will use port 21 for FTP!
22: ssh access
25: smtp for exim to receive email
53: dns (named), so your sites resolve
80, 443: apache traffic, http and https
110: client pop email access
143: clients imap email access
2222: DirectAdmin Access
3306: mysql access. You don't need to open this port if you don't want to allow remote mysql access, as most mysql scripts are all accessed locally.
Add the following rules:
Code:
#!/bin/sh
##############################
# IPFW RULES Server
##############################
# Run by rc.d/ipfw via /bin/sh; $cmd keeps each rule line short
cmd="ipfw -q add"
# Start from an empty ruleset (-f skips the confirmation prompt)
ipfw -q -f flush
##############################
# Allow loopback and deny loopback spoofing
##############################
$cmd 05 allow all from any to any via lo0
$cmd 10 deny all from any to 127.0.0.0/8
$cmd 15 deny all from 127.0.0.0/8 to any
# Drop TCP fragments, which could otherwise slip past the port-based rules below
$cmd 20 deny tcp from any to any frag
##############################
# Stateful Rules
##############################
# Packets that belong to an existing dynamic (keep-state) entry are accepted here
$cmd 25 check-state
$cmd 30 allow tcp from any to any established
# Anything this host initiates is allowed, and the reply is tracked
$cmd 35 allow all from any to any out keep-state
$cmd 40 allow icmp from any to any
##############################
# Incoming services ("setup" matches only the TCP SYN, so one dynamic entry per new connection)
##############################
$cmd 45 allow tcp from any to any 21 in setup keep-state
# FTP is TCP only, and "setup" is a TCP option, so the original udp rule for port 21 could never match
#$cmd 46 allow udp from any to any 21 in keep-state
$cmd 50 allow tcp from any to any 22 in setup keep-state
$cmd 55 allow tcp from any to any 25 in setup keep-state
# No "setup" on a udp rule: with it, inbound UDP DNS queries were silently dropped
$cmd 60 allow udp from any to any 53 in keep-state
$cmd 61 allow tcp from any to any 53 in setup keep-state
$cmd 65 allow tcp from any to any 80 in setup keep-state
$cmd 70 allow tcp from any to any 443 in setup keep-state
$cmd 75 allow tcp from any to any 110 in setup keep-state
$cmd 80 allow tcp from any to any 143 in setup keep-state
$cmd 90 allow tcp from any to any 2222 in setup keep-state
# Outbound connections to ephemeral ports (rule 35 already matches these; kept for clarity)
$cmd 100 allow tcp from any to any 49152-65535 out setup keep-state
##############################
# Deny and log everything else
##############################
# "log" only produces entries (syslog security facility) when net.inet.ip.fw.verbose=1
$cmd 999 deny log all from any to any
Or use stateless rules for the service ports instead:
Code:
#!/bin/sh
##############################
# IPFW RULES Server
##############################
# Run by rc.d/ipfw via /bin/sh; $cmd keeps each rule line short
cmd="ipfw -q add"
# Start from an empty ruleset (-f skips the confirmation prompt)
ipfw -q -f flush
##############################
# Allow loopback and deny loopback spoofing
##############################
$cmd 10 allow all from any to any via lo0
$cmd 20 deny all from any to 127.0.0.0/8
$cmd 30 deny all from 127.0.0.0/8 to any
# Drop TCP fragments, which could otherwise slip past the port-based rules below
$cmd 40 deny tcp from any to any frag
##############################
# Stateful Rules
##############################
$cmd 50 check-state
# Replies to inbound connections (source port 21, 22, ...) are passed by this rule
$cmd 60 allow tcp from any to any established
$cmd 70 allow all from any to any out keep-state
$cmd 80 allow icmp from any to any
##############################
# Incoming/outgoing services
# "in" lines accept new connections to the service; "out" lines let this host
# connect out to the same port elsewhere (no state is kept for either)
##############################
$cmd 90 allow tcp from any to any 21 in
$cmd 100 allow tcp from any to any 21 out
# FTP is TCP only, so the original udp rules for port 21 are not needed
#$cmd 110 allow udp from any to any 21 in
#$cmd 120 allow udp from any to any 21 out
$cmd 130 allow tcp from any to any 22 in
$cmd 140 allow tcp from any to any 22 out
$cmd 150 allow tcp from any to any 25 in
$cmd 160 allow tcp from any to any 25 out
$cmd 170 allow udp from any to any 53 in
$cmd 180 allow udp from any to any 53 out
$cmd 190 allow tcp from any to any 80 in
$cmd 200 allow tcp from any to any 80 out
$cmd 210 allow tcp from any to any 443 in
$cmd 220 allow tcp from any to any 443 out
$cmd 230 allow tcp from any to any 110 in
$cmd 240 allow tcp from any to any 110 out
$cmd 250 allow tcp from any to any 143 in
$cmd 260 allow tcp from any to any 143 out
$cmd 270 allow tcp from any to any 2222 in
$cmd 280 allow tcp from any to any 2222 out
# Outbound connections to ephemeral ports (rule 70 already matches these; kept for clarity)
$cmd 290 allow tcp from any to any 49152-65535 out
##############################
# Deny and log everything else
##############################
# "log" only produces entries (syslog security facility) when net.inet.ip.fw.verbose=1
$cmd 999 deny log all from any to any
Now let's start ipfw:
Code:
/etc/rc.d/ipfw start
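As an added check that is not part of the tutorial, the Python script below parses a rules file written in the `$cmd NNN ...` style used above and audits it against the DirectAdmin port list: it flags `setup` on non-TCP rules (the udp lines in the original, which can never match), reports required ports that have no inbound allow rule, and confirms that the final rule is the logging catch-all. The port set and rule grammar come from this page; the sample ruleset is constructed.

```python
import re

REQUIRED_TCP_PORTS = {21, 22, 25, 53, 80, 443, 110, 143, 2222}  # the DirectAdmin list above (3306 is optional)
PORT_RE = re.compile(r"^(\d+)(?:-(\d+))?$")  # a port or lo-hi range in the destination slot

# Constructed sample in the tutorial's format: it keeps the udp+setup line and leaves out port 143.
SAMPLE_RULES = """\
$cmd 45 allow tcp from any to any 21 in setup keep-state
$cmd 46 allow udp from any to any 21 in setup keep-state
$cmd 50 allow tcp from any to any 22 in setup keep-state
$cmd 55 allow tcp from any to any 25 in setup keep-state
$cmd 61 allow tcp from any to any 53 in setup keep-state
$cmd 65 allow tcp from any to any 80 in setup keep-state
$cmd 70 allow tcp from any to any 443 in setup keep-state
$cmd 75 allow tcp from any to any 110 in setup keep-state
$cmd 90 allow tcp from any to any 2222 in setup keep-state
$cmd 100 allow tcp from any to any 49152-65535 out setup keep-state
$cmd 999 deny log all from any to any
"""

def parse_rule(line):  # '$cmd NUM action [log] proto from SRC to DST [DPORT] OPTS...' -> dict, else None
    toks = line.split()
    if len(toks) < 3 or toks[0] != "$cmd" or not toks[1].isdigit():
        return None
    log = len(toks) > 3 and toks[3] == "log"
    body = toks[4:] if log else toks[3:]
    dport, opts = None, []
    if "to" in body:
        opts = body[body.index("to") + 2:]  # everything after the destination address
        m = PORT_RE.match(opts[0]) if opts else None
        if m:  # a destination port (or range) sits before the options
            dport, opts = (int(m[1]), int(m[2] or m[1])), opts[1:]
    return {"num": int(toks[1]), "action": toks[2], "log": log,
            "proto": body[0] if body else None, "dport": dport, "opts": set(opts)}

def audit(script):
    """Return findings for a rules script; an empty list means every check passed."""
    rules = [r for r in map(parse_rule, script.splitlines()) if r]
    findings = []
    for r in rules:  # 'setup' matches TCP SYNs only, so on udp/icmp the rule is dead
        if "setup" in r["opts"] and r["proto"] != "tcp":
            findings.append(f"rule {r['num']}: 'setup' only matches TCP SYNs, so this {r['proto']} rule never matches")
    for port in sorted(REQUIRED_TCP_PORTS):  # every required service needs an inbound allow
        if not any(r["action"] == "allow" and r["proto"] == "tcp" and r["dport"]
                   and r["dport"][0] <= port <= r["dport"][1] and "out" not in r["opts"] for r in rules):
            findings.append(f"port {port}/tcp: no inbound allow rule")
    last = rules[-1]  # the catch-all must be last and must log what it drops
    if not (last["action"] == "deny" and last["log"] and last["dport"] is None):
        findings.append(f"rule {last['num']}: last rule should be 'deny log all from any to any'")
    return findings
```

Run `audit(open("/etc/ipfw.rules").read())` before `/etc/rc.d/ipfw start`; the checks only cover the tutorial's rule shapes, not the full ipfw grammar.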