How To: Install IPFW Firewall FreeBSD

existenz

Starting with the 4.x series, FreeBSD included a built-in firewall called ipfw. ipfw is a packet filtering firewall, and in this how-to I will show you how to install ipfw on your server. Here are the basic steps:

1) Recompile kernel with ipfw
2) Add configuration options to rc.conf
3) Add firewall rules

1) If this is your first time recompiling your kernel, I suggest reading my tutorials on cvsup. While it is not necessary, if you upgrade your system later these settings could be removed during an upgrade.

We are now going to build a custom kernel with some basic firewall options.

host# cd /usr/src/sys/i386/conf
host# cp GENERIC FIREWALL

Add the following lines to the new custom kernel called FIREWALL

host# ee FIREWALL
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=15

Now we are going to compile the new kernel

host# cd /usr/src
host# make kernel KERNCONF=FIREWALL

2) Now we are going to tell the system to start the firewall on boot and where the firewall rules are located.

host# ee /etc/rc.conf
firewall_enable="YES"
firewall_type="/usr/local/etc/firewall.rules"
firewall_flags="-p cpp"

3) Now we need to create the firewall.rules file. I have attached a sample file you could use as a start. If you want to see what you have open right now, run this command and modify the sample to make your own firewall.rules file.

host# sockstat -4

If you are using my sample firewall.rules.txt file, just download it and open it in your favorite text editor. Then copy that into the next command.

host# ee /usr/local/etc/firewall.rules
host# shutdown -r now

Check to make sure ipfw is working

host# ipfw list

Thanks to rhoekman and Xuru for also lending their help with this.
 

Attachment: firewall.rules.txt
Should also add: options IPFIREWALL_DEFAULT_TO_ACCEPT

just in case something goes wrong when you reboot.
 
You don't want to do that by default. The argument can go either way, but that option will in the long run leave the server open to attack.

You could add that option to make sure that the firewall rules work and then remove it once you know it works.
 
Has anyone followed this how-to successfully using the example rules? When I tried it I was locked out of my box, so it would be good to know if anyone got it working.


vetrun
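The sample firewall.rules.txt from the first post is not reproduced in this thread, and the replies above show the two ways people get into trouble with step 3: shipping a ruleset that relies on the kernel default rule (hence the IPFIREWALL_DEFAULT_TO_ACCEPT debate), and loading new rules over ssh with no way back. The script below is an added example, not existenz's file and not part of FreeBSD's rc.firewall. It generates a small stateful, default-deny ruleset in plain ipfw syntax (so firewall_flags="-p cpp" is not needed for it), checks that the ruleset ends in an explicit deny, and wraps loading in a timed safety net. It assumes the interface rl0 and the network 66.243.176.0/24 that the thread uses; the admin host 203.0.113.5 and the open services (ssh, http) are constructed placeholders.

```shell
#!/bin/sh
# Added example for the ipfw how-to; not the original poster's sample file.
# Assumed values: outside interface rl0, outside network 66.243.176.0/24
# (both from the thread), admin host 203.0.113.5 (constructed placeholder).

# gen_rules OIF ONET ADMIN
# Prints a minimal stateful, default-deny ruleset. ipfw matches rules in
# number order and stops at the first match, so the final "deny log" at
# 900 means the kernel default rule 65535 never decides anything, whether
# the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT or not.
gen_rules() {
    oif=$1
    onet=$2
    admin=$3
    cat <<EOF
# loopback is always allowed; 127/8 must never appear on other interfaces
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
# private source addresses have no business arriving on a public interface
add 400 deny ip from 10.0.0.0/8 to any in via ${oif}
add 410 deny ip from 172.16.0.0/12 to any in via ${oif}
add 420 deny ip from 192.168.0.0/16 to any in via ${oif}
# sessions already allowed below are matched here by their dynamic rules
add 500 check-state
# anything this host opens itself is allowed and tracked
add 600 allow tcp from me to any out via ${oif} setup keep-state
add 610 allow udp from me to any out via ${oif} keep-state
add 620 allow icmp from me to any out via ${oif} keep-state
# inbound services: ssh from the admin host and from our own network
# (CIDR form; the sample's cpp defines used ip:mask), http from anywhere
add 700 allow tcp from ${admin} to me 22 in via ${oif} setup keep-state
add 705 allow tcp from ${onet} to me 22 in via ${oif} setup keep-state
add 710 allow tcp from any to me 80 in via ${oif} setup keep-state
# echo reply, unreachable, echo request, time exceeded: enough for ping/traceroute
add 800 allow icmp from any to me in via ${oif} icmptypes 0,3,8,11
# log and drop everything else (needs IPFIREWALL_VERBOSE for the log)
add 900 deny log ip from any to any
EOF
}

# check_rules < ruleset
# Succeeds only when the last numbered rule is a deny, i.e. the file does
# not depend on the kernel default rule to drop unmatched traffic.
check_rules() {
    last=$(grep '^add ' | tail -n 1)
    case "$last" in
        "add "*" deny "*) return 0 ;;
        *) return 1 ;;
    esac
}

# safe_load RULES_FILE [SECONDS]
# Loads a ruleset on a remote box without risking a lockout: a background
# job inserts "rule 1 allow all" after SECONDS, which bypasses every rule
# below it, unless safe_cancel is run first from a still-working session.
safe_load() {
    rules=$1
    grace=${2:-180}
    ( sleep "$grace"; ipfw -q add 1 allow ip from any to any ) &
    echo $! > /var/run/ipfw-safety.pid
    ipfw -q flush
    ipfw -q "$rules"
    echo "rules loaded; run safe_cancel within ${grace}s if you can still log in"
}

safe_cancel() {
    kill "$(cat /var/run/ipfw-safety.pid)" && rm -f /var/run/ipfw-safety.pid
    # in case the grace period already expired, remove the bypass rule too
    ipfw -q delete 1 2>/dev/null || true
}

# usage on the server (constructed placeholders, adjust before use):
#   sh firewall.sh install && safe_load /usr/local/etc/firewall.rules 180
if [ "${1:-}" = "install" ]; then
    gen_rules rl0 66.243.176.0/24 203.0.113.5 > /usr/local/etc/firewall.rules
    check_rules < /usr/local/etc/firewall.rules || echo "warning: no final deny"
fi
```

With this file in place, the rc.conf lines from step 2 reduce to firewall_enable="YES" and firewall_type="/usr/local/etc/firewall.rules"; the firewall_flags line can be dropped. The safety-net idea works because ipfw's first-match semantics let a single rule numbered 1 override the whole ruleset, so a bad ruleset costs at most the grace period rather than a trip to the console.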
 
From your firewall rules, if I need to allow multiple IPs for the server, would this work to allow 66.243.176.* as valid IPs on the machine?

/** set these to your outside interface network and netmask and ip **/
#define oif rl0
#define oip 66.243.176.1/24
#define onet 66.243.176.1:255.255.255.224
 
bjseiler said:
From your firewall rules, if I need to allow multiple IP's for the server, would this work to allow 66.243.176.* as valid IP's on the machine?

/** set these to your outside interface network and netmask and ip **/
#define oif rl0
#define oip 66.243.176.1/24
#define onet 66.243.176.1:255.255.255.224

yes, it should work.


existenz: what is the part of your rules named "@home operators"?
 
I ended up blocking a bunch of people on my server by using your rules...
 
A note

I have followed the steps and successfully configured IPFW and finished recompiling the kernel. For those who are worried about access to the system after enabling IPFW, just add the following lines to your rc.conf

firewall_enable="YES"
firewall_type="open"

No rules will be needed to work with your system until you need to add your customized rules.

Regards,

| Farzan Qureshi | Network Engineer | Cubexs Weatherly Pvt. Ltd. | M: +92 334 397 2377 | UAN: 111 282 397 ext. 3011 |
 
You can always just type "kldload ipfw" without rebooting and add the lines in /etc/rc.conf for further reboots.
 
So this works for all FreeBSD versions? Do I have to customize it for my server and its IP addresses?
 