Welcome to ipfwrocks.org
Welcome to ipfwrocks.org. The purpose of this site is to provide a quick and easy guide to establishing a FreeBSD firewall. The firewall documented on this site is meant to be used for a typical web server, so the rules found in the firewall script cater to typical web servers. Alterations may be needed if you intend to use this firewall for other purposes. The firewall found here is a modified version of the one found at: http://bsdvault.net/sections.php?op=viewarticle&artid=6. This site is currently under development and may be incomplete in some areas.

Step 1: Getting your kernel properly configured

To view your current kernel options, do the following. This assumes that you don't have a custom kernel; if you do, substitute its name for "GENERIC":

```
vi /usr/src/sys/i386/conf/GENERIC
```

Check for the following options:

```
options IPFIREWALL
```

If the above options are not present, you will need to add them and then recompile your kernel. If you need help doing this, click here.

Step 2: The rc.conf file

After you've recompiled the kernel with the above options, you'll want to configure your server's /etc/rc.conf file so that it can handle your server's new firewall. By default, your server's firewall is going to DENY all traffic, so obviously we want to instruct the server to open itself to certain traffic. This is where the rc.conf script comes into play. It's going to do 3 things:

1. It will enable the firewall.
2. It will set the firewall default action to "open" instead of "closed".
3. It will then import a custom firewall script that instructs the server to allow specified traffic and deny everything else.

So let's do it. First, make a backup copy of your current rc.conf:

```
cp /etc/rc.conf /etc/rc.conf.bak
```

Now edit /etc/rc.conf and add the following lines:

```
firewall_enable="YES"
```

All done. Now for the last step: we will construct our custom firewall script.

Step 3: The firewall script

And now we create the firewall script. In the script below you will want to replace "rl0" with the name of your server's interface.

```sh
#!/bin/sh
fwcmd="/sbin/ipfw"

# start from an empty ruleset (-f suppresses the confirmation prompt)
$fwcmd -f flush

# allow everything on the loopback interface
$fwcmd add allow ip from any to any via lo0

# allow the server to open outbound TCP connections on rl0
$fwcmd add allow tcp from any to any out xmit rl0 setup

# allow packets belonging to already-established TCP connections on rl0
$fwcmd add allow tcp from any to any via rl0 established

# allow new inbound connections to port 21 (ftp control)
$fwcmd add allow tcp from any to any 21 setup

# answer inbound ident (port 113) probes on rl0 with a TCP reset, and log them
$fwcmd add reset log tcp from any to any 113 in recv rl0

# allow outbound DNS queries on rl0; nothing above matches the inbound UDP replies
$fwcmd add allow udp from any to any 53 out xmit rl0

# rule 65435: deny and log everything that did not match an earlier rule
$fwcmd add 65435 deny log ip from any to any
```
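To see how ipfw's first-match evaluation treats the rules listed above, here is an added Python evaluator (example code written for this page, not from ipfwrocks.org and not ipfw's own matcher) that encodes those rules in order and runs a few constructed packets through them. The packet fields and the rule tuple layout are simplifications chosen for illustration.

```python
# Added example (constructed model, not ipfw's own matcher): first-match evaluation of
# the rules listed above. Rule = (action, proto, dst_port, direction, iface, tcp_state);
# None means "any". The "flush" line is not a rule and is omitted.
RULES = [
    ("allow", "ip",  None, None,  "lo0", None),          # allow ip from any to any via lo0
    ("allow", "tcp", None, "out", "rl0", "setup"),       # allow tcp ... out xmit rl0 setup
    ("allow", "tcp", None, None,  "rl0", "established"), # allow tcp ... via rl0 established
    ("allow", "tcp", 21,   None,  None,  "setup"),       # allow tcp from any to any 21 setup
    ("reset", "tcp", 113,  "in",  "rl0", None),          # reset log tcp ... 113 in recv rl0
    ("allow", "udp", 53,   "out", "rl0", None),          # allow udp from any to any 53 out xmit rl0
    ("deny",  "ip",  None, None,  None,  None),          # 65435 deny log ip from any to any
]

def packet(proto, dport, direction, iface, syn=False, ack=False, rst=False):
    """Constructed packet carrying only the fields the rules above inspect."""
    return dict(proto=proto, dport=dport, dir=direction, iface=iface, syn=syn, ack=ack, rst=rst)
def matches(rule, pkt):
    _, proto, dport, direction, iface, tcp_state = rule
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if dport is not None and pkt["dport"] != dport:
        return False
    if direction is not None and pkt["dir"] != direction:
        return False
    if iface is not None and pkt["iface"] != iface:
        return False
    # ipfw "setup" = SYN set and ACK clear; "established" = ACK or RST set
    if tcp_state == "setup" and not (pkt["syn"] and not pkt["ack"]):
        return False
    if tcp_state == "established" and not (pkt["ack"] or pkt["rst"]):
        return False
    return True

def verdict(pkt):
    """The first matching rule decides; with no match ipfw's implicit last rule denies."""
    for rule in RULES:
        if matches(rule, pkt):
            return rule[0]
    return "deny"

if __name__ == "__main__":
    cases = {
        "inbound SYN to tcp/80 on rl0 (a web client)":  packet("tcp", 80, "in", "rl0", syn=True),
        "inbound ACK on rl0 (established flow)":        packet("tcp", 44321, "in", "rl0", ack=True),
        "inbound SYN to tcp/113 (ident)":               packet("tcp", 113, "in", "rl0", syn=True),
        "outbound DNS query to udp/53":                 packet("udp", 53, "out", "rl0"),
        "inbound DNS reply to an ephemeral udp port":   packet("udp", 51515, "in", "rl0"),
    }
    for name, pkt in cases.items():
        print(f"{verdict(pkt):6} {name}")
```

Running it shows that, with exactly these rules, a client's inbound SYN to port 80 and the inbound UDP reply to an outbound DNS query both fall through to the final deny, so a web server built from this script needs matching allow rules for that traffic.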