Welcome to ipfwrocks.org

Welcome to ipfwrocks.org. The purpose of this site is to provide a quick and easy guide to establishing a FreeBSD firewall. The firewall documented on this site is meant to be used for a typical web server. Therefore, the rules found in the firewall script cater to typical web servers. Alterations may be needed if you intend to use this firewall for other purposes. The firewall found here is a modified version of the one found at: http://bsdvault.net/sections.php?op=viewarticle&artid=6.

This site is currently under development and may be incomplete in some areas.

Step 1: Getting your kernel properly configured

To view your current kernel options, you will want to do the following. This assumes that you don't have a custom kernel. If you do, then substitute the name of it for "GENERIC":

vi /usr/src/sys/i386/conf/GENERIC

Check for the following options:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT

options TCP_DROP_SYNFIN

If the above options are not present, you will need to add them and then recompile your kernel. If you need help doing this, click here.

Step 2: The rc.conf file

After you've recompiled the kernel with the above options, you'll want to configure your server's /etc/rc.conf file so that it can handle your server's new firewall. By default, your server's firewall is going to DENY all traffic. So obviously, we want to instruct the server to open itself to certain traffic. This is where the rc.conf script comes into play. It's going to do 3 things:

1. It will enable the firewall

2. It will set the firewall default action to "open" instead of "closed".

3. It will then import a custom firewall script that instructs the server to allow specified traffic and deny everything else.

So let's do it. First, make a backup copy of your current rc.conf:

cp /etc/rc.conf /etc/rc.conf.bak

Now edit /etc/rc.conf and add the following lines:

firewall_enable="YES"
firewall_type="open"
firewall_script="/etc/ipfw.rules"

All done. Now for the last step. We will construct our custom firewall script.

Step 3: The firewall script

And now we create the firewall script. In the script below you will want to replace "rl0" with the name of your server's interface.

#!/bin/sh

fwcmd="/sbin/ipfw"

# Start from an empty ruleset (-f skips the confirmation prompt)
$fwcmd -f flush

# Allow everything on the loopback interface
$fwcmd add allow ip from any to any via lo0

# Allow outbound TCP connections initiated by this server...
$fwcmd add allow tcp from any to any out xmit rl0 setup

# ...and the rest of any established TCP session in either direction
$fwcmd add allow tcp from any to any via rl0 established

# Inbound TCP connections to the services this web server offers
$fwcmd add allow tcp from any to any 21 setup    # FTP
$fwcmd add allow tcp from any to any 22 setup    # SSH
$fwcmd add allow tcp from any to any 25 setup    # SMTP
$fwcmd add allow tcp from any to any 43 setup    # whois
$fwcmd add allow tcp from any to any 80 setup    # HTTP
$fwcmd add allow tcp from any to any 110 setup   # POP3
$fwcmd add allow tcp from any to any 143 setup   # IMAP
$fwcmd add allow tcp from any to any 443 setup   # HTTPS
$fwcmd add allow tcp from any to any 789 setup

# Answer (and log) inbound ident/auth probes with a RST instead of silently dropping them
$fwcmd add reset log tcp from any to any 113 in recv rl0

# DNS: outbound queries and the replies to them
$fwcmd add allow udp from any to any 53 out xmit rl0
$fwcmd add allow udp from any 53 to any in recv rl0

# ICMP: allow what this host sends, deny everything else
$fwcmd add 03000 allow icmp from me to any
$fwcmd add 04000 deny icmp from any to any

# Default: deny and log everything not matched above
$fwcmd add 65435 deny log ip from any to any
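
Added example (not the ipfwrocks.org script): a POSIX sh helper that renders the ruleset above for a chosen interface and list of service ports and, by default, prints the ipfw commands instead of running them, so the rules can be reviewed before they go into /etc/ipfw.rules; check_rules confirms the rendered set still ends in the logged deny-all and no longer names the rl0 placeholder. The fw, render_rules and check_rules names and the DRY_RUN variable are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the ipfwrocks.org script. FWCMD and DRY_RUN are assumed
# names; with DRY_RUN=1 (the default) nothing is applied to the live firewall.
FWCMD="${FWCMD:-/sbin/ipfw}"
DRY_RUN="${DRY_RUN:-1}"

# fw: run one ipfw command, or print it when in dry-run mode
fw() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$FWCMD $*"
    else
        "$FWCMD" "$@"
    fi
}

# render_rules IFACE "PORT PORT ..." : emit the ruleset for IFACE, accepting
# inbound TCP connections only on the listed service ports
render_rules() {
    iface="$1"
    ports="$2"
    fw -f flush
    fw add allow ip from any to any via lo0
    # outbound connections this host initiates, and established sessions
    fw add allow tcp from any to any out xmit "$iface" setup
    fw add allow tcp from any to any via "$iface" established
    # one rule per offered service, as in the original script
    for p in $ports; do
        fw add allow tcp from any to any "$p" setup
    done
    fw add reset log tcp from any to any 113 in recv "$iface"
    fw add allow udp from any to any 53 out xmit "$iface"
    fw add allow udp from any 53 to any in recv "$iface"
    fw add 03000 allow icmp from me to any
    fw add 04000 deny icmp from any to any
    fw add 65435 deny log ip from any to any
}

# check_rules IFACE : read a rendered ruleset on stdin; exit 0 only if the
# last rule is the logged deny-all and, unless IFACE really is rl0, no rule
# still carries the rl0 placeholder from the page's script
check_rules() {
    awk -v iface="$1" '
        ($0 ~ / rl0 / || $0 ~ / rl0$/) && iface != "rl0" { bad = 1 }
        { last = $0 }
        END {
            if (bad) exit 1
            if (last !~ /65435 deny log ip from any to any$/) exit 1
        }'
}
```

Run as `DRY_RUN=1 sh rules.sh` after appending `render_rules em0 "22 80 443" | check_rules em0` to review the generated commands; only set DRY_RUN=0 from a console session, since the initial flush drops every rule until the rest are loaded.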

The Rocks Project