Linux Inspirations

How To: Install IPFW Firewall FreeBSD

Posted on: 6 February, 2010

Starting with the 4.x series, FreeBSD included a built-in firewall called ipfw. ipfw is a packet filtering firewall, and in this how-to I will show you how to install ipfw on your server. Here are the basic steps:
1) Recompile kernel with ipfw
2) Add configuration options to rc.conf
3) Add firewall rules

1) If this is your first time recompiling your kernel, I suggest you read my tutorials on cvsup. While it is not strictly necessary, if you upgrade your system later these settings could be removed during the upgrade.

We are now going to build a custom kernel with some basic firewall options.

host# cd /usr/src/sys/i386/conf
host# cp GENERIC FIREWALL

Add the following lines to the new custom kernel called FIREWALL

host# ee FIREWALL
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=15

Now we are going to compile the new kernel

host# cd /usr/src
host# make kernel KERNCONF=FIREWALL

2) Now we are going to tell the system to start the firewall on boot and where the firewall rules are located.

host# ee /etc/rc.conf
firewall_enable="YES"
firewall_type="/usr/local/etc/firewall.rules"
firewall_flags="-p cpp"

3) Now we need to create the firewall.rules file. I have attached a sample file you could use as a start. If you want to see which ports you currently have open, run this command and use its output to make your own firewall.rules file.

host# sockstat -4

If you are using my sample firewall.rules.txt file, just download it and open it in your favorite text editor, then paste its contents into the file created by the next command.

host# ee /usr/local/etc/firewall.rules
host# shutdown -r now

Check to make sure ipfw is working

host# ipfw list

SAMPLE

/** set these to your outside interface network and netmask and ip **/
#define oif  rl0
#define oip  1.1.1.1
#define onet 1.1.1.1:255.255.252.0

/** Un-welcome address **/
#define badsite1    194.251.240.105:255.255.255.0
#define badsite2    24.112.239.158
#define badsite3    209.247.40.170:255.255.255.0
#define badsite4    195.230.153.1:255.255.255.0
#define badsite5    194.183.177.1:255.255.255.0
#define badsite6    61.9.189.48:255.255.255.0
#define badsite7    213.243.178.226:255.255.255.0
#define badsite8    217.5.72.84
#define badsite9    61.116.112.177
#define badsitea    193.231.15.134
#define badsiteb    217.0.149.105:255.255.255.0
#define badsitec    61.216.62.200
#define badsited    203.231.153.180
#define badsitee    66.21.192.41
#define badsitef    61.209.170.123
#define badsiteg    61.216.61.192
#define badsiteh    152.81.1.137
#define badsitei    128.244.34.216

/** @home operators **/
#define scansite1   24.0.0.203:255.255.255.0
#define scansite2   24.0.94.130:255.255.255.0
#define scansite3   24.0.24.51:255.255.255.0
#define scansite4   24.0.16.94:255.255.255.0
#define scansite5   24.112.31.170:255.255.255.0
#define scansite6   24.112.32.106
#define scansite7   66.185.84.200:255.255.255.0

/** drop Un-welcome address **/
add deny log all from badsite1 to any
add deny log all from badsite2 to any
add deny log all from badsite3 to any
add deny log all from badsite4 to any
add deny log all from badsite5 to any
add deny log all from badsite6 to any
add deny log all from badsite7 to any
add deny log all from badsite8 to any
add deny log all from badsite9 to any
add deny log all from badsitea to any
add deny log all from badsiteb to any
add deny log all from badsitec to any
add deny log all from badsited to any
add deny log all from badsitee to any
add deny log all from badsitef to any
add deny log all from badsiteg to any
add deny log all from badsiteh to any
add deny log all from badsitei to any

/** Deny scanning address **/
add deny log all from scansite1 to any in via oif
add deny log all from scansite2 to any in via oif
add deny log all from scansite3 to any in via oif
add deny log all from scansite4 to any in via oif
add deny log all from scansite5 to any in via oif
add deny log all from scansite6 to any in via oif
add deny log all from scansite7 to any in via oif

/** Deny @home network broadcast **/
add deny all from any to 255.255.255.255 in via oif
add deny all from any to 24.255.255.255 in via oif
add deny all from any to 100.100.100.0/24 in via oif

/** Stop spoofing. The first rule only makes sense if the box also has an inside
    interface: "iif" is never #define'd in this file, so cpp passes it through and
    ipfw would take "iif" as a literal interface name. Either add a
    "#define iif <your-inside-NIC>" above or drop that rule; the second rule is the
    one that protects a single-interface host. **/
add deny log all from onet to any in via iif
add deny log all from oip to any in via oif

/** Stop RFC1918 nets as destination on the outside interface **/
add deny all from any to 10.0.0.0/8 via oif
add deny all from any to 172.16.0.0/12 via oif
add deny all from any to 192.168.0.0/16 via oif

/**
Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
on the outside interface
**/
add deny all from any to 0.0.0.0/8 via oif
add deny all from any to 169.254.0.0/16 via oif
add deny all from any to 192.0.2.0/24 via oif
add deny all from any to 224.0.0.0/4 via oif
add deny all from any to 240.0.0.0/4 via oif

/** Stop RFC1918 nets as source on the outside interface **/
add deny all from 10.0.0.0/8 to any via oif
add deny all from 172.16.0.0/12 to any via oif
add deny all from 192.168.0.0/16 to any via oif

/**
Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
on the outside interface
**/
add deny all from 0.0.0.0/8 to any via oif
add deny all from 169.254.0.0/16 to any via oif
add deny all from 192.0.2.0/24 to any via oif
add deny all from 224.0.0.0/4 to any via oif
add deny all from 240.0.0.0/4 to any via oif

/************************/
/** Check dynamic rules
/************************/
add check-state

/** Allow TCP through if setup succeeded **/
add allow tcp from any to any established

/** Allow IP fragments through **/
add allow all from any to any frag

/** Allow setup of SMTP **/
add allow tcp from any to oip 25 setup

/** Allow setup of POP3 **/
add allow tcp from any to oip 110 setup

/** Allow setup of IMAP4 **/
add allow tcp from any to oip 143 setup

/** Allow setup of ssh **/
add allow tcp from any to oip 22 setup

/** Allow setup of HTTP **/
add allow tcp from any to oip 80,443 setup

/** Allow setup of DirectAdmin **/
add allow tcp from any to oip 2222 setup

/** Allow setup of FTP **/
add allow tcp from any to oip 20,21 setup

/** Allow setup of FTP PASSIVE **/
add allow tcp from any to oip 49152-65534 setup

/** Reject and Log all setup of incoming connections from the outside **/
add deny log tcp from any to any in via oif setup

/** Allow setup of any other TCP connection **/
add allow tcp from any to any setup

/**************************/
/** Allow UDP to outside
/**************************/
add pass udp from me to any 53 keep-state
add pass udp from any to me 53

add allow udp from oip to any out via oif keep-state

/**************************/
/** Allow ping to outside
/**************************/
add allow icmp from oip to any out via oif icmptypes 8 keep-state

/*******************************/
/** Log all unrecognized attempts
/*******************************/
add deny all from any to not oip in via oif
add deny log all from any to any
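
As an added example, not part of the original post or of FreeBSD's own tooling: a small POSIX shell script that reproduces what the "-p cpp" flag in rc.conf does to this rules file (stripping the comments and substituting the #define names) and then lists every name used after "via" that is not a real interface, which is how a rule referring to a macro the file never defined shows up before you reboot into it. It assumes only sh, awk and sort; the function names, the interface-list argument and the three-rule excerpt are constructed for this example.

```shell
# expand_rules [FILE]: emulate what "ipfw -p cpp" does to a rules file like the one
# above: strip /* */ comments (even multi-line ones) and replace each whitespace-
# delimited word that is a #define name with its value.  Only that subset of cpp
# is emulated (no #include, no nested macros).  Reads stdin if FILE is omitted.
expand_rules() {
    awk '{ line = $0; out = ""
        while (length(line) > 0) {
            if (incomment) {                         # inside a comment: skip to "*/"
                e = index(line, "*/")
                if (e == 0) break
                line = substr(line, e + 2); incomment = 0
            } else {                                 # outside: keep text before "/*"
                s = index(line, "/*")
                if (s == 0) { out = out line; break }
                out = out substr(line, 1, s - 1)
                line = substr(line, s + 2); incomment = 1
            }
        }
        if (out ~ /^[ \t]*#define[ \t]/) {           # record a macro definition
            sub(/^[ \t]*#define[ \t]+/, "", out)
            name = out; sub(/[ \t].*/, "", name)
            val = out; sub(/^[^ \t]+[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            def[name] = val; next
        }
        if (out ~ /^[ \t]*$/) next                   # comment-only or blank line
        n = split(out, w, /[ \t]+/); res = ""
        for (i = 1; i <= n; i++) {
            if (w[i] == "") continue
            tok = (w[i] in def) ? def[w[i]] : w[i]   # undefined names pass through
            res = res (res == "" ? "" : " ") tok
        }
        print res
    }' "${1:--}"
}

# unknown_ifaces IFACE...: expand the rules on stdin and print each name used after
# "via" that is not a real interface given as an argument.  A macro the file never
# #define'd (like "iif" in the sample above) is reported: cpp leaves it untouched.
unknown_ifaces() {
    expand_rules | awk -v known=" $* " '{ for (i = 1; i < NF; i++)
        if ($i == "via" && index(known, " " $(i + 1) " ") == 0) print $(i + 1) }' | sort -u
}

# Constructed three-rule excerpt in the format of the sample file above.
sample_rules() {
    printf '%s\n' '/** outside interface **/' '#define oif  rl0' '#define oip  1.1.1.1' \
        '/** Stop spoofing **/' 'add deny log all from onet to any in via iif' \
        'add deny log all from oip to any in via oif'
}
```

On the FreeBSD box itself, "ipfw -n -p cpp /usr/local/etc/firewall.rules" is the real syntax-only dry run; this script is for inspecting the expanded rules on any machine, for example "sample_rules | unknown_ifaces rl0" prints "iif".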
