ServerAdmins.NET » ipfw http://serveradmins.net Stuff for Server Admins... Wed, 07 Dec 2011 23:39:36 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 A Basic IPFW firewall HowTo for FreeBSD… http://serveradmins.net/a-basic-ipfw-firewall-howto-for-freebsd/ http://serveradmins.net/a-basic-ipfw-firewall-howto-for-freebsd/#comments Fri, 19 Feb 2010 01:42:27 +0000 chrism http://serveradmins.net/?p=65 Of all the different OS’s and the multitude of firewall implementations for each, my favorite has to be FreeBSD’s IPFW ruleset. It’s powerful, super efficient, and most of all, *EASY* to read!

So I’m just going to paste a sample firewall below, notate it heavily for you, and show you how to get it enabled.

For newer FreeBSD builds, it’s enough to add firewall_enable="YES" to your /etc/rc.conf file and reboot. This will load all the necessary kernel modules, and get you in shape. You should know that by default FreeBSD defaults to a ‘default deny’ policy. This is *VERY* important to know. What it means is that by default, your server isn’t going to open up any ports. You *WILL* be locked out if you do not have a firewall in place. Don’t say I didn’t warn you!

So, with that being said, let’s get our firewall in built and in place, and then we’ll go about adding in the necessary options to ensure it comes up properly on boot. It should noted here that you can build in a “Default to accept” option into the kernel or “firewall_type=”open” to the /etc/rc.conf to start up wide open. This is the suggested practice as the chances are, you’re not close enough to your server to console it. :)

Let’s get our basic firewall going. We’re going to open up 22 for SSH, 80 for web traffic, 25 for SMTP and 110/143 for POP3/IMAP mail. The syntax is simple enough you should be able to customize it for your own needs, but always make sure your SSH port is accessible. Also if you run SSH on an alternative port, you should modify that here. You don’t want to lock yourself out now, do you?

So go ahead, login as root to your server, open up your text editor of choice. For the purpose of this post, I’m going to assume you’re creating the file /etc/firewall.sh. If not, modify where appropriate. :) You should also make sure this file is executable by root, otherwise it won’t fire off properly on reboot.


#!/bin/sh

set -e

#First, let's clear out any chance of conflicting with other FreeBSD firewall configurations
# and make sure we're starting from a fresh slate.

/sbin/sysctl net.inet.ip.forwarding=0 >/dev/null
/sbin/ipfw -q list >/dev/null 2>&1 || /sbin/kldload ipfw
(/sbin/ipf -D) >/dev/null 2>&1 || true
(/sbin/kldunload ipl) >/dev/null 2>&1 || true
(/sbin/pfctl -d) >/dev/null 2>&1 || true
(/sbin/kldunload pf) >/dev/null 2>&1 || true
/sbin/ipfw -q /dev/stdin < < EOF
flush
delete set 31

#Open up our Loopback device. There's almost never any reason to filter this.
add allow ip from any to any via lo0

#Allow checking/maintenance of stateful rulesets
add check-state

#Kill off any active/open sessions, pre-fw init. We do this
#to ensure that any connection to unauthorized ports is dealt with
#and that all connections adhere to the policy...

add reset tcp from any to any established

##########################
## Add Inbound Service Allowances ##
##########################
#Port 80: www
add allow tcp from any to me 80 setup in
#Port 22: SSH - Stateful connection (it's going to maintain a connection, not come and go)
add allow tcp from any to me 22 setup in keep-state

#Port 21, and 30000-50000, FTP and Passive port rolloff.
add allow tcp from any to me 21 setup in
add allow tcp from any to me 30000-50000 setup in keep-state

#Port 53: DNS
add allow udp from any to me 53 in

#Port 25, 110, 143. SMTP, POP3 and IMAP
add allow tcp from any to me 25 in
add allow tcp from any to me 110 in
add allow tcp from any to me 143 in

#ICMP/ping requests should be allowed through, fun stuff happens
#if you don't allow this. (see ptmu)
add icmp from any to me icmptypes 8 in

#################################
## Lets Deny some Packets. WOOOT ##
#################################

#These rules denies everything else, not explicitly listed above
add deny tcp from any to me setup in
add deny ip from any to me in

##################
## Outbound Ahoy! ##
##################

#Wide open outbound filtering. You could modify this section to default to deny
#And then allow specific ports out. I'm not going to do that here, but you should
#be able to figure it out. :)

add allow tcp from me to any setup out keep-state
add allow ip from me to any out keep-state

###########################
## Last chain to make sure ##
###########################

#One more time, just to be positive...
add deny tcp from any to any setup
add deny ip from any to any
enable firewall
EOF

#I set this because the default FreeBSD behavior is to keep a table open
#for a session for 1 hour. That's a LONG time on a production server. We
#Go for 10 mins here, but could be lowered drastically.

#Set TTL on Dynamic Rules to 10 Mins. Formerly 1 hour.
/sbin/sysctl net.inet.ip.fw.dyn_ack_lifetime=600 >/dev/null

Done!

Save your /etc/firewall.sh file, then make sure permissions are right on it…


chmod 755 /etc/firewall.sh && chown root:wheel /etc/firewall.sh

Open up your handy text editor again, and add the following lines to /etc/rc.conf at the bottom.


firewall_enable="YES"
firewall_script="/etc/firewall.sh"

Done!

Please keep in mind that if you set “firewall_type=open” above, it may overrule this firewall_script variable, so it should be removed.

Congrats, reboot and enjoy your new firewall. :)

If this is something you’re interested in, leave a comment and let me know how and I can write a few more articles on more complex configurations quite easily. :)

]]> http://serveradmins.net/a-basic-ipfw-firewall-howto-for-freebsd/feed/ 4