A Basic IPFW firewall HowTo for FreeBSD…

Of all the different OS’s and the multitude of firewall implementations for each, my favorite has to be FreeBSD’s IPFW ruleset. It’s powerful, super efficient, and most of all, *EASY* to read!

So I’m just going to paste a sample firewall below, notate it heavily for you, and show you how to get it enabled.

For newer FreeBSD builds, it’s enough to add firewall_enable="YES" to your /etc/rc.conf file and reboot. This will load all the necessary kernel modules, and get you in shape. You should know that by default FreeBSD defaults to a ‘default deny’ policy. This is *VERY* important to know. What it means is that by default, your server isn’t going to open up any ports. You *WILL* be locked out if you do not have a firewall in place. Don’t say I didn’t warn you!

So, with that being said, let’s get our firewall in built and in place, and then we’ll go about adding in the necessary options to ensure it comes up properly on boot. It should noted here that you can build in a “Default to accept” option into the kernel or “firewall_type=”open” to the /etc/rc.conf to start up wide open. This is the suggested practice as the chances are, you’re not close enough to your server to console it. 🙂

Let’s get our basic firewall going. We’re going to open up 22 for SSH, 80 for web traffic, 25 for SMTP and 110/143 for POP3/IMAP mail. The syntax is simple enough you should be able to customize it for your own needs, but always make sure your SSH port is accessible. Also if you run SSH on an alternative port, you should modify that here. You don’t want to lock yourself out now, do you?

So go ahead, login as root to your server, open up your text editor of choice. For the purpose of this post, I’m going to assume you’re creating the file /etc/firewall.sh. If not, modify where appropriate. 🙂 You should also make sure this file is executable by root, otherwise it won’t fire off properly on reboot.


#!/bin/sh

set -e

#First, let's clear out any chance of conflicting with other FreeBSD firewall configurations
# and make sure we're starting from a fresh slate.

/sbin/sysctl net.inet.ip.forwarding=0 >/dev/null
/sbin/ipfw -q list >/dev/null 2>&1 || /sbin/kldload ipfw
(/sbin/ipf -D) >/dev/null 2>&1 || true
(/sbin/kldunload ipl) >/dev/null 2>&1 || true
(/sbin/pfctl -d) >/dev/null 2>&1 || true
(/sbin/kldunload pf) >/dev/null 2>&1 || true
/sbin/ipfw -q /dev/stdin < < EOF flush delete set 31 #Open up our Loopback device. There's almost never any reason to filter this. add allow ip from any to any via lo0 #Allow checking/maintenance of stateful rulesets add check-state #Kill off any active/open sessions, pre-fw init. We do this #to ensure that any connection to unauthorized ports is dealt with #and that all connections adhere to the policy... add reset tcp from any to any established ########################## ## Add Inbound Service Allowances ## ########################## #Port 80: www add allow tcp from any to me 80 setup in #Port 22: SSH - Stateful connection (it's going to maintain a connection, not come and go) add allow tcp from any to me 22 setup in keep-state #Port 21, and 30000-50000, FTP and Passive port rolloff. add allow tcp from any to me 21 setup in add allow tcp from any to me 30000-50000 setup in keep-state #Port 53: DNS add allow udp from any to me 53 in #Port 25, 110, 143. SMTP, POP3 and IMAP add allow tcp from any to me 25 in add allow tcp from any to me 110 in add allow tcp from any to me 143 in #ICMP/ping requests should be allowed through, fun stuff happens #if you don't allow this. (see ptmu) add icmp from any to me icmptypes 8 in ################################# ## Lets Deny some Packets. WOOOT ## ################################# #These rules denies everything else, not explicitly listed above add deny tcp from any to me setup in add deny ip from any to me in ################## ## Outbound Ahoy! ## ################## #Wide open outbound filtering. You could modify this section to default to deny #And then allow specific ports out. I'm not going to do that here, but you should #be able to figure it out. :) add allow tcp from me to any setup out keep-state add allow ip from me to any out keep-state ########################### ## Last chain to make sure ## ########################### #One more time, just to be positive... add deny tcp from any to any setup add deny ip from any to any enable firewall EOF #I set this because the default FreeBSD behavior is to keep a table open #for a session for 1 hour. That's a LONG time on a production server. We #Go for 10 mins here, but could be lowered drastically. #Set TTL on Dynamic Rules to 10 Mins. Formerly 1 hour. /sbin/sysctl net.inet.ip.fw.dyn_ack_lifetime=600 >/dev/null

Done!

Save your /etc/firewall.sh file, then make sure permissions are right on it…


chmod 755 /etc/firewall.sh && chown root:wheel /etc/firewall.sh

Open up your handy text editor again, and add the following lines to /etc/rc.conf at the bottom.


firewall_enable="YES"
firewall_script="/etc/firewall.sh"

Done!

Please keep in mind that if you set “firewall_type=open” above, it may overrule this firewall_script variable, so it should be removed.

Congrats, reboot and enjoy your new firewall. 🙂

If this is something you’re interested in, leave a comment and let me know how and I can write a few more articles on more complex configurations quite easily. 🙂

5 comments
  1. Hey there,

    Sorry to hear about that. =( If you could provide the exact error, I might be able to help you out. Keep in mind, the script may take a bit of tuning for a different machine, so there might need to be a bit of work put into it.

  2. I’m presuming firewal_script=”/etc/firewall.sh” is a typo?

    I get “Ambiguous output redirect.” from the script 🙁

  3. I like the style of your script. Haven’t seen another like it. The other posters are right though, there are syntax issues.

    Near the top where you are bringing in EOF there is a space between the “less-than” signs that should not be there.

    Also, the “icmp” directives give a syntax error. Looks like you were trying to just allow ping but anyway… here are the two lines I substituted there instead:

    add allow icmp from any to any in
    add allow icmp from any to any out

    Cheers,
    — Aaron

Add Comment

Required fields are marked *. Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.