BSD DevCenter
oreilly.comSafari Books Online.Conferences.


FreeBSD Basics

BSD Firewalls: IPFW


Your FreeBSD system comes with two built-in mechanisms for inspecting IP packets: ipfw and ipfilter. Both have their own peculiar syntax for creating rulesets to determine which packets to allow and which packets to discard, so I'd like to demonstrate the usage of both. Since you can only run one or the other, I'll start with ipfw; once we've had a good look at it, I'll switch gears and move on to ipfilter.

Before you can use ipfw, you'll have to add some options to your kernel config file and recompile your kernel. If you're a bit rusty on compiling kernels, you'll want to take a look at that section in the handbook.

There are several options that can be used by ipfw, so let's start by taking a look at LINT. I'll do a search using "/" to quickly find the correct section:

cd /usr/src/sys/i386/conf
more LINT

# IPFIREWALL enables support for IP firewall construction,
# in conjunction with the 'ipfw' program.  IPFIREWALL_VERBOSE
# sends logged packets to the system logger.  
# IPFIREWALL_VERBOSE_LIMIT limits the number of times a 
# matching entry can be logged.
# WARNING:  IPFIREWALL defaults to a policy of "deny ip 
# from any to any" and if you do not add other rules during 
# startup to allow access, YOU WILL LOCK YOURSELF OUT.  It 
# is suggested that you set firewall_type=open in /etc/rc.conf 
# when first enabling this feature, then refining the firewall 
# rules in /etc/rc.firewall after you've tested that the new 
# kernel feature works properly.
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot)
# to allow everything.  Use with care, if a cracker can crash 
# your firewall machine, they can get to your protected machines.
# However, if you are using it as an as-needed filter for 
# specific problems as they arise, then this may be for you.  
# Changing the default to 'allow' means that you won't get stuck 
# if the kernel and /sbin/ipfw binary get out of sync.

As a minimum, you need to include the option IPFIREWALL to enable ipfw; this tells your kernel to examine every IP packet and compare it to a ruleset. It is always a good idea to include logging support, which you do by adding the option IPFIREWALL_VERBOSE. You should also limit the amount of packets the kernel will log for the same reasons we saw last week in limiting the amount of ICMP packets that were logged. You limit the logging of IP packets with the IPFIREWALL_VERBOSE_LIMIT option.

Note that the default is for ipfw to throw away all IP packets except those you've specifically allowed in your ruleset. I prefer this default as it gives a finer control over which packets are being accepted; I'd hate to think my kernel was accepting packets I wasn't aware of. I will definitely notice if packets I want aren't being accepted and can change my ruleset to allow them; I'll never know the difference if packets I hadn't thought of are slipping through my firewall because I didn't make a rule to explicitly deny them. Accordingly, I won't override the default by including the option IPFIREWALL_DEFAULT_TO_ACCEPT.

# IPDIVERT enables the divert IP sockets, used 
# by ''ipfw divert''

This option is used in conjunction with natd. Since I'm only building a firewall to protect a single machine, I won't need this option.

# IPSTEALTH enables code to support stealth forwarding 
# (i.e., forwarding packets without touching the ttl).  
# This can be useful to hide firewalls from traceroute 
# and similar tools.

This sounds like an interesting option, so I'll include it in my firewall and see how it works when I test my firewall.

# Statically Link in accept filters
options            ACCEPT_FILTER_DATA
options            ACCEPT_FILTER_HTTP

I'm not running a web server on this computer, so I won't compile in these two options.

# The following options add sysctl variables for controlling 
# how certain TCP packets are handled.
# TCP_DROP_SYNFIN adds support for ignoring TCP packets with 
# SYN+FIN. This prevents nmap et al. from identifying the 
# TCP/IP stack, but breaks support for RFC1644 extensions 
# and is not recommended for web servers.
# TCP_RESTRICT_RST adds support for blocking the emission 
# of TCP RST packets. This is useful on systems which are 
# exposed to SYN floods (e.g. IRC servers) or any system 
# which one does not want to be easily portscannable.

Again, I'll include these options and watch for the results when I test my firewall.

# ICMP_BANDLIM enables icmp error response bandwidth 
# limiting.   You typically want this option as it will 
# help protect the machine from D.O.S. packet attacks.

This option comes enabled with the default kernel; we saw its behaviour last week when we used the nmap utility.

# DUMMYNET enables the "dummynet" bandwidth limiter. 
# You need IPFIREWALL as well. See the dummynet(4) 
# manpage for more info. BRIDGE enables bridging between 
# ethernet cards -- see bridge(4).

I won't include these two options as I don't need to do any traffic shaping on this stand-alone computer.

Pages: 1, 2, 3

Next Pagearrow

Sponsored by: