BSD Firewalls: IPFW
04/25/2001
Your FreeBSD system comes with two built-in mechanisms for inspecting IP packets: ipfw and ipfilter. Both have their own peculiar syntax for creating rulesets that determine which packets to allow and which to discard, so I'd like to demonstrate the usage of both. Since you can only run one or the other, I'll start with ipfw; once we've had a good look at it, I'll switch gears and move on to ipfilter.
Before you can use ipfw, you'll have to add some options to your kernel config file and recompile your kernel. If you're a bit rusty on compiling kernels, you'll want to take a look at that section in the handbook.
There are several options that can be used by ipfw, so let's start by taking a look at LINT. I'll do a search using "/" to quickly find the relevant options:
cd /usr/src/sys/i386/conf
more LINT
/IPFIREWALL

# IPFIREWALL enables support for IP firewall construction,
# in conjunction with the 'ipfw' program. IPFIREWALL_VERBOSE
# sends logged packets to the system logger.
# IPFIREWALL_VERBOSE_LIMIT limits the number of times a
# matching entry can be logged.
#
# WARNING: IPFIREWALL defaults to a policy of "deny ip
# from any to any" and if you do not add other rules during
# startup to allow access, YOU WILL LOCK YOURSELF OUT. It
# is suggested that you set firewall_type=open in /etc/rc.conf
# when first enabling this feature, then refining the firewall
# rules in /etc/rc.firewall after you've tested that the new
# kernel feature works properly.
#
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot)
# to allow everything. Use with care, if a cracker can crash
# your firewall machine, they can get to your protected machines.
# However, if you are using it as an as-needed filter for
# specific problems as they arise, then this may be for you.
# Changing the default to 'allow' means that you won't get stuck
# if the kernel and /sbin/ipfw binary get out of sync.
As a minimum, you need to include the option IPFIREWALL to enable ipfw; this tells your kernel to examine every IP packet and compare it to a ruleset. It is always a good idea to include logging support, which you do by adding the option IPFIREWALL_VERBOSE. You should also limit the number of packets the kernel will log, for the same reasons we saw last week when we limited the number of ICMP packets that were logged. You limit the logging of IP packets with the IPFIREWALL_VERBOSE_LIMIT option.
Note that the default is for ipfw to throw away all IP packets except those you've specifically allowed in your ruleset. I prefer this default as it gives finer control over which packets are being accepted; I'd hate to think my kernel was accepting packets I wasn't aware of. I will definitely notice if packets I want aren't being accepted and can change my ruleset to allow them; I'll never know the difference if packets I hadn't thought of are slipping through my firewall because I didn't make a rule to explicitly deny them. Accordingly, I won't override the default by including the option IPFIREWALL_DEFAULT_TO_ACCEPT.
# IPDIVERT enables the divert IP sockets, used
# by ''ipfw divert''
This option is used in conjunction with natd. Since I'm only building a firewall to protect a single machine, I won't need this option.
# IPSTEALTH enables code to support stealth forwarding
# (i.e., forwarding packets without touching the ttl).
# This can be useful to hide firewalls from traceroute
# and similar tools.
This sounds like an interesting option, so I'll include it and see how it behaves when I test my firewall.
# Statically Link in accept filters
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP
I'm not running a web server on this computer, so I won't compile in these two options.
# The following options add sysctl variables for controlling
# how certain TCP packets are handled.
#
# TCP_DROP_SYNFIN adds support for ignoring TCP packets with
# SYN+FIN. This prevents nmap et al. from identifying the
# TCP/IP stack, but breaks support for RFC1644 extensions
# and is not recommended for web servers.
#
# TCP_RESTRICT_RST adds support for blocking the emission
# of TCP RST packets. This is useful on systems which are
# exposed to SYN floods (e.g. IRC servers) or any system
# which one does not want to be easily portscannable.
Again, I'll include these options and watch for the results when I test my firewall.
# ICMP_BANDLIM enables icmp error response bandwidth
# limiting. You typically want this option as it will
# help protect the machine from D.O.S. packet attacks.
#
options ICMP_BANDLIM
This option comes enabled with the default kernel; we saw its behaviour last week when we used the
# DUMMYNET enables the "dummynet" bandwidth limiter.
# You need IPFIREWALL as well. See the dummynet(4)
# manpage for more info. BRIDGE enables bridging between
# ethernet cards -- see bridge(4).
I won't include these two options as I don't need to do any traffic shaping on this stand-alone computer.
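As an added example that is not from the article, here is a small POSIX sh audit that applies the rules discussed above to a kernel config file: IPFIREWALL must be present, IPFIREWALL_VERBOSE should be paired with IPFIREWALL_VERBOSE_LIMIT, IPFIREWALL_DEFAULT_TO_ACCEPT gives up the default-deny policy, and DUMMYNET depends on IPFIREWALL. The config fragment is constructed and the function names are my own.

```shell
# Constructed kernel config fragment (not the article's file) for the checks below.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
options         IPFIREWALL              #firewall
options         IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPSTEALTH
options         TCP_DROP_SYNFIN
options         TCP_RESTRICT_RST
options         ICMP_BANDLIM
EOF

# has_option CFG NAME: succeed if "options NAME" (or NAME=value) is active;
# commented-out lines and longer names sharing the prefix do not count.
has_option() {
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]=#]|\$)" "$1"
}

# audit_fw_config CFG: print one finding per line, then the number of
# findings that weaken the firewall (always exits 0 so output can be captured).
audit_fw_config() {
    cfg=$1 weak=0
    if has_option "$cfg" IPFIREWALL; then
        echo "ok   IPFIREWALL: every IP packet is compared to the ruleset"
    else
        echo "FAIL IPFIREWALL missing: ipfw cannot filter"; weak=$((weak + 1))
    fi
    if ! has_option "$cfg" IPFIREWALL_VERBOSE; then
        echo "WARN no IPFIREWALL_VERBOSE: denied packets are not logged"
    elif has_option "$cfg" IPFIREWALL_VERBOSE_LIMIT; then
        echo "ok   logging enabled and rate-limited"
    else
        echo "WARN IPFIREWALL_VERBOSE without _LIMIT: a packet flood can fill the log"
    fi
    if has_option "$cfg" IPFIREWALL_DEFAULT_TO_ACCEPT; then
        echo "WARN IPFIREWALL_DEFAULT_TO_ACCEPT: unmatched packets are let through"
        weak=$((weak + 1))
    else
        echo "ok   default policy is deny; only explicitly allowed packets pass"
    fi
    if has_option "$cfg" DUMMYNET && ! has_option "$cfg" IPFIREWALL; then
        echo "FAIL DUMMYNET needs IPFIREWALL"; weak=$((weak + 1))
    fi
    echo "$weak"
}
# weak_count CFG: just the number of weakening findings.
weak_count() { audit_fw_config "$1" | tail -n 1; }

audit_fw_config "$SAMPLE_CFG"
```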