Before I rebuild my kernel, I'll add the following lines to my kernel config file:
#To enable IPFW with default deny all packets options IPFIREWALL options IPFIREWALL_VERBOSE options IPFIREWALL_VERBOSE_LIMIT=10 #To hide firewall from traceroute options IPSTEALTH #To hide from nmap, remove if create web server options TCP_DROP_SYNFIN #To hide from portscans options TCP_RESTRICT_RST
While my kernel recompiles, I'll take a look at the options I should add to
/etc/rc.conf. Again, I'll use the "
/" to search for the correct section in the manpage:
man rc.conf /firewall firewall_enable (bool) Set to NO if you do not want have firewall rules loaded at startup, or YES if you do. If set to YES, and the kernel was not built with IPFIREWALL, the ipfw kernel module will be loaded. See also ipfilter_enable. firewall_script (str) If you want to run a firewall script other than /etc/rc.firewall, set this variable to the full path to that script. firewall_type (str) Names the firewall type from the selection in /etc/rc.firewall, or the file which contains the local firewall ruleset. Valid selections from /etc/rc.firewall, are ''open'' - unrestricted IP access; ''closed'' - all IP services disabled, except via lo0; ''client'' - basic pro- tection for a workstation; ''simple'' - basic protection for a LAN. If a filename is specified, the full path must be given.
Since I want my firewall rules to be loaded at bootup, I'll set
firewall_enable to YES. I'll be creating my own ruleset, so I'll specify
the path to the file I'll create using
firewall_quiet (bool) Set to YES to disable the display of ipfw rules on the console during boot.
This is a good option to set to YES as it'll show each rule being
loaded; if you have a typo in your ruleset, all the rules following the
typo will NOT be loaded. If you're watching the screen at bootup, you'll
ipfw syntax message following the last rule that was successfully
loaded; you'll want to look for a typo in the line following that rule,
then reboot to ensure that all your rules successfully load.
firewall_logging (bool) Set to YES to enable ipfw event logging. This is equivalent to the IPFIREWALL_VERBOSE kernel option. tcp_extensions (bool) Set to NO by default. Setting this to YES enables certain TCP options as described by RFC 1323. If you have problems with connections randomly hanging or other weird behavior of such nature, you might try setting this back to NO and seeing if that helps. Some hardware/software out there is known to be broken with respect to these options. log_in_vain (bool) Set to NO by default. Setting to YES will enable logging of connection attempts to ports that have no listening socket on them. tcp_keepalive (bool) Set to YES by default. Setting to NO will disable probing idle TCP connections to verify that the peer is still up and reachable. tcp_drop_synfin (bool) Set to NO by default. Setting to YES will cause the kernel to ignore TCP frames that have both the SYN and FIN flags set. This prevents OS fingerprinting, but may break some legitimate applications. This option is only avail- able if the kernel was built with the TCP_DROP_SYNFIN op- tion.
Since I added the option
TCP_DROP_SYNFIN in my kernel, I'll set this
corresponding value to YES. I'll include a remark to remove this line if I enable a web server on this computer.
tcp_restrict_rst (bool) Set to NO by default. Setting to YES will cause the kernel to refrain from emitting TCP RST frames in response to invalid TCP packets (e.g., frames destined for closed ports). This option is only available if the kernel was built with the TCP_RESTRICT_RST option. icmp_drop_redirect (bool) Set to NO by default. Setting to YES will cause the kernel to ignore ICMP REDIRECT packets. icmp_log_redirect (bool) Set to NO by default. Setting to YES will cause the kernel to log ICMP REDIRECT packets. Note that the log messages are not rate-limited, so this option should only be used for troubleshooting your own network.
I end up adding the following lines to my
#required for ipfw support firewall_enable="YES" firewall_script="/etc/rc.firewall" firewall_type="/etc/ipfw.rules" firewall_quiet="NO" #change to YES once happy with rules firewall_logging_enable="YES" #extra firewalling options log_in_vain="YES" tcp_drop_synfin="YES" #change to NO if create webserver tcp_restrict_rst="YES" icmp_drop_redirect="YES"
A few notes before I reboot into my new kernel. The
LINT file really means it when it says "YOU WILL LOCK YOURSELF OUT." Until I start creating a
ruleset that allows the IP packets I want, no IP packets will be
allowed to leave or enter my computer. If I want to check my e-mail or download any last bits of information regarding rulesets from the
Internet, now is the time to do it, before I reboot.