ipfw firewall stock rule types?
Rodney W. Grimes
freebsd-rwg at gndrsh.dnsmgr.net
Mon Jun 10 13:43:35 UTC 2019
>
> I'm setting up a new server, from scratch, and I find that it's always
> best to review relevant sections of the Handbook when doing so, especially
> if one hasn't done this for a long time, which I haven't.
>
> This page has me a bit puzzled:
>
> https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
>
> This page says that the stock ipfw firewall rulesets are as follows:
>
> open: passes all traffic.
> client: protects only this machine.
end node
> simple: protects the whole network.
router
> closed: entirely disables IP traffic except for the loopback interface.
> workstation: protects only this machine using stateful rules.
> UNKNOWN: disables the loading of firewall rules.
> ...
>
> I'd just like to know what the differences are between "client" and "simple".
Someone could update the handbook to indicate that client is an end node, and
that simple is for a router.
>
> Can anyone explain that to me, briefly?
From /etc/rc.firewall the comments on each of client and simple help to
cover the difference:
[Cc][Ll][Ii][Ee][Nn][Tt])
############
# This is a prototype setup that will protect your system somewhat
# against people from outside your own network.
#
# Configuration:
# firewall_client_net: Network address of local IPv4 network.
# firewall_client_net_ipv6: Network address of local IPv6 network.
############
[Ss][Ii][Mm][Pp][Ll][Ee])
############
# This is a prototype setup for a simple firewall. Configure this
# machine as a DNS and NTP server, and point all the machines
# on the inside at this machine for those services.
#
# Configuration:
# firewall_simple_iif: Inside IPv4 network interface.
# firewall_simple_inet: Inside IPv4 network address.
# firewall_simple_oif: Outside IPv4 network interface.
# firewall_simple_onet: Outside IPv4 network address.
# firewall_simple_iif_ipv6: Inside IPv6 network interface.
# firewall_simple_inet_ipv6: Inside IPv6 network prefix.
# firewall_simple_oif_ipv6: Outside IPv6 network interface.
# firewall_simple_onet_ipv6: Outside IPv6 network prefix.
############
The MAJOR difference being that CLIENT is just an end node on a network,
whereas SIMPLE is actually a forwarding router setup with 2 interfaces.
--
Rod Grimes rgrimes at freebsd.org
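A small check that follows from the rc.firewall comments quoted in the reply: before enabling either ruleset, confirm that /etc/rc.conf actually defines the variables the chosen firewall_type reads, since an empty firewall_client_net or firewall_simple_oif silently yields rules that do not say what you meant. This is an added example, not code from the thread or from FreeBSD; it assumes rc.conf uses unquoted or double-quoted values and treats the IPv6 variables as optional.

```shell
#!/bin/sh
# Added example: verify /etc/rc.conf defines what /etc/rc.firewall expects
# for firewall_type=client or firewall_type=simple. Variable names are the
# ones listed in the rc.firewall comments; IPv6 ones are treated as optional
# (assumption).

# rc_get FILE NAME: print the value of NAME=value or NAME="value" (last wins)
rc_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# check_firewall_conf FILE: report missing variables for the selected type.
# Returns 0 if complete, 1 if something is missing, 2 if the type is not
# one of the two this check knows about.
check_firewall_conf() {
    file=$1
    type=$(rc_get "$file" firewall_type | tr 'A-Z' 'a-z')
    case "$type" in
        client) required="firewall_client_net" ;;          # end node: one net
        simple) required="firewall_simple_iif firewall_simple_inet
                          firewall_simple_oif firewall_simple_onet" ;;  # router
        *) echo "firewall_type '$type' is not client or simple" >&2; return 2 ;;
    esac
    missing=""
    for v in $required; do
        [ -n "$(rc_get "$file" "$v")" ] || missing="$missing $v"
    done
    if [ -n "$missing" ]; then
        echo "firewall_type=$type is missing:$missing"
        return 1
    fi
    echo "firewall_type=$type: all required variables are set"
    return 0
}

# Usage: sh check_fw.sh /etc/rc.conf
if [ $# -eq 1 ]; then
    check_firewall_conf "$1"
fi
```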