firewall settings in rc.firewall

Philip Payne philip.payne at uk.mci.com
Fri Jan 9 05:11:18 PST 2004


Hi Dan,
 
> Hello, I am trying to make my webserver accessible to the net. I tried
> to run the out of the box rc.firewall, but there were some default rules
> which blocked the 192.168.0 network which is my local LAN lol, so it killed
> it instead of helped it. Anyway I tried setting it to open, but it still
> won't allow access to port 1023 which is what the server is running on.
> Can someone please help me with some example rules which may get me going?
> Let me know, thanks.

Firstly,

	man ipfw

will help you understand ipfw.

Look on www.bsdvault.com and do a search on Google for building an ipfw
firewall on BSD. There are some good tutorials out there. If you really
don't know where to start, these will be valuable.

As you get more familiar you may want to look at fwbuilder.org, as this
provides a graphical interface for policy generation, but I do suggest you
get familiar with the command line first so you understand what
fwbuilder.org is doing. fwbuilder.org does have some tools to help generate
basic policies.


Some generic statements on how to develop a network policy if you have
absolutely no idea. This is painful, but if you don't know where to start and
ignore the tutorials, I'm not sure what else you can do:

1) Operate from a default deny scenario unless you have a good reason not
to. If you don't want to break stuff, then have a permit all instead. Either
way, set this last rule to log.

e.g.
	ipfw add 65000 deny log ip from any to any
or 
	ipfw add 65000 permit log ip from any to any

2) View the log at /var/log/security.

As you have no other rules in your policy the log will quickly get swamped
by the traffic through your firewall.

3) Work out from the log what traffic/packets are required and what traffic is
not, and add relevant rules.

e.g.
	ipfw add 100 permit tcp from <your internal network> to any setup keep-state out via <your external interface>
	ipfw add 110 permit udp from <your internal network> to any keep-state out via <your external interface>

...is an obvious example if you want your internal network to be able to
initiate any connection. 

4) Clear the logs:

	ipfw resetlog

5) Repeat steps 2 and 3 until you're only denying and logging the things you
want to deny.

6) Check your logs frequently for unexpected events.

7) Review your policy on a regular basis to collate rules and remove
unwanted ones.

Hope that helps.

Phil.
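An added example to go with steps 2 and 3 above (not part of Phil's reply): a small POSIX shell/awk script that tallies the "Deny" lines ipfw writes to /var/log/security by rule number, protocol, destination port and direction, so you can see at a glance what a default-deny policy is actually blocking before deciding which of it deserves a permit rule. The log lines, addresses and the interface name fxp0 below are constructed sample data; the script assumes the kernel's "ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <iface>" line layout.

```shell
#!/bin/sh
# Summarise ipfw "Deny" log lines so that a default-deny policy can be
# tuned: high counts on a port you know you need mean a permit rule is
# missing; everything else is traffic you are right to be dropping.

summarise_ipfw_log() {
    awk '
    /ipfw: [0-9]+ Deny/ {
        # Find the "ipfw:" token so the syslog prefix length does not matter.
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        rule = $(i+1); proto = $(i+3); dst = $(i+5); dir = $(i+6); iface = $(i+8)
        # TCP/UDP log "addr:port"; ICMP lines ("ICMP:8.0 src dst") carry no ports.
        if (proto ~ /^ICMP/) { dport = "-" }
        else { n = split(dst, d, ":"); dport = d[n] }
        key = "rule " rule " " proto " dport=" dport " " dir " via " iface
        count[key]++
    }
    END { for (k in count) printf "%6d  %s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample of /var/log/security content (hypothetical hosts, fxp0
# is a made-up external interface). Rule 65000 is the logging default deny.
SAMPLE_LOG='Jan  9 05:11:18 gw kernel: ipfw: 65000 Deny TCP 10.1.1.5:51234 192.168.0.10:1023 in via fxp0
Jan  9 05:11:19 gw kernel: ipfw: 65000 Deny TCP 10.1.1.5:51235 192.168.0.10:1023 in via fxp0
Jan  9 05:11:20 gw kernel: ipfw: 65000 Deny UDP 192.168.0.20:49152 10.1.1.1:53 out via fxp0
Jan  9 05:11:21 gw kernel: ipfw: 65000 Deny ICMP:8.0 10.1.1.6 192.168.0.10 in via fxp0
Jan  9 05:11:22 gw kernel: ipfw: 100 Accept TCP 192.168.0.20:1025 10.1.1.7:80 out via fxp0'

# Demo run on the sample; on a real box use: summarise_ipfw_log < /var/log/security
printf '%s\n' "$SAMPLE_LOG" | summarise_ipfw_log
```

In the sample, the two inbound hits on port 1023 are the webserver traffic Dan wants, so that is the one line that should become a permit rule; the Accept line is ignored because only denied traffic matters for this step.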

