IPF and kernel options

Rob listone at deathbeforedecaf.net
Thu May 1 03:16:45 PDT 2003


Yep, ipfw is the 'standard' FreeBSD firewall. There are step-by-step
instructions in the FreeBSD Handbook chapter
file:///usr/share/doc/handbook/firewalls.html and an overview in the
firewall(7) manpage.

Here's what I put in the kernel config to enable it:

  options    IPFIREWALL                        # firewall
  options    IPFIREWALL_VERBOSE                # log dropped packets
  options    IPFIREWALL_VERBOSE_LIMIT=5000     # limit verbosity

And in /etc/rc.conf to set the rules:

  firewall_enable="YES"
  firewall_flags="-p cpp"
  firewall_logging="YES"
  firewall_quiet="YES"
  firewall_type="/etc/firewall.conf"

Then /etc/firewall.conf contains a list of commands for ipfw(8). Since
I've put "-p cpp" in firewall_flags, it passes the file through cpp(1)
first - which lets me use #define for hostnames and stuff.

See ipfirewall(4) for more about the device, and ipfw(8) for details on
writing rules.

ipf is also supported, but I haven't used it so I can't help you there.

----- Original Message -----
From: "Dick Hoogendijk" <dick at nagual.st>
To: "freebsd-questions" <freebsd-questions at freebsd.org>
Sent: Wednesday, April 30, 2003 11:23 PM
Subject: IPF and kernel options


> Excuse me if this sounds like newbie first class..
> I run a couple of fbsd workstations, but now I want to migrate one to be
> the server of my home network.
> No big deal, but I need a firewall up-and-running. I've chosen for ipf,
> read a lot about it and set up my rules, but: looking at the kernel
> config I understand that the GENERIC has no firewall support.
>
> LINT shows me quite some "options" but I'm not quite sure which I need
> and which not. As said I don't plan using ipfw, so I guess I could leave
> out all references to "ipfirewall"? But what about mrouting, ipstealth,
> tcpdebug, icmp_bandlim, dummynet, bridge, etc..
>
> =-=-=-from LINT-=-=-=
> options MROUTING
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_FORWARD
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPV6FIREWALL
> options IPV6FIREWALL_VERBOSE
> options IPV6FIREWALL_VERBOSE_LIMIT=100
> options IPV6FIREWALL_DEFAULT_TO_ACCEPT
> options IPDIVERT
>
> options IPFILTER #ipfilter support
> options IPFILTER_LOG #ipfilter logging
> options IPFILTER_DEFAULT_BLOCK #block all packets by default
> options IPSTEALTH #support for stealth forwarding
> options TCPDEBUG
>
> options RANDOM_IP_ID
>
> # Statically link in accept filters
> options ACCEPT_FILTER_DATA
> options ACCEPT_FILTER_HTTP
>
> options ICMP_BANDLIM
>
> options DUMMYNET
> options BRIDGE
> =-=-=-=-end-=-=-=
>
> A reference to a manual I overlooked is welcome too. I'm not lazy. I
> just can't find the information needed. Maybe ipfw is the FreeBSD way of
> firewalling?
>
> --
> dick -- http://www.nagual.st/ -- PGP/GnuPG key: F86289CE
> ++ Running FreeBSD 4.8 ++ Debian GNU/Linux (Woody)
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
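
The /etc/firewall.conf arrangement described in the reply above (ipfw commands run through cpp because of firewall_flags="-p cpp"), as an added example that is not part of the original post. The interface name, addresses and rule numbers are constructed, and the preview assumes cpp is on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post. The ruleset is constructed:
# interface name, addresses and rule numbers are assumptions.

# A file in the style of /etc/firewall.conf: one ipfw(8) command per line,
# without the leading "ipfw", plus cpp directives for readable names.
sample_ruleset() {
cat <<'EOF'
/* cpp strips C comments, so they never reach ipfw */
#define OIF     fxp0
#define LAN     192.168.1.0/24
#define WEBHOST 192.168.1.10

add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 check-state
add 400 allow tcp from LAN to any setup keep-state
add 410 allow udp from LAN to any 53 keep-state
add 500 allow tcp from any to WEBHOST 80 in via OIF setup keep-state
/* logged through the IPFIREWALL_VERBOSE kernel option shown above */
add 65000 deny log ip from any to any
EOF
}

# Expand stdin with a cpp pass. -P suppresses cpp's line markers; blank
# lines left behind by directives and comments are dropped.
expand_ruleset() {
    cpp -P 2>/dev/null | grep -v '^[[:space:]]*$'
}

# Number of ipfw "add" commands left after expansion.
rule_count() {
    expand_ruleset | grep -c '^[[:space:]]*add '
}

# Preview a real file if one is given, otherwise the constructed sample.
if [ -n "${1:-}" ]; then
    expand_ruleset < "$1" || echo "no output (is cpp installed?)" >&2
else
    sample_ruleset | expand_ruleset || echo "no output (is cpp installed?)" >&2
fi
```

Running it with a path argument previews that file instead of the sample, which shows exactly which addresses each macro turned into before the rules are loaded.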


