IPFW Firewall Question

Steve Bertrand steve at ibctech.ca
Fri Dec 5 06:12:34 PST 2008

G magicman wrote:
> 1.  I need help to reconfigure my firewall on the server using BSD's ipfw

What part do you need to reconfigure?

> 2. short of a reboot how do you start stop and restart the  firewall

Very, very carefully. Until I gained some extensive experience with
IPFW, I would wrap the firewall restart within a sleep/undo of some sort.

That said, now I use table(s) and set(s), so I can update rules without
having to restart the firewall entirely. Below is an example, that also
will guide you in answering your next two questions. The man page and
Google will explain how to use tables and sets.

To answer your question however, depending on where your firewall script
is, simply execute it at the command line, like this:

# /etc/ipfw.rules &

> Here is what i want :
> 1. i want all ports open to the ipaddresses in line 4 "clearaddresses"
> 2. I want to be able to control access to port 25 sendmail to be able to deny
>       whole "A" "B" and "C" addresses


flush="/sbin/ipfw -q flush"
cmd="/sbin/ipfw add"
table="/sbin/ipfw table"


# Tables

# Client/infrastructure IPs for allowing access

$table 1 add
$table 1 add
$table 1 add


$table 2 add
$table 2 add
$table 2 add

# Block all inbound and outbound traffic for certain sites
# ...review periodically to see if they are still valid

$table 3 add    # phishing

# set 3 = specific deny/allow by ids
# set 4 = SSH access
# set 29 = for counting/testing traffic patterns
# set 30 = forwarding

# SET 3

$cmd 20000 set 3 deny all from any to any 1433,1434
$cmd 20100 set 3 allow tcp from to
135,139,445,593 keep-state
$cmd 20105 set 3 allow udp from to
$cmd 20110 set 3 deny all from any to any 135,139,445,593

# SET 4

$cmd 40000 set 4 allow tcp from "table(1)" to any 22 keep-state
$cmd 40005 set 4 deny tcp from any to any 22

# SET 29

#$cmd 59000 set 29 count log logamount 100 tcp from any to any

# SET 30

$cmd 60000 set 30 fwd,53 all from any to 53
$cmd 60005 set 30 fwd,53 all from any to 53

$cmd 64998 deny all from "table(3)" to any
$cmd 64999 deny all from any to "table(3)"

### end dummy ruleset

...if you want specific rule examples, just let me know.

The above does pretty much what you want it to do. I've purposely left
it up to you to do some further research. Tweaking a non-forgiving
firewall remotely is not something you want to learn the hard way.

The benefit of tables is that you can have one rule, but manually
add/remove specific addresses or prefixes on the fly without having to
reload the rule.

With sets, you can disable an entire block of rules, modify it, and
reload it without restarting IPFW, therefore destroying your existing
established rules.


More information about the freebsd-questions mailing list