easy Firewall setup
Antonio Olivares
olivares14031 at gmail.com
Sun Jul 31 16:15:31 UTC 2011
> A> Is there an easy firewall setup available somewhere (like the one
> A> referenced below but for FreeBSD)?
>
> Here's a script you can use to generate a rules file for IPF.
>
> --
Karl,
I have used your script and it generated me a nice ipf.rules file
/************* ipf.rules ********************/
quadcore# cat /etc/ipf.rules
# Generated by make-ipf-rules v1.10 at Sun Jul 31 10:42:21 CDT 2011
#
# NAME:
# /etc/ipf.rules
#
# DESCRIPTION:
# Ruleset for IPF packet filter.
#
# AUTHOR:
# Antonio Olivares <olivares14031 at gmail.com>
# --------------------------------------------------------------------
# We don't care about NETBIOS broadcast crap, bootpc requests, or IGMP.
block in quick on msk0 proto udp from any to any port = 68
block in quick on msk0 proto udp from any to any port = 137
block in quick on msk0 proto udp from any to any port = 138
block in quick on msk0 proto igmp from any to any
# --------------------------------------------------------------------
# Now block everything coming down the network.
block in log on msk0 all
block out log on msk0 all
# --------------------------------------------------------------------
# Get rid of anything with options, as these can be used to hack.
block in log quick from any to any with ipopts
# --------------------------------------------------------------------
# Get rid of short TCP/IP fragments (too small for valid comparison)
# as these can be used to hack.
block in log quick proto tcp from any to any with short
# --------------------------------------------------------------------
# Allow all traffic on loopback.
pass in quick on lo0 all
pass out quick on lo0 all
# --------------------------------------------------------------------
# Block all the private routable addresses, as these should never
# come down the network, nor should we be talking to them.
block out quick on msk0 from any to 192.168.0.0/16
block out quick on msk0 from any to 172.16.0.0/12
block out quick on msk0 from any to 127.0.0.0/8
block out quick on msk0 from any to 10.0.0.0/8
block out quick on msk0 from any to 0.0.0.0/8
block out quick on msk0 from any to 169.254.0.0/16
block out quick on msk0 from any to 192.0.2.0/24
block out quick on msk0 from any to 204.152.64.0/23
block out quick on msk0 from any to 224.0.0.0/3
block in quick on msk0 from 192.168.0.0/16 to any
block in quick on msk0 from 172.16.0.0/12 to any
block in quick on msk0 from 10.0.0.0/8 to any
block in quick on msk0 from 127.0.0.0/8 to any
block in quick on msk0 from 0.0.0.0/8 to any
block in quick on msk0 from 169.254.0.0/16 to any
block in quick on msk0 from 192.0.2.0/24 to any
block in quick on msk0 from 204.152.64.0/23 to any
block in quick on msk0 from 224.0.0.0/3 to any
# --------------------------------------------------------------------
# Block and log portmapper attempts.
block in log quick on msk0 proto tcp/udp from any to any port = 111 keep state
# --------------------------------------------------------------------
# Allow outbound state related packets.
pass out quick on msk0 proto tcp from any to any flags S keep state
pass out quick on msk0 proto udp from any to any keep state
# --------------------------------------------------------------------
# Allow ping and traceroute. Since we're doing everything quick,
# we must have passes before blocks.
pass in quick on msk0 proto icmp from any to any icmp-type 0 keep state
pass in quick on msk0 proto icmp from any to any icmp-type 8 keep state
pass in quick on msk0 proto icmp from any to any icmp-type 11 keep state
pass out quick on msk0 proto icmp from any to any icmp-type 0 keep state
pass out quick on msk0 proto icmp from any to any icmp-type 8 keep state
pass out quick on msk0 proto icmp from any to any icmp-type 11 keep state
block in log quick on msk0 proto icmp from any to any
# --------------------------------------------------------------------
# Allow DNS; should this be just from nameservers?
pass in quick on msk0 proto tcp from any to any port = 53 flags S keep state
pass in quick on msk0 proto udp from any to any port = 53 keep state
# --------------------------------------------------------------------
# Allow ssh and mail from anywhere: tcpserver filters addresses
pass in quick on msk0 proto tcp from any to any port = 22 flags S keep state
pass in quick on msk0 proto tcp from any to any port = 25 flags S keep state
# --------------------------------------------------------------------
# Allow http from selected addresses.
pass in quick on msk0 proto tcp from 1.2.3.4 to any port = 80 flags S keep state
pass in quick on msk0 proto tcp from 1.2.3.5 to any port = 80 flags S keep state
# --------------------------------------------------------------------
# Allow secure http from selected addresses.
pass in quick on msk0 proto tcp from 1.2.3.4 to any port = 443 flags S keep state
pass in quick on msk0 proto tcp from 1.2.3.5 to any port = 443 flags S keep state
# --------------------------------------------------------------------
# Copyright (C) 2011
# EOF
/************************************************************/
I add
/*******************/
lpd_enable="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"
/******************/
to /etc/rc.conf, I load the kernel module:
quadcore# kldload /boot/kernel/ipl.ko
I verify it is working with
# ipf -V
quadcore# ipf -Fa -f /etc/ipf.rules
Then I cannot browse :(
quadcore# ipfstat
bad packets: in 0 out 0
IPv6 packets: in 0 out 0
input packets: blocked 17 passed 14 nomatch 14 counted 0 short 0
output packets: blocked 68 passed 22 nomatch 22 counted 0 short 0
input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0 not fragmented 0
fragment state(out): kept 0 lost 0 not fragmented 0
packet state(in): kept 0 lost 0
packet state(out): kept 0 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 10 (out): 0
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 574
Packet log flags set: (0)
none
But I have to stop the firewall
ipf -D
and run
# ifconfig msk0 up
and I can browse. My best guess is that there is a problem with IPv6
and IPv4, but I don't know how to troubleshoot this. I had generated
the script a while ago, but I got errors; I did not know that the
kernel module had to be loaded:
# kldload /boot/kernel/ipl.ko
verify that it is working with
# ipf -V
I read this over at these pages:
http://manuuus.co.in/configure-ipf-firewall-in-freebsd/
http://www.pc-freak.net/handbook/firewalls-ipf.html
I know about ipfw too [thanks Polytropon, I have the simple setup you
suggested, but on a school machine], and this time I tried the script,
which also is very good, but I have a little problem.
Is there anything I have to do, like turn on IPv6, to be able to
browse? How do I check which version I have?
Thanks for advice given.
Regards,
Antonio
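A small rule evaluator, added here as an example and not part of Antonio's mail or of the make-ipf-rules script, that applies IPF's matching order (the last matching rule wins unless a matching rule is quick, and a packet that matches nothing is passed) to an excerpt of the ruleset above. It assumes a home LAN where the gateway and resolver sit at 192.168.1.1 and the FreeBSD box at 192.168.1.20 (both constructed addresses), to show which rule an outbound packet ends up hitting.

```python
import ipaddress

# Excerpt of the generated ipf.rules from the post, in the original order
# (constructed subset; the real file has more lines).
RULES_TEXT = """
block in quick on msk0 proto udp from any to any port = 68
block in log on msk0 all
block out log on msk0 all
block out quick on msk0 from any to 192.168.0.0/16
pass out quick on msk0 proto tcp from any to any flags S keep state
pass out quick on msk0 proto udp from any to any keep state
"""

def parse_rule(line):
    """Extract the fields this evaluator understands; flags/state are ignored."""
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "text": line,
         "iface": None, "proto": None, "src": "any", "dst": "any", "dport": None}
    for key, kw in (("iface", "on"), ("proto", "proto"), ("src", "from"), ("dst", "to")):
        if kw in t:
            r[key] = t[t.index(kw) + 1]
    if "port" in t and t[t.index("port") + 1] == "=":
        r["dport"] = int(t[t.index("port") + 2])
    return r

def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def rule_matches(r, pkt):
    return (r["dir"] == pkt["dir"]
            and (r["iface"] is None or r["iface"] == pkt["iface"])
            and (r["proto"] is None or pkt["proto"] in r["proto"].split("/"))
            and addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])
            and (r["dport"] is None or r["dport"] == pkt["dport"]))

def evaluate(rules, pkt):
    """IPF ordering: the last matching rule wins, but a matching 'quick' rule
    ends the search; a packet matching no rule is passed (ipfstat 'nomatch')."""
    verdict = ("pass", "<no match: IPF default>")
    for r in rules:
        if rule_matches(r, pkt):
            verdict = (r["action"], r["text"])
            if r["quick"]:
                break
    return verdict

RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]

def packet(direction, proto, dst, dport, iface="msk0", src="192.168.1.20"):
    """Constructed packet; the LAN host 192.168.1.20 is an assumed address."""
    return {"dir": direction, "iface": iface, "proto": proto, "src": src, "dst": dst, "dport": dport}
```

Running `evaluate(RULES, packet("out", "udp", "192.168.1.1", 53))` returns the `block out quick ... 192.168.0.0/16` rule, while the same query to a public address reaches the `pass out quick ... proto udp` rule; the out-blocks of private space only hold up if the gateway and resolver are not themselves in that space.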