easy Firewall setup

Antonio Olivares olivares14031 at gmail.com
Sun Jul 31 16:15:31 UTC 2011 

> A> Is there an easy firewall setup available somewhere (like the one
> A> referenced below but for FreeBSD)?
>
>   Here's a script you can use to generate a rules file for IPF.
>
> --

Karl,

I have used your script and it generated me a nice ipf.rules file

/************* ipf.rules ********************/
quadcore# cat /etc/ipf.rules
# Generated by make-ipf-rules v1.10 at Sun Jul 31 10:42:21 CDT 2011
#
# NAME:
#    /etc/ipf.rules
#
# DESCRIPTION:
#    Ruleset for IPF packet filter.
#
# AUTHOR:
#    Antonio Olivares <olivares14031 at gmail.com>

# --------------------------------------------------------------------
# We don't care about NETBIOS broadcast crap, bootpc requests, or IGMP.
block in quick on msk0 proto udp  from any to any port = 68
block in quick on msk0 proto udp  from any to any port = 137
block in quick on msk0 proto udp  from any to any port = 138
block in quick on msk0 proto igmp from any to any

# --------------------------------------------------------------------
# Now block everything coming down the network.
block in  log  on msk0 all
block out log  on msk0 all

# --------------------------------------------------------------------
# Get rid of anything with options, as these can be used to hack.
block in  log quick     from any to any with ipopts

# --------------------------------------------------------------------
# Get rid of short TCP/IP fragments (too small for valid comparison)
# as these can be used to hack.
block in  log quick proto tcp from any to any with short

# --------------------------------------------------------------------
# Allow all traffic on loopback.
pass  in  quick on lo0 all
pass  out quick on lo0 all

# --------------------------------------------------------------------
# Block all the private routable addresses, as these should never
# come down the network, nor should we be talking to them.
block out quick on msk0 from any               to 192.168.0.0/16
block out quick on msk0 from any               to 172.16.0.0/12
block out quick on msk0 from any               to 127.0.0.0/8
block out quick on msk0 from any               to 10.0.0.0/8
block out quick on msk0 from any               to 0.0.0.0/8
block out quick on msk0 from any               to 169.254.0.0/16
block out quick on msk0 from any               to 192.0.2.0/24
block out quick on msk0 from any               to 204.152.64.0/23
block out quick on msk0 from any               to 224.0.0.0/3

block in  quick on msk0 from 192.168.0.0/16    to any
block in  quick on msk0 from 172.16.0.0/12     to any
block in  quick on msk0 from 10.0.0.0/8        to any
block in  quick on msk0 from 127.0.0.0/8       to any
block in  quick on msk0 from 0.0.0.0/8         to any
block in  quick on msk0 from 169.254.0.0/16    to any
block in  quick on msk0 from 192.0.2.0/24      to any
block in  quick on msk0 from 204.152.64.0/23   to any
block in  quick on msk0 from 224.0.0.0/3       to any

# --------------------------------------------------------------------
# Block and log portmapper attempts.
block in log quick on msk0 proto tcp/udp from any to any port = 111 keep state

# --------------------------------------------------------------------
# Allow outbound state related packets.
pass  out quick on msk0 proto tcp from any to any flags S keep state
pass  out quick on msk0 proto udp from any to any keep state

# --------------------------------------------------------------------
# Allow ping and traceroute.  Since we're doing everything quick,
# we must have passes before blocks.
pass  in quick on msk0 proto icmp from any to any icmp-type  0 keep state
pass  in quick on msk0 proto icmp from any to any icmp-type  8 keep state
pass  in quick on msk0 proto icmp from any to any icmp-type 11 keep state
pass out quick on msk0 proto icmp from any to any icmp-type  0 keep state
pass out quick on msk0 proto icmp from any to any icmp-type  8 keep state
pass out quick on msk0 proto icmp from any to any icmp-type 11 keep state
block in log quick on msk0 proto icmp from any to any

# --------------------------------------------------------------------
# Allow DNS; should this be just from nameservers?
pass in quick on msk0 proto tcp from any to any port = 53 flags S keep state
pass in quick on msk0 proto udp from any to any port = 53 keep state

# --------------------------------------------------------------------
# Allow ssh and mail from anywhere: tcpserver filters addresses
pass in quick on msk0 proto tcp from any to any port = 22 flags S keep state
pass in quick on msk0 proto tcp from any to any port = 25 flags S keep state

# --------------------------------------------------------------------
# Allow http from selected addresses.
pass in quick on msk0 proto tcp from 1.2.3.4 to any port = 80 flags S keep state
pass in quick on msk0 proto tcp from 1.2.3.5 to any port = 80 flags S keep state

# --------------------------------------------------------------------
# Allow secure http from selected addresses.
pass in quick on msk0 proto tcp from 1.2.3.4 to any port = 443 flags S
keep state
pass in quick on msk0 proto tcp from 1.2.3.5 to any port = 443 flags S
keep state

# --------------------------------------------------------------------
# Copyright (C) 2011
# EOF
/************************************************************/

I add
/*******************/
lpd_enable="YES"
ipfilter_enable="YES"
ipfileter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"
/******************/
to /etc/rc.conf, I load the kernel module:

quadcore# kldload /boot/kernel/ipl.ko

I verify it is working:

with # ipf -V


quadcore# ipf -Fa -f /etc/ipf.rules

Then I cannot browse :(


quadcore# ipfstat
bad packets:		in 0	out 0
 IPv6 packets:		in 0 out 0
 input packets:		blocked 17 passed 14 nomatch 14 counted 0 short 0
output packets:		blocked 68 passed 22 nomatch 22 counted 0 short 0
 input packets logged:	blocked 0 passed 0
output packets logged:	blocked 0 passed 0
 packets logged:	input 0 output 0
 log failures:		input 0 output 0
fragment state(in):	kept 0	lost 0	not fragmented 0
fragment state(out):	kept 0	lost 0	not fragmented 0
packet state(in):	kept 0	lost 0
packet state(out):	kept 0	lost 0
ICMP replies:	0	TCP RSTs sent:	0
Invalid source(in):	0
Result cache hits(in):	10	(out):	0
IN Pullups succeeded:	0	failed:	0
OUT Pullups succeeded:	0	failed:	0
Fastroute successes:	0	failures:	0
TCP cksum fails(in):	0	(out):	0
IPF Ticks:	574
Packet log flags set: (0)
	none


But I have to stop the firewall

ipf -D

and run
# ifconfig msk0 up

and I can browse.  My best guess is that there is a problem with ipv6
and ipv4, but I don't know how to troubleshoot this.  I had generated
the script a while ago but I got errors, I did not know that the
kernel module had to be loaded:

# kldload /boot/kernel/ipl.ko
verify that it is working with
# ipf -V

I read this over at these pages:

http://manuuus.co.in/configure-ipf-firewall-in-freebsd/

http://www.pc-freak.net/handbook/firewalls-ipf.html

I know about ipfw too[Thanks Polytropon, I have simple setup you
suggested but at school machine], and this time I tried the script
which also is very good, but I have little problem.

Is there anything I have to do, like turn on ipv6 to be able to
browse?  how do I check which version I have?

Thanks for advice given.

Regards,

Antonio

More information about the freebsd-questions mailing list