FreeBSD Setting up Firewall using IPFW
Q. I'm new to FreeBSD and am trying to configure the firewall using IPFW, but I'm having a hard time understanding it as compare to Linux. Can you provide a small example on how to go about setting up the rules for a typical FreeBSD based Apache Web server?
A. Ipfirewall (ipfw) is a FreeBSD IP packet filter and traffic accounting facility.
IPFW is included in the basic FreeBSD install as a separate run time loadable module. The system will dynamically load the kernel module when the rc.conf statement firewall_enable="YES" is used.
FreeBSD compile kernel for IPFW
This step is optional. You do not need to compile IPFW into the FreeBSD kernel unless you want NAT function enabled. However some old version may not have IPFW compiled. Here is a quick guide to compile kernel with IPFW.
Make sure IPFW support not compiled into the kernel:
#ipfw list
If you get an error that read as follows, you must now compile the source code for the kernel.
ipfw: getsockopt(IP_FW_GET): Protocol not available
Another option is open default kernel config file /usr/src/sys/i386/conf and look for IPFIREWALL option:
# grep IPFIREWALL /usr/src/sys/i386/conf
Building and Installing a Custom Kernel with IPFW
Copy default kernel file:
# cd /usr/src/sys/i386/conf
# cp GENERIC IPFWKERNEL
Add IPFW support:
# vi IPFWKERNEL
Append following directives:
options IPFIREWALL # required for IPFW
options IPFIREWALL_VERBOSE # optional; logging
options IPFIREWALL_VERBOSE_LIMIT=10 # optional; don't get too many log entries
options IPDIVERT # needed for natd
Save and close the file. Building a Kernel, type following commnds:
# cd /usr/src
# make buildkernel KERNCONF=IPFWKERNEL
Install the new kernel:
# make installkernel KERNCONF=IPFWKERNEL
Now reboot the system:
# reboot
Step # 1: Enabling IPFW
Open /etc/rc.conf file
# vi /etc/rc.conf
Append following settings:
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
Save and close the file..
Step # 2 Write a Firewall Rule Script
You need to place a firewall rules in a script called /usr/local/etc/ipfw.rule:
# vi /usr/local/etc/ipfw.rules
Append following code:
IPF="ipfw -q add" ipfw -q -f flush #loopback $IPF 10 allow all from any to any via lo0 $IPF 20 deny all from any to 127.0.0.0/8 $IPF 30 deny all from 127.0.0.0/8 to any $IPF 40 deny tcp from any to any frag # statefull $IPF 50 check-state $IPF 60 allow tcp from any to any established $IPF 70 allow all from any to any out keep-state $IPF 80 allow icmp from any to any # open port ftp (20,21), ssh (22), mail (25) # http (80), dns (53) etc $IPF 110 allow tcp from any to any 21 in $IPF 120 allow tcp from any to any 21 out $IPF 130 allow tcp from any to any 22 in $IPF 140 allow tcp from any to any 22 out $IPF 150 allow tcp from any to any 25 in $IPF 160 allow tcp from any to any 25 out $IPF 170 allow udp from any to any 53 in $IPF 175 allow tcp from any to any 53 in $IPF 180 allow udp from any to any 53 out $IPF 185 allow tcp from any to any 53 out $IPF 200 allow tcp from any to any 80 in $IPF 210 allow tcp from any to any 80 out # deny and log everything $IPF 500 deny log all from any to any
Save and close the file.
Step # 3: Start a firewall
You can reboot the box or you could reload these rules by entering on the command line.
# sh /usr/local/etc/ipfw.rules
Task: List all the rules in sequence
Type the following command:
# ipfw list
Further readings:
- Refer ipfw man page
- Read IPFW chapter from FreeBSD handbook
- Read the FreeBSD kernel configuration file format chapter from FreeBSD handbook
Updated for accuracy.
Subscribe to our free e-mail newsletter or RSS feed to get all updates.
You can Email this page to a friend.
Related Linux / UNIX FAQ:
- Start Iptables under Linux
- How do I Load / Start RHEL / CentOS / Fedora Linux Iptables Firewall on Computer Boot?
- Block ip address of spammers with iptables under Linux
- Howto disable the iptables firewall in Linux
- Iptables setup masquerading for Linux firewall
Discussion on This FAQ
Leave a Reply
We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Please do not use the comment form to ask for help / question. Ask your question on the excellent Linux tech support forum. Thank you very much for stopping by our site!
~ Last updated on: August 21, 2007
June 28th, 2007 at 12:12 pm
Here is my script..
# Set this to your ip address. ip="192.168.1.5" fwcmd="ipfw" setup_loopback # Allow anything outbound from this address. ${fwcmd} add allow all from ${ip} to any out # Deny anything outbound from other addresses. ${fwcmd} add deny log all from any to any out # Allow TCP through if setup succeeded. ${fwcmd} add allow tcp from any to any established # Allow IP fragments to pass through. ${fwcmd} add allow all from any to any frag # Allow all IPv6 packets through - they are handled by the separate # ipv6 firewall rules in rc.firewall6. ${fwcmd} add allow ipv6 from any to any # Allow inbound ftp, ssh, email, tcp-dns, http, https, imap, imaps, # pop3, pop3s. ${fwcmd} add allow tcp from any to ${ip} 21 setup ${fwcmd} add allow tcp from any to ${ip} 22 setup ${fwcmd} add allow tcp from any to ${ip} 222 setup ${fwcmd} add allow tcp from any to ${ip} 25 setup ${fwcmd} add allow tcp from any to ${ip} 53 setup ${fwcmd} add allow tcp from any to ${ip} 80 setup ${fwcmd} add allow tcp from any to ${ip} 443 setup ${fwcmd} add allow tcp from any to ${ip} 143 setup ${fwcmd} add allow tcp from any to ${ip} 993 setup ${fwcmd} add allow tcp from any to ${ip} 110 setup ${fwcmd} add allow tcp from any to ${ip} 995 setup # Deny inbound auth, netbios, ldap, and Microsoft's DB protocol # without logging. ${fwcmd} add reset tcp from any to ${ip} 113 setup ${fwcmd} add reset tcp from any to ${ip} 139 setup ${fwcmd} add reset tcp from any to ${ip} 389 setup ${fwcmd} add reset tcp from any to ${ip} 445 setup # Deny some chatty UDP broadcast protocols without logging. ${fwcmd} add deny udp from any 137 to any ${fwcmd} add deny udp from any to any 137 ${fwcmd} add deny udp from any 138 to any ${fwcmd} add deny udp from any 513 to any ${fwcmd} add deny udp from any 525 to any # Allow inbound DNS and NTP replies. This is somewhat of a hole, # since we're looking at the incoming port number, which can be # faked, but that's just the way DNS and NTP work. ${fwcmd} add allow udp from any 53 to ${ip} ${fwcmd} add allow udp from any 123 to ${ip} # Allow inbound DNS queries. ${fwcmd} add allow udp from any to ${ip} 53 # Allow inbound NTP queries. ${fwcmd} add allow udp from any to ${ip} 123 # Allow traceroute to function, but not to get in. ${fwcmd} add unreach port udp from any to ${ip} 33435-33524 # Allow some inbound icmps - echo reply, dest unreach, source quench, # echo, ttl exceeded. ${fwcmd} add allow icmp from any to any icmptypes 0,3,4,8,11 # Everything else is denied and logged. ${fwcmd} add deny log all from any to anyHave a fun
July 3rd, 2007 at 12:36 pm
Nice guide.
July 3rd, 2007 at 1:27 pm
Two previous posters mention you might want to compile the firewall into the kernel to allow NAT. For beginners, the reason you might want NAT is if your firewall is protecting a LAN. If your FreeBSD machine is a stand-alone machine, or you have another computer or black-box device protecting your lan, then you don’t need this feature. (The two example firewall config scripts assume this state of affairs!)
If you do have a LAN you need to protect, look at the example firewall script that comes with FreeBSD in /etc/rc.firewall and examine the “Simple” configuration… that’s a good starting point for a firewall protecting a LAN.
July 25th, 2007 at 9:25 am
Nice article, this got me started with the FreeBSD firewall.
A few remarks for improvement:
(starting with your text, followed by the improvement)
1)
Make sure IPFW support not compiled
#ipfw list
>> Please replace with:
Make sure IPFW support not compiled into the kernel:
#ipfw list
2)
# vi /usr/local/etc/ipfw.rule
>> should read:
# vi /usr/local/etc/ipfw.rules
3)
Append following settings:
firewall_enable=”YES”
firewall_script=”YES”
firewall_script=”/usr/local/etc/ipfw.rules”
>> The ‘firewall_script=”YES”‘ should be removed.
4)
# open port ftp (21,22), ssh (22), mail (25)
>> should be
# open port ftp (20,21), ssh (22), mail (25)
Further.., big thanx!,
Tux821
August 14th, 2007 at 3:06 pm
hi all, i want to ask
fbsdguru, is you ip 192.168.1.5 facing the internet? mine have 2 ether, 1 assigned ip from NAP, and 1 assigned ip for main router of my network (ISP). is your script compatible for my network design? assume that ether which facing public is dc0 and ether for main router is vr0, any suggestion for best firewall on my machine?
thanks before, sorry for bad english.
October 27th, 2007 at 11:22 pm
Please make note that you can run IPFW & NATD on FreeBSD-6.x without recompiling anything into your computer. The docs keep making reference that you will need to recompile your kernel if you want NATD. I have my system running and it’s using the GENERIC kernel. Both IPFW and NATD work just fine without recompiling the kernel.
FreeBSD docs are often out of date and can send you down the wrong road.
November 10th, 2007 at 9:11 pm
What about blocking Nmap?
01100 deny ip from any to any ipoptions rr
01110 deny ip from any to any ipoptions ts
01120 deny ip from any to any ipoptions lsrr
01130 deny ip from any to any ipoptions ssrr
01140 deny tcp from any to any tcpflags syn,fin
01150 deny tcp from any to any tcpflags syn,rst
February 10th, 2008 at 9:13 am
I tried both the scripts. Both the scripts bolck http requests and the bsd cannot resolve any DNS queries once they are executed. The moment I open up the firewall everything goes through.
I could not achieve browsing with the script in place. Maybe I am doing something wrong…..
My public IP is 81.155.30.2 and my internal Network is 172.16.0.0
FreeBSD is 6.10
April 17th, 2008 (5 weeks ago) at 3:46 am
hi! I need help regarding ipfw. i’m a newbie to freebsd. I want my freebsd to be the gateway of my WLAN to the internet. I also want to authenticate each user through a database. Can anyone help me?
I just need it for my case study in school.
here’s my email for those who want to help:
relch2k7@yahoo.com
thanks!