<?xml version="1.0" encoding="UTF-8"?><rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
> <channel><title>Comments on: FreeBSD Setting up Firewall using IPFW</title> <atom:link href="http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/feed/" rel="self" type="application/rss+xml" /><link>http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/</link> <description>Every answer asks a more beautiful question.</description> <lastBuildDate>Fri, 10 Feb 2012 19:55:56 +0000</lastBuildDate> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <item><title>By: Fritz</title><link>http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-62275</link> <dc:creator>Fritz</dc:creator> <pubDate>Fri, 09 Sep 2011 02:01:17 +0000</pubDate> <guid
isPermaLink="false">http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-62275</guid> <description>I need help: how do I do the step &quot;Save and close the file. Building a Kernel, type following commands:&quot;? I feel like I am doing something wrong, please help.</description> <content:encoded><![CDATA[<p>I need help: how do I do the step "Save and close the file. Building a Kernel, type following commands:"? I feel like I am doing something wrong, please help.</p> ]]></content:encoded> </item> <item><title>By: jason</title><link>http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-54771</link> <dc:creator>jason</dc:creator> <pubDate>Sat, 08 Jan 2011 18:53:15 +0000</pubDate> <guid
isPermaLink="false">http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-54771</guid> <description>Dumb question... in the comments it says that port 20 is being opened but I don&#039;t see a rule set... since I have set up IPFW I have major pain getting file listings in FTP GUI programs</description> <content:encoded><![CDATA[<p>Dumb question&#8230; in the comments it says that port 20 is being opened but I don&#8217;t see a rule set&#8230; since I have set up IPFW I have major pain getting file listings in FTP GUI programs</p> ]]></content:encoded> </item> <item><title>By: Ivan Carrasco Q.</title><link>http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-49054</link> <dc:creator>Ivan Carrasco Q.</dc:creator> <pubDate>Fri, 27 Aug 2010 03:23:19 +0000</pubDate> <guid
isPermaLink="false">http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-49054</guid> <description>Also modify the file /etc/sysctl.conf with:
#
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
net.link.ether.bridge=1
net.link.ether.bridge_ipfw=1
net.link.ether.bridge_cfg=vr0:1,re0:1
net.link.bridge.ipfw=1
#</description> <content:encoded><![CDATA[<p>Also modify the file /etc/sysctl.conf with:</p><p> #<br
/> net.inet.ip.fw.verbose=1<br
/> net.inet.ip.fw.verbose_limit=5<br
/> net.link.ether.bridge=1<br
/> net.link.ether.bridge_ipfw=1<br
/> net.link.ether.bridge_cfg=vr0:1,re0:1<br
/> net.link.bridge.ipfw=1<br
/> #</p> ]]></content:encoded> </item> <item><title>By: Ivan Carrasco Q.</title><link>http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-49053</link> <dc:creator>Ivan Carrasco Q.</dc:creator> <pubDate>Fri, 27 Aug 2010 03:18:26 +0000</pubDate> <guid
isPermaLink="false">http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-49053</guid> <description>just add this to /etc/rc.conf
ifconfig_re1=&quot;inet 190.93.224.XXX netmask 255.255.240.0&quot;
defaultrouter=&quot;190.93.224.1&quot;
firewall_enable=&quot;YES&quot;
firewall_script=&quot;/etc/prueba2&quot;
firewall_type=&quot;open&quot;</description> <content:encoded><![CDATA[<p>just add this to /etc/rc.conf<br
/> ifconfig_re1="inet 190.93.224.XXX netmask 255.255.240.0"<br
/> defaultrouter="190.93.224.1"<br
/> firewall_enable="YES"<br
/> firewall_script="/etc/prueba2"<br
/> firewall_type="open"</p> ]]></content:encoded> </item> <item><title>By: Ivan Carrasco Q.</title><link>http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-48787</link> <dc:creator>Ivan Carrasco Q.</dc:creator> <pubDate>Sat, 14 Aug 2010 04:45:14 +0000</pubDate> <guid
isPermaLink="false">http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-48787</guid> <description>Another post /etc/rc.conf
&lt;pre&gt;
#--sysinstall generated deltas -- # Wed Oct 29 22:56:03 2008
# Created: Wed Oct 29 22:56:03 2008
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
#cloned_interfaces=&quot;bridge0 bge0 bge1&quot;
#autobridge_interfaces=&quot;bridge0&quot;
#autobridge_bridge0=&quot;bge*&quot;
#ifconfig_bridge0=&quot;10.192.0.69 netmask 0xffff0000&quot;
cloned_interfaces=&quot;vlan24090 vlan24091 vlan3960 vlan3961 vlan19030 vlan19031 vlan19040 vlan19041&quot;
ifconfig_bge0=&quot;up&quot;
ifconfig_bge1=&quot;up&quot;
ifconfig_vlan24090=&quot;vlan 2409 vlandev bge0&quot;
ifconfig_vlan3960=&quot;vlan 396 vlandev bge0&quot;
ifconfig_vlan24091=&quot;vlan 2409 vlandev bge1&quot;
ifconfig_vlan3961=&quot;vlan 396 vlandev bge1&quot;
ifconfig_vlan19040=&quot;vlan 1904 vlandev bge0&quot;
ifconfig_vlan19030=&quot;vlan 1903 vlandev bge0&quot;
ifconfig_vlan19041=&quot;vlan 1904 vlandev bge1&quot;
ifconfig_vlan19031=&quot;vlan 1903 vlandev bge1&quot;
cloned_interfaces=&quot;bridge0 vlan24090 vlan24091 bridge1 vlan3960 vlan3961 bridge2 vlan19030 vlan19031 bridge3 vlan19040 vlan19041&quot;
ifconfig_bridge0=&quot;addm vlan24090 addm vlan24091 up&quot;
ifconfig_bridge1=&quot;addm vlan3960 addm vlan3961 up&quot;
ifconfig_bridge2=&quot;addm vlan19030 addm vlan19031 up&quot;
ifconfig_bridge3=&quot;addm vlan19040 addm vlan19041 up&quot;
ifconfig_bge0=&quot;10.192.0.69 netmask 0xffff0000&quot;
linux_enable=&quot;YES&quot;
sshd_enable=&quot;YES&quot;
&lt;/pre&gt;</description> <content:encoded><![CDATA[<p>Another post /etc/rc.conf</p><pre>
#--sysinstall generated deltas -- # Wed Oct 29 22:56:03 2008
# Created: Wed Oct 29 22:56:03 2008
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
#cloned_interfaces="bridge0 bge0 bge1"
#autobridge_interfaces="bridge0"
#autobridge_bridge0="bge*"
#ifconfig_bridge0="10.192.0.69 netmask 0xffff0000"
cloned_interfaces="vlan24090 vlan24091 vlan3960 vlan3961 vlan19030 vlan19031 vlan19040 vlan19041"
ifconfig_bge0="up"
ifconfig_bge1="up"
ifconfig_vlan24090="vlan 2409 vlandev bge0"
ifconfig_vlan3960="vlan 396 vlandev bge0"
ifconfig_vlan24091="vlan 2409 vlandev bge1"
ifconfig_vlan3961="vlan 396 vlandev bge1"
ifconfig_vlan19040="vlan 1904 vlandev bge0"
ifconfig_vlan19030="vlan 1903 vlandev bge0"
ifconfig_vlan19041="vlan 1904 vlandev bge1"
ifconfig_vlan19031="vlan 1903 vlandev bge1"
cloned_interfaces="bridge0 vlan24090 vlan24091 bridge1 vlan3960 vlan3961 bridge2 vlan19030 vlan19031 bridge3 vlan19040 vlan19041"
ifconfig_bridge0="addm vlan24090 addm vlan24091 up"
ifconfig_bridge1="addm vlan3960 addm vlan3961 up"
ifconfig_bridge2="addm vlan19030 addm vlan19031 up"
ifconfig_bridge3="addm vlan19040 addm vlan19041 up"
ifconfig_bge0="10.192.0.69 netmask 0xffff0000"
linux_enable="YES"
sshd_enable="YES"
</pre>]]></content:encoded> </item> <item><title>By: Iván Carrasco Q.</title><link>http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-48703</link> <dc:creator>Iván Carrasco Q.</dc:creator> <pubDate>Mon, 09 Aug 2010 20:52:53 +0000</pubDate> <guid
isPermaLink="false">http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-48703</guid> <description>I just wanted to share my script in this post. I have configured a machine working as a traffic shaper with 4 kinds of clients, up/down, national/international bandwidth, and also unlimited clients:
&lt;pre&gt;
#!/bin/sh
fw=&quot;/sbin/ipfw&quot;
#Default traffic
BWNAC=&quot;2048KBit/s&quot;
BWINT=&quot;1024KBit/s&quot;
#Plans
BW1NAC=&quot;600KBit/s&quot;
BW1INT=&quot;250KBit/s&quot;
BW2NAC=&quot;1024KBit/s&quot;
BW2INT=&quot;450KBit/s&quot;
BW3NAC=&quot;2048KBit/s&quot;
BW3INT=&quot;950KBit/s&quot;
##IPs
#IP600 with plan BW1
IP600=&quot;{ 190.93.239.0/24 }&quot;
#IP1024 with plan BW2
IP1024=&quot;{ 190.93.225.0/24 or 190.93.226.0/23 or 190.93.228.0/22 or 190.93.232.0/23 or 190.93.234.0/24 or 200.73.215.0{0-124} or 200.73.213.0{1-254} or 200.73.214.0{0-254} or 200.73.212.0{100-255} }&quot;
#IP2048 with plan BW3
IP2048=&quot;{ 190.93.235.0/24 or 190.93.236.0/23 or 190.93.238.0/24 or 200.73.215.0{125-254} }&quot;
IPNOCUT=&quot;{ 190.93.224.0/24 or 200.73.208.0{1-69} }&quot;
$fw -f flush
$fw -f pipe flush
$fw -f queue flush
$fw enable one_pass
$fw add 10 check-state
$fw add 100 allow ip from any to any via lo0
$fw add 200 allow ip from any to 127.0.0.1/8
$fw add 300 allow ip from 127.0.0.1/8 to any
$fw add 540 deny ip from any to any frag in
$fw add 600 allow all from ${IPNOCUT} to any
$fw add 700 allow all from any to ${IPNOCUT}
$fw pipe 1 config buckets 2048 mask src-ip 0xffffffff bw ${BWNAC}
$fw pipe 2 config buckets 2048 mask dst-ip 0xffffffff bw ${BWNAC}
$fw pipe 3 config buckets 2048 mask src-ip 0xffffffff bw ${BWNAC}
$fw pipe 4 config buckets 2048 mask dst-ip 0xffffffff bw ${BWNAC}
$fw pipe 7 config buckets 2048 mask src-ip 0xffffffff bw ${BWINT}
$fw pipe 8 config buckets 2048 mask dst-ip 0xffffffff bw ${BWINT}
$fw pipe 9 config buckets 2048 mask src-ip 0xffffffff bw ${BWNAC}
$fw pipe 10 config buckets 2048 mask dst-ip 0xffffffff bw ${BWNAC}
#
$fw pipe 21 config buckets 2048 mask src-ip 0xffffffff bw ${BW1NAC}
$fw pipe 22 config buckets 2048 mask dst-ip 0xffffffff bw ${BW1NAC}
$fw pipe 23 config buckets 2048 mask src-ip 0xffffffff bw ${BW1INT}
$fw pipe 24 config buckets 2048 mask dst-ip 0xffffffff bw ${BW1INT}
#
$fw pipe 31 config buckets 2048 mask src-ip 0xffffffff bw ${BW2NAC}
$fw pipe 32 config buckets 2048 mask dst-ip 0xffffffff bw ${BW2NAC}
$fw pipe 33 config buckets 2048 mask src-ip 0xffffffff bw ${BW2INT}
$fw pipe 34 config buckets 2048 mask dst-ip 0xffffffff bw ${BW2INT}
#
$fw pipe 41 config buckets 2048 mask src-ip 0xffffffff bw ${BW3NAC}
$fw pipe 42 config buckets 2048 mask dst-ip 0xffffffff bw ${BW3NAC}
$fw pipe 43 config buckets 2048 mask src-ip 0xffffffff bw ${BW3INT}
$fw pipe 44 config buckets 2048 mask dst-ip 0xffffffff bw ${BW3INT}
#
$fw add 1460 allow all from $IPNOCUT to any out xmit bridge0
$fw add 1480 allow all from any to $IPNOCUT in recv bridge0
$fw add 1560 allow all from $IPNOCUT to any out xmit bridge1
$fw add 1580 allow all  from any to $IPNOCUT in recv bridge1
#
####### 600 Permissions per bridge #################################
$fw add 4660 pipe 21 all from ${IP600} to any out xmit bridge0
$fw add 4680 pipe 22 all from any to ${IP600} in recv bridge0
$fw add 4760 pipe 21 all from ${IP600} to any out xmit bridge1
$fw add 4780 pipe 22 all  from any to ${IP600} in recv bridge1
####### 1024 Permissions per bridge #################################
$fw add 4660 pipe 31 all from ${IP1024} to any out xmit bridge0
$fw add 4680 pipe 32 all from any to ${IP1024} in recv bridge0
$fw add 4760 pipe 31 all from ${IP1024} to any out xmit bridge1
$fw add 4780 pipe 32 all  from any to ${IP1024} in recv bridge1
####### 2048 Permissions per bridge #################################
$fw add 4660 pipe 41 all from ${IP2048} to any out xmit bridge0
$fw add 4680 pipe 42 all from any to ${IP2048} in recv bridge0
$fw add 4760 pipe 41 all from ${IP2048} to any out xmit bridge1
$fw add 4780 pipe 42 all  from any to ${IP2048} in recv bridge1
#
$fw add 4860 pipe 3 all from any to any out xmit bridge0
$fw add 4880 pipe 4 all from any to any in recv bridge0
$fw add 4960 pipe 3 all from any to any out xmit bridge1
$fw add 4980 pipe 4 all  from any to any in recv bridge1
############# 600 Permissions per interface  ######################
$fw add 24260 pipe 21 all from ${IP600} to any in via bge0
$fw add 24270 pipe 22 all from any to ${IP600} out via bge0
$fw add 24280 pipe 22 all from ${IP600} to any in via bge1
$fw add 24290 pipe 21 all from any to ${IP600} out via bge1
############# 1024 Permissions per interface  ######################
$fw add 24260 pipe 31 all from ${IP1024} to any in via bge0
$fw add 24270 pipe 32 all from any to ${IP1024} out via bge0
$fw add 24280 pipe 32 all from ${IP1024} to any in via bge1
$fw add 24290 pipe 31 all from any to ${IP1024} out via bge1
############# 2048 Permissions per interface  ######################
$fw add 24260 pipe 41 all from ${IP2048} to any in via bge0
$fw add 24270 pipe 42 all from any to ${IP2048} out via bge0
$fw add 24280 pipe 42 all from ${IP2048} to any in via bge1
$fw add 24290 pipe 41 all from any to ${IP2048} out via bge1
#
$fw add 25260 pipe 1 all from any to any in via bge0
$fw add 25270 pipe 2 all from any to any out via bge0
$fw add 25280 pipe 2 all from any to any in via bge1
$fw add 25290 pipe 1 all from any to any out via bge1
############# 600 Permissions per international VLAN  ############
$fw add 35260 pipe 24 all from ${IP600} to any out via vlan24090
$fw add 35270 pipe 23 all from any to ${IP600} in via vlan24090
$fw add 35280 pipe 24 all from ${IP600} to any in via vlan24091
$fw add 35290 pipe 23 all from any to ${IP600} out via vlan24091
############# 1024 Permissions per international VLAN  ############
$fw add 35260 pipe 34 all from ${IP1024} to any out via vlan24090
$fw add 35270 pipe 33 all from any to ${IP1024} in via vlan24090
$fw add 35280 pipe 34 all from ${IP1024} to any in via vlan24091
$fw add 35290 pipe 33 all from any to ${IP1024} out via vlan24091
############# 2048 Permissions per international VLAN  ############
$fw add 35260 pipe 44 all from ${IP2048} to any out via vlan24090
$fw add 35270 pipe 43 all from any to ${IP2048} in via vlan24090
$fw add 35280 pipe 44 all from ${IP2048} to any in via vlan24091
$fw add 35290 pipe 43 all from any to ${IP2048} out via vlan24091
#
$fw add 36260 pipe 7 all from any to any in via vlan24090
$fw add 36270 pipe 8 all from any to any out via vlan24090
$fw add 36280 pipe 8 all from any to any in via vlan24091
$fw add 36290 pipe 7 all from any to any out via vlan24091
############# 600 Permissions per national VLAN  #################
$fw add 47260 pipe 21 all from ${IP600} to any out via vlan3960
$fw add 47270 pipe 22 all from any to ${IP600} in  via vlan3960
$fw add 47280 pipe 22 all from ${IP600} to any in via vlan3961
$fw add 47290 pipe 21 all from any to ${IP600} out via vlan3961
############# 1024 Permissions per national VLAN  #################
$fw add 47260 pipe 31 all from ${IP1024} to any out via vlan3960
$fw add 47270 pipe 32 all from any to ${IP1024} in  via vlan3960
$fw add 47280 pipe 32 all from ${IP1024} to any in via vlan3961
$fw add 47290 pipe 31 all from any to ${IP1024} out via vlan3961
############# 2048 Permissions per national VLAN  #################
$fw add 47260 pipe 41 all from ${IP2048} to any out via vlan3960
$fw add 47270 pipe 42 all from any to ${IP2048} in  via vlan3960
$fw add 47280 pipe 42 all from ${IP2048} to any in via vlan3961
$fw add 47290 pipe 41 all from any to ${IP2048} out via vlan3961
#
$fw add 47260 pipe 10 all from any to any in via vlan3960
$fw add 47270 pipe 9 all from any to any out via vlan3960
$fw add 47280 pipe 10 all from any to any in via vlan3961
$fw add 47290 pipe 9 all from any to any out via vlan3961
#
$fw add 60000 allow ip from any to any
#
##################################################
&lt;/pre&gt;</description> <content:encoded><![CDATA[<p>I just wanted to share my script in this post. I have configured a machine working as a traffic shaper with 4 kinds of clients, up/down, national/international bandwidth, and also unlimited clients:</p><pre>
#!/bin/sh
fw="/sbin/ipfw"
#Default traffic
BWNAC="2048KBit/s"
BWINT="1024KBit/s"
#Plans
BW1NAC="600KBit/s"
BW1INT="250KBit/s"
BW2NAC="1024KBit/s"
BW2INT="450KBit/s"
BW3NAC="2048KBit/s"
BW3INT="950KBit/s"
##IPs
#IP600 with plan BW1
IP600="{ 190.93.239.0/24 }"
#IP1024 with plan BW2
IP1024="{ 190.93.225.0/24 or 190.93.226.0/23 or 190.93.228.0/22 or 190.93.232.0/23 or 190.93.234.0/24 or 200.73.215.0{0-124} or 200.73.213.0{1-254} or 200.73.214.0{0-254} or 200.73.212.0{100-255} }"
#IP2048 with plan BW3
IP2048="{ 190.93.235.0/24 or 190.93.236.0/23 or 190.93.238.0/24 or 200.73.215.0{125-254} }"
IPNOCUT="{ 190.93.224.0/24 or 200.73.208.0{1-69} }"
$fw -f flush
$fw -f pipe flush
$fw -f queue flush
$fw enable one_pass
$fw add 10 check-state
$fw add 100 allow ip from any to any via lo0
$fw add 200 allow ip from any to 127.0.0.1/8
$fw add 300 allow ip from 127.0.0.1/8 to any
$fw add 540 deny ip from any to any frag in
$fw add 600 allow all from ${IPNOCUT} to any
$fw add 700 allow all from any to ${IPNOCUT}
$fw pipe 1 config buckets 2048 mask src-ip 0xffffffff bw ${BWNAC}
$fw pipe 2 config buckets 2048 mask dst-ip 0xffffffff bw ${BWNAC}
$fw pipe 3 config buckets 2048 mask src-ip 0xffffffff bw ${BWNAC}
$fw pipe 4 config buckets 2048 mask dst-ip 0xffffffff bw ${BWNAC}
$fw pipe 7 config buckets 2048 mask src-ip 0xffffffff bw ${BWINT}
$fw pipe 8 config buckets 2048 mask dst-ip 0xffffffff bw ${BWINT}
$fw pipe 9 config buckets 2048 mask src-ip 0xffffffff bw ${BWNAC}
$fw pipe 10 config buckets 2048 mask dst-ip 0xffffffff bw ${BWNAC}
#
$fw pipe 21 config buckets 2048 mask src-ip 0xffffffff bw ${BW1NAC}
$fw pipe 22 config buckets 2048 mask dst-ip 0xffffffff bw ${BW1NAC}
$fw pipe 23 config buckets 2048 mask src-ip 0xffffffff bw ${BW1INT}
$fw pipe 24 config buckets 2048 mask dst-ip 0xffffffff bw ${BW1INT}
#
$fw pipe 31 config buckets 2048 mask src-ip 0xffffffff bw ${BW2NAC}
$fw pipe 32 config buckets 2048 mask dst-ip 0xffffffff bw ${BW2NAC}
$fw pipe 33 config buckets 2048 mask src-ip 0xffffffff bw ${BW2INT}
$fw pipe 34 config buckets 2048 mask dst-ip 0xffffffff bw ${BW2INT}
#
$fw pipe 41 config buckets 2048 mask src-ip 0xffffffff bw ${BW3NAC}
$fw pipe 42 config buckets 2048 mask dst-ip 0xffffffff bw ${BW3NAC}
$fw pipe 43 config buckets 2048 mask src-ip 0xffffffff bw ${BW3INT}
$fw pipe 44 config buckets 2048 mask dst-ip 0xffffffff bw ${BW3INT}
#
$fw add 1460 allow all from $IPNOCUT to any out xmit bridge0
$fw add 1480 allow all from any to $IPNOCUT in recv bridge0
$fw add 1560 allow all from $IPNOCUT to any out xmit bridge1
$fw add 1580 allow all  from any to $IPNOCUT in recv bridge1
#
####### 600 Permissions per bridge #################################
$fw add 4660 pipe 21 all from ${IP600} to any out xmit bridge0
$fw add 4680 pipe 22 all from any to ${IP600} in recv bridge0
$fw add 4760 pipe 21 all from ${IP600} to any out xmit bridge1
$fw add 4780 pipe 22 all  from any to ${IP600} in recv bridge1
####### 1024 Permissions per bridge #################################
$fw add 4660 pipe 31 all from ${IP1024} to any out xmit bridge0
$fw add 4680 pipe 32 all from any to ${IP1024} in recv bridge0
$fw add 4760 pipe 31 all from ${IP1024} to any out xmit bridge1
$fw add 4780 pipe 32 all  from any to ${IP1024} in recv bridge1
####### 2048 Permissions per bridge #################################
$fw add 4660 pipe 41 all from ${IP2048} to any out xmit bridge0
$fw add 4680 pipe 42 all from any to ${IP2048} in recv bridge0
$fw add 4760 pipe 41 all from ${IP2048} to any out xmit bridge1
$fw add 4780 pipe 42 all  from any to ${IP2048} in recv bridge1
#
$fw add 4860 pipe 3 all from any to any out xmit bridge0
$fw add 4880 pipe 4 all from any to any in recv bridge0
$fw add 4960 pipe 3 all from any to any out xmit bridge1
$fw add 4980 pipe 4 all  from any to any in recv bridge1
############# 600 Permissions per interface  ######################
$fw add 24260 pipe 21 all from ${IP600} to any in via bge0
$fw add 24270 pipe 22 all from any to ${IP600} out via bge0
$fw add 24280 pipe 22 all from ${IP600} to any in via bge1
$fw add 24290 pipe 21 all from any to ${IP600} out via bge1
############# 1024 Permissions per interface  ######################
$fw add 24260 pipe 31 all from ${IP1024} to any in via bge0
$fw add 24270 pipe 32 all from any to ${IP1024} out via bge0
$fw add 24280 pipe 32 all from ${IP1024} to any in via bge1
$fw add 24290 pipe 31 all from any to ${IP1024} out via bge1
############# 2048 Permissions per interface  ######################
$fw add 24260 pipe 41 all from ${IP2048} to any in via bge0
$fw add 24270 pipe 42 all from any to ${IP2048} out via bge0
$fw add 24280 pipe 42 all from ${IP2048} to any in via bge1
$fw add 24290 pipe 41 all from any to ${IP2048} out via bge1
#
$fw add 25260 pipe 1 all from any to any in via bge0
$fw add 25270 pipe 2 all from any to any out via bge0
$fw add 25280 pipe 2 all from any to any in via bge1
$fw add 25290 pipe 1 all from any to any out via bge1
############# 600 Permissions per international VLAN  ############
$fw add 35260 pipe 24 all from ${IP600} to any out via vlan24090
$fw add 35270 pipe 23 all from any to ${IP600} in via vlan24090
$fw add 35280 pipe 24 all from ${IP600} to any in via vlan24091
$fw add 35290 pipe 23 all from any to ${IP600} out via vlan24091
############# 1024 Permissions per international VLAN  ############
$fw add 35260 pipe 34 all from ${IP1024} to any out via vlan24090
$fw add 35270 pipe 33 all from any to ${IP1024} in via vlan24090
$fw add 35280 pipe 34 all from ${IP1024} to any in via vlan24091
$fw add 35290 pipe 33 all from any to ${IP1024} out via vlan24091
############# 2048 Permissions per international VLAN  ############
$fw add 35260 pipe 44 all from ${IP2048} to any out via vlan24090
$fw add 35270 pipe 43 all from any to ${IP2048} in via vlan24090
$fw add 35280 pipe 44 all from ${IP2048} to any in via vlan24091
$fw add 35290 pipe 43 all from any to ${IP2048} out via vlan24091
#
$fw add 36260 pipe 7 all from any to any in via vlan24090
$fw add 36270 pipe 8 all from any to any out via vlan24090
$fw add 36280 pipe 8 all from any to any in via vlan24091
$fw add 36290 pipe 7 all from any to any out via vlan24091
############# 600 Permissions per national VLAN  #################
$fw add 47260 pipe 21 all from ${IP600} to any out via vlan3960
$fw add 47270 pipe 22 all from any to ${IP600} in  via vlan3960
$fw add 47280 pipe 22 all from ${IP600} to any in via vlan3961
$fw add 47290 pipe 21 all from any to ${IP600} out via vlan3961
############# 1024 Permissions per national VLAN  #################
$fw add 47260 pipe 31 all from ${IP1024} to any out via vlan3960
$fw add 47270 pipe 32 all from any to ${IP1024} in  via vlan3960
$fw add 47280 pipe 32 all from ${IP1024} to any in via vlan3961
$fw add 47290 pipe 31 all from any to ${IP1024} out via vlan3961
############# 2048 Permissions per national VLAN  #################
$fw add 47260 pipe 41 all from ${IP2048} to any out via vlan3960
$fw add 47270 pipe 42 all from any to ${IP2048} in  via vlan3960
$fw add 47280 pipe 42 all from ${IP2048} to any in via vlan3961
$fw add 47290 pipe 41 all from any to ${IP2048} out via vlan3961
#
$fw add 47260 pipe 10 all from any to any in via vlan3960
$fw add 47270 pipe 9 all from any to any out via vlan3960
$fw add 47280 pipe 10 all from any to any in via vlan3961
$fw add 47290 pipe 9 all from any to any out via vlan3961
#
$fw add 60000 allow ip from any to any
#
##################################################
</pre>]]></content:encoded> </item> <item><title>By: martin</title><link>http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-45835</link> <dc:creator>martin</dc:creator> <pubDate>Fri, 05 Feb 2010 03:59:26 +0000</pubDate> <guid
isPermaLink="false">http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-45835</guid> <description>Have added the DEFAULT_TO_ACCEPT option and removed the /etc/rc.conf enables and am still locked out.
Outstanding article.</description> <content:encoded><![CDATA[<p>Have added the DEFAULT_TO_ACCEPT option and removed the /etc/rc.conf enables and am still locked out.<br
/> Outstanding article.</p> ]]></content:encoded> </item> <item><title>By: sam</title><link>http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-43285</link> <dc:creator>sam</dc:creator> <pubDate>Fri, 21 Aug 2009 01:48:29 +0000</pubDate> <guid
isPermaLink="false">http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-43285</guid> <description>If you don't add DEFAULT_TO_ACCEPT and do not already have a firewall script in place, when you reboot your box the default will be to deny ALL; therefore, if your box is not local, you may have an issue =)</description> <content:encoded><![CDATA[<p>If you don't add DEFAULT_TO_ACCEPT and do not already have a firewall script in place, when you reboot your box the default will be to deny ALL; therefore, if your box is not local, you may have an issue =)</p> ]]></content:encoded> </item> <item><title>By: Patric Falinder</title><link>http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-41578</link> <dc:creator>Patric Falinder</dc:creator> <pubDate>Tue, 12 May 2009 12:42:15 +0000</pubDate> <guid
isPermaLink="false">http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-41578</guid> <description>How do I modify the script to NAT my traffic from my OpenVPN interface tun0 to my external interface vr0 (it has a direct connection to internet, no router between)?
OpenVPN----&gt;vr0----&gt;INTERNET</description> <content:encoded><![CDATA[<p>How do I modify the script to NAT my traffic from my OpenVPN interface tun0 to my external interface vr0 (it has a direct connection to internet, no router between)?</p><p>OpenVPN----&gt;vr0----&gt;INTERNET</p> ]]></content:encoded> </item> <item><title>By: Alan</title><link>http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-39985</link> <dc:creator>Alan</dc:creator> <pubDate>Sat, 24 Jan 2009 15:26:32 +0000</pubDate> <guid
isPermaLink="false">http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-39985</guid> <description>Thank you man!
This is wonderful! I did this process and it works perfectly.
Thank you again!
Sorry for my bad English.
[ ]'s</description> <content:encoded><![CDATA[<p>Thank you man!</p><p>This is wonderful! I did this process and it works perfectly.</p><p>Thank you again!</p><p>Sorry for my bad English.</p><p>[ ]'s</p> ]]></content:encoded> </item> <item><title>By: Emman</title><link>http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-39801</link> <dc:creator>Emman</dc:creator> <pubDate>Mon, 12 Jan 2009 07:57:43 +0000</pubDate> <guid
isPermaLink="false">http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-39801</guid> <description>Nice firewall, how about blocking by means of MAC address? I set up a proxy server
and allow only specific IPs, but the problem is that some users know how to change
their IP address and know which IPs are allowed to surf the Internet. So
I think blocking by means of MAC address would solve my problem here in our company.
Can you help me?
Thank you and more power.</description> <content:encoded><![CDATA[<p>Nice firewall, how about blocking by means of MAC address? I set up a proxy server<br
/> and allow only specific IPs, but the problem is that some users know how to change<br
/> their IP address and know which IPs are allowed to surf the Internet. So<br
/> I think blocking by means of MAC address would solve my problem here in our company.<br
/> Can you help me?</p><p>Thank you and more power.</p> ]]></content:encoded> </item> <item><title>By: boom</title><link>http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-39666</link> <dc:creator>boom</dc:creator> <pubDate>Wed, 31 Dec 2008 08:21:08 +0000</pubDate> <guid
isPermaLink="false">http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-39666</guid> <description>locking myself out</description> <content:encoded><![CDATA[<p>locking myself out</p> ]]></content:encoded> </item> <item><title>By: Real FreeBSD Tips &#187; Stopping SSH &#38; FTP brute force attacks with IPFW</title><link>http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-39382</link> <dc:creator>Real FreeBSD Tips &#187; Stopping SSH &#38; FTP brute force attacks with IPFW</dc:creator> <pubDate>Sun, 07 Dec 2008 00:17:48 +0000</pubDate> <guid
isPermaLink="false">http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-39382</guid> <description>[...] then IPFW is not enabled. You can learn how to enable it over here. [...]</description> <content:encoded><![CDATA[<p>[...] then IPFW is not enabled. You can learn how to enable it over here. [...]</p> ]]></content:encoded> </item> <item><title>By: sara</title><link>http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-38996</link> <dc:creator>sara</dc:creator> <pubDate>Fri, 17 Oct 2008 10:49:38 +0000</pubDate> <guid
isPermaLink="false">http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-38996</guid> <description>more useful..
Thanks a lot</description> <content:encoded><![CDATA[<p>more useful..</p><p>Thanks a lot</p> ]]></content:encoded> </item> <item><title>By: Njuki</title><link>http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-38263</link> <dc:creator>Njuki</dc:creator> <pubDate>Wed, 09 Jul 2008 12:53:06 +0000</pubDate> <guid
isPermaLink="false">http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-38263</guid> <description>I think you should add, before the reboot
options		IPFIREWALL_DEFAULT_TO_ACCEPT
When appending options for the kernel, I followed the above steps and realized I could not log in remotely to the box I was building a firewall on after the reboot.</description> <content:encoded><![CDATA[<p>I think you should add, before the reboot</p><p>options		IPFIREWALL_DEFAULT_TO_ACCEPT</p><p>When appending options for the kernel, I followed the above steps and realized I could not log in remotely to the box I was building a firewall on after the reboot.</p> ]]></content:encoded> </item> <item><title>By: relch</title><link>http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-37779</link> <dc:creator>relch</dc:creator> <pubDate>Thu, 17 Apr 2008 03:46:12 +0000</pubDate> <guid
isPermaLink="false">http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-37779</guid> <description>Hi! I need help regarding ipfw. I&#039;m a newbie to FreeBSD. I want my FreeBSD box to be the gateway from my WLAN to the internet. I also want to authenticate each user through a database. Can anyone help me?
I just need it for my case study in school.
here&#039;s my email for those who want to help:
relch2k7@yahoo.com
thanks!</description> <content:encoded><![CDATA[<p>Hi! I need help regarding ipfw. I&#8217;m a newbie to FreeBSD. I want my FreeBSD box to be the gateway from my WLAN to the internet. I also want to authenticate each user through a database. Can anyone help me?<br
/> I just need it for my case study in school.</p><p>here&#8217;s my email for those who want to help:</p><p><a
href="mailto:relch2k7@yahoo.com">relch2k7@yahoo.com</a></p><p>thanks!</p> ]]></content:encoded> </item> <item><title>By: Satyesh Banavali</title><link>http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-37446</link> <dc:creator>Satyesh Banavali</dc:creator> <pubDate>Sun, 10 Feb 2008 09:13:22 +0000</pubDate> <guid
isPermaLink="false">http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-37446</guid> <description>I tried both scripts. Both scripts block HTTP requests and the BSD box cannot resolve any DNS queries once they are executed. The moment I open up the firewall everything goes through.
I could not achieve browsing with the script in place. Maybe I am doing something wrong...
My public IP is 81.155.30.2 and my internal network is 172.16.0.0
FreeBSD is 6.10</description> <content:encoded><![CDATA[<p>I tried both scripts. Both scripts block HTTP requests and the BSD box cannot resolve any DNS queries once they are executed. The moment I open up the firewall everything goes through.</p><p>I could not achieve browsing with the script in place. Maybe I am doing something wrong&#8230;</p><p>My public IP is 81.155.30.2 and my internal network is 172.16.0.0</p><p>FreeBSD is 6.10</p> ]]></content:encoded> </item> <item><title>By: Fred</title><link>http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-37001</link> <dc:creator>Fred</dc:creator> <pubDate>Sat, 10 Nov 2007 21:11:41 +0000</pubDate> <guid
isPermaLink="false">http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-37001</guid> <description>What about blocking Nmap?
01100 deny ip from any to any ipoptions rr
01110 deny ip from any to any ipoptions ts
01120 deny ip from any to any ipoptions lsrr
01130 deny ip from any to any ipoptions ssrr
01140 deny tcp from any to any tcpflags syn,fin
01150 deny tcp from any to any tcpflags syn,rst</description> <content:encoded><![CDATA[<p>What about blocking Nmap?</p><p>01100 deny ip from any to any ipoptions rr<br
/> 01110 deny ip from any to any ipoptions ts<br
/> 01120 deny ip from any to any ipoptions lsrr<br
/> 01130 deny ip from any to any ipoptions ssrr<br
/> 01140 deny tcp from any to any tcpflags syn,fin<br
/> 01150 deny tcp from any to any tcpflags syn,rst</p> ]]></content:encoded> </item> <item><title>By: Vladimir Tserijemiwtz</title><link>http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-36968</link> <dc:creator>Vladimir Tserijemiwtz</dc:creator> <pubDate>Sat, 27 Oct 2007 23:22:57 +0000</pubDate> <guid
isPermaLink="false">http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-36968</guid> <description>Please make note that you can run IPFW &amp; NATD on FreeBSD-6.x without recompiling anything into your computer. The docs keep making reference that you will need to recompile your kernel if you want NATD. I have my system running and it&#039;s using the GENERIC kernel. Both IPFW and NATD work just fine without recompiling the kernel.
FreeBSD docs are often out of date and can send you down the wrong road.</description> <content:encoded><![CDATA[<p>Please make note that you can run IPFW &amp; NATD on FreeBSD-6.x without recompiling anything into your computer. The docs keep making reference that you will need to recompile your kernel if you want NATD. I have my system running and it&#8217;s using the GENERIC kernel. Both IPFW and NATD work just fine without recompiling the kernel.</p><p>FreeBSD docs are often out of date and can send you down the wrong road.</p> ]]></content:encoded> </item> <item><title>By: aunk</title><link>http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-36738</link> <dc:creator>aunk</dc:creator> <pubDate>Tue, 14 Aug 2007 15:06:07 +0000</pubDate> <guid
isPermaLink="false">http://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/#comment-36738</guid> <description>Hi all, I want to ask:
fbsdguru, is your IP 192.168.1.5 facing the internet? Mine has 2 ethernet interfaces, 1 assigned an IP from the NAP, and 1 assigned an IP for the main router of my network (ISP). Is your script compatible with my network design? Assume that the interface facing the public is dc0 and the interface for the main router is vr0. Any suggestion for the best firewall on my machine?
Thanks in advance, sorry for my bad English.</description> <content:encoded><![CDATA[<p>Hi all, I want to ask:</p><p>fbsdguru, is your IP 192.168.1.5 facing the internet? Mine has 2 ethernet interfaces, 1 assigned an IP from the NAP, and 1 assigned an IP for the main router of my network (ISP). Is your script compatible with my network design? Assume that the interface facing the public is dc0 and the interface for the main router is vr0. Any suggestion for the best firewall on my machine?</p><p>Thanks in advance, sorry for my bad English.</p> ]]></content:encoded> </item> </channel> </rss>
