FreeBSD Setting up Firewall using IPFW February 9th, 2010
Q. I’m new to FreeBSD and am trying to configure the firewall using IPFW, but I’m having a hard time understanding it as compare to Linux. Can you provide a small example on how to go about setting up the rules for a typical FreeBSD based Apache Web server?
A. Ipfirewall (ipfw) is a FreeBSD IP packet filter and traffic accounting facility.
IPFW is included in the basic FreeBSD install as a separate run time loadable module. The system will dynamically load the kernel module when the rc.conf statement firewall_enable=”YES” is used.
FreeBSD compile kernel for IPFW
This step is optional. You do not need to compile IPFW into the FreeBSD kernel unless you want NAT function enabled. However some old version may not have IPFW compiled. Here is a quick guide to compile kernel with IPFW.
Make sure IPFW support not compiled into the kernel:
If you get an error that read as follows, you must now compile the source code for the kernel.
ipfw: getsockopt(IP_FW_GET): Protocol not available
Another option is open default kernel config file /usr/src/sys/i386/conf and look for IPFIREWALL option:
# grep IPFIREWALL /usr/src/sys/i386/conf
Building and Installing a Custom Kernel with IPFW
Copy default kernel file:
# cd /usr/src/sys/i386/conf
# cp GENERIC IPFWKERNEL
Add IPFW support:
# vi IPFWKERNEL
Append following directives:
options IPFIREWALL # required for IPFW Read the rest of this entry »
options IPFIREWALL_VERBOSE # optional; logging
options IPFIREWALL_VERBOSE_LIMIT=10 # optional; don't get too many log entries
options IPDIVERT # needed for natd
FreeBSD Firewall Explained February 7th, 2010
Howto setup a ipfw stateful firewall on FreeBSD with a simple ruleset and explain certain details, including natd interaction.
Why have protection? Computers on the internet run the risk of being damaged or hijacked. Firewall software is a very powerful tool in fighting this. Having FreeBSD firewall software doesn’t mean that your safe. You will still have to update your system in order to fix security bugs and check for viruses. Although the later isn’t much of a problem for Unix like computers at the time of writing.
The goal of this howto is to setup a simple firewall for FreeBSD and explain certain details of the ipfw firewall, from the user point of view, while doing so. At the end of this howto you will have a firewall for FreeBSD with a simple ruleset. The questions this article will give anwsers to are:
- How packet’s are checked against the rules.
- Howto natd effects the rules and howto deal with those effects.
- Howto setup statefull rules and why the can not be used with natd.
- Firewall Setup – A more complex firewall setup for FreeBSD, that also includes a traffic shaper and network address translation (NAT). This particular howto lays the basis for the next howto.
- Traffic Reports – Howto create traffic graphs with MRTG, IPA and IPFW.
The newer versions of FreeBSD can load the ipfw firewall software when this is requires. Older versions of FreeBSD don’t have this ability and need to have a kernel compiles. You also need to do this with the newer version when you like to create more advanced rules, like logging of traffic shaping.
Summary Read the rest of this entry »
FreeBSD + natd + ipfw + squid February 7th, 2010
This is going to be an overview of the steps it takes to create a Walled Garden using FreeBSD, natd, ipfw and squid.
The basic scenario: You have a private IP network that you want to allow people to connect with, and you allow them basic web access (we’ll just do port 80 for now). For your default access you only want to allow these users to access certain URL’s – if they try to access anything else it will redirect them to your “portal” page. Presumbably your portal would have software that would do account signups and such, and once you authorize an ip you would allow it to connect to anything on the internet. Portal design won’t be discussed here, but I will show you how to punch a whole through the firewall.
For this exercise we are going to have a private ip network, and a public ip. Splitting off a management IP is highly advisable, but that won’t be covered here.
Our private IP network is going to be 10.7.0.0/16 our “public ip” is going to be 192.168.0.1 (which is really private, but ignore that – when deploying this substitute in a real public ip here)
First things first, you need to make sure your kernel has some options compiled into it, before doing anything else, go compile these in right now:
Once you install that kernel and reboot your server we can proceed with configuration.
For the next step let’s go ahead and install squid. This can be done using whatever method for installing software you prefer, but I’m going to list the package add method, because it’s so simple:
# pkg_add -r squid Read the rest of this entry »