- 02-03-2007 #1
Firewall for FreeBSD 6.2
Hi all, I just installed fbsd 6.2, I'm stuck on the firewall, I've been googling and can't make heads or tails of it. Anybody know of a howto to make this painless? I want something for my box: I'm using dhcp, one user, no lan, a plain workstation, just want to keep it simple. Thx
- 02-06-2007 #2
Do you have a preference on which firewall you use? I use IPFW, which is documented in the handbook. You might like to read through that first.
It's possible the client IPFW rules will be sufficient for your needs.
Add to /etc/rc.conf:
Code:
firewall_enable="YES"
firewall_type="client"

Does that keep it simple enough?

Note that I haven't used this particular ruleset (I always write my own rules), so I can't exactly vouch for it. If you have any questions about IPFW, post here again.
Also review man ipfw.
- 02-11-2007 #3
Unfortunately, it didn't work, thanks anyways! I'll keep on looking in the handbook and the man page.
Originally Posted by anomie
It blocked me from entering the internet
- 02-12-2007 #4
- 02-12-2007 #5
Thought you might like to see an example ipfw script -- this is for one of my FreeBSD workstations.
This uses the following directives in /etc/rc.conf:
Code:
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"

And this is /etc/ipfw.rules:
Code:
#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="vr0"     # public interface name of NIC
              # facing the public Internet

#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 010 allow all from any to any via lo0

#################################################################
# Allow the packet through if it has previously been added to
# the "dynamic" rules table by an allow keep-state statement.
#################################################################
$cmd 015 check-state

#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public Internet.
#################################################################

# Allow out everything
$cmd 00100 allow tcp from any to any out via $pif setup keep-state
$cmd 00110 allow udp from any to any out via $pif keep-state
$cmd 00120 allow icmp from any to any out via $pif keep-state

#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################

# Allow in udp traffic on port 631 (for cups browsing)
$cmd 250 allow udp from any to any 631 in via $pif keep-state

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif  #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif   #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif      #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif     #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif       #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif  #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif    #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif     #Class D & E multicast

# Deny ident
$cmd 315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 322 deny tcp from any to any 139 in via $pif
$cmd 323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $pif

# Reject & Log all unauthorized incoming connections from the public Internet
$cmd 400 deny log all from any to any in via $pif

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any
################ End of IPFW rules file ###############################

I copied that script almost verbatim from the handbook section on ipfw.
I added some outbound rules to allow out tcp, icmp, and udp traffic. I also added a single inbound rule to allow udp to port 631 (for cups browsing).
Note that the pif="vr0" would need to be modified so that the value contained your own network interface (unless yours is also called vr0).
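Added example, not code from this thread or from the handbook: a small Python model of how ipfw walks that script first-match, including the check-state/keep-state dynamic table, run over constructed packets. The rule tuples are a hand-transcribed subset of the script above (the vr0 rules that decide the interesting cases) and the addresses are made-up documentation ranges.

```python
import ipaddress

# Constructed subset of the /etc/ipfw.rules script above (vr0 rules only), as
# (number, action, proto, src, dst_port, direction, options) tuples; rule 015
# check-state is modelled inside Ipfw.evaluate, rule 999 is the fall-through.
RULES = [
    (100, "allow", "tcp", "any", None, "out", "setup keep-state"),
    (110, "allow", "udp", "any", None, "out", "keep-state"),
    (250, "allow", "udp", "any", 631, "in", "keep-state"),
    (302, "deny", "all", "10.0.0.0/8", None, "in", ""),
    (315, "deny", "tcp", "any", 113, "in", ""),
    (332, "deny", "tcp", "any", None, "in", "established"),
    (400, "deny", "all", "any", None, "in", ""),
]

def pkt(proto, src, sport, dst, dport, direction, syn=False):
    """Constructed packet; syn=True is a bare SYN, syn=False carries ACK/RST."""
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                dir=direction, syn=syn)

class Ipfw:
    """First-match evaluator with a dynamic table fed by keep-state rules."""
    def __init__(self, rules):
        self.rules = sorted(rules)   # ipfw walks the list in rule-number order
        self.dynamic = set()         # 5-tuples recorded by allow ... keep-state

    def _match(self, rule, p):
        _num, _act, proto, src, dport, direction, opts = rule
        if proto != "all" and proto != p["proto"]:
            return False
        if src != "any" and ipaddress.ip_address(p["src"]) not in ipaddress.ip_network(src):
            return False
        if (dport is not None and dport != p["dport"]) or direction != p["dir"]:
            return False
        # TCP flags: only a bare SYN matches 'setup', only ACK/RST matches 'established'
        if ("setup" in opts and not p["syn"]) or ("established" in opts and p["syn"]):
            return False
        return True

    def evaluate(self, p):
        """Return (rule_number, action) for packet p, as ipfw would decide it."""
        fwd = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        if fwd in self.dynamic or rev in self.dynamic:   # rule 015 check-state
            return 15, "allow"
        for rule in self.rules:
            if self._match(rule, p):
                if rule[1] == "allow" and "keep-state" in rule[6]:
                    self.dynamic.add(fwd)                 # remember the session
                return rule[0], rule[1]
        return 999, "deny"                                 # rule 999 deny log
```

Because ipfw is first-match, the evaluator shows that rule 250 (udp 631, keep-state) is consulted before the 300-series reserved-address denies, while an unsolicited inbound SYN falls through to rule 400 and a stray ACK is caught by rule 332.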