
Use IPFW to build a firewall for FreeBSD operating system

Ipfirewall (IPFW) is an IP packet filtering and traffic accounting tool for the FreeBSD operating system. IPFW is included in the base FreeBSD installation as a separately loadable kernel module: when rc.conf contains the line firewall_enable="YES", the system loads the module dynamically at boot.

The first step: compile the FreeBSD kernel for IPFW

This step is optional. If you do not need the NAT function, you do not have to compile IPFW into the FreeBSD kernel, since the module is loaded at boot. However, some older versions may lack IPFW support altogether, so below we describe how to compile IPFW into the kernel.

If you get the error message "ipfw: getsockopt(IP_FW_GET): Protocol not available", the running kernel has no IPFW support and you must rebuild the kernel from source.

Another way to check is to open the default kernel configuration file GENERIC in /usr/src/sys/i386/conf and look for the IPFIREWALL option:

# grep IPFIREWALL /usr/src/sys/i386/conf/GENERIC

Step 2: Compile and install a customized kernel with IPFW

First, copy the default kernel configuration file:

# cd /usr/src/sys/i386/conf
# cp GENERIC IPFWKERNEL

Then add IPFW support:

# vi IPFWKERNEL

Add the following options:

options IPFIREWALL                  # required for IPFW
options IPFIREWALL_VERBOSE          # optional; logging
options IPFIREWALL_VERBOSE_LIMIT=10 # optional; don't get too many log entries
options IPDIVERT                    # needed for natd

Save and close the file. To compile the kernel, type the following command:

# cd /usr/src
# make buildkernel KERNCONF=IPFWKERNEL

Install a new kernel:

# make installkernel KERNCONF=IPFWKERNEL

Now restart the system:

# reboot

Step 3: Enable IPFW

First open the /etc/rc.conf file:

# vi /etc/rc.conf

Then, add the following settings:

firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"

Save and close the file.

Step 4: Write a firewall rule script

You need to put the firewall rules in a script called /usr/local/etc/ipfw.rules (the path given by firewall_script in rc.conf):

# vi /usr/local/etc/ipfw.rules

Add the following code:

#!/bin/sh
IPF="ipfw -q add"
ipfw -q -f flush

# loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open ports: ftp (21), ssh (22), mail (25),
# http (80), dns (53) etc
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out

# deny and log everything else
$IPF 500 deny log all from any to any

Save and close the file.

Step 5: Start the firewall

You can restart the server, or run the following command to load these rules immediately:

# sh /usr/local/etc/ipfw.rules
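Before loading a rule set, it is worth catching the two mistakes that bite most often with this setup: a firewall_script path in rc.conf that points at a file that does not exist (ipfw.rule versus ipfw.rules), and a rules script whose numbering or state handling is out of order. The following pre-check is an added example, not part of the original article; it assumes only POSIX sh, sed and awk, and constructs its own rc.conf fragment and abridged rules file so it runs offline without ipfw.

```shell
#!/bin/sh
# Added example (not from the article): static checks of the rc.conf entries
# and the IPFW rules script before rebooting or running "sh ipfw.rules".
# Both input files are constructed here; no ipfw binary is needed.

WORK="${TMPDIR:-/tmp}/ipfw_check.$$"
mkdir -p "$WORK"

# Constructed rc.conf fragment and an abridged copy of the article's script.
printf 'firewall_enable="YES"\nfirewall_script="%s/ipfw.rules"\n' "$WORK" > "$WORK/rc.conf"
cat > "$WORK/ipfw.rules" <<'EOF'
IPF="ipfw -q add"
ipfw -q -f flush
$IPF 10 allow all from any to any via lo0
$IPF 50 check-state
$IPF 70 allow all from any to any out keep-state
$IPF 130 allow tcp from any to any 22 in
$IPF 500 deny log all from any to any
EOF

# check_rc_conf FILE: firewall_enable must be YES and firewall_script must
# name an existing file, otherwise the host boots with no rules loaded.
check_rc_conf() {
    enable=$(sed -n 's/^firewall_enable="\(.*\)"$/\1/p' "$1")
    script=$(sed -n 's/^firewall_script="\(.*\)"$/\1/p' "$1")
    [ "$enable" = "YES" ] && [ -n "$script" ] && [ -f "$script" ]
}

# lint_rules FILE: rule numbers must strictly increase, check-state must come
# before the first keep-state rule, and the last rule must deny all traffic.
# Prints each problem found and returns non-zero if there were any.
lint_rules() {
    awk '
    BEGIN { bad = 0 }
    $1 == "$IPF" && $2 ~ /^[0-9]+$/ {
        n = $2 + 0
        if (seen && n <= last) { print "rule " n ": number not above " last; bad = 1 }
        last = n; seen = 1
        if ($3 == "check-state") cs = 1
        if ($0 ~ /keep-state/ && !cs) { print "rule " n ": keep-state before check-state"; bad = 1 }
        final = ($3 == "deny" && $0 ~ / all from any to any$/)
    }
    END {
        if (!final) { print "last rule is not a deny of all traffic"; bad = 1 }
        exit bad
    }' "$1"
}

check_rc_conf "$WORK/rc.conf" && lint_rules "$WORK/ipfw.rules" && echo "checks passed"
```

Run the real files through the same functions by passing /etc/rc.conf and /usr/local/etc/ipfw.rules instead of the constructed ones.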

If you want to list all the rules one by one, you need to type the following command:

# ipfw list

This article is published by www.internetweblist.com and does not represent the position of www.internetweblist.com: http://www.internetweblist.com/Operating_system/31335.html
