# Note: IPFW requires that you have compiled some specific kernel options
#
Edit /etc/rc.conf file
vi /etc/rc.conf
# Edit /etc/ipfw.rules
vi /etc/ipfw.rules
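###############################################
# ERNIE'S FreeBSD v7 IPFW2 RULES
#
# THIS FILE: /etc/ipfw.rules
#   Loaded by /etc/rc.firewall when rc.conf sets
#   firewall_type="/etc/ipfw.rules".  Each line is an ipfw(8)
#   command, so every rule line must begin with "add".
#
# REQUIRES:
#
# Kernel Options:
#   options IPFIREWALL
#   options IPFIREWALL_VERBOSE
#   options IPFIREWALL_VERBOSE_LIMIT=10
#   options IPSTEALTH
#   options ACCEPT_FILTER_DATA
#   options ACCEPT_FILTER_HTTP
#
# /etc/rc.conf Settings:
#   ipfw_enable="YES"
#   firewall_enable="YES"
#   firewall_script="/etc/rc.firewall"
#   firewall_type="/etc/ipfw.rules"
#   firewall_quiet="NO"
#   firewall_logging_enable="YES"
#   log_in_vain="YES"
#   tcp_restrict_rst="YES"
#   icmp_drop_redirect="YES"
#
# COMMANDS:
#   ipfw show
#   ipfw zero
#   more /var/log/ipfw.today
#   tail /var/log/dmesg.today
#
# Version: 12/06/2008
#
# HOW TO READ THIS FILE:
# - Rules are evaluated in ascending number order; the first match wins.
# - Every SERVER INBOUND rule uses "from any", so each listed port is
#   reachable from every network the host is attached to.  Where a service
#   is only needed locally, replace "any" with the trusted source network.
# - Replies to this host's own outbound traffic are matched by the dynamic
#   table (check-state), so no inbound rule keyed on the remote SOURCE port
#   is needed.  Such rules were removed: they let any remote host reach any
#   local port simply by sending from that source port.
# - 65535 is the kernel's built-in default rule and cannot be added from a
#   rule file; the explicit deny-and-log rule therefore uses 65534.
###############################################
#
# LOOPBACK
#
# Allow all loopback traffic before any stateful rule so that local
# connections neither create dynamic entries nor depend on them
add 00101 allow ip from any to any via lo0
# Loopback addresses must never appear on a real interface (anti-spoofing);
# genuine lo0 traffic has already been accepted by rule 00101
add 00102 deny ip from any to 127.0.0.0/8
add 00103 deny ip from 127.0.0.0/8 to any
#
# DYNAMIC RULES
#
# Match packets that belong to connections recorded by the keep-state rules
add 00201 check-state
#
# BASIC CLIENT OUTBOUND
#
# TCP Out Client
add 00301 allow tcp from any to any out keep-state
# UDP Out Client
add 00302 allow udp from any to any out keep-state
# ICMP Out Client
add 00303 allow icmp from any to any out keep-state
#
# BASIC CLIENT INBOUND
#
# DNS (udp/53) and NTP (udp/123) replies to this client's own queries are
# matched by check-state via the dynamic entries created by rule 00302.
# The former rules
#   allow udp from any 53 to any in keep-state
#   allow udp from any 123 to any in keep-state
# were removed: they matched on the remote SOURCE port only and so admitted
# inbound UDP from any host to any local port.
#
# ICMP In Replies sent by this Client NOT from external
# (echo request, type 8, is deliberately absent)
add 00403 allow icmp from any to any in keep-state icmptypes 0,3,4,5,9,10,11,12,14,16,18
#
# The former loopback-only rules (ip via lo0, RPC 111, identd 113 and
# comsat 512 from 127.0.0.1) are all covered by rule 00101 and were removed.
#
# SERVER INBOUND TCP
#
# SSH and SFTP Server
add 00501 allow tcp from any to any in dst-port 22 keep-state
# DNS Server (TCP only; see the note in SERVER INBOUND UDP)
add 00502 allow tcp from any to any in dst-port 53 keep-state
# Web Server
add 00503 allow tcp from any to any in dst-port 80 keep-state
# Portmapper for NFS Server
add 00504 allow tcp from any to any in dst-port 111 keep-state
# Samba Server (epmap loc-srv DCE endpoint resolution)
add 00505 allow tcp from any to any in dst-port 135 keep-state
# Samba Server (netbios-ns nbname NETBIOS Name Service)
add 00506 allow tcp from any to any in dst-port 137 keep-state
# Samba Server (netbios-ssn nbsession NETBIOS Session Service)
add 00507 allow tcp from any to any in dst-port 139 keep-state
# SSL Web Server
add 00508 allow tcp from any to any in dst-port 443 keep-state
# Samba Server (microsoft-ds)
add 00509 allow tcp from any to any in dst-port 445 keep-state
# Nessus Console Server
add 00510 allow tcp from any to any in dst-port 1241 keep-state
# T120
add 00511 allow tcp from any to any in dst-port 1503 keep-state
# H323
add 00512 allow tcp from any to any in dst-port 1720 keep-state
# PPTP
add 00513 allow tcp from any to any in dst-port 1723 keep-state
# NTOP HTTP Web Server
add 00514 allow tcp from any to any in dst-port 3000 keep-state
# NTOP HTTPS Web Server
add 00515 allow tcp from any to any in dst-port 3001 keep-state
# TCP iSNS (Internet Storage Name Service) was previously rule 00516 on
# dst-port 3230, identical to rule 00517 below, so it was dropped.  Confirm
# the port iSNS actually listens on before adding a separate rule for it.
#
# TCP RTP Audio and Video (Polycom SIP and H323 Media), ports 3230-3237
add 00517 allow tcp from any to any in dst-port 3230 keep-state
add 00518 allow tcp from any to any in dst-port 3231 keep-state
add 00519 allow tcp from any to any in dst-port 3232 keep-state
add 00520 allow tcp from any to any in dst-port 3233 keep-state
add 00521 allow tcp from any to any in dst-port 3234 keep-state
add 00522 allow tcp from any to any in dst-port 3235 keep-state
add 00523 allow tcp from any to any in dst-port 3236 keep-state
add 00524 allow tcp from any to any in dst-port 3237 keep-state
# TCP iSCSI (SCSI over IP)
add 00525 allow tcp from any to any in dst-port 3260 keep-state
# MySQL Server
add 00526 allow tcp from any to any in dst-port 3306 keep-state
# Asterisk GUI Server
add 00527 allow tcp from any to any in dst-port 5038 keep-state
# SIP
add 00528 allow tcp from any to any in dst-port 5060 keep-state
# CVS Update Server
add 00529 allow tcp from any to any in dst-port 5999 keep-state
# X11 Server
add 00530 allow tcp from any to any in dst-port 6000 keep-state
# Alternate WWW Port
add 00531 allow tcp from any to any in dst-port 8000 keep-state
# VLC Web
add 00532 allow tcp from any to any in dst-port 8080 keep-state
# Asterisk GUI
add 00533 allow tcp from any to any in dst-port 8088 keep-state
# Cacti Boost Server
add 00534 allow tcp from any to any in dst-port 9050 keep-state
# Webmin Server
add 00535 allow tcp from any to any in dst-port 10000 keep-state
# Usermin Server
add 00536 allow tcp from any to any in dst-port 20000 keep-state
# SSL Explorer (Adito)
add 00537 allow tcp from any to any in dst-port 28080 keep-state
#
# SERVER INBOUND UDP
#
# NOTE: there is no udp/53 rule in this section; rule 00502 covers DNS over
# TCP only.  A DNS server on this host additionally needs an inbound UDP
# rule with "dst-port 53" (not a source-port rule).
#
# DHCP and BOOTP Server
add 00601 allow udp from any to any in dst-port 67 keep-state
# DHCP and BOOTP Server
add 00602 allow udp from any to any in dst-port 68 keep-state
# TFTP Server
add 00603 allow udp from any to any in dst-port 69 keep-state
# NTP Server
add 00604 allow udp from any to any in dst-port 123 keep-state
# Samba Server (epmap loc-srv DCE endpoint resolution)
add 00605 allow udp from any to any in dst-port 135 keep-state
# Samba Server (netbios-ns nbname NETBIOS Name Service)
add 00606 allow udp from any to any in dst-port 137 keep-state
# Samba Server (netbios-dgm nbdatagram NETBIOS Datagram Service)
add 00607 allow udp from any to any in dst-port 138 keep-state
# SNMP Traplogd Server
add 00608 allow udp from any to any in dst-port 162 keep-state
# Samba Server (microsoft-ds)
add 00609 allow udp from any to any in dst-port 445 keep-state
# IPSec VPN
add 00610 allow udp from any to any in dst-port 500 keep-state
# Syslog Server
add 00611 allow udp from any to any in dst-port 514 keep-state
# RADIUS Server Authentication 1
add 00612 allow udp from any to any in dst-port 1645 keep-state
# RADIUS Server Accounting 1
add 00613 allow udp from any to any in dst-port 1646 keep-state
# RADIUS Server Authentication 2
add 00614 allow udp from any to any in dst-port 1812 keep-state
# RADIUS Server Accounting 2
add 00615 allow udp from any to any in dst-port 1813 keep-state
# NFS Server
add 00616 allow udp from any to any in dst-port 2049 keep-state
# UDP RTP Audio and Video (Polycom SIP and H323 Media), ports 3230-3237
add 00617 allow udp from any to any in dst-port 3230 keep-state
add 00618 allow udp from any to any in dst-port 3231 keep-state
add 00619 allow udp from any to any in dst-port 3232 keep-state
add 00620 allow udp from any to any in dst-port 3233 keep-state
add 00621 allow udp from any to any in dst-port 3234 keep-state
add 00622 allow udp from any to any in dst-port 3235 keep-state
add 00623 allow udp from any to any in dst-port 3236 keep-state
add 00624 allow udp from any to any in dst-port 3237 keep-state
# IAX2
add 00625 allow udp from any to any in dst-port 4569 keep-state
# IAX
add 00626 allow udp from any to any in dst-port 5036 keep-state
# SIP
add 00627 allow udp from any to any in dst-port 5060 keep-state
# NTOP Collector #1 Server
add 00628 allow udp from any to any in dst-port 9991 keep-state
# NTOP Collector #2 Server
add 00629 allow udp from any to any in dst-port 9992 keep-state
# NTOP Collector #3 Server
add 00630 allow udp from any to any in dst-port 9993 keep-state
#
# VPN Services
#
# GRE (Protocol ID 47), carries PPTP data for rule 00513
add 00701 allow gre from any to any out keep-state
add 00702 allow gre from any to any in keep-state
#
# EXPLICIT (normally already implicit) DENY ALL OTHER TRAFFIC NOT LISTED ABOVE
#
# Deny and Log EVERYTHING else.  65534 is the highest number a rule file can
# add; 65535 is the kernel's default rule, which denies without logging when
# IPFIREWALL_DEFAULT_TO_ACCEPT is not compiled in.
add 65534 deny log ip from any to any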
# Comment out biff (comsat) in /etc/services if you are not using it (and you probably are not)
vi /etc/services
# biff 512/udp comsat #used by mail system to notify users
# Uncomment auth
vi /etc/inetd.conf
auth stream tcp nowait root internal
# Commands to note:
ipfw show
sockstat -4
ipfw zero
more /var/log/ipfw.today
tail /var/log/dmesg.today
# References and thanks to:
#
http://www.onlamp.com/pub/a/bsd/2001/04/25/FreeBSD_Basics.html
#
http://www.onlamp.com/pub/a/bsd/2001/05/09/FreeBSD_Basics.html
#
http://www.freebsd.org/cgi/man.cgi?query=ipfw&apropos=0&sektion=0&manpath=FreeBSD+6.2-RELEASE&format=html
# Note:
Webmin's rule editor breaks this rule file: it omits the leading "add" on each line
# Also:
You may now see messages in /var/log/messages like this:
# Aug 15 19:54:44 nms kernel: Connection attempt to TCP 127.0.0.1:111 from 127.0.0.1:864 flags:0x02
# Since you probably don't have RPC running for NFS use on TCP port 111, you can ignore these.
# If you had RPC running, you wouldn't see these "log in vain" messages.
# "Log in vain" messages show connection attempts on ports where you do not currently have services running.