ipfw
ipfw must be enabled via a kernel module or by static compilation into the kernel. For static compilation, see FreeBSDKernel. When the OS boots with ipfw enabled, the default rule is to block everything.
Loading ipfw kernel module
To load the ipfw module and immediately add an allow-all rule, run the following. Note: ipfw defaults to blocking everything, so if you are enabling ipfw remotely the second half of this command is crucial (without it you lock yourself out of the host).
kldload ipfw && ipfw -q add 65000 allow all from any to any
To make this loading on boot, add to /boot/loader.conf
ipfw_load="YES"
Listing ipfw rules
> ipfw -a list
65535 12 700 deny ip from any to any
Basic rules
To allow everything, add an allow-all rule:
> ipfw -q add allow all from any to any
> ipfw -a list
00100 0 0 check-state
00200 0 0 allow ip from any to any
65535 12 700 deny ip from any to any
ipfw init script
ipfw.rules
# Firewall rules
ipfw -q -f flush          # Delete all rules
ioif="lnc0"               # outside (Internet-facing) interface
odns="192.168.13.254"     # outside DNS server (defined but not used by the rules below)
cmd="ipfw -q add"
ks="keep-state"           # (defined but not used by the rules below)
$cmd 00500 check-state
# allow ssh
$cmd 00501 allow tcp from any to any 22 in via $ioif
# allow outgoing traffic
$cmd 00502 allow all from me to any
# allow all
$cmd 65000 allow all from any to any
# deny anything else (never reached while rule 65000 allows everything;
# 65534 is the highest number a script can add, 65535 is the kernel's fixed default rule)
$cmd 65534 deny all from any to any
Then add the following to /etc/rc.conf to enable the firewall on startup (with firewall_script set, the custom script is run instead of /etc/rc.firewall, so the firewall_type preset is not consulted):
firewall_enable="YES"
firewall_type="OPEN"
firewall_script="/etc/ipfw.rules"
Limiting connections
# Limit by src-addr: at most 10 concurrent TCP connections to port 22 per source address
# (the keyword order is "limit src-addr N"; "setup" makes only new connections create state)
ipfw -q add 00100 allow tcp from any to me 22 setup limit src-addr 10
To test, run this script (it opens ten connections at once; with a limit of 10 they all succeed, and an eleventh concurrent one from the same address would be refused):
#!/bin/bash
host="63.131.151.34"
port=21   # port used by the original test; the limit rule above applies to port 22
for i in `seq 1 10`; do
    echo 'quit' | nc "$host" "$port" &
done
wait
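Putting the init-script pattern and the per-source limit together, here is an added example (not from this page or from the FreeBSD project): a POSIX sh script that renders the ruleset as a list of ipfw commands so it can be reviewed before it is applied, and refuses rule numbers the kernel will not accept. The interface name lnc0, the management network 192.168.13.0/24 and the limit of 10 are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example: render a small stateful ipfw ruleset as commands for review.
# Interface, management network and limit are placeholders, not site values.
IOIF="${IOIF:-lnc0}"                       # outside interface (placeholder)
MGMT_NET="${MGMT_NET:-192.168.13.0/24}"    # constructed management network
SSH_LIMIT="${SSH_LIMIT:-10}"               # max concurrent ssh connections per source

# rule_line NUM BODY... : print one "ipfw -q add" command after checking that
# the rule number is one a script may add (1..65534; 65535 is the kernel's
# fixed default rule and is never added by hand).
rule_line() {
    num=$1; shift
    case "$num" in
        ''|*[!0-9]*) echo "rule_line: bad rule number '$num'" >&2; return 1 ;;
    esac
    if [ "$num" -lt 1 ] || [ "$num" -gt 65534 ]; then
        echo "rule_line: rule number $num out of range" >&2; return 1
    fi
    printf 'ipfw -q add %05d %s\n' "$num" "$*"
}

# render_rules: print the whole ruleset, most specific rules first.
render_rules() {
    echo 'ipfw -q -f flush'
    # check-state first, so replies to stateful rules below are matched early
    rule_line 500 check-state
    # "limit" comes before its key and count (not "src-addr limit N")
    rule_line 501 allow tcp from any to me 22 in via "$IOIF" setup limit src-addr "$SSH_LIMIT"
    rule_line 502 allow tcp from "$MGMT_NET" to me 80 in via "$IOIF" setup keep-state
    rule_line 510 allow all from me to any out via "$IOIF" keep-state
    rule_line 600 deny log all from any to any in via "$IOIF"
    rule_line 65000 allow all from any to any
}

# apply_rules: run the rendered commands. Only use on a FreeBSD host with ipfw
# loaded, after reading the rendered output.
apply_rules() {
    render_rules | sh -e
}

# Usage: "sh ipfw-render.sh" renders; "IPFW_APPLY=1 sh ipfw-render.sh" applies.
if [ "${IPFW_APPLY:-0}" = 1 ]; then apply_rules; else render_rules; fi
```

Rendering first is the habit worth keeping when working over ssh: the flush at the top of the output is the line that locks you out if the rules after it are wrong, and a printed listing is cheap to check against the rule order the page shows.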
ipfw documentation: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html