Ipfirewall (ipfw) is an IP packet filter and traffic accounting facility. IPFW ships with the base FreeBSD system as a separate run-time loadable kernel module: the system loads the module dynamically when rc.conf contains firewall_enable="YES".

FreeBSD compile kernel for IPFW

This step is optional. You do not need to compile IPFW into the FreeBSD kernel unless you want the NAT function enabled. However, some old versions may not have IPFW compiled in. Here is a quick guide to compiling a kernel with IPFW.

Make sure IPFW support is not already compiled into the kernel:
# ipfw list
If you get an error that reads as follows, you must compile the kernel from source:
ipfw: getsockopt(IP_FW_GET): Protocol not available

Another option is to open the default kernel config file in /usr/src/sys/i386/conf and look for the IPFIREWALL option:
# grep IPFIREWALL /usr/src/sys/i386/conf/GENERIC

Building and Installing a Custom Kernel with IPFW

Copy default kernel file:
# cd /usr/src/sys/i386/conf
# cp GENERIC IPFWKERNEL

Add IPFW support:
# vi IPFWKERNEL
Append the following directives:
options IPFIREWALL # required for IPFW
options IPFIREWALL_VERBOSE # optional; logging
options IPFIREWALL_VERBOSE_LIMIT=10 # optional; don't get too many log entries
options IPDIVERT # needed for natd

Save and close the file. To build the kernel, type the following commands:
# cd /usr/src
# make buildkernel KERNCONF=IPFWKERNEL

Install the new kernel:
# make installkernel KERNCONF=IPFWKERNEL
Now reboot the system:
# reboot

Step # 1: Enabling IPFW

Open the /etc/rc.conf file:
# vi /etc/rc.conf
Append the following settings:
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"

Save and close the file.

Step # 2 Write a Firewall Rule Script

You need to place the firewall rules in a script called /usr/local/etc/ipfw.rules (the path given to firewall_script above):
# vi /usr/local/etc/ipfw.rules
Append the following code:

#!/bin/sh
IPF="ipfw -q add"
ipfw -q -f flush
# loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
# open ports: ftp (21), ssh (22), mail (25),
# dns (53), http (80)
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
# deny and log everything else
$IPF 500 deny log all from any to any

Save and close the file.

Step # 3: Start the firewall

You can reboot the box, or load the rules right away by running the script from the command line:
# sh /usr/local/etc/ipfw.rules
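Before loading a hand-edited script like the one above, it is worth checking it for the mistakes that ipfw itself accepts silently. The following is an added example, not code from the original post: a small lint pass for scripts of the "$IPF <number> <action> ..." form. It runs on any host with sh and awk and never calls ipfw. The two sample scripts are constructed for the demonstration; the first deliberately repeats a rule number (ipfw keeps both rules, and "ipfw delete 150" would later remove both), numbers a rule lower than the one typed before it (ipfw orders rules by number, so the rule quietly jumps ahead of its neighbours), and leaves an allow as the highest-numbered rule.

```shell
#!/bin/sh
# Added example (not part of the original post): lint a numbered ipfw rule
# script of the "$IPF <number> <action> ..." form without touching ipfw.
# Findings reported:
#   - a rule number used twice
#   - a rule numbered below the rule that precedes it in the file
#   - the highest-numbered rule is not a deny (nothing catches the leftovers)

# Constructed sample with three deliberate problems: 70 precedes 50 in the
# file, 150 is used twice, and the highest-numbered rule (600) is an allow.
SAMPLE_BAD='IPF="ipfw -q add"
ipfw -q -f flush
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 70 allow all from any to any out keep-state
$IPF 50 check-state
$IPF 150 allow tcp from any to any 25 in
$IPF 150 allow tcp from any to any 25 out
$IPF 500 deny log all from any to any
$IPF 600 allow icmp from any to any'

# The same script with the problems fixed.
SAMPLE_GOOD='IPF="ipfw -q add"
ipfw -q -f flush
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 50 check-state
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 500 deny log all from any to any'

# lint_ipfw_script FILE: prints one finding per line; exit 0 if clean, 1 if not.
lint_ipfw_script() {
    awk '
    BEGIN { bad = 0; prev = 0; top = 0; topaction = "" }
    $1 == "$IPF" {
        n = $2 + 0
        if (n in seen) {
            printf "duplicate rule number %d (lines %d and %d)\n", n, seen[n], NR
            bad = 1
        } else {
            seen[n] = NR
        }
        if (n < prev) {
            printf "rule %d (line %d) is numbered below the preceding rule %d\n", n, NR, prev
            bad = 1
        }
        prev = n
        if (n > top) { top = n; topaction = $3 }
    }
    END {
        if (topaction != "deny") {
            printf "highest-numbered rule %d is \"%s\", not a final deny\n", top, topaction
            bad = 1
        }
        exit bad
    }' "$1"
}

# run_lint_on STRING: write STRING to a temporary file, lint it, return the status.
run_lint_on() {
    f=$(mktemp) || return 2
    printf '%s\n' "$1" > "$f"
    if lint_ipfw_script "$f"; then rc=0; else rc=$?; fi
    rm -f "$f"
    return $rc
}

echo "== flawed sample =="
run_lint_on "$SAMPLE_BAD" || echo "(rejected, as expected)"
echo "== fixed sample =="
run_lint_on "$SAMPLE_GOOD" && echo "clean"
```

Run it against /usr/local/etc/ipfw.rules with lint_ipfw_script before calling sh on the script; a non-zero exit means the file needs another look. The numbering check is deliberately strict about file order matching rule order, because a script that reads top to bottom the way ipfw will evaluate it is far easier to audit.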

Task: List all the rules in sequence

Type the following command:
# ipfw list

Some more ipfw rules (written in C-preprocessor style, with #define macros and /** ... **/ comments)

/** set these to your outside interface, IP and network/netmask **/
#define oif rl0
#define oip 1.1.1.1
#define onet 1.1.1.1:255.255.252.0
/** Unwelcome addresses **/
#define badsite1 194.251.240.105:255.255.255.0
#define badsite2 24.112.239.158
#define badsite3 209.247.40.170:255.255.255.0
#define badsite4 195.230.153.1:255.255.255.0
#define badsite5 194.183.177.1:255.255.255.0
#define badsite6 61.9.189.48:255.255.255.0
#define badsite7 213.243.178.226:255.255.255.0
#define badsite8 217.5.72.84
#define badsite9 61.116.112.177
#define badsitea 193.231.15.134
#define badsiteb 217.0.149.105:255.255.255.0
#define badsitec 61.216.62.200
#define badsited 203.231.153.180
#define badsitee 66.21.192.41
#define badsitef 61.209.170.123
#define badsiteg 61.216.61.192
#define badsiteh 152.81.1.137
#define badsitei 128.244.34.216

/** @home operators **/
#define scansite1 24.0.0.203:255.255.255.0
#define scansite2 24.0.94.130:255.255.255.0
#define scansite3 24.0.24.51:255.255.255.0
#define scansite4 24.0.16.94:255.255.255.0
#define scansite5 24.112.31.170:255.255.255.0
#define scansite6 24.112.32.106
#define scansite7 66.185.84.200:255.255.255.0

/** Drop unwelcome addresses **/
add deny log all from badsite1 to any
add deny log all from badsite2 to any
add deny log all from badsite3 to any
add deny log all from badsite4 to any
add deny log all from badsite5 to any
add deny log all from badsite6 to any
add deny log all from badsite7 to any
add deny log all from badsite8 to any
add deny log all from badsite9 to any
add deny log all from badsitea to any
add deny log all from badsiteb to any
add deny log all from badsitec to any
add deny log all from badsited to any
add deny log all from badsitee to any
add deny log all from badsitef to any
add deny log all from badsiteg to any
add deny log all from badsiteh to any
add deny log all from badsitei to any

/** Deny scanning addresses **/
add deny log all from scansite1 to any in via oif
add deny log all from scansite2 to any in via oif
add deny log all from scansite3 to any in via oif
add deny log all from scansite4 to any in via oif
add deny log all from scansite5 to any in via oif
add deny log all from scansite6 to any in via oif
add deny log all from scansite7 to any in via oif

/** Deny @home network broadcast **/
add deny all from any to 255.255.255.255 in via oif
add deny all from any to 24.255.255.255 in via oif
add deny all from any to 100.100.100.0/24 in via oif

/** Stop spoofing: our own addresses must never arrive on the outside interface **/
add deny log all from onet to any in via oif
add deny log all from oip to any in via oif

/** Stop RFC1918 destination addresses on the outside interface **/
add deny all from any to 10.0.0.0/8 via oif
add deny all from any to 172.16.0.0/12 via oif
add deny all from any to 192.168.0.0/16 via oif

/**
Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
as destinations on the outside interface
**/
add deny all from any to 0.0.0.0/8 via oif
add deny all from any to 169.254.0.0/16 via oif
add deny all from any to 192.0.2.0/24 via oif
add deny all from any to 224.0.0.0/4 via oif
add deny all from any to 240.0.0.0/4 via oif
/** Stop RFC1918 source addresses on the outside interface **/
add deny all from 10.0.0.0/8 to any via oif
add deny all from 172.16.0.0/12 to any via oif
add deny all from 192.168.0.0/16 to any via oif

/**
Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
as sources on the outside interface
**/
add deny all from 0.0.0.0/8 to any via oif
add deny all from 169.254.0.0/16 to any via oif
add deny all from 192.0.2.0/24 to any via oif
add deny all from 224.0.0.0/4 to any via oif
add deny all from 240.0.0.0/4 to any via oif

/************************/
/** Check dynamic rules **/
/************************/
add check-state

/** Allow TCP through if setup succeeded **/
add allow tcp from any to any established

/** Allow IP fragments through **/
add allow all from any to any frag

/** Allow setup of SMTP **/
add allow tcp from any to oip 25 setup

/** Allow setup of POP3 **/
add allow tcp from any to oip 110 setup

/** Allow setup of IMAP4 **/
add allow tcp from any to oip 143 setup

/** Allow setup of ssh **/
add allow tcp from any to oip 22 setup

/** Allow setup of HTTP **/
add allow tcp from any to oip 80,443 setup

/** Allow setup of DirectAdmin **/
add allow tcp from any to oip 2222 setup

/** Allow setup of FTP **/
add allow tcp from any to oip 20,21 setup

/** Allow setup of FTP PASSIVE **/
add allow tcp from any to oip 49152-65534 setup

/** Reject and Log all setup of incoming connections from the outside **/
add deny log tcp from any to any in via oif setup

/** Allow setup of any other TCP connection **/
add allow tcp from any to any setup

/**************************/
/** Allow UDP to outside **/
/**************************/
add pass udp from me to any 53 keep-state
add pass udp from any to me 53

add allow udp from oip to any out via oif keep-state

/**************************/
/** Allow ping to outside **/
/**************************/
add allow icmp from oip to any out via oif icmptypes 8 keep-state

/*******************************/
/** Log all unrecognized attempts **/
/*******************************/
add deny all from any to not oip in via oif
add deny log all from any to any
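A file in this form is meant to be run through a preprocessor; ipfw(8) does that itself with ipfw -p cpp FILE. The catch is that cpp passes a name it has no #define for through unchanged, and a rule such as "via iif" with no definition for iif is still valid ipfw syntax (it simply names an interface), so a misspelled or forgotten macro becomes a rule that loads cleanly and never matches. The script below is an added example, not code from the original post: it performs the same macro expansion and comment stripping with awk, prints the expanded rules for review, and reports any name after from, to or via that was never defined. The interface em0 and the addresses 203.0.113.0/24 and 198.51.100.7 in the sample are constructed values from the documentation ranges; the undefined iif is deliberate.

```shell
#!/bin/sh
# Added example (not part of the original post): dry-run expansion of an ipfw
# rule file written with #define macros and /** ... **/ comments. Expanded
# rules go to stdout, undefined symbols to stderr; exit 1 if any were found.

# Constructed sample. "iif" is never defined, to show the check firing.
SAMPLE_CONF='/** outside interface and address (constructed values) **/
#define oif em0
#define oip 203.0.113.10
#define onet 203.0.113.0/24
#define badsite1 198.51.100.7
/************************/
/** Block unwelcome host
/************************/
add deny log all from badsite1 to any
/** Stop spoofing **/
add deny log all from onet to any in via iif
add deny log all from oip to any in via oif
add allow tcp from any to oip 22 setup
add deny all from any to not oip in via oif'

# expand_ipfw_conf FILE
expand_ipfw_conf() {
    awk '
    BEGIN { incomment = 0; bad = 0; kw["any"] = 1; kw["me"] = 1; kw["not"] = 1 }
    {
        # strip /* ... */ comments, including ones that span several lines
        line = $0; out = ""
        while (line != "") {
            if (incomment) {
                p = index(line, "*/")
                if (p == 0) { line = ""; break }
                line = substr(line, p + 2); incomment = 0
            } else {
                p = index(line, "/*")
                if (p == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, p - 1); line = substr(line, p + 2); incomment = 1
            }
        }
        $0 = out
        if (NF == 0) next
        if ($1 == "#define") { def[$2] = $3; next }
        # expand macros; a bare name after from/to/via that is neither a
        # keyword, an address/port literal nor a defined macro is a mistake
        prev = ""
        for (i = 1; i <= NF; i++) {
            tok = $i
            if (tok in def) {
                $i = def[tok]
            } else if ((prev == "from" || prev == "to" || prev == "via") && !(tok in kw) && tok !~ "^[0-9./:-]+$") {
                printf "line %d: undefined symbol \"%s\"\n", NR, tok > "/dev/stderr"
                bad = 1
            }
            prev = (tok == "not") ? prev : tok
        }
        print
    }
    END { exit bad }' "$1"
}

# run_expand_on STRING: write STRING to a temporary file, expand it, return the status.
run_expand_on() {
    f=$(mktemp) || return 2
    printf '%s\n' "$1" > "$f"
    if expand_ipfw_conf "$f"; then rc=0; else rc=$?; fi
    rm -f "$f"
    return $rc
}

run_expand_on "$SAMPLE_CONF" || echo "(undefined symbols found; fix the file before loading it)"
```

Reviewing the expanded output is also the easiest way to confirm that every "via oif" really became the interface you meant and that each badsite macro expanded to the address you intended before the rules go live.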
