FreeBSD IPFW Firewall


Introduction

Hello everyone interested in FreeBSD! After a summer vacation, I am starting a new series of articles. I hope it will be interesting and useful.

For those who are here for the first time, I will explain that I am the developer of the Russian Internet gateway Internet Control Server, implemented on the basis of FreeBSD. And therefore, the seamy side of this operating system, its chips and the intricacies of administration are what I encounter every day and share with you.

In the previous series, we covered the PF firewall. We assessed the possibilities and customized it for different roles. In a new loop, do the same for the IPFW firewall. As with PF, let’s start with a quick overview and create a simple configuration for securing a web server. In the next articles we will dive in and complicate the configuration gradually, introducing new types of rules and adding “meat”.

Ipfirewall – open source module ported to many OS. This list includes FreeBSD, NetBSD, OpenBSD, SunOS, HP / UX and Solaris, Mac OS and even Windows. In addition, it is often used for various embedded systems. First appeared in FreeBSD version 2.0.

Key features:

  • a kernel-level rule processor that includes a packet accounting system

  • logging mechanism

  • forwarding mechanism

  • ipstealth (mechanism for editing TTL fields, protection against traceroute)

  • ALTQ-based QoS controls

  • bandwidth control mechanisms

  • anti-spoofing system based on route table

  • built-in NAT, PAT and LSNAT

  • IPv6 support (with some limitations)

ipfw – custom utility for management ipfirewall… This utility interacts with the kernel module. In what follows, I will use ipfw both as the name of the utility, and as an abbreviation of the name ipfirewall, for brevity and simplicity, well, simply because it is so accepted on the Internet.

V ipfw the configuration consists of numbered rules. The packet follows the rules, starting from the lowest number to the highest, until the first action (for example, allow or deny), after which processing stops. Something like iptables on Linux.

Management and useful settings

To turn on ipfw add the following lines to rc.conf:

firewall_enable="YES"
firewall_script="/etc/ipfw_conf.sh"
firewall_logging="YES"

ipfw with an empty configuration, the default will block all connections. In order not to lose access to the server, you additionally need to add to rc.conf

firewall_type="open"

This line will indicate ipfw add the line to the configuration

65535 allow ip from any to any

Useful commands:

ipfw list # display all rules

ipfw -d list # list all rules, including dynamic ones

ipfw -de list # list all rules, including dynamic ones, including the last one

ipfw -t list # list all rules, the second column is the time of the last match

ipfw -a list # print all rules, the second and third columns will be the counters of incoming and outgoing matches

Adding rules is done with the command

ipfw add <правило>

Add a simple rule, numbered 100, to allow all traffic on all interfaces

ipfw add 00100 allow ip from any to any

And removing:

ipfw delete 00100

The structure of the rules, basic parameters

The general structure of the rule is not particularly complex:

 <Номер> <Действие> <Протокол> from <Источник> to <Назначение> 
    [порт] [in | out] [via IF] 
    [keep-state | limit {src-addr | src-port | dst-addr | dst-port}]

Number – the ordinal number of the rule, it is preferable to use non-consecutive numbers in the configuration, this will allow adding rules without problems while the firewall is running. It is possible to add several rules under one number. In this case, they will fire in the order they were added and ipfw delete will delete them all.

Action assigned to the matched package. In this article, we will look at

allow | accept | pass | permit

These actions are equivalent. Skip packet, processing ends. I’ll use allow for consistency.

deny | drop

They are also equivalent. Drop the package. I will use deny

check-state

Checks the packet against the table of dynamic rules (connections), does not imply any additional options.

Protocol – tcp, udp, icmp, or any other protocol described in / etc / protocols

A source and Appointment – ip addresses, no comments. The keyword all means any address. The me keyword means the local address of the host.

Port – port number for tcp and udp. Service names described in / etc / services can be used

in | out – means a match with incoming or outgoing packets.

via IF – match with traffic of only one IF interface.

keep-state – a keyword indicating the need to create a dynamic rule that will allow the exchange of packets between source and destination.

limit – only allow N connections that match the rule. Creates dynamic rules like keep-state. You cannot use limit and keep-state in the same rule.

Simplest configuration

Take the simplest web server in a vacuum. We need to open ports 22, 80, 443 for outside access. All outgoing connections will be allowed.

To save the configuration and load the rules, we will use the shell script specified in rc.conf with the firewall_script option.

In fact, this shell script contains a set of commands ipfw… This allows you to use all the advantages of the shell in writing configuration. Variables are especially useful. For example:

# cat /etc/ipfw-conf.sh
#
ipfw -q -f flush       # очистка всех правил -q подавляет вывод информации
# значения по умолчанию
eif="em0"              # выходной интерфейс
edns="8.8.8.8"         # IP адрес DNS
cmd="ipfw -q add "     # команда 
ks="keep-state"        # опция, которая добавляет сохранение состояний
# разрешаем всё на локальной петле
$cmd 00010 allow all from any to any via lo0
# если состояние сохрано, пропускаем
$cmd 00020 check-state 
# запрещаем неизвестные фрагментированные пакеты
$cmd 00030 deny all from any to any frag 
# запрешаем все tcp, не проходящие по динамическим правилам
$cmd 00040 deny tcp from any to any established in via $eif

#разрешаем входящие на порты веб-сервера
$cmd 000100 allow tcp from any to me 80 in via $eif $ks
$cmd 000110 allow tcp from any to me 443 in via $eif $ks
#разрешаем входящие на порт ssh
$cmd 000100 allow tcp from any to me 20 in via $eif $ks
#разрешаем исходящие соединения
$cmd 000900 allow all from me to any out via $eif $ks
#остальное логгируем и запрещаем
$cmd 001000 deny log all from any to any

When the firewall starts, this script will be executed and the corresponding rules will be loaded.

Conclusion

We figured out what it is ipfw and launched it. We examined the simplest filtering rules and learned how to work with them. We also created a simple, but quite working firewall configuration that can protect our server from outside threats.

In the next article, we will look at additional filtering options, improve the configuration to protect our web server. Until then, you have a great opportunity test Internet Control Server, especially since the fully functional demo version is available for 35 days, and the version for up to 9 users is generally free.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *