How to Build an IPFW (Internet Protocol Firewall) on FreeBSD 4.x
First of all, you need to check the current kernel options.
pico /usr/src/sys/i386/conf/GENERIC
and see whether the following lines exist:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
options TCP_DROP_SYNFIN
If they don't exist, you need to add these options and recompile the kernel.
This is how to configure and compile your kernel.
cd /usr/src/sys/i386/conf
cp GENERIC FWKERNEL (or whatever you want to name it)
pico FWKERNEL
Add the following config options:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
options TCP_DROP_SYNFIN
Save and exit.
cd /usr/src
make buildkernel KERNCONF=FWKERNEL
make installkernel KERNCONF=FWKERNEL
Now the new kernel should have been built and installed.
IF YOU ARE SETTING THIS UP OVER SSH (REMOTE) DO NOT RESTART YOUR MACHINE YET, OTHERWISE YOU WILL LOCK YOURSELF OUT!!!
To set up the firewall on your machine, you need to add some options to /etc/rc.conf.
At the moment it's set to deny, so you need to add some allow rules, etc.
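An added check, not from the original post, that greps a kernel config for the five options above so you can confirm they are present and not commented out before spending time on make buildkernel. The config path and option list come from this post; the sample config it runs on is constructed for the demo.

```sh
#!/bin/sh
# Added example (not the post's own script): verify a FreeBSD 4.x kernel config
# contains the IPFW options this how-to requires.
# Usage: check_kernel_opts /usr/src/sys/i386/conf/FWKERNEL

REQUIRED_OPTS="IPFIREWALL IPFIREWALL_VERBOSE IPFIREWALL_VERBOSE_LIMIT=100 IPDIVERT TCP_DROP_SYNFIN"

# Print each required option missing from the config file; return 1 if any is missing.
# A line only counts if it starts with "options <NAME>" (so a "# options IPDIVERT"
# left commented out in GENERIC is reported as missing, and IPFIREWALL does not
# match IPFIREWALL_VERBOSE).
check_kernel_opts() {
    conf="$1"
    missing=0
    for opt in $REQUIRED_OPTS; do
        if ! grep -Eq "^[[:space:]]*options[[:space:]]+${opt}([[:space:]]|$)" "$conf"; then
            echo "missing: options $opt"
            missing=1
        fi
    done
    return $missing
}

# Demo on a constructed sample config (not a real GENERIC): IPDIVERT is commented
# out and TCP_DROP_SYNFIN is absent, so two options are reported.
sample=$(mktemp)
cat > "$sample" <<'EOF'
options IPFIREWALL
options    IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
# options IPDIVERT
EOF
if check_kernel_opts "$sample"; then
    echo "kernel config has all IPFW options; run make buildkernel"
else
    echo "add the missing options before building the kernel"
fi
rm -f "$sample"
```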
Before you change your rc.conf, I suggest you make a backup copy of it.
cp /etc/rc.conf /etc/rc.conf.old
Now edit /etc/rc.conf and add the following lines:
firewall_enable="YES"
firewall_type="open"
firewall_script="/etc/ipfw.rules"
Now save rc.conf.
The final step is to create the firewall script, ipfw.rules, and place it in the /etc directory.
#!/bin/sh
fwcmd="/sbin/ipfw"
# Start from an empty ruleset
$fwcmd -f flush
# Management host: replace 123.123.123.123 with your static IP
$fwcmd add allow ip from 123.123.123.123 to any via sis0
$fwcmd add allow ip from any to 123.123.123.123 via sis0
# Loopback traffic
$fwcmd add allow ip from any to any via lo0
# Outbound TCP connections, and packets belonging to established connections
$fwcmd add allow tcp from any to any out xmit sis0 setup
$fwcmd add allow tcp from any to any via sis0 established
# Inbound services: SSH, HTTP, FTP and port 7000
$fwcmd add allow tcp from any to any 22 setup
$fwcmd add allow tcp from any to any 80 setup
$fwcmd add allow tcp from any to any 21 setup
$fwcmd add allow tcp from any to any 7000 setup
# Reset (rather than silently drop) inbound ident requests, and log them
$fwcmd add reset log tcp from any to any 113 in recv sis0
# DNS queries out and replies back in
$fwcmd add allow udp from any to any 53 out xmit sis0
$fwcmd add allow udp from any 53 to any in recv sis0
# ICMP: allow from this host, deny everything else
$fwcmd add 03000 allow icmp from me to any
$fwcmd add 04000 deny icmp from any to any
# Default: deny and log everything not matched above
$fwcmd add 65435 deny log ip from any to any
$fwcmd add deny log all from any to any
In the firewall rules I have added two rules (shown below) that allow a certain IP to access the machine no matter what. Replace the IP 123.123.123.123 with your static IP.
$fwcmd add allow ip from 123.123.123.123 to any via sis0
$fwcmd add allow ip from any to 123.123.123.123 via sis0
NOTE: sis0 is the machine's interface. You need to change it to YOUR machine's interface. Just run ifconfig in the terminal and it will tell you what it is called. THIS IS VERY IMPORTANT.
When you reboot your machine you should have a working firewall!!!
My name is Nish Vamadevan, I live in London. I'm a Network Systems Administrator and Freelance IT Consultant. I'd like to think of myself as a creative and resourceful person when it comes to computers and technology.
I have been working in the freelance IT sector for over 6 years and have done various network deployments, system administration, and building, maintaining and managing websites for small / medium companies.