
Firewall setup help.

New installs of XigmaNAS.
Andy22
Starter
Posts: 54
Joined: 22 Feb 2014 17:16

Firewall setup help.

Post by Andy22 »

Hi,

I'm a little confused why ipfw has this default rule and how to change it?

Code:

    65535 allow ip from any to any

In rc.conf, firewall_type="client" is set, so going by the manual this means "protects only this machine." What's the difference to "workstation"?
I'm new to FreeBSD, but I'm used to the concept that enabling a firewall will deny all in/out traffic by default, and I build the rules as exceptions to this default rule?
Here it seems the default rule is to allow all traffic and I need to specifically deny?

Can anyone give me a clue on how to setup the ipfw correctly?

thx
Andy

PS: I really liked the Ubuntu ufw, where all I needed to do was:

Code:

    ufw allow ssh/tcp
    ufw allow http/tcp
    ufw allow ftp/tcp
    ufw enable

Last edited by Andy22 on 08 Mar 2014 15:05, edited 1 time in total.


Re: Firewall setup help.

Post by Andy22 »

Just googled, and it seems the nas4free kernel is built with the non-default "IPFIREWALL_DEFAULT_TO_ACCEPT" rule. So I guess I need to manually add a "65000 deny ip from any to any" rule and build as usual from there on?


Re: Firewall setup help.

Post by Andy22 »

Hmm, seems I'm still not understanding the ipfw of FreeBSD... I locked myself out with this ruleset?

Code:

    >ipfw list

    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    00400 allow ip from any to me dst-port 53 via em0
    00500 allow udp from any 67 to any dst-port 68 via em0
    00600 allow icmp from any to any icmptypes 3
    00700 allow icmp from any to any icmptypes 4
    01100 allow tcp from any to me dst-port 22 via em0
    01200 allow tcp from any to me dst-port 80 via em0
    01300 deny ip from any to any
    65535 allow ip from any to any

So what am I missing here? If I delete "01300 deny ip from any to any" I can access my machine again via http/ssh.
Should "01100 allow tcp from any to me dst-port 22 via em0" not be executed beforehand and allow me SSH access?

thx
Andy


Re: Firewall setup help.

Post by Andy22 »

Seems IPFW rule setup works differently from what I'm used to, so if I understand this correctly I need to add the "setup" (TCP) and "keep-state" (UDP + TCP) options to every rule I add?

This really confuses me, and I don't feel very confident setting up the rules, compared to ufw.


Re: Firewall setup help.

Post by Andy22 »

I think I got the hang of the rules; for now I came up with this example.

Code:

    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    00400 allow tcp from any to any established via em0
    00500 allow ip from any to any frag
    00600 allow udp from me to any dst-port 53 keep-state
    00700 allow udp from any 67 to me dst-port 68 in via em0 keep-state
    00800 allow icmp from me to any out icmptypes 8 keep-state
    00900 allow icmp from me to any out icmptypes 3,4,11 keep-state
    01000 allow udp from me to any dst-port 123 out via em0 keep-state
    01100 allow tcp from any to me dst-port 22 in via em0
    01200 allow tcp from any to me dst-port 80 in via em0
    01300 deny ip from any to any
    65535 allow ip from any to any

Comments and tips welcome!

thx
Andy
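
An added example, not part of the thread, that simulates ipfw's first-match evaluation over the SSH-relevant rules of the two rulesets posted above. It shows why rule 01300 locked the poster out: the inbound connection request matches 01100, but the NAS's reply packet has the client as its destination, so "to me" never matches it and it falls through to 01300 unless an "established" (or keep-state) rule catches it first; with 01300 deleted, the reply reaches the kernel's default-to-accept rule 65535. The addresses, the tcp() packet model and the simplified matcher (no source ports, keep-state, frag or icmptypes) are assumptions of this example.

```python
# Constructed addresses; ME stands in for ipfw's "me" keyword. Rule 65535 is the
# kernel's default rule, which on this kernel is "allow" (IPFIREWALL_DEFAULT_TO_ACCEPT).
ME, CLIENT = "192.168.1.10", "192.168.1.20"
# SSH-relevant rules from the ruleset that locked the poster out ...
LOCKOUT = """00100 allow ip from any to any via lo0
01100 allow tcp from any to me dst-port 22 via em0
01300 deny ip from any to any
65535 allow ip from any to any"""
# ... and from the later ruleset, which adds the "established" rule and "in".
FIXED = """00100 allow ip from any to any via lo0
00400 allow tcp from any to any established via em0
01100 allow tcp from any to me dst-port 22 in via em0
01300 deny ip from any to any
65535 allow ip from any to any"""

def parse(text):
    """Parse the options used above; sport, keep-state, frag and icmptypes are not modelled."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        r = {"num": int(t[0]), "action": t[1], "proto": t[2], "src": t[4], "dst": t[6]}
        for i, w in enumerate(t[7:], 7):
            if w == "dst-port": r["dport"] = int(t[i + 1])
            elif w == "via": r["via"] = t[i + 1]
            elif w in ("in", "out"): r["dir"] = w
            elif w == "established": r["established"] = True
        rules.append(r)
    return rules

def addr_ok(spec, ip):
    return spec == "any" or (spec == "me" and ip == ME) or spec == ip

def matches(r, p):
    return (r["proto"] in ("ip", p["proto"])
            and addr_ok(r["src"], p["src"]) and addr_ok(r["dst"], p["dst"])
            and r.get("dport", p["dport"]) == p["dport"]
            and r.get("via", p["iface"]) == p["iface"]
            and r.get("dir", p["dir"]) == p["dir"]
            and (not r.get("established") or p["established"]))

def verdict(rules, p):
    """ipfw checks every packet, in each direction, top down; the first match decides."""
    return next((r["num"], r["action"]) for r in rules if matches(r, p))

def tcp(src, dst, dport, direction, established=False):
    return dict(proto="tcp", src=src, dst=dst, dport=dport, iface="em0",
                dir=direction, established=established)

SYN = tcp(CLIENT, ME, 22, "in")               # the client's connection request arrives
SYNACK = tcp(ME, CLIENT, 50000, "out", True)  # the NAS's reply leaves with ACK set
```

verdict(parse(LOCKOUT), SYNACK) returns (1300, "deny") while verdict(parse(FIXED), SYNACK) returns (400, "allow"); dropping rule 01300 from LOCKOUT makes the reply land on (65535, "allow").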
