Firewall setup help.

Posted: 08 Mar 2014 14:56
by Andy22
Hi,

I'm a little confused why ipfw has this default rule and how to change it?

65535 allow ip from any to any
In the rc.conf, firewall_type="client" is set, so going by the manual this means "protects only this machine." What's the difference to "workstation"?
I'm new to FreeBSD, but I'm used to the concept that enabling a firewall will deny all in/out traffic by default and I build the rules as exceptions to this default rule?
Here it seems the default rule is to allow all traffic and I need to specifically deny?

Can anyone give me a clue on how to set up ipfw correctly?

thx
Andy

PS: I really liked the Ubuntu ufw, where all I needed to do was:

ufw allow ssh/tcp
ufw allow http/tcp
ufw allow ftp/tcp
ufw enable

Re: Firewall setup help.

Posted: 08 Mar 2014 15:04
by Andy22
Just googled and it seems the NAS4Free kernel is built with the non-default "IPFIREWALL_DEFAULT_TO_ACCEPT" option. So I guess I need to manually add a "65000 deny ip from any to any" rule and build as usual from there on?

Re: Firewall setup help.

Posted: 08 Mar 2014 15:41
by Andy22
Hmm, seems I'm still not understanding the ipfw of FreeBSD... I did lock myself out with this ruleset?

>ipfw list

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow ip from any to me dst-port 53 via em0
00500 allow udp from any 67 to any dst-port 68 via em0
00600 allow icmp from any to any icmptypes 3
00700 allow icmp from any to any icmptypes 4
01100 allow tcp from any to me dst-port 22 via em0
01200 allow tcp from any to me dst-port 80 via em0
01300 deny ip from any to any
65535 allow ip from any to any
So what am I missing here? If I delete "01300 deny ip from any to any" I can access my machine again via http/ssh.
Should "01100 allow tcp from any to me dst-port 22 via em0" not be executed beforehand and allow me ssh access?

thx
Andy

Re: Firewall setup help.

Posted: 08 Mar 2014 17:25
by Andy22
Seems IPFW rule setup works differently from what I'm used to, so if I understand this correctly I need to add the "setup" (tcp) and "keep-state" (udp + tcp) options to every rule I add?

This really confuses me and I don't feel very confident about setting up the rules, compared to ufw.

Re: Firewall setup help.

Posted: 08 Mar 2014 18:24
by Andy22
I think I got the hang of the rules; for now I came up with this example.

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow tcp from any to any established via em0
00500 allow ip from any to any frag
00600 allow udp from me to any dst-port 53 keep-state
00700 allow udp from any 67 to me dst-port 68 in via em0 keep-state
00800 allow icmp from me to any out icmptypes 8 keep-state
00900 allow icmp from me to any out icmptypes 3,4,11 keep-state
01000 allow udp from me to any dst-port 123 out via em0 keep-state
01100 allow tcp from any to me dst-port 22 in via em0
01200 allow tcp from any to me dst-port 80 in via em0
01300 deny ip from any to any
65535 allow ip from any to any
Comments and tips welcome!

thx
Andy
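The lock-out in the third post and the fix in the last one both come down to ipfw's first-match evaluation: the SYN from the client matches rule 01100 and is allowed in, but the SYN-ACK the box sends back goes from "me" to the client, matches no allow rule, and dies at 01300 before the default rule is ever reached. The "established" and "keep-state" rules in the final listing exist to admit those reply packets. The following evaluator is an added example written for this thread, not ipfw itself and not NAS4Free code; it models only the keywords the two listings use (via, in/out, dst-port, established, setup, keep-state, frag, icmptypes), the first keep-state rule acting as an implicit check-state, and walks an SSH handshake and a DNS lookup through abridged copies of both rulesets. The addresses (192.0.2.10 for the box, 198.51.100.7 for a client, 192.0.2.53 for a resolver) and the ephemeral ports are constructed for the example.

```python
# Added example (not ipfw, not NAS4Free code): a toy first-match evaluator for
# the rule listings in this thread, covering only the keywords they use.
import ipaddress
from dataclasses import dataclass

ME = {"192.0.2.10"}        # constructed: the NAS box's own address on em0
CLIENT = "198.51.100.7"    # constructed: a LAN client opening SSH to the box
RESOLVER = "192.0.2.53"    # constructed: the DNS server the box queries

# Abridged "locked out" listing: every allow rule matches inbound packets only.
LOCKOUT = """
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow ip from any to me dst-port 53 via em0
01100 allow tcp from any to me dst-port 22 via em0
01200 allow tcp from any to me dst-port 80 via em0
01300 deny ip from any to any
65535 allow ip from any to any
"""
# Abridged final listing: 'established' and 'keep-state' admit reply packets.
STATEFUL = """
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow tcp from any to any established via em0
00500 allow ip from any to any frag
00600 allow udp from me to any dst-port 53 keep-state
00800 allow icmp from me to any out icmptypes 8 keep-state
01100 allow tcp from any to me dst-port 22 in via em0
01200 allow tcp from any to me dst-port 80 in via em0
01300 deny ip from any to any
65535 allow ip from any to any
"""

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    direction: str                  # "in" or "out"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN", "ACK"}
    iface: str = "em0"
    icmptype: int = -1
    frag: bool = False

FLAGS = ("in", "out", "established", "setup", "keep-state", "frag")
VALUED = ("dst-port", "src-port", "via", "icmptypes")

def parse_rule(line):
    """Parse one 'ipfw list' line into a dict of match criteria."""
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "proto": t[2], "src": t[4]}
    i = 5
    if t[i] != "to":                # "from any 67 to ..." means source port 67
        r["src-port"] = t[i]
        i += 1
    r["dst"] = t[i + 1]
    i += 2
    while i < len(t):
        if t[i] in FLAGS:
            r[t[i]] = True
            i += 1
        elif t[i] in VALUED:
            r[t[i]] = t[i + 1]
            i += 2
        else:
            raise ValueError("unsupported keyword %r in rule %d" % (t[i], r["num"]))
    return r

def addr_ok(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r, p):
    """Every criterion present in rule r must hold for packet p."""
    return all([
        r["proto"] in ("ip", p.proto),
        addr_ok(r["src"], p.src) and addr_ok(r["dst"], p.dst),
        "src-port" not in r or int(r["src-port"]) == p.sport,
        "dst-port" not in r or int(r["dst-port"]) == p.dport,
        "in" not in r or p.direction == "in",
        "out" not in r or p.direction == "out",
        "via" not in r or r["via"] == p.iface,        # via: either direction
        "established" not in r or (p.proto == "tcp" and bool(p.flags & {"ACK", "RST"})),
        "setup" not in r or (p.proto == "tcp" and "SYN" in p.flags and "ACK" not in p.flags),
        "frag" not in r or p.frag,
        "icmptypes" not in r or (p.proto == "icmp" and str(p.icmptype) in r["icmptypes"].split(",")),
    ])

class Firewall:
    def __init__(self, listing):
        self.rules = [parse_rule(l) for l in listing.strip().splitlines()]
        self.state = {}             # dynamic rules: flow tuple -> creating rule number

    def evaluate(self, p):
        """Return (rule number, action) of the first matching rule, like ipfw."""
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        back = (p.proto, p.dst, p.dport, p.src, p.sport)
        checked = False
        for r in self.rules:
            if "keep-state" in r and not checked:
                # the first keep-state rule reached is an implicit check-state:
                # a packet belonging to a known flow (either direction) is accepted here
                checked = True
                hit = self.state.get(flow) or self.state.get(back)
                if hit:
                    return hit, "allow"
            if matches(r, p):
                if "keep-state" in r and r["action"] == "allow":
                    self.state[flow] = r["num"]
                return r["num"], r["action"]
        raise RuntimeError("listing has no default rule")

def run(listing, packets):
    fw = Firewall(listing)
    return [fw.evaluate(p) for p in packets]

def ssh_handshake():
    """Three-way handshake of a LAN client connecting to the box's SSH port."""
    me = next(iter(ME))
    return [Packet("tcp", CLIENT, me, "in", 50000, 22, frozenset({"SYN"})),
            Packet("tcp", me, CLIENT, "out", 22, 50000, frozenset({"SYN", "ACK"})),
            Packet("tcp", CLIENT, me, "in", 50000, 22, frozenset({"ACK"}))]

def dns_lookup():
    """The box sends a UDP query to its resolver and receives the reply."""
    me = next(iter(ME))
    return [Packet("udp", me, RESOLVER, "out", 51234, 53),
            Packet("udp", RESOLVER, me, "in", 53, 51234)]

if __name__ == "__main__":
    for name, listing in (("locked out", LOCKOUT), ("stateful", STATEFUL)):
        print(name, "ssh:", run(listing, ssh_handshake()))
        print(name, "dns:", run(listing, dns_lookup()))
```

Running it shows the SYN-ACK of the handshake hitting 01300 under the first listing while the same packet is accepted by the "established" rule 00400 under the second, and the DNS reply being denied under the first listing but accepted through the dynamic entry that rule 00600's keep-state created for the outgoing query. Real ipfw has more match options and expires dynamic rules; the model above only reproduces the ordering behaviour the thread is asking about.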