Setting up a Firewall
These instructions will help you configure FreeBSD 2.2.2-RELEASE to 3.0-SNAP to act as a firewall.
Note that it is almost suicidal to do this remotely, as one mistake can leave you unable to reach the firewall PC.
Become root on the machine.
IMPORTANT: Make a backup of the kernel located in the root directory.
You must download at least the kernel source code distribution. (/stand/sysinstall will help)
Make a copy of the kernel configuration file /usr/src/sys/i386/conf/GENERIC. Edit the new file and add the following lines to it:
- options IPFIREWALL
- options IPDIVERT
The IPFIREWALL option allows the kernel to block or allow pass through of specific network traffic based on:
- port number, and
The IPDIVERT option allows incoming IP traffic to be diverted to a different port on the Firewall machine, allowing for redirection
based on the options for the firewall option to a program listening to a port.
make sure you are in /usr/src/sys/i386/conf/ and type:
- config <configuration file>
change into the directory /usr/src/sys/compile/<configuration file> then type:
- make depend
- make all
- make install
edit the file /etc/rc.firewall :
Here is my file :
# I have edited this file to simplify it,
# this setup should allow you to use the
# NATd deamon to allow multiple machines
# to share one IP almost transparently
# note the numbers after the lines with "add" in them allow you to remove rules via:
# /sbin/ipfw delete # where is the rule number to remove.
# also if you edit then execute this script you
# can reset the firewall to the values in here.
# clear all rules
/sbin/ipfw -f flush
# Only in rare cases do you want to change this rule
/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1
# a couple of subnets and individual IPs
# i have decided to firewall out access to telnet and ftp
/sbin/ipfw add 1005 deny ip from 220.127.116.11 to any
/sbin/ipfw add 1500 deny ip from 18.104.22.168/16 to any 23
/sbin/ipfw add 1500 deny ip from 22.214.171.124/16 to any 21
/sbin/ipfw add 1500 deny ip from 126.96.36.199/16 to any 20
/sbin/ipfw add 1500 deny ip from 188.8.131.52/16 to any 23
/sbin/ipfw add 1500 deny ip from 184.108.40.206/16 to any 21
/sbin/ipfw add 1500 deny ip from 220.127.116.11/16 to any 20
# divert outgoing and incoming though NATd
# 'ed0' is my outside interface
# the number 8668 is the port that NATd listens to
/sbin/ipfw add 2000 divert 8668 all from any to any via ed0
# allow everyone else to go though, although the previous line make this not useful,
# however if i kill natd i don't want the system to freak out
/sbin/ipfw add 65000 pass all from any to any
IMPORTANT: edit /etc/rc.conf and set the option firewall="NO" to firewall="YES"
reboot and everything should be fine.