
      Setting up a Firewall

By Perlsta

These instructions will help you configure FreeBSD 2.2.2-RELEASE to 3.0-SNAP to act as a firewall.

Note that doing this remotely is almost suicidal: one mistake can leave you unable to reach the firewall PC at all.


    Become root on the machine.

    IMPORTANT: Make a backup of the kernel located in the root directory.

    You must have at least the kernel source code distribution installed. (/stand/sysinstall will help you fetch it.)

    Make a copy of the kernel configuration file /usr/src/sys/i386/conf/GENERIC. Edit the new file and add the following lines to it:

    • options IPFIREWALL
    • options IPDIVERT

    The IPFIREWALL option allows the kernel to block or pass specific network traffic based on:

    • origin,
    • destination,
    • port number, and
    • protocol

    The IPDIVERT option allows IP traffic that matches a firewall rule to be diverted to a port on the firewall machine itself, so that a program listening on that port (such as natd, below) receives the packets instead of the normal IP stack.

    Make sure you are in /usr/src/sys/i386/conf/ and type:

    • config <configuration file>

    Change into the directory /usr/src/sys/compile/<configuration file> and then type:

    • make depend
    • make all
    • make install

    Edit the file /etc/rc.firewall.

    Here is my file:

    # I have edited this file to simplify it;
    # this setup should allow you to use the
    # natd daemon to let multiple machines
    # share one IP almost transparently.
    # Note the numbers after "add": they let you remove a single rule via
    # /sbin/ipfw delete <number>, where <number> is the rule number to remove.
    # Also, if you edit and then execute this script you
    # can reset the firewall to the values in here.
    # clear all rules
    /sbin/ipfw -f flush
    # Only in rare cases do you want to change this rule (loopback traffic)
    /sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1
    # a couple of subnets and individual IPs
    # I have decided to firewall out their access to telnet (23) and ftp (20, 21)
    /sbin/ipfw add 1005 deny ip from 150.156.212.97 to any
    /sbin/ipfw add 1500 deny ip from 149.15.0.0/16 to any 23
    /sbin/ipfw add 1500 deny ip from 149.15.0.0/16 to any 21
    /sbin/ipfw add 1500 deny ip from 149.15.0.0/16 to any 20
    /sbin/ipfw add 1500 deny ip from 205.232.0.0/16 to any 23
    /sbin/ipfw add 1500 deny ip from 205.232.0.0/16 to any 21
    /sbin/ipfw add 1500 deny ip from 205.232.0.0/16 to any 20
    # divert outgoing and incoming traffic through natd
    # 'ed0' is my outside interface
    # the number 8668 is the port that natd listens on
    /sbin/ipfw add 2000 divert 8668 all from any to any via ed0
    # allow everyone else through; the previous line makes this mostly redundant,
    # but if I kill natd I don't want the system to freak out
    /sbin/ipfw add 65000 pass all from any to any
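    As an added example (not part of the original article), the following Python models how ipfw walks the ruleset above: rules are tried in ascending number order and the first match decides, so the deny rules only work because they are numbered below the divert and the catch-all pass. The rule strings are copied from the script; the packet tuples handed to evaluate() are constructed, and only the syntax the script actually uses is parsed.

```python
# Added example (not from the original page): a model of ipfw first-match
# evaluation over the rc.firewall ruleset above. Rule text is copied from the
# page; packets passed to evaluate() are constructed. Only the page's syntax is
# parsed (all/ip protocol, optional destination port, optional 'via' interface).
import ipaddress

RULES = """\
add 1000 pass all from 127.0.0.1 to 127.0.0.1
add 1005 deny ip from 150.156.212.97 to any
add 1500 deny ip from 149.15.0.0/16 to any 23
add 1500 deny ip from 149.15.0.0/16 to any 21
add 1500 deny ip from 149.15.0.0/16 to any 20
add 1500 deny ip from 205.232.0.0/16 to any 23
add 1500 deny ip from 205.232.0.0/16 to any 21
add 1500 deny ip from 205.232.0.0/16 to any 20
add 2000 divert 8668 all from any to any via ed0
add 65000 pass all from any to any
"""

def parse_rule(line):
    """Parse 'add N action [divert-port] proto from SRC to DST [port] [via IF]'."""
    t = line.split()
    r = {"num": int(t[1]), "action": t[2], "arg": None, "dport": None, "iface": None}
    i = 3
    if r["action"] == "divert":      # divert carries the natd socket port
        r["arg"], i = int(t[i]), i + 1
    i += 1                           # skip protocol: 'all' and 'ip' both match everything
    r["src"], r["dst"], i = t[i + 1], t[i + 3], i + 4   # 'from SRC to DST'
    if i < len(t) and t[i].isdigit():
        r["dport"], i = int(t[i]), i + 1
    if i < len(t) and t[i] == "via":
        r["iface"] = t[i + 1]
    return r

def load_rules(text=RULES):
    """Rules apply in ascending number order; equal numbers keep file order."""
    return sorted((parse_rule(l) for l in text.splitlines() if l.strip()), key=lambda r: r["num"])

def addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def evaluate(rules, src, dst, dport, iface):
    """First match wins, as in ipfw. With no match at all the kernel's implicit
    rule 65535 denies; the page's rule 65000 'pass all' makes this ruleset default-allow."""
    for r in rules:
        if (addr_matches(r["src"], src) and addr_matches(r["dst"], dst)
                and r["dport"] in (None, dport) and r["iface"] in (None, iface)):
            return r["num"], r["action"] if r["arg"] is None else f"{r['action']} {r['arg']}"
    return 65535, "deny"
```

    Dropping rule 65000 from the list shows the difference between the author's default-allow policy and ipfw's built-in default-deny: traffic on the inside interface then falls through to the implicit rule 65535.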

    IMPORTANT: edit /etc/rc.conf and change the option firewall="NO" to firewall="YES".

    Reboot, and everything should be fine.