Setting up a Firewall
By Perlsta
These instructions will help you configure FreeBSD 2.2.2-RELEASE through 3.0-SNAP to act as a firewall.
Note that it is almost suicidal to do this remotely, as one mistake can leave you unable to reach the firewall PC. The reason is that a kernel built with IPFIREWALL denies every packet its rules do not explicitly pass (unless it is also built with IPFIREWALL_DEFAULT_TO_ACCEPT), so a new kernel that boots with a broken or missing /etc/rc.firewall drops all traffic, including your login session. Do the work at the console, or at least have someone who can get to the console.
Become root on the machine.
IMPORTANT: Make a backup of the kernel located in the root directory (/kernel), for instance as /kernel.GENERIC, so that you can boot the old kernel by name at the boot prompt if the new one fails.
You must have installed at least the kernel source code distribution (/stand/sysinstall will help you fetch it).
Make a copy of the kernel configuration file /usr/src/sys/i386/conf/GENERIC. Edit the new file and add the following lines to it:
- options IPFIREWALL
- options IPDIVERT
The IPFIREWALL option allows the kernel to block or allow pass through of specific network traffic based on:
- origin,
- destination,
- port number, and
- protocol
The IPDIVERT option adds divert sockets: an ipfw "divert" rule hands every matching packet, incoming or outgoing, to a userland program listening on the named divert port on the firewall machine, and that program (natd below, listening on port 8668) can rewrite the packet and reinject it. This is what makes network address translation possible with ipfw; IPDIVERT is only useful together with IPFIREWALL.
Make sure you are in /usr/src/sys/i386/conf/ and type:
- config <configuration file>
Then change into the directory /usr/src/sys/compile/<configuration file> and type:
- make depend
- make all
- make install
make install replaces /kernel with the new kernel; keep the backup you made above in case the new one does not boot.
Edit the file /etc/rc.firewall. Two things to be aware of before copying the rule set below: it is allow-by-default, because rule 65000 passes everything the earlier rules did not deny, so it only filters out the listed sources; and the six port-blocking rules share rule number 1500, which ipfw allows, but "ipfw delete 1500" then removes all six at once. The port rules use "tcp" rather than "ip": ipfw matches port numbers for tcp and udp, and telnet and ftp are TCP services.
Here is my file:

# I have edited this file to simplify it,
# this setup should allow you to use the
# natd daemon to allow multiple machines
# to share one IP almost transparently.
# Note the numbers after the lines with "add" in them allow you to remove rules via:
#   /sbin/ipfw delete <number>
# where <number> is the rule number to remove.
# Also, if you edit then execute this script you
# can reset the firewall to the values in here.

# clear all rules
/sbin/ipfw -f flush

# Only in rare cases do you want to change this rule
/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1

# a couple of subnets and individual IPs
# I have decided to firewall out access to telnet and ftp
/sbin/ipfw add 1005 deny ip from 150.156.212.97 to any
/sbin/ipfw add 1500 deny tcp from 149.15.0.0/16 to any 23
/sbin/ipfw add 1500 deny tcp from 149.15.0.0/16 to any 21
/sbin/ipfw add 1500 deny tcp from 149.15.0.0/16 to any 20
/sbin/ipfw add 1500 deny tcp from 205.232.0.0/16 to any 23
/sbin/ipfw add 1500 deny tcp from 205.232.0.0/16 to any 21
/sbin/ipfw add 1500 deny tcp from 205.232.0.0/16 to any 20

# divert outgoing and incoming traffic through natd
# 'ed0' is my outside interface
# the number 8668 is the port that natd listens to
/sbin/ipfw add 2000 divert 8668 all from any to any via ed0

# allow everyone else to go through; the previous line makes this mostly moot,
# however if I kill natd I don't want the system to freak out
/sbin/ipfw add 65000 pass all from any to any
IMPORTANT: edit /etc/rc.conf and change firewall="NO" to firewall="YES" so that /etc/rc.firewall is run at boot (later releases name the variable differently, for example firewall_enable; check the comments in your release's /etc/rc.conf). Because rule 2000 diverts everything crossing ed0 to natd, also set gateway_enable="YES" so the kernel forwards packets, and make sure natd is started on the outside interface (natd -interface ed0; it listens on divert port 8668 by default) before the inside machines need it.
Reboot. Once the new kernel is up, confirm the rules loaded with /sbin/ipfw -a list (the -a shows per-rule packet counts, which also tells you which rules are actually matching), and check that you can still log in from where you normally do.
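The whole procedure above, as an added example that is not the article's own /etc/rc.firewall: a POSIX sh version of the rule set that runs dry by default (it echoes the ipfw commands instead of executing them, so the set can be reviewed before it is loaded), numbers every deny rule individually so that one rule can be deleted without the others, uses tcp for the port-based denies, and goes beyond the article with two loopback anti-spoofing rules and a timed safety net for the remote-edit problem described at the top. The interface name, addresses and ports are placeholders copied from the article's script.

```sh
#!/bin/sh
# Added example, not the article's own rc.firewall.
# Dry run by default: every ipfw command is echoed, not executed.
# To load the rules for real:   IPFW=/sbin/ipfw sh rc.firewall.sh
IPFW="${IPFW:-echo /sbin/ipfw}"
OUTSIDE_IF="${OUTSIDE_IF:-ed0}"              # outside interface (article's placeholder)
NATD_PORT=8668                               # natd's default divert port
BLOCKED_HOSTS="150.156.212.97"               # hosts dropped entirely (article's placeholder)
BLOCKED_NETS="149.15.0.0/16 205.232.0.0/16"  # networks denied the ports below
BLOCKED_PORTS="20 21 23"                     # ftp-data, ftp, telnet: all TCP

# emit_rules runs (or, in dry-run mode, prints) one ipfw command per rule,
# lowest rule number first.  Each deny gets its own number so that
# "ipfw delete <number>" removes exactly one of them.
emit_rules() {
    $IPFW -f flush
    $IPFW add 1000 pass all from 127.0.0.1 to 127.0.0.1
    # Anti-spoofing (beyond the article's set): loopback addresses must never
    # appear on the wire in either direction.
    $IPFW add 1010 deny all from any to 127.0.0.0/8
    $IPFW add 1020 deny ip from 127.0.0.0/8 to any
    n=1100
    for h in $BLOCKED_HOSTS; do
        $IPFW add $n deny ip from "$h" to any
        n=$((n + 1))
    done
    n=1500
    for net in $BLOCKED_NETS; do
        for p in $BLOCKED_PORTS; do
            $IPFW add $n deny tcp from "$net" to any "$p"
            n=$((n + 1))
        done
    done
    # Everything crossing the outside interface goes through natd.
    $IPFW add 2000 divert "$NATD_PORT" all from any to any via "$OUTSIDE_IF"
    # Allow-by-default, as in the article: anything not denied above passes.
    $IPFW add 65000 pass all from any to any
}

# count_rules: number of "add" commands the set produces.  Meant for dry-run
# mode, as a sanity check before pointing IPFW at the real binary.
count_rules() { emit_rules | grep -c ' add '; }

# safety_net SECONDS: for remote edits, schedule a flush-and-pass-all so that
# a rule set that locks you out undoes itself.  Kill the printed job once you
# have confirmed you can still reach the machine.
safety_net() {
    ( sleep "$1" && $IPFW -f flush && $IPFW add 65000 pass all from any to any ) &
    echo $!
}

emit_rules
```

Run it once with IPFW unset and read the output; then, on a remote box, call safety_net 300 first and run it with IPFW=/sbin/ipfw. To use it as /etc/rc.firewall, change the IPFW default to /sbin/ipfw, since nothing in the boot scripts sets that variable.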