Setting up a Firewall
By Perlsta

These instructions will help you configure FreeBSD 2.2.2-RELEASE to 3.0-SNAP to act as a firewall. Do not do this remotely: a kernel built with IPFIREWALL denies all traffic by default, so one mistake in the rule set (or a rule set that fails to load at boot) can leave you unable to reach the firewall PC at all.
Become root on the machine.

IMPORTANT: Make a backup of the existing kernel (/kernel, in the root directory) so you can boot it again if the new one does not work.

You must have at least the kernel source distribution installed (/stand/sysinstall will help). Make a copy of the kernel configuration file /usr/src/sys/i386/conf/GENERIC, edit the copy and add the following lines to it:

options IPFIREWALL
options IPDIVERT

The IPFIREWALL option lets the kernel pass or block packets according to rules that match on source address, destination address, port number and protocol. Note that with IPFIREWALL alone the kernel's built-in last rule (65535) denies everything; only the rules you load from /etc/rc.firewall open it up. (If you want the opposite default, also add options IPFIREWALL_DEFAULT_TO_ACCEPT.)

The IPDIVERT option adds divert sockets: a divert rule hands every matching packet to the user-space program listening on the divert port (natd in this setup), which can rewrite the packet and reinject it into the stack. Without IPDIVERT the divert rule below cannot be loaded.

Make sure you are in /usr/src/sys/i386/conf/ and type:

config <configuration file>

Change into the directory /usr/src/sys/compile/<configuration file> and type:

make depend
make all
make install

Then edit the file /etc/rc.firewall:
Here is my file:
# I have edited this file to simplify it;
# this setup should allow you to use the
# natd daemon to let multiple machines
# share one IP almost transparently.
# Note: the numbers after "add" let you remove individual rules via
#   /sbin/ipfw delete <number>
# where <number> is the rule number to remove.
# Also, if you edit and then execute this script you
# reset the firewall to the values in here.

# clear all rules
/sbin/ipfw -f flush

# Only in rare cases do you want to change this rule
/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1

# a couple of subnets and individual IPs:
# I have decided to firewall out access to telnet and ftp.
# The port rules must say tcp, not ip: ipfw only accepts a port number
# together with tcp or udp, and telnet/ftp are TCP anyway.
/sbin/ipfw add 1005 deny ip from 150.156.212.97 to any
/sbin/ipfw add 1500 deny tcp from 149.15.0.0/16 to any 23
/sbin/ipfw add 1500 deny tcp from 149.15.0.0/16 to any 21
/sbin/ipfw add 1500 deny tcp from 149.15.0.0/16 to any 20
/sbin/ipfw add 1500 deny tcp from 205.232.0.0/16 to any 23
/sbin/ipfw add 1500 deny tcp from 205.232.0.0/16 to any 21
/sbin/ipfw add 1500 deny tcp from 205.232.0.0/16 to any 20

# divert outgoing and incoming through natd
# 'ed0' is my outside interface
# 8668 is the port that natd listens on (natd must already be running)
/sbin/ipfw add 2000 divert 8668 all from any to any via ed0

# allow everyone else through; the previous line makes this mostly redundant,
# however if I kill natd I don't want the system to freak out
/sbin/ipfw add 65000 pass all from any to any
IMPORTANT: edit /etc/rc.conf and change firewall="NO" to firewall="YES" so that /etc/rc.firewall is run at boot.

Two more things are needed for the NAT part to work. First, natd must be running and listening on divert port 8668 (its default) before any packet reaches rule 2000; start it with natd -n ed0. Packets diverted to a port that nobody is listening on are dropped by the kernel, not passed on, so rule 65000 does not rescue traffic through ed0 if natd dies; it only keeps traffic on the other interfaces flowing. Second, the kernel must forward packets between interfaces: turn on IP forwarding (the gateway setting in /etc/rc.conf, or sysctl -w net.inet.ip.forwarding=1).
Reboot. When the machine comes back up, check the loaded rules with /sbin/ipfw list (or /sbin/ipfw -a list, which also shows per-rule packet counts). The listing should end with your rule 65000 followed by the kernel's own rule 65535; if rule 65000 is missing, the script did not run and everything that is not loopback traffic is being denied.
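Before loading a rule set on a box you cannot walk up to, it helps to know which rule will decide each kind of packet. The simulator below is an added example (not part of the original page, and not FreeBSD's ipfw): it parses the subset of classic ipfw syntax the script above uses (pass/deny/divert, protocol, from/to with an optional port, via interface), orders the rules by number, evaluates a packet first-match like the kernel does, and models the default rule 65535 and the way a divert rule behaves with and without natd listening. The packet dictionaries, the ed1 inside interface and the natd_running flag are assumptions of this example.

```python
"""Offline first-match simulator for the ipfw rule set above.

Added example: not part of the original page or of FreeBSD's ipfw. It handles
only the rule syntax the script uses (pass/deny/divert, proto, from/to with an
optional port, via interface) and models the kernel's default rule 65535.
"""
import ipaddress

# Constructed copy of the page's rules (the port rules say tcp because
# ipfw only accepts a port number together with tcp or udp).
RULES_TEXT = """
add 1000 pass all from 127.0.0.1 to 127.0.0.1
add 1005 deny ip from 150.156.212.97 to any
add 1500 deny tcp from 149.15.0.0/16 to any 23
add 1500 deny tcp from 149.15.0.0/16 to any 21
add 1500 deny tcp from 149.15.0.0/16 to any 20
add 1500 deny tcp from 205.232.0.0/16 to any 23
add 1500 deny tcp from 205.232.0.0/16 to any 21
add 1500 deny tcp from 205.232.0.0/16 to any 20
add 2000 divert 8668 all from any to any via ed0
add 65000 pass all from any to any
"""

DEFAULT_RULE = 65535  # kernel's own last rule: deny unless IPFIREWALL_DEFAULT_TO_ACCEPT


def parse_rule(line):
    """Parse 'add NUM ACTION [DIVPORT] PROTO from SRC [PORT] to DST [PORT] [via IFACE]'."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "add":
        raise ValueError("unsupported rule: " + line)
    rule = {"num": int(tok[1]), "action": tok[2], "divert_port": None,
            "src_port": None, "dst_port": None, "via": None}
    i = 3
    if rule["action"] == "divert":
        rule["divert_port"] = int(tok[i])
        i += 1
    rule["proto"] = tok[i]
    i += 1
    if tok[i] != "from":
        raise ValueError("expected 'from': " + line)
    rule["src"] = tok[i + 1]
    i += 2
    if tok[i] != "to":          # optional source port
        rule["src_port"] = int(tok[i])
        i += 1
    if tok[i] != "to":
        raise ValueError("expected 'to': " + line)
    rule["dst"] = tok[i + 1]
    i += 2
    while i < len(tok):         # optional destination port and/or 'via IFACE'
        if tok[i] == "via":
            rule["via"] = tok[i + 1]
            i += 2
        else:
            rule["dst_port"] = int(tok[i])
            i += 1
    # ipfw(8) rejects ports on anything but tcp/udp, so the page's original
    # "deny ip ... 23" lines would never have loaded.
    if (rule["src_port"] is not None or rule["dst_port"] is not None) \
            and rule["proto"] not in ("tcp", "udp"):
        raise ValueError("port given with non-tcp/udp protocol: " + line)
    return rule


def load_rules(text):
    """Parse all rules and order them by number; equal numbers keep insertion order."""
    rules = [parse_rule(ln) for ln in text.strip().splitlines() if ln.strip()]
    return sorted(rules, key=lambda r: r["num"])


def _addr_matches(spec, addr):
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _matches(rule, pkt):
    """pkt: dict with proto, src, dst, iface and optional sport/dport (assumed layout)."""
    if rule["proto"] not in ("all", "ip", pkt["proto"]):
        return False
    if not _addr_matches(rule["src"], pkt["src"]) or not _addr_matches(rule["dst"], pkt["dst"]):
        return False
    if rule["src_port"] is not None and rule["src_port"] != pkt.get("sport"):
        return False
    if rule["dst_port"] is not None and rule["dst_port"] != pkt.get("dport"):
        return False
    if rule["via"] is not None and rule["via"] != pkt["iface"]:
        return False
    return True


def evaluate(rules, pkt, natd_running=True):
    """Return (rule number, verdict) for the rule that decides the packet.

    A divert match hands the packet to the divert socket. If natd is listening it
    rewrites and reinjects the packet, which then continues at the next rule; with
    no listener on the divert port the kernel drops the packet (divert(4)).
    """
    for r in rules:
        if not _matches(r, pkt):
            continue
        if r["action"] in ("pass", "deny"):
            return r["num"], r["action"]
        if r["action"] == "divert":
            if not natd_running:
                return r["num"], "dropped (no listener on divert port %d)" % r["divert_port"]
            continue  # reinjected by natd: keep matching after the divert rule
        raise ValueError("unsupported action " + r["action"])
    return DEFAULT_RULE, "deny"  # nothing matched: the kernel's implicit last rule


if __name__ == "__main__":
    rules = load_rules(RULES_TEXT)
    telnet_in = {"proto": "tcp", "src": "149.15.3.4", "dst": "10.0.0.1",
                 "sport": 40000, "dport": 23, "iface": "ed0"}
    print("telnet from 149.15.3.4:", evaluate(rules, telnet_in))
    print("http, natd dead:", evaluate(rules, dict(telnet_in, dport=80), natd_running=False))
```

Running it with the page's rules shows a telnet connection from 149.15.0.0/16 stopped by rule 1500, a web connection over ed0 passing only while natd is alive, and, if you delete rule 65000 from RULES_TEXT, every packet on the inside interface falling through to 65535 and being denied, which is exactly the remote lock-out the introduction warns about.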