Defcon1-Header
Tool-BarfreeBSD ArticlesSearch Our SiteHOMEfreeBSD LinksContribute to FreeBSD HelpFreeBSD FilesFreeBSD Script Corner

Setting up a Firewall

By Perlsta
These instructions will help you configure FreeBSD 2.2.2-RELEASE to 3.0-SNAP to act as a firewall.
Note that it is almost suicidal to do this remotely, as one mistake can leave you unable to reach the firewall PC.

Become root on the machine.
IMPORTANT: Make a backup of the kernel located in the root directory.
You must download at least the kernel source code distribution. (/stand/sysinstall will help)
Make a copy of the kernel configuration file /usr/src/sys/i386/conf/GENERIC. Edit the new file and add the following lines to it:
options IPFIREWALL
options IPDIVERT
The IPFIREWALL option allows the kernel to block or allow pass through of specific network traffic based on:
origin,
destination,
port number, and
protocol
The IPDIVERT option allows incoming IP traffic to be diverted to a different port on the Firewall machine, allowing for redirection based on the options for the firewall option to a program listening to a port.
make sure you are in /usr/src/sys/i386/conf/ and type:
config <configuration file>
change into the directory /usr/src/sys/compile/<configuration file> then type:
make depend
make all
make install
edit the file /etc/rc.firewall :

Here is my file :

# I have edited this file to simplify it,
# this setup should allow you to use the
# NATd deamon to allow multiple machines
# to share one IP almost transparently
# note the numbers after the lines with "add" in them allow you to remove rules via:
# /sbin/ipfw delete # where is the rule number to remove.
# also if you edit then execute this script you
# can reset the firewall to the values in here.
# clear all rules
/sbin/ipfw -f flush
# Only in rare cases do you want to change this rule
/sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1
# a couple of subnets and individual IPs
# i have decided to firewall out access to telnet and ftp
/sbin/ipfw add 1005 deny ip from 150.156.212.97 to any
/sbin/ipfw add 1500 deny ip from 149.15.0.0/16 to any 23
/sbin/ipfw add 1500 deny ip from 149.15.0.0/16 to any 21
/sbin/ipfw add 1500 deny ip from 149.15.0.0/16 to any 20
/sbin/ipfw add 1500 deny ip from 205.232.0.0/16 to any 23
/sbin/ipfw add 1500 deny ip from 205.232.0.0/16 to any 21
/sbin/ipfw add 1500 deny ip from 205.232.0.0/16 to any 20
# divert outgoing and incoming though NATd
# 'ed0' is my outside interface
# the number 8668 is the port that NATd listens to
/sbin/ipfw add 2000 divert 8668 all from any to any via ed0
# allow everyone else to go though, although the previous line make this not useful,
# however if i kill natd i don't want the system to freak out
/sbin/ipfw add 65000 pass all from any to any

IMPORTANT: edit /etc/rc.conf and set the option firewall="NO" to firewall="YES"

reboot and everything should be fine.

© 1997 - 20013 Defcon1, www.defcon1.org , Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission of www.defcon1.org and the content's original author.

Defcon1-Header2
Tool-Bar-2Defcon1  Webmail