firewall_script in rc.conf: if [ -r "${firewall_script}" ]; then
/bin/sh "${firewall_script}" "${_firewall_type}"
echo 'Firewall rules loaded.'
elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
echo 'Warning: kernel has firewall functionality, but' \
' firewall rules are not enabled.'
echo ' All ip services are disabled.'
fiThat's always a risk, especially if you work remotely. Even seasoned firewall users make mistakes every now and then. Heck, I've locked myself out countless times due to stupid typos. Make sure you have console access (through a KVM or IPMI for example) in case you do lock yourself out.
You need console access for that. By console access I mean the keyboard and display directly attached to the computer. A KVM or IPMI is a way to get that console access over the network. You don't need to boot to single user mode for a firewall, it only blocks network access, not local access.
I have firewall_script="/etc/ipfw.rules" written exactly in rc.conf. "ipfw list" still reads the same "deny ip from any to any" when it's started and stopped. I've made the file executable and cant ping an address or update pkg when ipfw is running.
Doesn't need to be but doesn't hurt either.
Yes, because only that block rules appears to be applied. That rule blocks everything.
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"firewall_script. You can set this if you want to use an alternate /etc/rc.firewall script. You don't need to do this if all you want is a custom ruleset (the current /etc/rc.firewall script can already take care of this).There exist a script which helps to prevent locking us out ourselfs:
So I changed the type to the filename after looking closer at the docs, every rule is working now when I restart ipfw. The problem now is bad "ipfw" command on line 2. So that's the only thing keeping me from resolving. When I change line 2 it just changes to bad command in line 3. These commands are here...
#!/bin/sh
2.ipfw -q -f flush
3.$cmd="ipfw -q add"
4.pif="em0"Yes, I certainly wasn't aware. But I don't use IPFW so never looked for it either, for PF I typically use something like
pfctl -f /etc/pf.newrules.conf && sleep 30 && pfctl -f /etc/pf.conf. This loads the new rules, sleeps for 30 seconds then loads the old rules again. Those 30 seconds are enough to test if I locked myself out or not. If I do get locked out I just have to wait 30 seconds and the old rules are loaded, giving me access again. You have to lock yourself out at least once before you start using these kinds of solutions 
That's a syntax error. You don't use the $ with assignments:
cmd="ipfw -q add"Thanks the shell tutorial will help me a lot. My ipfw script is working now. What do I put in place of the x.x.x.x in the rules?
That would be the destination IP address in this case. Going by the example you've given it's a rule to allow outgoing DNS queries. With a regular ISP or hosting that would be the ISP or hosting provider's DNS server IPs (because the DNS queries are sent to those addresses). That does assume you're not using some other way to resolve DNS (like unbound or BIND).
You can allow port 53 to anywhere, both udp and tcp. If you then choose explicit DNS servers you can futher restrict to those IP addresses with those ports.
Yes, I certainly wasn't aware. But I don't use IPFW so never looked for it either, for PF I typically use something likepfctl -f /etc/pf.newrules.conf && sleep 30 && pfctl -f /etc/pf.conf. This loads the new rules, sleeps for 30 seconds then loads the old rules again. Those 30 seconds are enough to test if I locked myself out or not. If I do get locked out I just have to wait 30 seconds and the old rules are loaded, giving me access again. You have to lock yourself out at least once before you start using these kinds of solutions
I'm learning about what makes a part of a connection as I run into these problems. It's working out well. I set up unbound during installation but don't know how to use this DHCP to get ip addresses as you have stated above. I will check the handbook though. I really want to study a small office firewall setup and chose ipfw because it's for FreeBSD and more complicated than PF. What are TLD's?
Yeah I'm still trying to analyze all of this and get the picture of the connection. What exactly is the function of the port though. When that rule is included is the packet traffic which is udp or tcp only being routed out through one port? And all other ports are blocked? I don't get it?
Nothing is being routed, routing is something else entirely. A firewall doesn't route, remember that. A firewall can translate packets, source NAT, destination NAT (redirection) or allow/block packets, nothing more.
udp and tcp are different protocols, they can be firewalled independantly but a lot of firewalls can do rules spanning tcp and udp
Watching some youtube tutorials on the fundamentals of basic networking and firewalling would be a good idea.
