Hi Guys,
Hopefully this request will help others with the same question, I haven't found any singular source with a complete answer.
I have undertaken quite a challenge for myself and I have been winning so far. But I am coming up to the hardest part and need another set of eyes/brains to look over the plan before I trash the system and/or lock myself out.
The setup is fairly simple, for this forum anyway! I have a remote server (no physical access at all) running FreeBSD 8.1; it is a very minimal install, as it is simply the host for two jailed servers. One is a webserver, the other is the data server. At the moment, everything works a treat. But there is no firewall... and we want one.
I have done a lot of reading and have come up with a list of settings that I think will do the job. And one big question.
OK, maybe two questions. Firstly, do I need natd? I'm certain that I do, but if someone says no, it will make things so much easier for me. Secondly, if I do need natd, do I need address redirection if I am already using port redirection?
Below are the modifications I propose to enable ipfw on the host to protect the system; please let me know if I am missing anything, or if I have something there that shouldn't be:
host# /etc/rc.conf
Code:
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_type="simple"
gateway_enable="YES"
natd_enable="YES"
natd_interface="em0"
natd_flags="-f /etc/natd.conf"
webserver# /etc/rc.conf
Code:
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_type="client"
dataserver# /etc/rc.conf
Code:
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_type="client"
host# /etc/natd.conf
Code:
redirect_port tcp 203.xxx.xxx.xxx:21 21
redirect_port tcp 203.xxx.xxx.xxx:80 80
redirect_port tcp 203.xxx.xxx.xxx:443 443
- nb. 203.xxx.xxx.xxx is the external ip for the webserver.
host# /boot/boot.loader
Code:
ipfw_load="YES"
ipdivert_load="YES"
net.inet.ip.fw.default_to_accept="1" ##Safety net to be disabled after testing is complete
host# /etc/sysctl.conf
Code:
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
Options for KERNEL customizations
Code:
options IPFIREWALL
options HZ=1000
options IPFIREWALL_DEFAULT_TO_ACCEPT ##Safety net to be disabled after testing is complete
options IPDIVERT
- nb. I have not even begun worrying about the rules yet. I just want to know that this configuration will allow full access before I start locking it down.
With any luck I have put together a solid set of configurations to go from no firewall at all to ipfw with nat.
What is the public opinion? Am I on the right track?
Thanks for your time, I know it's not a simple one.
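A rule set in the shape that the posted rc.conf expects (firewall_script="/etc/ipfw.rules"), added here as an example and not taken from the original post. The interface em0, the natd divert and the redirected ports 21/80/443 come from the post; the jail and admin addresses are constructed placeholders, and the rule numbering, the SSH anti-lockout rule and the explicit final deny are my own assumptions about a sensible starting policy.

```shell
#!/bin/sh
# /etc/ipfw.rules: run by rc.d/ipfw because rc.conf sets firewall_script.
# Added example, not the poster's file; every address below is a constructed
# placeholder that must be replaced before the script is used.
oif="em0"             # public interface, same as natd_interface in rc.conf
web="203.0.113.10"    # stands in for the poster's 203.xxx.xxx.xxx (webserver)
admin="198.51.100.5"  # the one address from which sshd may be reached

# Real ipfw on the host; anywhere else (or with DRY_RUN=1) only print the
# commands, so the rule set can be reviewed before touching a remote box.
if [ -x /sbin/ipfw ] && [ "${DRY_RUN:-0}" != 1 ]; then
    fwcmd="/sbin/ipfw -q"
else
    fwcmd="echo ipfw"
fi

# One ipfw command per line, in evaluation order. The admin SSH rule sits
# before the natd divert so a NAT mistake cannot cut off remote access, and
# the explicit deny at 65534 makes the policy independent of the
# default_to_accept tunable once that safety net is removed.
rules() {
    cat <<EOF
flush
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 allow tcp from $admin to me 22 in via $oif setup
add 00400 divert natd ip from any to any via $oif
add 00500 allow tcp from any to any established
add 00600 allow tcp from any to $web 21,80,443 in via $oif setup
add 00700 allow tcp from me to any out via $oif setup
add 00800 allow udp from me to any 53 out via $oif
add 00900 allow udp from any 53 to me in via $oif
add 01000 allow icmp from any to any icmptypes 0,3,8,11
add 65534 deny log ip from any to any
EOF
}

# Feed each line to ipfw (or echo), skipping blanks and comments.
apply_rules() {
    rules | while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        $fwcmd $line
    done
}

apply_rules
```

Running it with DRY_RUN=1 on any machine prints the exact ipfw commands that would be issued, which is worth doing before the script is enabled on a box you cannot reach physically.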