Hi Guys
I have set up IPFW on FreeBSD 8.1 amd64, but while I have set the 'closed' option in rc.conf, it is not actually blocking ports by default. For example, I comment out the line allowing port 21, but after I load the rules I can still access ftp. If I set it to deny, then it is denied.
I have been discussing this with Jailed and he suggested that this may be related to some bugs with IPFW and the amd64-8.1. Has anyone discovered the same issue?
This is my IPFW config:
/etc/rc.conf
Code:
# ENABLE FIREWALL SETTINGS
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_type="closed"
/etc/sysctl.conf
Code:
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
/boot/loader.conf
Code:
## Enable ipfw
ipfw_load="YES"
ipdivert_load="YES"
/usr/src/sys/amd64/conf/MYKERNEL
Code:
# Firewall Support
options IPFIREWALL
options HZ=1000
options IPDIVERT
This is a minimal ipfw ruleset that Jailed wrote for me to help test the firewall:
/etc/ipfw.rules
Code:
IPF="ipfw -q add"
ipfw -q -f flush
# allow all internal connections
$IPF 11 allow all from me to me
# allow all passive ports to all IPs.
$IPF 60 allow all from any to any 1024-65535
# allow pings both in and out
$IPF 90 allow icmp from any to any
# Connections to host.
$IPF 900 allow all from any to xxx.xxx.xxx.xx2 22
$IPF 910 allow all from any to xxx.xxx.xxx.xx2 80
$IPF 920 allow all from any to xxx.xxx.xxx.xx2 1194
# Connections to Webserver.
$IPF 1000 allow all from any to xxx.xxx.xxx.xx3 80
$IPF 1010 allow all from any to xxx.xxx.xxx.xx3 443
$IPF 1020 allow all from any to xxx.xxx.xxx.xx3 21
Thanks.