Solved desktop computer

Hi!

I have a single desktop computer, and since FreeBSD 7 I have been using PF. Today I decided to switch to IPFW and I put this in /etc/rc.conf:
Code:
firewall_enable="YES"
firewall_quiet="YES"
firewall_type="workstation"
firewall_logdeny="YES"

Is it enough to have the default settings, please? I tested with security/nmap, and I am starting to learn about firewalls.

Thank you.
 
To see a full list of active firewall rules, run ipfw -a list.

These are the ipfw(8) default settings when the firewall type is set to "workstation":

# sed '/^##/,/^$/!d;/^$/q' /etc/rc.firewall:
Code:
############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open        - will allow anyone in
#   client      - will try to protect just this machine
#   simple      - will try to protect a whole network
#   closed      - totally disables IP services except via lo0 interface
#   workstation - will try to protect just this machine using stateful
#                 firewalling. See below for rc.conf variables used
#   UNKNOWN     - disables the loading of firewall rules.
#   filename    - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.
# sed -n '/^\[Ww/,/^\[Cc/p' /etc/rc.firewall:
Code:
[Ww][Oo][Rr][Kk][Ss][Tt][Aa][Tt][Ii][Oo][Nn])
        # Configuration:
        #  firewall_myservices:         List of ports/protocols on which this
        #                                host offers services.
        #  firewall_allowservices:      List of IPv4 and/or IPv6 addresses
        #                                that have access to
        #                                $firewall_myservices.
        #  firewall_trusted:            List of IPv4 and/or IPv6 addresses
        #                                that have full access to this host.
        #                                Be very careful when setting this.
        #                                This option can seriously degrade
        #                                the level of protection provided by
        #                                the firewall.
        #  firewall_logdeny:            Boolean (YES/NO) specifying if the
        #                                default denied packets should be
        #                                logged (in /var/log/security).
        #  firewall_nologports:         List of TCP/UDP ports for which
        #                                denied incoming packets are not
        #                                logged.

        # Allow packets for which a state has been built.
        ${fwcmd} add check-state

        # For services permitted below.
        ${fwcmd} add pass tcp  from me to any established

        # Allow any connection out, adding state for each.
        ${fwcmd} add pass tcp  from me to any setup keep-state
        ${fwcmd} add pass udp  from me to any       keep-state
        ${fwcmd} add pass icmp from me to any       keep-state
        if [ $ipv6_available -eq 0 ]; then
                ${fwcmd} add pass ipv6-icmp from me to any keep-state
        fi

        # Allow DHCP.
        ${fwcmd} add pass udp  from 0.0.0.0 68 to 255.255.255.255 67 out
        ${fwcmd} add pass udp  from any 67     to me 68 in
        ${fwcmd} add pass udp  from any 67     to 255.255.255.255 68 in
        if [ $ipv6_available -eq 0 ]; then
                ${fwcmd} add pass udp from fe80::/10 to me 546 in
        fi
        # Some servers will ping the IP while trying to decide if it's
        # still in use.
        ${fwcmd} add pass icmp from any to any icmptype 8
        if [ $ipv6_available -eq 0 ]; then
                ${fwcmd} add pass ipv6-icmp from any to any icmp6type 128,129
        fi
                                             
        # Allow "mandatory" ICMP in.
        ${fwcmd} add pass icmp from any to any icmptype 3,4,11
        if [ $ipv6_available -eq 0 ]; then
                ${fwcmd} add pass ipv6-icmp from any to any icmp6type 3
        fi

        # Add permits for this workstations published services below
        # Only IPs and nets in firewall_allowservices is allowed in.
        # If you really wish to let anyone use services on your
        # workstation, then set "firewall_allowservices='any'" in /etc/rc.conf
        #
        # Note: We don't use keep-state as that would allow DoS of
        #       our statetable.
        #       You can add 'keep-state' to the lines for slightly
        #       better performance if you fell that DoS of your
        #       workstation won't be a problem.
        #
        for i in ${firewall_allowservices} ; do
          for j in ${firewall_myservices} ; do
            case $j in
            [0-9A-Za-z]*/[Pp][Rr][Oo][Tt][Oo])
              ${fwcmd} add pass ${j%/[Pp][Rr][Oo][Tt][Oo]} from $i to me
            ;;
            [0-9A-Za-z]*/[Tt][Cc][Pp])
              ${fwcmd} add pass tcp from $i to me ${j%/[Tt][Cc][Pp]}
            ;;
            [0-9A-Za-z]*/[Uu][Dd][Pp])
              ${fwcmd} add pass udp from $i to me ${j%/[Uu][Dd][Pp]}
            ;;
            *[0-9A-Za-z])
              echo "Consider using ${j}/tcp in firewall_myservices." \
                > /dev/stderr
              ${fwcmd} add pass tcp from $i to me $j
            ;;
            *)
              echo "Invalid port in firewall_myservices: $j" > /dev/stderr
            ;;
            esac
          done
        done

        # Allow all connections from trusted IPs.
        # Playing with the content of firewall_trusted could seriously
        # degrade the level of protection provided by the firewall.
        for i in ${firewall_trusted} ; do
          ${fwcmd} add pass ip from $i to me
        done

        ${fwcmd} add 65000 count ip from any to any

        # Drop packets to ports where we don't want logging
        for i in ${firewall_nologports} ; do
          ${fwcmd} add deny { tcp or udp } from any to any $i in
        done

        # Broadcasts and multicasts
        ${fwcmd} add deny ip  from any to 255.255.255.255
        ${fwcmd} add deny ip  from any to 224.0.0.0/24 in       # XXX

        # Noise from routers
        ${fwcmd} add deny udp from any to any 520 in

        # Noise from webbrowsing.
        # The stateful filter is a bit aggressive, and will cause some
        #  connection teardowns to be logged.
        ${fwcmd} add deny tcp from any 80,443 to any 1024-65535 in

        # Deny and (if wanted) log the rest unconditionally.
        log=""
        if [ ${firewall_logdeny:-x} = "YES" -o ${firewall_logdeny:-x} = "yes" ] ; then
          log="log logamount 500"       # The default of 100 is too low.
          sysctl net.inet.ip.fw.verbose=1 >/dev/null
        fi
        ${fwcmd} add deny $log ip from any to any
        ;;

[Cc][Ll][Oo][Ss][Ee][Dd])
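The reply above points at ipfw -a list for inspecting the live ruleset. As an added example (not from the thread or from /etc/rc.firewall), here is a small POSIX sh script that summarises the per-rule counters that ipfw -a list prints for the workstation profile, so you can see which deny rules actually fire before tuning firewall_nologports or firewall_myservices. The sample listing, its rule numbers and its counters are constructed for the example; the rule bodies follow the workstation profile shown above.

```shell
#!/bin/sh
# Added example: parse "ipfw -a list" output for the workstation profile.
# Each line of "ipfw -a list" has the layout:
#   <rule#> <packets> <bytes> <rule body>

# Constructed sample of "ipfw -a list" output (rule numbers and counters
# are invented; the rule bodies follow rc.firewall's workstation profile).
SAMPLE_LIST='00100     42    5120 check-state
00200   1337  204800 allow tcp from me to any established
00300     17    1360 allow tcp from me to any setup keep-state
00400      8     960 allow udp from me to any keep-state
00500     12     984 allow icmp from me to any keep-state
65000    120    8800 count ip from any to any
65100      0       0 deny { tcp or udp } from any to any 137 in
65200     23    1840 deny ip from any to 255.255.255.255
65300      5     400 deny udp from any to any 520 in
65400     61    3660 deny tcp from any 80,443 to any 1024-65535 in
65500     31    1984 deny log logamount 500 ip from any to any
65535      0       0 deny ip from any to any'

# Print "<rule#> <packets> <body>" for every deny rule that has matched
# at least one packet.  Argument: the "ipfw -a list" text.
deny_hits() {
  printf '%s\n' "$1" | awk '$4 == "deny" && $2 > 0 {
    printf "%s %s %s\n", $1, $2, substr($0, index($0, $4)) }'
}

# Number of deny rules with a non-zero packet counter.
count_deny_hits() {
  printf '%s\n' "$1" | awk '$4 == "deny" && $2 > 0 { n++ } END { print n + 0 }'
}

# Packets dropped by the first catch-all "deny [log ...] ip from any to any",
# i.e. the rule rc.firewall adds last (the one firewall_logdeny=YES logs).
catchall_deny_packets() {
  printf '%s\n' "$1" | awk '$4 == "deny" && / ip from any to any$/ && !seen {
    p = $2; seen = 1 } END { print p + 0 }'
}

# Consistency check: the "count" rule at 65000 sees every packet no earlier
# rule accepted, so its counter minus the packets on the deny rules after it
# should be 0.  Anything else means the counters are out of sync (e.g. after
# "ipfw zero") or some rule after 65000 accepts traffic.
count_rule_balance() {
  printf '%s\n' "$1" | awk '$4 == "count" { c = $2; after = 1; next }
    after && $4 == "deny" { d += $2 } END { print c - d }'
}

echo "deny rules hit: $(count_deny_hits "$SAMPLE_LIST")"
deny_hits "$SAMPLE_LIST"
echo "dropped by catch-all: $(catchall_deny_packets "$SAMPLE_LIST")"
echo "count-rule balance:   $(count_rule_balance "$SAMPLE_LIST")"
```

On a real system replace the constructed SAMPLE_LIST with `"$(ipfw -a list)"`; rules that never match after a few days are candidates for review, and a busy catch-all counter is what firewall_logdeny=YES writes to /var/log/security.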
 
Is it possible to monitor the ipfw firewall with tcpdump, as with the pf firewall (ipfw0)?
I tried:
Code:
tcpdump -n -i ipfw0
tcpdump: ipfw0: No such device exists
(BIOCSETIF failed: Device not configured)

Thank you.
 
You can create the device manually with ifconfig ipfw0 create and automatically by including firewall_logif="YES" in rc.conf(5). You also need the sysctl(8) value for net.inet.ip.fw.verbose set to 0, which I think is default anyway. I believe the IPFIREWALL_VERBOSE kernel option (if you're using a custom kernel) sets it to 1 by default, which means logs are sent to syslog(8).
 