IPFW Open status firewall

robeke

New Member


Messages: 7

Hi, how can I set the firewall status to "open", please? I tried firewall_type="open" but I still have the default rule deny ip from any to any, just like with firewall_type="close". Can you help me, please?
 

obsigna

Aspiring Daemon

Reaction score: 520
Messages: 895

I am sorry for needing to ask something obvious, however the most probable cause of what you see is that the directive firewall_type="open" has not yet been executed by the init system. So, did you restart either your machine or the ipfw(8) service after you placed said directive into /etc/rc.conf? See what happens when you issue the following command as user root:
Code:
service ipfw restart
 

obsigna

Aspiring Daemon

Reaction score: 520
Messages: 895

  • Place the following content into a script file /usr/local/etc/ipfw-open.conf
    Code:
    #!/bin/sh
    /sbin/ipfw -q flush
    /sbin/ipfw -q add 65534 allow ip from any to any
  • Make the file executable with the command: chmod +x /usr/local/etc/ipfw-open.conf
  • Execute the created ipfw script: /usr/local/etc/ipfw-open.conf
  • Verify that the rule has been applied: ipfw show
    Code:
    65534 474 79469 allow ip from any to any
    65535   3   192 deny ip from any to any
You should see the allow rule 65534 coming before the deny rule. Note that rule 65535 cannot be changed from user space. Anyway, with the open-all rule 65534 in place, the default deny rule will never be reached anymore.

If this works as expected, then replace your directive firewall_type="open" in /etc/rc.conf with firewall_script="/usr/local/etc/ipfw-open.conf".

If you really want the default rule to disappear completely, then you need to compile a custom kernel with the following kernel options:
Code:
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT

PS:
Instead of compiling a custom kernel, you can place the DEFAULT_TO_ACCEPT setting as a loader tunable into /boot/loader.conf. I just verified that this works with the following additions to /boot/loader.conf:
Code:
...
net.inet.ip.fw.default_to_accept=1
libalias_load="YES"
ipfw_load="YES"
# loader.conf module variables carry the _load suffix
ipfw_nat_load="YES"
Note that the given sysctl must be set at the loader stage, since it is read-only from user space.
 

robeke

New Member


Messages: 7

Thanks! It's working, but I have a problem. The firewall is blocking my IP and I don't know why.
ipfw.rules:
Code:
#!/bin/sh
ipfw -q -f flush
ipfw -q add 00001 allow all from 192.168.1.0/24 to any via vtnet0
And my IP is 192.168.1.100. I tried "allow all from any to any via vtnet0" and then it works (the firewall passes all traffic).
I tried using my hostname too, but I got "unknown hostname".
Sorry for my questions, but I am only a beginner.
Thanks.
 

obsigna

Aspiring Daemon

Reaction score: 520
Messages: 895

Didn't you say that you had managed to make the final firewall rule an open one?

Note that IP traffic is usually bidirectional, and the firewall must allow the packets of both endpoints of a connection. Your rule #00001 does allow outgoing traffic from 192.168.1.0/24 to any, but any incoming traffic is generally forbidden by rule #65535.

Your choices are either of:
  1. convert the default rule #65535 to an open one as explained in my message #5

  2. add a general allow rule in front of the default rule
    /sbin/ipfw -q add 65534 allow ip from any to any

  3. convert your single allow rule into an in/out rule pair:
    /sbin/ipfw -q add 1 allow ip from 192.168.1.0/24 to any out xmit vtnet0
    /sbin/ipfw -q add 2 allow ip from any to 192.168.1.0/24 in recv vtnet0

  4. make your firewall a stateful one (check-state must come before the rules that create the dynamic state):
    /sbin/ipfw -q add 1 check-state
    /sbin/ipfw -q add 2 allow tcp from 192.168.1.0/24 to any out xmit vtnet0 setup keep-state
    /sbin/ipfw -q add 3 allow udp from 192.168.1.0/24 to any out xmit vtnet0 keep-state
 

robeke

New Member


Messages: 7

Thanks! I used option 3, so it's working. Here is my ipfw.rules:
Code:
#!/bin/sh
ipfw -q -f flush
ipfw -q add 00001 allow ip from any to 192.168.1.0/24 out xmit vtnet0
ipfw -q add 00002 allow ip from 192.168.1.0/24 to any in recv vtnet0
And sorry for my bad English :D
 

robeke

New Member


Messages: 7

I have one more question: how do I allow loopback, please?
I tried:
Code:
ipfw -q add 00015 allow all from 127.0.0.1/8 to me out xmit vtnet0
ipfw -q add 00016 allow all from me to 127.0.0.1/8 in recv vtnet0
but it doesn't work.
Thanks
 

obsigna

Aspiring Daemon

Reaction score: 520
Messages: 895

ipfw(8) evaluates the rules in sequential order, i.e. rules with lower numbers come first, and it stops evaluating once a rule matches. Therefore you want to put the rules that will be hit by the most traffic (usually everything local) first in your ruleset. My rulesets always start with:
Code:
#!/bin/sh
# name of the dedicated LAN interface (vtnet0 on the machine in this thread)
lanif="vtnet0"

/sbin/ipfw -q -f flush

/sbin/ipfw -q add 10 allow ip from any to any via $lanif
/sbin/ipfw -q add 20 allow ip from any to any via lo0
If your machine does not have a dedicated LAN interface, then forget rule #10. lo0 is the loopback interface identifier, and therefore rule #20 allows all the traffic going over it. Your other rules should come afterwards, and you want to change the rule numbers #1 and #2 to, let's say, #30 and #31.
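As an added example, not code from either poster, the following script ties the pieces of this thread together into one first-match ruleset: loopback first, LAN-local traffic next, stateful outbound for everything else (option 4 above, with check-state ahead of the keep-state rules), and an explicit final deny so the policy does not depend on whether rule 65535 is deny or accept. It assumes a single-NIC host on 192.168.1.0/24 with interface vtnet0, as in this thread. The IPFW variable defaults to "echo /sbin/ipfw", so on any system the script prints the commands for inspection; set IPFW=/sbin/ipfw and run it as root on FreeBSD (or point firewall_script in /etc/rc.conf at it) to load the rules.

```sh
#!/bin/sh
# Added example: a complete host ruleset for a single-NIC machine.
# Assumptions: LAN interface vtnet0, LAN network 192.168.1.0/24.
# IPFW defaults to a dry run that prints the commands; use IPFW=/sbin/ipfw to apply.

lanif="${lanif:-vtnet0}"
lannet="${lannet:-192.168.1.0/24}"
IPFW="${IPFW:-echo /sbin/ipfw}"   # unquoted below on purpose so the echo form splits

build_ruleset() {
    $IPFW -q -f flush

    # First match wins, so the highest-volume traffic goes first: loopback.
    $IPFW -q add 10 allow ip from any to any via lo0
    # Loopback addresses must never show up on a real interface in either direction.
    $IPFW -q add 20 deny ip from any to 127.0.0.0/8 in recv "$lanif"
    $IPFW -q add 30 deny ip from 127.0.0.0/8 to any out xmit "$lanif"

    # Traffic where both endpoints are on the LAN segment, both directions.
    $IPFW -q add 100 allow ip from "$lannet" to "$lannet" via "$lanif"

    # check-state must precede the keep-state rules: replies to flows we opened
    # are matched here, before anything below gets a look at them.
    $IPFW -q add 200 check-state

    # Connections this host initiates create dynamic state; unsolicited inbound
    # never matches these rules (out xmit only) and falls through to the deny.
    $IPFW -q add 210 allow tcp from me to any out xmit "$lanif" setup keep-state
    $IPFW -q add 220 allow udp from me to any out xmit "$lanif" keep-state

    # Explicit last rule: the policy is default-deny regardless of how the kernel
    # was built or whether net.inet.ip.fw.default_to_accept is set.
    $IPFW -q add 65000 deny log ip from any to any
}

# Rule numbers in load order; meaningful in dry-run mode only.
rule_numbers() {
    build_ruleset | awk '$3 == "add" { print $4 }'
}

# Dry run by default: prints the ipfw commands instead of loading them.
build_ruleset
```

Nothing in the ruleset refers to a hostname: ipfw resolves names once at load time, and a resolution failure ("unknown hostname") aborts the rule, so addresses and networks are written numerically.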
 