Some help clarify rc.conf entries for ipfw?

Using 8.1 minimal install. Not connected to any network yet.

Setting up ipfw for the first time, I am trying to understand what I'm doing rather than just follow a cookbook. firewall_type is very clear, except in this regard: one type is filename, which I see is the full path to the firewall rules. But then there is firewall_script, which goes to a different file. They both seem to be rulesets, and it appears to me that what I want to use is firewall_script, not type filename, so that I can more conveniently modify and restart the firewall while trying out rule creation, etc. This further leaves me wondering about type. Currently I have it set to "open", which I feel uncomfortable with; I would prefer "closed", but does it make any difference since I am using the script file? Or does this affect the tiny window during boot until the rules are in effect? My script file is working, as I can see the rules being displayed during boot.

1. For the student (me), should I use the script file over the filename?
2. If I use script, do I need firewall_type?
3. If I do use firewall_type and script, am I more correct in selecting "closed" until the script is running?

Thanks
 
IMHO: the easiest and most manageable way to deal with your firewall is like this:

in your /etc/rc.conf file:
Code:
firewall_enable="YES"
firewall_logging="YES"
firewall_script="/usr/local/etc/ipfw/ipfw-rules.sh"

This points to an external firewall script that contains your firewall rules. In my case, the firewall rules are located in /usr/local/etc/ipfw/ipfw-rules.sh

The ipfw-rules.sh is a shell script that allows you to build your rules externally and load / reload them on the fly. When ipfw launches -- it executes the shell script... and you can modify the script at any time and execute it...

My ipfw-rules.sh script looks SOMETHING like this:

Code:
#!/bin/sh
# IPFW FIREWALL RULES
# G. Patnude

IPF="ipfw -q add"
# flush the current ruleset before loading the new one
ipfw -q -f flush

# BRUTEBLOCKD: addresses in table 1 are dropped outright
$IPF 5 deny ip from 'table(1)' to any

# loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# FTP:
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out

# SSH:
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out

# MAIL:
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out

# BIND / DNS:
$IPF 170 allow udp from any to any 53 in
$IPF 172 allow tcp from any to any 53 in
$IPF 174 allow udp from any to any 53 out
$IPF 176 allow tcp from any to any 53 out

# RNDC / BIND:
$IPF 180 allow udp from any to any 953 in
$IPF 182 allow tcp from any to any 953 in
$IPF 184 allow udp from any to any 953 out
$IPF 186 allow tcp from any to any 953 out

# APACHE / HTTPD:
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
...
...
...
...
# EVERYTHING ELSE IS DENIED
$IPF 65000 deny log all from any to any

NOTE: I actually run with about 200+ different rules... by embedding them in an external shell script -- I find it VERY easy to add a rule and reload the ruleset by simply executing:

Code:
sh /usr/local/etc/ipfw/ipfw-rules.sh
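As an added example (not the poster's script), the same style of rule script with a dry-run mode, so that a reworked ruleset can be reviewed (rule count, final deny) before it is loaded; the ipfw path, rule numbers and the port list are assumptions and cover only a subset of the rules above:

```shell
#!/bin/sh
# Added example, not the poster's script: an ipfw rule script of the same
# shape with a dry-run mode that prints the "ipfw -q add" commands instead of
# loading them, so a ruleset can be reviewed before it replaces the live one.

IPFW=${IPFW:-/sbin/ipfw}   # assumed path to ipfw
DRY_RUN=${DRY_RUN:-0}

# run_ipfw: apply an ipfw command, or print it when DRY_RUN=1
run_ipfw() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ipfw %s\n' "$*"
    else
        "$IPFW" "$@"
    fi
}

# ipf: shorthand for "ipfw -q add <rule>", like IPF= in the script above
ipf() { run_ipfw -q add "$@"; }

# allow_tcp_service BASE PORT: the in/out rule pair used per service above,
# numbered BASE (in) and BASE+10 (out)
allow_tcp_service() {
    ipf "$1" allow tcp from any to any "$2" in
    ipf $(( $1 + 10 )) allow tcp from any to any "$2" out
}

load_rules() {
    run_ipfw -q -f flush                       # start from an empty ruleset
    ipf 10 allow all from any to any via lo0   # loopback
    ipf 20 deny all from any to 127.0.0.0/8    # no loopback addresses on the wire
    ipf 30 deny all from 127.0.0.0/8 to any
    ipf 50 check-state                         # stateful: consult dynamic rules first
    ipf 60 allow tcp from any to any established
    ipf 70 allow all from any to any out keep-state
    ipf 80 allow icmp from any to any
    allow_tcp_service 130 22                   # SSH
    allow_tcp_service 200 80                   # HTTP
    ipf 65000 deny log all from any to any     # everything else is denied and logged
}

# dry_run_rules: print the commands load_rules would execute, without running them
dry_run_rules() { ( DRY_RUN=1; load_rules ); }
# count_rules: how many "add" commands a dry run emits (quick sanity check)
count_rules() { dry_run_rules | grep -c ' add '; }

case "${1:-}" in
    apply)   load_rules ;;
    dry-run) dry_run_rules ;;
    *)       echo "usage: $0 apply | dry-run" >&2 ;;
esac
```

Run it with `dry-run` to read the rules that would be loaded, then with `apply` (as root) to load them, the same way the poster runs the script with sh.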