From FreeBSDwiki


All software firewall applications are based on monitoring the flow of network packets to and from your system. The values of selected packet control fields can be interrogated by user-written rules to allow or deny packet traffic based on your security needs.

Selection can be based on source and destination IP address, the source and destination port number, the type of protocol used (TCP, UDP, ICMP), or any combination. Firewall software applications provide a much, much finer level of control than that provided by a hardware router. They can be used to protect a single FBSD system or a complete internal network (LAN) by preventing public Internet traffic from making arbitrary connections to your internal network. They may also be used to prevent public Internet entities from spoofing internal IP addresses and to disable services you do not want accessed from the public Internet or by internal LAN users.

Finally, firewalls may be used to support NAT (network address translation), which allows an internal network using private IP addresses to share a single connection to the public Internet, or letting commercial users share a range of static public IP addresses automatically among the LAN users.

Firewall Rule Set Types

Constructing a software application firewall rule set may seem to be trivial, but most people get it wrong. The most common mistake is to create an exclusive firewall rather than an inclusive firewall.

An exclusive firewall allows all services through except for those matching a set of rules that block certain services.

An inclusive firewall does the reverse. It only allows services matching the rules through and blocks everything else. This way you can control what services can originate behind the firewall destined for the public Internet and also control which services originating from the public Internet may access your network. Inclusive firewalls are much, much safer than exclusive firewalls.

When you use your browser to access a web site there are many internal functions that happen before your screen fills with the data from the target web site. Your browser does not receive one large file containing all the data and display format instructions at one time. Each internal function accesses the public Internet in multiple send/receive cycles of packets of information. When all the packets containing the data finally arrive, the data contained in the packets is combined together to fill your screen. Each service has its own port number. The port number 80 is for web page services. So you can code your firewall to only allow web page session start requests originating from your LAN to pass through the firewall out to the public Internet.

Security can be tightened further by telling the firewall to monitor the send/receive cycles of all the packets making up that session until the session completes. These are called stateful capabilities and provide the maximum level of protection.

A firewall rule set that does not implement stateful capabilities on all the services being authorized is an insecure firewall that is still open to many of the most common methods of attack.
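The following is an added illustration of the two rule set types described above, not code from FreeBSDwiki and not IPFW, IPF or PF syntax. It models a packet filter with a simplified rule format (the `iface`, `setup` and `keep_state` fields are assumptions standing in for the real firewalls' keywords), the LAN prefix 192.168.1.0/24 and the sample packets are constructed. The inclusive set permits only LAN-originated web session starts and tracks each session so its replies pass on state; the exclusive set blocks a single service and lets everything else, including an unsolicited inbound connection and a packet spoofing an internal source address, straight through.

```python
"""Toy model of an inclusive, stateful packet filter versus an exclusive one.

Constructed example for illustration only; this is not IPFW, IPF or PF code,
and the Rule fields are a simplified stand-in for their real rule syntaxes.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

LAN = ip_network("192.168.1.0/24")   # assumed internal network behind the firewall


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet arrived on: "lan" or "wan"
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for a TCP session-start packet (SYN without ACK)


@dataclass(frozen=True)
class Rule:
    action: str                            # "allow" or "deny"
    iface: Optional[str] = None            # None means "any"
    proto: Optional[str] = None
    dport: Optional[int] = None
    src_net: Optional[IPv4Network] = None
    setup: bool = False        # match only session-start packets (like IPFW "setup")
    keep_state: bool = False   # record the session so its later packets pass via state

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.src_net is None or ip_address(p.src) in self.src_net)
                and (not self.setup or p.syn))


class Firewall:
    def __init__(self, rules, default):
        self.rules = list(rules)
        self.default = default    # verdict when no rule matches
        self.state = set()        # dynamic entries: (proto, src, sport, dst, dport)

    def _known_session(self, p: Packet) -> bool:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return fwd in self.state or rev in self.state

    def filter(self, p: Packet):
        # check-state: a packet belonging to an already-authorised session passes
        # without being compared against the static rules again.
        if self._known_session(p):
            return ("allow", "state")
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow" and r.keep_state:
                    self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return (r.action, "rule")
        return (self.default, "default")


def inclusive_firewall() -> Firewall:
    """Only LAN-originated web sessions may start; everything else is denied."""
    return Firewall([
        Rule("deny", iface="wan", src_net=LAN),   # anti-spoofing on the public side
        Rule("allow", iface="lan", proto="tcp", dport=80, setup=True, keep_state=True),
    ], default="deny")


def exclusive_firewall() -> Firewall:
    """Blocks only one service and allows everything else (the common mistake)."""
    return Firewall([Rule("deny", proto="tcp", dport=23)], default="allow")


SAMPLE_TRAFFIC = [  # constructed packets, in arrival order
    Packet("lan", "tcp", "192.168.1.10", 51000, "203.0.113.5", 80, syn=True),   # web request
    Packet("wan", "tcp", "203.0.113.5", 80, "192.168.1.10", 51000),             # its reply
    Packet("wan", "tcp", "198.51.100.7", 44000, "192.168.1.10", 8080),          # unsolicited
    Packet("wan", "tcp", "192.168.1.20", 40000, "192.168.1.10", 445, syn=True),  # spoofed source
]


def run(fw: Firewall):
    """Return the verdict ("allow"/"deny") for each sample packet, in order."""
    return [fw.filter(p)[0] for p in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for name, factory in (("inclusive", inclusive_firewall), ("exclusive", exclusive_firewall)):
        print(name, run(factory()))
```

Running it shows the inclusive set answering allow, allow, deny, deny (the reply is admitted on state, not by a static rule) while the exclusive set answers allow for all four packets. The `setup` flag matters too: without it, a mid-session packet to port 80 with no state entry would open a dynamic rule on its own.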

Firewall Software Applications

FBSD has three different firewall software products built into the base system. They are IPFILTER, also known as IPF; IPFIREWALL, also known as IPFW; and the OpenBSD Packet Filter, known as PF. IPFW has a built-in traffic shaper for controlling bandwidth usage called dummynet. PF has its own built-in traffic shaper for controlling bandwidth usage called ALTQ. IPFILTER does not have a built-in traffic shaper, but the ALTQ port can be used to accomplish the same function. The dummynet feature and ALTQ are generally useful only to large ISPs or commercial users. IPF, IPFW, and PF all use rules to control the access of packets to and from your system, although they go about it in different ways and have different rule syntaxes.

The IPFW /etc/rc.firewall sample rule set delivered in the basic install is outdated, complicated, and does not use stateful rules on the interface facing the public Internet. It exclusively uses legacy stateless rules, which only have the ability to open or close the service ports. The IPFW example stateful rule sets presented here supersede the /etc/rc.firewall file distributed with the system.

Stateful rules have technically advanced interrogation abilities capable of defending against the flood of different attack methods currently employed by attackers.

Both of these firewall software solutions, IPF and IPFW, still maintain the legacy heritage of their original rule processing order and reliance on non-stateful rules. These outdated concepts are not covered here; only the new, modern stateful rule construct and rule processing order are presented.

You should read about all three firewalls, and then make your own decision on which one best fits your needs.

The author prefers IPFILTER because its stateful rules are much less complicated to use in a NAT environment, and it has a built-in FTP proxy that simplifies the rules needed to allow secure outbound FTP usage. It is also more appropriate to the knowledge level of the inexperienced firewall user.

Since all firewalls are based on interrogating the values of selected packet control fields, the creator of the firewall rules must have an understanding of how TCP/IP works, what the different values in the packet control fields are and how these values are used in a normal session conversation. For a good explanation go to
