pavement

IPFIREWALL (IPFW) Firewall

From FreeBSDwiki
(Difference between revisions)
Jump to: navigation, search
(Kernel options)
(IPFW Command)
Line 87: Line 87:
 
You would enter on the FBSD command line one of the following forms of the list command.
 
You would enter on the FBSD command line one of the following forms of the list command.
  
 +
<pre>
 
ipfw list          List all rules in rule number sequence.
 
ipfw list          List all rules in rule number sequence.
  
Line 109: Line 110:
 
ipfw zero number  Clear accounting counter just for this rule number.
 
ipfw zero number  Clear accounting counter just for this rule number.
  
ipfw show | more  
+
ipfw show | more
 +
</pre>
 +
 
  
 
If you have a big rule set with dynamic rules it will scroll off the screen. Suffix the command with ‘ | more’ which will only display the first screen full, and then you have to use the arrow keys or enter key to scroll down through the info.
 
If you have a big rule set with dynamic rules it will scroll off the screen. Suffix the command with ‘ | more’ which will only display the first screen full, and then you have to use the arrow keys or enter key to scroll down through the info.

Revision as of 16:54, 13 August 2012

Contents

IPFIREWALL (IPFW) Firewall

The IPFIREWALL (IPFW) is a FBSD sponsored firewall software application authored and maintained by FBSD volunteer staff members. It uses the legacy stateless rules and a legacy rule coding technique to achieve what is referred to as simple stateful logic.

The IPFW stateless rule syntax is empowered with technically sophisticated selection capabilities which far surpasses the knowledge level of the customary firewall installer. IPFW is targeted at the professional user or the advanced technical computer hobbyist who has advanced packet selection requirements. A high degree of detailed knowledge into how different protocols use and create their unique packet header information is necessary before the power of the IPFW rules can be unleashed. Providing that level of explanation is out of the scope of this section of the handbook.

IPFW is composed of seven components; the kernel firewall filter rule processor and its integrated packet accounting facility (the primary component), the logging facility, the ‘divert’ rule which triggers the NAT facility, and the advanced special purpose facilities (the dummynet traffic shaper facilities the ‘fwd rule’ forward facility, the bridge facility, and the ipstealth facility).

See the FBSD man pages, 'man ipfw' or 'man ipfirewall' or 'man dummynet' for details.

From this point on I will use IPFW to mean IPFIREWALL.



Enabling IPFW

IPFW is included in the basic FBSD install as a separate run time loadable module. IPFW will dynamically load its kernel loadable module when the rc.conf statement firewall_enable="YES" is used. You do not need to compile IPFW into the FBSD kernel.

Using the IPFW run time loadable module is recommended.

After rebooting your system with firewall_enable="YES" in rc.conf the following white highlighted message is displayed on the screen as part of the boot process.

IP packet filtering initialized, divert disabled, rule-based forwarding enabled, default to deny, logging disabled

You can disregard this message as it’s outdated and no longer is the true status of the IPFW loadable module. The loadable module really does have logging ability.

To set the verbose limit, there is a knob you can set in sysctl.conf by adding this statement to the file:

    ee /etc/sysctl.conf


    net.inet.ip.fw.verbose_limit=5

Kernel options

It is not a mandatory requirement that you enable IPFW by compiling the following options into the FBSD kernel. It’s only presented here as a background information option. Compiling IPFW into the kernel causes the loadable module to never be used.


Sample kernel source IPFW options statements are in the /usr/src/sys/i386/conf/LINT kernel source and are reproduced here.

options IPFIREWALL
options IPFIREWALL_VERBOSE 
options IPFIREWALL_VERBOSE_LIMIT=5
option  IPDIVERT               

IPFIREWALL This tells the compile to include IPFW as part of the kernel.

IPFIREWALL_VERBOSE enables the option to have IPFW log traffic by printing packet activity to syslogd for every rule that has the "log" keyword.

IPFIREWALL_VERBOSE_LIMIT=5 specifies the default number of packets from a particular rule is to be logged. Without this option each repeated occurrences of the same packet will be logged and eventually consume all the free disk space, resulting in services being denied due to lack of resources. The 5 is the number of consecutive times to log evidence of this unique occurrence.

IPDIVERT adds the userland natd function which is utilized by the divert natd IPFW rule statement.

A complete list of the IPFW options statements are in /usr/src/sys/i386/conf/LINT

Installer note: After compiling IPFW into your kernel you lose the ability to access all private LAN and public Internet networks, until you enable IPFW in rc.conf and reboot.

RC.CONF Options

You have to tell FBSD to active it at boot time. You do that by adding the following statements to /etc/rc.conf:

firewall_enable="YES"               # Start IPFW daemon
firewall_script="/etc/ipfw.rules"   # Use my custom rules.
filewall_logging="YES"              # Enable packet logging


For a completely open firewall, you have to create the /etc/ipfw.rules file with the following rules

ipfw –f flush ipfw add allow all from any to any



IPFW Command

The ipfw command is the normal vehicle for making manual single rule additions or deletions to the firewall active internal rules while it's running. The problem with using this method is once your system is shutdown or halted, all the rules you added or changed or deleted are lost. Writing all your rules in a file and using that file to load the rules at boot time or to replace in mass the currently running firewall rules with changes you made to the files content is the recommended method used here.

The ipfw command is still a very useful for displaying the running firewall rules to the console screen. The IPFW accounting facility dynamically creates a counter for each rule that counts each packet that matches the rule. During the process of testing a rule, listing the rule with its counter is the only way of determining if the rule is functioning.

You would enter on the FBSD command line one of the following forms of the list command.

ipfw list          List all rules in rule number sequence.


ipfw -t list       List rules in rule number sequence with timestamp 
                   of last time that rule was matched.
                        
ipfw -a list       List the accounting information, packet count for 
                   matched rules along with the rules themselves. 
                   The first column is the rule number, followed 
                   by the number of outgoing matched packets, 
                   followed by the number of incoming matched packets, 
                   and finally followed by the rule itself.


ipfw -d list       List dynamic rules in addition to static ones.

ipfw -d -e list    Also show expired dynamic rules.

ipfw zero          Clear all the accounting counters.

ipfw zero number   Clear accounting counter just for this rule number.

ipfw show | more


If you have a big rule set with dynamic rules it will scroll off the screen. Suffix the command with ‘ | more’ which will only display the first screen full, and then you have to use the arrow keys or enter key to scroll down through the info.

Personal tools