BSD DevCenter
BSD Firewalls: IPFW

Before I rebuild my kernel, I'll add the following lines to my kernel config file:

#To enable IPFW with default deny all packets
options	  IPFIREWALL
options	  IPFIREWALL_VERBOSE
options	  IPFIREWALL_VERBOSE_LIMIT=10

#To hide firewall from traceroute
options	  IPSTEALTH

#To hide from nmap, remove if create web server
options	  TCP_DROP_SYNFIN

#To hide from portscans
options	  TCP_RESTRICT_RST

While my kernel recompiles, I'll take a look at the options I should add to /etc/rc.conf. Again, I'll use the "/" to search for the correct section in the manpage:

man rc.conf
/firewall

firewall_enable
   (bool) Set to NO if you do not want have firewall rules
   loaded at startup, or YES if you do.  If set to YES, and
   the kernel was not built with IPFIREWALL, the ipfw kernel
   module will be loaded.  See also ipfilter_enable.

firewall_script
   (str) If you want to run a firewall script other than
   /etc/rc.firewall, set this variable to the full path to
   that script.

firewall_type
   (str) Names the firewall type from the selection in
   /etc/rc.firewall, or the file which contains the local
   firewall ruleset.  Valid selections from /etc/rc.firewall,
   are ''open'' - unrestricted IP access; ''closed'' - all IP
   services disabled, except via lo0; ''client'' - basic
   protection for a workstation; ''simple'' - basic protection
   for a LAN.  If a filename is specified, the full path must
   be given.

Since I want my firewall rules to be loaded at bootup, I'll set firewall_enable to YES. I'll be creating my own ruleset, so I'll specify the path to the file I'll create using firewall_type.

firewall_quiet
   (bool) Set to YES to disable the display of ipfw rules on
   the console during boot.

This is a good option to leave at NO until you're happy with your ruleset, as the console will then show each rule being loaded; if you have a typo in your ruleset, all the rules following the typo will NOT be loaded. If you're watching the screen at bootup, you'll see an ipfw syntax message following the last rule that was successfully loaded; look for a typo in the line following that rule, fix it, then reboot to ensure that all your rules load successfully.

firewall_logging
   (bool) Set to YES to enable ipfw event logging.  This is
   equivalent to the IPFIREWALL_VERBOSE kernel option.

tcp_extensions
   (bool) Set to NO by default.  Setting this to YES enables
   certain TCP options as described by RFC 1323.  If you have
   problems with connections randomly hanging or other weird
   behavior of such nature, you might try setting this back to
   NO and seeing if that helps.  Some hardware/software out
   there is known to be broken with respect to these options.

log_in_vain
   (bool) Set to NO by default.  Setting to YES will enable
   logging of connection attempts to ports that have no
   listening socket on them.

tcp_keepalive
   (bool) Set to YES by default.  Setting to NO will disable
   probing idle TCP connections to verify that the peer is
   still up and reachable.

tcp_drop_synfin
   (bool) Set to NO by default.  Setting to YES will cause the
   kernel to ignore TCP frames that have both the SYN and FIN
   flags set.  This prevents OS fingerprinting, but may break
   some legitimate applications.  This option is only available
   if the kernel was built with the TCP_DROP_SYNFIN option.

Since I added the option TCP_DROP_SYNFIN in my kernel, I'll set this corresponding value to YES. I'll include a remark to remove this line if I enable a web server on this computer.

tcp_restrict_rst
   (bool) Set to NO by default.  Setting to YES will cause the
   kernel to refrain from emitting TCP RST frames in response
   to invalid TCP packets (e.g., frames destined for closed
   ports).  This option is only available if the kernel was
   built with the TCP_RESTRICT_RST option.

icmp_drop_redirect
   (bool) Set to NO by default.  Setting to YES will cause the
   kernel to ignore ICMP REDIRECT packets.

icmp_log_redirect
   (bool) Set to NO by default.  Setting to YES will cause the
   kernel to log ICMP REDIRECT packets.  Note that the log
   messages are not rate-limited, so this option should only
   be used for troubleshooting your own network.

I end up adding the following lines to my /etc/rc.conf file:

#required for ipfw support
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="/etc/ipfw.rules"
firewall_quiet="NO"	#change to YES once happy with rules
firewall_logging_enable="YES"

#extra firewalling options
log_in_vain="YES"
tcp_drop_synfin="YES"	#change to NO if create webserver
tcp_restrict_rst="YES"
icmp_drop_redirect="YES"
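Several of the rc.conf knobs above only take effect when the matching kernel option was compiled in, and IPFIREWALL alone means default deny until a ruleset is loaded. The POSIX sh script below is an added example (not from the article) that cross-checks a kernel config file against an rc.conf for exactly those dependencies; the function and file names and the sample files it builds are my own constructions.

```sh
#!/bin/sh
# Cross-check a kernel config against rc.conf for the IPFW knobs on this page.
# Usage: check_ipfw_conf KERNELCONF RCCONF  -> prints one WARN line per problem

kernel_has_option() {  # $1 = kernel config, $2 = option name (e.g. IPFIREWALL)
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]=]|$)" "$1"
}

rc_value() {  # $1 = rc.conf, $2 = variable; prints its value without quotes
    line=$(grep -E "^[[:space:]]*$2=" "$1" | tail -n 1)
    val=${line#*=}; val=${val%%#*}           # keep text after '=', drop comment
    printf '%s' "$val" | tr -d '"[:space:]'  # strip quotes and whitespace
}

check_ipfw_conf() {
    kconf=$1 rcconf=$2 problems=0
    # sysctl knobs that rc.conf(5) says are only available with the matching kernel option
    for pair in tcp_drop_synfin:TCP_DROP_SYNFIN tcp_restrict_rst:TCP_RESTRICT_RST; do
        knob=${pair%%:*} opt=${pair##*:}
        if [ "$(rc_value "$rcconf" "$knob")" = YES ] && ! kernel_has_option "$kconf" "$opt"; then
            echo "WARN: $knob=\"YES\" has no effect: kernel config lacks 'options $opt'"
            problems=$((problems + 1))
        fi
    done
    # IPFIREWALL alone means default deny, so a ruleset must actually be loaded at boot
    if kernel_has_option "$kconf" IPFIREWALL; then
        if [ "$(rc_value "$rcconf" firewall_enable)" != YES ]; then
            echo "WARN: kernel has IPFIREWALL (default deny) but firewall_enable is not YES"
            problems=$((problems + 1))
        fi
        case $(rc_value "$rcconf" firewall_type) in
            open|closed|client|simple|/*) ;;   # a named set or a full path, per rc.conf(5)
            *) echo "WARN: firewall_type is neither a set from /etc/rc.firewall nor a full path; no rules would load"
               problems=$((problems + 1)) ;;
        esac
    fi
    echo "$problems problem(s) found"
}

make_samples() {  # constructed sample files for a demo run (not the article's files)
    dir=$(mktemp -d)
    printf 'options\t  IPFIREWALL\noptions\t  IPFIREWALL_VERBOSE_LIMIT=10\noptions\t  TCP_DROP_SYNFIN\n' > "$dir/MYKERNEL"
    printf 'firewall_enable="YES"\nfirewall_type="/etc/ipfw.rules"\ntcp_drop_synfin="YES"\t#change to NO if create webserver\ntcp_restrict_rst="YES"\n' > "$dir/rc.conf"
    echo "$dir"
}

d=$(make_samples)
check_ipfw_conf "$d/MYKERNEL" "$d/rc.conf"   # sample sets tcp_restrict_rst without TCP_RESTRICT_RST
rm -r "$d"
```

Run it against your real files (for example `check_ipfw_conf /usr/src/sys/i386/conf/MYKERNEL /etc/rc.conf`) before the reboot described below.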

A few notes before I reboot into my new kernel. The LINT file really means it when it says "YOU WILL LOCK YOURSELF OUT." Until I start creating a ruleset that allows the IP packets I want, no IP packets will be allowed to leave or enter my computer. If I want to check my e-mail or download any last bits of information regarding rulesets from the Internet, now is the time to do it, before I reboot.
