BSD DevCenter
oreilly.comSafari Books Online.Conferences.


BSD Firewalls: IPFW
Pages: 1, 2, 3

Creating a good ruleset is a bit of a fine art; if you're creating a firewall for the first time, wait until you have a block of time where it's not essential to have a network connection and you have the time to try things and reboot and try something else and reboot, etc. You'll find that the logic used by ipfw will not necessarily be the same logic you use.

Also, a firewall isn't something you just install and then forget about. Plan on spending some time tweaking it and scratching your head when it doesn't seem to do things the way you expected it would. Once you've rebooted into your new firewall-enabled kernel, you'll want to plan on completing the following three tasks:

  1. Methodically add rules to your ruleset and test each new rule to ensure that you have indeed allowed only the packets you wish to allow.
  2. Decide what you wish to log and watch the resulting log. You'll probably end up modifying your rules as you discover that you have inadvertently allowed or denied some packets that you didn't wish to.
  3. Once you're satisfied that your firewall is dropping and accepting the packets you want, test your firewall to ensure it is behaving as you would expect.

Okay, I'll reboot my computer to load the new kernel. I'll also watch my boot screens carefully; I should see the following messages right after my NIC is loaded:

Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to any to
Firewall rules loaded, starting divert daemons:.
Additional routing options: tcp extensions=NO ignore ICMP redirect=YES TCP keepalive=YES restrict TCP reset=YES drop SYN+FIN packets=YES.

<additional output snipped>
Additional TCP options: log_in_vain=YES.

Also in FreeBSD Basics:

Fun with Xorg

Sharing Internet Connections

Building a Desktop Firewall

Using DesktopBSD

Using PC-BSD

You may wonder why I received those first three lines as I haven't yet created the file that contains my ruleset. When I edited /etc/rc.conf, I added the line:


The file /etc/rc.firewall was read at boot time and it contains the following lines:

# Flush out the list before we begin.
${fwcmd} -f flush

# Only in rare cases do you want to change these rules
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to

Since it clearly states that rules 100 and 200 should be used, I'll start with rule 300 when I create my ruleset. Before doing so, I want to double-check that ipfw is indeed denying all packets by default. I can do this using the ipfw show command.

ipfw show
ipfw: socket: Operation not permitted

Looks like only the superuser is allowed to see the firewall rules, so I'll try again as the superuser:

ipfw show
00100   0     0 allow ip from any to any via lo0
00200   0     0 deny ip from any to
65535 115 14092 deny ip from any to any

Then, to be really sure, I'll try to use my network connection:

ping: cannot resolve Host name lookup failure

traceroute: unknown host

Alert!: Unable to access document.

Well, name resolution definitely isn't working; let's try pinging by IP address:

PING ( 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
--- ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

Since I ran that last ping as the superuser, it looks like ipfw is indeed discarding all IP packets. Now that I've successfully locked myself out of my network connection, it's time to create a ruleset that allows me to send and receive the IP packets I want.

There are two ways to create the rules that are read by ipfw:

  • If you use ipfw add, you don't have to reboot for the rule to take effect; however, the rule is lost if you ever do reboot your computer.
  • You can add a line to a file that you've told ipfw to read; however, it won't read it until you reboot.

Since I'm the only person using my home computer, I'll add my rules directly to a file and reboot. I've already added this line to /etc/rc.conf


so I'll be creating a file called /etc/ipfw.rules.

It'll take a whole article to create and test the ruleset, so let's wait til next week to do so. In the meantime, you may want to take a look at the following so you have a feel for the syntax of ipfw rules and what sort of rules should be included in a ruleset:

man ipfw

As you can see, there's no shortage of resources available, so you don't have to reinvent the wheel when you create your ruleset. You'll also notice that rulesets tend to be specific to an individual's needs; you'll find that you'll end up borrowing good ideas from a variety of sources. Til next week, happy reading.

Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.

Read more FreeBSD Basics columns.

Return to the BSD DevCenter.

Sponsored by: