From owner-freebsd-questions@FreeBSD.ORG Sun Jul 31 16:15:31 2011
From: Antonio Olivares <olivares14031@gmail.com>
To: vogelke+unix@pobox.com
Cc: Polytropon, FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Sun, 31 Jul 2011 11:15:30 -0500
In-Reply-To: <20110426184836.3C611B7EE@kev.msw.wpafb.af.mil>
Subject: Re: easy Firewall setup

> A> Is there an easy firewall setup available somewhere (like the one
> A> referenced below but for FreeBSD)?
> > Here's a script you can use to generate a rules file for IPF.
> > --

Karl,

I have used your script and it generated me a nice ipf.rules file

/************* ipf.rules ********************/
quadcore# cat /etc/ipf.rules
# Generated by make-ipf-rules v1.10 at Sun Jul 31 10:42:21 CDT 2011
#
# NAME:
#    /etc/ipf.rules
#
# DESCRIPTION:
#    Ruleset for IPF packet filter.
#
# AUTHOR:
#    Antonio Olivares
# --------------------------------------------------------------------
# We don't care about NETBIOS broadcast crap, bootpc requests, or IGMP.
block in quick on msk0 proto udp from any to any port = 68
block in quick on msk0 proto udp from any to any port = 137
block in quick on msk0 proto udp from any to any port = 138
block in quick on msk0 proto igmp from any to any
# --------------------------------------------------------------------
# Now block everything coming down the network.
block in log on msk0 all
block out log on msk0 all
# --------------------------------------------------------------------
# Get rid of anything with options, as these can be used to hack.
block in log quick from any to any with ipopts
# --------------------------------------------------------------------
# Get rid of short TCP/IP fragments (too small for valid comparison)
# as these can be used to hack.
block in log quick proto tcp from any to any with short
# --------------------------------------------------------------------
# Allow all traffic on loopback.
pass in quick on lo0 all
pass out quick on lo0 all
# --------------------------------------------------------------------
# Block all the private routable addresses, as these should never
# come down the network, nor should we be talking to them.
block out quick on msk0 from any to 192.168.0.0/16
block out quick on msk0 from any to 172.16.0.0/12
block out quick on msk0 from any to 127.0.0.0/8
block out quick on msk0 from any to 10.0.0.0/8
block out quick on msk0 from any to 0.0.0.0/8
block out quick on msk0 from any to 169.254.0.0/16
block out quick on msk0 from any to 192.0.2.0/24
block out quick on msk0 from any to 204.152.64.0/23
block out quick on msk0 from any to 224.0.0.0/3
block in quick on msk0 from 192.168.0.0/16 to any
block in quick on msk0 from 172.16.0.0/12 to any
block in quick on msk0 from 10.0.0.0/8 to any
block in quick on msk0 from 127.0.0.0/8 to any
block in quick on msk0 from 0.0.0.0/8 to any
block in quick on msk0 from 169.254.0.0/16 to any
block in quick on msk0 from 192.0.2.0/24 to any
block in quick on msk0 from 204.152.64.0/23 to any
block in quick on msk0 from 224.0.0.0/3 to any
# --------------------------------------------------------------------
# Block and log portmapper attempts.
block in log quick on msk0 proto tcp/udp from any to any port = 111 keep state
# --------------------------------------------------------------------
# Allow outbound state related packets.
pass out quick on msk0 proto tcp from any to any flags S keep state
pass out quick on msk0 proto udp from any to any keep state
# --------------------------------------------------------------------
# Allow ping and traceroute.  Since we're doing everything quick,
# we must have passes before blocks.
pass in quick on msk0 proto icmp from any to any icmp-type 0 keep state
pass in quick on msk0 proto icmp from any to any icmp-type 8 keep state
pass in quick on msk0 proto icmp from any to any icmp-type 11 keep state
pass out quick on msk0 proto icmp from any to any icmp-type 0 keep state
pass out quick on msk0 proto icmp from any to any icmp-type 8 keep state
pass out quick on msk0 proto icmp from any to any icmp-type 11 keep state
block in log quick on msk0 proto icmp from any to any
# --------------------------------------------------------------------
# Allow DNS; should this be just from nameservers?
pass in quick on msk0 proto tcp from any to any port = 53 flags S keep state
pass in quick on msk0 proto udp from any to any port = 53 keep state
# --------------------------------------------------------------------
# Allow ssh and mail from anywhere: tcpserver filters addresses
pass in quick on msk0 proto tcp from any to any port = 22 flags S keep state
pass in quick on msk0 proto tcp from any to any port = 25 flags S keep state
# --------------------------------------------------------------------
# Allow http from selected addresses.
pass in quick on msk0 proto tcp from 1.2.3.4 to any port = 80 flags S keep state
pass in quick on msk0 proto tcp from 1.2.3.5 to any port = 80 flags S keep state
# --------------------------------------------------------------------
# Allow secure http from selected addresses.
pass in quick on msk0 proto tcp from 1.2.3.4 to any port = 443 flags S keep state
pass in quick on msk0 proto tcp from 1.2.3.5 to any port = 443 flags S keep state
# --------------------------------------------------------------------
# Copyright (C) 2011
# EOF
/************************************************************/

I add

/*******************/
lpd_enable="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"
/******************/

to /etc/rc.conf. I load the kernel module:

quadcore# kldload /boot/kernel/ipl.ko

I verify it is working with

# ipf -V

quadcore# ipf -Fa -f /etc/ipf.rules

Then I cannot browse :(

quadcore# ipfstat
bad packets:            in 0    out 0
 IPv6 packets:          in 0 out 0
 input packets:         blocked 17 passed 14 nomatch 14 counted 0 short 0
output packets:         blocked 68 passed 22 nomatch 22 counted 0 short 0
 input packets logged:  blocked 0 passed 0
output packets logged:  blocked 0 passed 0
 packets logged:        input 0 output 0
 log failures:          input 0 output 0
fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 0  lost 0
packet state(out):      kept 0  lost 0
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  10      (out):  0
IN Pullups succeeded:   0       failed: 0
OUT Pullups succeeded:  0       failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      574
Packet log flags set: (0)
        none

But I have to stop the firewall (ipf -D) and run

# ifconfig msk0 up

and I can browse. My best guess is that there is a problem with ipv6 and ipv4, but I don't know how to troubleshoot this.

I had generated the script a while ago but I got errors; I did not know that the kernel module had to be loaded:

# kldload /boot/kernel/ipl.ko

and verify that it is working with

# ipf -V

I read this over at these pages:

http://manuuus.co.in/configure-ipf-firewall-in-freebsd/
http://www.pc-freak.net/handbook/firewalls-ipf.html

I know about ipfw too [thanks Polytropon, I have the simple setup you suggested, but on the school machine], and this time I tried the script, which is also very good, but I have a little problem. Is there anything I have to do, like turn on ipv6, to be able to browse? How do I check which version I have?

Thanks for advice given.

Regards,

Antonio
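As an added illustration, not code from the post, from make-ipf-rules or from IPFilter itself: a small Python model of the ipf matching semantics the ruleset above depends on (the last matching rule wins unless a matching rule says `quick`, and a packet that matches no rule is passed), run over a constructed excerpt of the generated rules. It assumes the host sits behind a home router on 192.168.0.0/16 (the post does not say where msk0 is attached); under that assumption a DNS query to the LAN resolver is dropped by the "private routable addresses" rule, which is `quick` and carries no `log` keyword, so such drops raise ipfstat's blocked counters without producing logged packets, while the same query to a public resolver is passed.

```python
import ipaddress
import re
# Constructed excerpt of the ruleset from the post (not the full file).
RULES = """
block in log on msk0 all
block out log on msk0 all
block out quick on msk0 from any to 192.168.0.0/16
block in quick on msk0 from 192.168.0.0/16 to any
block in log quick on msk0 proto tcp/udp from any to any port = 111 keep state
pass out quick on msk0 proto tcp from any to any flags S keep state
pass out quick on msk0 proto udp from any to any keep state
"""
# Subset of ipf.conf(5) syntax; trailing 'flags'/'keep state' qualifiers are ignored.
RULE_RE = re.compile(
    r"^(?P<action>pass|block) (?P<dir>in|out)(?P<log> log)?(?P<quick> quick)?"
    r" on (?P<iface>\S+)(?: proto (?P<proto>\S+))?"
    r"(?: all| from (?P<src>\S+) to (?P<dst>\S+)(?: port = (?P<port>\d+))?)")

def parse_rules(text):
    rules = []
    lines = [" ".join(ln.split("#", 1)[0].split()) for ln in text.splitlines()]
    for line in filter(None, lines):  # skip blank and comment-only lines
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        d = m.groupdict()
        d.update(text=line, log=bool(d["log"]), quick=bool(d["quick"]),
                 src=d["src"] or "any", dst=d["dst"] or "any",
                 port=int(d["port"]) if d["port"] else None)
        rules.append(d)
    return rules
def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
def _matches(r, pkt):
    # pkt: dict with dir, iface, proto, src, dst, dport ('port =' tests dport here)
    return (r["dir"] == pkt["dir"] and r["iface"] == pkt["iface"]
            and (not r["proto"] or pkt["proto"] in r["proto"].split("/"))
            and (r["port"] is None or r["port"] == pkt["dport"])
            and _addr_ok(r["src"], pkt["src"]) and _addr_ok(r["dst"], pkt["dst"]))
def decide(rules, pkt):
    """Last match wins unless a match is 'quick' (stop at once); no match passes."""
    verdict = None
    for r in rules:
        if _matches(r, pkt):
            verdict = r
            if r["quick"]:
                break
    if verdict is None:
        return ("pass", None, False)
    return (verdict["action"], verdict["text"], verdict["log"])  # (action, rule, logged?)
```

Because the model keeps no state table, an inbound reply that would in reality be admitted by `keep state` shows up here as hitting the non-quick `block in log on msk0 all` rule, which is exactly the rule whose `log` keyword you would expect to see firing in ipmon.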