Date: Sun, 2 Feb 2003 10:52:20 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw firewall questions
Message-ID: <20030202105220.GA93010@happy-idiot-talk.infracaninophi>
In-Reply-To: <200302021150.52576.petre@kgb.ro>
References: <200302021150.52576.petre@kgb.ro>
On Sun, Feb 02, 2003 at 11:50:52AM +0200, Petre Bandac wrote:
> hello
>
> I'm about to "compose" my first ipfw firewall - and, since I have worked quite
> a lot with iptables, I'm interested in a few minor similarities:
>
> 1 - the firewall is called by rc.conf ? or can I call it at boot time via
> whatever *.sh placed in the right place
A typical setup is that the /etc/rc.firewall script sets up
firewalling for IPv4, possibly with /etc/rc.firewall6 doing the
equivalent for IPv6. The rc.firewall script contains options to load
various pre-canned ipfw(8) rulesets, or you can load a custom ipfw(8)
ruleset through it.
The rc.firewall{,6} script behaviours are controlled by setting
variables in /etc/rc.conf. Default values (from
/etc/defaults/rc.conf) are:
% grep firewall /etc/defaults/rc.conf
### Basic network and firewall/security options: ###
firewall_enable="NO" # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO" # Set to YES to suppress rule display
firewall_logging="NO" # Set to YES to enable events logging
firewall_flags="" # Flags passed to ipfw when type is a file
natd_enable="NO" # Enable natd (if firewall_enable == YES).
ipv6_firewall_enable="NO" # Set to YES to enable IPv6 firewall
ipv6_firewall_script="/etc/rc.firewall6" # Which script to run to set up the IPv6 firewall
ipv6_firewall_type="UNKNOWN" # IPv6 Firewall type (see /etc/rc.firewall6)
ipv6_firewall_quiet="NO" # Set to YES to suppress rule display
ipv6_firewall_logging="NO" # Set to YES to enable events logging
ipv6_firewall_flags="" # Flags passed to ip6fw when type is a file
Although setting 'firewall_enable' to 'yes' will work with a standard
system, by causing the ipfw.ko module to be loaded into a GENERIC
kernel, check /usr/src/sys/i386/conf/LINT (FreeBSD 4.x) or
/usr/src/sys/conf/NOTES (FreeBSD 5.0) for some extra functionality you
can enable by building yourself a custom kernel.
Alternatively you can use ipf(8) which is a second firewall flavour
but with much the same functionality. If you aren't doing anything
tricky like traffic shaping or QoS, which one you choose is mostly a
matter of taste:
% grep ipf defaults/rc.conf
firewall_flags="" # Flags passed to ipfw when type is a file
ipfilter_enable="NO" # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf" # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
# /usr/src/contrib/ipfilter/rules for examples
ipfilter_flags="" # additional flags for ipfilter
ipmon_enable="NO" # Set to YES for ipmon; needs ipfilter or ipnat
ipmon_program="/sbin/ipmon" # where the ipfilter monitor program lives
ipmon_flags="-Ds" # typically "-Ds" or "-D /var/log/ipflog"
ipfs_enable="NO" # Set to YES to enable saving and restoring
ipfs_program="/sbin/ipfs" # where the ipfs program lives
ipfs_flags="" # additional flags for ipfs
ipv6_ipfilter_rules="/etc/ipf6.rules" # rules definition file for ipfilter,
# see /usr/src/contrib/ipfilter/rules
The ipf(8) firewalling is started out of /etc/rc.network --- it's
possible and sometimes useful to run ipfw(8) and ipf(8)
simultaneously.
Finally, you can write your own script and call it in place of
rc.firewall by setting the 'firewall_script' variable. This method is
generally used to run a skeleton firewall ruleset through a
preprocessor to substitute in local interface addresses etc.
> 2 - the firewall can be an executable bash script (i.e. like a regular linux
> firewall, with variables like myIP="192.168.0.0") ?
Basically, yes. However bash is not supplied with the FreeBSD system
--- you can install it as /usr/local/bin/bash from ports, or
(preferably) use the system supplied /bin/sh for writing startup
scripts. /bin/sh is a POSIX compliant Bourne Shell with broadly
equivalent *programming* capabilities to bash (/bin/sh doesn't have
the same sort of support for interactive use though). Syntax is very
similar to bash with a few significant differences to keep you on your
toes.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
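An added example, not part of Matthew's reply and not FreeBSD's own /etc/rc.firewall: a custom firewall_script of the kind described above, written for /bin/sh rather than bash, that substitutes the outside interface's current address into a skeleton ruleset before loading it. The script path /usr/local/etc/ipfw.sh, the interface name fxp0 and the placeholder address 192.0.2.10 are assumptions; gen_rules prints the ruleset, load_rules flushes and loads it with ipfw(8), and setting fwcmd=echo dry-runs the whole thing on any POSIX sh.

```shell
#!/bin/sh
#
# Custom ipfw ruleset to be used as the firewall_script in /etc/rc.conf
# (hypothetical path, not from the original post):
#
#   firewall_enable="YES"
#   firewall_script="/usr/local/etc/ipfw.sh"
#
# Written for FreeBSD's /bin/sh: POSIX syntax only ($(...), [ ], no arrays,
# no [[ ]], no "function" keyword), so it also runs under bash or dash.
# ipfw evaluates rules in ascending number order; the first match wins.

fwcmd="${fwcmd:-/sbin/ipfw}"   # set fwcmd=echo to dry-run the script
oif="${oif:-fxp0}"             # outside interface (assumed name)

# Print the first IPv4 address of interface $1 as reported by ifconfig(8);
# prints nothing and returns non-zero if it has none.
iface_addr() {
    ifconfig "$1" 2>/dev/null | awk '/inet /{print $2; exit}' | grep .
}

# Print the ruleset, one "ipfw add" argument list per line.
# $1 = outside interface, $2 = its IPv4 address.
#   00100-00300  loopback allowed, loopback addresses never on the wire
#   01000        anti-spoof: our own address must not arrive from outside
#   02000-02200  stateful: ssh in, everything the host itself sends out
#   02300        ICMP echo reply/unreachable/echo request/ttl exceeded
#   03000        log refused inbound TCP connection attempts
#   65000        explicit final deny, so behaviour does not depend on
#                whether the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT
gen_rules() {
    _oif="$1"; _oip="$2"
    cat <<EOF
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
add 01000 deny ip from ${_oip} to any in via ${_oif}
add 02000 check-state
add 02100 allow tcp from any to ${_oip} 22 in via ${_oif} setup keep-state
add 02200 allow ip from ${_oip} to any out via ${_oif} keep-state
add 02300 allow icmp from any to any icmptypes 0,3,8,11
add 03000 deny log tcp from any to any in via ${_oif} setup
add 65000 deny log ip from any to any
EOF
}

# Substitute the interface's live address into the skeleton (the
# "preprocessor" approach mentioned above), flush, then load the rules.
# Refuses to load if no address is found rather than loading a ruleset
# with an empty address field.
load_rules() {
    _addr="${oip:-$(iface_addr "$oif")}"
    if [ -z "$_addr" ]; then
        echo "ipfw.sh: no IPv4 address on $oif, refusing to load" >&2
        return 1
    fi
    ${fwcmd} -f flush
    gen_rules "$oif" "$_addr" | while read -r _rule; do
        ${fwcmd} -q ${_rule}    # unquoted on purpose: split into arguments
    done
}

# Load for real only as root on a system that has ipfw; otherwise just
# show what would be loaded.
if [ "$fwcmd" = /sbin/ipfw ] && [ -x /sbin/ipfw ] && [ "$(id -u)" = 0 ]; then
    load_rules
else
    gen_rules "$oif" "${oip:-192.0.2.10}"   # 192.0.2.10 is a placeholder
fi
```

Run it as `oif=em0 fwcmd=echo sh ipfw.sh` to see the exact ipfw(8) invocations without touching the running firewall; once firewall_script points at it, rc.network runs it at boot with the real /sbin/ipfw.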