Date:      Wed, 21 Feb 2018 00:20:41 +1100
From:      Ian Smith <smithi@nimnet.asn.au>
To:        starikarp@yandex.com
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipfw firewall
Message-ID:  <5A8C20A9.3080809@nimnet.asn.au>
In-Reply-To: <1518905856.89579.1.camel@yandex.com>
References:  <1518905856.89579.1.camel@yandex.com>

On Sat Feb 17 22:17:44 UTC 2018 starikarp@yandex.com wrote:

(I'm not currently subscribed; quoting here pasted from the archives)

  > I am using FreeBSD 11.1-RELEASE (amd64), single desktop computer. I try
  > to setup a IPFW firewall and I am confused about logging settings.
  > In /etc/rc.conf I have:
  > firewall_enable="YES"
  > firewall_quiet="YES"
  > firewall_type="workstation"
  > firewall_logdeny="YES"
  > firewall_logging="YES"

That looks correct and sufficient.

  > When I start computer I got about firewall:
  > ipfw2 (+ipv6) initialized, divert loadable, nat loadable, default to
  > deny, logging disable[d]

That's right. Logging is disabled when the module is first loaded (and that
message is logged in /var/log/messages), then enabled after initialisation if
firewall_logging is set to YES; see /etc/rc.d/ipfw.

Contrary to (much) older versions of FreeBSD and so the out-of-date Handbook
section on ipfw, there's no need to change any kernel configuration for ipfw
these days; all modules (ipfw and ipfw_nat and dummynet if used) are loaded, 
and all options may be set by sysctls, see below.

  > In /var/log/security is: newsyslog[28503]: logfile first created

Ok. If that's all, then no packets have been denied and logged. If you look
at the workstation section in /etc/rc.firewall you'll see that only packets
that were not passed or denied by all earlier rules are denied as the
second last rule - you can confirm that with '# ipfw list' as being:

   65nnn deny log logamount 500 ip from any to any

  > How should I know if firewall works? I had to use pf firewall and I had
  > so many logs related to "igmp query v3".

There are various other non-logged deny rules in rc.firewall workstation,
two of which are:

	# Broadcasts and multicasts
	${fwcmd} add deny ip from any to 255.255.255.255
	${fwcmd} add deny ip from any to 224.0.0.0/24 in # XXX

I suspect IGMP might use 224.0.0.0/24 and so would be silently denied. 
'workstation' is quite permissive as to what you're allowed to do, and quite 
strict about denying any would-be connections from the outside - unless you 
specifically enable firewall_myservices and firewall_allowservices.

What I do is copy rc.firewall to (say) rc.myfirewall then make modifications
to that - to avoid system upgrades losing them - and have in /etc/rc.conf:

   firewall_script="/etc/rc.myfirewall" # Which script to run to set up the firewall

If you like, you could then add 'log' to any {pass,deny,count,skipto,nat,..} 
rule/s you want logged, for testing or otherwise.

But the easy way to check your firewall is working as desired is to list the
ruleset, including timestamps and all dynamic rules, with:

   # ipfw -ted show

As Polytropon suggested you can use tcpdump or wireshark etc to watch.

And you can see all the kernel settings for ipfw with:

   # sysctl net.inet.ip.fw

  > Thank you.

My pleasure.  Familiarise yourself with ipfw(8) (man ipfw) and prosper.

cheers, Ian
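The checks the reply recommends, as an added example that is not part of the original message and not FreeBSD's own rc scripts: a small POSIX sh helper that summarises the "Deny" entries ipfw writes to /var/log/security once firewall_logging="YES" has set net.inet.ip.fw.verbose=1, and that checks an rc.conf for the two knobs that must be YES before anything is logged at all. The log lines and the rc.conf fragment are constructed for illustration, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original message): summarise ipfw(8) deny
# logging and check rc.conf knobs. Function names are hypothetical helpers.
#
# With net.inet.ip.fw.verbose=1 (what firewall_logging="YES" sets) the
# kernel logs matched 'log' rules through syslogd as lines of the form
#   ipfw: <rule> <action> <proto> <src>[:port] <dst>[:port] <in|out> via <ifname>
# Protocols other than TCP/UDP/ICMP are printed as P:<number>, so IGMP
# (protocol 2) shows up as "P:2". syslog.conf sends these to /var/log/security.

# Constructed sample of /var/log/security (not real traffic).
SAMPLE_LOG='Feb 17 22:17:44 desk kernel: ipfw: 65534 Deny TCP 203.0.113.7:51234 192.168.1.10:22 in via em0
Feb 17 22:17:45 desk kernel: ipfw: 65534 Deny UDP 203.0.113.7:1900 192.168.1.10:1900 in via em0
Feb 17 22:18:01 desk kernel: ipfw: 65534 Deny TCP 203.0.113.7:51235 192.168.1.10:22 in via em0
Feb 17 22:18:10 desk kernel: ipfw: 300 Deny P:2 192.168.1.1 224.0.0.1 in via em0
Feb 17 22:18:12 desk kernel: ipfw: 100 Accept TCP 192.168.1.10:44321 198.51.100.3:443 out via em0
Feb 17 22:19:00 desk newsyslog[28503]: logfile first created'

# Constructed rc.conf fragment with firewall_logging commented out.
SAMPLE_RCCONF='firewall_enable="YES"
firewall_quiet="YES"
firewall_type="workstation"
firewall_logdeny="YES"
# firewall_logging="YES"'

# Read log lines on stdin; print "<count> <rule>" for every rule that
# logged a Deny, most frequent first, so you can see which rule is firing.
ipfw_denies_by_rule() {
    awk '/ kernel: ipfw: [0-9]+ Deny /{
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            n[$(i + 1)]++
         }
         END { for (r in n) print n[r], r }' | sort -k1,1nr -k2,2n
}

# Read log lines on stdin; print "<count> <src> -> <dst>[:dport] <proto>"
# for inbound denies only. The source port is dropped before grouping
# because it is ephemeral and would split one scanner across many lines.
ipfw_inbound_denies_by_peer() {
    awk '/ kernel: ipfw: [0-9]+ Deny /{
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            proto = $(i + 3); src = $(i + 4); dst = $(i + 5); dir = $(i + 6)
            if (dir != "in") next
            sub(/:[0-9]+$/, "", src)
            n[src " -> " dst " " proto]++
         }
         END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Read rc.conf text on stdin; print the name of each knob that must be
# YES for deny logging to happen but is not (case-insensitive, as
# rc.subr's checkyesno treats it). Prints nothing when both are set.
ipfw_rcconf_missing() {
    awk -F= '
        /^[ \t]*#/ || !/=/ { next }
        {   key = $1; val = $2
            gsub(/[ \t]/, "", key)
            sub(/#.*/, "", val); gsub(/[ \t"]/, "", val)
            v[key] = toupper(val) }
        END {
            n = split("firewall_enable firewall_logging", want, " ")
            for (i = 1; i <= n; i++) if (v[want[i]] != "YES") print want[i]
        }'
}

# Stand-alone demo on the constructed data.
printf '%s\n' "$SAMPLE_LOG" | ipfw_denies_by_rule
printf '%s\n' "$SAMPLE_LOG" | ipfw_inbound_denies_by_peer
printf '%s\n' "$SAMPLE_RCCONF" | ipfw_rcconf_missing
```

On a real box you would feed it the live file, e.g. `ipfw_denies_by_rule < /var/log/security`. One caveat worth knowing when the counts stop growing: a rule with `logamount 500` (the default comes from net.inet.ip.fw.verbose_limit) logs at most that many packets and then goes quiet until `ipfw resetlog` clears its counter, so an empty or static log does not by itself prove nothing is being denied; `ipfw -ted show` still counts the packets.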
