Date: Wed, 21 Feb 2018 00:20:41 +1100 From: Ian Smith <smithi@nimnet.asn.au> To: starikarp@yandex.com Cc: freebsd-questions@freebsd.org Subject: Re: ipfw firewall Message-ID: <5A8C20A9.3080809@nimnet.asn.au> In-Reply-To: <1518905856.89579.1.camel@yandex.com> References: <1518905856.89579.1.camel@yandex.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat Feb 17 22:17:44 UTC 2018 starikarp@yandex.com wrote: (I'm not currently subscribed; quoting here pasted from the archives) > I am using FreeBSD 11.1-RELEASE (amd64), single desktop computer. I try > to setup a IPFW firewall and I am confused about logging settings. > In /etc/rc.conf I have: > firewall_enable="YES" > firewall_quiet="YES" > firewall_type="workstation" > firewall_logdeny="YES" > firewall_logging="YES" That looks correct and sufficient. > When I start computer I got about firewall: > ipfw2 (+ipv6) initialized, divert loadable, nat loadable, default to > deny, logging disable[d] That's right. Logging is disabled when the module is first loaded and logged in /var/log/messages, then enabled after initialisation if firewall_logging is set to YES; see /etc/rc.d/ipfw Contrary to (much) older versions of FreeBSD and so the out-of-date Handbook section on ipfw, there's no need to change any kernel configuration for ipfw these days; all modules (ipfw and ipfw_nat and dummynet if used) are loaded, and all options may be set by sysctls, see below. > In /var/log/security is: newsyslog[28503]: logfile first created Ok. If that's all, then no packets have been denied and logged. If you look at the workstation section in /etc/rc.firewall you'll see that only packets that were not passed or denied by all earlier rules are denied as the second last rule - you can confirm that with '# ipfw list' as being: 65nnn deny log logamount 500 ip from any to any > How should I know if firewall works? I had to use pf firewall and I had > so many logs related to "igmp query v3". There are various other non-logged deny rules in rc.firewall workstation, two of which are: # Broadcasts and multicasts ${fwcmd} add deny ip from any to 255.255.255.255 ${fwcmd} add deny ip from any to 224.0.0.0/24 in # XXX I suspect IGMP might use 224.0.0.0/24 and so would be silently denied. 'workstation' is quite permissive as to what you're allowed to do, and quite strict about denying any would-be connections from the outside - unless you specifically enable firewall_myservices and firewall_allowservices. What I do is copy rc.firewall to (say) rc.myfirewall then make modifications to that - to avoid system upgrades losing them - and have in /etc/rc.conf: firewall_script="/etc/rc.myfirewall" # Which script to run to set up the firewall If you like, you could then add 'log' to any {pass,deny.count,skipto,nat..} rule/s you want logged, for testing or otherwise. But the easy way to check your firewall is working as desired is to list the ruleset, including timestamps and all dynamic rules, with: # ipfw -ted show As Polytropon suggested you can use tcpdump or wireshark etc to watch. And you can see all the kernel settings for ipfw with: # sysctl net.inet.ip.fw > Thank you. My pleasure. Familiarise yourself with ipfw(8) (man ipfw) and prosper. cheers, Ian
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5A8C20A9.3080809>