Date: Thu, 1 May 2003 19:46:34 +0930
From: "Rob" <listone@deathbeforedecaf.net>
To: "Dick Hoogendijk" <dick@nagual.st>, "freebsd-questions" <freebsd-questions@freebsd.org>
Subject: Re: IPF and kernel options
Message-ID: <00ea01c30fca$be6d4b30$a4b826cb@goo>
References: <20030430135304.GA61089@pooh.nagual.st>

Yep, ipfw is the 'standard' FreeBSD firewall. There are step-by-step
instructions in the FreeBSD Handbook chapter

    file:///usr/share/doc/handbook/firewalls.html

and an overview in the firewall(7) manpage.

Here's what I put in the kernel config to enable it:

    options IPFIREWALL                      # firewall
    options IPFIREWALL_VERBOSE              # log dropped packets
    options IPFIREWALL_VERBOSE_LIMIT=5000   # limit verbosity

And in /etc/rc.conf to set the rules:

    firewall_enable="YES"
    firewall_flags="-p cpp"
    firewall_logging="YES"
    firewall_quiet="YES"
    firewall_type="/etc/firewall.conf"

Then /etc/firewall.conf contains a list of commands for ipfw(8). Since
I've put "-p cpp" in firewall_flags, it passes the file through cpp(1)
first - which lets me use #define for hostnames and stuff.

See ipfirewall(4) for more about the device, and ipfw(8) for details on
writing rules.

ipf is also supported, but I haven't used it so I can't help you there.

----- Original Message -----
From: "Dick Hoogendijk" <dick@nagual.st>
To: "freebsd-questions" <freebsd-questions@freebsd.org>
Sent: Wednesday, April 30, 2003 11:23 PM
Subject: IPF and kernel options

> Excuse me if this sounds like newbie first class..
> I run a couple of fbsd workstations, but now I want to migrate one to be
> the server of my home network.
> No big deal, but I need a firewall up-and-running. I've chosen for ipf,
> read a lot about it and set up my rules, but: looking at the kernel
> config I understand that the GENERIC has no firewall support.
>
> LINT shows me quite some "options" but I'm not quite sure which I need
> and which not. As said I don't plan using ipfw, so I guess I could leave
> out all references to "ipfirewall"? But what about mrouting, ipstealth,
> tcpdebug, icmp_bandlim, dummynet, bridge, etc..
>
> =-=-=-from LINT-=-=-=
> options MROUTING
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_FORWARD
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPV6FIREWALL
> options IPV6FIREWALL_VERBOSE
> options IPV6FIREWALL_VERBOSE_LIMIT=100
> options IPV6FIREWALL_DEFAULT_TO_ACCEPT
> options IPDIVERT
>
> options IPFILTER                #ipfilter support
> options IPFILTER_LOG            #ipfilter logging
> options IPFILTER_DEFAULT_BLOCK  #block all packets by default
> options IPSTEALTH               #support for stealth forwarding
> options TCPDEBUG
>
> options RANDOM_IP_ID
>
> # Statically link in accept filters
> options ACCEPT_FILTER_DATA
> options ACCEPT_FILTER_HTTP
>
> options ICMP_BANDLIM
>
> options DUMMYNET
> options BRIDGE
> =-=-=-=-end-=-=-=
>
> A reference to a manual I overlooked is welcome too. I'm not lazy. I
> just can't find the information needed. Maybe ipfw is the FreeBSD way of
> firewalling?
>
> --
> dick -- http://www.nagual.st/ -- PGP/GnuPG key: F86289CE
> ++ Running FreeBSD 4.8 ++ Debian GNU/Linux (Woody)
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
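
An /etc/firewall.conf of the kind the reply describes, loaded with firewall_flags="-p cpp". This is an added example, not part of either message: the interface name, addresses, macro names and rule numbers are assumptions chosen for illustration.

```conf
/* /etc/firewall.conf: constructed example for "ipfw -p cpp".
 * Comments are written C-style because cpp(1) reads a line that starts
 * with '#' followed by a word as a preprocessor directive.
 * All names and addresses below are placeholders (assumptions). */
#define OIF     fxp0            /* outside interface (hypothetical) */
#define LAN     192.0.2.0/24    /* inside network (documentation range) */
#define ADMIN   192.0.2.10      /* workstation allowed to reach sshd */
#define SERVER  192.0.2.1       /* address of this machine on the LAN */

/* Loopback traffic stays on lo0; nothing else may use 127/8. */
add 100 allow ip from any to any via lo0
add 110 deny log ip from any to 127.0.0.0/8

/* Anti-spoofing: inside addresses must not arrive on the outside. */
add 120 deny log ip from LAN to any in via OIF

/* Packets belonging to TCP connections that were already accepted. */
add 200 allow tcp from any to any established

/* New inbound connections: ssh from the admin workstation only. */
add 300 allow tcp from ADMIN to SERVER 22 setup

/* New outbound connections started from the inside network. */
add 400 allow tcp from LAN to any setup
add 410 allow udp from LAN to any keep-state

/* Log whatever is left before the kernel default rule (65535) sees it.
 * Logging needs IPFIREWALL_VERBOSE; the default rule denies unless the
 * kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT. */
add 65000 deny log ip from any to any
```

Running `cpp -P /etc/firewall.conf` prints the rules with the macros expanded, which makes it easy to review exactly what ipfw(8) will be given before the file is loaded.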