From: "Rob"
To: "Dick Hoogendijk", "freebsd-questions"
Subject: Re: IPF and kernel options
Date: Thu, 1 May 2003 19:46:34 +0930
Message-ID: <00ea01c30fca$be6d4b30$a4b826cb@goo>
References: <20030430135304.GA61089@pooh.nagual.st>

Yep, ipfw is the 'standard' FreeBSD firewall. There are step-by-step
instructions in the FreeBSD Handbook chapter

    file:///usr/share/doc/handbook/firewalls.html

and an overview in the firewall(7) manpage.

Here's what I put in the kernel config to enable it:

    options IPFIREWALL                      # firewall
    options IPFIREWALL_VERBOSE              # log dropped packets
    options IPFIREWALL_VERBOSE_LIMIT=5000   # limit verbosity

And in /etc/rc.conf to set the rules:

    firewall_enable="YES"
    firewall_flags="-p cpp"
    firewall_logging="YES"
    firewall_quiet="YES"
    firewall_type="/etc/firewall.conf"

Then /etc/firewall.conf contains a list of commands for ipfw(8).
Since I've put "-p cpp" in firewall_flags, it passes the file through
cpp(1) first - which lets me use #define for hostnames and stuff.

See ipfirewall(4) for more about the device, and ipfw(8) for details on
writing rules.

ipf is also supported, but I haven't used it so I can't help you there.

----- Original Message -----
From: "Dick Hoogendijk"
To: "freebsd-questions"
Sent: Wednesday, April 30, 2003 11:23 PM
Subject: IPF and kernel options

> Excuse me if this sounds like newbie first class..
> I run a couple of fbsd workstations, but now I want to migrate one to be
> the server of my home network.
> No big deal, but I need a firewall up-and-running. I've chosen for ipf,
> read a lot about it and set up my rules, but: looking at the kernel
> config I understand that the GENERIC has no firewall support.
>
> LINT shows me quite some "options" but I'm not quite sure which I need
> and which not. As said I don't plan using ipfw, so I guess I could leave
> out all references to "ipfirewall"? But what about mrouting, ipstealth,
> tcpdebug, icmp_bandlim, dummynet, bridge, etc..
>
> =-=-=-from LINT-=-=-=
> options MROUTING
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_FORWARD
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPV6FIREWALL
> options IPV6FIREWALL_VERBOSE
> options IPV6FIREWALL_VERBOSE_LIMIT=100
> options IPV6FIREWALL_DEFAULT_TO_ACCEPT
> options IPDIVERT
>
> options IPFILTER                  #ipfilter support
> options IPFILTER_LOG              #ipfilter logging
> options IPFILTER_DEFAULT_BLOCK    #block all packets by default
> options IPSTEALTH                 #support for stealth forwarding
> options TCPDEBUG
>
> options RANDOM_IP_ID
>
> # Statically link in accept filters
> options ACCEPT_FILTER_DATA
> options ACCEPT_FILTER_HTTP
>
> options ICMP_BANDLIM
>
> options DUMMYNET
> options BRIDGE
> =-=-=-=-end-=-=-=
>
> A reference to a manual I overlooked is welcome too. I'm not lazy. I
> just can't find the information needed.
> Maybe ipfw is the FreeBSD way of firewalling?
>
> --
> dick -- http://www.nagual.st/ -- PGP/GnuPG key: F86289CE
> ++ Running FreeBSD 4.8 ++ Debian GNU/Linux (Woody)