Date:      Tue, 11 Jan 2000 18:11:05 +0200
From:      Giorgos Keramidas <charon@hades.hell.gr>
To:        Martin <Martin.Zibert1@guest.arnes.si>
Cc:        freebsd-newbies@FreeBSD.ORG
Subject:   Re: not ipfw but rc.firewall
Message-ID:  <20000111181105.A64680@hades.hell.gr>
In-Reply-To: <387A39C1.3DCB82B1@guest.arnes.si>
References:  <387A39C1.3DCB82B1@guest.arnes.si>

[ message format revamped ]

On Mon, Jan 10, 2000 at 07:57:53PM +0000, Martin wrote:
> Greetings..
> 
> First I would like to thank all of you, who helped me with ppp and
> Ethernet cards - it really helped me :-) But problems come and go.. and
> one of them came to me again :-)

Problems always had a great sociality.  They never stay alone, thus
their tendency to find other things to hang out with.  One of their
favorites is humans.

> Here is the problem: I want to enable firewall on my FreeBSD box
> (3.4-RELEASE).  I recompiled my kernel and added:
>
>     options  IPFIREWALL              #firewall
>     options  IPFIREWALL_VERBOSE      #print information about
>     options  IPFILTER                #kernel ipfilter support
>     options  IPFILTER_LOG            #ipfilter logging

You don't need all of these for using ipfw.  The confusion was probably
a result of the fact that FreeBSD supports two different ways of
filtering packets.  The first one is `ipfw', which you said that you
wanted to use.  The other one is `ipfilter', a totally different thing.
The first three options you used are indeed for `ipfw'.  But, the two
last options, namely IPFILTER and IPFILTER_LOG, are for the other
firewall thing supported by FreeBSD, called `ipfilter'.

The kernel options relevant to using ipfw are:

    options IPFIREWALL         #firewall
    options IPFIREWALL_VERBOSE #print info about dropped packets
    options "IPFIREWALL_VERBOSE_LIMIT=100" #limit verbosity

other options you might want to enable for specialized uses of `ipfw'
are the following:

    options IPDIVERT           #divert sockets for ipfw
    options IPFIREWALL_FORWARD #enable transparent proxy support
    options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default

> The kernel compiled fine. But when I wanted to configure firewall I
> found out that there are 2 firewalls. One is ipfw and the other is in
> rc.firewall.

The kernel happily compiles with support for both firewall programs
enabled.  However, I have had some problems managing to set them up to
work when I added both of them to a running kernel, and it seems rather
pointless anyway.

Oh, and another thing.  The `ipfw' program is a utility that lets you
manage the list of the firewall rules.  The /etc/rc.firewall script is
a totally different thing.  The rc.firewall script is executed at
system boot, and it uses `ipfw' to set up the rules of your firewall.
Not quite the same thing :)

> If this sounds too newbie please forgive me. When I try to
> configure ipfw there are some problems.. if I type "ipfw add deny tcp
> from evil.crackers.org to nice.people.org 23" (like in example in
> handbook) it doesn't do anything..   if I do "ipfw -at l" it doesn't
> show this rule.

Without a number where the rule is going to be added ipfw will try to
add the rule after the last rule you have added to its list.  Look at
the bottom of the list.  It should be there.

> And if I reboot my box, all of the rules are flushed. Now my question
> is, what must I do, so that I'll use only rc.firewall.

You have to save these rules for rc.firewall to find them next time you
boot the system.  Leave that firewall_script line alone, and copy into
/etc/rc.conf from the file /etc/defaults/rc.conf the line that says:

    firewall_type="UNKNOWN"

Copy this line in /etc/rc.conf and change it to look like:

    firewall_type="/etc/ipfw.conf"

Then you can edit the file /etc/ipfw.conf with any text editor you like
and add the rules of your firewall there.  Other lines that you might
find handy in /etc/defaults/rc.conf are:

    firewall_enable="YES"	#enable firewall functionality
    firewall_quiet="YES"	#print nothing while setting up rules

> I even removed that ipfw things from kernel, and in rc.conf edited a
> line "firewall_script="/etc/rc.firewall"" but it doesn't work - when
> I reboot it shows a help file of ipfw - weird if you ask me :-)

Right before that help, ipfw usually prints an error message that
caused it to print it.  For instance, when I try to add a rule for a
machine whose name cannot be resolved, I get:

    # ipfw add deny ip from no.such.host.net to any
    ipfw: error: hostname ``no.such.host.net'' unknown
    usage: ipfw [options]
    ... the rest of the ipfw usage ...

If you have removed ipfw support from the kernel, you cannot use
rc.firewall for setting up the rules of your box.  The message will
probably say that your kernel does not support filtering :)

> I don't know how to tell FreeBSD where to look for firewall rule
> file.  And does anyone know, how to set rules, if you have dynamic
> IPs?

A small document that describes how I set up my home box rules when
I was first playing with ipfw can be found at:

   http://students.ceid.upatras.gr/~keramida/freebsd/ipfw.html

The above is fine if you want to set up an `open' firewall, which allows
anything and requires an explicit rule for denying certain `bad'
packets.  For a firewall that by default denies everything, selectively
allowing traffic through, look at:

    http://students.ceid.upatras.gr/~keramida/freebsd/ipfw-closed.html

> I don't know how to set that "external interface", "internal
> interface" in rc.firewall etc.

There is no "external interface" or "internal interface" string in my
rc.firewall script, and I'm using FreeBSD 3.4-STABLE.

    % grep external /etc/rc.firewall
    % grep internal /etc/rc.firewall
    %

> And another thing.. I have a box connected to net through Ethernet
> card. So the whole network uses one gateway - so if I want to connect
> a box to inet I have to set gw, where I configure Ethernet card
> (during installation - Additional network services -> interfaces).
>
> And when I have gws IPs set I just have to configure Ethernet card
> and box will be connected?

The gateway box will be connected to both networks after you set up
your rc.conf file properly and reboot.  The setup of a gateway that I
installed lately shows:

    network_interfaces="lo0 fxp0 xl0"
    ifconfig_lo0="inet 127.0.0.1"
    ifconfig_fxp0="inet 10.0.0.1 netmask 255.255.255.0"
    ifconfig_xl0="inet a.b.c.d netmask 255.255.255.0"

where a.b.c.d is the IP address of the 'external' interface.

If you want the box to act as a gateway, you need forwarding enabled
though.  Therefore, edit the following rc.conf line to enable it:

    gateway_enable="YES"

This will effectively run the next command each time you boot:

    # sysctl -w net.inet.ip.forwarding=1

which will enable forwarding of packets from one interface to the
other.  If you want to selectively forward packets, using ipfw you can
control what is allowed to `enter' an interface and what is allowed to
`leave' it.

Ciao.

-- 
Giorgos Keramidas, < keramida @ ceid . upatras . gr >
"What we have to learn to do, we learn by doing." [Aristotle]
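As an added example (not part of this mail, nor of FreeBSD's own rc scripts), a POSIX shell script that checks the two mix-ups the reply walks through: ipfilter options compiled into a kernel that is meant to run ipfw, and an rc.conf whose firewall_type names a rules file that is not actually there, which is exactly when rc.firewall ends up printing the ipfw usage at boot. The kernel configs, rc.conf and rules file it reads are constructed samples written to a temporary directory, with the rules path placed there instead of /etc so the script runs anywhere; the keyword firewall types it recognises (open, client, simple, closed, UNKNOWN) are assumed from the rc.firewall of that era.

```shell
#!/bin/sh
# Added example, not from the original mail: sanity checks for the two
# mix-ups discussed in the thread, (1) ipfilter options compiled into a
# kernel meant for ipfw and (2) an rc.conf whose firewall_type points at
# a rules file that is missing. All inputs below are constructed samples.

EXDIR=$(mktemp -d)
trap 'rm -rf "$EXDIR"' EXIT

# Constructed kernel config reproducing the question's option mix.
cat > "$EXDIR/MIXED" <<'EOF'
options  IPFIREWALL              #firewall
options  IPFIREWALL_VERBOSE      #print information about
options  IPFILTER                #kernel ipfilter support
options  IPFILTER_LOG            #ipfilter logging
EOF

# Constructed kernel config with only the ipfw options from the reply.
cat > "$EXDIR/IPFW_ONLY" <<'EOF'
options IPFIREWALL         #firewall
options IPFIREWALL_VERBOSE #print info about dropped packets
options "IPFIREWALL_VERBOSE_LIMIT=100" #limit verbosity
EOF

# Constructed rules file and rc.conf following the reply's advice; the
# rules path is under $EXDIR instead of /etc so the example runs anywhere.
cat > "$EXDIR/ipfw.conf" <<'EOF'
add 100 allow ip from any to any via lo0
add 65000 deny log ip from any to any
EOF
cat > "$EXDIR/rc.conf" <<EOF
firewall_enable="YES"	#enable firewall functionality
firewall_quiet="YES"	#print nothing while setting up rules
firewall_type="$EXDIR/ipfw.conf"
gateway_enable="YES"
EOF

# check_kernel_config FILE
#   exit 0: ipfw options present and no ipfilter options
#   exit 1: IPFILTER* options mixed in with IPFIREWALL* (the thread's mix-up)
#   exit 2: no IPFIREWALL option at all (rc.firewall cannot load rules)
check_kernel_config() {
    n_ipfw=$(grep -c '^[[:space:]]*options[[:space:]]*"\{0,1\}IPFIREWALL' "$1" || true)
    n_ipf=$(grep -c '^[[:space:]]*options[[:space:]]*IPFILTER' "$1" || true)
    [ "$n_ipfw" -gt 0 ] || return 2
    [ "$n_ipf" -eq 0 ] || return 1
    return 0
}

# rc_value FILE VAR: print VAR's value from an rc.conf-style file with the
# quotes and any trailing comment stripped; the last assignment wins, as it
# would when sh sources the file.
rc_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# check_rc_firewall FILE: print one status word for the firewall settings.
# Keyword types are the ones rc.firewall of that era accepts (assumed here);
# anything starting with / is treated as a path to a rules file.
check_rc_firewall() {
    enable=$(rc_value "$1" firewall_enable)
    type=$(rc_value "$1" firewall_type)
    if [ "$enable" != "YES" ]; then
        echo "disabled"
        return 0
    fi
    case $type in
        open|client|simple|closed|UNKNOWN) echo "builtin:$type" ;;
        /*) if [ -r "$type" ]; then echo "file:$type"; else echo "missing-file:$type"; fi ;;
        '') echo "no-type" ;;
        *) echo "unknown:$type" ;;
    esac
}

# Stand-alone run: report on the constructed files.
for k in MIXED IPFW_ONLY; do
    rc=0; check_kernel_config "$EXDIR/$k" || rc=$?
    echo "$k: kernel check status $rc (0 ok, 1 ipfilter mixed in, 2 no ipfw)"
done
echo "rc.conf firewall: $(check_rc_firewall "$EXDIR/rc.conf")"
echo "rc.conf gateway_enable: $(rc_value "$EXDIR/rc.conf" gateway_enable)"
```

To use it against a real box, point check_kernel_config at the kernel config file and check_rc_firewall at /etc/rc.conf; a "missing-file" result is the case to fix before rebooting, since rc.firewall will otherwise hand ipfw a path it cannot read.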

