Date: Sun, 2 Feb 2003 10:52:20 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw firewall questions
Message-ID: <20030202105220.GA93010@happy-idiot-talk.infracaninophi>
In-Reply-To: <200302021150.52576.petre@kgb.ro>
References: <200302021150.52576.petre@kgb.ro>
On Sun, Feb 02, 2003 at 11:50:52AM +0200, Petre Bandac wrote:
> hello
>
> I'm about to "compose" my first ipfw firewall - and, since I have worked quite
> a lot with iptables, I'm interested in a few minor similarities:
>
> 1 - the firewall is called by rc.conf ? or can I call it at boot time via
> whatever *.sh placed in the right place

A typical setup is that the /etc/rc.firewall script sets up firewalling
for IPv4, possibly with /etc/rc.firewall6 doing the equivalent for IPv6.
The rc.firewall script contains options to load various pre-canned
ipfw(8) rulesets, or you can load a custom ipfw(8) ruleset through it.
The rc.firewall{,6} script behaviours are controlled by setting
variables in /etc/rc.conf. Default values (from /etc/defaults/rc.conf)
are:

    % grep firewall /etc/defaults/rc.conf
    ### Basic network and firewall/security options: ###
    firewall_enable="NO"            # Set to YES to enable firewall functionality
    firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
    firewall_type="UNKNOWN"         # Firewall type (see /etc/rc.firewall)
    firewall_quiet="NO"             # Set to YES to suppress rule display
    firewall_logging="NO"           # Set to YES to enable events logging
    firewall_flags=""               # Flags passed to ipfw when type is a file
    natd_enable="NO"                # Enable natd (if firewall_enable == YES).
    ipv6_firewall_enable="NO"       # Set to YES to enable IPv6 firewall
    ipv6_firewall_script="/etc/rc.firewall6" # Which script to run to set up the IPv6 firewall
    ipv6_firewall_type="UNKNOWN"    # IPv6 Firewall type (see /etc/rc.firewall6)
    ipv6_firewall_quiet="NO"        # Set to YES to suppress rule display
    ipv6_firewall_logging="NO"      # Set to YES to enable events logging
    ipv6_firewall_flags=""          # Flags passed to ip6fw when type is a file

Although setting 'firewall_enable' to 'yes' will work with a standard
system, by causing the ipfw.ko module to be loaded into a GENERIC
kernel, check /usr/src/sys/i386/conf/LINT (FreeBSD 4.x) or
/usr/src/sys/conf/NOTES (FreeBSD 5.0) for some extra functionality you
can enable by building yourself a custom kernel.

Alternatively you can use ipf(8) which is a second firewall flavour but
with much the same functionality. If you aren't doing anything tricky
like traffic shaping or QoS, which one you choose is mostly a matter of
taste:

    % grep ipf defaults/rc.conf
    firewall_flags=""               # Flags passed to ipfw when type is a file
    ipfilter_enable="NO"            # Set to YES to enable ipfilter functionality
    ipfilter_program="/sbin/ipf"    # where the ipfilter program lives
    ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
                                    # /usr/src/contrib/ipfilter/rules for examples
    ipfilter_flags=""               # additional flags for ipfilter
    ipmon_enable="NO"               # Set to YES for ipmon; needs ipfilter or ipnat
    ipmon_program="/sbin/ipmon"     # where the ipfilter monitor program lives
    ipmon_flags="-Ds"               # typically "-Ds" or "-D /var/log/ipflog"
    ipfs_enable="NO"                # Set to YES to enable saving and restoring
    ipfs_program="/sbin/ipfs"       # where the ipfs program lives
    ipfs_flags=""                   # additional flags for ipfs
    ipv6_ipfilter_rules="/etc/ipf6.rules" # rules definition file for ipfilter,
                                    # see /usr/src/contrib/ipfilter/rules

The ipf(8) firewalling is started out of /etc/rc.network --- it's
possible and sometimes useful to run ipfw(8) and ipf(8) simultaneously.

Finally, you can write your own script and call it in place of
rc.firewall by setting the 'firewall_script' variable. This method is
generally used to run a skeleton firewall ruleset through a
preprocessor to substitute in local interface addresses etc.

> 2 - the firewall can be an executable bash script (i.e. like a regular linux
> firewall, with variables like myIP="192.168.0.0") ?

Basically, yes. However bash is not supplied with the FreeBSD system
--- you can install it as /usr/local/bin/bash from ports, or
(preferably) use the system supplied /bin/sh for writing startup
scripts. /bin/sh is a POSIX compliant Bourne Shell with broadly
equivalent *programming* capabilities to bash (/bin/sh doesn't have the
same sort of support for interactive use though). Syntax is very
similar to bash with a few significant differences to keep you on your
toes.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
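The custom 'firewall_script' approach described in the reply above, shown as an added example rather than anything from the original message or from FreeBSD's own rc.firewall. It is written for the system /bin/sh (plain `[ ]` tests, `$(...)`, no arrays or `[[ ]]`), builds an ipfw(8) ruleset from a handful of variables, and defaults to printing the rules instead of loading them so the policy can be reviewed offline. The interface name, addresses and rule numbers are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example of a custom firewall_script for /etc/rc.conf, written for
# FreeBSD's POSIX /bin/sh rather than bash. All interface names, addresses
# and rule numbers below are constructed placeholders for illustration.

# Review mode by default: rules are printed, not loaded. Set FW_DRYRUN=0
# (as root, on a host with ipfw loaded) to actually call ipfw(8).
: "${FW_DRYRUN:=1}"
: "${FWCMD:=/sbin/ipfw}"

oif="fxp0"                 # outside interface (placeholder)
inet="192.168.0.0/24"      # inside network (placeholder)
myip="192.168.0.1"         # this host's inside address (placeholder)

# fw: run one ipfw command, or print it verbatim in dry-run mode.
# POSIX sh has no arrays, so each rule is passed as plain words.
fw() {
    if [ "$FW_DRYRUN" = "1" ]; then
        printf '%s %s\n' "$FWCMD" "$*"
    else
        "$FWCMD" "$@"
    fi
}

# build_rules emits the whole ruleset. Numbers leave gaps for later
# additions. An IPFIREWALL kernel already denies by default, but rule
# 65000 states the policy explicitly so it is visible in 'ipfw list'.
build_rules() {
    fw -q flush
    # loopback: allow real loopback traffic, drop spoofed 127/8 elsewhere
    fw add 100 allow ip from any to any via lo0
    fw add 200 deny ip from any to 127.0.0.0/8
    fw add 300 deny ip from 127.0.0.0/8 to any
    # anti-spoofing: inside addresses must never arrive on the outside interface
    fw add 400 deny log ip from "$inet" to any in recv "$oif"
    # stateful section: established flows and locally originated connections
    fw add 500 check-state
    fw add 600 allow tcp from any to any established
    fw add 700 allow ip from "$myip" to any out keep-state
    # inbound administration: only ssh to this host, connection setup only
    fw add 800 allow tcp from any to "$myip" 22 in setup keep-state
    # useful ICMP: echo reply/request, destination unreachable, time exceeded
    fw add 900 allow icmp from any to any icmptypes 0,3,8,11
    # explicit default deny, logged, so dropped traffic shows up in syslog
    fw add 65000 deny log ip from any to any
}

# count_rules returns how many 'add' rules the script would load; a cheap
# consistency check to run before pointing firewall_script at this file.
count_rules() {
    ( FW_DRYRUN=1; build_rules ) | grep -c ' add '
}

# list_rules prints the generated ruleset without touching the kernel.
list_rules() {
    ( FW_DRYRUN=1; build_rules )
}

build_rules
```

To use it for real, copy the file somewhere such as /etc/rc.firewall.local, set `firewall_enable="YES"` and `firewall_script="/etc/rc.firewall.local"` in /etc/rc.conf, and invoke it with `FW_DRYRUN=0`. Running it without that variable on any machine with a POSIX shell prints the rules, which is the review step the reply recommends by implication when it talks about substituting local addresses into a skeleton ruleset.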