How to build firewall support in to your kernel.
Posted by Mike C. on 11 September 2009 11:51 PM
First of all, I want to tell you that the best way to start is to build a "default to accept" kernel. This means that your kernel will accept EVERYTHING by default. That helps when you are adding a firewall to a server you don't have console access to: nothing is blocked until you add rules, and we can make the firewall deny everything by manually adding a rule right below the allow-all rule at 65535.

First add these options in your Kernel:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5   # this option takes a number; 5 is an example value
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET
options IPDIVERT
options IPV6FIREWALL                 # ip6fw options; releases whose ipfw handles IPv6 itself do not need these four
options IPV6FIREWALL_VERBOSE
options IPV6FIREWALL_VERBOSE_LIMIT=5
options IPV6FIREWALL_DEFAULT_TO_ACCEPT

You also might want to put IPFW2=TRUE in /etc/make.conf.

Rebuild your kernel and world, or just the kernel, with the new options. Then you can work on making a ruleset that you feel comfortable with. I would make a suggestion here, but if you need my suggestion chances are you don't know what you are doing. If this is the case I suggest you start reading heavily for a day or two to learn how IPFW works. It's a very powerful tool and can easily lock you out of your server. DO NOT, UNDER ANY CIRCUMSTANCE, START YOUR FIREWALL RULES ON BOOT. Do not add anything to rc.conf; do everything through a completely separate file. You will add your rules like this:

ipfw add 100 deny ip from 192.168.1.1 to any in
ipfw add 101 deny ip from 10.0.0.0/8 to any in

and so on. This way you can chmod +x FILENAME and run the file at any time. Do not simply make a ruleset that you THINK will work and run it. Just be very careful. At a minimum you want to allow the SSH port and the IP you connect from, both in and out. To make the ruleset work as a "default to deny" ruleset you simply have to add:

ipfw add 65534 deny ip from any to any

at the end of your ruleset. Make sure, at the VERY LEAST, that you allow everything you need to reach the server over SSH. You also need to make sure that your server can talk back and forth to its DNS server.
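As an added example (not part of the original article), here is the kind of stand-alone script the text describes: it allows SSH from one admin address and DNS to one resolver, closes with the 65534 deny-all rule, and refuses to load unless the SSH allow and the final deny are both present. ADMIN_IP, DNS_IP and the rule numbers are constructed placeholders; setting IPFW=echo prints the commands instead of running ipfw.

```shell
#!/bin/sh
# Added example, not from the original article: a hand-run ruleset script
# (never started from rc.conf) for a default-to-accept kernel. It permits
# SSH from one admin address and DNS to one resolver, then denies the rest.
# ADMIN_IP, DNS_IP and the rule numbers are constructed placeholders.
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # address you SSH in from
DNS_IP="${DNS_IP:-203.0.113.53}"       # your resolver

# Wrapper so IPFW=echo gives a dry run that only prints the commands.
run_ipfw() { "${IPFW:-ipfw}" "$@"; }

# The ruleset, one "ipfw add" argument list per line, in rule-number order.
rules() {
cat <<EOF
100 allow ip from any to any via lo0
200 deny ip from any to 127.0.0.0/8
300 deny ip from 127.0.0.0/8 to any
500 check-state
1000 allow tcp from $ADMIN_IP to me 22 in setup keep-state
2000 allow udp from me to $DNS_IP 53 out keep-state
2100 allow tcp from me to $DNS_IP 53 out setup keep-state
65534 deny ip from any to any
EOF
}

# Lockout guard: an inbound SSH allow must exist and the deny-all must be
# the last rule, otherwise refuse to touch the running firewall.
check_rules() {
    rules | grep -q ' to me 22 in ' || return 1
    [ "$(rules | tail -n 1)" = "65534 deny ip from any to any" ] || return 1
}

# Flush the running set and load the rules in order. On a default-to-accept
# kernel the moment after the flush still passes traffic, which is why the
# article wants the kernel built that way.
apply_rules() {
    check_rules || { echo "refusing: no SSH allow or no final deny" >&2; return 1; }
    run_ipfw -q flush
    rules | while read -r line; do
        run_ipfw add $line
    done
}
```

Run it as root once you have reviewed the printed dry run; the guard catches a missing SSH rule but not a wrong ADMIN_IP, so double-check that address first.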