How to build firewall support in to your kernel.
Posted by Mike C. on 11 September 2009 11:51 PM
First of all, the best way to start is to build a "default to accept" kernel. This means that your kernel will accept EVERYTHING by default. That matters when you are adding a firewall to a server you don't have console access to: we can make the firewall deny everything later by manually adding a rule right below the built-in allow-all rule at 65535.

First add these options to your kernel configuration:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET
options IPDIVERT
options IPV6FIREWALL
options IPV6FIREWALL_VERBOSE
options IPV6FIREWALL_VERBOSE_LIMIT
options IPV6FIREWALL_DEFAULT_TO_ACCEPT

(The two VERBOSE_LIMIT options take a numeric value, the maximum number of log entries per rule, so they are written as options NAME=N in the config file.) You also might want to put IPFW2=TRUE in /etc/make.conf. Rebuild your kernel and world, or just the kernel, with the new options.

Then you can work on making a ruleset that you feel comfortable with. I would make a suggestion here, but if you need my suggestion, chances are you don't know what you are doing. If this is the case, I suggest you start reading heavily for a day or two to learn how IPFW works. It's a very powerful tool and can easily lock you out of your server.

DO NOT, UNDER ANY CIRCUMSTANCE, START YOUR FIREWALL RULES ON BOOT. Do not add anything to rc.conf; do everything through a completely separate file. You will add your rules like this:

ipfw add 100 deny ip from 192.168.1.1 to any in
ipfw add 101 deny ip from 10.0.0.0/8 to any in

and so on. This way you can chmod +x FILENAME and run the file at any time. Do not simply make a ruleset that you THINK will work and run it. Just be very careful. You want to allow the SSH port and your IP in and out. To make the ruleset work as a "default to deny" ruleset, you simply have to add:

ipfw add 65534 deny ip from any to any

at the end of your ruleset. Make sure that you allow everything you need to access the server over SSH at the VERY LEAST.
You need to make sure that your server can talk back and forth to the DNS server as well.
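The separate rule file the article describes, as an added example (not the author's own script): it assumes placeholder addresses for the management host you SSH in from and for the DNS server, and it refuses to load anything unless the SSH allow sits before the closing 65534 deny.

```shell
#!/bin/sh
# Added example, not code from the original article: a stand-alone IPFW rule
# file of the kind the article describes. Run it by hand (chmod +x, then
# ./FILENAME apply), never from rc.conf. The addresses are constructed
# placeholders; set MGMT_HOST and DNS_SERVER in the environment to override.
MGMT_HOST="${MGMT_HOST:-203.0.113.10}"     # assumed: the address you SSH in from
DNS_SERVER="${DNS_SERVER:-198.51.100.53}"  # assumed: the resolver in /etc/resolv.conf
IPFW="${IPFW:-ipfw}"                       # path to the ipfw(8) binary

# Print the ruleset, one "add ..." command per line, lowest number first.
# Rule 65535 (allow all) is built in by IPFIREWALL_DEFAULT_TO_ACCEPT; the
# 65534 deny placed just before it turns the set into default-deny.
ipfw_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 allow tcp from $MGMT_HOST to me 22 in
add 201 allow tcp from me 22 to $MGMT_HOST out
add 300 allow udp from me to $DNS_SERVER 53 out
add 301 allow udp from $DNS_SERVER 53 to me in
add 65534 deny ip from any to any
EOF
}

# Sanity checks before anything is loaded: an inbound SSH allow must exist,
# it must be numbered below the final deny, and the final deny must be the
# last line. Returns 0 when the ruleset passes, 1 otherwise.
check_rules() {
    rules=$(ipfw_rules)
    ssh_num=$(printf '%s\n' "$rules" | awk '/allow tcp .* 22 in$/ { print $2; exit }')
    last=$(printf '%s\n' "$rules" | tail -n 1)
    [ -n "$ssh_num" ] || return 1
    [ "$ssh_num" -lt 65534 ] || return 1
    [ "$last" = "add 65534 deny ip from any to any" ] || return 1
    return 0
}

# Load the rules into the kernel, one ipfw invocation per line, but only
# after check_rules passes. Stops at the first rule ipfw rejects; the exit
# inside the loop ends the pipeline subshell, so apply_rules returns 1.
apply_rules() {
    check_rules || { echo "ruleset failed sanity check, not loading" >&2; return 1; }
    ipfw_rules | while IFS= read -r line; do
        # shellcheck disable=SC2086
        $IPFW $line || exit 1
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```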