Setting Up A FreeBSD Firewall
FreeBSD 3.x and 4.x make it very easy to set up a rule-based packet filtering firewall. The firewall may
be configured to protect a single host or an entire IP network. Network Address Translation (NAT) is easily
added so that the entire network is reached through one IP address from outside the firewall.
There are several basic steps to setting up the firewall configuration:
Modify and Rebuild the Kernel
Make rc.conf changes
Configure rc.firewall
First, you have to make a few changes to your kernel.
This isn't as hard as it sounds.
Log in as root (use the "su" command), cd to /usr/src/sys/i386/conf, and copy GENERIC to a new file.
Let's call it FIRST. This will be your new kernel config.
Here are the changes you need to make. Lines marked "!" are changed from GENERIC, lines marked "+" are added:
  cpu "I486_CPU"
  cpu "I586_CPU"
  cpu "I686_CPU"
! ident FIRST                 (GENERIC has: ident GENERIC)
  maxusers 32
  options MATH_EMULATE #Support for x87 emulation
  ... (the rest of GENERIC is unchanged) ...
  # The number of devices determines the maximum number of
  # simultaneous BPF clients programs runnable.
  pseudo-device bpfilter 1 #Berkeley packet filter
+
+ # Enable ipfw and natd
+ options IPFIREWALL
+ options IPFIREWALL_VERBOSE
+ options IPFIREWALL_VERBOSE_LIMIT=10
+ options IPFIREWALL_DEFAULT_TO_ACCEPT # (optional)
+ options TCP_DROP_SYNFIN # (reject TCP packets with both SYN and FIN set)
+ options IPDIVERT # (enable NAT)
In other words, change the ident and add the firewall options. If you're running FreeBSD 4.x
and you want to set up an IPv6 firewall too, you should also add IPV6FIREWALL and IPV6FIREWALL_VERBOSE.
Note that the regular IPv4 firewall does not affect IPv6 packets at all.
If you set up a v4 firewall and not a v6 firewall, all v6 packets will be allowed through.
You really need to do both, or disable IPv6 altogether.
After setting up the config, build and install the new kernel:
# /usr/sbin/config FIRST
# cd ../../compile/FIRST
# make depend
# make
# make install
Second, edit /etc/rc.conf and add these defines to the end:
# Enable ipfw
firewall_enable="YES"
firewall_type="type" # see rc.firewall for what goes here
firewall_quiet="NO"
The firewall_type should be "client" to secure a single stand-alone machine,
or "simple" for a gateway guarding an internal network.
If you want to do Network Address Translation, add these defines too:
# Enable natd
natd_enable="YES"
natd_interface="fxp0" # your public network interface
natd_flags="-m" # preserve port numbers if possible
And if you're running FreeBSD 4.x and also want to enable the separate IPv6 firewall, add these:
# Enable ip6fw
ipv6_firewall_enable="YES"
ipv6_firewall_type="type" # see rc.firewall6 for what goes here
ipv6_firewall_quiet="NO"
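As an added example (not from the original article), here is a small sh script that reads the ipfw, natd and ip6fw settings from an rc.conf-style file and flags the mistakes this article warns about: the placeholder firewall_type="type" left in place, natd enabled without an interface or without the firewall, and an IPv4 firewall without the IPv6 one. The helper names, the sample file and its path are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check the ipfw/natd/ip6fw
# settings in an rc.conf-style file before rebooting into the new kernel.
# It flags the placeholder firewall_type="type", natd without an interface or
# without the firewall, and an IPv4 firewall without the IPv6 one (the article
# notes that IPv6 packets pass untouched in that case).

# rc_get FILE VAR: print VAR's value (last assignment wins, quotes and trailing comment stripped)
rc_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# rc_check FILE: print one finding per line; return 0 when clean, 1 otherwise
rc_check() {
    f=$1; rc=0
    fw=$(rc_get "$f" firewall_enable)
    fwtype=$(rc_get "$f" firewall_type)
    if [ "$fw" = "YES" ]; then
        case "$fwtype" in
            ""|type) echo "firewall_type is still the placeholder '$fwtype'; use client, simple, etc."; rc=1 ;;
        esac
        if [ "$(rc_get "$f" ipv6_firewall_enable)" != "YES" ]; then
            echo "IPv4 firewall enabled but ipv6_firewall_enable is not YES: IPv6 is unfiltered"; rc=1
        fi
    fi
    if [ "$(rc_get "$f" natd_enable)" = "YES" ]; then
        [ -n "$(rc_get "$f" natd_interface)" ] || { echo "natd_enable=YES but natd_interface is empty"; rc=1; }
        [ "$fw" = "YES" ] || { echo "natd_enable=YES but firewall_enable is not YES"; rc=1; }
    fi
    return $rc
}

# Constructed sample rc.conf fragment (not a real system file): placeholder
# firewall_type left in, NAT on, no IPv6 firewall.
SAMPLE=${TMPDIR:-/tmp}/rc.conf.sample.$$
cat > "$SAMPLE" <<'EOF'
# Enable ipfw
firewall_enable="YES"
firewall_type="type" # see rc.firewall for what goes here
firewall_quiet="NO"
# Enable natd
natd_enable="YES"
natd_interface="fxp0" # your public network interface
natd_flags="-m" # preserve port numbers if possible
EOF
rc_check "$SAMPLE" || echo "fix the findings above before rebooting"
```

Run it against /etc/rc.conf instead of the sample to check a real machine; two findings are printed for the sample above.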
Copyright © 2003-2016 The UnixCities.com. All rights reserved.