Unix tutorial Contact as




Setting Up A FreeBSD Firewall

FreeBSD 3.x and 4.x make it very easy to set up a rule-based packet filtering firewall. The firewall may be configured to protect a single host or an entire IP Network. Network Address Translation (NAT) is easily added so the entire network is accessed by one IP address from outside the firewall.
There are several basic steps to setting up the firewall configuration:

  • Modify and Rebuild the Kernel
  • Make rc.conf changes
  • Configure rc.firewall

    First, you have to make a few changes to your kernel. This isn't as hard as it sounds. Login as root (use "su" command), cd /usr/src/sys/i386/conf, and copy GENERIC to a new file. Let's call it FIRST. This will be your new kernel config. Here are the changes you need to make:

    # Existing Configuration
    #
    cpu "I486_CPU"
    cpu "I586_CPU"
    cpu "I686_CPU"
    ! ident GENERIC
    maxusers 32


    options MATH_EMULATE #Support for x87 emulation

    cpu "I486_CPU"
    cpu "I586_CPU"
    cpu "I686_CPU"
    ! ident FIRST
    maxusers 32


    options MATH_EMULATE #Support for x87 emulation
    # The number of devices determines the maximum number of
    # simultaneous BPF clients programs runnable.
    pseudo-device bpfilter 1 #Berkeley packet filter

    +
    + # Enable ipfw and natd

    + options IPFIREWALL
    + options IPFIREWALL_VERBOSE
    + options IPFIREEWALL_VERBOSE_LIMIT=10
    + options IPFIREWALL_DEFAULT_TO_ACCEPT # (optinal)
    + options TCP_DROP_SYNFIN # (reject the TCP packets with SYN and FIN)
    + options IPDIVERT # (enable NAT)


    In other words, change the ident and add the firewall options. If you're running FreeBSD 4.x and you want to set up an IPv6 firewall too, you should also add IPV6FIREWALL and IPV6FIREWALL_VERBOSE. Note that the regular IPv4 firewall does not affect IPv6 packets at all. If you set up a v4 firewall and not a v6 firewall, all v6 packets will be allowed through. You really need to do both, or disable IPv6 altogether. After setting up the config, build and install the new kernel:

    # /usr/sbin/config FIRST
    # cd ../../compile/FIRST
    # make depend
    # make
    # make install


    Second, edit /etc/rc.conf and add these defines to the end:

    # Enable ipfw
    firewall_enable="YES"
    firewall_type="type" # see rc.firewall for what goes here
    firewall_quiet="NO"
    The firewall_type should be "client" to secure a single stand-alone machine, or "simple" for a gateway guarding an internal network.
    If you want to do Network Address Translation, add these defines too:

    # Enable natd
    natd_enable="YES"
    natd_interface="fxp0" # your public network interface
    natd_flags="-m" # preserve port numbers if possible

    And if you're running FreeBSD 4.x and also want to enable the separate IPv6 firewall, add these:
    # Enable ip6fw
    ipv6_firewall_enable="YES"
    ipv6_firewall_type="type" # see rc.firewall6 for what goes here
    ipv6_firewall_quiet="NO"



  • Comments/Feedback

    If you have specific suggestions for changes, corrections, and additions to this article please use the comment form below.



    Back to main page


    Copyright © 2003-2016 The UnixCities.com
    All rights reserved