IPFW + DirectAdmin + FIREWALL RULESETS AVAILABLE HERE


Senad
12-05-2005, 04:41 PM
This is a tutorial I found at BSDTechTalk (located at: http://www.bsdtechtalk.com/showthread.php?t=78 )

Thought I'd share it here with everybody.

I hope this helps some people who are interested in getting a firewall up for their BSD system (although they should be :D).
==================
==================



Tutorial Title: Quick IPFW Tutorial

Tutorial Summary:
Quick IPFW tutorial and an example IPFW config file showing a setup for a FreeBSD server with a DirectAdmin control panel.

Author: Senad

Contact: bsd@bsdtechtalk.com

BSD Type: FreeBSD
BSD Version: FreeBSD 5.x, 6.x


Tutorial:
IPFW can be added to FreeBSD 5.x, 6.x by adding the IPFW commands and then starting up IPFW. FreeBSD 4.x needs IPFW compiled into the kernel.

All right, let's begin.

Firewall configuration
In /etc/rc.conf we added the following options to turn on IPFW:

nano /etc/rc.conf



firewall_enable="YES"
firewall_script="/etc/ipfw.rules"


Then


nano /etc/ipfw.rules


DirectAdmin Control Panel requires the following ports to be opened:

20,21: FTP. Note that ftp will use a "random high port number" if the client is in PORT mode, so you may need to add a port range to your /etc/proftpd.conf file to allow ftp connections, e.g.:

PassivePorts 32555 32565
and then open that port range as well in your firewall.

In our example we will use port 21 for FTP!

22: ssh access

25: smtp for exim to receive email

53: dns (named), so your sites resolve

80, 443: apache traffic, http and https

110: client pop email access
143: clients imap email access

2222: DirectAdmin Access

3306: mysql access. You don't need to open this port if you don't want to allow remote mysql access, as most mysql scripts are all accessed locally.

Add the following Rules


##############################
# IPFW RULES Server
##############################
cmd="ipfw -q add"
ipfw -q -f flush

##############################
#Allow loopback and deny loopback spoofing
##############################
$cmd 05 allow all from any to any via lo0
$cmd 10 deny all from any to 127.0.0.0/8
$cmd 15 deny all from 127.0.0.0/8 to any
$cmd 20 deny tcp from any to any frag

##############################
# Stateful Rules
##############################
$cmd 25 check-state
$cmd 30 allow tcp from any to any established
$cmd 35 allow all from any to any out keep-state
$cmd 40 allow icmp from any to any

##############################
# Incoming/outgoing services
##############################
$cmd 45 allow tcp from any to any 21 in setup keep-state
# 'setup' is a TCP-only option (SYN without ACK) and cannot be used on a udp rule
$cmd 46 allow udp from any to any 21 in keep-state
$cmd 50 allow tcp from any to any 22 in setup keep-state
$cmd 55 allow tcp from any to any 25 in setup keep-state
$cmd 60 allow udp from any to any 53 in setup keep-state
$cmd 61 allow tcp from any to any 53 in setup keep-state
$cmd 65 allow tcp from any to any 80 in setup keep-state
$cmd 70 allow tcp from any to any 443 in setup keep-state
$cmd 75 allow tcp from any to any 110 in setup keep-state
$cmd 80 allow tcp from any to any 143 in setup keep-state
$cmd 90 allow tcp from any to any 2222 in setup keep-state
$cmd 100 allow tcp from any to any 49152-65535 out setup keep-state

##############################
# Deny and log
##############################
$cmd 999 deny log all from any to any




or use stateless firewall rules:


##############################
# IPFW RULES Server
##############################
cmd="ipfw -q add"
ipfw -q -f flush
ks="keep-state"

##############################
#Allow loopback and deny loopback spoofing
##############################
$cmd 10 allow all from any to any via lo0
$cmd 20 deny all from any to 127.0.0.0/8
$cmd 30 deny all from 127.0.0.0/8 to any
$cmd 40 deny tcp from any to any frag

##############################
# Stateful Rules
##############################
$cmd 50 check-state
$cmd 60 allow tcp from any to any established
$cmd 70 allow all from any to any out keep-state
$cmd 80 allow icmp from any to any

##############################
# Incoming/outgoing services
##############################
$cmd 90 allow tcp from any to any 21 in
$cmd 100 allow tcp from any to any 21 out
$cmd 110 allow udp from any to any 21 in
$cmd 120 allow udp from any to any 21 out
$cmd 130 allow tcp from any to any 22 in
$cmd 140 allow tcp from any to any 22 out
$cmd 150 allow tcp from any to any 25 in
$cmd 160 allow tcp from any to any 25 out
$cmd 170 allow udp from any to any 53 in
$cmd 180 allow udp from any to any 53 out
$cmd 190 allow tcp from any to any 80 in
$cmd 200 allow tcp from any to any 80 out
$cmd 210 allow tcp from any to any 443 in
$cmd 220 allow tcp from any to any 443 out
$cmd 230 allow tcp from any to any 110 in
$cmd 240 allow tcp from any to any 110 out
$cmd 250 allow tcp from any to any 143 in
$cmd 260 allow tcp from any to any 143 out
$cmd 270 allow tcp from any to any 2222 in
$cmd 280 allow tcp from any to any 2222 out
$cmd 290 allow tcp from any to any 49152-65535 out

##############################
# Deny and log
##############################
$cmd 999 deny log all from any to any


Now let's run ipfw

/etc/rc.d/ipfw start

dennisc
12-06-2005, 05:29 AM
/etc/rc.conf:


pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_program="/sbin/pfctl"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_program="/sbin/pflogd"


/etc/pf.conf


# /etc/pf.conf

# Macros
# The addresses below are placeholders from the post (111.222.333.x is not a valid
# IPv4 address); replace them with the server's real addresses before loading.
WWW="111.222.333.444/32"
DNS="{ 111.222.333.445/32, 111.222.333.446/32 }"
IF="rl0"
LOCAL_IF="lo0"
NO_ROUTE="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# Options
set optimization normal
set block-policy drop
set require-order yes

# Traffic Normalization
scrub in all

# Packet Filtering
block in log all
block out log all

antispoof log quick for $LOCAL_IF inet
pass in on $LOCAL_IF inet all keep state
pass out on $LOCAL_IF inet all keep state

antispoof log quick for $IF inet
block in log quick on $IF from $NO_ROUTE to $IF
block return-rst in log quick on $IF inet proto tcp from any to $WWW port 113
pass in on $IF inet proto icmp from any to $WWW icmp-type 8 code 0 keep state
pass in on $IF inet proto udp from any to $DNS port 53 keep state
pass in on $IF inet proto tcp from any to $WWW port 22 flags S/SA modulate state
pass in on $IF inet proto tcp from any to $WWW port 25 flags S/SA modulate state
pass in on $IF inet proto tcp from any to $WWW port 80 flags S/SA modulate state
pass in on $IF inet proto tcp from any to $WWW port 443 flags S/SA modulate state
block out log quick on $IF from $IF to $NO_ROUTE
pass out on $IF inet from $IF to any keep state


"quick" in a rule means no further rules will be processed if the rule matches.

To run pf:


pfctl -Rf /etc/pf.conf

Senad
12-17-2005, 10:10 AM
firewall_type="OPEN"


This will leave all of your firewall ports open to any connections. Basically you have no firewall since it allows all traffic to pass through.

greenm
07-31-2006, 02:30 AM
Can someone confirm for me that this is correct:

/etc/rc.conf

firewall_enable="YES"
firewall_script="YES"
firewall_script="/etc/ipfw.rules"


/etc/ipfw.rules

##############################
# IPFW RULES Server
##############################
cmd="ipfw -q add"
ipfw -q -f flush

##############################
#Allow loopback and deny loopback spoofing
##############################
$cmd 05 allow all from any to any via lo0
$cmd 10 deny all from any to 127.0.0.0/8
$cmd 15 deny all from 127.0.0.0/8 to any
$cmd 20 deny tcp from any to any frag

##############################
# Stateful Rules
##############################
$cmd 25 check-state
$cmd 30 allow tcp from any to any established
$cmd 35 allow all from any to any out keep-state
$cmd 40 allow icmp from any to any

##############################
# Incoming/outgoing services
##############################
$cmd 45 allow tcp from any to any 21 in setup keep-state
# 'setup' is a TCP-only option (SYN without ACK) and cannot be used on a udp rule
$cmd 46 allow udp from any to any 21 in keep-state
$cmd 50 allow tcp from any to any 22 in setup keep-state
$cmd 55 allow tcp from any to any 25 in setup keep-state
$cmd 60 allow udp from any to any 53 in setup keep-state
$cmd 61 allow tcp from any to any 53 in setup keep-state
$cmd 65 allow tcp from any to any 80 in setup keep-state
$cmd 70 allow tcp from any to any 443 in setup keep-state
$cmd 75 allow tcp from any to any 110 in setup keep-state
$cmd 80 allow tcp from any to any 143 in setup keep-state
$cmd 90 allow tcp from any to any 2222 in setup keep-state
$cmd 100 allow tcp from any to any 49152-65535 out setup keep-state

##############################
# Deny and log
##############################
$cmd 999 deny log all from any to any


I was reading about this:


Also, shouldn't your rule:

Code:
$cmd 30 allow tcp from any to any established

be

Code:
$cmd 30 deny tcp from any to any established

Senad
08-01-2006, 02:43 AM
Also, shouldn't your rule:

Code:
$cmd 30 allow tcp from any to any established

be

Code:
$cmd 30 deny tcp from any to any established


No, it should allow it to be an established connection so the firewall rule will then keep the established/required connections under stateful inspection. If you deny it, then the firewall rule will deny every connection after the packets return.

Simpler way of saying it:
PC A sends a SYN packet to the host. The host replies with a SYN,ACK... PC A sends back an ACK. You now have an established connection. Now, since that rule is above the other, more specified rulesets, the firewall's stateful packet inspection will see that there is already an authorized connection with the host. If you set it to deny, it will hence not allow that host to connect and access the required information, and it will deny the user to that host. Having the established command allows you to keep that state at an approved method without having to go and read all of the firewall rulesets all over again. Since the firewall knows and keeps the state, it will hence know to keep that state established and allowed by that rule. Hope that helps/makes sense.
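To make the rule-walk described above concrete, here is a small model of how ipfw evaluates a ruleset with check-state, keep-state, setup and established. This is an added illustration, not code from the thread or from FreeBSD: it models only the subset of ipfw syntax the rulesets in this thread use (protocol, destination port or range, in/out, SYN/ACK flags, dynamic state) and ignores addresses, lo0, frag and logging; the client and server addresses are constructed. It runs the three-way handshake through rule 30 as posted ("allow ... established") and through the inverted variant greenm asked about, and then sends an ACK-only packet to port 3306, a port no service rule opens, so the two variants can be compared on the one case where they differ.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    direction: str    # "in" or "out", seen from the server
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

@dataclass
class Rule:
    num: int
    action: str                    # "allow", "deny" or "check-state"
    proto: str = "all"
    dport: Optional[range] = None  # None matches any destination port
    direction: Optional[str] = None
    setup: bool = False            # ipfw 'setup': SYN set and ACK clear
    established: bool = False      # ipfw 'established': ACK or RST set (only ACK modelled here)
    keep_state: bool = False

def parse_rule(line: str) -> Rule:
    # Parses e.g. "45 allow tcp from any to any 21 in setup keep-state" (no "$cmd" prefix).
    toks = line.split()
    rule = Rule(num=int(toks[0]), action=toks[1])
    if rule.action == "check-state":
        return rule
    body = toks[3:] if toks[2] == "log" else toks[2:]   # drop the optional 'log'
    rule.proto = body[0]
    assert body[1] == "from" and body[3] == "to", line   # addresses are ignored in this model
    for tok in body[5:]:
        if tok in ("in", "out"):
            rule.direction = tok
        elif tok == "setup":
            rule.setup = True
        elif tok == "established":
            rule.established = True
        elif tok == "keep-state":
            rule.keep_state = True
        elif tok[0].isdigit():                            # single port or lo-hi range
            lo, _, hi = tok.partition("-")
            rule.dport = range(int(lo), int(hi or lo) + 1)
    return rule

def flow_key(p: Packet):
    return (p.proto, p.src, p.sport, p.dst, p.dport)

class Firewall:
    def __init__(self, ruleset: List[str]):
        self.rules = sorted((parse_rule(l) for l in ruleset), key=lambda r: r.num)
        self.dynamic = set()   # flows learned via keep-state, stored in both directions
    def _static_match(self, r: Rule, p: Packet) -> bool:
        if r.proto != "all" and r.proto != p.proto: return False
        if r.dport is not None and p.dport not in r.dport: return False
        if r.direction is not None and r.direction != p.direction: return False
        if r.setup and not (p.proto == "tcp" and p.syn and not p.ack): return False
        if r.established and not (p.proto == "tcp" and p.ack): return False
        return True
    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        # Returns (action, rule number) of the first rule that matches the packet.
        for r in self.rules:
            if r.action == "check-state":
                if flow_key(p) in self.dynamic:        # dynamic rule hit: flow was allowed earlier
                    return ("allow", r.num)
                continue
            if not self._static_match(r, p):
                continue
            if r.action == "allow" and r.keep_state:   # keep-state: remember both directions
                self.dynamic.add(flow_key(p))
                self.dynamic.add((p.proto, p.dst, p.dport, p.src, p.sport))
            return (r.action, r.num)
        return ("deny", None)                          # ipfw's implicit default deny

# Rule 30 as posted in the thread, plus the ssh service rule and the final deny.
THREAD_RULESET = [
    "25 check-state",
    "30 allow tcp from any to any established",
    "35 allow all from any to any out keep-state",
    "50 allow tcp from any to any 22 in setup keep-state",
    "999 deny log all from any to any",
]
# The variant greenm asked about: rule 30 inverted to deny.
DENY_ESTABLISHED_RULESET = [l.replace("30 allow", "30 deny") for l in THREAD_RULESET]

CLIENT, SERVER = "198.51.100.7", "203.0.113.10"       # constructed addresses

def ssh_handshake(fw: Firewall):
    # SYN in, SYN/ACK out, ACK in: the three-way handshake Senad describes.
    pkts = [Packet("tcp", "in", CLIENT, 51000, SERVER, 22, syn=True),
            Packet("tcp", "out", SERVER, 22, CLIENT, 51000, syn=True, ack=True),
            Packet("tcp", "in", CLIENT, 51000, SERVER, 22, ack=True)]
    return [fw.evaluate(p) for p in pkts]

def stray_ack_to_mysql(fw: Firewall):
    # ACK-only packet to 3306 that belongs to no known flow; no service rule opens 3306.
    return fw.evaluate(Packet("tcp", "in", CLIENT, 40000, SERVER, 3306, ack=True))
```

Under both variants the handshake completes the same way: the SYN is accepted by rule 50, which creates the dynamic entry, and the SYN/ACK and ACK are then matched at check-state (rule 25) before rule 30 is ever reached. The variants differ only for the stray ACK: with "allow established" it is accepted by rule 30 despite no rule opening 3306, while with "deny established" it falls to rule 30's deny. That second behaviour is the reason the FreeBSD Handbook's stateful example places a "deny tcp from any to any established" right after check-state; anyone choosing the "allow" form is relying on the final deny only for SYN packets, which is worth knowing when deciding which variant to run.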

greenm
08-01-2006, 03:17 AM
Senad, thank you for your post.
I was uncertain about activating my ipfw.

I still have 1 question about this ipfw config.
You are talking about the passive ports in proftpd:

PassivePorts 32555 32565

Shouldn't the rule be changed from:

$cmd 100 allow tcp from any to any 49152-65535 out setup keep-state

to

$cmd 100 allow tcp from any to any 32555-32565 out setup keep-state

or are those ports for other services?

Also, could someone give me an example of giving a specific ip access to mysql.

As you can imagine, I'm not really familiar with ipfw ^^'

chatwizrd
08-01-2006, 10:48 AM
You can set up your own ports that you want your ftp server to use, so Senad's rule may be different from yours.

greenm
08-01-2006, 03:32 PM
I know this; it was more the question of whether the passive port range is another entry in the ipfw.conf, or whether I need to adapt the line in my previous post...

greenm
08-02-2006, 06:50 AM
OK, well, I've got everything figured out; only now I have one annoying little problem.

Opening passive ports takes a long time, and a new port is opened on every directory switch.

When I disable the firewall it's all working fine, so I think it's something with the ipfw.conf...

Are more people having this problem?

Chrysalis
08-02-2006, 04:48 PM
Specify the passive port range in proftpd.conf; then you don't have to open such a big port range.

greenm
08-03-2006, 02:11 AM
Well, I figured it out:

if your proftpd passive port range is:
32555-32565, do:

Instead of:
$cmd 100 allow tcp from any to any 32555-32565 out setup keep-state

To
$cmd 100 allow tcp from any to any 32555-32565 in setup keep-state

So out to in, this works for me.
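Two of the mistakes this thread works through are easy to spot mechanically: a duplicated key in /etc/rc.conf (the tutorial's first rc.conf listing set firewall_script twice), "setup" on a udp rule (setup means SYN-without-ACK and only applies to tcp), and the passive-FTP data range written with "out" when, as greenm found, the client's data connections arrive inbound. The checker below is an added example, not code from the thread or from FreeBSD; its three input files are constructed inline and deliberately contain those mistakes, and it reads the PassivePorts line from the proftpd.conf so the expected ipfw range is taken from the FTP configuration rather than guessed.

```python
import re
from typing import List, Optional, Tuple

# Constructed inputs, reproducing the mistakes discussed in the thread.
RC_CONF = '''firewall_enable="YES"
firewall_script="YES"
firewall_script="/etc/ipfw.rules"
'''

PROFTPD_CONF = '''ServerName "constructed example"
PassivePorts 32555 32565
'''

IPFW_RULES = '''cmd="ipfw -q add"
ipfw -q -f flush
$cmd 25 check-state
$cmd 46 allow udp from any to any 21 in setup keep-state
$cmd 60 allow udp from any to any 53 in keep-state
$cmd 100 allow tcp from any to any 32555-32565 out setup keep-state
$cmd 999 deny log all from any to any
'''

Finding = Tuple[int, str]   # (line number, message); line 0 means "whole file"

def passive_range(proftpd_conf: str) -> Optional[Tuple[int, int]]:
    # proftpd's directive is "PassivePorts <min> <max>"; None if it is not set.
    m = re.search(r"^\s*PassivePorts\s+(\d+)\s+(\d+)", proftpd_conf, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def check_rc_conf(text: str) -> List[Finding]:
    findings: List[Finding] = []
    seen = {}   # variable name -> line where it was first set
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "\u201c" in line or "\u201d" in line:
            findings.append((n, "curly quotes; rc.conf is sourced by sh and needs ASCII double quotes"))
        key, _, _ = line.partition("=")
        if key in seen:
            findings.append((n, f"{key} already set on line {seen[key]}; the later value wins"))
        seen.setdefault(key, n)
    if "firewall_enable" not in seen:
        findings.append((0, "firewall_enable is not set; ipfw will not be started"))
    return findings

def check_ipfw_rules(text: str, passive: Optional[Tuple[int, int]]) -> List[Finding]:
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.startswith("$cmd"):
            continue
        toks = line.split()                 # ["$cmd", "<num>", "<action>", "<proto>", ...]
        proto = toks[3] if len(toks) > 3 else ""
        if "setup" in toks and proto != "tcp":
            findings.append((n, f"'setup' matches TCP SYN packets only; it does nothing on a {proto} rule"))
        if passive is not None:
            lo, hi = passive
            if f"{lo}-{hi}" in toks and "out" in toks:
                findings.append((n, "passive FTP data connections arrive inbound; use 'in', not 'out'"))
    return findings

def check_all() -> List[Finding]:
    # Convenience entry point over the constructed inputs above.
    return check_rc_conf(RC_CONF) + check_ipfw_rules(IPFW_RULES, passive_range(PROFTPD_CONF))

if __name__ == "__main__":
    for n, msg in check_all():
        print(f"line {n}: {msg}")
```

Run as a script it prints three findings: the duplicated firewall_script on rc.conf line 3, the udp rule carrying "setup" on rules line 4, and the passive range rule written with "out" on line 6. Pointing the two check functions at real files instead of the constructed strings is a one-line change (read the file, pass its contents); the checks themselves only look at the tokens the thread's rules use, so rules with addresses or "via" clauses pass through untouched.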

Merv Hosting
10-31-2006, 06:27 AM
Originally posted by Senad
110: client pop email access
143: clients imap email access

I guess now I know why I wasn't able to access email via imap, in outlook...

Senad
11-08-2006, 10:56 PM
Sorry about the long delay; I've been very busy here. Greenm, yes, the ruleset I created was based on a remote box user.

Toptyg
06-08-2007, 11:53 AM
nice man :)

Will try now.

labrocca
02-15-2008, 03:13 AM
I had some issues getting my firewall rules set just right, but I thought I'd share my completed work.

You still need to do this:

20,21: FTP. Note that ftp will use a "random high port number" if the client is in PORT mode, so you may need to add a port range to your /etc/proftpd.conf file to allow ftp connections, e.g.:

PassivePorts 32555 32565


#################################################
# ipfw Firewall Commands
#################################################
cmd="ipfw -q add"
ipfw -q -f flush

#################################################
# Allow Loopback and Deny Loopback Spoofing
#################################################
$cmd allow all from any to any via lo0
$cmd deny all from any to 127.0.0.0/8
$cmd deny all from 127.0.0.0/8 to any
$cmd deny tcp from any to any frag

#################################################
# Stateful rules
#################################################
$cmd check-state
$cmd deny tcp from any to any established
$cmd allow all from any to any out keep-state
$cmd allow icmp from any to any

#################################################
# Incoming/Outgoing Services
#################################################
$cmd allow tcp from any to any 21 setup keep-state
$cmd allow tcp from any to any 22 setup keep-state
$cmd allow tcp from any to any 25 setup keep-state
$cmd allow tcp from any to any 53 setup keep-state
$cmd allow udp from any to any 53 keep-state
$cmd allow tcp from any to any 80 setup keep-state
$cmd allow tcp from any to any 110 setup keep-state
$cmd allow tcp from any to any 143 setup keep-state
$cmd allow tcp from any to any 443 setup keep-state
$cmd allow tcp from any to any 2222 setup keep-state
$cmd allow tcp from any to any 32555-32565 in setup keep-state


#################################################
# Deny and Log
#################################################
$cmd deny log all from any to any

Feel free to use them for yourself.