Title : IPF for FreeBSD 5
Os : BSD
Distro : FreeBSD 5
URL : i. http://www.freebsd.org
ii. http://www.schlacter.net/public/FreeBSD-STABLE_and_IPFILTER.html
1. Install FreeBSD 5.2.1 (at the time of writing, 5.2.1 is the latest release in the "5 series").
2. Remember to install the kernel source and the ports collection (they may be useful later).
3. Set up the network and make sure the machine can connect to the Internet.
4. Install from ports any software that was not installed from the CD,
such as bash, vim-lite and others.
5. Set up the log files (ipmon -s sends its messages to syslog facility local0 by default).
# touch /var/log/firewall_logs
# touch /var/log/authlog
# chmod 600 /var/log/firewall_logs
# chmod 600 /var/log/authlog
# vim /etc/syslog.conf
Add in : local0.* /var/log/firewall_logs
auth.* /var/log/authlog
# vim /etc/newsyslog.conf
Add in : /var/log/firewall_logs 600 14 100 * Z
/var/log/authlog 600 14 100 * Z
6. Enable firewall rules at start-up
# vim /etc/rc.conf
Add in : ipfilter_enable="YES"
ipfilter_flags=""
ipmon_enable="YES"
ipmon_flags="-Dsvn"
ipnat_enable="YES"
7. Create /etc/ipf.rules and /etc/ipnat.rules (the file names expected by the rc.conf defaults and by the activation commands in the attachment).
Examples are in /usr/share/examples/ipfilter.
Attachment: my SIMPLE ipf rules.
Please take note that the rules are still under testing.
Any comments, please do let me know.
8. Change directory to /usr/src/sys/i386/conf and make a copy of GENERIC to edit.
# make LINT
# cp GENERIC yourkernelname
9. Edit kernel configuration file.
# vim yourkernelname
Add in : options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
10. Edit the rest of the kernel configuration file to match your server's hardware.
11. Compile kernel
# cd /usr/src
# make kernel KERNCONF=yourkernelname
12. Reboot System
# shutdown -r now
From the FreeBSD Handbook, Procedure 2: Building a Kernel the "New" Way
1. Change to the /usr/src directory.
# cd /usr/src
2. Compile the kernel.
# make buildkernel KERNCONF=MYKERNEL
3. Install the new kernel.
# make installkernel KERNCONF=MYKERNEL
## To Activate : /sbin/ipf -Fa -f /etc/ipf.rules
#
## By : XwinGs at KjLau
#
## rl0 : Internal
## rl1 : External
## Block unwanted Packets
block in log quick all with short
block in log quick all with ipopts
block in log quick all with frag
block in log quick all with opt lsrr
block in log quick all with opt ssrr
## Allow ALL , loopback
pass in on lo0 all
pass out on lo0 all
## Allow ALL, rl0
pass in on rl0 all
pass out on rl0 all
## rl1 : block inbound by default (no "quick", so the pass rules further down can override it), allow outbound
block in on rl1 all
pass out on rl1 all
## Allow All, gif0
pass in on gif0 all
pass out on gif0 all
## Anti Spoofing
block in log quick on rl1 from 192.168.0.0/16 to any
block in log quick on rl1 from 172.16.0.0/12 to any
block in log quick on rl1 from 10.0.0.0/8 to any
block in log quick on rl1 from 127.0.0.0/8 to any
block in log quick on rl1 from 0.0.0.0/8 to any
block in log quick on rl1 from 169.254.0.0/16 to any
block in log quick on rl1 from 192.0.2.0/24 to any
block in log quick on rl1 from 204.152.64.0/23 to any
block in quick on rl1 from 224.0.0.0/3 to any
## Allow passive FTP transfers from ports 49152 to 65534, the IANA-registered ephemeral port range.
#pass in quick proto tcp from any to any port 49151 >< 65535 flags S keep state
## Allow active FTP data connections back to my box
#pass in quick proto tcp from any port = 20 to any port 8192 <> 16384 flags S keep state
#pass in quick proto tcp from any port = 20 to any port 32768 <> 40000 flags S keep state
## For VPN (the peer address was left out of the original line; fill in VPN_PEER_ADDRESS
## and uncomment before loading, otherwise ipf refuses the file)
#pass in quick on rl1 from VPN_PEER_ADDRESS to any keep state keep frags
## Allow Incomming Ports
pass in quick on rl1 proto tcp from any to any port = 22 flags S keep state
pass in quick on rl1 proto tcp from any to any port = 25 flags S keep state
pass in quick on rl1 proto tcp from any to any port = 2122 flags S keep state
pass in quick on rl1 proto tcp from any to any port = 2180 flags S keep state
## Block Incoming Ports (example, disabled)
#block in quick on rl1 proto tcp from any to any port = 25 flags S keep state
## Block Outgoing Ports (example, disabled)
#block out log quick proto tcp/udp from any to any port = 6995
## Block outgoing connections to an IP address, eg. 163.com (example, disabled; "out" because the intent is outbound)
#block out log quick on rl1 proto tcp from any to 202.106.185.77 flags S
## Stateful outbound rules, rl0 / rl1
pass out quick proto icmp from any to any keep state
pass out quick proto tcp/udp from any to any keep state keep frags
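The ruleset above depends on IPFilter's matching order: "block in on rl1 all" carries no "quick", so it only wins when nothing later matches, while the "pass in quick" and anti-spoofing "block in log quick" lines end the search as soon as they match. The following Python model is an added illustration, not part of the original HOWTO and not ipf itself; the rule() helper, packet dictionaries and the sample addresses are my own simplification of a subset of these rules.

```python
# Added example (not ipf itself): a toy model of IPFilter's rule order for part
# of the ruleset above. Rules are scanned top to bottom; a matching "quick" rule
# ends the scan, otherwise the LAST match wins; no match = drop (DEFAULT_BLOCK).
import ipaddress

def rule(action, direction, iface, src=None, proto=None, dport=None, quick=False):
    return {"action": action, "dir": direction, "iface": iface,   # None = any
            "src": ipaddress.ip_network(src) if src else None,
            "proto": proto, "dport": dport, "quick": quick}

# Anti-spoofing ranges from the "block in log quick on rl1 from ..." lines.
BOGONS = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "127.0.0.0/8",
          "0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24", "224.0.0.0/3"]

# Same order as in /etc/ipf.rules above (subset: lo0, rl0 and rl1 only).
RULES = ([rule("pass", "in", "lo0"), rule("pass", "out", "lo0"),
          rule("pass", "in", "rl0"), rule("pass", "out", "rl0"),
          rule("block", "in", "rl1"),        # default deny on rl1, NOT quick
          rule("pass", "out", "rl1")]
         + [rule("block", "in", "rl1", src=b, quick=True) for b in BOGONS]
         + [rule("pass", "in", "rl1", proto="tcp", dport=p, quick=True)
            for p in (22, 25, 2122, 2180)])

def matches(r, pkt):
    return (r["dir"] == pkt["dir"] and r["iface"] == pkt["iface"]
            and (r["src"] is None or ipaddress.ip_address(pkt["src"]) in r["src"])
            and (r["proto"] is None or r["proto"] == pkt["proto"])
            and (r["dport"] is None or r["dport"] == pkt["dport"]))

def evaluate(pkt, rules=RULES):
    """Return (action, index of the deciding rule); index None if none matched."""
    decision = ("block", None)
    for i, r in enumerate(rules):
        if matches(r, pkt):
            decision = (r["action"], i)
            if r["quick"]:                     # quick: later rules are ignored
                break
    return decision

def inbound(iface, src, dport, proto="tcp"):   # helper for an inbound packet
    return evaluate({"dir": "in", "iface": iface, "src": src,
                     "proto": proto, "dport": dport})

if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.5 is a TEST-NET-3 address.
    print(inbound("rl1", "203.0.113.5", 22))   # ('pass', 14): quick pass overrides
    print(inbound("rl1", "203.0.113.5", 80))   # ('block', 4): last match = default deny
    print(inbound("rl1", "10.1.2.3", 22))      # ('block', 8): spoofed source, quick block
    print(inbound("rl0", "192.168.1.21", 22))  # ('pass', 2): LAN side is fully open
```

Note that a packet from a private source address to port 22 is dropped by the anti-spoofing rule even though port 22 is open, because that quick block is evaluated before the quick pass.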
################################################################################
## To Activate : /sbin/ipnat -CF -f /etc/ipnat.rules
#
## By : XwinGs at KjLau
#
## rl1 : Internet
## rl0 : Local Lan
#--------------------------------------------------------------------
# Do 'normal' IP address translation. These lines take all packets
# going out on the external NIC (rl1) that have a source address from
# the internal network (192.168.1.0/24) and translate it to whatever
# IP address the external NIC happens to have at that time. Rules are
# matched first-match, so the ftp proxy and portmap lines come first.
#--------------------------------------------------------------------
map rl1 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map rl1 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:50000
map rl1 192.168.1.0/24 -> 0/32
## Port forwarding: external port 222 on rl1 -> 192.168.1.21 port 22 (ssh)
rdr rl1 0.0.0.0/0 port 222 -> 192.168.1.21 port 22 tcp