TUCoPS :: Unix :: General :: ipfw.txt

Linux/FreeBSD IP Firewalling

::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::              .ooO Linux/FreeBSD IP Firewalling by jus Ooo.               ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::
::                                                                          ::
:: In FK3 Vortexia described "the poor man's firewall", that is tcp         ::
:: wrappers, and how to set them up and use them as basic protection against::
:: unwanted connections. The next step is to make use of Linux's ipfwadm or ::
:: fBSD's ipfw to setup a proper firewall to automatically block out        ::
:: potential attackers and keep certain services only available to your LAN ::
:: (i.e. SQUID).                                                            ::
::                                                                          ::
:: Most generic or standard *nix kernels should have firewalling compiled,  ::
:: if not you will get errors when trying to use ipfw/ipfwadm. Just rebuild ::
:: your kernel to include firewalling.                                      ::
::                                                                          ::
:: OK, to setup firewall rules under linux "ipfwadm" is used. "man ipfwadm" ::
:: will give some further insight as to what can be done with this tool,    ::
:: we're gunna focus on just keeping incoming connections where we want em  ::
::                                                                          ::
:: Typing ipfwadm -I -l will give you a list of current firewall rules in   ::
:: their order, you will most likely have nothing there. Lets try something ::
:: simple first, like block off your ftpd to all but yourself :)            ::
::                                                                          ::
:: ipfwadm -I -i deny -P tcp -S 0.0.0.0/0 -D yourip 21 will disallow all    ::
:: connections from anywhere to port 21. Even from 127.0.0.1, so if you     ::
:: want to be able to connect to your own ftpd you need to add a rule to    ::
:: allow 127.0.0.1 though. If you are on dialup and get a dynamic IP, fill  ::
:: in 0.0.0.0/0 in place of "yourip".                                       ::
::                                                                          ::
:: Note, if you are working on a machine remotely and firewalling it, you   ::
:: could lock yourself out accidently. Then your screwed, so place a rule   ::
:: in your firewall to allow connections from a trusted host at all times,  ::
:: ie ipfwadm -I -i accept -P ip -S 196.23.2.14 -D yourip. That will allow  ::
:: all types of connection to all ports from host 196.23.2.14. Note that it ::
:: is not always good security practice for your firewall to explicity trust::
:: any box!                                                                 ::
::                                                                          ::
:: Remember that the firewall runs down the list of rules until it meets a  ::
:: match with any connection attempt, so rule 1 will have preference over   ::
:: rule 2, etc. Place your rules accordingly. Lets say you wanted to allow  ::
:: access to SQUID on 3128 to only your LAN (which owns 196.34.23.*) but    ::
:: not to any else out there.                                               ::
::                                                                          ::
:: ipfwadm -I -i deny -P tcp -S 0.0.0.0/0 -D yourip 3128                    ::
:: ipfwadm -I -i accept -P tcp -S 196.34.23.0/24 -D yourip 3128             ::
::                                                                          ::
:: Easy huh? Use -a instead of -i to add a rule at the end of the rules     ::
:: chain instead of at the front.                                           ::
::                                                                          ::
:: Under fBSD its even simpler using ipfw. "ipfw list" will give you a list ::
:: of currently existing rules. More than likely there is nothing except    ::
:: the last rule which allows all traffic through. ipfw allows us to specify::
:: a number for each rule thats created, making it easier to work with      ::
:: rules' order of preference. To add a rule like above for the ftpd, type  ::
:: ipfw add 1000 deny tcp from any to youripgoeshere 21 That will disallow  ::
:: any connections to your ftpd. The "1000" is the rule number, use ipfw    ::
:: list to decide an appropriate number, but remember you have all the      ::
:: numbers available down to approx 65k :)                                  ::
::                                                                          ::
:: Similarily, the SQUID setup as above is done by using a rule to block    ::
:: all access to port 3128, an then a rule before that to allow access from ::
:: our subnet. ipfw add 500 deny tcp from any to youripgoeshere 3128        ::
:: disallows all connections, and ipfw add 450 allow tcp from 196.34.23.0/24::
:: to youripgoeshere 3128 will allow connections from our subnet            ::
:: 196.34.23.0/24.                                                          ::
::                                                                          ::
:: RTFM for more. -jus                                                      ::
::                                                                          ::
::--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--::


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH