IPFW2

Ah yes, IPFW2!  Well, I searched high and low, and finally put together enough information to build IPFW2 into my new 4.7-RELEASE test machine.  Here is the process that I followed to get it compiled, installed and working:

Run /stand/sysinstall and choose configure, then distributions, then src, then lib, sbin and sys from the list.

Follow the prompts to install from your usual medium (CD, FTP, etc.) as normal.

Once you have the sources installed, rebuild libalias...

cd /usr/src/lib/libalias
make -DIPFW2
make install

Next rebuild the ipfw(8) utility...

cd /usr/src/sbin/ipfw
make -DIPFW2
make install

Next, start working on the kernel configuration file in preparation for the rebuild...

cd /usr/src/sys/i386/conf
cp GENERIC FIREWALL

Add the following to the 'FIREWALL' kernel config file ((un)commenting as you wish):

options MROUTING
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
#options IPFIREWALL_VERBOSE_LIMIT=100
#options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPV6FIREWALL
options IPV6FIREWALL_VERBOSE
#options IPV6FIREWALL_VERBOSE_LIMIT=100
#options IPV6FIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
options IPSTEALTH
options TCPDEBUG
options DUMMYNET
options BRIDGE
options IPFW2

Now that you have the required options in your kernel configuration file, start the rebuilding process...

/usr/sbin/config FIREWALL
cd ../../compile/FIREWALL

Make sure you have console access OR set firewall type to 'open' in /etc/rc.conf before running the following command!

make depend && make && make install && reboot

Ok, now that you have the kernel rebuilt and the machine reloaded, you are ready to start building the rules.  Now, the reason that I started this whole process of working on IPFW2 is because I am using FreeBSD as an Access Point for my 802.11b wireless network.  The real attraction here is that IPFW2 can do layer 2 filtering, which means that I can specifically define the MAC addresses of my wireless cards within the IPFW2 configuration, providing a great (extra) layer of security to my wireless network!

That's all for now..... more to come!


As promised, here is more!  I thought that I would post a few rules from my test firewall configuration, just as an example of command syntax:

fwcmd="/sbin/ipfw -q"

mymac="00:a0:cc:53:73:df"
bcastmac="ff:ff:ff:ff:ff:ff"
roguemac="00:80:5f:9f:40:47"
magnetomac="00:80:5f:19:e1:17"

ipanyany="ip from any to any"

${fwcmd} -f flush
${fwcmd} add permit ${ipanyany} MAC ${bcastmac} ${roguemac} in via dc0
${fwcmd} add permit ${ipanyany} MAC ${mymac} ${roguemac} in via dc0
${fwcmd} add permit ${ipanyany} MAC ${bcastmac} ${magnetomac} in via dc0
${fwcmd} add permit ${ipanyany} MAC ${mymac} ${magnetomac} in via dc0
${fwcmd} add permit ${ipanyany} MAC any ${mymac} out xmit dc0 keep-state
${fwcmd} add deny log ${ipanyany} MAC any any in via dc0
${fwcmd} add allow ${ipanyany}
${fwcmd} zero

The main difference that I noticed from the start is the order in which you list the MAC addresses.  For TCP/UDP/IP/etc. you list the SOURCE then the DESTINATION.  The syntax for the MAC address definitions is the opposite!  First, you list the DESTINATION, then the SOURCE.  The first two rules allow the machine 'ROGUE' to send frames to the broadcast MAC address ff:ff:ff:ff:ff:ff (like you would see in an ARP request) as well as to the MAC address of the dc0 NIC itself.

The above configuration is by no means a viable firewall rule set, and it was just created so that I could play with the syntax used to filter layer 2 addresses.  This knowledge will be applied to my ThinkPad HOSTAP within the next couple of days!
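Since the reversed MAC operand order is the part that is easy to get wrong, here is an added example (not from the original page) of a small sh script that generates the per-client layer-2 rules for a list of wireless client MACs and validates each address before it becomes a rule. It reuses the interface name and MAC values from the rule set above; the client list is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): build the layer-2 rules for a
# list of wireless client MACs, keeping the IPFW2 operand order straight:
# "MAC <dst> <src>", the reverse of the "from <src> to <dst>" order used for IP.
# dc0 and mymac are taken from the page; the client list below is constructed.

fwcmd="/sbin/ipfw -q"
iface="dc0"
mymac="00:a0:cc:53:73:df"
bcastmac="ff:ff:ff:ff:ff:ff"
ipanyany="ip from any to any"

# Accept only a canonical lower-case, colon-separated MAC, so a typo in the
# allow list cannot silently produce a rule that never matches.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Emit (to stdout) the two rules that admit one client on the wireless side:
# its broadcast frames (ARP requests) and its unicast frames addressed to us.
client_rules() {
    client="$1"
    valid_mac "$client" || return 1
    echo "add permit ${ipanyany} MAC ${bcastmac} ${client} in via ${iface}"
    echo "add permit ${ipanyany} MAC ${mymac} ${client} in via ${iface}"
}

# Full rule text for a whitespace-separated list of client MACs; anything
# else arriving on the wireless interface is denied and logged.
mac_ruleset() {
    for c in $1; do
        client_rules "$c" || return 1
    done
    echo "add permit ${ipanyany} MAC any ${mymac} out xmit ${iface} keep-state"
    echo "add deny log ${ipanyany} MAC any any in via ${iface}"
}

# Constructed client list for the demonstration (the two MACs from the page).
clients="00:80:5f:9f:40:47 00:80:5f:19:e1:17"

# Only touch the firewall when explicitly asked and ipfw is present; the
# functions above can be inspected or tested without loading anything.
if [ -x /sbin/ipfw ] && [ "${1:-}" = "--load" ]; then
    ${fwcmd} -f flush
    mac_ruleset "$clients" | while read -r rule; do ${fwcmd} ${rule}; done
fi
```

Run it without arguments to inspect the generated text (`mac_ruleset "$clients"`), and with `--load` on the firewall host to install the rules.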


Here is another example!  This rule belongs to set 2 and allows all of the IPv6-related protocol types defined in /etc/protocols to pass from any to any:

ipfw add 70 set 2 permit log { 41 or 43 or 44 or 59 or 59 or 60 } from any to any

Even though the man page (page 6) says that you can use parentheses or braces, I received an error:

syntax error near unexpected token `('

when trying to use parentheses, but braces did work.  Here is how that rule looks when issuing the ipfw -S show command:

00070 0 0 set 2 allow log { ipv6 or ipv6-route or ipv6-frag or ipv6-nonxt or ipv6-nonxt or ipv6-opts } from any to any

More to come...

My name is Michael Oliver, and I can be contacted by email here.
This page was last modified on Friday, 11-Mar-2011 21:01:58 UTC.