IPFW Configuring IPFW for the first time .....Trying to understand the rules

john_rambo · Oct 28, 2021

I read this Wiki >>> https://docs.freebsd.org/en/books/handbook/firewalls/#firewalls-ipfw

To use one of the default firewall types provided by FreeBSD, add another line which specifies the type:
# sysrc firewall_type="open"
The available types are:

open: passes all traffic.

client: protects only this machine.

simple: protects the whole network.

closed: entirely disables IP traffic except for the loopback interface.

workstation: protects only this machine using stateful rules.

UNKNOWN: disables the loading of firewall rules.

Under Linux I was using ufw to configure iptables. I was using the policy deny all in & allow all out.
I have presently applied the workstation type by using the command

Code:

sysrc firewall_type=workstation

This is the my present configuration

Code:

~> sudo ipfw show
Password:
00100  62  8626 allow ip from any to any via lo0
00200   0     0 deny ip from any to 127.0.0.0/8
00300   0     0 deny ip from 127.0.0.0/8 to any
00400   0     0 deny ip from any to ::1
00500   0     0 deny ip from ::1 to any
00600   0     0 allow ipv6-icmp from :: to ff02::/16
00700   0     0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800   0     0 allow ipv6-icmp from fe80::/10 to ff02::/16
00900   0     0 allow ipv6-icmp from any to any icmp6types 1
01000   0     0 allow ipv6-icmp from any to any icmp6types 2,135,136
01100   0     0 check-state :default
01200   0     0 allow tcp from me to any established
01300  60 16846 allow tcp from me to any setup keep-state :default
01400 144 13683 allow udp from me to any keep-state :default
01500   0     0 allow icmp from me to any keep-state :default
01600   0     0 allow ipv6-icmp from me to any keep-state :default
01700   0     0 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
01800   0     0 allow udp from any 67 to me 68 in
01900   0     0 allow udp from any 67 to 255.255.255.255 68 in
02000   0     0 allow udp from fe80::/10 to me 546 in
02100   0     0 allow icmp from any to any icmptypes 8
02200   0     0 allow ipv6-icmp from any to any icmp6types 128,129
02300   0     0 allow icmp from any to any icmptypes 3,4,11
02400   0     0 allow ipv6-icmp from any to any icmp6types 3
65000   5   800 count ip from any to any
65100   0     0 deny { tcp or udp } from any to any 135-139,445 in
65200   0     0 deny { tcp or udp } from any to any 1026,1027 in
65300   0     0 deny { tcp or udp } from any to any 1433,1434 in
65400   0     0 deny ip from any to 255.255.255.255
65500   1    32 deny ip from any to 224.0.0.0/24 in
65500   0     0 deny udp from any to any 520 in
65500   0     0 deny tcp from any 80,443 to any 1024-65535 in
65500   4   768 deny ip from any to any
65535   0     0 allow ip from any to any

Is the above configuration the same as I was using under Linux that is deny all in and allow all out ?

I don't need a single incoming port to be open. This is my desktop. I want IPFW to be as restrictive as possible. If IPFW blocks any outgoing ports which does not interfere with my daily activities like web browsing, email (thunderbird), IRC (pidgin) I don't have any issues with that.

chrbr · Oct 28, 2021

I am not sure to which extend you follow other threads. Phishfry has recommended https://imaprettykitty.com/wof/. Usually I do not copy&paste answers but this site might answer your questions. If yes press "thank you" at https://forums.freebsd.org/threads/how-to-use-sshd-on-lan-interfaces-only.82581/#post-538704 post #18 :beer:

.

dd_ff_bb · Oct 28, 2021

Normally i use pf but here you :

Once you select pre defined ~~rules~~ firewall type as "workstation" its already deny all in so you don't need to deny any other incoming.

/etc/rc.conf:

firewall_enable="YES" #enable ipfw
firewall_quiet="YES" # don't log to standard output
firewall_type="workstation" # load workstation set deny all in default
firewall_myservices="22" # allow ssh service
firewall_allowservices="192.168.1.206" # only allow ssh from this ip
firewall_logdeny="YES" # log denied packages

if you dont want to allow ssh as well just comment (#) firewall_myservices and firewall_allowservices

also take a look at /etc/rc.firewall

john_rambo · Oct 28, 2021

chrbr said:
I am not sure to which extend you follow other threads. Phishfry has recommended https://imaprettykitty.com/wof/. Usually I do not copy&paste answers but this site might answer your questions. If yes press "thank you" at https://forums.freebsd.org/threads/how-to-use-sshd-on-lan-interfaces-only.82581/#post-538704 post #18
.

Thanks for that I am reviewing those rules carefully.

dd_ff_bb said:
Normally i use pf but here you :

Once you select pre defined ~~rules~~ firewall type as "workstation" its already deny all in so you don't need to deny any other incoming.

/etc/rc.conf:

firewall_enable="YES" #enable ipfw
firewall_quiet="YES" # don't log to standard output
firewall_type="workstation" # load workstation set deny all in default
firewall_myservices="22" # allow ssh service
firewall_allowservices="192.168.1.206" # only allow ssh from this ip
firewall_logdeny="YES" # log denied packages

if you dont want to allow ssh as well just comment (#) firewall_myservices and firewall_allowservices

also take a look at /etc/rc.firewall

I am confused about one thing. Are all those rules need to be written in /etc/rc.conf ? I have added the line firewall_enable="YES" to /etc/rc.conf but when I run the command #sysrc firewall_type=workstation & then use the command sudo ipfw show it shows the changes immediately. So why the need to add those lines to /etc/rc.conf ?
BTW, I have learned that after implementing a new rule like workstation the IPFW service needs to be restarted with the commands service ipfw stop & service ipfw start.

dd_ff_bb · Oct 28, 2021

john_rambo said:
when I run the command #sysrc firewall_type=workstation

john_rambo said:
So why the need to add those lines to /etc/rc.conf ?

sysrc is doing the same thing (automated way) as editing rc.conf manually. So if you use sysrc you don't need to edit rc.conf manually.

john_rambo said:
IPFW service needs to be restarted with the commands service ipfw stop & service ipfw start.

or you can simply reload your rules file (basically sh script) if you have one

john_rambo · Oct 28, 2021

dd_ff_bb said:
sysrc is doing the same thing (automated way) as editing rc.conf manually. So if you use sysrc you don't need to edit rc.conf manually.

or you can simply reload your rules file (basically sh script) if you have one

Got it. The website that chrbr mentioned which was provided by Phishfry on another thread. If you compare the rules that the type workstation generates with the rules mentioned in that website in your opinion is the rules on that website more restrictive ?

dd_ff_bb · Oct 28, 2021

john_rambo said:
If you compare the rules the type workstation generates with the rules mentioned in that website in your opinion is the rules on that website more restrictive ?

I didnt look at that website. But basically as i mentioned before workstation is deny all in so i dont know how more restrictive you can be.

Also the reason i mentioned to look into /etc/rc.firewall was for this clarification.

Anyways i'll do the heavy lifting for you. From /etc/rc.firewall:

Code:

############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open        - will allow anyone in
#   client      - will try to protect just this machine
#   simple      - will try to protect a whole network
#   closed      - totally disables IP services except via lo0 interface
#   workstation - will try to protect just this machine using stateful
#                 firewalling. See below for rc.conf variables used
#   UNKNOWN     - disables the loading of firewall rules.
#   filename    - will load the rules in the given filename (full path required)
#
# For ``client'' and ``simple'' the entries below should be customized
# appropriately.

############

Edit: My suggestion read rest of the file as well so you'll understand what its doing

john_rambo · Oct 28, 2021

dd_ff_bb said:
I didnt look at that website. But basically as i mentioned before workstation is deny all in so i dont know how more restrictive you can be.

Also the reason i mentioned to look into /etc/rc.firewall was for this clarification.

Anyways i'll do the heavy lifting for you. From /etc/rc.firewall:

Code:

############ # Define the firewall type in /etc/rc.conf. Valid values are: # open - will allow anyone in # client - will try to protect just this machine # simple - will try to protect a whole network # closed - totally disables IP services except via lo0 interface # workstation - will try to protect just this machine using stateful # firewalling. See below for rc.conf variables used # UNKNOWN - disables the loading of firewall rules. # filename - will load the rules in the given filename (full path required) # # For ``client'' and ``simple'' the entries below should be customized # appropriately. ############

Edit: My suggestion read rest of the file as well so you'll understand what its doing

Yes, I read the exact same thing in the wiki page that mentioned in my first post. Okay so IPFW is doing its job so I can relax & do my work. Thanks a lot to both of you.

john_rambo · Oct 30, 2021

dd_ff_bb

Can you please tell me what this last line of the workstation type does ?

Code:

65535 allow ip from any to any

chrbr · Oct 30, 2021

The firewall ipfw processes rules one by one until one applies. In your configuration it will never apply because everything is denied in line 65000. BTW: There might have been a change in FreeBSD12.* which I run to FreeBSD13.*. I also use the workstation rule. But the last two lines of ipfw show deny everything. Somewhere in the configurations is a default for the last line. It is to allow or deny everything. There is the possibility to overwrite that in /etc/rc.conf.

john_rambo · Oct 30, 2021

chrbr said:
The firewall ipfw processes rules one by one until one applies. In your configuration it will never apply because everything is denied in line 65000. BTW: There might have been a change in FreeBSD12.* which I run to FreeBSD13.*. I also use the workstation rule. But the last two lines of ipfw show deny everything. Somewhere in the configurations is a default for the last line. It is to allow or deny everything. There is the possibility to overwrite that in /etc/rc.conf.

Since I am new to FreeBSD I am experimenting with different stuff so that I can learn. I just disabled IPFW & enabled PF. I have to admit that PF is much easier to configure than IPFW. To apply deny all in and allow all out the only thing to do is add the following lines to /etc/pf.conf

Code:

block in all
pass out all keep state

My next task is to learn how to block all outgoing ports by default and allowing only specific ports which are needed for everyday tasks like web browsing, using email clients, etc. I know how to do that under Linux using ufw. This is an tutorial which I used to follow when I was using Linux >> Click here

chrbr · Oct 30, 2021

Dear john_rambo,
I have almost no knowledge about pf. There is just one thing. The pf firewall has been ported from OpenBSD long time ago. Nowadays there are differences between both variants. This should one have in mind if it is about tutorials and so on. But it is good so see you experimenting and reporting your findings. I can learn from your results.

hardworkingnewbie · Oct 30, 2021

Here's the Pf firewall handbook by Peter Hansteen: https://home.nuug.no/~peter/pf/en/

While Hansteen refers to OpenBSD, he explicitly also tells when OpenBSD differs and how FreeBSD still works. So a good overall read for FreeBSD as well, and very detailed.