Difference between revisions of "Firewall"
(→IPFW on GhostBSD) |
(19 intermediate revisions by the same user not shown) | |||
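--- a/Firewall
+++ b/Firewall
@@ -1,6 +1,144 @@
 {{welcome}}
+==Introduction==
+[https://www.freebsd.org/cgi/man.cgi?query=ipfw&sektion=8&manpath=freebsd-release-ports IPFW] or ipfirewall is an internet-protocol-firewall written for FreeBSD.
+The ipfw system facility allows filtering, redirecting, and other operations on IP packets travelling through network interfaces.
+A firewall configuration, or ruleset, is made of a list of rules numbered from 1 to 65535. Packets are passed to the firewall from a number of different places in the protocol stack (depending on the source and destination of the packet, it is possible for the firewall to be invoked multiple times on the same packet). The packet passed to the firewall is compared against each of the rules in the ruleset, in rule-number order (multiple rules with the same number are permitted, in which case they are processed in order of insertion). When a match is found, the action corresponding to the matching rule is performed.
+
+
+
+==IPFW on GhostBSD==
+
+On GhostBSD ipfw is managed by [[OpenRC]].
+
+{|class="wikitable" style="width:96.5%;background:#FFFFFF; border:2px solid #008000"
+|-
+|style="text-align:center;padding: 10px" | [[File:Dialog-warning.png|35px|link=]] '''Attention: Please do not use FreeBSD firewall guidance on the FreeBSD handbook.'''
+|}
+
+IPFW is already setup to default: [[/boot/defaults/loader.conf#Set ipfw to default accept|Set ipfw to default accept]]<br/>
+If you run <code>[[Rc-update|rc-update]]</code> it shows all running services, ipfw included.
+
-
 [[OpenRC]] manages how ipfw (/etc/[[Init.d|init.d]]/ipfw) configuration is initialized. <br/>
 The old way defined by TrueOS allows you to define the firewall rules via a /etc/ipfw.conf file. You have to create that file as it does not exist by default.<br/>
-However, OpenRC (main branch) defines the firewall rules within the /etc/ipfw.
+However, OpenRC (main branch) defines the firewall rules within the '''/etc/ipfw.rules''' file itself.<br/>
+If the file does not exist on GhostBSD you have to create it.
+
+See examples:
+* [https://gist.github.com/nileshgr/5990712 Nilesh on Github]
+* [https://unixguide.net/freebsd/fbsd_installguide71/06.09.4-IPFW_Rule_Sets.htm unixguide]
+* [https://sirtoffski.github.io/docs/freebsd-ipfw/ ipfw.rules]
+
+See: [https://github.com/OpenRC/openrc/blob/master/conf.d/ipfw ipfw on OpenRC]
+
+==IPFW Script==
+#!/sbin/openrc-run
+name="ipfw"
+description="Firewall, traffic shaper, packet scheduler, in-kernel NAT"
+firewall_coscripts="natd ${firewall_coscripts}"
+SYSCTL="/sbin/sysctl"
+. /etc/network.subr
+depend()
+{
+before net
+provide firewall
+keyword -jail -stop -shutdown
+}
+load_kld()
+{
+kldload -nq $1
+}
+start_pre()
+{
+load_kld ipfw
+if yesno dummynet_enable; then
+load_kld "dummynet"
+fi
+if yesno natd_enable; then
+load_kld "ipdivert"
+fi
+if yesno firewall_nat_enable; then
+load_kld "ipfw_nat"
+fi
+}
+start()
+{
+local _firewall_type
+_firewall_type=$1
+ebegin "Starting $name"
+# set the firewall rules script if none was specified
+[ -z "${firewall_script}" ] && firewall_script='''/etc/ipfw.rules'''
+if [ -r "${firewall_script}" ]; then
+/bin/sh "${firewall_script}" "${_firewall_type}"
+elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
+ewarn 'Warning: kernel has firewall functionality, but' \
+' firewall rules are not enabled.' ewarn ' All ip services are disabled.'
+fi
+# Firewall logging
+#
+if yesno firewall_logging; then
+sysctl net.inet.ip.fw.verbose=1 >/dev/null
+fi
+if yesno firewall_logif; then
+ifconfig ipfw0 create
+fi
+eend 0
+}
+start_post()
+{
+local _coscript
+# Start firewall coscripts
+#
+for _coscript in ${firewall_coscripts} ; do
+if [ -f "${_coscript}" ]; then
+service ${_coscript} start >/dev/null 2>/dev/null
+fi
+done
+# Enable the firewall
+#
+if ! ${SYSCTL} net.inet.ip.fw.enable=1 1>/dev/null 2>&1; then
+ewarn "failed to enable IPv4 firewall"
+fi
+if afexists inet6; then
+if ! ${SYSCTL} net.inet6.ip6.fw.enable=1 1>/dev/null 2>&1
+then
+ewarn "failed to enable IPv6 firewall"
+fi
+fi
+}
+reverse_list()
+{
+_revlist=
+for _revfile; do
+_revlist="$_revfile $_revlist"
+done
+echo $_revlist
+}
+stop()
+{
+local _coscript
+# Disable the firewall
+#
+ebegin "Stopping $name"
+${SYSCTL} net.inet.ip.fw.enable=0
+if afexists inet6; then
+${SYSCTL} net.inet6.ip6.fw.enable=0
+fi
+# Stop firewall coscripts
+#
+for _coscript in `reverse_list ${firewall_coscripts}` ; do
+if [ -f "${_coscript}" ]; then
+service ${_coscript} stop >/dev/null 2>/dev/null
+fi
+done
+eend 0
+}
+
+==Some ideas about Firewalls==
+An interesting article about firewalls you will find on the [https://wiki.gentoo.org/wiki/Security_Handbook/Firewalls Gentoo wiki].
+
+
+{|class="wikitable" style="width:95%;background:#FFFFFF; border:2px solid #008000;text-align:center;padding: 10px"
+|'''Back to the''' [[image:Icon Disti GhostBSD.png|50px|link=GhostBSD Wiki]]'''Wiki'''
+
+|}
-
+[[Category:Central Station Sysutils]]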
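Review bot: In `start()` of the IPFW Script section the exit status of `/bin/sh "${firewall_script}" "${_firewall_type}"` is discarded and `eend 0` always reports success, so a rules file that fails part-way leaves the service marked started with whatever the kernel default is — and this page says ipfw on GhostBSD is set to default accept, so a failed load silently means an open firewall. I would change that line to `/bin/sh "${firewall_script}" "${_firewall_type}" || { eend 1; return 1; }`. Two lines further down, `ewarn ' All ip services are disabled.'` sits on the same line as the continuation of the previous `ewarn`, so it is passed as an extra argument instead of being run as its own command; it belongs on a line of its own. Since the rules file is executed as root, the paragraph introducing /etc/ipfw.rules should also state that the file must be owned by root and not writable by other users.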
Latest revision as of 08:39, 18 October 2020
Welcome to Firewall. |
Introduction[edit]
IPFW or ipfirewall is an internet-protocol-firewall written for FreeBSD. The ipfw system facility allows filtering, redirecting, and other operations on IP packets travelling through network interfaces. A firewall configuration, or ruleset, is made of a list of rules numbered from 1 to 65535. Packets are passed to the firewall from a number of different places in the protocol stack (depending on the source and destination of the packet, it is possible for the firewall to be invoked multiple times on the same packet). The packet passed to the firewall is compared against each of the rules in the ruleset, in rule-number order (multiple rules with the same number are permitted, in which case they are processed in order of insertion). When a match is found, the action corresponding to the matching rule is performed.
IPFW on GhostBSD[edit]
On GhostBSD ipfw is managed by OpenRC.
Attention: Please do not use the FreeBSD firewall guidance from the FreeBSD Handbook.
IPFW is already set up by default: Set ipfw to default accept
If you run rc-update, it shows all running services, ipfw included.
OpenRC manages how ipfw (/etc/init.d/ipfw) configuration is initialized.
The old way defined by TrueOS allows you to define the firewall rules via a /etc/ipfw.conf file. You have to create that file as it does not exist by default.
However, OpenRC (main branch) defines the firewall rules within the /etc/ipfw.rules file itself.
If the file does not exist on GhostBSD you have to create it.
See examples:
See: ipfw on OpenRC
IPFW Script[edit]
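#!/sbin/openrc-run
# OpenRC service script for ipfw on GhostBSD: loads the kernel modules,
# runs the rules file, then switches the packet filter on via sysctl.

name="ipfw"
description="Firewall, traffic shaper, packet scheduler, in-kernel NAT"
# Companion services: started after the firewall comes up, stopped before
# it goes down.
firewall_coscripts="natd ${firewall_coscripts}"
SYSCTL="/sbin/sysctl"

. /etc/network.subr

depend()
{
    before net
    provide firewall
    # -stop/-shutdown: the filter is never torn down on a runlevel change
    # or at shutdown; -jail: skipped inside a jail.
    keyword -jail -stop -shutdown
}

# Load one kernel module by name: -n is a no-op if it is already loaded,
# -q keeps it quiet.
load_kld()
{
    kldload -nq "$1"
}

# Load ipfw itself plus whichever optional modules the conf.d knobs enable.
start_pre()
{
    load_kld ipfw
    if yesno dummynet_enable; then
        load_kld "dummynet"
    fi
    if yesno natd_enable; then
        load_kld "ipdivert"
    fi
    if yesno firewall_nat_enable; then
        load_kld "ipfw_nat"
    fi
}

# Load the ruleset.  $1 (the firewall type) is handed on to the rules file.
# A rules file that exits non-zero makes the service fail instead of
# reporting success: otherwise the kernel's default policy would stay in
# force while the service shows as started.
start()
{
    local _firewall_type
    _firewall_type=$1
    ebegin "Starting $name"
    # Fall back to the OpenRC rules file when conf.d/ipfw set none.
    [ -z "${firewall_script}" ] && firewall_script=/etc/ipfw.rules
    if [ -r "${firewall_script}" ]; then
        # Runs as root: the file should be owned by root and not writable
        # by anyone else.
        if ! /bin/sh "${firewall_script}" "${_firewall_type}"; then
            ewarn "failed to load firewall rules from ${firewall_script}"
            eend 1
            return 1
        fi
    elif [ "$(ipfw list 65535)" = "65535 deny ip from any to any" ]; then
        # No rules file and a deny-all default rule: nothing gets through.
        ewarn 'Warning: kernel has firewall functionality, but' \
            ' firewall rules are not enabled.'
        ewarn ' All ip services are disabled.'
    fi
    # Firewall logging
    if yesno firewall_logging; then
        ${SYSCTL} net.inet.ip.fw.verbose=1 >/dev/null
    fi
    if yesno firewall_logif; then
        ifconfig ipfw0 create
    fi
    eend 0
}

# Start the companion services, then enable the filter for IPv4 and, when
# the system has the address family, IPv6.
start_post()
{
    local _coscript
    for _coscript in ${firewall_coscripts}; do
        # NOTE(review): with a bare name such as "natd" this test looks for
        # a file in the current directory - confirm the intended path.
        if [ -f "${_coscript}" ]; then
            service "${_coscript}" start >/dev/null 2>&1
        fi
    done
    if ! ${SYSCTL} net.inet.ip.fw.enable=1 >/dev/null 2>&1; then
        ewarn "failed to enable IPv4 firewall"
    fi
    if afexists inet6; then
        if ! ${SYSCTL} net.inet6.ip6.fw.enable=1 >/dev/null 2>&1; then
            ewarn "failed to enable IPv6 firewall"
        fi
    fi
}

# Echo the positional arguments in reverse order, so that coscripts are
# stopped in the opposite order from the one they were started in.
reverse_list()
{
    local _revlist _revfile
    _revlist=
    for _revfile; do
        _revlist="$_revfile $_revlist"
    done
    echo $_revlist
}

# Disable the filter, then stop the companion services.
stop()
{
    local _coscript
    ebegin "Stopping $name"
    ${SYSCTL} net.inet.ip.fw.enable=0
    if afexists inet6; then
        ${SYSCTL} net.inet6.ip6.fw.enable=0
    fi
    for _coscript in $(reverse_list ${firewall_coscripts}); do
        if [ -f "${_coscript}" ]; then
            service "${_coscript}" stop >/dev/null 2>&1
        fi
    done
    eend 0
}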
Some ideas about Firewalls[edit]
You will find an interesting article about firewalls on the Gentoo wiki.