| Latest revision |
Your text |
| Line 1: |
Line 1: |
| − | {{welcome}}
| + | IPFW is already setup to default. |
| − | ==Introduction==
| + | OpenRC manages how ipfw (/etc/init.d/ipfw) configuration is initialized. |
| − | [https://www.freebsd.org/cgi/man.cgi?query=ipfw&sektion=8&manpath=freebsd-release-ports IPFW] or ipfirewall is an internet-protocol-firewall written for FreeBSD.
| + | |
| − | The ipfw system facility allows filtering, redirecting, and other operations on IP packets travelling through network interfaces.
| + | |
| − | A firewall configuration, or ruleset, is made of a list of rules numbered from 1 to 65535. Packets are passed to the firewall from a number of different places in the protocol stack (depending on the source and destination of the packet, it is possible for the firewall to be invoked multiple times on the same packet). The packet passed to the firewall is compared against each of the rules in the ruleset, in rule-number order (multiple rules with the same number are permitted, in which case they are processed in order of insertion). When a match is found, the action corresponding to the matching rule is performed.
| + | |
| | | | |
| − | | + | Do not use FreeBSD firewall guidance. |
| − | | + | |
| − | ==IPFW on GhostBSD==
| + | |
| − | | + | |
| − | On GhostBSD ipfw is managed by [[OpenRC]].
| + | |
| − | | + | |
| − | {|class="wikitable" style="width:96.5%;background:#FFFFFF; border:2px solid #008000"
| + | |
| − | |-
| + | |
| − | |style="text-align:center;padding: 10px" | [[File:Dialog-warning.png|35px|link=]] '''Attention: Please do not use FreeBSD firewall guidance on the FreeBSD handbook.'''
| + | |
| − | |}
| + | |
| − | | + | |
| − | IPFW is already setup to default: [[/boot/defaults/loader.conf#Set ipfw to default accept|Set ipfw to default accept]]<br/>
| + | |
| − | If you run <code>[[Rc-update|rc-update]]</code> it shows all running services, ipfw included.
| + | |
| − |
| + | |
| − | | + | |
| − | [[OpenRC]] manages how ipfw (/etc/[[Init.d|init.d]]/ipfw) configuration is initialized. <br/>
| + | |
| − | | + | |
| − | The old way defined by TrueOS allows you to define the firewall rules via a /etc/ipfw.conf file. You have to create that file as it does not exist by default.<br/>
| + | |
| − | | + | |
| − | However, OpenRC (main branch) defines the firewall rules within the '''/etc/ipfw.rules''' file itself.<br/>
| + | |
| − | If the file does not exist on GhostBSD you have to create it.
| + | |
| − | | + | |
| − | See examples:
| + | |
| − | * [https://gist.github.com/nileshgr/5990712 Nilesh on Github]
| + | |
| − | * [https://unixguide.net/freebsd/fbsd_installguide71/06.09.4-IPFW_Rule_Sets.htm unixguide]
| + | |
| − | * [https://sirtoffski.github.io/docs/freebsd-ipfw/ ipfw.rules]
| + | |
| − | | + | |
| − | See: [https://github.com/OpenRC/openrc/blob/master/conf.d/ipfw ipfw on OpenRC]
| + | |
| − | | + | |
| − | ==IPFW Script==
| + | |
| − | #!/sbin/openrc-run
| + | |
| − | name="ipfw"
| + | |
| − | description="Firewall, traffic shaper, packet scheduler, in-kernel NAT"
| + | |
| − | firewall_coscripts="natd ${firewall_coscripts}"
| + | |
| − | SYSCTL="/sbin/sysctl"
| + | |
| − | . /etc/network.subr
| + | |
| − | depend()
| + | |
| − | {
| + | |
| − | before net
| + | |
| − | provide firewall
| + | |
| − | keyword -jail -stop -shutdown
| + | |
| − | }
| + | |
| − | load_kld()
| + | |
| − | {
| + | |
| − | kldload -nq $1
| + | |
| − | }
| + | |
| − | start_pre()
| + | |
| − | {
| + | |
| − | load_kld ipfw
| + | |
| − | if yesno dummynet_enable; then
| + | |
| − | load_kld "dummynet"
| + | |
| − | fi
| + | |
| − | if yesno natd_enable; then
| + | |
| − | load_kld "ipdivert"
| + | |
| − | fi
| + | |
| − | if yesno firewall_nat_enable; then
| + | |
| − | load_kld "ipfw_nat"
| + | |
| − | fi
| + | |
| − | }
| + | |
| − | start()
| + | |
| − | {
| + | |
| − | local _firewall_type
| + | |
| − | _firewall_type=$1
| + | |
| − | ebegin "Starting $name"
| + | |
| − | # set the firewall rules script if none was specified
| + | |
| − | [ -z "${firewall_script}" ] && firewall_script='''/etc/ipfw.rules'''
| + | |
| − | if [ -r "${firewall_script}" ]; then
| + | |
| − | /bin/sh "${firewall_script}" "${_firewall_type}"
| + | |
| − | elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
| + | |
| − | ewarn 'Warning: kernel has firewall functionality, but' \
| + | |
| − | ' firewall rules are not enabled.' ewarn ' All ip services are disabled.'
| + | |
| − | fi
| + | |
| − | # Firewall logging
| + | |
| − | #
| + | |
| − | if yesno firewall_logging; then
| + | |
| − | sysctl net.inet.ip.fw.verbose=1 >/dev/null
| + | |
| − | fi
| + | |
| − | if yesno firewall_logif; then
| + | |
| − | ifconfig ipfw0 create
| + | |
| − | fi
| + | |
| − | eend 0
| + | |
| − | }
| + | |
| − | start_post()
| + | |
| − | {
| + | |
| − | local _coscript
| + | |
| − | # Start firewall coscripts
| + | |
| − | #
| + | |
| − | for _coscript in ${firewall_coscripts} ; do
| + | |
| − | if [ -f "${_coscript}" ]; then
| + | |
| − | service ${_coscript} start >/dev/null 2>/dev/null
| + | |
| − | fi
| + | |
| − | done
| + | |
| − | # Enable the firewall
| + | |
| − | #
| + | |
| − | if ! ${SYSCTL} net.inet.ip.fw.enable=1 1>/dev/null 2>&1; then
| + | |
| − | ewarn "failed to enable IPv4 firewall"
| + | |
| − | fi
| + | |
| − | if afexists inet6; then
| + | |
| − | if ! ${SYSCTL} net.inet6.ip6.fw.enable=1 1>/dev/null 2>&1
| + | |
| − | then
| + | |
| − | ewarn "failed to enable IPv6 firewall"
| + | |
| − | fi
| + | |
| − | fi
| + | |
| − | }
| + | |
| − | reverse_list()
| + | |
| − | {
| + | |
| − | _revlist=
| + | |
| − | for _revfile; do
| + | |
| − | _revlist="$_revfile $_revlist"
| + | |
| − | done
| + | |
| − | echo $_revlist
| + | |
| − | }
| + | |
| − | stop()
| + | |
| − | {
| + | |
| − | local _coscript
| + | |
| − | # Disable the firewall
| + | |
| − | #
| + | |
| − | ebegin "Stopping $name"
| + | |
| − | ${SYSCTL} net.inet.ip.fw.enable=0
| + | |
| − | if afexists inet6; then
| + | |
| − | ${SYSCTL} net.inet6.ip6.fw.enable=0
| + | |
| − | fi
| + | |
| − | # Stop firewall coscripts
| + | |
| − | #
| + | |
| − | for _coscript in `reverse_list ${firewall_coscripts}` ; do
| + | |
| − | if [ -f "${_coscript}" ]; then
| + | |
| − | service ${_coscript} stop >/dev/null 2>/dev/null
| + | |
| − | fi
| + | |
| − | done
| + | |
| − | eend 0
| + | |
| − | }
| + | |
| − | | + | |
| − | ==Some ideas about Firewalls==
| + | |
| − | An interesting article about firewalls you will find on the [https://wiki.gentoo.org/wiki/Security_Handbook/Firewalls Gentoo wiki].
| + | |
| − | | + | |
| − | | + | |
| − | {|class="wikitable" style="width:95%;background:#FFFFFF; border:2px solid #008000;text-align:center;padding: 10px"
| + | |
| − | |'''Back to the''' [[image:Icon Disti GhostBSD.png|50px|link=GhostBSD Wiki]]'''Wiki'''
| + | |
| − | | + | |
| − | |}
| + | |
| − | | + | |
| − | | + | |
| − | [[Category:Central Station Sysutils]]
| + | |
