Editing Firewall

{{welcome}}
==Introduction==
[https://www.freebsd.org/cgi/man.cgi?query=ipfw&sektion=8&manpath=freebsd-release-ports IPFW] or ipfirewall is an internet-protocol-firewall  written for FreeBSD. 
The ipfw system facility allows filtering, redirecting, and other operations on IP packets travelling through network interfaces.
A firewall	configuration, or ruleset, is made of a	list of	rules numbered    from 1 to 65535.  Packets are passed to the firewall from a number	of     different places in the protocol stack (depending on the source and destination of the packet, it	is possible for	the firewall to	be invoked     multiple times on the same	packet).  The packet passed to the firewall is     compared against each of the rules	in the ruleset,	in rule-number order     (multiple rules with the same number are permitted, in which case they     are processed in order of insertion).  When a match is found, the action     corresponding to the matching rule	is performed.




But on GhostBSD ipfw is managed by [[OpenRC]]. 

{|class="wikitable" style="width:96.5%;background:#FFFFFF; border:2px solid #008000" 
|- 
|style="text-align:center;padding: 10px" | [[File:Dialog-warning.png|35px|link=]] '''Attention:  Please do not use FreeBSD firewall guidance on the FreeBSD handbook.'''
|}

==IPFW on GhostBSD==
IPFW is already setup to default: [[/boot/defaults/loader.conf#Set ipfw to default accept|Set ipfw to default accept]]<br/>
If you run <code>[[Rc-update|rc-update]]</code> it shows all running services, ipfw included. 
 
[[OpenRC]] manages how ipfw (/etc/[[Init.d|init.d]]/ipfw) configuration is initialized. <br/>

The old way defined by TrueOS allows you to define the firewall rules via a /etc/ipfw.conf file.  You have to create that file as it does not exist by default.<br/>

However, OpenRC (main branch) defines the firewall rules within the /etc/ipfw.conf file itself.

See: [https://github.com/OpenRC/openrc/blob/master/conf.d/ipfw ipfw on OpenRC]




{|class="wikitable" style="width:95%;background:#FFFFFF; border:2px solid #008000;text-align:center;padding: 10px" 
|'''Back to the''' [[image:Icon Disti GhostBSD.png|50px|link=GhostBSD Wiki]]'''Wiki'''

|}


[[Category:Central Station Sysutils]]
@@ Line 7: / Line 7: @@
-==IPFW on GhostBSD==
-On GhostBSD ipfw is managed by [[OpenRC]].
+But on GhostBSD ipfw is managed by [[OpenRC]].
 {|class="wikitable" style="width:96.5%;background:#FFFFFF; border:2px solid #008000"
@@ Line 16: / Line 15: @@
 |}
+==IPFW on GhostBSD==
 IPFW is already setup to default: [[/boot/defaults/loader.conf#Set ipfw to default accept|Set ipfw to default accept]]<br/>
 If you run <code>[[Rc-update|rc-update]]</code> it shows all running services, ipfw included.
 [[OpenRC]] manages how ipfw (/etc/[[Init.d|init.d]]/ipfw) configuration is initialized. <br/>
 The old way defined by TrueOS allows you to define the firewall rules via a /etc/ipfw.conf file.  You have to create that file as it does not exist by default.<br/>
-However, OpenRC (main branch) defines the firewall rules within the '''/etc/ipfw.rules''' file itself.<br/>
+However, OpenRC (main branch) defines the firewall rules within the /etc/ipfw.conf file itself.
-If the file does not exist on GhostBSD you have to create it.
-See examples:
-* [https://gist.github.com/nileshgr/5990712 Nilesh on Github]
-* [https://unixguide.net/freebsd/fbsd_installguide71/06.09.4-IPFW_Rule_Sets.htm unixguide]
-* [https://sirtoffski.github.io/docs/freebsd-ipfw/ ipfw.rules]
 See: [https://github.com/OpenRC/openrc/blob/master/conf.d/ipfw ipfw on OpenRC]
-==IPFW Script==
- #!/sbin/openrc-run
- name="ipfw"
- description="Firewall, traffic shaper, packet scheduler, in-kernel NAT"
- firewall_coscripts="natd ${firewall_coscripts}"
- SYSCTL="/sbin/sysctl"
- . /etc/network.subr
- depend()
- {
- before net
- provide firewall
- keyword -jail -stop -shutdown
- }
- load_kld()
- {
- kldload -nq $1
- }
- start_pre()
- {
- load_kld ipfw
- if yesno dummynet_enable; then
- load_kld "dummynet"
- fi
- if yesno natd_enable; then
- load_kld "ipdivert"
- fi
- if yesno firewall_nat_enable; then
- load_kld "ipfw_nat"
- fi
- }
- start()
- {
- local   _firewall_type
- _firewall_type=$1
- ebegin "Starting $name"
- # set the firewall rules script if none was specified
- [ -z "${firewall_script}" ] && firewall_script='''/etc/ipfw.rules'''
- if [ -r "${firewall_script}" ]; then
- /bin/sh "${firewall_script}" "${_firewall_type}"
- elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
- ewarn 'Warning: kernel has firewall functionality, but' \
- ' firewall rules are not enabled.' ewarn '           All ip services are disabled.'
- fi
- # Firewall logging
- #
- if yesno firewall_logging; then
- sysctl net.inet.ip.fw.verbose=1 >/dev/null
- fi
- if yesno firewall_logif; then
- ifconfig ipfw0 create
- fi
- eend 0
- }
- start_post()
- {
- local	_coscript
- # Start firewall coscripts
- #
- for _coscript in ${firewall_coscripts} ; do
- if [ -f "${_coscript}" ]; then
- service ${_coscript} start >/dev/null 2>/dev/null
- fi
- done
- # Enable the firewall
- #
- if ! ${SYSCTL} net.inet.ip.fw.enable=1 1>/dev/null 2>&1; then
- ewarn "failed to enable IPv4 firewall"
- fi
- if afexists inet6; then
- if ! ${SYSCTL} net.inet6.ip6.fw.enable=1 1>/dev/null 2>&1
- then
- ewarn "failed to enable IPv6 firewall"
- fi
- fi
- }
- reverse_list()
- {
- _revlist=
- for _revfile; do
- _revlist="$_revfile $_revlist"
- done
- echo $_revlist
- }
- stop()
- {
- local	_coscript
- # Disable the firewall
- #
- ebegin "Stopping $name"
- ${SYSCTL} net.inet.ip.fw.enable=0
- if afexists inet6; then
- ${SYSCTL} net.inet6.ip6.fw.enable=0
- fi
- # Stop firewall coscripts
- #
- for _coscript in `reverse_list ${firewall_coscripts}` ; do
- if [ -f "${_coscript}" ]; then
- service ${_coscript} stop >/dev/null 2>/dev/null
- fi
- done
- eend 0
- }
-==Some ideas about Firewalls==
-An interesting article about firewalls you will find on the [https://wiki.gentoo.org/wiki/Security_Handbook/Firewalls Gentoo wiki].