Difference between revisions of "Firewall"

From GhostBSD Wiki
 
If you run <code>[[Rc-update|rc-update]]</code> it shows all running services, ipfw included.  
 
 
==Settings==

The OpenRC service script for ipfw (/etc/[[Init.d|init.d]]/ipfw):

<pre>
name="ipfw"
description="Firewall, traffic shaper, packet scheduler, in-kernel NAT"
firewall_coscripts="natd ${firewall_coscripts}"
SYSCTL="/sbin/sysctl"

. /etc/network.subr

depend() {
    before net
    provide firewall
    keyword -jail -stop -shutdown
}

load_kld() {
    kldload -nq $1
}

start_pre()
{
    load_kld ipfw
    if yesno dummynet_enable; then
        load_kld "dummynet"
    fi
    if yesno natd_enable; then
        load_kld "ipdivert"
    fi
    if yesno firewall_nat_enable; then
        load_kld "ipfw_nat"
    fi
}

start()
{
    local _firewall_type

    _firewall_type=$1

    ebegin "Starting $name"
    # set the firewall rules script if none was specified
    [ -z "${firewall_script}" ] && firewall_script=/etc/ipfw.rules

    if [ -r "${firewall_script}" ]; then
        /bin/sh "${firewall_script}" "${_firewall_type}"
    # no rules script: warn if only the kernel's built-in rule 65535 (deny all) is loaded
    elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
        ewarn 'Warning: kernel has firewall functionality, but' \
            ' firewall rules are not enabled.'
        ewarn '          All ip services are disabled.'
    fi

    # Firewall logging
    #
    if yesno firewall_logging; then
        sysctl net.inet.ip.fw.verbose=1 >/dev/null
    fi
    if yesno firewall_logif; then
        ifconfig ipfw0 create
    fi
    eend 0
}

start_post()
{
    local _coscript

    # Start firewall coscripts
    #
    for _coscript in ${firewall_coscripts} ; do
        if [ -f "${_coscript}" ]; then
            service ${_coscript} start >/dev/null 2>/dev/null
        fi
    done

    # Enable the firewall
    #
    if ! ${SYSCTL} net.inet.ip.fw.enable=1 1>/dev/null 2>&1; then
        ewarn "failed to enable IPv4 firewall"
    fi
    if afexists inet6; then
        if ! ${SYSCTL} net.inet6.ip6.fw.enable=1 1>/dev/null 2>&1
        then
            ewarn "failed to enable IPv6 firewall"
        fi
    fi
}

# print the arguments in reverse order, so coscripts stop in the opposite order they started
reverse_list()
{
    _revlist=
    for _revfile; do
        _revlist="$_revfile $_revlist"
    done
    echo $_revlist
}

stop()
{
    local _coscript

    # Disable the firewall
    #
    ebegin "Stopping $name"
    ${SYSCTL} net.inet.ip.fw.enable=0
    if afexists inet6; then
        ${SYSCTL} net.inet6.ip6.fw.enable=0
    fi

    # Stop firewall coscripts
    #
    for _coscript in `reverse_list ${firewall_coscripts}` ; do
        if [ -f "${_coscript}" ]; then
            service ${_coscript} stop >/dev/null 2>/dev/null
        fi
    done
    eend 0
}
</pre>
 
 
  
 
[[OpenRC]] manages how ipfw (/etc/[[Init.d|init.d]]/ipfw) configuration is initialized. <br/>
 

Revision as of 17:51, 17 October 2020

Welcome to the GhostBSD Firewall page.

Introduction

IPFW or ipfirewall is an internet-protocol-firewall written for FreeBSD. The ipfw system facility allows filtering, redirecting, and other operations on IP packets travelling through network interfaces. A firewall configuration, or ruleset, is made of a list of rules numbered from 1 to 65535. Packets are passed to the firewall from a number of different places in the protocol stack (depending on the source and destination of the packet, it is possible for the firewall to be invoked multiple times on the same packet). The packet passed to the firewall is compared against each of the rules in the ruleset, in rule-number order (multiple rules with the same number are permitted, in which case they are processed in order of insertion). When a match is found, the action corresponding to the matching rule is performed.


IPFW on GhostBSD

On GhostBSD ipfw is managed by OpenRC.

Attention: Please do not use the FreeBSD firewall guidance from the FreeBSD Handbook.

IPFW is already set up by default (see: Set ipfw to default accept).
If you run rc-update, it shows all running services, ipfw included.


OpenRC manages how ipfw (/etc/init.d/ipfw) configuration is initialized.

The old way, defined by TrueOS, lets you define the firewall rules in a /etc/ipfw.conf file. You have to create that file, as it does not exist by default.

However, OpenRC (main branch) defines the firewall rules within the /etc/ipfw.conf file itself.

See: ipfw on OpenRC

Some ideas about Firewalls

You will find an interesting article about firewalls on the Gentoo wiki.

