The UNIX and Linux Forums  

  #1  
Old 12-28-2001
Registered User
 

Join Date: Dec 2001
Location: Houston, TX
Posts: 4
BSD Firewall

I am setting up a BSD firewall for the first time. I have recompiled the kernel and all that, but am having trouble building a good ruleset. I have read the manpages but am still having trouble creating what I need. It is either nothing is going through or everything is. Does anybody know of a decent tutorial on creating rulesets with ipfw?
  #2  
Old 01-06-2002
Registered User
 

Join Date: Jan 2002
Location: Birmingham, AL
Posts: 2
I have been using fbsd for my personal firewall at home for years now. Here is what I filter.

Block ICMP for starters.

You'll also want to filter ports that you don't want the world to be connecting to, for instance ssh. Even though ssh is encrypted, I only allow connections to that port from my internal network and the IP addresses of friends and other networks that I use. I am anal though.

To see a list of what's open, run netstat -an | grep LISTEN. You have to find out what's running on your box before you can know what rulesets to create. If you're using X, then I'd filter that port as well. Obviously it's only going to show up in a netstat output when it's up.

I compiled and briefly looked at a program called qtfw in the ports collection. It's a GUI front end to ipfw, but I don't use it.

If you want to look more at what's going on with incoming connections, turn on "log_in_vain":

# sysctl -a | grep vain
net.inet.tcp.log_in_vain: 1
net.inet.udp.log_in_vain: 1

These will be set to 0 by default.

Also, on the ipfw rules that you create, set up logging on the more important ones. You can use "log logamount" in your ipfw rules to write connection attempts to filtered ports to /var/log/security.
__________________
Brian Byers
cbbyers@cbbyers.com
http://www.cbbyers.com
  #3  
Old 01-06-2002
Registered User
 

Join Date: Jan 2002
Location: Birmingham, AL
Posts: 2
I dug this URL up for you - http://www.onlamp.com/pub/a/bsd/2001...SD_Basics.html
  #4  
Old 01-06-2002
Registered User
 

Join Date: Oct 2001
Location: Romania
Posts: 47
Re: BSD Firewall

If the BSD you are using is FreeBSD, then it is pretty simple to do that:
- edit your /etc/rc.conf and enable the firewall script at boot time: insert a line like this: firewall_enable="YES", and specify a type of firewall from the ones FreeBSD already includes: firewall_type="Open"|"Client"|"Simple"|"Unknown", or define your own type.
- take a look at /etc/rc.firewall and edit this file to suit your needs. This file contains a sample firewall configuration and I recommend it.

If you want to do something more, i.e. to have a network behind this firewall, it would be a good idea to set the firewall type to "Simple" and change the options for network address, external interface IP address, etc. And if you have only one IP address and want to make "masquerading" possible, you must add two more lines to /etc/rc.conf: natd_enable="YES" and natd_interface="your_external_interface_name (i.e. xl0)". To have this option [nat] working you must configure your kernel to support IPDIVERT.

For any other information regarding firewalls you may contact me.

Quote:
Originally posted by deadletter
I am setting up a BSD firewall for the first time. I have recompiled the kernel and all that, but am having trouble building a good ruleset. I have read the manpages but am still having trouble creating what I need. It is either nothing is going through or everything is. Does anybody know of a decent tutorial on creating rulesets with ipfw?
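Putting post #2 (restrict ssh to known sources, filter X, block ICMP, log the important denies, turn on log_in_vain) and post #4 (drive ipfw from rc.conf) together, the script below is an added example in the style of /etc/rc.firewall; it is not code from either poster or from FreeBSD. The interface names xl0/xl1, the internal network 192.168.1.0/24 and the trusted host 203.0.113.10 are placeholders you would replace with your own. Run it with no arguments to print the rules for review; --apply loads them through /sbin/ipfw.

```shell
#!/bin/sh
# Added example (not from the thread): a small stateful ipfw ruleset written
# the way /etc/rc.firewall builds one. All names below are placeholders.
#   sh ipfw.sh          prints the rules (dry run, nothing is loaded)
#   sh ipfw.sh --apply  loads them with /sbin/ipfw (as root, on FreeBSD)

ext_if="xl0"               # assumed external interface
int_if="xl1"               # assumed internal interface
int_net="192.168.1.0/24"   # assumed internal network
trusted="203.0.113.10"     # assumed friend's host (documentation address)

# $1 is the command that receives each rule: /sbin/ipfw for real, echo for a dry run.
# "log logamount 100" caps log lines per rule; logging needs IPFIREWALL_VERBOSE in the kernel.
build_ruleset() {
    fwcmd="$1"
    $fwcmd -f flush

    # Loopback is fine; 127/8 seen on any other interface is spoofed.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny ip from any to 127.0.0.0/8
    $fwcmd add 300 deny ip from 127.0.0.0/8 to any

    # Our own network address arriving from the outside is spoofed: log it.
    $fwcmd add 400 deny log logamount 100 ip from $int_net to any in via $ext_if

    # The inside interface is trusted, so ssh/X from the LAN need no extra rules.
    $fwcmd add 450 allow ip from any to any via $int_if

    # Dynamic rules first, then remember every connection that leaves via the outside.
    $fwcmd add 500 check-state
    $fwcmd add 600 allow tcp from $int_net to any out via $ext_if setup keep-state
    $fwcmd add 610 allow tcp from me to any out via $ext_if setup keep-state
    $fwcmd add 620 allow udp from $int_net to any out via $ext_if keep-state
    $fwcmd add 630 allow udp from me to any out via $ext_if keep-state

    # ssh from the outside: one trusted host only, everything else logged and dropped.
    $fwcmd add 710 allow tcp from $trusted to me 22 in via $ext_if setup keep-state
    $fwcmd add 720 deny log logamount 100 tcp from any to me 22 in via $ext_if

    # X11 displays (6000-6063) are never reachable from the outside.
    $fwcmd add 800 deny log logamount 100 tcp from any to me 6000-6063 in via $ext_if

    # ICMP: keep unreachable (3) and time-exceeded (11), which path-MTU discovery
    # and traceroute rely on; drop and log the rest coming from the outside.
    $fwcmd add 900 allow icmp from any to any icmptypes 3,11
    $fwcmd add 910 deny log logamount 100 icmp from any to any in via $ext_if

    # Default deny, logged (ipfw log lines reach /var/log/security via syslogd).
    $fwcmd add 65000 deny log logamount 100 ip from any to any
}

case "${1:-}" in
    --apply)
        build_ruleset /sbin/ipfw
        # Also log connection attempts to closed ports (the log_in_vain tip from post #2).
        sysctl net.inet.tcp.log_in_vain=1
        sysctl net.inet.udp.log_in_vain=1
        ;;
    *)
        build_ruleset echo
        ;;
esac
```

To have it run at boot, set firewall_enable="YES" and firewall_script="/etc/ipfw.sh" in /etc/rc.conf (assuming your release's rc.conf supports the firewall_script knob; otherwise put the rules into a file named by firewall_type). NAT is deliberately left out; if you need it, add the IPDIVERT kernel option and the natd_* lines from post #4 plus a divert rule before rule 500. ICMP types 3 and 11 are kept rather than blocked wholesale because dropping them breaks path-MTU discovery, which shows up as connections that open but hang on large transfers.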