Full Discussion: BSD Firewall
Post 12700 by cbbyers on Sunday 6th of January 2002 04:13:40 AM
I have been using fbsd for my personal firewall at home for years now. Here is what I filter.

Block ICMP for starters.

You'll also want to filter ports that you don't want the world to be connecting to, for instance ssh. Even though ssh is encrypted, I only allow connections to that port from my internal network and the IP addresses of friends and other networks that I use. I am anal though.

To see a list of what's open, run netstat -an | grep LISTEN. You have to find out what's running on your box before you can know what rulesets to create. If you're using X, then I'd filter that port as well. Obviously it's only going to show up in a netstat output when it's up.

I compiled and briefly looked at a program called qtfw in the ports collection. It's a GUI front end to ipfw, but I don't use it.

If you want to look more at what's going on with incoming connections, turn on "log_in_vain":

# sysctl -a | grep vain
net.inet.tcp.log_in_vain: 1
net.inet.udp.log_in_vain: 1

These will be set to 0 by default.

Also, on the ipfw rules that you create, set up logging on the more important ones. You can use "log logamount" in your ipfw rules to write connection attempts to filtered ports to /var/log/security.
 

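As an added example (not from cbbyers' post and not FreeBSD's own code), the steps above can be turned into a small sh script: it parses a constructed "netstat -an" LISTEN listing, skips loopback-only listeners, and emits ipfw rules that allow a trusted network and deny-plus-log everyone else with a logamount cap so a port scan cannot flood /var/log/security. The trusted network 192.168.1.0/24, the interface fxp0 and the rule numbers are assumptions to adjust for your own host; the "log" keyword only produces output when the kernel was built with IPFIREWALL_VERBOSE.

```shell
#!/bin/sh
# Added example, not from the post above: turn a "netstat -an | grep LISTEN"
# listing into ipfw rules that allow trusted networks and deny+log everyone
# else. Sample netstat output is constructed; the trusted network, interface
# name and rule numbers are assumptions to adjust for your own host.

# Constructed sample of FreeBSD `netstat -an` LISTEN lines (local address is
# "addr.port"; "*" means all addresses). Loopback-only services are skipped
# because they are not reachable from the network anyway.
SAMPLE_NETSTAT='tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.6000                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN'

# listening_ports NETSTAT_TEXT -> space-separated, de-duplicated TCP ports
# that listen on a non-loopback address (e.g. "22 6000").
listening_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ".")          # last dotted field is the port
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (addr != "127.0.0.1" && addr != "::1") print a[n]
        }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# ipfw_rules TRUSTED_NET IFACE PORT... -> one "ipfw add" command per line:
# allow the trusted network, then deny and log (rate-limited by logamount,
# so a scan cannot flood /var/log/security) everything else to that port.
ipfw_rules() {
    net=$1; iface=$2; shift 2
    num=1000
    for port in "$@"; do
        echo "ipfw add $num allow tcp from $net to me $port in via $iface"
        num=$((num + 10))
        echo "ipfw add $num deny log logamount 100 tcp from any to me $port in via $iface"
        num=$((num + 10))
    done
}

# Usage: review the generated commands, then run them as root (assumed
# trusted network 192.168.1.0/24 and interface fxp0).
ipfw_rules 192.168.1.0/24 fxp0 $(listening_ports "$SAMPLE_NETSTAT")
```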
IPFW(4)                   BSD Kernel Interfaces Manual                  IPFW(4)

NAME
     ipfw -- IP packet filter and traffic accounting

SYNOPSIS
     To compile ipfw into the kernel, place the following option in the
     kernel configuration file:

           options IPFIREWALL

     Other kernel options related to ipfw which may also be useful are:

           options IPFIREWALL_DEFAULT_TO_ACCEPT
           options IPFIREWALL_FORWARD
           options IPFIREWALL_VERBOSE
           options IPFIREWALL_VERBOSE_LIMIT=100

     To load ipfw as a module at boot time, add the following line into the
     loader.conf(5) file:

           ipfw_load="YES"

DESCRIPTION
     The ipfw system facility allows filtering, redirecting, and other
     operations on IP packets travelling through network interfaces.

     The default behavior of ipfw is to block all incoming and outgoing
     traffic. This behavior can be modified, to allow all traffic through
     the ipfw firewall by default, by enabling the
     IPFIREWALL_DEFAULT_TO_ACCEPT kernel option. This option may be useful
     when configuring ipfw for the first time. If the default ipfw behavior
     is to allow everything, it is easier to cope with firewall-tuning
     mistakes which may accidentally block all traffic.

     To enable logging of packets passing through ipfw, enable the
     IPFIREWALL_VERBOSE kernel option. The IPFIREWALL_VERBOSE_LIMIT option
     will prevent syslogd(8) from flooding system logs or causing local
     Denial of Service. This option may be set to the number of packets
     which will be logged on a per-entry basis before the entry is
     rate-limited.

     Policy routing and transparent forwarding features of ipfw can be
     enabled by the IPFIREWALL_FORWARD kernel option.

     The user interface for ipfw is implemented by the ipfw(8) utility, so
     please refer to the ipfw(8) manpage for a complete description of the
     ipfw capabilities and how to use it.

SEE ALSO
     setsockopt(2), divert(4), ip(4), ipfw(8), sysctl(8), syslogd(8), pfil(9)

BSD                            September 1, 2006                            BSD