A bare bones home firewall
Here we're going to look at a simple firewall using FreeBSD's own 'ipfw'. This is a bare bones, protect-this-machine-only firewall and will work fine if you have no network behind your FreeBSD machine and no special needs:
/sbin/ipfw add 00100 allow ip from any to any via lo0
/sbin/ipfw add 00200 deny ip from any to 127.0.0.0/8
/sbin/ipfw add 00300 deny ip from 127.0.0.0/8 to any
/sbin/ipfw add 04000 check-state
/sbin/ipfw add 05000 allow udp from me to any keep-state
/sbin/ipfw add 06000 deny udp from any to me
/sbin/ipfw add 07500 allow tcp from me to any keep-state
/sbin/ipfw add 08000 deny tcp from any to me
/sbin/ipfw add 50000 allow icmp from me to any keep-state
/sbin/ipfw add 52000 deny icmp from any to me icmptype 8
/sbin/ipfw add 53000 allow log icmp from any to me
#/sbin/ipfw add 65535 deny ip from any to any
I've put the blank lines in to divide up the different functional parts of the rules. The first three rules (100-300) are standard and allow internal communications on your machine and then stop any possible abuse of that restricted address space. The next rule (04000) is to allow traffic in that was already initiated by your machine via one of the later "keep-state" rules. The next four rules (in two sets of two) are the heart of the firewall and each set basicly says, "let me send traffic anywhere, create a dynamic rule (to accept the return traffic via rule 4000), then deny any other such traffic." We do this for each of the two major protocols, TCP and UDP. This will cover the vast majority of your traffic. And finally, we do almost the same thing for the ICMP traffic, however we only block unrequested, incoming ping traffic ("icmptypes 8"). Other types of ICMP traffic should generally be allowed as it may contain important network error information. And, at the end, I've left in a comment to remind myself of the default rule -- any IP traffic that wasn't already handled by the other rules will be unceremoniously denied.
To make this firewall effective on system boot, you must do just a few things. First, put it into a file (I'd recommend "/usr/local/etc/rc.ipfw"). Then, place the following lines into "/etc/rc.conf":
And, that's it! Now every time you boot your machine, you'll be protected from unwanted network traffic. And, if you don't want to reboot, you can make this effective immediately by doing two things (both as user root, please). First, ensure that the "ipfw.ko" kernel module is loaded (check with "kldstat" and if it's not listed enter the command "kldload ipfw"). Next, run the script you've just created with the command "sh /usr/local/etc/rc.ipfw". Be warned, though, that if you have any active TCP sessions when you activate the firewall they might be cut off from further communication, as the firewall wasn't active to create the dynamic rules (via "keep-state" rules) when the session was started.
If you need something more from your firewall, take a look at this follow-up article, "A Fancy Home Firewall." In it, I expand on this example and explain a rule set that can allow traffic from a private network behind your FreeBSD machine, VPN traffic, and more.
[ tags: freebsd, firewall, ipfw ]