
How to Build an IPFW on FreeBSD 4.x


First of all, you need to view the current kernel options and check whether the following lines exist:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
options TCP_DROP_SYNFIN

If they don’t exist, you need to add these options and recompile the kernel.

This is how to configure and compile your kernel.

cd /usr/src/sys/i386/conf
cp GENERIC FWKERNEL

(or whatever name you prefer)

vi FWKERNEL

Add the following config options:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
options TCP_DROP_SYNFIN

Save and exit.

cd /usr/src
make buildkernel KERNCONF=FWKERNEL
make installkernel KERNCONF=FWKERNEL

Now the new kernel should be built and installed.

IF YOU ARE SETTING THIS UP OVER SSH (REMOTE) DO NOT RESTART YOUR MACHINE YET, OTHERWISE YOU WILL LOCK YOURSELF OUT!!!

To set up the firewall on your machine, you need to add some options to /etc/rc.conf.
At the moment the firewall is set to DENY, so you need to add some allow rules.

Before you change your rc.conf, I suggest you make a backup copy of it.

cp /etc/rc.conf /etc/rc.conf.old

Now edit /etc/rc.conf and add the following lines:

firewall_enable="YES"
firewall_type="open"
firewall_script="/etc/ipfw.rules"

Now save rc.conf.

The final step is to create the firewall script ipfw.rules and place it in the /etc directory.

#!/bin/sh
fwcmd="/sbin/ipfw"
# start from an empty rule set
$fwcmd -f flush
# unconditional access for the admin host (replace 123.123.123.123 with your static IP)
$fwcmd add allow ip from 123.123.123.123 to any via sis0
$fwcmd add allow ip from any to 123.123.123.123 via sis0
# loopback traffic
$fwcmd add allow ip from any to any via lo0
# outbound TCP connections and the reply traffic of established sessions
$fwcmd add allow tcp from any to any out xmit sis0 setup
$fwcmd add allow tcp from any to any via sis0 established
# inbound services: ssh, http, ftp and port 7000
$fwcmd add allow tcp from any to any 22 setup
$fwcmd add allow tcp from any to any 80 setup
$fwcmd add allow tcp from any to any 21 setup
$fwcmd add allow tcp from any to any 7000 setup
# reset ident (113) lookups immediately instead of letting them time out
$fwcmd add reset log tcp from any to any 113 in recv sis0
# DNS queries out and their replies back in
$fwcmd add allow udp from any to any 53 out xmit sis0
$fwcmd add allow udp from any 53 to any in recv sis0
# ICMP: allow what this host sends, drop the rest
$fwcmd add 03000 allow icmp from me to any
$fwcmd add 04000 deny icmp from any to any
# final catch-all: deny and log everything that did not match above
$fwcmd add 65435 deny log ip from any to any
$fwcmd add deny log all from any to any

In the firewall rules (see below), I have added two rules that allow a certain IP to access the machine no matter what. Replace the IP 123.123.123.123 with your static IP.

$fwcmd add allow ip from 123.123.123.123 to any via sis0
$fwcmd add allow ip from any to 123.123.123.123 via sis0

NOTE: You need to change the interface name to whatever YOUR machine's interface is called. In my case it was sis0. Just run ifconfig in the terminal and it will tell you what it is called. THIS IS VERY IMPORTANT.
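An added example, not part of the original article: a small /bin/sh check to run against the rules script before rebooting, covering the three things that most often lock a remote admin out. It reports an interface name that does not exist on the host, the 123.123.123.123 placeholder left in place, and admin allow rules that come after a deny or reset rule (ipfw stops at the first matching rule). The interface list is supplied by the caller (on FreeBSD, the output of ifconfig -l); check_rules, write_sample_rules and the 192.0.2.10 address are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check an ipfw rules script
# before rebooting. Interface list is supplied by the caller (FreeBSD: ifconfig -l).

# check_rules FILE "iface1 iface2 ..." ADMIN_IP -> returns 0 if clean, 1 otherwise
check_rules() {
    rules="$1"; ifaces="$2"; admin_ip="$3"; rc=0
    # 1. every interface named after via/xmit/recv must exist on this host
    used=$(awk '{for (i = 1; i < NF; i++) if ($i == "via" || $i == "xmit" || $i == "recv") print $(i+1)}' "$rules" | sort -u)
    for ifc in $used; do
        case " $ifaces " in
            *" $ifc "*) ;;
            *) echo "unknown interface: $ifc"; rc=1 ;;
        esac
    done
    # 2. the article's placeholder address must have been replaced
    if grep -q '123\.123\.123\.123' "$rules"; then
        echo "placeholder address 123.123.123.123 still present"; rc=1
    fi
    # 3. ipfw is first-match: the admin allow rule must precede any deny/reset
    admin_line=$(grep -n "allow ip from $admin_ip to any" "$rules" | head -n 1 | cut -d: -f1)
    deny_line=$(grep -nE 'add( [0-9]+)? (deny|reset) ' "$rules" | head -n 1 | cut -d: -f1)
    if [ -z "$admin_line" ]; then
        echo "no allow rule for admin host $admin_ip"; rc=1
    elif [ -n "$deny_line" ] && [ "$admin_line" -gt "$deny_line" ]; then
        echo "admin allow rule (line $admin_line) comes after a deny/reset (line $deny_line)"; rc=1
    fi
    return $rc
}

# write_sample_rules FILE IFACE ADMIN_IP: constructed rules in the article's layout
write_sample_rules() {
    cat > "$1" <<EOF
fwcmd="/sbin/ipfw"
\$fwcmd -f flush
\$fwcmd add allow ip from $3 to any via $2
\$fwcmd add allow ip from any to $3 via $2
\$fwcmd add allow ip from any to any via lo0
\$fwcmd add allow tcp from any to any 22 setup
\$fwcmd add reset log tcp from any to any 113 in recv $2
\$fwcmd add deny log all from any to any
EOF
}

sample=$(mktemp)
write_sample_rules "$sample" sis0 192.0.2.10
check_rules "$sample" "lo0 sis0" 192.0.2.10 && echo "rules look safe to load"
```

To check the real file, run check_rules /etc/ipfw.rules "$(ifconfig -l)" YOUR.STATIC.IP and only reboot when it exits 0.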

When you reboot your machine you should have a working firewall!!!
