MikeL's FreeBSD howto

MikeL's FreeBSD howto - Firewall

19-Sep-2005 Wait!
Everything on this page is out of date. Go directly to the FreeBSD handbook page. Copy their sample "ipf.rules" file there.
The only changes I made to it are to correct to use my interface, and in the FTP OUT rule, I had to drop the trailing "flags S keep state" in order for command-line ftp from the box to the outside world to work. (P.S. Although my description below is for a gateway machine, this was not -- strictly a standalone server.)

This is basically a checklist of how to setup a new system to be a firewall. The intent is not to cover everything in detail, merely to point you to each of the tasks that must be performed.

Obviously you must already have your hardware set up with two Network Interface Cards (NICs). One connected to the external network that you're protecting yourself from, the other connected to the internal network.

The manual for this process is: FreeBSD.org, Handbook ch. 6.

You'll have to build a custom kernel.
You must add the following (anywhere seems fine):
options IPFIREWALL
options IPDIVERT (I have this -- not sure where it came from or if it's really needed)
Edit /etc/rc.conf. Add the following:
gateway_enable="YES" (I have this -- not sure where it came from or if it's really needed)
firewall_enable="YES"
firewall_type="open"
firewall_quiet="NO"
While here, check your networking setup.
install 'ipfw'
This seems to have already been ther in 3.3-RELEASE
install 'natd'
I did not have to make it for 3.3-RELEASE, it was already there.
I did have to add the following to /etc/rc.conf:
natd_enable="YES"
natd_program="/sbin/natd"
natd_interface="x.y.z.q", where the address is the external interface.
Without this, stuff on the FreeBSD server sees the outside world, but computers on the inside of the firewall cannot see outside of it.
Once you have a system working again, change the "firewall_type" setting, and mess with /etc/rc.firewall for your specific needs.

Getting a Microsoft VPN (MS PPTP) client working through ipfw
I can state that the following does work -- I cannot say it is the optimal (ie. most limiting you can get away with).

	# The following (47, 1723) are for Microsoft PPTP.
	${fwcmd} add pass tcp from any 1723 to ${inet}:${imask}
	${fwcmd} add pass tcp from ${inet}:${imask} to any 1723
	${fwcmd} add pass tcp from ${oip} to any 1723

	${fwcmd} add pass gre from any to ${inet}:${imask}
	${fwcmd} add pass gre from ${inet}:${imask} to any
	${fwcmd} add pass gre from ${oip} to any

Getting a Cisco Systems VPN client working through ipfw
I can state that the following does work -- I cannot say it is the optimal (ie. most limiting you can get away with).

	# The following (500, 10000) are for Cisco VPN.
	${fwcmd} add pass udp from any 500 to ${inet}:${imask}
	${fwcmd} add pass udp from ${inet}:${imask} to any 500
	${fwcmd} add pass udp from ${oip} to any 500 keep-state

	${fwcmd} add pass udp from any 10000 to ${inet}:${imask}
	${fwcmd} add pass udp from ${inet}:${imask} to any 10000
	${fwcmd} add pass udp from ${oip} to any 10000 keep-state