IPFIREWALL (IPFW) Firewall
IPFIREWALL (IPFW) Firewall
The IPFIREWALL (IPFW) is a FBSD sponsored firewall software application authored and maintained by FBSD volunteer staff members. It uses the legacy stateless rules and a legacy rule coding technique to achieve what is referred to as simple stateful logic.
The IPFW stateless rule syntax is empowered with technically sophisticated selection capabilities which far surpasses the knowledge level of the customary firewall installer. IPFW is targeted at the professional user or the advanced technical computer hobbyist who has advanced packet selection requirements. A high degree of detailed knowledge into how different protocols use and create their unique packet header information is necessary before the power of the IPFW rules can be unleashed. Providing that level of explanation is out of the scope of this section of the handbook.
IPFW is composed of seven components; the kernel firewall filter rule processor and its integrated packet accounting facility (the primary component), the logging facility, the ‘divert’ rule which triggers the NAT facility, and the advanced special purpose facilities (the dummynet traffic shaper facilities the ‘fwd rule’ forward facility, the bridge facility, and the ipstealth facility).
See the FBSD man pages, 'man ipfw' or 'man ipfirewall' or 'man dummynet' for details.
From this point on I will use IPFW to mean IPFIREWALL.
IPFW is included in the basic FBSD install as a separate run time loadable module. IPFW will dynamically load its kernel loadable module when the rc.conf statement firewall_enable="YES" is used. You do not need to compile IPFW into the FBSD kernel.
Using the IPFW run time loadable module is recommended.
After rebooting your system with firewall_enable="YES" in rc.conf the following white highlighted message is displayed on the screen as part of the boot process.
IP packet filtering initialized, divert disabled, rule-based forwarding enabled, default to deny, logging disabled
You can disregard this message as it’s outdated and no longer is the true status of the IPFW loadable module. The loadable module really does have logging ability.
To set the verbose limit, there is a knob you can set in sysctl.conf by adding this statement to the file:
It is not a mandatory requirement that you enable IPFW by compiling the following options into the FBSD kernel. It’s only presented here as a background information option. Compiling IPFW into the kernel causes the loadable module to never be used.
Sample kernel source IPFW options statements are in the /usr/src/sys/i386/conf/LINT kernel source and are reproduced here.
options IPFIREWALL options IPFIREWALL_VERBOSE options IPFIREWALL_VERBOSE_LIMIT=5 option IPDIVERT
IPFIREWALL This tells the compile to include IPFW as part of the kernel.
IPFIREWALL_VERBOSE enables the option to have IPFW log traffic by printing packet activity to syslogd for every rule that has the "log" keyword.
IPFIREWALL_VERBOSE_LIMIT=5 specifies the default number of packets from a particular rule is to be logged. Without this option each repeated occurrences of the same packet will be logged and eventually consume all the free disk space, resulting in services being denied due to lack of resources. The 5 is the number of consecutive times to log evidence of this unique occurrence.
IPDIVERT adds the userland natd function which is utilized by the divert natd IPFW rule statement.
A complete list of the IPFW options statements are in /usr/src/sys/i386/conf/LINT
Installer note: After compiling IPFW into your kernel you lose the ability to access all private LAN and public Internet networks, until you enable IPFW in rc.conf and reboot.
You have to tell FBSD to active it at boot time. You do that by adding the following statements to /etc/rc.conf:
firewall_enable="YES" # Start IPFW daemon firewall_script="/etc/ipfw.rules" # Use my custom rules. filewall_logging="YES" # Enable packet logging
For a completely open firewall, you have to create the /etc/ipfw.rules file with the following rules
ipfw –f flush ipfw add allow all from any to any
The ipfw command is the normal vehicle for making manual single rule additions or deletions to the firewall active internal rules while it's running. The problem with using this method is once your system is shutdown or halted, all the rules you added or changed or deleted are lost. Writing all your rules in a file and using that file to load the rules at boot time or to replace in mass the currently running firewall rules with changes you made to the files content is the recommended method used here.
The ipfw command is still a very useful for displaying the running firewall rules to the console screen. The IPFW accounting facility dynamically creates a counter for each rule that counts each packet that matches the rule. During the process of testing a rule, listing the rule with its counter is the only way of determining if the rule is functioning.
You would enter on the FBSD command line one of the following forms of the list command.
ipfw list List all rules in rule number sequence.
ipfw -t list List rules in rule number sequence with timestamp
of last time that rule was matched.
ipfw -a list List the accounting information, packet count for
matched rules along with the rules themselves. The first column is the rule number, followed by the number of outgoing matched packets, followed by the number of incoming matched packets, and finally followed by the rule itself.
ipfw -d list List dynamic rules in addition to static ones.
ipfw -d -e list Also show expired dynamic rules.
ipfw zero Clear all the accounting counters.
ipfw zero number Clear accounting counter just for this rule number.
ipfw show | more
If you have a big rule set with dynamic rules it will scroll off the screen. Suffix the command with ‘ | more’ which will only display the first screen full, and then you have to use the arrow keys or enter key to scroll down through the info.