how to build firewall on freebsd 5.2.1
--------------------------------------
+ You need to build a new kernel for FreeBSD with firewall support.
[root@toady conf]# pwd
/usr/src/sys/i386/conf
[root@toady conf]# cp GENERIC FIREWALL
[root@toady conf]# diff -Nur GENERIC FIREWALL
--- GENERIC Mon Jan 26 19:42:11 2004
+++ FIREWALL Sat Apr 16 21:19:03 2005
@@ -19,10 +19,21 @@
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.394.2.3 2004/01/26 19:42:11 nectar Exp $
machine i386
-cpu I486_CPU
-cpu I586_CPU
+#cpu I486_CPU
+#cpu I586_CPU
cpu I686_CPU
-ident GENERIC
+ident FIREWALL
+
+## Enable ipfw.
+options IPFIREWALL
+options IPFIREWALL_VERBOSE
+
+## Enable ip6fw too.
+# options IPV6FIREWALL
+# options IPV6FIREWALL_VERBOSE
+
+## Enable NAT.
+options IPDIVERT
#To statically compile in device wiring instead of /boot/device.hints
#hints "GENERIC.hints" #Default places to look for devices.
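Review bot: `options IPFIREWALL` alone leaves the kernel's implicit final rule at deny-all, so if `rc.firewall` is not enabled or fails to load on the first reboot the box is unreachable over the network; do the first boot with console access, or add `options IPFIREWALL_DEFAULT_TO_ACCEPT` only while testing and remove it once the rule set is known to load. `options IPFIREWALL_VERBOSE` enables per-rule logging with no cap, which lets a burst of denied packets fill the log; pair it with `options IPFIREWALL_VERBOSE_LIMIT=100` (the count is a constructed example, tune to taste). The hunk header announces 10 old and 21 new lines but fewer are shown, so blank context lines appear to have been dropped from this listing.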
[root@toady conf]# /usr/sbin/config FIREWALL
[root@toady compile]# pwd
/usr/src/sys/i386/compile
[root@toady compile]# make depend
[root@toady compile]# make
[root@toady compile]# make install
[root@toady boot]# pwd
/boot
[root@toady boot]# ls -al
...
drwxr-xr-x 2 root wheel 7168 Apr 16 23:10 kernel
drwxr-xr-x 2 root wheel 7168 Aug 31 2004 kernel.old
...
Reboot the box into the new kernel.
+ firewall settings:
[root@toady etc]# pwd
/etc
[root@toady etc]# diff -Nur rc.firewall rc.firewall.orig
--- rc.firewall Sun Apr 17 00:07:32 2005
+++ rc.firewall.orig Mon Feb 23 19:42:53 2004
@@ -151,9 +151,9 @@
############
# set these to your network and netmask and ip
- net="137.111.20.128"
- mask="255.255.255.128"
- ip="137.111.20.207"
+ net="192.0.2.0"
+ mask="255.255.255.0"
+ ip="192.0.2.1"
setup_loopback
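Review bot: The operands of `diff -Nur rc.firewall rc.firewall.orig` are reversed, so in this hunk the operator's live values (`net="137.111.20.128"`, `mask="255.255.255.128"`, `ip="137.111.20.207"`) appear as `-` lines and the stock `192.0.2.x` placeholders as `+` lines; the same applies to the next hunk (the sshd and web rules) and to the rc.conf diff below. A reader who applies the `+` side as the new configuration would revert to the defaults and lose the sshd and web pass rules. Regenerate with `diff -Nur rc.firewall.orig rc.firewall` so the live settings read as additions. The client section of rc.firewall continues beyond the lines shown.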
@@ -169,14 +169,6 @@
# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${ip} 25 setup
-
- # Allow access to our sshd
- ${fwcmd} add pass tcp from 137.111.18.0/25 to ${ip} 22 setup
- ${fwcmd} add pass tcp from 137.111.20.128/25 to ${ip} 22 setup
-
- # Allow access to our web
- ${fwcmd} add pass tcp from 137.111.0.0/16 to ${ip} 80 setup
- ${fwcmd} add pass tcp from 137.111.0.0/16 to ${ip} 443 setup
# Allow setup of outgoing TCP connections only
${fwcmd} add pass tcp from ${ip} to any setup
[root@toady etc]# diff -Nur rc.conf rc.conf.orig
--- rc.conf Sun Apr 17 00:29:10 2005
+++ rc.conf.orig Fri Apr 15 21:23:22 2005
@@ -132,20 +132,3 @@
# Enable network daemons for user convenience.
# Created: Fri Apr 15 21:23:22 2005
-
-## Enable sshd
-sshd_enable="YES"
-
-## firewall
-firewall_enable="YES" # Set to YES to enable firewall functionality
-firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
-firewall_type="client" # Firewall type (see /etc/rc.firewall)
-firewall_quiet="NO" # Set to YES to suppress rule display
-firewall_logging="YES" # Set to YES to enable events logging
-firewall_flags="" # Flags passed to ipfw when type is a file
-
-## natd
-natd_enable="YES"
-natd_interface="fxp0" # your public network interface
-natd_flags="-m" # preserve port numbers if possible
-
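Review bot: `firewall_logging="YES"` turns on ipfw verbose logging at boot, and nothing in the kernel config or here bounds it, so a sustained stream of denied packets will grow the log without limit; set a limit in the kernel (`IPFIREWALL_VERBOSE_LIMIT`) or via the `net.inet.ip.fw.verbose_limit` sysctl. `firewall_script="/etc/rc.firewall"` is the default value and can be dropped. `natd_enable="YES"` with `firewall_type="client"` is an unusual pairing: if this host forwards for other machines, `gateway_enable="YES"` is also needed and is absent; if it does not, natd and the kernel's `IPDIVERT` option are unnecessary surface and can be removed — confirm which is intended.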
Reference:
----------
+ Building and Installing a Custom Kernel, FreeBSD Handbook
+ How to Build a FreeBSD-STABLE Firewall with IPFILTER <http://www.schlacter.net/public/FreeBSD-STABLE_and_IPFILTER.html>
+ FreeBSD Firewall Configuration <http://www.acme.com/firewall.html>