@WillSquire
Last active April 2, 2017 08:29
Install IPFW on FreeBSD

IPFW

To configure an IPFW firewall, first open up rc.conf with:

sudo ee /etc/rc.conf

Now add the following lines to the end of this file. The SSH port number is the most important one to add and should be replaced with the port number chosen whilst configuring SSH (not doing so will lock out all SSH users from the system). Each port that is required should be listed in the port number area (port 80 might also be useful to add as it is the standard port for HTTP connections, as is port 443 for HTTPS), and firewall_logdeny will tell the server to log any denied connection attempt to the /var/log/security file:

firewall_enable="YES"
firewall_quiet="YES"
firewall_type="workstation"
firewall_myservices="[ssh_port_number] [another_port_number] [another_port_number_etc]"
firewall_allowservices="any"
firewall_logdeny="YES"

If so desired, UDP or TCP can be specifically targeted in firewall_myservices by adding the protocol as a suffix to the port number, e.g. [port_number]/tcp. Once all port numbers are filled in, save and close with Esc, Enter and Enter. Then activate the firewall service with the following:

sudo service ipfw start

Once enabled, the ruleset being used by the firewall can be checked with:

ipfw list

#!/bin/sh
# Must be run as root (e.g. via sudo): it edits /etc/rc.conf and restarts ipfw.
#####################################
# Variables
#####################################
RC_CNF_DIR="/etc/rc.conf"
IPFW_PORTS_OPEN="22/tcp 80/tcp" # 22=SSH(SUGGEST USING NON-DEFAULT PORT INSTEAD) 80=HTTP
#####################################
# Functions
#####################################
# set_line()
#
# Searches a file for an old string in each line of the file. If the
# old string is found within a line, the entire contents of the line
# gets replaced with a new string. Else (if the old string is not
# found) the new string gets appended as a new line after the last
# line of the file.
#
# Uses sed command (BSD version, not GNU). "^" is used as "s"
# delimiter as "/" is too commonly used.
# @author Will Squire <will_squire@hotmail.co.uk>
#
# @example set_line "max_connections =" "max_connections = 501" /var/db/mysql/my.cnf
#
# @param $old_string  (used as a regular expression; must not contain "/")
# @param $new_string  (must not contain "^" or "&")
# @param $file
set_line() {
  sed -i '' '/.*'"$1"'.*/{
    h
    s^.*^'"$2"'^
  }
  ${
    x
    /^$/{
      s^^'"$2"'^
      H
    }
    x
  }' "$3"
}
# How it works: a matching line is copied into the hold space (h) before
# being replaced. On the last line ($) the hold space is swapped in (x);
# if it is still empty nothing matched, so the new string is put there,
# appended to the saved last line (H) and swapped back out for printing.
#####################################
# Configuration
#####################################
set_line "firewall_enable=" 'firewall_enable="YES"' "$RC_CNF_DIR"
set_line "firewall_quiet=" 'firewall_quiet="YES"' "$RC_CNF_DIR"
set_line "firewall_type=" 'firewall_type="workstation"' "$RC_CNF_DIR"
set_line "firewall_myservices=" "firewall_myservices=\"${IPFW_PORTS_OPEN}\"" "$RC_CNF_DIR"
set_line "firewall_allowservices=" 'firewall_allowservices="any"' "$RC_CNF_DIR"
set_line "firewall_logdeny=" 'firewall_logdeny="YES"' "$RC_CNF_DIR"
# Start or restart IPFW
service ipfw restart
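The text above warns that leaving the SSH port out of firewall_myservices locks every SSH user out. The following pre-flight check is an added example, not part of the gist: it reads the port sshd actually listens on and the firewall_myservices value, and reports whether the workstation ruleset would still admit SSH. The function names and the constructed sample files are assumptions made here; on a real host pass /etc/ssh/sshd_config and /etc/rc.conf.

```shell
#!/bin/sh
# Added example, not part of the original gist: a pre-flight check for the
# SSH lockout risk. File paths are passed in so the check can be run against
# constructed sample files as well as the real sshd_config and rc.conf.

# Print the first uncommented "Port N" from an sshd_config, or 22 (sshd's
# default) when no Port directive is present.
ssh_port_from_config() {
  port=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
  echo "${port:-22}"
}

# Print the value of firewall_myservices from an rc.conf with quotes and
# surrounding whitespace removed. The last assignment wins, as it does when
# rc(8) sources the file. Prints an empty line if the variable is unset.
myservices_from_rcconf() {
  awk -F= '/^firewall_myservices[ \t]*=/ { v = $2 }
           END { gsub(/"/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v); print v }' "$1"
}

# Return 0 when the SSH port appears in firewall_myservices either bare or
# with a /tcp suffix; a /udp-only entry does not count, since SSH is TCP.
ssh_port_allowed() {
  port=$(ssh_port_from_config "$1")
  for entry in $(myservices_from_rcconf "$2"); do
    case "$entry" in
      "$port"|"$port/tcp") return 0 ;;
    esac
  done
  return 1
}

# Stand-alone demonstration on constructed files: sshd moved to port 2222
# while rc.conf still lists only 22/tcp, which is exactly the lockout case.
demo_dir=$(mktemp -d)
printf 'Port 2222\nPermitRootLogin no\n' > "$demo_dir/sshd_config"
printf 'firewall_enable="YES"\nfirewall_myservices="22/tcp 80/tcp"\n' > "$demo_dir/rc.conf"
if ssh_port_allowed "$demo_dir/sshd_config" "$demo_dir/rc.conf"; then
  echo "OK: sshd port is listed in firewall_myservices"
else
  echo "WARNING: sshd port $(ssh_port_from_config "$demo_dir/sshd_config") is not in firewall_myservices; starting ipfw would cut off SSH" >&2
fi
rm -rf "$demo_dir"
```

Run it before `service ipfw start` (or before the script above); a warning means firewall_myservices needs the sshd port added first.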