Admin... by accident!

You may have chosen to be an admin. I didn't!


How to setup a simple firewall in FreeBSD using IPFW

April 24, 2017 by Albert Valbuena

Setting up a firewall is a mandatory task on any computer facing the internet. This is a simple, straightforward how-to article on setting up a box with an easy firewall configuration on FreeBSD.


FreeBSD offers not one but three firewalls. Networking is complicated by itself and firewalls can be complex too, so when the two mix together your brain may collapse. Pick one, then learn how networks function, and later how to manipulate the firewall. One of those three firewalls in FreeBSD is IPFW. The minimal configuration for IPFW is the one written in this article. Don't think of this firewall as a dumb, overly simple solution. Mac OS X, for example, uses it and puts a nice interface in the System Settings so any noob can use it. Although nowadays it uses another firewall, PFCTL (I guess it comes from OpenBSD), it had IPFW as its default firewall for many years. And quite frankly it has served many users pretty well.

We will edit the main OS configuration file with vi, but you can choose another editor such as nano, which is easier to use. If you prefer nano, just type sudo pkg install nano and agree to the installation. Wherever this article says vi you can replace it with nano.

As always under FreeBSD, /etc/rc.conf is the file in charge of activating OS-level features as well as some other important software. Type this command to open the file where the firewall configuration goes:

sudo vi /etc/rc.conf

Use this if you installed nano: sudo nano /etc/rc.conf

Now edit the file so the firewall settings look as follows.

firewall_enable="YES"
firewall_quiet="YES"
firewall_type="workstation"
firewall_myservices="22 80 443 10000"
firewall_allowservices="any"
firewall_logdeny="YES"

Now you must start the service for the firewall to begin working. Type the following command at the terminal prompt.

sudo service ipfw onestart

The numbers in the line firewall_myservices="22 80…" are the ports the firewall leaves open. All other ports on your server or workstation remain closed. The open ones are the basics needed to run a web server. Port 22 is used for remote connections through SSH (secure shell). Port 80 is used by the HTTP protocol, and since we are setting up a web server it is mandatory. Port 443 is similar, but it is the one for HTTPS, which is the HTTP protocol wrapped in TLS encryption so no one can read the content in it. This is necessary to log in to, let's say, your WordPress or Drupal site without anyone being able to see your password in plain text. Finally, we leave port 10000 open for remote administration using Webmin, which is a nice GUI designed for administering servers.

There is another way to edit the /etc/rc.conf file instead of using the vi or nano editors. You can use a program called echo. With the example above, if we want to add a line at the end of the file using echo, we would do it like this:

First we have to become root so our prompt sign changes from the dollar sign or percentage (bash or sh use this sign $, and csh as well as tcsh use this one %).

Now we will use the echo command to add the first line of the firewall configuration we need.

In order to check if the echo program has really written the configuration we wanted at the right place we will use another program called cat. Cat shows you the content of a file. So if you do cat /etc/rc.conf you will see all the content inside that particular file.

As you can see at the bottom of the file you have that line added.

After adding all the rules, remember to start the service so the firewall is really working. And if you are managing that particular machine remotely, remember to leave the port open for SSH, or whichever one you are using for remote access. Otherwise you will be locked out. Out means out. Something you really don't want to happen to you.
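The echo-based procedure and the lockout warning above, combined into one script. This is an added example, not code from the original article: the helper names are hypothetical, and it runs against a constructed sample file rather than the real /etc/rc.conf.

```shell
#!/bin/sh
# Added example: set_rc_var, get_rc_var, port_allowed and apply_firewall_config
# are hypothetical helper names, not FreeBSD tools.

# Set KEY="VALUE" in an rc.conf-style file. Unlike a bare `echo ... >> file`,
# it drops any earlier assignment first, so re-running never stacks duplicates.
set_rc_var() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    grep -v "^${key}=" "$file" > "$tmp" || true   # grep exits 1 when nothing is left
    printf '%s="%s"\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file"                          # rewrite in place: owner and mode stay
    rm -f "$tmp"
}

# Print the effective value of KEY (the last assignment wins when rc.conf is read).
get_rc_var() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# Succeed only if PORT is listed in firewall_myservices (a port/proto entry
# such as 22/tcp is matched on its port part).
port_allowed() {
    for p in $(get_rc_var "$1" firewall_myservices); do
        [ "${p%%/*}" = "$2" ] && return 0
    done
    return 1
}

# Write the six settings from this article, then check the remote-access port.
apply_firewall_config() {
    rc=$1 ssh_port=${2:-22}
    set_rc_var "$rc" firewall_enable "YES"
    set_rc_var "$rc" firewall_quiet "YES"
    set_rc_var "$rc" firewall_type "workstation"
    set_rc_var "$rc" firewall_myservices "22 80 443 10000"
    set_rc_var "$rc" firewall_allowservices "any"
    set_rc_var "$rc" firewall_logdeny "YES"
    port_allowed "$rc" "$ssh_port" && return 0
    echo "port $ssh_port is not in firewall_myservices; do not start ipfw" >&2
    return 1
}

# Demo on a constructed sample file, so the real /etc/rc.conf is never touched.
demo=$(mktemp)
printf 'hostname="demo"\nfirewall_enable="NO"\n' > "$demo"
apply_firewall_config "$demo" 22 && cat "$demo"
rm -f "$demo"
```

On the real host, as root, the equivalent call is apply_firewall_config /etc/rc.conf 22 followed by service ipfw start only if it succeeds. FreeBSD's own sysrc(8) utility performs the same kind of safe edit of rc.conf variables.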

After all these steps you now have a firewall protecting your machine. Mind that this is not the most powerful and secure setup, but you have a base to build on. IPFW configuration can be far more complicated depending on your needs and knowledge, but this configuration will let you accomplish simple workstation or web server tasks securely.

