Category: BSD
2008-04-07 15:25:12
After reading this howto you will have a FreeBSD stateful firewall set up on either your gateway or your workstation. The setup allows traffic initiated by your workstation or network to flow through and denies traffic initiated from the outside. The howto also sets up internet connection sharing for the other computers on the network, using natd, together with a dynamic traffic shaper built from dummynet pipes and queues that gives each computer an equal share of the available bandwidth. Finally, the setup can be extended with my other howtos. My original goal was a single howto about building an IPFW firewall; it was cut in two because of its size.
Why have firewall protection? Computers on the internet run the risk of being damaged or hijacked, and firewall software is a very powerful tool against this. Having firewall software does not mean that you are safe: you still have to update your system to fix security bugs and check for viruses, although the latter is not much of a problem for Unix-like computers at the time of writing.
Why do traffic shaping? A computer on the network can use the internet connection so heavily that the idea of sharing the connection is defeated: the NAT daemon still works for every computer, but the others have to wait because of the load. Traffic shaping ensures that each computer gets its fair share by dividing the bandwidth equally. There are a few kinds of traffic shaper. A static traffic shaper divides the bandwidth over all computers on the network, whether they are active or not. A dynamic traffic shaper divides it over the computers that are actually using the internet connection. A priority traffic shaper gives one kind of traffic precedence over another. This howto contains a dynamic, priority-like traffic shaping setup implemented with the weighted fair queueing (WF2Q+) scheduler of dummynet queues, which behaves much like weighted round-robin. That means the result is not true priority shaping, but it comes very close.
This howto is written for IPFW2. If you use IPFW1, the ipfw rules may need to be rewritten. FreeBSD 5.0 and above use IPFW2 by default; older releases use IPFW1, either as the default or because IPFW2 is not supported.
The first step is loading the firewall rules. FreeBSD loads the ipfw rules during boot and looks for the information it needs in /etc/rc.conf. Open that file and add the following lines.
firewall_enable="YES"
firewall_quiet="NO"
firewall_type="/etc/firewall.conf"
firewall_flags="-p /usr/bin/cpp"
With these settings the firewall is set up on the next boot by loading the ipfw rules from /etc/firewall.conf with the given flags. The -p flag tells ipfw to run the file through the C preprocessor before parsing it. The preprocessor, although written for a programming language, gives us easily configurable firewall rules (assuming the required functionality has been implemented in the file).
gateway_enable="YES"
natd_enable="YES"
natd_interface="ed1"
natd_flags=""
These lines have to be added when the firewall is configured on a gateway; without them the other computers cannot use the internet connection. They turn the gateway into a network address translation (NAT) router: gateway_enable turns on IP forwarding so packets may be passed between the interfaces, and the other three start the NAT daemon (natd) on the external network interface controller (NIC). The interface is ed1 here; replace it with the name of your own external NIC.
C preprocessor directives are pieces of code that manipulate the file(s) before they are passed to ipfw. The firewall configuration files use five of them: include, define, ifdef, else and endif. The include directive copies the contents of another file into the place of the directive; a relative file name in #include "file" is resolved from the directory of the file that contains the directive. The define directive defines a constant, which is replaced by its value everywhere it is used, except inside directives such as ifdef. The ifdef directive checks whether a constant is defined: the text between ifdef and else goes into the output if it is, otherwise the text between else and endif does. Note that the preprocessor treats every line that starts with # as a directive, so comments in a preprocessed rule file have to be written C-style (/* ... */) rather than with #.
The previous section explained that the firewall loads a configuration file called /etc/firewall.conf. That file actually uses three further files to load the rules: a main script, a second script that the main script calls to load some of the rules, and a settings file that holds the values specific to your network. How the two scripts work is out of the scope of this howto; the settings file is all you need to touch when the default rules suit you. The files have to be downloaded into /etc/ with the following commands.
cd /etc/
fetch
fetch
fetch
fetch
Having these configuration files does not do much good until they are filled with your network information, which you enter with your editor. The required information is which local services the computer offers and how much bandwidth is available. IP addresses in the configuration files are written in CIDR form, address/prefix-length, where the prefix length is the number of leading 1 bits in the netmask (192.168.1.0/24, for example).
Finally, there may be situations where this setup does not fully suit you (perhaps there are more than three users). I have included an overview of the firewall rules to use while making modifications, but I would still advise you to read all three ipfw configuration files once before changing anything.
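Since the howto's own rule files are not reproduced on this page, here is an added example, written by the editor and not taken from the howto, of a complete rule set of the kind the text describes: stateful, NAT through natd, and a dummynet pipe per direction with one dynamic queue per LAN host so active hosts share the line equally. It is written in the style of /etc/rc.firewall, with ${fwcmd} standing for the ipfw binary. The interface names, the LAN prefix, the line speeds and the list of offered services are assumptions; set them from the environment before loading.

```shell
#!/bin/sh
# Added example (not the howto's scripts): stateful IPFW rules for a NAT
# gateway with per-host fair shaping, rc.firewall style. Interface names,
# LAN prefix, bandwidths and the service list below are assumptions.

ext_if="${ext_if:-xl1}"               # assumed external NIC (natd_interface)
int_if="${int_if:-xl0}"               # assumed LAN NIC
lan_net="${lan_net:-192.168.1.0/24}"  # assumed LAN prefix, CIDR form
up_bw="${up_bw:-512Kbit/s}"           # assumed uplink speed of the line
down_bw="${down_bw:-4Mbit/s}"         # assumed downlink speed of the line
tcp_services="${tcp_services:-22}"    # TCP ports offered to the outside (assumed: ssh)
fwcmd="${fwcmd:-/sbin/ipfw}"

load_firewall() {
    ${fwcmd} -f flush
    ${fwcmd} -f pipe flush
    ${fwcmd} -f queue flush

    # Shaper: one pipe per direction, capped at the line speed so the queue
    # on this gateway, not the ISP, decides who waits. Each LAN host gets its
    # own dynamic queue (mask on the host address) with the same weight, so
    # the WF2Q+ scheduler shares the pipe equally between the active hosts.
    ${fwcmd} pipe 1 config bw "${up_bw}"
    ${fwcmd} pipe 2 config bw "${down_bw}"
    ${fwcmd} queue 1 config pipe 1 weight 50 mask src-ip 0xffffffff
    ${fwcmd} queue 2 config pipe 2 weight 50 mask dst-ip 0xffffffff

    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 110 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 120 deny ip from 127.0.0.0/8 to any

    # Shape on the LAN interface: outbound packets are queued before natd
    # rewrites the source, inbound packets after natd restores the
    # destination, so the per-host mask always sees the private address.
    # This is a different pass from the external-interface pass, so the
    # value of net.inet.ip.fw.one_pass cannot break NAT here. Traffic to
    # the gateway itself (to me) stays out of the uplink queue.
    ${fwcmd} add 500 queue 1 ip from ${lan_net} to not me in recv ${int_if}
    ${fwcmd} add 510 queue 2 ip from any to ${lan_net} out recv ${ext_if} xmit ${int_if}

    # Inbound NAT first, so replies carry the LAN address again before the
    # state table is consulted.
    ${fwcmd} add 1000 divert natd ip from any to any in recv ${ext_if}
    ${fwcmd} add 1100 check-state

    # Services this gateway offers to the internet: only new TCP connections
    # (setup), each remembered so the rest of the connection matches check-state.
    for port in ${tcp_services}; do
        ${fwcmd} add 1200 allow tcp from any to me ${port} in recv ${ext_if} setup keep-state
    done

    # Anything the gateway or a LAN host starts: remember the flow while the
    # source is still the private address, then jump to outbound NAT. Packets
    # that later match the state entry take this same skipto.
    ${fwcmd} add 2000 skipto 5000 ip from me to any out xmit ${ext_if} keep-state
    ${fwcmd} add 2100 skipto 5000 ip from ${lan_net} to any out xmit ${ext_if} keep-state

    # Unsolicited traffic from the outside is dropped and logged.
    ${fwcmd} add 4000 deny log ip from any to any in recv ${ext_if}
    # Gateway <-> LAN traffic is trusted.
    ${fwcmd} add 4100 allow ip from any to any via ${int_if}
    ${fwcmd} add 4900 deny log ip from any to any

    # Outbound NAT; the translated packet re-enters at the next rule.
    ${fwcmd} add 5000 divert natd ip from any to any out xmit ${ext_if}
    ${fwcmd} add 5100 allow ip from any to any
}

case "${1:-}" in
    load) load_firewall ;;              # load into the kernel (run as root)
    show) fwcmd=echo; load_firewall ;;  # dry run: print the ipfw commands
esac
```

Run it with show first and read the rule list before loading it on a machine you only reach over the network. The ordering matters more than the numbers: inbound divert before check-state, keep-state on the outbound rules before the outbound divert, and the queue rules on the LAN side rather than the external side. If the queue rules were placed on the external interface after the divert, every host would share one queue because natd has already replaced the source address, and with net.inet.ip.fw.one_pass at its default of 1 the packet would be accepted straight after the queue without ever reaching the NAT rule.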
The third and final step is building a specialized kernel. It can be skipped if no traffic shaping is required; make sure NO_TRAFFIC_SHAPER is defined if you decide to skip it. Before going on I would like to note that the scope of this section is limited. More information can be found in the section of the
First open the kernel configuration file (the default for the i386 architecture is /usr/src/sys/i386/conf/GENERIC) and add the following lines. The purpose of most of them will be clear, except maybe DUMMYNET, which pulls in the code needed for the traffic shaper.
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options DUMMYNET
I added IPFIREWALL_DEFAULT_TO_ACCEPT because it reduces the chance of locking myself out while experimenting with the firewall. It does not relieve you from being near the console, because locking yourself out is still possible. The option can be removed to tighten security: without it the kernel denies everything until a rule set has been loaded, so a rule file that fails to load leaves the machine closed instead of open.
When this is done a new kernel needs to be compiled and installed. Your working directory must be /usr/src, and you should check whether an error occurred after each command. If so, abort the procedure and look through the kernel configuration to see whether you commented out something that is required. If there are no error messages, reboot the computer.
cd /usr/src
make buildkernel KERNCONF=GENERIC
make installkernel KERNCONF=GENERIC
reboot
The new kernel can be tested with the following commands. They print either a confirmation line or nothing at all; if the kernel installation was not successful, an error message such as "ipfw: setsockopt(IP_DUMMYNET_CONFIGURE): Protocol not available" is printed instead. Please continue with the following list of commands:
Using firewall protection is important because it gives powerful protection from attacks; everyone should have it on every computer.
I did not go into every detail of this setup and it may not fully be to your liking, but I hope I have given enough guidance and support for you to make changes yourself.
Finally, I would like to encourage you to contact me if you have questions or feedback about this howto; you can reach me through the feedback link at the top.