Installing and configuring the IPFW firewall in FreeBSD
With IPFW (IP Firewall), FreeBSD ships a powerful built-in firewall that lets you filter and secure network traffic. This guide walks you step by step through installing, enabling and configuring IPFW.
Installing IPFW
Before you can use IPFW, the required source components must be installed.
Start the FreeBSD installation configuration tool:
/usr/sbin/sysinstall
Then navigate to:
Configure
└── Distributions
    └── src
        ├── base
        └── sys
Select both components and choose OK.
Enabling IPFW
Load the firewall module manually:
kldload -v ipfw.ko
Starting IPFW automatically at boot
Open the file:
ee /etc/rc.conf
Add the following lines:
firewall_enable="YES"
firewall_type="open"
# Added to the original fragment: point rc(8) at the custom rules file described
# below so that it is loaded at boot; firewall_type only applies when the
# default script /etc/rc.firewall is used.
firewall_script="/etc/ipfw.rules"
This loads IPFW automatically when FreeBSD boots.
IPFW configuration file
The firewall rules are stored in:
/etc/ipfw.rules
An example configuration:
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
pif="em0" # interface name of NIC attached to Internet
# Change xl0 to LAN NIC interface name
$cmd 00005 allow all from any to any via xl0
# No restrictions on Loopback Interface
$cmd 00010 allow all from any to any via lo0
# Allow if it matches an existing entry in the dynamic rules table
$cmd 00101 check-state
# loopback: drop packets that carry a loopback address on any other interface
$cmd 00011 deny ip from any to 127.0.0.0/8
$cmd 00012 deny ip from 127.0.0.0/8 to any
# ISP DNS
# Replace the addresses below with the IP addresses of your public DNS servers
# (one tcp and one udp rule for each server listed in /etc/resolv.conf)
$cmd 00020 allow tcp from any to 80.84.224.249 53 out via $pif setup keep-state
$cmd 00021 allow udp from any to 80.84.224.249 53 out via $pif keep-state
$cmd 00022 allow tcp from any to 80.84.224.26 53 out via $pif setup keep-state
$cmd 00023 allow udp from any to 80.84.224.26 53 out via $pif keep-state
$cmd 00024 allow tcp from any to 83.96.192.26 53 out via $pif setup keep-state
$cmd 00025 allow udp from any to 83.96.192.26 53 out via $pif keep-state
# FTP-DATA
$cmd 00040 allow tcp from any to any 20 in via $pif
$cmd 00041 allow tcp from any to any 20 out via $pif
# FTP
$cmd 00040 allow tcp from any to any 21 in via $pif
$cmd 00041 allow tcp from any to any 21 out via $pif
# SSH
$cmd 00030 allow tcp from any to any 22 in via $pif setup keep-state
$cmd 00031 allow tcp from any to any 22 out via $pif setup keep-state
# WWW
$cmd 00040 allow tcp from any to any 80 in via $pif
$cmd 00041 allow tcp from any to any 80 out via $pif
# HTTPS
$cmd 00050 allow tcp from any to any 443 in via $pif setup keep-state
$cmd 00051 allow tcp from any to any 443 out via $pif setup keep-state
# PLESK
$cmd 00060 allow tcp from any to any 8443 in via $pif setup keep-state
$cmd 00061 allow tcp from any to any 8443 out via $pif setup keep-state
# POPPASSD (Plesk)
# "setup" only has meaning for tcp (it matches the SYN of a new connection);
# udp rules use keep-state alone
$cmd 00060 allow tcp from 127.0.0.0/8 to any 106 in via $pif setup keep-state
$cmd 00061 allow tcp from 127.0.0.0/8 to any 106 out via $pif setup keep-state
$cmd 00060 allow udp from 127.0.0.0/8 to any 106 in via $pif keep-state
$cmd 00061 allow udp from 127.0.0.0/8 to any 106 out via $pif keep-state
# AUTH (Plesk)
$cmd 00041 allow tcp from any to any 113 out via $pif
# SMTPS (Plesk)
$cmd 00070 allow tcp from any to any 465 in via $pif setup keep-state
$cmd 00071 allow tcp from any to any 465 out via $pif setup keep-state
$cmd 00072 allow udp from any to any 465 in via $pif keep-state
$cmd 00073 allow udp from any to any 465 out via $pif keep-state
# FTPS (Plesk)
$cmd 00070 allow tcp from any to any 990 in via $pif setup keep-state
$cmd 00071 allow tcp from any to any 990 out via $pif setup keep-state
$cmd 00072 allow udp from any to any 990 in via $pif keep-state
$cmd 00073 allow udp from any to any 990 out via $pif keep-state
# plesk-license-update
$cmd 00071 allow tcp from any to any 5224 out via $pif setup keep-state
$cmd 00073 allow udp from any to any 5224 out via $pif keep-state
# SEND & GET EMAIL
$cmd 00070 allow tcp from any to any 25 in via $pif setup keep-state
$cmd 00071 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00072 allow tcp from any to any 110 in via $pif setup keep-state
$cmd 00073 allow tcp from any to any 110 out via $pif setup keep-state
$cmd 00074 allow tcp from any to any 143 in via $pif setup keep-state
$cmd 00075 allow tcp from any to any 143 out via $pif setup keep-state
$cmd 00076 allow tcp from any to any 993 in via $pif setup keep-state
$cmd 00077 allow tcp from any to any 993 out via $pif setup keep-state
$cmd 00078 allow tcp from any to any 995 in via $pif setup keep-state
$cmd 00079 allow tcp from any to any 995 out via $pif setup keep-state
# PING (icmp has no handshake, so no "setup" keyword here either)
$cmd 00080 allow icmp from any to any in via $pif keep-state
$cmd 00081 allow icmp from any to any out via $pif keep-state
# TIME
$cmd 00090 allow tcp from any to any 37 out via $pif setup keep-state
# NTP
$cmd 00100 allow udp from any to any 123 out via $pif keep-state
# NNTP
$cmd 00110 allow tcp from any to any 119 in via $pif setup keep-state
$cmd 00111 allow tcp from any to any 119 out via $pif setup keep-state
# WHOIS
$cmd 00120 allow tcp from any to any 43 in via $pif setup keep-state
$cmd 00121 allow tcp from any to any 43 out via $pif setup keep-state
# FreeBSD updates
$cmd 00130 allow tcp from any to any out via $pif setup keep-state uid root
# Block NetBIOS
$cmd 00140 deny tcp from any to any 137 in via $pif
$cmd 00141 deny tcp from any to any 138 in via $pif
$cmd 00142 deny tcp from any to any 139 in via $pif
$cmd 00143 deny tcp from any to any 81 in via $pif
# MySQL
$cmd 00120 allow tcp from any to any 3306 in via $pif setup keep-state
$cmd 00121 allow udp from any to any 3306 in via $pif keep-state
# PostgreSQL
$cmd 00120 allow tcp from any to any 5432 in via $pif setup keep-state
# Tomcat
$cmd 00120 allow tcp from any to any 8080 in via $pif setup keep-state
$cmd 00120 allow tcp from any to any 9080 in via $pif setup keep-state
$cmd 00120 allow tcp from any to any 9008 in via $pif setup keep-state
# Everything not explicitly allowed above is dropped and logged
$cmd 00150 deny log ip from any to any
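Because ipfw evaluates rules by number rather than by their position in the file, a rules script like the one above is easy to get subtly wrong: a "setup" keyword on a udp or icmp rule can never match, a rule number reused for unrelated services makes the evaluation order hard to reason about, and any rule numbered above the final deny is dead. The following pre-flight check is an added example written for this guide (it is not part of the original file and needs no ipfw binary, only sh and awk). It reads a rules script in the `$cmd NNNNN action [log] proto ...` form used above and reports those three problems plus a missing catch-all deny. The sample rules it creates are constructed for the demonstration; run `lint_rules /etc/ipfw.rules` against your own file before `sh /etc/ipfw.rules`.

```shell
#!/bin/sh
# Added example, not from the original guide: a small pre-flight check for an
# ipfw rules script in the "$cmd NNNNN action [log] proto ..." style.

# lint_rules FILE: print one finding per line; exit status 1 if anything was found.
lint_rules() {
    awk '
        { sub(/#.*/, "") }                       # drop trailing comments
        $1 == "$cmd" && $2 ~ /^[0-9]+$/ {
            num = $2 + 0; action = $3
            p = 4
            if ($p == "log") p++                 # "deny log ip ..." puts log before the protocol
            proto = $p
            seen[num]++
            # the terminal rule: deny [log] ip from any to any, with nothing after it
            if (catchall == 0 && action == "deny" && proto == "ip" && $(p+1) == "from" && $(p+2) == "any" && $(p+3) == "to" && $(p+4) == "any" && NF == p + 4)
                catchall = num
            # "setup" matches the SYN of a TCP handshake; on any other protocol the rule is dead
            for (i = p + 1; i <= NF; i++)
                if ($i == "setup" && proto != "tcp") {
                    printf "line %d: \"setup\" is TCP-only but the protocol is %s\n", NR, proto
                    found++
                }
        }
        END {
            for (n in seen) {
                if (seen[n] > 1) {
                    printf "rule number %05d is used %d times; evaluation order is by number, not by file position\n", n, seen[n]
                    found++
                }
                if (catchall > 0 && n + 0 > catchall) {
                    printf "rule %05d is numbered above the catch-all deny %05d and can never match\n", n, catchall
                    found++
                }
            }
            if (catchall == 0) {
                print "no final \"deny ip from any to any\" rule: unmatched traffic falls through to the default policy"
                found++
            }
            exit (found > 0)
        }
    ' "$1"
}

# lint_count FILE: number of findings (0 means the file passed every check).
lint_count() {
    lint_rules "$1" | awk 'END { print NR }'
}

# write_sample_rules FILE: a constructed rules script with three deliberate
# mistakes: a reused rule number, "setup" on icmp, and a rule above the catch-all.
write_sample_rules() {
    cat > "$1" <<'EOF'
cmd="ipfw -q add"
pif="em0"
$cmd 00010 allow all from any to any via lo0
$cmd 00010 allow all from any to any via lo0
$cmd 00030 allow tcp from any to any 22 in via $pif setup keep-state
$cmd 00080 allow icmp from any to any in via $pif setup keep-state
$cmd 00100 allow udp from any to any 123 out via $pif keep-state
$cmd 00150 deny log ip from any to any
$cmd 00160 allow tcp from any to any 3306 in via $pif setup keep-state
EOF
}

# Demonstration on the constructed sample (prints three findings).
sample=$(mktemp)
write_sample_rules "$sample"
lint_rules "$sample" || echo "fix the findings above before running: sh $sample"
rm -f "$sample"
```

The check is deliberately conservative: it only understands the `$cmd NNNNN ...` form, so rules written as bare `ipfw add ...` lines or using `logamount` are not parsed, and a clean result says nothing about whether the policy itself is what you intended.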
Loading the firewall rules
After saving the configuration, load the new firewall rules with:
sh /etc/ipfw.rules
If you use a different file name, for example:
/etc/ipfw.rules.jdn
then load it as follows:
sh /etc/ipfw.rules.jdn
Enabling firewall logging
Do you want firewall logging to be enabled automatically after every reboot? Then add the following lines to:
/etc/sysctl.conf
# Added to the original one-line fragment: verbose_limit only caps the number of
# entries per rule; logging itself is off until verbose is set to 1.
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
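Once logging is on, every packet that hits a `log` rule (the final `deny log ip from any to any` above) produces a kernel message that syslog writes to /var/log/security on a default FreeBSD installation. The script below is an added example for this guide, not something from the original page: it summarises those lines by source address and destination port so that a scan or a misconfigured client stands out. It assumes the standard ipfw log layout `ipfw: <rule> Deny <PROTO> <src>:<port> <dst>:<port> in via <iface>` with IPv4 addresses (ICMP lines carry no ports and are shown with `-` as the port); the log lines it creates are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original guide: summarise ipfw "Deny" log lines.

# deny_counts FILE: print "count source_ip dest_port", most frequent first.
deny_counts() {
    awk '
        /ipfw: [0-9]+ Deny / {
            # locate the "ipfw:" token; after it come rule, action, proto, src, dst, ...
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            src = $(i + 4); dst = $(i + 5)
            sub(/:[0-9]+$/, "", src)             # keep the source address, drop its port
            n = split(dst, d, ":")               # d[2] is the destination port (absent for ICMP)
            dport = (n >= 2) ? d[2] : "-"
            count[src " " dport]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# noisy_sources FILE MIN: source addresses with at least MIN denied packets in total.
noisy_sources() {
    deny_counts "$1" | awk -v min="$2" '
        { total[$2] += $1 }
        END { for (s in total) if (total[s] >= min) print s }
    ' | sort
}

# write_sample_log FILE: constructed syslog lines in the ipfw format (not real traffic).
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 10 12:00:01 gw kernel: ipfw: 150 Deny TCP 203.0.113.5:51234 198.51.100.7:23 in via em0
Jan 10 12:00:02 gw kernel: ipfw: 150 Deny TCP 203.0.113.5:51235 198.51.100.7:23 in via em0
Jan 10 12:00:03 gw kernel: ipfw: 150 Deny TCP 203.0.113.5:51236 198.51.100.7:3389 in via em0
Jan 10 12:00:04 gw kernel: ipfw: 140 Deny TCP 198.51.100.44:4321 198.51.100.7:137 in via em0
Jan 10 12:00:05 gw kernel: ipfw: 150 Deny UDP 203.0.113.77:5000 198.51.100.7:161 in via em0
Jan 10 12:00:06 gw kernel: ipfw: 150 Deny ICMP:8.0 203.0.113.9 198.51.100.7 in via em0
EOF
}

# Demonstration on the constructed sample.
sample=$(mktemp)
write_sample_log "$sample"
echo "denied packets per source and destination port:"
deny_counts "$sample"
echo "sources with 3 or more denies:"
noisy_sources "$sample" 3
rm -f "$sample"
```

Keep in mind that `net.inet.ip.fw.verbose_limit=5` stops a rule from logging after five entries until its log counter is reset with `ipfw resetlog`, so a summary built from the log under-counts a busy rule; raise the limit or reset the counters before relying on the totals.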
Checking the IPFW configuration
Check that all firewall rules have been loaded correctly:
ipfw -at list
This gives you an overview of all active firewall rules, including the packet and byte counters and the time of the last match.
Summary
After following these steps, IPFW is installed and configured on your FreeBSD server. The firewall is loaded automatically at boot, uses your own firewall rules and provides logging so that you can monitor network traffic.