How to activate IPFW firewall in FreeBSD 11.x with DirectAdmin Hosting Control Panel
IPFW comes with various features including:
- Kernel firewall filter rule processor
- Integrated packet accounting feature
- Logging facility
- NAT
- Dummynet traffic shaper
- Forward feature
- Bridge feature
- Ipstealth feature
How to enable IPFW in FreeBSD + DirectAdmin?
IPFW is included in the basic FreeBSD install as a kernel loadable module, meaning that a custom kernel is not needed in order to enable IPFW.
1 Activate IPFW at startup:
1-1- Edit rc.conf using ee or nano:
# ee /etc/rc.conf
1-2- Add the line below to the file and save:
firewall_enable="YES"
2 Reboot your system to enable the firewall
# reboot
Caution: with only firewall_enable="YES" set, the stock /etc/rc.firewall loads no rules (firewall_type defaults to UNKNOWN) and the ipfw module's default rule is deny, so a remote server becomes unreachable after this reboot. On a box you administer over SSH, complete steps 3 and 4 first and reboot only then, or do this from the console.
3 Adding more configuration for the firewall
After the reboot, edit rc.conf again and add the following lines after firewall_enable="YES":
firewall_type="simple"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
Because firewall_script points at our own file, /etc/rc.d/ipfw runs that file instead of /etc/rc.firewall and firewall_type is never consulted; the line does no harm, but it can be left out. Do not add a second firewall_script line: rc.conf is sourced as a shell script, the last assignment wins, and a stray firewall_script="YES" would replace the path. firewall_logging="YES" sets net.inet.ip.fw.verbose=1, so the "log" rules below go to syslog (security facility, /var/log/security on a default install).
4 Firewall rules:
Now add the IPFW rules. Edit the rules file with ee or nano:
# ee /etc/ipfw.rules
Paste the rules below and save:
#!/bin/sh
#################################################
# ipfw Firewall Commands
#################################################
# Rules added without a number get one 100 apart (100, 200, ...); rules with
# an explicit number are inserted at that position. The "Deny Port scanning"
# block below (00600-00650) is therefore evaluated early, between "deny
# established" (600) and "allow out keep-state" (700), not where it appears
# in this file. The final unnumbered deny lands after 60016.
cmd="ipfw -q add"
ipfw -q -f flush   # start from an empty ruleset on every run
pif="em0"          # public interface; not used by the rules below, set it if you add "via $pif" rules

#################################################
# Allow Loopback and Deny Loopback Spoofing
#################################################
$cmd allow all from any to any via lo0
$cmd deny all from any to 127.0.0.0/8
$cmd deny all from 127.0.0.0/8 to any
$cmd deny tcp from any to any frag   # non-first fragments of TCP packets

#################################################
# Stateful rules
#################################################
$cmd check-state                               # packets of connections already in the dynamic table
$cmd deny tcp from any to any established      # TCP segments with no dynamic entry are dropped
$cmd allow all from any to any out keep-state  # anything the server initiates, with state
$cmd allow icmp from any to any

#################################################
# Incoming/Outgoing Services
# "setup" matches only the initial SYN; "limit src-addr N" caps the number
# of simultaneous connections per client address
#################################################
$cmd 60001 allow tcp from any to any 21 setup limit src-addr 10             # FTP control
$cmd 60002 allow tcp from any to any 22 setup limit src-addr 8              # SSH
$cmd 60003 allow tcp from any to any 25 setup limit src-addr 10             # SMTP
$cmd 60004 allow tcp from any to any 587 setup limit src-addr 20            # SMTP submission
$cmd 60005 allow tcp from any to any 53 setup limit src-addr 3              # DNS over TCP
$cmd 60006 allow udp from any to any 53 limit src-addr 3                    # DNS over UDP
$cmd 60007 allow tcp from any to any 80 setup limit src-addr 20             # HTTP
$cmd 60008 allow tcp from any to any 110 setup limit src-addr 20            # POP3
$cmd 60009 allow tcp from any to any 143 setup limit src-addr 10            # IMAP
$cmd 60010 allow tcp from any to any 443 setup limit src-addr 10            # HTTPS
$cmd 60011 allow tcp from any to any 2222 setup limit src-addr 12           # DirectAdmin panel
$cmd 60012 allow tcp from any to any 35000-35999 in setup limit src-addr 10 # passive FTP data ports
$cmd 60013 allow tcp from any to any 993 setup limit src-addr 10            # IMAPS
$cmd 60014 allow tcp from any to any 995 setup limit src-addr 10            # POP3S
$cmd 60015 allow tcp from any to any 465 setup limit src-addr 10            # SMTPS
$cmd 60016 allow tcp from any to any 585 setup limit src-addr 10            # legacy imap4-ssl

#################################################
# Deny Port scanning (Nmap)
# Source-routing/record-route options and impossible flag combinations
# (SYN+FIN, SYN+RST) are typical of scanners; each rule logs at most 50
# packets (reset the counters with "ipfw resetlog")
#################################################
$cmd 00600 deny log logamount 50 ip from any to any ipoptions rr
$cmd 00610 deny log logamount 50 ip from any to any ipoptions ts
$cmd 00620 deny log logamount 50 ip from any to any ipoptions lsrr
$cmd 00630 deny log logamount 50 ip from any to any ipoptions ssrr
$cmd 00640 deny log logamount 50 tcp from any to any tcpflags syn,fin
$cmd 00650 deny log logamount 50 tcp from any to any tcpflags syn,rst

#################################################
# Deny and Log
#################################################
$cmd deny log all from any to any   # everything not matched above is dropped and logged
5 Restart IPFW to apply your rules:
# /etc/rc.d/ipfw stop
And then:
# /etc/rc.d/ipfw start
The stop step sets net.inet.ip.fw.enable=0 before start reloads the script, so this sequence does not cut off a remote session; "service ipfw restart" does the same in one command. Check the loaded rules and their hit counters with "ipfw -a list".
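Before running step 5 on a server you only reach over SSH, it pays to check the configuration and to load the rules with a safety net. The script below is an added example, not the page's, FreeBSD's or DirectAdmin's own code. It assumes rc.conf uses plain key="value" lines and that the rules file keeps the layout shown above (a cmd="ipfw -q add" line, a bare "ipfw -q -f flush" line, and rules of the form "$cmd [num] allow <proto> from any to any <port> ..."). rcconf_check catches the duplicate-key mistake from step 3 (the last firewall_script assignment wins), rules_open_ports lists what the ruleset opens so it can be compared with sockstat -l, rules_syntax_check parses the rules with ipfw -n without touching the kernel, and apply_with_watchdog arms a timer that disables filtering if you do not confirm access in time. The two check functions are pure text processing and run under any POSIX sh with awk; the last two need FreeBSD's ipfw and sysctl.

```shell
#!/bin/sh
# Pre-flight checks and a lockout-safe loader for the IPFW setup above.
# Added example; not the page's, FreeBSD's or DirectAdmin's own script.
# Assumptions: rc.conf uses plain key="value" lines; the rules file keeps the
# page's layout (cmd="ipfw -q add", a bare "ipfw -q -f flush", and rules of
# the form "$cmd [num] allow <proto> from any to any <port> ...").

# rcconf_check FILE: return 0 if FILE enables IPFW sanely, otherwise print one
# diagnostic per problem and return 1. rc.conf is sourced as shell, so the LAST
# assignment of a key wins: a stray second firewall_script="YES" quietly
# replaces the real script path. Catching that is the main job here.
rcconf_check() {
    awk '
    /^[ \t]*firewall_[a-z_]*=/ {
        key = $0; sub(/=.*/, "", key); sub(/^[ \t]*/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/["'\'']/, "", val)
        if (key in seen) {
            printf "duplicate %s: line %d overrides line %d\n", key, NR, seen[key]
            bad = 1
        }
        seen[key] = NR; value[key] = val
    }
    END {
        if (toupper(value["firewall_enable"]) != "YES") {
            print "firewall_enable is not YES"; bad = 1
        }
        s = value["firewall_script"]
        if (s != "" && (s !~ /^\// || system("test -r \"" s "\"") != 0)) {
            print "firewall_script is not a readable absolute path: " s; bad = 1
        }
        exit bad + 0
    }' "$1"
}

# rules_open_ports FILE: print "proto/port" for every allow rule that can match
# inbound TCP/UDP, one per line and in file order. Diff the output against
# "sockstat -l" on the host to spot listeners the firewall does not cover, or
# ports opened for nothing.
rules_open_ports() {
    awk '
    $1 == "$cmd" && /[ \t]allow[ \t]+(tcp|udp)[ \t]/ && !/[ \t]out[ \t]/ {
        proto = ($0 ~ /allow[ \t]+tcp[ \t]/) ? "tcp" : "udp"
        for (i = 1; i < NF; i++)
            if ($i == "to" && $(i + 1) == "any" && $(i + 2) ~ /^[0-9]+(-[0-9]+)?$/)
                print proto "/" $(i + 2)
    }' "$1"
}

# rules_syntax_check FILE: shell-syntax-check the rules file, then run it with
# "ipfw -n" (parse only, nothing reaches the kernel); sh -e stops at the first
# rule ipfw rejects. Returns 2 when ipfw is not installed, so the deploy chain
# below stops on a non-FreeBSD host.
rules_syntax_check() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not available here" >&2; return 2; }
    sh -n "$1" || return 1
    sed -e 's/^ipfw -q -f flush$/:/' \
        -e 's/^cmd="ipfw -q add"$/cmd="ipfw -n -q add"/' "$1" | sh -e
}

# apply_with_watchdog FILE [SECONDS]: arm a watchdog that turns packet
# filtering off (net.inet.ip.fw.enable=0, which is what "service ipfw stop"
# does) after SECONDS, then load FILE. From a remote session this means a
# ruleset that locks you out undoes itself; once a fresh SSH login works,
# kill the printed PID to keep the rules. nohup keeps the watchdog alive if
# the session that started it is the one that gets cut off.
apply_with_watchdog() {
    grace=${2:-120}
    nohup sh -c "sleep $grace; sysctl net.inet.ip.fw.enable=0" >/dev/null 2>&1 &
    wd=$!
    sh "$1" && sysctl net.inet.ip.fw.enable=1 >/dev/null
    echo "rules loaded; filtering auto-disables in ${grace}s unless you run: kill $wd"
}

# Usage: sh ipfw-preflight.sh deploy   (file names are the ones the page uses)
if [ "${1:-}" = "deploy" ]; then
    rcconf_check /etc/rc.conf &&
        rules_syntax_check /etc/ipfw.rules &&
        apply_with_watchdog /etc/ipfw.rules 120
fi
```

The watchdog fails open on purpose: if the rules are wrong you get an unfiltered server for a moment rather than a locked one, which is the cheaper failure when the alternative is a trip to the console. Pick a grace period long enough to open a second SSH session and check the panel on port 2222.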