How to activate IPFW firewall in FreeBSD 11.x with DirectAdmin Hosting Control Panel


IPFW is one of the most frequently used firewalls in FreeBSD. It is a stateful firewall that supports both IPv4 and IPv6.
IPFW comes with various features including:

  • Kernel firewall filter rule processor
  • Integrated packet accounting feature
  • Logging facility
  • NAT
  • Dummynet traffic shaper
  • Forward feature
  • Bridge feature
  • Ipstealth feature

How to enable IPFW in FreeBSD + DirectAdmin?

IPFW is included in the basic FreeBSD install as a kernel loadable module, meaning that a custom kernel is not needed in order to enable IPFW.

1  Activate IPFW at startup:

1-1- Modify rc.conf using ee or nano:

# ee /etc/rc.conf

1-2- Add below line to the file and save

firewall_enable="YES"

2  Reboot your system to enable the firewall

# reboot

Read this before rebooting a server you reach over SSH. With only firewall_enable="YES" set, the rc.d script loads the ipfw kernel module and runs the stock /etc/rc.firewall with firewall_type unset (UNKNOWN), which installs no rules at all; the module's built-in last rule, 65535 deny ip from any to any, then drops every packet, including your SSH session. Either finish steps 3 and 4 before rebooting, or do this step from a console (KVM/IPMI) session. A reboot is also not strictly necessary: because IPFW is a loadable module, "service ipfw start" loads it and applies the configured rules without restarting the host.


3   Adding more configurations for the firewall

Next, edit rc.conf again and add the following lines after firewall_enable="YES":

firewall_script="/etc/ipfw.rules"
firewall_logging="YES"

firewall_script makes the rc.d script run your own rules file instead of the stock /etc/rc.firewall. Because the custom script replaces rc.firewall entirely, firewall_type (which selects one of the canned rc.firewall profiles such as "open", "client" or "simple") is not consulted and can be left out. Make sure firewall_script appears only once: rc.conf is a shell file and the last assignment wins, so a second line such as firewall_script="YES" would silently replace the path and leave you with no rules. firewall_logging="YES" sets net.inet.ip.fw.verbose=1, so rules that carry the log keyword write to syslog (facility security, which the default syslog.conf sends to /var/log/security).

4   Firewall rules:
Now add the rules for IPFW by editing the rules file with ee or nano:

# ee /etc/ipfw.rules

Paste the rules below and save.

These rules vary from one server to another; adjust them to your own installation and needs. They are provided as an example.

#!/bin/sh
#################################################
# ipfw Firewall Commands
#
# ipfw evaluates rules in rule-number order, not in file order. An "add"
# without a number is given the highest number already loaded plus 100
# (the default net.inet.ip.fw.autoinc_step). So the unnumbered rules below
# become 100-800, the service rules keep their explicit 60001-60016, the
# explicitly numbered anti-scan rules 600-650 are evaluated right after
# "deny ... established" and before the service rules, and the final
# "deny log all" becomes 60116.
#################################################
cmd="ipfw -q add"
ipfw -q -f flush   # empty the live ruleset; only the built-in deny (65535) remains until the rules below are added
pif="em0"          # public interface; unused below, kept for "via $pif" restrictions you may want to add

#################################################
# Allow Loopback and Deny Loopback Spoofing
#################################################
$cmd allow all from any to any via lo0
$cmd deny all from any to 127.0.0.0/8
$cmd deny all from 127.0.0.0/8 to any
$cmd deny tcp from any to any frag        # non-first TCP fragments carry no TCP header to filter on

#################################################
# Stateful rules
#################################################
$cmd check-state                                # packets belonging to a dynamic entry (keep-state/limit) are accepted here
$cmd deny tcp from any to any established       # TCP segments with no matching state are dropped
$cmd allow all from any to any out keep-state   # everything outbound, with state so the replies pass at check-state
$cmd allow icmp from any to any                 # ICMP of every type; narrow with "icmptypes" if you do not need all of it

#################################################
# Incoming/Outgoing Services
# "setup" matches only the SYN that opens a connection, and "limit src-addr N"
# creates its dynamic entry while capping open connections per source at N.
# 2222 is the DirectAdmin panel; 35000-35999 is the passive-FTP data range
# that matches DirectAdmin's default ProFTPD PassivePorts setting.
#################################################
$cmd 60001 allow tcp from any to any 21 setup limit src-addr 10
$cmd 60002 allow tcp from any to any 22 setup limit src-addr 8
$cmd 60003 allow tcp from any to any 25 setup limit src-addr 10
$cmd 60004 allow tcp from any to any 587 setup limit src-addr 20
$cmd 60005 allow tcp from any to any 53 setup limit src-addr 3
$cmd 60006 allow udp from any to any 53 limit src-addr 3
$cmd 60007 allow tcp from any to any 80 setup limit src-addr 20
$cmd 60008 allow tcp from any to any 110 setup limit src-addr 20
$cmd 60009 allow tcp from any to any 143 setup limit src-addr 10
$cmd 60010 allow tcp from any to any 443 setup limit src-addr 10
$cmd 60011 allow tcp from any to any 2222 setup limit src-addr 12
$cmd 60012 allow tcp from any to any 35000-35999 in setup limit src-addr 10
$cmd 60013 allow tcp from any to any 993 setup limit src-addr 10
$cmd 60014 allow tcp from any to any 995 setup limit src-addr 10
$cmd 60015 allow tcp from any to any 465 setup limit src-addr 10
$cmd 60016 allow tcp from any to any 585 setup limit src-addr 10

#################################################
# Deny Port scanning (Nmap)
# IP options rr/ts/lsrr/ssrr (record route, timestamp, loose/strict source
# routing) and the impossible flag pairs syn,fin and syn,rst do not occur in
# normal traffic. "logamount 50" stops each rule logging after 50 lines until
# its counters are cleared with "ipfw resetlog".
#################################################
$cmd 00600 deny log logamount 50 ip from any to any ipoptions rr
$cmd 00610 deny log logamount 50 ip from any to any ipoptions ts
$cmd 00620 deny log logamount 50 ip from any to any ipoptions lsrr
$cmd 00630 deny log logamount 50 ip from any to any ipoptions ssrr
$cmd 00640 deny log logamount 50 tcp from any to any tcpflags syn,fin
$cmd 00650 deny log logamount 50 tcp from any to any tcpflags syn,rst

#################################################
# Deny and Log
# No logamount here, so logging is bounded only by the global
# net.inet.ip.fw.verbose_limit sysctl; add one if a flood could fill
# /var/log/security.
#################################################
$cmd deny log all from any to any

The "setup limit src-addr X" part of each service rule does two things. "setup" matches only the packet that opens a TCP connection (SYN set, ACK clear), so the rule is consulted once per connection; "limit src-addr X" then creates a dynamic entry for that connection, which lets the rest of it through at check-state, and refuses to create more than X such entries for the same source address. A single IP can therefore hold at most X open connections to that service at a time. The cap is on simultaneous connections, not on attempts per second, and a slot is freed when its connection closes or its state expires. The UDP rule for port 53 has no "setup" (UDP has no handshake) and simply limits concurrent DNS flows per source.

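Because ipfw evaluates by rule number rather than by position in the file, it is easy to misread a rules script like the one above. The following script, an added example that is not code from this article or from FreeBSD, simulates the kernel's numbering (an unnumbered add gets the highest loaded number plus the default autoinc_step of 100, which is assumed here) and prints the rules in their real evaluation order, flagging explicitly numbered rules that jump ahead of rules written earlier. It assumes the rules file uses cmd="ipfw -q add" as above; the sample ruleset it writes is a constructed, abbreviated copy of the one on this page.

```sh
#!/bin/sh
# Added example (not from the article or FreeBSD): simulate how the kernel
# numbers the rules in a script like /etc/ipfw.rules and show the order in
# which they are really evaluated. ipfw evaluates by rule number, not by file
# position; an "add" with no number gets the highest number already loaded
# plus net.inet.ip.fw.autoinc_step (100 by default, assumed here). Assumes the
# script uses cmd="ipfw -q add" as in the article; other lines are ignored.

# Number each "$cmd ..." line as the kernel would and print
# "<rulenum> <file line> <rule text>" in file order.
ipfw_number_rules() {
    awk '
        $1 == "$cmd" {
            if ($2 ~ /^[0-9]+$/) { num = $2 + 0; first = 3 }
            else {
                # unnumbered rule: highest existing number + 100, unless that
                # would run into the default rule 65535
                num = last
                if (num < 65535 - 100) num += 100
                first = 2
            }
            if (num > last) last = num
            text = ""
            for (i = first; i <= NF; i++) text = text (i > first ? " " : "") $i
            printf "%05d %04d %s\n", num, NR, text
        }' "$1"
}

# The same rules in evaluation order: by number, and among equal numbers in
# insertion order (a stable sort keeps file order for ties).
ipfw_eval_order() {
    ipfw_number_rules "$1" | sort -s -k1,1n
}

# Report explicitly numbered rules that are evaluated before rules that appear
# earlier in the file (the "deny port scanning" block on this page does this).
ipfw_jump_ahead() {
    ipfw_number_rules "$1" | awk '
        {
            num = $1 + 0; line = $2 + 0
            if (num < maxnum)
                printf "rule %d (line %d) is evaluated before rule %d (line %d)\n", num, line, maxnum, maxline
            else { maxnum = num; maxline = line }
        }'
}

# Constructed, abbreviated ruleset with the same structure as the page's
# script, written to the file named in $1.
write_sample_rules() {
    cat > "$1" <<'EOF'
cmd="ipfw -q add"
ipfw -q -f flush
$cmd allow all from any to any via lo0
$cmd deny all from any to 127.0.0.0/8
$cmd check-state
$cmd deny tcp from any to any established
$cmd allow all from any to any out keep-state
$cmd 60001 allow tcp from any to any 22 setup limit src-addr 8
$cmd 60002 allow tcp from any to any 80 setup limit src-addr 20
$cmd 00640 deny log logamount 50 tcp from any to any tcpflags syn,fin
$cmd deny log all from any to any
EOF
}

# Usage: sh ipfw-order.sh [/etc/ipfw.rules]; with no argument the sample is used.
if [ -n "$1" ]; then
    rules="$1"
else
    rules=$(mktemp) && write_sample_rules "$rules"
fi
echo "== evaluation order (rulenum, file line, rule) =="
ipfw_eval_order "$rules"
echo "== rules that jump ahead of earlier lines =="
ipfw_jump_ahead "$rules"
if [ -z "$1" ]; then rm -f "$rules"; fi
```

Run it against /etc/ipfw.rules before loading a new version: anything reported by the jump-ahead check is a rule that will be consulted earlier than the file suggests, which is harmless for the anti-scan denies above but surprising when an allow rule lands in front of a deny.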

5   Restart the IPFW to apply your rules:

# /etc/rc.d/ipfw stop

And then:

# /etc/rc.d/ipfw start

On FreeBSD 11 the same two steps are available as one command, "service ipfw restart". Before doing this over SSH, check the file with "sh -n /etc/ipfw.rules": the rules file is a shell script that starts by flushing the live ruleset, so a shell syntax error that aborts it part-way leaves the server with only the rules added before the error plus the built-in deny. Also keep a console session, or a timed fallback such as

# (sleep 300 && ipfw disable firewall) &

running until a fresh SSH login has been confirmed to work; "ipfw disable firewall" turns filtering off (net.inet.ip.fw.enable=0) without touching the rules, and "kill %1" cancels the fallback once you are satisfied. Afterwards, verify what is loaded with "ipfw list", "ipfw -a list" (packet counters per rule) and "ipfw -d list" (including the dynamic entries created by keep-state and limit).


ALWAYS BACKUP YOUR SERVER BEFORE MAKING NEW CHANGES
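Once the firewall is live and firewall_logging="YES" is set, the "deny log" rules write one syslog line per logged packet to /var/log/security. The script below is an added example, not code from this article or from FreeBSD, that summarises those lines: which sources each logging rule is dropping, and which TCP ports a given source has been denied on (many ports from one address is the signature of a scan). It assumes the kernel's line layout of "ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <if>" with one-word actions such as Deny and IPv4 addresses; the sample log lines are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the article or FreeBSD): summarise what the "deny log"
# rules are catching, using the lines the kernel writes to /var/log/security
# when firewall_logging="YES". Assumed line layout (one-word actions such as
# Deny/Accept, IPv4 addresses):
#   <date> <host> kernel: ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <if>
# ICMP lines carry "ICMP:<type>.<code>" and addresses without ports.
# The sample lines below are constructed for this example.

# Locate the fields after "ipfw:" regardless of the syslog prefix and print
# "<rule> <source ip> <count>", most frequent first.
# $1: log file (default /var/log/security)
ipfw_top_sources() {
    awk '
        /ipfw: / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i + 1); src = $(i + 4)
            sub(/:[0-9]+$/, "", src)        # drop the source port, if any
            count[rule " " src]++
        }
        END { for (k in count) print k, count[k] }' "${1:-/var/log/security}" |
    sort -k3,3nr -k1,1n
}

# Distinct TCP destination ports one source was denied on, ascending, as a
# single space-separated line.
# $1: log file, $2: source ip
ipfw_ports_probed() {
    awk -v ip="$2" '
        /ipfw: / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            src = $(i + 4); dst = $(i + 5)
            sub(/:[0-9]+$/, "", src)
            if (src == ip && $(i + 3) == "TCP") { sub(/^.*:/, "", dst); ports[dst] = 1 }
        }
        END { for (p in ports) print p }' "$1" | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample of /var/log/security, written to the file named in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:15:01 web1 kernel: ipfw: 60116 Deny TCP 198.51.100.7:40001 203.0.113.10:23 in via em0
Mar  3 10:15:01 web1 kernel: ipfw: 60116 Deny TCP 198.51.100.7:40002 203.0.113.10:3306 in via em0
Mar  3 10:15:02 web1 kernel: ipfw: 60116 Deny TCP 198.51.100.7:40003 203.0.113.10:8080 in via em0
Mar  3 10:15:02 web1 kernel: ipfw: 640 Deny TCP 198.51.100.7:40004 203.0.113.10:22 in via em0
Mar  3 10:15:05 web1 kernel: ipfw: 60116 Deny UDP 192.0.2.44:5353 203.0.113.10:5353 in via em0
Mar  3 10:15:09 web1 kernel: ipfw: 60116 Deny TCP 192.0.2.44:51000 203.0.113.10:445 in via em0
Mar  3 10:16:00 web1 kernel: ipfw: 600 Deny ICMP:8.0 192.0.2.9 203.0.113.10 in via em0
EOF
}

# Usage: sh ipfw-log.sh [/var/log/security]; with no argument the sample is used.
if [ -n "$1" ]; then
    log="$1"
else
    log=$(mktemp) && write_sample_log "$log"
fi
echo "== denied packets per rule and source =="
ipfw_top_sources "$log"
top=$(ipfw_top_sources "$log" | sed -n 1p | cut -d' ' -f2)
echo "== TCP ports probed by $top =="
ipfw_ports_probed "$log" "$top"
if [ -z "$1" ]; then rm -f "$log"; fi
```

The rule number in each line tells you which of the page's rules fired: 600-650 are the anti-scan denies, while the unnumbered final "deny log all" becomes 60116 with the ruleset above. Remember that a rule with logamount stops logging once its limit is reached until "ipfw resetlog" clears it, so a quiet log does not by itself mean a quiet network; compare with the counters from "ipfw -a list".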
