How to Enable IPFW Firewall in the Kernel on FreeBSD Operating System

Learn how to enable IPFW in the FreeBSD kernel, configure it, and set up basic firewall rules to secure your system.
by İbrahim Korucuoğlu ( @siberoloji) |
Tags:
Categories:

  6 minute read  

Introduction

FreeBSD is a powerful and versatile open-source operating system known for its robustness, scalability, and advanced networking capabilities. One of the key features that make FreeBSD a popular choice for servers and network appliances is its built-in firewall solutions. Among these, IPFW (IP Firewall) stands out as a flexible and efficient firewall tool that can be used to secure a FreeBSD system.

IPFW is a stateful firewall that provides packet filtering, NAT (Network Address Translation), and traffic shaping. It is integrated into the FreeBSD kernel, making it a high-performance solution for network security. However, before you can use IPFW, you need to ensure that it is enabled in the FreeBSD kernel. This article will guide you through the process of enabling IPFW in the FreeBSD kernel, configuring it, and setting up basic firewall rules.

Prerequisites

Before proceeding, ensure that you have the following:

  1. A FreeBSD System: This guide assumes you have a working installation of FreeBSD. The steps should be applicable to most recent versions of FreeBSD.

  2. Root Access: You will need root or superuser privileges to modify the kernel and configure the firewall.

  3. Basic Knowledge of FreeBSD: Familiarity with FreeBSD’s command-line interface, text editing (using tools like vi or ee), and basic networking concepts will be helpful.

Step 1: Understanding IPFW

IPFW is a firewall tool that operates at the kernel level, allowing it to process network packets efficiently. It uses a set of rules to determine how to handle incoming and outgoing traffic. These rules can be based on various criteria, such as source and destination IP addresses, ports, protocols, and more.

IPFW supports both stateless and stateful filtering. In stateful mode, it can track the state of connections, allowing it to make more intelligent decisions about which packets to allow or deny. Additionally, IPFW can perform NAT, which is useful for sharing a single public IP address among multiple devices on a private network.

Step 2: Checking if IPFW is Already Enabled

Before making any changes, it’s a good idea to check whether IPFW is already enabled in your FreeBSD kernel. You can do this by running the following command:

sysctl net.inet.ip.fw.enable

If the output is net.inet.ip.fw.enable: 1, then IPFW is already enabled. If the output is 0, IPFW is disabled, and you will need to enable it.

Step 3: Enabling IPFW in the Kernel

There are two primary methods to enable IPFW in the FreeBSD kernel:

  1. Loading IPFW as a Kernel Module: This method is simpler and does not require a kernel rebuild. It is suitable for most users.

  2. Compiling IPFW into the Kernel: This method involves rebuilding the FreeBSD kernel with IPFW support. It is more complex but can be beneficial for performance and customization.

Method 1: Loading IPFW as a Kernel Module

To load IPFW as a kernel module, follow these steps:

  1. Edit the /etc/rc.conf File:

    Open the /etc/rc.conf file in a text editor:

    ee /etc/rc.conf

    Add the following lines to enable IPFW and set it to start at boot:

    firewall_enable="YES"
firewall_type="open"  # You can change this to "client", "simple", or a custom script

    The firewall_type option determines the default set of firewall rules. The open setting allows all traffic, which is useful for testing. You can later customize the rules to suit your needs.

  2. Load the IPFW Kernel Module:

    To load the IPFW module without rebooting, run:

    kldload ipfw

    You can verify that the module is loaded by running:

    kldstat | grep ipfw

  3. Start the Firewall:

    Start the IPFW firewall service:

    service ipfw start

    You can check the status of the firewall with:

    service ipfw status

Method 2: Compiling IPFW into the Kernel

If you prefer to compile IPFW directly into the kernel, follow these steps:

  1. Obtain the Kernel Source Code:

    Ensure you have the FreeBSD kernel source code. If you don’t, you can install it using:

    svnlite checkout https://svn.freebsd.org/base/head /usr/src

  2. Edit the Kernel Configuration File:

    Navigate to the kernel configuration directory:

    cd /usr/src/sys/amd64/conf  # Adjust the path if you're using a different architecture

    Copy the default kernel configuration file to a new file:

    cp GENERIC MYKERNEL

    Open the new configuration file in a text editor:

    ee MYKERNEL

    Add the following lines to enable IPFW support:

    options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPFIREWALL_DEFAULT_TO_ACCEPT
    • IPFIREWALL: Enables the IPFW firewall.
    • IPFIREWALL_VERBOSE: Enables logging of firewall activity.
    • IPFIREWALL_VERBOSE_LIMIT: Limits the number of logged packets to prevent log flooding.
    • IPFIREWALL_DEFAULT_TO_ACCEPT: Sets the default policy to accept packets (you can change this to DENY for a more restrictive policy).

  3. Compile and Install the New Kernel:

    Compile the kernel with the new configuration:

    cd /usr/src
make buildkernel KERNCONF=MYKERNEL
make installkernel KERNCONF=MYKERNEL

    Reboot the system to load the new kernel:

    reboot

  4. Enable IPFW at Boot:

    After rebooting, edit the /etc/rc.conf file to enable IPFW:

    ee /etc/rc.conf

    Add the following lines:

    firewall_enable="YES"
firewall_type="open"

    Start the IPFW service:

    service ipfw start

Step 4: Configuring IPFW Rules

With IPFW enabled, you can now configure firewall rules to control traffic. IPFW rules are processed in order, and the first matching rule determines the action taken (allow or deny).

  1. View Current Rules:

    To view the current IPFW rules, run:

    ipfw list

  2. Add Rules:

    You can add rules using the ipfw add command. For example, to allow SSH traffic (port 22), you can add:

    ipfw add allow tcp from any to any 22

    To block all incoming traffic except SSH, you can use:

    ipfw add allow tcp from any to any 22
ipfw add deny ip from any to any

  3. Save Rules:

    To make your rules persistent across reboots, save them to a script and configure IPFW to use it. For example, create a script at /usr/local/etc/ipfw.rules:

    ee /usr/local/etc/ipfw.rules

    Add your rules to the script:

    #!/bin/sh
ipfw -q flush
ipfw -q add allow tcp from any to any 22
ipfw -q add deny ip from any to any

    Make the script executable:

    chmod +x /usr/local/etc/ipfw.rules

    Update /etc/rc.conf to use the custom script:

    firewall_script="/usr/local/etc/ipfw.rules"

Conclusion

Enabling and configuring IPFW in the FreeBSD kernel is a straightforward process that significantly enhances the security of your system. Whether you choose to load IPFW as a kernel module or compile it directly into the kernel, the flexibility and power of IPFW make it an excellent choice for managing network traffic.

By following the steps outlined in this article, you can enable IPFW, configure basic firewall rules, and ensure that your FreeBSD system is well-protected against unauthorized access. As you become more familiar with IPFW, you can explore its advanced features, such as traffic shaping, NAT, and more complex rule sets, to further customize your firewall configuration.

Remember that firewall management is an ongoing process. Regularly review and update your rules to adapt to changing network requirements and security threats. With IPFW, you have a robust tool at your disposal to keep your FreeBSD system secure and efficient.


< Monitor Kernel Events with KTR on FreeBSDConfigure Kernel-Level NAT on FreeBSD >