How to Enable and Configure IPFW in the FreeBSD Kernel

Learn how to enable the IPFW firewall in the FreeBSD kernel, configure it, and write rules for packet filtering, NAT and traffic shaping.

Introduction

FreeBSD is a powerful and versatile operating system known for its robustness, security, and advanced networking capabilities. It ships three packet filters (IPFW, PF and IPFilter); this article covers IPFW (IP Firewall), the one developed within FreeBSD itself. IPFW is a stateful firewall that provides packet filtering, NAT (Network Address Translation), and traffic shaping. Enabling and configuring it is an essential step in securing a system and controlling its network traffic.

This article provides a comprehensive guide on how to enable IPFW in the FreeBSD kernel, configure it, and set up basic firewall rules. Whether you’re a system administrator, a network engineer, or a FreeBSD enthusiast, this guide will help you understand and implement IPFW to protect your system.


Understanding IPFW

What is IPFW?

IPFW is a firewall and traffic management tool integrated into the FreeBSD operating system. It operates at the kernel level, allowing it to efficiently filter and manage network traffic. IPFW supports:

  • Packet Filtering: Blocking or allowing packets based on predefined rules.
  • Stateful Inspection: Tracking the state of network connections to allow or deny traffic dynamically.
  • NAT (Network Address Translation): Translating private IP addresses to public ones and vice versa.
  • Traffic Shaping: Controlling bandwidth usage to prioritize or limit specific types of traffic.

Why Use IPFW?

  • Security: IPFW protects your system from unauthorized access and malicious traffic.
  • Flexibility: It supports complex rule sets and advanced features like NAT and traffic shaping.
  • Integration: As a built-in tool, IPFW is tightly integrated with FreeBSD, ensuring optimal performance.
  • Customizability: You can tailor IPFW rules to meet the specific needs of your network.

Enabling IPFW in the FreeBSD Kernel

Before you can use IPFW, the kernel must either have it compiled in or have the ipfw.ko module loaded. The GENERIC kernel takes the module route, so modifying the kernel configuration and rebuilding is only necessary if you want IPFW built in (for example so that it is active from the first moment of boot, or to bake in the compile-time options shown below).

Step 1: Check if IPFW is Already Enabled

FreeBSD’s GENERIC kernel does not compile IPFW in. Instead, IPFW ships as the loadable module ipfw.ko, which the rc system loads automatically when firewall_enable="YES" is set in /etc/rc.conf (kldstat(8) lists the modules currently loaded). To check whether IPFW is present, compiled in or as a module, query its enable switch:

sysctl net.inet.ip.fw.enable

If the output is 1, IPFW is present and enabled. If the output is 0, it is present but switched off. If sysctl reports an unknown oid, IPFW is neither compiled in nor loaded.

Step 2: Enable IPFW in the Kernel Configuration

If you want IPFW compiled into the kernel rather than loaded as a module, add it to your kernel configuration. Follow these steps:

  1. Navigate to the Kernel Source Directory:

    cd /usr/src/sys/amd64/conf
    
  2. Edit the Kernel Configuration File: open your custom kernel configuration file in a text editor (if you do not have one yet, create it with an include GENERIC line followed by ident YOUR_KERNEL_CONFIG, so that it inherits everything from GENERIC and adds only the options below):

    vi YOUR_KERNEL_CONFIG
    

    Add or ensure the following lines are present:

    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=100
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    
    • IPFIREWALL: Compiles the firewall into the kernel (without it, IPFW is available only as the ipfw.ko module).
    • IPFIREWALL_VERBOSE: Enables logging for rules that carry the log keyword (the compile-time equivalent of net.inet.ip.fw.verbose=1).
    • IPFIREWALL_VERBOSE_LIMIT: Caps the number of entries a rule logs, to prevent log flooding (net.inet.ip.fw.verbose_limit); ipfw resetlog clears the counters.
    • IPFIREWALL_DEFAULT_TO_ACCEPT: Makes the built-in final rule 65535 accept packets instead of denying them. There is no DENY option to switch to: leaving this line out gives a default-deny kernel, which blocks all traffic, including the SSH session you are working from, until a ruleset has been loaded. Keep the option on remote machines and end your own ruleset with an explicit deny rule instead.

    If you also want in-kernel NAT and traffic shaping compiled in rather than loaded as modules, the corresponding options are IPFIREWALL_NAT (which requires LIBALIAS) and DUMMYNET.
  3. Recompile and Install the Kernel: the build is run from the top of the source tree, not from the conf directory:

    cd /usr/src
    make buildkernel KERNCONF=YOUR_KERNEL_CONFIG
    make installkernel KERNCONF=YOUR_KERNEL_CONFIG
    
  4. Reboot the System:

    reboot
    

After the system reboots, the new kernel with IPFW support will be active. A kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT starts denying traffic as soon as it boots, before rc has loaded any rules, so have console access the first time.


Configuring IPFW

Once IPFW is enabled in the kernel, you can configure it using the ipfw command-line utility. IPFW uses a numbered list of rules to determine how to handle network traffic. The rules are evaluated in ascending order, and the first matching rule whose action terminates processing (allow, deny, reject and the like) decides the packet’s fate; a few actions, such as count, let evaluation continue, and skipto resumes it at another rule number.

Step 1: Enable IPFW at Runtime

On a kernel with IPFW compiled in, the firewall is already running; the sysctl net.inet.ip.fw.enable switches it on and off:

sysctl net.inet.ip.fw.enable=1

On a GENERIC kernel this sysctl does not exist until ipfw.ko is loaded. Do not load the module by hand over SSH: the module’s built-in rule 65535 denies everything (unless net.inet.ip.fw.default_to_accept=1 is set in /boot/loader.conf), so the session drops the moment the module loads. Instead, add the following line to /etc/rc.conf, which also makes IPFW start at every boot:

firewall_enable="YES"

and then run service ipfw start, which loads the module and the ruleset selected by firewall_type (see the next step) in one go. Until you have tested your own rules from a console, firewall_type="open" is the safe choice for a remote machine.

Step 2: Set the Default Policy

The default policy is the built-in rule 65535, which handles every packet that matches nothing else. Whether it accepts or denies is fixed when IPFW is initialised: by the IPFIREWALL_DEFAULT_TO_ACCEPT kernel option for a compiled-in firewall, or by the loader tunable net.inet.ip.fw.default_to_accept for ipfw.ko. It cannot be changed at runtime, because the sysctl is read-only once the firewall is up, so running

sysctl net.inet.ip.fw.default_to_accept=0

only produces an error. To have the module start with a deny default, put net.inet.ip.fw.default_to_accept=0 in /boot/loader.conf (deny is already the module’s default). In practice, the portable way to get default-deny is an explicit final deny rule in your own ruleset, which works regardless of how rule 65535 was built.

The firewall_type variable in /etc/rc.conf chooses which ruleset /etc/rc.firewall loads at start: one of the predefined types open, client, simple, workstation or closed, or the path of a file containing your own rules. For example,

firewall_type="closed"

is not a default policy but a tiny predefined ruleset that allows only loopback traffic and denies everything else, a reasonable starting point for a host that offers no network services.

Step 3: Create Firewall Rules

IPFW rules are added using the ipfw add command. Each rule carries a number, an action and a match body. For example, to allow all traffic on the loopback interface, use:

ipfw add 100 allow ip from any to any via lo0

To allow incoming SSH connections (port 22) to this host, use:

ipfw add 200 allow tcp from any to me 22 in setup keep-state

Here me matches this host’s own addresses, in restricts the rule to inbound packets, setup matches only the first packet of a connection (the SYN), and keep-state creates a dynamic rule that lets the rest of that connection pass in both directions. The shorter "allow tcp from any to any 22" would also match this host’s outbound SSH sessions to other machines and any forwarded packet with destination port 22, whichever direction it travels.

To deny all other traffic, use:

ipfw add 300 deny ip from any to any

This explicit final deny makes the outcome independent of how the kernel’s built-in rule 65535 was configured. When working over a remote session, add the deny rule last, after the rule that admits your own session is in place.

Step 4: Save the Rules

Rules added with ipfw live only in the running kernel; nothing persists them automatically, and there is no service ipfw save command. To keep them across reboots, write them to a file, one ipfw command per line without the leading "ipfw" (ipfw(8) reads such a file when given its path; a # starts a comment), for example /etc/ipfw.rules:

add 100 allow ip from any to any via lo0
add 200 allow tcp from any to me 22 in setup keep-state
add 300 deny ip from any to any

and point firewall_type at it in /etc/rc.conf:

firewall_type="/etc/ipfw.rules"

At boot, and on service ipfw restart, /etc/rc.firewall flushes the ruleset and loads the file. If you prefer a shell script that can use variables and loops, set firewall_script="/path/to/script.sh" instead; rc then runs that script in place of /etc/rc.firewall, and the script is responsible for flushing the old rules itself.


Advanced IPFW Configuration

Using Rule Sets

Every rule belongs to one of 32 sets, numbered 0 to 31; new rules go into set 0 and the built-in rule 65535 lives in set 31. A set is assigned in the rule itself with the set keyword, which comes right after the rule number:

ipfw add 100 set 1 allow ip from any to any via lo0
ipfw add 200 set 1 allow tcp from any to me 22 in setup keep-state
ipfw add 300 set 2 allow ip from any to any via em0

Sets exist so that groups of rules can be switched on and off, or exchanged, as one operation; a disabled set is skipped entirely by the packet path. To enable a set, use:

ipfw set enable 1

The counterpart is ipfw set disable, and ipfw set swap exchanges the contents of two sets atomically, which is the standard way to replace a live ruleset without a moment in which the firewall is empty. Sets are not a way of labelling inbound versus outbound traffic; direction is expressed by the in and out keywords in each rule.
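The atomic replacement just described, as an added example (not code from the article or from the FreeBSD project): the new rules are loaded into set 1 while that set is disabled, then set swap makes them live in a single step and the old rules, now in set 1, are deleted. The ruleset in NEW_RULES is constructed for the example; FWCMD falls back to echo when /sbin/ipfw is absent so the function can be previewed on any machine.

```shell
#!/bin/sh
# Added example: reload an ipfw ruleset atomically through sets.
# Not part of the original article; rules and interface-free for portability.

# Use the real ipfw when it is there, otherwise just print what would run.
if [ -x /sbin/ipfw ]; then FWCMD="${FWCMD:-/sbin/ipfw -q}"; else FWCMD="${FWCMD:-echo}"; fi

# Constructed ruleset for the example: one ipfw command per line, as a
# firewall_type file would contain them.
NEW_RULES='add 100 allow ip from any to any via lo0
add 200 check-state
add 210 allow tcp from any to me 22 in setup keep-state
add 220 allow ip from me to any out keep-state
add 900 deny log ip from any to any'

# Usage: printf '%s\n' "$rules" | ipfw_atomic_reload
# Dynamic states created by the old rules survive the swap only if
# net.inet.ip.fw.dyn_keep_states=1; otherwise open connections may drop.
ipfw_atomic_reload() {
    ${FWCMD} set disable 1               # set 1 is invisible to the packet path
    ${FWCMD} delete set 1 2>/dev/null    # drop leftovers from an earlier reload
    # Tag every rule with "set 1"; ipfw syntax is: add [number] [set N] action ...
    sed -E 's/^add ([0-9]+ )?/add \1set 1 /' |
    while IFS= read -r line; do
        [ -n "$line" ] && ${FWCMD} ${line}
    done
    ${FWCMD} set swap 0 1                # new rules become set 0 (enabled) at once
    ${FWCMD} delete set 1                # the previous ruleset, now in set 1
}

printf '%s\n' "$NEW_RULES" | ipfw_atomic_reload
```

Rule 65535 sits in set 31 and is untouched by the swap, so the kernel's default policy still applies to anything the new ruleset does not decide.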

Enabling NAT

IPFW’s in-kernel NAT (built on libalias, the same engine natd(8) uses) lives in the ipfw_nat.ko module and lets one public address serve a whole private network. Enable packet forwarding and have rc load the module by adding the following lines to /etc/rc.conf:

gateway_enable="YES"
firewall_nat_enable="YES"
firewall_nat_interface="em0"  # Replace with your external interface

For the predefined firewall types, /etc/rc.firewall uses these variables to configure a NAT instance on that interface by itself. In a custom ruleset you configure the instance yourself, and it must exist before any rule refers to it:

ipfw nat 1 config if em0
ipfw add 500 nat 1 ip from any to any via em0

The via em0 rule translates in both directions: outbound packets leave with the interface’s address as source, and inbound packets that match a translation entry get their private destination back. Two caveats: with the default net.inet.ip.fw.one_pass=1 a packet is accepted the moment it leaves the nat instance and sees no further rules, so set one_pass to 0 in /etc/sysctl.conf if filtering is to continue after translation; and a keep-state rule placed before the nat rule will pass outbound packets of an established flow untranslated, so order the two with care.

Traffic Shaping

IPFW shapes traffic with dummynet(4), which lives in the dummynet.ko module. The rc variable that loads it is dummynet_enable (there is no firewall_dummynet_enable), so add the following line to /etc/rc.conf:

dummynet_enable="YES"

Then configure a pipe first and point a rule at it; a rule that refers to a pipe which does not exist yet drops the traffic it matches:

ipfw pipe 1 config bw 1Mbit/s
ipfw add 600 pipe 1 tcp from any to any 80

This limits traffic to destination port 80, in whichever direction it travels, to 1 Mbit/s; add in or out and a via interface to shape one direction only. A pipe can also add latency, a queue size and packet loss (for example delay 50 for 50 ms). As with NAT, net.inet.ip.fw.one_pass decides whether a packet leaving the pipe is accepted immediately (1, the default) or continues with the next rule (0).
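The steps of the Configuring IPFW section and the NAT and shaping rules above, combined into one firewall_script as an added example; this is not code from the article or from the FreeBSD project. It assumes rc.conf sets firewall_enable, firewall_script, firewall_nat_enable, dummynet_enable and gateway_enable as noted in the header, and the interface names, prefixes and bandwidth cap are assumptions to replace. The ordering matters: inbound packets are un-NATed before filtering, the pipe sits before check-state, and outbound flows reach the NAT rule only through skipto with keep-state, which is why one_pass must be 0.

```shell
#!/bin/sh
#
# Added example, not code from the article or from the FreeBSD project:
# a complete ipfw ruleset written as a firewall_script, i.e. /etc/rc.conf has
#   firewall_enable="YES"  firewall_script="/usr/local/etc/ipfw.rules"
#   firewall_nat_enable="YES"  dummynet_enable="YES"  gateway_enable="YES"
# so that rc loads ipfw.ko, ipfw_nat.ko and dummynet.ko and then runs this file.
# Interface names, prefixes and the bandwidth cap are assumptions for the example.
#
# If /sbin/ipfw is absent (or FWCMD=echo is exported) the script only prints
# the commands it would run, so it can be previewed on any machine.

if [ -x /sbin/ipfw ]; then
    FWCMD="${FWCMD:-/sbin/ipfw -q}"     # -q: quiet, and flush without prompting
    SYSCTL="${SYSCTL:-/sbin/sysctl}"
else
    FWCMD="${FWCMD:-echo}"
    SYSCTL="${SYSCTL:-echo}"
fi
EXT_IF="${EXT_IF:-em0}"                 # assumed Internet-facing interface
INT_IF="${INT_IF:-em1}"                 # assumed LAN interface behind the NAT
INT_NET="${INT_NET:-192.168.10.0/24}"   # assumed LAN prefix
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"  # assumed prefix allowed to reach SSH
WEB_BW="${WEB_BW:-1Mbit/s}"             # assumed cap for this host's HTTP replies

ipfw_ruleset() {
    # Packets leaving a nat instance or a pipe must re-enter the ruleset at the
    # next rule. With the default one_pass=1 they are accepted unfiltered, which
    # for rule 300 below would admit every inbound packet on ${EXT_IF}.
    ${SYSCTL} net.inet.ip.fw.one_pass=0

    ${FWCMD} -f flush                   # start from an empty ruleset every run
    ${FWCMD} pipe flush

    # Loopback, and loopback addresses that show up on real interfaces.
    ${FWCMD} add 100 allow ip from any to any via lo0
    ${FWCMD} add 110 deny ip from any to 127.0.0.0/8
    ${FWCMD} add 120 deny ip from 127.0.0.0/8 to any

    # The LAN side is trusted in this example; only ${EXT_IF} is filtered.
    ${FWCMD} add 200 allow ip from any to any via ${INT_IF}

    # Anti-spoofing: our own and other private prefixes never arrive from outside.
    ${FWCMD} add 210 deny ip from ${INT_NET} to any in via ${EXT_IF}
    ${FWCMD} add 220 deny ip from 10.0.0.0/8 to any in via ${EXT_IF}
    ${FWCMD} add 230 deny ip from 172.16.0.0/12 to any in via ${EXT_IF}
    ${FWCMD} add 240 deny ip from 192.168.0.0/16 to any in via ${EXT_IF}

    # NAT instance (must exist before a rule refers to it). unreg_only leaves
    # this host's own public-source traffic untranslated.
    ${FWCMD} nat 1 config if ${EXT_IF} same_ports unreg_only reset
    # Inbound packets are un-NATed first so the rules below see LAN addresses.
    ${FWCMD} add 300 nat 1 ip4 from any to any in via ${EXT_IF}

    # Shaping goes before check-state: replies of an accepted connection would
    # otherwise be passed by their dynamic rule before ever reaching the pipe.
    ${FWCMD} pipe 1 config bw ${WEB_BW}
    ${FWCMD} add 350 pipe 1 tcp from me 80 to any out via ${EXT_IF}

    # Stateful core. A packet that matches a dynamic entry performs the action
    # of the rule that created it, so outbound flows keep jumping to NAT.
    ${FWCMD} add 400 check-state
    ${FWCMD} add 410 skipto 1000 tcp from any to any out via ${EXT_IF} setup keep-state
    ${FWCMD} add 420 skipto 1000 udp from any to any out via ${EXT_IF} keep-state
    ${FWCMD} add 430 skipto 1000 icmp from any to any out via ${EXT_IF} keep-state

    # Services this host offers. SSH only from the admin prefix, at most three
    # open connections per source address; web to everyone.
    ${FWCMD} add 500 allow tcp from ${ADMIN_NET} to me 22 in via ${EXT_IF} setup limit src-addr 3
    ${FWCMD} add 510 allow tcp from any to me 80,443 in via ${EXT_IF} setup keep-state
    ${FWCMD} add 520 allow icmp from any to me in via ${EXT_IF} icmptypes 3,8,11

    # Everything else is logged (rate-limited) and dropped, whatever the
    # kernel's built-in rule 65535 was configured to do.
    ${FWCMD} add 900 deny log logamount 100 ip from any to any

    # Reached only through the skipto rules above: translate, then accept.
    ${FWCMD} add 1000 nat 1 ip4 from any to any out via ${EXT_IF}
    ${FWCMD} add 1010 allow ip from any to any
}

ipfw_ruleset
```

Run it with FWCMD=echo first and read the output as a ruleset; then load it from a console, not over SSH, and confirm with ipfw -d list that the dynamic rule for your SSH session was created by rule 500 before you rely on it remotely.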


Monitoring and Logging

Viewing Firewall Rules

To view the current firewall rules, use:

ipfw list

Add -d to include the dynamic rules created by keep-state and limit, and -t to show when each rule last matched.

Viewing Firewall Logs

Only rules that carry the log keyword produce log entries (for example ipfw add 300 deny log ip from any to any), and only while logging is switched on: IPFIREWALL_VERBOSE for a compiled-in firewall, or net.inet.ip.fw.verbose=1 (set it in /etc/sysctl.conf) for the module. Each entry names the rule number, the action, the protocol, source and destination, direction and interface. The entries go through the kernel log to syslogd, which by default files the security facility in /var/log/security; they also appear in dmesg, but only until the kernel message buffer wraps, so the log file is the place to look:

grep ipfw /var/log/security

Once a rule has logged logamount entries (or the global verbose_limit), it stops logging until the counter is reset with ipfw resetlog.
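Reading the log is more useful when it is summarised. The following added example (not code from the article or from the FreeBSD project) takes ipfw log lines on standard input and reports which sources hit Deny rules most, and which of them touched enough distinct destination ports to look like a port scan. The log lines in SAMPLE_LOG are constructed for the example in the format ipfw writes; in real use feed it /var/log/security. IPv6 addresses, which ipfw logs in bracket notation, are not handled here.

```shell
#!/bin/sh
# Added example: summarise ipfw "Deny" log entries from /var/log/security.
# Not part of the original article. The sample lines below are constructed.

SAMPLE_LOG='Mar  5 10:12:01 gw kernel: ipfw: 900 Deny TCP 203.0.113.5:44321 198.51.100.10:23 in via em0
Mar  5 10:12:01 gw kernel: ipfw: 900 Deny TCP 203.0.113.5:44322 198.51.100.10:3389 in via em0
Mar  5 10:12:02 gw kernel: ipfw: 900 Deny TCP 203.0.113.5:44323 198.51.100.10:445 in via em0
Mar  5 10:12:02 gw kernel: ipfw: 900 Deny TCP 203.0.113.5:44324 198.51.100.10:8080 in via em0
Mar  5 10:12:03 gw kernel: ipfw: 900 Deny UDP 203.0.113.7:53 198.51.100.10:5353 in via em0
Mar  5 10:12:04 gw kernel: ipfw: 900 Deny ICMP:8.0 203.0.113.9 198.51.100.10 in via em0
Mar  5 10:12:05 gw kernel: ipfw: 240 Deny TCP 192.168.44.2:1025 198.51.100.10:22 in via em0
Mar  5 10:12:06 gw kernel: ipfw: 500 Accept TCP 192.0.2.17:50000 198.51.100.10:22 in via em0
Mar  5 10:12:07 gw kernel: sshd[1234]: unrelated line'

# Print "count source" for every source address that hit a Deny rule, busiest
# first. The fields after "ipfw:" are: rule, action, proto, src, dst, dir, via, if.
# Source ports are stripped; ICMP entries carry no port at all.
ipfw_denies_by_source() {
    awk '
        /ipfw: [0-9]+ Deny / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            src = $(i + 4)
            sub(/:[0-9]+$/, "", src)      # drop the source port, if any
            n[src]++
        }
        END { for (s in n) print n[s], s }
    ' | sort -k1,1nr -k2,2
}

# Print "source ports" for sources denied on at least $1 distinct TCP/UDP
# destination ports (default 3): a crude but effective port-scan indicator.
ipfw_scan_suspects() {
    threshold="${1:-3}"
    awk -v min="$threshold" '
        /ipfw: [0-9]+ Deny (TCP|UDP) / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            src = $(i + 4); dst = $(i + 5)
            sub(/:[0-9]+$/, "", src)
            sub(/^.*:/, "", dst)          # keep only the destination port
            key = src SUBSEP dst
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        }
        END { for (s in ports) if (ports[s] >= min) print s, ports[s] }
    ' | sort
}

# Stand-alone demonstration on the constructed lines; on a gateway use
#   ipfw_denies_by_source < /var/log/security
printf '%s\n' "$SAMPLE_LOG" | ipfw_denies_by_source
printf '%s\n' "$SAMPLE_LOG" | ipfw_scan_suspects 3
```

The second function counts distinct destination ports rather than packets, so a single host retrying one blocked port many times does not show up as a scanner, while one that walks four different ports does.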

Monitoring Traffic

To see how much traffic each rule has matched, use:

ipfw show

This is the same as ipfw -a list: the rule listing with per-rule packet and byte counters. ipfw zero resets the counters, so a show some time after a zero gives a clean picture of what the firewall is doing right now, and a rule whose counters never move is a candidate for review.

Conclusion

Enabling and configuring IPFW in the FreeBSD kernel is a critical step in securing your system and managing network traffic. By following this guide, you can enable IPFW, create custom firewall rules, and leverage advanced features like NAT and traffic shaping. Whether you’re protecting a single server or an entire network, IPFW provides the tools you need to ensure security and performance.

With its flexibility and integration into FreeBSD, IPFW is an excellent choice for anyone looking to implement a robust firewall solution. By mastering IPFW, you can take full control of your system’s network traffic and safeguard it against potential threats.