12.07.2015 Views
Network Configuration—Firewalls

Packet Filtering with IPFW

IPFW (IPFIREWALL) is the oldest firewall package in FreeBSD. It has evolved considerably since its initial import in 1994 and is still widely used on FreeBSD installations. It is also natively available on Apple Mac OS X (which is itself based on FreeBSD code).

IPFW is a complicated firewall package. We will discuss the basics of its functionality in this chapter. It is highly recommended that you read the ipfw(8) manual page for detailed information about this firewall package.

IPFW is not statically linked into the system's default GENERIC kernel, but it will be loaded automatically if IPFW is enabled in the rc.conf configuration file. To enable IPFW, add the following line to the /etc/rc.conf file:

firewall_enable="YES"

During the boot process, the system will automatically load the ipfw.ko module and dynamically link it into the kernel.

The default policy for IPFW is to deny all IP traffic. Be careful when enabling IPFW from a remote network session (for example, SSH) or on a production server, as it may completely lock you out of the box and block all outgoing and incoming network traffic.

You may also prefer to rebuild a customized kernel with the IPFW module built in, for better performance and more control. To do so, you will need to create a customized kernel configuration file and add the following line to it (for more information on how to build a customized kernel, please refer to Chapter 2):

options IPFIREWALL

This will statically link the IPFIREWALL module into the kernel. Statically linking the IPFIREWALL module offers better performance than the dynamically loaded module.

IPFW blocks all traffic by default. To change this behavior, you should also add the following line to your kernel configuration file:

options IPFIREWALL_DEFAULT_TO_ACCEPT

As the name suggests, this changes the default behavior to accepting all traffic instead of blocking it.
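The lockout risk described above comes from enabling IPFW while its default policy is still deny. The following POSIX sh script is an added example, not from the book: it reads a kernel configuration file and an rc.conf file and reports the default policy they imply (disabled, deny or accept), using only the two settings the text introduces. The sample files it writes are constructed for the demonstration and are not real system files.

```shell
#!/bin/sh
# Added example (not from the book): derive the default IPFW policy that a
# kernel config file and an rc.conf file together imply, so a default-deny
# firewall is noticed before it is enabled over a remote session.

# ipfw_default_policy KERNCONF RCCONF -> prints "disabled", "deny" or "accept"
ipfw_default_policy() {
    kernconf="$1"
    rcconf="$2"
    enabled=no
    # firewall_enable="YES" in rc.conf loads ipfw.ko at boot
    if grep -Eiq '^[[:space:]]*firewall_enable="?yes"?' "$rcconf"; then
        enabled=yes
    fi
    # "options IPFIREWALL" links the firewall statically into the kernel
    if grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL([[:space:]].*)?$' "$kernconf"; then
        enabled=yes
    fi
    if [ "$enabled" = no ]; then
        echo disabled
        return 0
    fi
    # IPFW denies all traffic unless IPFIREWALL_DEFAULT_TO_ACCEPT is compiled in
    if grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL_DEFAULT_TO_ACCEPT' "$kernconf"; then
        echo accept
    else
        echo deny
    fi
}

# Constructed sample files so the script runs stand-alone.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'ident GENERIC\n' > "$SAMPLE_DIR/KERN_GENERIC"
printf 'ident MYKERNEL\noptions\tIPFIREWALL\n' > "$SAMPLE_DIR/KERN_DENY"
printf 'ident MYKERNEL\noptions\tIPFIREWALL\noptions\tIPFIREWALL_DEFAULT_TO_ACCEPT\n' > "$SAMPLE_DIR/KERN_ACCEPT"
printf 'hostname="fw.example"\nfirewall_enable="YES"\n' > "$SAMPLE_DIR/rc.conf.on"
printf 'hostname="fw.example"\nfirewall_enable="NO"\n' > "$SAMPLE_DIR/rc.conf.off"

# report KERNCONF RCCONF: print the policy and warn when it is default deny
report() {
    policy=$(ipfw_default_policy "$SAMPLE_DIR/$1" "$SAMPLE_DIR/$2")
    printf '%-12s %-12s -> %s\n' "$1" "$2" "$policy"
    if [ "$policy" = deny ]; then
        echo "  WARNING: default deny; load a ruleset before enabling over SSH"
    fi
}
report KERN_GENERIC rc.conf.off
report KERN_GENERIC rc.conf.on
report KERN_DENY rc.conf.off
report KERN_ACCEPT rc.conf.on
```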