Chapter 12

There are also a few more options that you can add to the kernel configuration file that affect the ipfw behavior. These include enabling the syslogd(8) logging feature:

options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT

IPFIREWALL_VERBOSE_LIMIT is normally given a numeric value (the number of entries a single rule may log); without a limit, a burst of matching packets can flood the log.

This can also be done by adding the following line to the /etc/rc.conf file:

firewall_logging="YES"

Once you have finished enabling the firewall, either by rebuilding the kernel or by loading the kernel module dynamically, you should create your own firewall ruleset. The ruleset is then saved to a custom configuration file and loaded by ipfw at boot time (or manually).

Obviously, you should have a clear plan for which packets you are going to permit or block. You are advised not to start writing firewall rules without a well thought-out firewall plan; otherwise you may create a big mess rather than securing your network or host.

Basic Configuration

The good news is that ipfw(8) has a very clear and readable rule syntax. A simple ipfw(8) rule looks like the following:

# ipfw add 100 permit ip from 192.168.1.0/24 to any

The first keyword in the above example, add, is a command that tells ipfw that you are actually "adding" a new rule; the rule number you selected is 100. The rule number is optional: if you do not specify one, ipfw assigns the new rule a number 100 higher than the last rule already in the ruleset (so the first rule gets 100, the next 200, then 300, and so on). Choosing the number yourself is very useful when you want to "insert" a firewall rule at a specific location in an existing ruleset (we will come back to this later in this chapter).

IPFW evaluates the rules sorted by rule number. A packet is tested against the first rule in the list, then the next, and an action is taken as soon as the packet matches a rule. Once matched, no further check is performed on the packet: the specified action (for example permit, deny, forward, and so on) is taken, and IPFW proceeds to the next packet.
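To make the rule-numbering and first-match behavior concrete, here is a small Python model of how ipfw orders and evaluates rules. It is an added example, not code from this book or from FreeBSD: it understands only the "action proto from src to dst" shape shown above (actions permit/allow/pass/accept and deny/drop, protocols ip/all/tcp/udp/icmp, addresses given as any, a host or a CIDR block), assumes ipfw's default numbering step of 100 and a deny-everything default rule 65535, and the addresses and the demo() scenario are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

STEP = 100            # ipfw's default automatic numbering step (net.inet.ip.fw.autoinc_step)
DEFAULT_RULE = 65535  # ipfw's fixed last rule; modelled here as deny-all (the IPFIREWALL default)

# "permit" is the book's wording; ipfw accepts these synonyms and reports them as allow/deny
ACTIONS = {"allow": "allow", "accept": "allow", "pass": "allow", "permit": "allow",
           "deny": "deny", "drop": "deny"}
PROTOCOLS = {"ip", "all", "tcp", "udp", "icmp"}


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: object  # ipaddress network, or None for "any"
    dst: object

    def matches(self, proto: str, src: str, dst: str) -> bool:
        if self.proto not in ("ip", "all") and self.proto != proto:
            return False
        if self.src is not None and ipaddress.ip_address(src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(dst) not in self.dst:
            return False
        return True


def parse_rule(text: str) -> Rule:
    """Parse the subset 'ACTION PROTO from SRC to DST' (a simplification of ipfw syntax)."""
    tok = text.split()
    if len(tok) != 6 or tok[2] != "from" or tok[4] != "to":
        raise ValueError(f"unsupported rule syntax: {text!r}")
    action, proto = tok[0], tok[1]
    if action not in ACTIONS or proto not in PROTOCOLS:
        raise ValueError(f"unknown action or protocol in {text!r}")

    def addr(a: str):
        return None if a == "any" else ipaddress.ip_network(a, strict=False)

    return Rule(ACTIONS[action], proto, addr(tok[3]), addr(tok[5]))


class Ruleset:
    def __init__(self) -> None:
        self.rules: dict = {}  # rule number -> rules added under that number, in order

    def next_number(self) -> int:
        """Number ipfw gives an unnumbered rule: the last non-default rule plus the step."""
        return (max(self.rules) if self.rules else 0) + STEP

    def add(self, text: str, number: Optional[int] = None) -> int:
        if number is None:
            number = self.next_number()
        if not 1 <= number < DEFAULT_RULE:
            raise ValueError(f"rule number {number} out of range 1..{DEFAULT_RULE - 1}")
        # ipfw allows several rules under one number; they are checked in insertion order
        self.rules.setdefault(number, []).append(parse_rule(text))
        return number

    def check(self, proto: str, src: str, dst: str) -> tuple:
        """First-match evaluation in rule-number order; the default rule decides if nothing matched."""
        for number in sorted(self.rules):
            for rule in self.rules[number]:
                if rule.matches(proto, src, dst):
                    return number, rule.action
        return DEFAULT_RULE, "deny"


def demo() -> dict:
    fw = Ruleset()
    fw.add("permit ip from 192.168.1.0/24 to any", 100)   # the book's example rule
    auto = fw.add("deny ip from any to any")              # no number given -> 200
    host = ("tcp", "192.168.1.13", "10.0.0.1")            # constructed packet from a LAN host
    out = {"auto_number": auto, "lan_host": fw.check(*host)}
    # Blocking that one host: inserting at 150 is too late, rule 100 has already matched
    fw.add("deny ip from 192.168.1.13 to any", 150)
    out["blocked_at_150"] = fw.check(*host)
    # The block has to precede the permit; rule 50 lands in front of rule 100
    fw.add("deny ip from 192.168.1.13 to any", 50)
    out["blocked_at_50"] = fw.check(*host)
    out["other_net"] = fw.check("udp", "172.16.0.5", "10.0.0.1")
    out["next_auto"] = fw.next_number()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The demo shows the practical consequence of first-match evaluation: a deny rule for 192.168.1.13 inserted at number 150 never fires, because rule 100 already permitted the packet, whereas the same rule at number 50 is checked before the permit and blocks the host. This is why choosing rule numbers with gaps between them matters when you plan a ruleset.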
