This writeup will be short, to summarize how to enable ipf firewall in FreeBSD. In my experience with FreeBSD 5.4, it just work very well.
First, we need to enable it in the kernel configuration file. The default filename is GENERIC and located in /usr/src/sys/i386/conf/. First I make a copy of the configuration file, to BUDIHOST simply by using this command.
my.budihost.com# cp GENERIC BUDIHOST
Edit BUDIHOST, add these few lines:
options IPFILTER # IPFilter support
options IPFILTER_LOG # IPFilter logging support
options IPFILTER_DEFAULT_BLOCK # Block all packets by default
options RANDOM_IP_ID # RANDOM_IP_ID causes the ID field in IP packets to be randomized
These few lines also need to be added into /etc/rc.conf
ipfilter_enable=”YES” #Stateful firewall
ipfilter_program=”/sbin/ipf” # where the ipfilter program lives
ipfilter_rules=”/etc/ipf.rules” # loads rules definition text file
ipfilter_flags=”-F a -f /etc/ipf.rules” #IPFilter is enabled in the kernel and not module
After modification in your kernel configuration file, you need to rebuild and reinstall the new kernel with the new configuration.
my.budihost.com# cd /usr/src/
my.budihost.com# make buildkernel KERNCONF=BUDIHOST
my.budihost.com# make installkernel KERNCONF=BUDIHOST
Please check the error or any messages prompted after the buildkernel. If there is any problem, you might need to edit your configuration file, then rebuild. After you have sucessfully rebuild the kernel, then you can install it.
The firewall rules were stored in /etc/ipf.rules. You need to modify the file, to suite your production needs.
This is a sample configuration file. /etc/ipf.rules . You can open any additional port yourself, the configuration is simple straight forward.
Reboot your machine..
my.budihost.com# shutdown -r now
I have experience once, when I cannot ping to my own box. I also cannot check my email using webmail, the error message come out, no route to host. Its actually because of the firewall rule, u need to allow loopback interface to transfer. Solved! 😉