# Some help clarifying rc.conf entries for ipfw?



## sdad (Jan 1, 2011)

Using 8.1 minimal install. Not connected to any network yet.

Setting up ipfw for the first time, I am trying to understand, more than just a cookbook, what I'm doing. firewall_type is very clear, except in this regard: one type is filename, which I see is the full path to the firewall rules. But then there is firewall_script, which goes to a different file. They both seem to be rulesets, and it appears to me that what I want to use is firewall_script, not type filename, so that I can more conveniently modify and restart the firewall while trying out rule creation, etc. This further leaves me wondering about type. Currently I have it set to "open"; I feel uncomfortable with that and would prefer "closed", but does it make any difference since I am opening the script file? Or does this affect the tiny window during boot until the rules are in effect? My script file is working, as I can see the rules being displayed during boot.

1. For the student (me), should I use the script file over the filename?
2. If I use script, do I need firewall_type?
3. If I do use firewall_type and script, am I more correct in selecting "closed" until the script is running?

Thanks


----------



## codeWarrior (Jan 1, 2011)

IMHO: the easiest & most manageable way to deal with your firewall is like this:

in your /etc/rc.conf file:

```
firewall_enable="YES"
firewall_logging="YES"
firewall_script="/usr/local/etc/ipfw/ipfw-rules.sh"
```

Which links to an external firewall script that contains your firewall rules. In my case: the firewall rules are located in /usr/local/etc/ipfw/ipfw-rules.sh

The ipfw-rules.sh is a shell script that allows you to build your rules externally and load / reload them on the fly. When ipfw launches -- it executes the shell script... and you can modify the script at any time and execute it... 

My ipfw-rules.sh script looks _SOMETHING_ like this: 


```
# IPFW FIREWALL RULES
# G. Patnude

IPF="ipfw -q add"
ipfw -q -f flush

# BRUTEBLOCKD:
$IPF 5 deny ip from 'table(1)' to any

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# FTP:
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out

# SSH:
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out

# MAIL:
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out

# BIND / DNS:
$IPF 170 allow udp from any to any 53 in
$IPF 172 allow tcp from any to any 53 in
$IPF 174 allow udp from any to any 53 out
$IPF 176 allow tcp from any to any 53 out

# RNDC / BIND:
$IPF 180 allow udp from any to any 953 in
$IPF 182 allow tcp from any to any 953 in
$IPF 184 allow udp from any to any 953 out
$IPF 186 allow tcp from any to any 953 out

# APACHE / HTTPD:
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
...
...
...
...
# EVERYTHING ELSE IS DENIED
$IPF 65000 deny log all from any to any
```

NOTE: I actually run with about 200+ different rules... by embedding them in an external shell script -- I find it VERY easy to add a rule and reload the ruleset by simply executing:

```
sh /usr/local/etc/ipfw/ipfw-rules.sh
```
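An added example of the same external-script layout, written for this thread and not codeWarrior's script or any FreeBSD base-system file. Two things it adds to the flush-and-reload pattern above: a `check` mode that lints the ruleset before anything is loaded (numbers strictly increasing, nothing at or above the kernel's default rule 65535, and an explicit final deny so the ruleset never depends on how rule 65535 was built), and an `apply` mode that uses ipfw's own rule sets, staging the new rules in a disabled spare set and swapping it with the live set 0 in one operation, so a reload has no window in which the old rules are gone and the new ones are not yet in. Rule numbers, the services allowed and the set number are constructed for illustration. One labelled assumption: firewall_type is interpreted by /etc/rc.firewall (the default firewall_script), and this script assumes /etc/rc.d/ipfw runs a custom firewall_script as `/bin/sh SCRIPT FIREWALL_TYPE`, so whatever firewall_type word arrives in `$1` is treated like `apply`; confirm that against your own /etc/rc.d/ipfw before relying on it at boot.

```shell
#!/bin/sh
# ipfw-rules.sh: an ipfw ruleset kept as an external script, pointed at by
# firewall_script in rc.conf. Added example; not codeWarrior's script and not
# a FreeBSD base-system file. Rule numbers and services are constructed.
#
#   sh ipfw-rules.sh check     lint the ruleset (numbering, explicit final deny)
#   sh ipfw-rules.sh dry-run   print the ipfw commands without running them
#   sh ipfw-rules.sh apply     load into spare set 1, then swap it live
#
# Any other first argument also applies the rules: the assumption is that
# /etc/rc.d/ipfw runs the script as "/bin/sh SCRIPT FIREWALL_TYPE", so the
# firewall_type word lands in $1 and is otherwise ignored here.

FW=${FW:-ipfw}        # override (e.g. FW="echo ipfw") to trace without loading
SPARE=1               # set used to stage the new ruleset; set 0 is the live set

# One rule per line, "<number> <rule body>" without the "ipfw add" prefix, so
# the same text feeds the linter, the dry run and the real load.
rules() {
    cat <<'EOF'
10 allow all from any to any via lo0
20 deny all from any to 127.0.0.0/8
30 deny all from 127.0.0.0/8 to any
50 check-state
70 allow all from any to any out keep-state
130 allow tcp from any to me 22 in setup keep-state
65000 deny log all from any to any
EOF
}

# check_rules: read rules on stdin; fail unless numbers are numeric, strictly
# increasing and below the kernel default rule 65535, and the last rule is an
# explicit deny (so nothing depends on how the kernel's rule 65535 was built).
check_rules() {
    prev=0
    last=""
    while read -r num body; do
        case "$num" in
            ''|*[!0-9]*) echo "check: bad rule number '$num'" >&2; return 1 ;;
        esac
        if [ "$num" -le "$prev" ]; then
            echo "check: rule $num is not after rule $prev" >&2; return 1
        fi
        if [ "$num" -ge 65535 ]; then
            echo "check: rule $num collides with the default rule" >&2; return 1
        fi
        prev=$num
        last=$body
    done
    case "$last" in
        deny*) return 0 ;;
        *) echo "check: last rule is not an explicit deny: '$last'" >&2; return 1 ;;
    esac
}

# render SET: turn each rule line into the command that loads it into SET.
render() {
    while read -r num body; do
        echo "$FW -q add $num set $1 $body"
    done
}

# apply: build the ruleset in the disabled spare set, then swap it with the
# live set in one operation. The old rules land in the spare set and are
# deleted; at no point is the box running with an empty ruleset.
apply() {
    $FW set disable "$SPARE"
    $FW delete set "$SPARE" 2>/dev/null || true   # leftovers from an aborted run
    rules | render "$SPARE" | sh -e
    $FW set swap 0 "$SPARE"
    $FW delete set "$SPARE"
}

case "${1:-}" in
    check)   rules | check_rules && echo "ruleset ok" ;;
    dry-run) rules | check_rules && rules | render "$SPARE" ;;
    '')      echo "usage: $0 check|dry-run|apply" >&2 ;;
    *)       rules | check_rules && apply ;;
esac
```

While experimenting with rules, `sh ipfw-rules.sh dry-run` shows exactly what would be loaded and refuses to print anything if the lint fails, so a mis-numbered rule is caught before it ever reaches the kernel; `apply` replaces the working set without the flush-then-add gap that `ipfw -q -f flush` followed by a list of `ipfw add` commands leaves behind.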


----------



## DutchDaemon (Jan 1, 2011)

codeWarrior, thanks for trying, but please re-read Posting and Editing in the FreeBSD Forums I: proper formatting.


----------

