# IPFW for Jails. Is there an easy way?



## ghostcorps (Oct 11, 2010)

Hi Guys

I am trying to set up IPFW on a jailed server (FreeBSD 8.1), but I don't seem to have enough of a clue.

This is what I have configured so far:

/etc/rc.conf

```
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_type="client"
```

/etc/ipfw.rules

```
IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
#$IPF 130 allow tcp from any to any 22 in
#$IPF 140 allow tcp from any to any 22 out
#$IPF 150 allow tcp from any to any 25 in
#$IPF 160 allow tcp from any to any 25 out
#$IPF 170 allow udp from any to any 53 in
#$IPF 175 allow tcp from any to any 53 in
#$IPF 180 allow udp from any to any 53 out
#$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out

# deny and log everything
$IPF 500 deny log all from any to any
```
nb. I am following this guide: FreeBSD Setting up Firewall using IPFW


When I restart I get the following lines in dmesg:

```
ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based forwarding disabled, default to deny, logging disabled
ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based forwarding disabled, default to deny, logging disabled
```

But when I try to start the firewall it fails:


```
# sh /usr/local/etc/ipfw.rules

ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: socket: Operation not permitted
ipfw: sysctlbyname("net.inet.ip.fw.verbose_limit")
```

I have read that I may need to configure it from the host, but since it is a remote server I am hesitant in case I block myself.

I have found a lot of advice on the matter, but it's a little too advanced for me I think... Is there an easy way to get this done?


----------



## SirDice (Oct 11, 2010)

With a standard jail it is never going to work. You might get it to work if you enable VIMAGE. More info can be found here: http://wiki.freebsd.org/NetworkVirtualization


----------



## mecano (Oct 11, 2010)

ghostcorps said:

> I have read that I may need to configure it from the host, but since it is a remote server I am hesitant in case I block myself.



It's best practice to set it from the "host"; save your time.


P.S. I guess everybody is always fearful of blocking themselves with firewalls; have a solid rule for your own connection and then never touch it; you're OK to go.


----------



## ghostcorps (Oct 12, 2010)

Thanks guys

Sounds like I'll just have to be very careful


----------



## ghostcorps (Oct 12, 2010)

Hello again,

I am about to bite the bullet and reboot, but I was wondering if someone could cast a critical eye over my settings... the rules are, at their most basic, simply allowing all ssh, sql (using 8080), http and ftp traffic.

Once I know it works, I can try to get tricky with my jails.

Also, I am getting some conflicting opinions on whether I need to use NAT for ipfw w/jails. What is the consensus?

Host
/etc/rc.conf

```
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_type="simple"
```

/etc/ipfw.rules

```
IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open port ftp (21), ssh (22), http (80), sql (8080)
# not mail (25), dns (53) etc
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
#$IPF 150 allow tcp from any to any 25 in
#$IPF 160 allow tcp from any to any 25 out
#$IPF 170 allow udp from any to any 53 in
#$IPF 175 allow tcp from any to any 53 in
#$IPF 180 allow udp from any to any 53 out
#$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out
$IPF 250 allow tcp from any to any 8080 in
$IPF 260 allow tcp from any to any 8080 out


# deny and log everything
$IPF 500 deny log all from any to any
```


----------



## mecano (Oct 12, 2010)

I'm not IPFW-fluent, but it looks OK. You can add a rule to deny "Source Routed Packets", something like

```
unreach host log ip from any to any ipoptions ssrr,lsrr
```

but check the syntax before using it. You can also block multicast "from 224.0.0.0/4 to any in". Also, FTP shouldn't work with a simple port 21 rule.
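Putting the thread's advice together (SirDice: ipfw has to be loaded on the host, not inside a standard jail; mecano: the `ipoptions ssrr,lsrr` and multicast rules), here is a host-side ruleset generator. It is an added example, not code from this thread or from FreeBSD, and it only prints an `/etc/ipfw.rules`-style script; it never calls `ipfw` itself. The jail address `192.0.2.10`, the admin network `198.51.100.0/24` and the interface `em0` are constructed placeholders. Its point is that, since the jail's address is just an alias on the host's interface, rules on the host can be scoped to that one address (`to $jail_ip 80 in via $ext_if`) instead of `from any to any`, and that the rule admitting the admin's own SSH sits above everything else so a later mistake cannot lock the remote session out.

```shell
#!/bin/sh
# Added example (not from the thread): build a host-side ipfw ruleset that
# scopes the service rules to one jail's address. ipfw cannot be driven from
# inside a standard jail ("ipfw: socket: Operation not permitted"), so the
# ruleset is loaded on the host. All addresses, the admin network and the
# interface name are constructed placeholders (RFC 5737 ranges).

# gen_jail_rules <jail_ip> <admin_net> <ext_if>
# Prints an ipfw.rules script to stdout; it does not run ipfw.
gen_jail_rules() {
    jail_ip="$1"; admin_net="$2"; ext_if="$3"
    cat <<EOF
IPF="ipfw -q add"
ipfw -q -f flush

# loopback, and anything pretending to be loopback
\$IPF 10 allow all from any to any via lo0
\$IPF 20 deny all from any to 127.0.0.0/8
\$IPF 30 deny all from 127.0.0.0/8 to any

# source-routed and multicast packets (the two rules mecano suggested)
\$IPF 40 unreach host log ip from any to any ipoptions ssrr,lsrr
\$IPF 45 deny all from 224.0.0.0/4 to any in

# admin SSH to the host itself comes first, so no later rule can lock it out
\$IPF 50 allow tcp from $admin_net to me 22 in via $ext_if setup keep-state

# stateful handling for connections the rules below (and rule 50) created
\$IPF 60 check-state
\$IPF 70 allow all from me to any out keep-state
\$IPF 75 allow all from $jail_ip to any out keep-state
\$IPF 80 allow icmp from any to any

# services exposed by the jail only: scoped to its address, not "any to any"
\$IPF 100 allow tcp from any to $jail_ip 80 in via $ext_if setup keep-state
\$IPF 110 allow tcp from any to $jail_ip 8080 in via $ext_if setup keep-state
\$IPF 120 allow tcp from $admin_net to $jail_ip 22 in via $ext_if setup keep-state

# everything else: deny and log
\$IPF 500 deny log all from any to any
EOF
}

# count_service_rules <ruleset_text>: number of rules that open a TCP port on
# the jail address; a quick sanity check before copying the file into place.
count_service_rules() {
    printf '%s\n' "$1" | grep -c 'allow tcp from .* to [0-9.]* [0-9]* in via'
}

# "sh thisfile.sh print" prints the ruleset for the placeholder values.
if [ "${1:-}" = "print" ]; then
    gen_jail_rules 192.0.2.10 198.51.100.0/24 em0
fi
```

Usage on the host would be `sh thisfile.sh print > /etc/ipfw.rules` with `firewall_script="/etc/ipfw.rules"` in `/etc/rc.conf`, as in ghostcorps's configuration. The rules use `setup keep-state` on inbound service ports so only new connections are matched and the rest of each connection is handled by `check-state`; the jail's outbound traffic is covered by rule 75 rather than by a blanket outbound allow. Note that FTP is deliberately left out, as mecano says a bare port 21 rule is not enough for it (passive data connections use other ports). Before loading any ruleset on a remote host, the usual precaution is to keep a second way back: start `sleep 120 && ipfw disable firewall` in the background, load the rules, confirm the SSH session still works, and only then kill the sleeping fallback.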


----------

