# A 'Closed' IPFW on 8.1 is not blocking ports



## ghostcorps (May 23, 2011)

Hi Guys

I have set up IPFW on FreeBSD 8.1 amd64, but while I have set the 'closed' option in rc.conf, it is not actually blocking ports by default. For example, I comment out the line allowing port 21, but after I load the rules I can still access ftp. If I set it to deny, then it is denied.

I have been discussing this with Jailed and he suggested that this may be related to some bugs with IPFW and the amd64-8.1. Has anyone discovered the same issue?

This is my IPFW config:

/etc/rc.conf

```
# ENABLE FIREWALL SETTINGS
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_type="closed"
```

/etc/sysctl.conf

```
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
```

/boot/loader.conf

```
## Enable ipfw
ipfw_load="YES"
ipdivert_load="YES"
```

/usr/src/sys/amd64/conf/MYKERNEL

```
# Firewall Support
options         IPFIREWALL
options         HZ=1000
options         IPDIVERT
```

This is a minimal ipfw ruleset that Jailed wrote for me to help test the firewall:
/etc/ipfw.rules

```
#!/bin/sh
# IPF holds the command prefix so each rule line stays short
IPF="ipfw -q add"
ipfw -q -f flush

# allow all internal connections
$IPF 11 allow all from me to me

# allow all passive ports to all IPs.
$IPF 60 allow all from any to any 1024-65535

# allow pings both in and out
$IPF 90 allow icmp from any to any

# Connections to host.
$IPF 900 allow all from any to xxx.xxx.xxx.xx2 22
$IPF 910 allow all from any to xxx.xxx.xxx.xx2 80
$IPF 920 allow all from any to xxx.xxx.xxx.xx2 1194

# Connections to Webserver.
$IPF 1000 allow all from any to xxx.xxx.xxx.xx3 80
$IPF 1010 allow all from any to xxx.xxx.xxx.xx3 443
$IPF 1020 allow all from any to xxx.xxx.xxx.xx3 21
```

Thanks.


----------



## qsecofr (May 24, 2011)

`ipfw show` displays a default deny rule at the bottom of your ruleset? I assume you mean the xx3 IP. You may want to add port 20 after port 21. One is the control channel, one is data. If there is a default deny rule, and logging is on (5 may be too low a threshold to be helpful, YMMV), then denied packets should be visible in /var/log/security.


----------



## ghostcorps (May 25, 2011)

Thanks,

If I run #ipfw show I get an allow all rule at the bottom of the list, what could possibly override the 'closed' option in rc.conf configuration if the program itself is not broken?

For now: I have gone the messy route of manually blocking all the ports I don't need, leaving the passive ports open. I will open port 20 as you say.
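Because rc.d/ipfw runs the file named in firewall_script instead of /etc/rc.firewall, firewall_type="closed" is never consulted, so a custom script has to supply its own final deny rule. The following is an added example, not the poster's or Jailed's script: a stateful version of the test ruleset above that ends in an explicit logged deny, plus a helper that checks `ipfw list` output for a deny at the bottom; the addresses are constructed placeholders and the DRY_RUN switch is an assumption of this example.

```shell
#!/bin/sh
# Added example, not the poster's script: an /etc/ipfw.rules that ends in an
# explicit deny.  When firewall_script is set, rc.d/ipfw runs this file in place
# of /etc/rc.firewall, so firewall_type="closed" is never consulted; the script
# has to close the firewall itself.  Addresses are constructed placeholders.
# DRY_RUN=1 prints the commands instead of loading them, for review anywhere.
HOST=${HOST:-192.0.2.2}   # stands in for xxx.xxx.xxx.xx2 (the firewall host)
WEB=${WEB:-192.0.2.3}     # stands in for xxx.xxx.xxx.xx3 (the web server)

ipfw_cmd() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "ipfw -q $*"; else ipfw -q "$@"; fi
}
add() { ipfw_cmd add "$@"; }

load_rules() {
    ipfw_cmd -f flush
    add 11    allow ip from me to me
    add 20    check-state            # traffic of sessions admitted by keep-state
    # Sessions the firewall host or the web server open themselves; replies are
    # matched by rule 20, so no blanket "allow ... to any 1024-65535" is needed.
    add 30    allow ip from me to any keep-state
    add 40    allow ip from $WEB to not me keep-state
    add 90    allow icmp from any to any
    # Services on the firewall host
    add 900   allow tcp from any to $HOST 22 setup keep-state
    add 910   allow tcp from any to $HOST 80 setup keep-state
    add 920   allow udp from any to $HOST 1194 keep-state
    # Services on the web server.  Active-mode FTP data (server port 20 out to
    # the client) is covered by rule 40; passive mode needs an extra rule for
    # whatever data-port range the FTP daemon is configured to use.
    add 1000  allow tcp from any to $WEB 80 setup keep-state
    add 1010  allow tcp from any to $WEB 443 setup keep-state
    add 1020  allow tcp from any to $WEB 21 setup keep-state
    # Logged catch-all: the policy no longer depends on what rule 65535 does
    add 65000 deny log ip from any to any
}

# Check "ipfw list" or "ipfw show" output: succeeds only if the last rule denies.
# Usage: ipfw list | last_rule_denies && echo "default deny in place"
last_rule_denies() {
    tail -n 1 | awk '{ act = ($2 ~ /^[0-9]+$/) ? $4 : $2; exit (act == "deny" ? 0 : 1) }'
}

# Load only when run as the rc.conf firewall_script (/bin/sh /etc/ipfw.rules)
if [ "${0##*/}" = "ipfw.rules" ]; then
    load_rules
fi
```

Run `DRY_RUN=1 sh /etc/ipfw.rules` before installing to read the exact commands that will be issued.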


----------

