IPFW sample configuration

We have put together the following sample IPFW firewall configuration for securing your FreeBSD VPS.  It is a stateful, default-deny ruleset that exposes only SSH and HTTP to the Internet and lets everything out.  Here is how to set it up.

First, use a text editor on your VPS (such as vi) to create the file /etc/ipfw.sh and paste in the following.  Replace X.X.X.X with the public IPv4 address of your VPS:

--

#!/bin/sh
#
# flush existing rules (-q implies -f, so flush does not prompt for confirmation)
ipfw -q flush
# match packets against the dynamic state created by the keep-state rules below
ipfw -q add 1 check-state
# allow loopback traffic
ipfw -q add 2 allow all from any to any via lo0
# allow packets of already-established TCP connections (any TCP packet with the
# ACK or RST bit set, so this is weaker than the keep-state rules)
ipfw -q add 3 allow tcp from any to any established
# reassemble incoming fragmented packets before the rules below see them
ipfw -q add 4 reass all from any to any in
#
# public services inbound: 22/tcp (SSH) and 80/tcp (HTTP)
ipfw -q add 100 set 1 allow tcp from any to X.X.X.X 22 in setup keep-state
ipfw -q add 101 set 1 allow tcp from any to X.X.X.X 80 in setup keep-state
#
# allow all UDP and TCP traffic going out, keeping state so the replies get back in
ipfw -q add 200 set 1 allow udp from X.X.X.X to any out keep-state
ipfw -q add 201 set 1 allow tcp from X.X.X.X to any out setup keep-state
#
# allow common ICMP types in and out (echo reply/request, destination unreachable,
# time exceeded, parameter problem, timestamp request/reply)
ipfw -q add 400 set 1 allow icmp from X.X.X.X to any icmptypes 0,3,8,11,12,13,14
ipfw -q add 401 set 1 allow icmp from any to X.X.X.X icmptypes 0,3,8,11,12,13,14
#
# allow tcp connections out on a second (backup) interface; remove if you have none
ipfw -q add 500 set 1 allow tcp from any to any out via re1 setup keep-state
#
# deny everything else, in or out
ipfw -q add 999 set 1 deny all from any to any

--

Make sure to replace X.X.X.X with your public IPv4 address.  You can add rules after 101 (numbers 102 to 199 are free) to open more ports for additional services; each should look like rule 100 with the port changed.  A few things to be aware of before you rely on this ruleset:

Rule 3 (allow tcp ... established) passes any TCP packet that has the ACK or RST bit set, whether or not a connection exists, which is exactly what an ACK-based port scan sends.  The keep-state rules already track legitimate connections, so you can remove rule 3 once you have confirmed everything else works.  Keep in mind that without it a firewall restart will cut off your current SSH session, because the flush discards the dynamic state and the session's packets are not SYNs that rule 100 could re-create it from.

Rule 500 refers to a second interface named re1.  If your VPS has only one interface, delete that rule.

The ruleset is IPv4-only.  Nothing except the loopback rule permits IPv6, so if the VPS has an IPv6 address, new IPv6 connections in either direction are dropped by the deny rules.

Save the file, and then set permissions on it so that only root can read or run it:

chmod 700 /etc/ipfw.sh

Now, add the following two lines to your /etc/rc.conf file:

firewall_enable="YES"
firewall_script="/etc/ipfw.sh"

To test it, reboot your VPS. Once it comes back you should be able to ping it and SSH in. You can verify that the firewall rules are loaded by running ipfw -t list (the -t flag adds the time each rule last matched a packet):

# ipfw -t list
00001 check-state
00002 allow ip from any to any via lo0
00003 allow tcp from any to any established
00100 Mon Jan 11 16:55:06 2010 allow tcp from any to 204.109.63.104 dst-port 22 in setup keep-state
00101 allow tcp from any to 204.109.63.104 dst-port 80 in setup keep-state
00200 Mon Jan 11 16:54:58 2010 allow udp from 204.109.63.104 to any out keep-state
00201 allow tcp from 204.109.63.104 to any out setup keep-state
00400 allow icmp from 204.109.63.104 to any icmptypes 0,3,8,11,12,13,14
00401 allow icmp from any to 204.109.63.104 icmptypes 0,3,8,11,12,13,14
00999 Mon Jan 11 16:55:02 2010 deny ip from any to any
65535 Mon Jan 11 16:52:10 2010 deny ip from any to any

The timestamps show the last time a packet matched the rule in question; a rule without one has not matched anything since the rules were loaded. Note that rule 65535 is the kernel's built-in default rule and should read deny as it does here; if it reads allow, the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT and rule 999 is what is doing the denying. If you make a mistake and lock yourself out, you can use VNC to log in to the console of your VPS and repair the script.

If you add or change rules, you can reload the rule set by running /etc/rc.d/ipfw restart (service ipfw restart on current releases). The restart flushes the rules and the dynamic state, so a connection that was only allowed by a keep-state rule is cut off. Your SSH session survives because rule 3 accepts packets of established TCP connections, although it may stall for a moment while the script runs.
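The steps above (fill in the address, save the script, load it, and keep a way back in if a rule is wrong) can be scripted so that the placeholder cannot be left behind and a bad reload cannot lock you out. The following is an added example, not part of the original article or the RootBSD sample: gen_rules prints a script with the same rules as the sample for a given address and list of public TCP ports, check_script refuses a script that still contains X.X.X.X, a foreign address or no final deny rule, and load_with_failsafe runs the script with a background timer that inserts an allow-all rule at number 5 (ahead of the set 1 rules) unless you cancel it from a still-working SSH session. The address 203.0.113.10 and the install entry point are assumptions for illustration; the load function needs root and a kernel with ipfw.

```shell
#!/bin/sh
# Added example (not part of the original article or the RootBSD sample):
# build /etc/ipfw.sh from variables instead of hand-editing X.X.X.X, refuse
# to install a script that still carries the placeholder or a malformed
# address, and load it behind a failsafe timer so a typo cannot lock you out
# of a remote SSH session.  Assumed inputs: one public IPv4 address and the
# public TCP ports; 203.0.113.10 below is a documentation address, not real.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print a firewall script with the same rules as the sample, for public
# address $1 and public TCP ports $2 $3 ... (one rule per port, numbered
# from 100, so at most 99 ports fit before the outbound rules at 200).
gen_rules() {
    ip=$1; shift
    valid_ipv4 "$ip" || { echo "gen_rules: bad address '$ip'" >&2; return 1; }
    printf '#!/bin/sh\n# generated by gen_rules for %s\n' "$ip"
    printf 'ipfw -q flush\n'
    printf 'ipfw -q add 1 check-state\n'
    printf 'ipfw -q add 2 allow all from any to any via lo0\n'
    printf 'ipfw -q add 3 allow tcp from any to any established\n'
    printf 'ipfw -q add 4 reass all from any to any in\n'
    n=100
    for p in "$@"; do
        case $p in ''|*[!0-9]*) echo "gen_rules: bad port '$p'" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] && [ "$n" -lt 200 ] ||
            { echo "gen_rules: port '$p' rejected" >&2; return 1; }
        printf 'ipfw -q add %d set 1 allow tcp from any to %s %s in setup keep-state\n' "$n" "$ip" "$p"
        n=$((n + 1))
    done
    printf 'ipfw -q add 200 set 1 allow udp from %s to any out keep-state\n' "$ip"
    printf 'ipfw -q add 201 set 1 allow tcp from %s to any out setup keep-state\n' "$ip"
    printf 'ipfw -q add 400 set 1 allow icmp from %s to any icmptypes 0,3,8,11,12,13,14\n' "$ip"
    printf 'ipfw -q add 401 set 1 allow icmp from any to %s icmptypes 0,3,8,11,12,13,14\n' "$ip"
    printf 'ipfw -q add 999 set 1 deny all from any to any\n'
}

# Return 0 only if script $1 has no X.X.X.X placeholder left, every
# dotted-quad literal in it is the expected address $2, and the final
# deny rule is present.
check_script() {
    file=$1
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    if grep -q 'X\.X\.X\.X' "$file"; then
        echo "check_script: placeholder X.X.X.X still present in $file" >&2
        return 1
    fi
    stray=$(grep -o '[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}' "$file" | grep -v "^$esc\$" | head -n 1)
    if [ -n "$stray" ]; then
        echo "check_script: unexpected address $stray in $file" >&2
        return 1
    fi
    grep -q '^ipfw -q add 999 set 1 deny all' "$file" ||
        { echo "check_script: final deny rule missing in $file" >&2; return 1; }
}

# Run script $1 as root behind a failsafe: unless the timer is killed within
# $2 seconds (default 120), an allow-all rule is added at number 5, ahead of
# the set 1 rules, so a bad ruleset cannot leave the console as the only way
# in.  Once SSH is confirmed to still work, kill the timer to keep the rules.
load_with_failsafe() {
    file=$1; grace=${2:-120}
    sh -n "$file" || { echo "load_with_failsafe: shell syntax error in $file" >&2; return 1; }
    ( sleep "$grace" && ipfw -q add 5 allow all from any to any ) &
    timer=$!
    if sh "$file"; then
        echo "ruleset loaded; if SSH still works, run: kill $timer  (within ${grace}s)"
    else
        echo "ruleset did not load cleanly; failsafe timer $timer stays armed" >&2
        return 1
    fi
}

# Usage as a command (assumed entry point):  sh ipfw-gen.sh install 203.0.113.10 22 80
# Run with no arguments it only defines the functions above.
case ${1:-} in
install)
    shift
    gen_rules "$@" > /etc/ipfw.sh.new || exit 1
    check_script /etc/ipfw.sh.new "$1" || exit 1
    chmod 700 /etc/ipfw.sh.new && mv /etc/ipfw.sh.new /etc/ipfw.sh
    load_with_failsafe /etc/ipfw.sh 120
    ;;
esac
```

The failsafe adds a rule rather than flushing because adding is atomic: there is no window in which only the default deny rule exists. Killing the timer from your SSH session is the proof that the new rules let you in; if you cannot, the allow-all rule appears after the grace period and you then delete it and fix the script from the same session instead of from the console.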

For more information on IPFW, refer to The FreeBSD Handbook.
