Warning - the following instructions will ravage your machine and then eat all the food in your refrigerator, and unlike the dwarves, they won't be kidding about breaking your dishes.

No, for real. Security is critical. Make sure you understand what you're doing before you implement anything. Don't assume I know what I'm doing.


First, please read the real documentation.

That said, here's an example that may be useful. This demonstrates ipfw being set up with a basic set of rules, including a blacklist and knockd configured to populate a knocklist.

This assumes your NIC is vtnet0, and it allows a bunch of services in rule 80, which you may well wish to trim back drastically.

Please ping me if you note errors or things I ought to change in these examples.

In /etc/rc.conf:

firewall_enable="YES"
firewall_script="/etc/fw/ipfw-rules"
knockd_enable="YES"

In /usr/local/etc/knockd.conf:

[options]
        logfile = /var/log/knockd.log
        interface = vtnet0

[openSSH]
        sequence    = 123,456,789,1234,5678
        seq_timeout = 10
        command     = /sbin/ipfw -q table knock add %IP%
        tcpflags    = syn

[closeSSH]
        sequence    = 5678,1234,789,456,123
        seq_timeout = 10
        command     = /sbin/ipfw -q table knock delete %IP%
        tcpflags    = syn

In /etc/fw/ipfw-rules:

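# Example of a host to whitelist - see the start of rule 80, below.
# Kept out of the HOME variable on purpose: HOME is the shell's home-directory
# environment variable, and reassigning it here affects anything else that
# runs in this shell.  This file stays plain POSIX sh (no bashisms), since the
# rc system runs firewall_script with /bin/sh rather than bash.
home_host=1.2.3.4

# Source file for the blacklist table; see the loop under
# "Setting up ipfw blacklists" for the expected format.
blacklist_file=/etc/fw/blacklist

echo Clearing ipfw rules...

# Start from nothing: drop every rule and table, then recreate the two
# tables so they exist (empty) before any rule refers to them.
/sbin/ipfw -f flush
/sbin/ipfw -f table all flush
/sbin/ipfw -q table knock destroy
/sbin/ipfw -q table knock create
/sbin/ipfw -q table blacklist destroy
/sbin/ipfw -q table blacklist create

echo Setting up ipfw blacklists...

# Personal blacklist from various sources.
# File format is one dotted quad per line, potentially
# with netmask.  Blank lines and lines beginning with '#' are ignored,
# so the file can carry notes about where each entry came from.
if [ -r "$blacklist_file" ]; then
    # read -r keeps backslashes literal; the || clause picks up a final
    # line that lacks a trailing newline.
    while read -r address || [ -n "$address" ]; do
        case "$address" in
            ''|'#'*) continue ;;
        esac
        /sbin/ipfw -q table blacklist add "$address"
    done < "$blacklist_file"
else
    echo "ipfw-rules: $blacklist_file is missing or unreadable; blacklist table left empty" >&2
fi

echo Installing ipfw rules...

# Loopback traffic is unrestricted; every rule below therefore only sees
# packets on the other interfaces.
/sbin/ipfw -q add 10 allow ip from any to any via lo0

# Loopback and RFC 1918 private ranges must not appear on the wire in either
# direction (rule 20 covers destinations, rule 30 covers sources).
# NOTE(review): if vtnet0 itself carries an RFC 1918 address (common on
# NAT'd cloud VMs), rules 20 and 30 will cut off its own traffic - confirm
# the interface's addressing before deploying.
/sbin/ipfw -q add 20 deny ip from any to 127.0.0.0/8
/sbin/ipfw -q add 20 deny ip from any to 10.0.0.0/8
/sbin/ipfw -q add 20 deny ip from any to 172.16.0.0/12
/sbin/ipfw -q add 20 deny ip from any to 192.168.0.0/16

/sbin/ipfw -q add 30 deny ip from 127.0.0.0/8 to any
/sbin/ipfw -q add 30 deny ip from 10.0.0.0/8 to any
/sbin/ipfw -q add 30 deny ip from 172.16.0.0/12 to any
/sbin/ipfw -q add 30 deny ip from 192.168.0.0/16 to any

# Same treatment for the IPv6 loopback address.
/sbin/ipfw -q add 40 deny ip from any to ::1
/sbin/ipfw -q add 40 deny ip from ::1 to any

# ICMP to this host, plus the ICMPv6 needed for basic IPv6 operation:
# link-local and multicast traffic, destination unreachable (type 1),
# packet too big (type 2, path-MTU discovery) and neighbour
# solicitation/advertisement (types 135/136).
/sbin/ipfw -q add 50 allow icmp from any to me
/sbin/ipfw -q add 50 allow ipv6-icmp from :: to ff02::/16
/sbin/ipfw -q add 50 allow ipv6-icmp from fe80::/10 to fe80::/10
/sbin/ipfw -q add 50 allow ipv6-icmp from fe80::/10 to ff02::/16
/sbin/ipfw -q add 50 allow ipv6-icmp from any to any ip6 icmp6types 1
/sbin/ipfw -q add 50 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136

# Anything in the blacklist table is dropped before any service rule is
# considered.
/sbin/ipfw -q add 60 deny all from 'table(blacklist)' to any

# Match replies belonging to the stateful sessions that rule 90 creates.
/sbin/ipfw -q add 70 check-state

# Rule 80: who may open TCP connections to this host.
# The whitelisted host and any address that completed the knockd sequence
# get every TCP port, not just SSH.  NOTE(review): if the knock is only
# meant to open SSH, least privilege is to append "dst-port 22" to the
# table(knock) rule; also remember that knock entries persist until the
# close sequence is sent or the table is flushed.
/sbin/ipfw -q add 80 allow tcp from "$home_host" to any
/sbin/ipfw -q add 80 allow tcp from 'table(knock)' to any

# Publicly reachable services.  ipfw stores the text after "//" as a
# per-rule comment that is shown when listing rules.  Trim this list to
# what the host actually runs.
/sbin/ipfw -q add 80 allow tcp from any to me dst-port 25  // SMTP
/sbin/ipfw -q add 80 allow tcp from any to me dst-port 53  // DNS
/sbin/ipfw -q add 80 allow udp from any to me dst-port 53  // DNS
/sbin/ipfw -q add 80 allow tcp from any to me dst-port 80  // HTTP
/sbin/ipfw -q add 80 allow tcp from any to me dst-port 443 // HTTPS
/sbin/ipfw -q add 80 allow tcp from any to me dst-port 587 // Submission
/sbin/ipfw -q add 80 allow tcp from any to me dst-port 993 // IMAPS

# Everything this host initiates is allowed and tracked; the resulting
# dynamic rules are what rule 70 matches for the return traffic.
/sbin/ipfw -q add 90 allow all from me to any keep-state


# Blanket allow for debugging.
#/sbin/ipfw -q add 65000 allow ip from any to any
# implicit
#/sbin/ipfw add 65535 deny ip from any to any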

