
IPFW

Way back in the mists of time I picked IPF as my FreeBSD firewall of preference. It was a simple choice to make: there were two firewalls on offer, and IPFW didn't handle state. In FreeBSD 4.0 IPFW became stateful, but there never seemed much reason to change my allegiance, except for DUMMYNET, which I just knew I'd want to play with one day. Well, that day arrived just the other day, when I found I needed to limit the traffic from a webserver.

The correct way to configure IPFW didn't appear to be documented anywhere; not that I really looked hard. When ipfw(8) didn't tell me precisely what I wanted, I trawled the rc files manually. In /etc/defaults/rc.d I found this:

firewall_enable="NO"            # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="UNKNOWN"         # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"             # Set to YES to suppress rule display
firewall_logging="NO"           # Set to YES to enable events logging
firewall_flags=""               # Flags passed to ipfw when type is a file

Which pointed me to /etc/rc.firewall and the following:

 # Define the firewall type in /etc/rc.conf.  Valid values are:
 #   open     - will allow anyone in
 #   client   - will try to protect just this machine
 #   simple   - will try to protect a whole network
 #   closed   - totally disables IP services except via lo0 interface
 #   UNKNOWN  - disables the loading of firewall rules.
 #   filename - will load the rules in the given filename (full path required)

Control freak that I am, I wanted my own setup. So I created /etc/ipfw.rules, whacked in a pipe, and added a rule to divert traffic through it:

pipe 1 config bw 128KBytes/s mask src-ip 123.123.123.123
add 10 set 1 pipe 1 tcp from 123.123.123.123 80 to any out via fxp0

Then it was just a simple case of amending /etc/rc.conf like so:

 ## Firewall stuff
 firewall_enable="YES"
 firewall_script="/etc/rc.firewall"
 firewall_type="/etc/ipfw.rules"
 firewall_quiet="NO" #change to YES once happy with rules
 firewall_logging_enable="NO"

Then I ran the rc script, /etc/rc.d/ipfw start, to fire it up.
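One check worth running before pointing firewall_type at a hand-written file: every pipe that an add rule sends traffic to should have a matching pipe config line, since a rule left pointing at a pipe that was never configured is an easy slip to make when editing. The POSIX sh lint below is an added example, not part of the original post; it assumes a rules file in the format shown above and uses only awk, sort and grep.

```shell
#!/bin/sh
# Added example, not code from the original post: lint a hand-written ipfw
# rules file (the kind named in firewall_type) before loading it, checking
# that every pipe an "add ... pipe N" rule sends traffic to has a matching
# "pipe N config" line. The file path is the only parameter.

# Print the pipe numbers referenced by "add" rules, one per line.
referenced_pipes() {
    awk '$1 == "add" { for (i = 2; i < NF; i++) if ($i == "pipe") print $(i + 1) }' "$1"
}

# Print the pipe numbers defined by "pipe N config ..." lines, one per line.
configured_pipes() {
    awk '$1 == "pipe" && $3 == "config" { print $2 }' "$1"
}

# Return 0 when every referenced pipe is configured, 1 otherwise,
# naming each missing pipe on stderr.
check_pipes() {
    rc=0
    for p in $(referenced_pipes "$1" | sort -un); do
        if ! configured_pipes "$1" | grep -qx "$p"; then
            echo "$1: a rule sends traffic to pipe $p but no 'pipe $p config' line exists" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files: the post's two-line rule set, and a broken
# variant whose rule names a pipe that is never configured.
GOOD=$(mktemp) ; BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
pipe 1 config bw 128KBytes/s mask src-ip 123.123.123.123
add 10 set 1 pipe 1 tcp from 123.123.123.123 80 to any out via fxp0
EOF
cat > "$BAD" <<'EOF'
add 10 set 1 pipe 2 tcp from 123.123.123.123 80 to any out via fxp0
EOF

check_pipes "$GOOD" && echo "good rules file: all referenced pipes are configured"
check_pipes "$BAD" || echo "bad rules file rejected (exit status $?)"
```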

Only thing: the script /etc/rc.firewall only flushes rules, not pipes. So a small edit was needed, just in case I ever decide to hack the rules and restart the firewall, because I just know I'll never remember to flush the rules manually. Really simple:

--- rc.firewall-orig    Thu Jun  5 02:57:21 2003
+++ rc.firewall Sun Oct  3 21:15:49 2004
@@ -106,6 +106,7 @@
 # Flush out the list before we begin.
 #
 ${fwcmd} -f flush
+${fwcmd} -f pipe flush

 ############
 # Network Address Translation.  All packets are passed to natd(8)
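Review bot: the added `${fwcmd} -f pipe flush` clears dummynet pipes only; if the rules file ever gains `queue` definitions alongside its pipes, those would survive a restart exactly as the pipes did before this change, so a matching `${fwcmd} -f queue flush` on the next line would keep the flush complete. Also note that /etc/rc.firewall is a base-system file, so this local edit is a candidate for being overwritten on the next upgrade or mergemaster run and is worth recording somewhere the rules file's owner will see it.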

Job done.

timestamp: 2004-10-01 12:39
URL:http://lizard.org.uk/weblog/freebsd/ipfw0.html