Chapter 1. Introduction

This book is about one of the native firewalls included with FreeBSD, ipfw(8) - the Internet Protocol FireWall. ipfw is designed to operate on a FreeBSD host with multiple network interfaces, to filter out unwanted traffic and pass through desired traffic. It does this based on a collection of rules (numbered, text based statements) that are entered into the system from the command line. This usage model is different from many other firewall products that employ Graphical User Interfaces (GUIs), or separate control programs. All ipfw statements are entered into the user shell, typically by a user with root privileges or access to root privilege by means of programs that elevate normal user privileges such as sudo(8) or doas(1).

ipfw reads network traffic from the interfaces it knows about and processes it inside the FreeBSD kernel. ipfw itself is a kernel module that can be either compiled into the kernel or loaded at run time. It includes a number of other kernel modules (ipfw_nat, ipfw_nptv6, etc.), many of which are discussed in this book.

A bird’s-eye view of ipfw operation:

  1. Rules are organized into a sorted list based on a rule number

  2. Packets entering the kernel from a network interface or leaving the kernel via a network interface are checked against the ruleset

  3. Rules are checked one by one and the first rule that matches the packet characteristics wins - that is, the action of that rule is applied to the packet: allowing transit through the firewall, denying transit, updating a counter, or moving the packet into userspace for specialized processing.
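To make the numbered-list, first-match model concrete, here is a small added simulation (not code from the book or from ipfw itself) that parses a constructed subset of ipfw(8) rule syntax, walks the rules in ascending number order regardless of the order they were added, and stops at the first terminating match. It treats count as non-terminating, as ipfw(8) does, and assumes the default-deny rule 65535 that a stock kernel installs.

```python
import ipaddress

# Subset of ipfw(8) rule syntax handled by this example (constructed):
#   <number> <action> <proto> from <src> to <dst> [dst-port <port>]
# <src>/<dst> are "any" or an IPv4 address or prefix; <proto> is ip, tcp or udp.
TERMINATING = {"allow", "deny"}   # count only updates a counter; search continues

def parse_rule(text):
    tok = text.split()
    rule = {"num": int(tok[0]), "action": tok[1], "proto": tok[2],
            "src": tok[4], "dst": tok[6], "dport": None, "count": 0}
    if len(tok) > 7 and tok[7] == "dst-port":
        rule["dport"] = int(tok[8])
    return rule

def addr_match(pattern, addr):
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def rule_match(rule, pkt):
    return (rule["proto"] in ("ip", pkt["proto"])
            and addr_match(rule["src"], pkt["src"])
            and addr_match(rule["dst"], pkt["dst"])
            and (rule["dport"] is None or rule["dport"] == pkt.get("dport")))

def evaluate(rules, pkt):
    """Return (action, rule_number) of the first terminating rule that matches."""
    # Rules are kept as a list sorted by number, whatever order they were entered in.
    for rule in sorted(rules, key=lambda r: r["num"]):
        if rule_match(rule, pkt):
            rule["count"] += 1
            if rule["action"] in TERMINATING:
                return rule["action"], rule["num"]
    return "deny", 65535   # implicit last rule of a default-deny kernel

# Constructed ruleset, deliberately entered out of numeric order.
RULES = [parse_rule(r) for r in [
    "300 deny ip from any to any",
    "100 allow tcp from 192.168.1.0/24 to 10.0.0.1 dst-port 22",
    "50 count ip from any to 10.0.0.1",
    "200 allow udp from any to 10.0.0.1 dst-port 53",
]]

if __name__ == "__main__":
    ssh = {"proto": "tcp", "src": "192.168.1.7", "dst": "10.0.0.1", "dport": 22}
    print(evaluate(RULES, ssh))          # ('allow', 100)
    print(RULES[2]["count"])             # rule 50 counted the packet on the way
```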

The book makes frequent reference to the ipfw(8) manual page, and the reader is advised to become familiar with the manual page alongside this book. There is also a section on ipfw in the FreeBSD Handbook Page on IPFW. The intent of this book is to provide examples and informative material beyond the manual page and handbook to increase understanding and usage of ipfw.

Throughout this book are many examples of using ipfw with virtual machines to simulate actual hardware. These examples were developed with QEMU version 9.2.0. It is, of course, entirely possible to perform all the examples in this book with real hardware. QEMU provides a way to perform the examples without spending any money for hardware. In either case, some setup is required.

Note that QEMU command syntax with some of the examples may have changed slightly by the time this book becomes available. Use the latest QEMU release where possible, and check the QEMU documentation if the examples in this book do not work correctly.

Also used are a number of scripts that allow easy if_bridge(4) and tap(4) setup, virtual machine setup, and data transfer from external VMs to or through a firewall VM. In the early examples, data transfer is accomplished with the netcat program, specifically the version distributed with the nmap package (www.nmap.org). This version, ncat(1), has the best coverage of features that are used throughout the book. A familiarity with the man page for ncat(1) is helpful, but not required.

All scripts used in this book are found in Appendix B and published under the BSD 3-clause license. The scripts are also available on the GitHub IPFW Primer page.

When copy/pasting examples, be aware that some desktop copy/paste functions add an extra space (or multiple spaces) to the end of a line, breaking the Unix line-continuation convention of a trailing backslash ('\') at the end of a line. Ensure that the paste function does not introduce extra spaces at the end of the line.

The examples in this book involve passing data between interfaces on the host system. A running firewall on the host such as pf, ipfw, or ipfilter (also known as ipf) may interfere with data transfer, so ensure that any host system firewall is disabled. In addition, take any necessary steps to ensure that this does not compromise the security of the host.

1.1. Quick Start

Instructions for setting up all virtual machines (VMs) are found in Appendix A.

In general you will need the following:

  • Intel®/AMD® machine with a 64-bit processor. Any machine manufactured to recent Microsoft Windows® specifications should work. Processor speed will determine how responsive the virtual machines appear, so the faster, the better.

  • At minimum, 8GB RAM. Each virtual machine is configured to use 1GB, and for the first half of the book only four VMs are used at the same time. In later chapters, the jail1 VM will require more memory (8GB).

  • At least 50GB of free disk space to install all virtual machines. Each virtual machine uses 4GB and the jail1 VM uses 12GB.

For the first half of this book, only four virtual machines are necessary - the firewall VM, and the internal, external1 and external2 VMs.

Additional detail, along with setup instructions for all virtual machines, is provided in Appendix A.