Firewall and NAT

Although ipf and ipnat serve purposes similar to those of Linux's ipchains and iptables, be aware that their configuration file syntax and the way they process rulesets differ significantly.

Quick start - ipf

You are not safe unless your machine is well secured. Log in as root. Here is a basic /etc/ipf.conf file:
pass in quick on lo0 all
pass out quick on lo0 all
block out quick all
block in all
Then, still as root, issue the following command:
ipf -F a -f /etc/ipf.conf

At this stage you can use another machine to test these settings. Your box should now be deaf and mute to the outside world. Don't worry about lo0 (the loopback interface, also referred to as "localhost" or 127.0.0.1), which is allowed to communicate in the example above. It is an internal system interface required by some programs and tools (the X Window System, for example) and should not be blocked.

If everything went fine, edit your /etc/rc.conf file in order to automatically start ipf each time the system boots. Just add the following line at the end:
ipfilter=YES
Then save the file, reboot and check again that everything is working as expected.

Bad news: you should not feel completely safe as long as your machine is connected to a network. Re-examine your configuration, do some security auditing yourself (`man netstat`, `man nmap`) and check log files on a regular basis.

Alternatively, if you need to access the internet from this machine right now, change the third line from the example above. Instead of:
block out quick all
there should be:
pass out quick all keep state
Then, again, issue a command to flush out the old configuration and make the new one operational:
ipf -F a -f /etc/ipf.conf

Now your machine is secure enough to give you some time for reading the documentation listed at the bottom of this page. After that, you will be able to compose a set of rules yourself, according to your particular requirements.

While configuring the firewall, pay attention to where the keywords "any" and "all" are (in)appropriate.
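The rules above are short, but they only behave as described because of how ipf walks a ruleset: every rule is examined in order and the last matching rule decides, unless a matching rule says "quick", which ends evaluation at once; "keep state" records the outbound flow so that the reply is passed before the ruleset is even consulted. The following Python model is an added illustration written for this page, not ipf's own code. It parses the subset of syntax used here (pass/block, in/out, quick, on <iface>, all or from/to with "any", keep state), and the interface name "ne0" and the addresses in it are constructed sample data. It runs both variants of the quick-start file side by side.

```python
"""Model of how ipf walks a ruleset (added illustration, not ipf's code).

Rules are examined in order; the LAST match decides, unless a matching rule
carries `quick`, which stops the walk. `keep state` records the flow so that
replies pass before the ruleset is consulted. Only the syntax used on this
page is modelled; interface and address values are constructed samples."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out"
    iface: str      # interface the packet crosses, e.g. "lo0" or "ne0"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    quick: bool = False          # stop walking the ruleset on match
    iface: Optional[str] = None  # None: any interface
    src: str = "any"             # "all" is shorthand for "from any to any"
    dst: str = "any"
    keep_state: bool = False


def parse_rules(text: str):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] not in ("pass", "block") or tok[1] not in ("in", "out"):
            raise ValueError(f"unsupported rule: {line}")
        rule, i = Rule(tok[0], tok[1]), 2
        while i < len(tok):
            if tok[i] == "quick":
                rule.quick = True
            elif tok[i] == "all":
                pass  # already "from any to any"
            elif tok[i] == "on":
                i += 1
                rule.iface = tok[i]
            elif tok[i] == "from":
                i += 1
                rule.src = tok[i]
            elif tok[i] == "to":
                i += 1
                rule.dst = tok[i]
            elif tok[i] == "keep" and tok[i + 1] == "state":
                i += 1
                rule.keep_state = True
            else:
                raise ValueError(f"unsupported token {tok[i]!r} in: {line}")
            i += 1
        rules.append(rule)
    return rules


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()  # flows recorded by "keep state": (src, sport, dst, dport)

    def filter(self, pkt: Packet) -> str:
        # A reply to a tracked flow is passed without looking at the rules.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "pass"
        # ipf's usual default when nothing matches is to pass (kernels can be
        # built to block instead); that is why the page's file ends "block in all".
        decision, matched = "pass", None
        for rule in self.rules:
            if rule.direction != pkt.direction:
                continue
            if rule.iface is not None and rule.iface != pkt.iface:
                continue
            if rule.src not in ("any", pkt.src) or rule.dst not in ("any", pkt.dst):
                continue
            decision, matched = rule.action, rule  # last match wins so far
            if rule.quick:
                break                               # quick: stop here
        if decision == "pass" and matched is not None and matched.keep_state:
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return decision


# The two /etc/ipf.conf variants from the quick start.
LOCKDOWN = "pass in quick on lo0 all\npass out quick on lo0 all\nblock out quick all\nblock in all\n"
STATEFUL = LOCKDOWN.replace("block out quick all", "pass out quick all keep state")


def demo(conf: str) -> dict:
    """Run four constructed packets through a ruleset and report each verdict."""
    fw = Firewall(parse_rules(conf))
    loopback = Packet("in", "lo0", "127.0.0.1", "127.0.0.1", 6000, 6001)
    outbound = Packet("out", "ne0", "192.0.2.10", "198.51.100.80", 40000, 80)
    reply = Packet("in", "ne0", "198.51.100.80", "192.0.2.10", 80, 40000)
    unsolicited = Packet("in", "ne0", "203.0.113.5", "192.0.2.10", 55555, 22)
    return {"loopback": fw.filter(loopback), "outbound": fw.filter(outbound),
            "reply": fw.filter(reply), "unsolicited": fw.filter(unsolicited)}


if __name__ == "__main__":
    for name, conf in (("lockdown", LOCKDOWN), ("stateful", STATEFUL)):
        print(name, demo(conf))
```

With the lockdown file every packet except loopback traffic is blocked; with "pass out quick all keep state" the outbound request and its reply pass while an unsolicited inbound connection is still blocked by "block in all". Swapping the order of two non-quick rules, or dropping "quick", changes the verdict, which is the point to keep in mind when composing your own ruleset.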

Network Address Translation - ipnat

If you have more than one machine, you may want to use the NetBSD box as a gateway/router between your ISP and the local network, and even as a port redirector. ipnat is an extremely flexible tool, but complex enough that it is not discussed here; rely on the professional documentation instead.

General warning (a bit off-topic)

Just an example, which should help you keep yourself suspicious. "Once upon a time" I put in place a quite firm /etc/ethers, but being paranoid I wanted to be 100% sure. So, I initiated a connection from another machine that I intended to deny access from. Much to my surprise the connection succeeded! In the end, detailed examination of `man 5 ethers` revealed the cause.

Make a copy of any configuration file you are about to edit, especially if it is crucial for the system integrity. In the case of NetBSD, I would recommend adding .ok or just the current date at the end of the original name.

Information resources

  • IP Filter - short and easy, introductory overview of ipf and ipnat. Read-and-forget, but read.
  • Configuring IPFILTER - NetBSD firewall step-by-step configuration. It is one chapter from a larger document titled "NetBSD Security Processes and Services", where you can find also information about configuring ipnat.
  • ipf how-to. Excellent (comprehensive and well written) document about the IP Filter package, by its creators. It's also a good introduction to the world of TCP/IP networking. Worth adding to bookmarks for future reference.

Do you remember what you have learned about how to approach documentation?
