IPFW: An Overview - FreeBSD Foundation

Transcription

IPFW: An Overview
By Allan Jude
FreeBSD Journal, May/June 2014

FOR MOST OF THEIR HISTORY, THE BSD family of operating systems has been known for making great firewalls. IPFW receives less attention than the PF packet filter, but it is very well featured with many advantages. IPFW was first introduced with FreeBSD 2.0 in 1994, while dummynet functionality came along in 2.2.8 (1998).

The current incarnation of IPFW, a complete rewrite dubbed IPFW2, was written and introduced in the summer of 2002. IPFW is remarkably fast and has very good SMP scalability.

IPFW is a "first match" firewall, meaning that each packet is compared against a numbered rules list, and once a rule matches, the search ends. This allows the administrator to write the rules in a specific order to achieve the greatest speed, and avoid comparing certain packets against more complex rules. Bandwidth and quality can be defined with pipes and queues, enforced with rules. IPFW also features an in-kernel NAT implementation which augments the existing user-space natd, full support for VIMAGE/VNET which creates a separate instance of the firewall in each VNET jail, multiple rule sets, dynamic rules, and tight integration with the operating system to provide features including rule matching against the user or jail which generated the packet.

This article covers the basics of enabling and configuring IPFW. It then discusses some advanced topics including rule numbering advice, simulating real-world networks, traffic prioritization and shaping, and using the in-kernel NAT implementation, including configuring port forwarding, in conjunction with jails. The article then ends with an overview of some of the other features of IPFW.

LOADING THE FIREWALL

While IPFW can be compiled into a custom kernel, support is usually enabled by loading its kernel loadable module. Since the default policy is to deny all traffic, one should also either create a custom rule set, or load a sample rule set. The built-in /etc/rc.firewall script contains the logic for a number of basic firewall rule sets. The available templates are: open, closed, simple, client, and workstation.

To enable IPFW, but not block any traffic, add the following lines to /etc/rc.conf:

firewall_enable="YES"
firewall_type="OPEN"

To create a simple stateful firewall:

firewall_enable="YES"
firewall_type="CLIENT"
firewall_client_net="192.168.0.0/24"   # Use the IP for your internal network
firewall_client_net_ipv6=""            # Specify the internal IPv6 net if you have one

Another option is to indicate the full path of a custom rule set file as the firewall type, and IPFW will read that file and interpret each line as the arguments of the IPFW command. IPFW also supports using a preprocessor (such as m4) on the specified file, indicated by the -p flag. This allows an administrator to create a single template that, when preprocessed, generates the firewall rules specific to each different host.

Once the rules are in place, "service ipfw start" will start the firewall and apply the rules. Remember to nohup the command if working remotely, otherwise the connection may be closed when the firewall module is loaded, before the rules that allow the connection are added.

TIP: The /usr/share/examples/ipfw/change_rules.sh script will apply a new set of firewall rules, and then prompt the administrator to confirm that they are satisfied with the new rules. If the administrator is not satisfied, or is locked out by the new rules, the old rules are restored after 30 seconds.

SIMPLE RULES

IPFW rules are fairly straightforward and easy to write. The following is a brief walkthrough of the basic administration commands for the OPEN firewall.

To show existing rules together with their counters use "ipfw -a list" (the -a flag adds the counter columns):

# ipfw -a list
00100 50849736 34345520796777 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 94077116494 77774399268246 allow ip from any to any
65535 0 0 deny ip from any to any

The first column is the rule number. Each rule is assigned a number which determines the order in which packets are compared. It is possible to have multiple rules with the same number, but this makes it more difficult to manage those rules. The next field is the number of packets that have matched the rule, followed by the total number of bytes of those matching packets. These counters can be reset using the "zero" sub-command to "ipfw". The remainder of each line is the rule.

To add a basic rule which blocks incoming connections to port 25, use this command:

# ipfw add 5001 unreach port tcp from any to me dst-port 25

This creates rule number 5001. A rule is always created using the keyword "add", and takes effect immediately. In this rule, the action that will be applied to a matching packet is "unreach port", which will generate an ICMP reply informing the remote host that the port is not accessible, as opposed to "deny" which will silently drop the packet. The body of the rule "tcp from any to me dst-port 25" determines which packets match. The first keyword is the protocol (ip, icmp, tcp, udp, etc). The next section of the body indicates the source and destination addresses of the packet; it allows the keywords "any" and "me", the latter matching any address assigned to any interface on the machine. Finally, additional options can be specified, including source and destination port (src-port and dst-port), direction (in or out), interface (via em0), attempts to create a new connection (keyword "setup": packets with the SYN flag set, but the ACK flag not set), previously established connections (keyword "established": packets with the ACK or RST flags set), and most other IP and TCP protocol headers.

An example of a more advanced rule:

# ipfw add 5002 allow log logamount 50 ip from 192.168.0.0/24 to any dst-port 80 setup

This creates rule number 5002 (for consistency, and administrator sanity, example rules will be numbered up from 5000). This rule will match, log and allow attempts to establish a new connection from the specified subnet to any host on port 80. A log limit has been set to 50 entries: while additional packets will be allowed, only the first 50 packets that match this rule will be logged, to prevent the logs from filling with entries for allowed packets. If needed, the log counter can be reset to 0 with the "ipfw resetlog" command.

NAMING

Rules, pipes and queues each have a separate number space, ranging between 1 and 65535. This means it is possible to have a rule and a pipe with the same number, without them being related. Whatever numbering system works for you, keep in mind that having some kind of functional isolation in your numbering is beneficial if you are working on a firewall (inevitably remotely, and usually late). Isolating the numbering system (5000s for rules, 30000s for pipes, 40000s for queues) and potentially grouping into related numeric sets (5001, 30001, 40001) can assist with clarity and avoid confusion.

SIMULATING REAL-WORLD NETWORKS

It is often desirable to test an application under real-world conditions, where the network is not a quiet LAN with no latency or congestion. IPFW has a feature to simulate the real-world conditions of the public Internet called dummynet(4). Dummynet provides the ability to artificially limit, queue, delay or drop packets to create the desired simulated network conditions.

To enable dummynet functionality, the kernel module must be loaded. This can be done automatically by adding the following to /etc/rc.conf:

dummynet_enable="YES"

The most basic example of dummynet(4) is creating a pipe with limited bandwidth:

# ipfw pipe 30003 config bw 5Mbit/s
# ipfw add 5003 pipe 30003 ip from any to 192.168.0.101

The first command configures pipe 30003 with a bandwidth of 5 megabits per second. Pipe numbers are separate from rule numbers (for consistency, and administrator sanity, example pipes will be numbered in the 30000s, with the least significant digits matching the corresponding rule). The second command creates firewall rule 5003 using the "add" keyword. Rule 5003 directs all matching traffic (that has not matched a previous rule) through pipe 30003. This will effectively limit the downstream bandwidth of the host 192.168.0.101 through the firewall to 5 megabits per second.

This is useful for shaping traffic from specific hosts, or simulating slower links, but it does not provide an especially realistic simulation in terms of qualitative network variability. A better simulation would look like this:

# ipfw pipe 30003 config bw 5Mbit/s delay 150 burst 128k plr 0.001 queue 32KBytes noerror

This will reconfigure pipe 30003 with convenient options that can help to reproduce application behavior caused by network issues. The delay option will add 150ms of latency to each packet, simulating the latency between Los Angeles and London. The burst option will allow slightly more than the maximum amount of bandwidth to be used, if the pipe was not full beforehand. If the pipe is idle then the first 128KB of data is passed without being rate limited. The next option simulates a packet loss rate (plr) of 0.1%, causing an occasional retransmit, as might be expected on a less than ideal network. The queue option sets the maximum amount of excess data (in packets or KBytes) that will be accepted before additional packets are refused. This can be used to simulate buffer bloat, by setting a low rate limit with a large queue. The final option, noerror, causes the firewall not to return an error to the calling application when a packet is dropped. Normally, if more data is being sent than can be transmitted within the rate limit set, the firewall notifies the calling application with the same error that would be returned if the device queue was full on an unrestricted network. By suppressing this error, it simulates loss at an upstream router further along the path, where the application will be unaware that the packet has been dropped until it is not acknowledged on the other side of the connection.

CONTROLLING THE FLOW OF DATA

Pipes can also be allocated dynamically. For example, if there are many clients behind the firewall, each client can be limited to a 5Mbit/s flow by creating a dynamic pipe based on a mask (/24 in this case):

# ipfw pipe 30004 config bw 5Mbit/s mask src-ip 0x000000ff
# ipfw add 5004 pipe 30004 ip from any to 192.168.0.0/24

It is also possible to mask based on destination ip, source or destination port, or protocol. One other option is to mask 'all' bits (source and destination IP, source and destination port, and protocol). This limits any single connection (flow) to 5Mbit/s, but allows each client multiple connections at this speed:

# ipfw pipe 30004 config bw 5Mbit/s mask all

Sometimes the goal of traffic shaping is not to limit the traffic of any one host, but to ensure that a set amount of bandwidth is shared equally among a set of hosts. In this case, rather than pushing all of the bandwidth directly through a pipe, the firewall can be used to create a number of queues with different priorities in order to classify the different types of traffic. When a dynamic queue is created with a mask, each flow (in the following case, one per source ip address in the subnet) shares a parent pipe evenly. Create a pipe with limited bandwidth and then create a queue to use that pipe. Queue numbers are separate from pipe numbers (for consistency, and administrator sanity, example queues will be numbered up from 40000). Add a rule that matches the desired traffic. The queue rule will create a dynamic queue for each unique flow identifier, as determined by the specified mask. Each flow will have equal access to the limited pipe.

# ipfw pipe 30005 config bw 75Mbit/s
# ipfw queue 40005 config pipe 30005 mask src-ip 0x000000ff
# ipfw add 5005 queue 40005 ip from any to 192.168.0.0/24

Contrast this to dynamic pipes, where each source ip address (flow identifier) had its own separate rate limit.

Sometimes, sharing equally is fine. However, "all hosts are equal, but some hosts are more equal than others". Queues can be weighted, allowing certain traffic to get a greater share of the available pipe:

# ipfw pipe 30006 config bw 75Mbit/s
# ipfw queue 40006 config pipe 30006 mask src-ip 0x000000ff weight 5
# ipfw queue 40007 config pipe 30006 mask src-ip 0x000000ff weight 25
# ipfw add 5006 queue 40006 ip from any to 192.168.0.0/24
# ipfw add 5007 queue 40007 ip from any to 192.168.1.0/24

Creating a pipe to allocate bandwidth and two queues with different weightings, with supporting subnet rules, means that hosts in the second subnet get higher priority access to the allocated bandwidth.

This same style of traffic management can also be applied to specific applications and services. Set up a pipe, add two differently weighted queues, plug the queues into rules for the specific service, and add a final catch-all:

# ipfw pipe 30008 config bw 50Mbit/s queue 20
# ipfw queue 40008 config pipe 30008 mask all weight 100
# ipfw queue 40011 config pipe 30008 mask all weight 10
# ipfw add 5008 queue 40008 ip from any to any dst-port 5060
# ipfw add 5009 queue 40008 ip from any to any src-port 5060
# ipfw add 5010 queue 40008 ip from any to any iptos lowdelay
# ipfw add 5011 queue 40011 ip from any to any

The above rule set creates a pipe with 50 megabits per second of bandwidth and a maximum queue of 20 packets. Two queues are then created, where the first has a weight 10 times higher than the second. Traffic is then classified into one of these two queues. Packets with a source or destination port of 5060 (SIP), or packets with the IPTOS_LOWDELAY flag, go into the high priority queue (40008), and the rest of the traffic goes into the low priority queue (40011). This should help ensure that VoIP calls do not suffer during periods of peak network activity.

Network traffic can also be shaped based on criteria specific to the machine the firewall is on. IPFW can match traffic based on the user, group, or jail that generated the packet:

# ipfw pipe 30014 config bw 100Mbit/s
# ipfw pipe 30015 config bw 5Mbit/s
# ipfw pipe 30016 config bw 10Mbit/s
# ipfw add 5012 allow ip from any to any uid root
# ipfw add 5013 allow ip from any to any gid wheel
# ipfw add 5014 pipe 30014 ip from any to any jail 4 in
# ipfw add 5015 pipe 30015 ip from any to any jail 4 out
# ipfw add 5016 pipe 30016 ip from any to any
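The listing shown under SIMPLE RULES, once saved to a file, is the natural input for a rule audit. The following script is an added example and not the article's code: it parses an "ipfw -a list" style listing (a constructed sample that includes a hypothetical rule 65100 placed after the catch-all) and reports rules that have never matched and rules the first-match search can never reach.

```sh
# Audit a saved "ipfw -a list" listing: rule number, packets, bytes, rule.
# SAMPLE is constructed from the article's OPEN-firewall listing plus the
# two rules added in the text (5001, 5002) and a hypothetical rule, 65100,
# placed after the catch-all so that it can never be reached.
SAMPLE='00100    50849736  34345520796777 allow ip from any to any via lo0
00200           0               0 deny ip from any to 127.0.0.0/8
00300           0               0 deny ip from 127.0.0.0/8 to any
05001          12             720 unreach port tcp from any to me dst-port 25
05002           0               0 allow log logamount 50 ip from 192.168.0.0/24 to any dst-port 80 setup
65000 94077116494  77774399268246 allow ip from any to any
65100           0               0 deny tcp from any to me dst-port 22
65535           0               0 deny ip from any to any'

# Rules whose packet counter is zero (since boot or the last "ipfw zero"):
# candidates for review. Prints space-separated rule numbers without the
# listing's leading zeros.
unmatched_rules() {
    printf '%s\n' "$1" | awk '
        $2 == 0 { printf "%s%d", sep, $1; sep = " " }
        END { print "" }'
}

# IPFW is first-match: a terminating action on "ip from any to any" with no
# further options ends the search for every packet, so every rule numbered
# above it is dead. Prints the numbers of those unreachable rules.
unreachable_rules() {
    printf '%s\n' "$1" | awk '
        !catchall && NF == 9 && $4 ~ /^(allow|accept|pass|permit|deny|drop|reject|reset)$/ &&
        $5 == "ip" && $6 == "from" && $7 == "any" && $8 == "to" && $9 == "any" {
            catchall = $1 + 0; next
        }
        catchall && $1 + 0 > catchall { printf "%s%d", sep, $1; sep = " " }
        END { print "" }'
}

unmatched_rules "$SAMPLE"     # → 200 300 5002 65100 65535
unreachable_rules "$SAMPLE"   # → 65100 65535
```

On a live system, feed it the output of "ipfw -a list" instead of the constructed sample; a rule that shows up in both reports is a good candidate for deletion.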
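Rule sets kept in a file for firewall_type, as described under LOADING THE FIREWALL, can be linted before they are loaded. This added example (not the article's code) checks a constructed rule file built from the VoIP and jail rules above for references to pipes or queues that are never configured, for duplicate rule numbers, and for queue weights outside dummynet's 1..100 range; rule 5017 and queue 40013 are hypothetical and deliberately wrong.

```sh
# Lint a custom rule-set file (each line is the argument list of one ipfw
# command). RULES is constructed from the article's VoIP-priority and jail
# rules, with three deliberate mistakes: rule 5011 is defined twice,
# hypothetical rule 5017 uses queue 40012, which is never configured, and
# hypothetical queue 40013 asks for a weight outside dummynet's 1..100 range.
RULES='pipe 30008 config bw 50Mbit/s queue 20
queue 40008 config pipe 30008 mask all weight 100
queue 40011 config pipe 30008 mask all weight 10
queue 40013 config pipe 30008 mask all weight 500
add 5008 queue 40008 ip from any to any dst-port 5060
add 5009 queue 40008 ip from any to any src-port 5060
add 5010 queue 40008 ip from any to any iptos lowdelay
add 5011 queue 40011 ip from any to any
add 5011 queue 40011 udp from any to any
pipe 30015 config bw 5Mbit/s
add 5015 pipe 30015 ip from any to any jail 4 out
add 5017 queue 40012 ip from any to 192.168.2.0/24'

# Pipes and queues referenced by "add" rules, or by a queue's own config,
# that have no "config" line of their own. One line per missing object.
dangling_refs() {
    printf '%s\n' "$1" | awk '
        ($1 == "pipe" || $1 == "queue") && $3 == "config" { have[$1 " " $2] = 1 }
        $1 == "queue" && $3 == "config" && $4 == "pipe" { ref[NR] = "pipe " $5 }
        $1 == "add" && ($3 == "pipe" || $3 == "queue") { ref[NR] = $3 " " $4 }
        END {
            for (n = 1; n <= NR; n++)
                if ((n in ref) && !(ref[n] in have) && !(ref[n] in seen)) {
                    seen[ref[n]] = 1; print ref[n]
                }
        }'
}

# Rule numbers used by more than one "add" line; legal, but as the article
# notes it makes the rules hard to manage.
duplicate_rules() {
    printf '%s\n' "$1" | awk '
        $1 == "add" && ++count[$2] == 2 { printf "%s%d", sep, $2; sep = " " }
        END { print "" }'
}

# Queue configs whose weight is outside the 1..100 range dummynet accepts.
bad_weights() {
    printf '%s\n' "$1" | awk '
        $1 == "queue" && $3 == "config" {
            for (i = 4; i < NF; i++)
                if ($i == "weight" && ($(i + 1) < 1 || $(i + 1) > 100))
                    print "queue " $2 " weight " $(i + 1)
        }'
}

dangling_refs "$RULES"     # → queue 40012
duplicate_rules "$RULES"   # → 5011
bad_weights "$RULES"       # → queue 40013 weight 500
```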

This set of rules will shape the traffic based on the user or jail that generated it. The first three commands configure pipes with specific amounts of available bandwidth. The next two rules allow all traffic generated by root, or members of the wheel group, to pass unshaped. The next pair of rules matches traffic flowing in and out of a specific jail, creating an asymmetric connection, limiting traffic to 100Mbit/s inbound, but only 5Mbit/s outbound. The final rule matches all other traffic (other users and jails) and limits it to 10Mbit/s total (not per direction).

BASIC NAT FOR A JAIL

IPFW can be useful if you need to quickly set up basic NAT to allow a number of jails on a public-facing machine to access the Internet, without each having a dedicated IP address. This example assumes the jails have internal IP addresses bound to lo0. To enable NAT, add the following to /etc/rc.conf:

gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
firewall_nat_enable="YES"
firewall_nat_interface="em0"   # public interface
firewall_nat_flags="redirect_port tcp 10.99.0.2:80 80 redirect_port tcp 10.99.0.2:443 443"

This will create an open firewall that will NAT outbound traffic via the IP address assigned to em0. It also configures port forwarding, to redirect inbound traffic on ports 80 and 443 to the private IP of the jail.

ADDITIONAL FUNCTIONALITY

IPFW has a number of other keywords that can be used to create advanced rule sets. The "prob" keyword, as part of the rule action, determines the probability that a packet will match the rule. Using this, the administrator can construct rules to direct portions of traffic in different ways, for split testing, load balancing, or simulating failure. Packets can also be "tagged" with numeric ID numbers to be used in later rules for things such as establishing trust relationships between interfaces. IPFW includes a forwarding capability; the "fwd" keyword will change the internal next-hop field of the packet as it passes through the firewall. This does not modify the headers of the packet, but changes how the kernel will route the packet and is ideal for IP- or port-based load balancing. IPFW can create a software monitor port with the "tee" keyword, which will send a copy of each matching packet to userland via a divert(4) socket. IPFW may also be used to mark packets with a specific FIB (Forwarding Information Base), causing matching packets to be routed using a specific kernel routing table.

CONCLUSION

This article only begins to scratch the surface of the capabilities and features of IPFW. The IPFW man page provides extensive documentation of each feature with plentiful examples. The FreeBSD handbook also includes a chapter on IPFW with additional explanation and examples. Users with questions are encouraged to address them to the freebsd-questions mailing list or post on the FreeBSD Forums.

Allan Jude is VP of operations at ScaleEngine Inc., a global HTTP and Video Streaming Content Distribution Network, where he makes extensive use of ZFS on FreeBSD. He is also the host of the video podcasts "BSD Now" (with Kris Moore) and "TechSNAP" on JupiterBroadcasting.com. Allan is currently working on earning his FreeBSD doc commit bit, improving the handbook and documenting ZFS. He taught FreeBSD and NetBSD at Mohawk College in Hamilton, Canada from 2007-2010 and has 12 years of BSD unix sysadmin experience.
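An added example (not from the article) for the jail NAT configuration above: it builds the firewall_nat_flags value from a list of redirects and flags the common mistake of two separate redirect_port entries claiming the same public port and protocol. 10.99.0.2 is the article's jail address; 10.99.0.3 is a hypothetical second jail.

```sh
# Build the firewall_nat_flags value for the jail NAT setup and check it
# for a common mistake: two separate redirect_port entries claiming the same
# public port and protocol, which cannot both be honoured. 10.99.0.2 is the
# article's jail address; 10.99.0.3 is a hypothetical second jail.

# redirect_flags "proto jail_ip:jail_port public_port" ...
# Each argument becomes one redirect_port clause of the simple form used in
# the article (no alias IP, no port ranges).
redirect_flags() {
    flags=""
    for spec in "$@"; do
        set -- $spec   # split into proto, target, public port
        flags="${flags:+$flags }redirect_port $1 $2 $3"
    done
    printf '%s\n' "$flags"
}

# Prints "proto/port" for every public port that appears in more than one
# redirect_port clause.
conflicting_redirects() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "redirect_port" && ++seen[$(i + 1) "/" $(i + 3)] == 2) {
                printf "%s%s/%s", sep, $(i + 1), $(i + 3); sep = " "
            }
        print ""
    }'
}

# Constructed mapping: both jails ask for public port 80, which cannot work.
NAT_FLAGS=$(redirect_flags "tcp 10.99.0.2:80 80" "tcp 10.99.0.2:443 443" \
                           "tcp 10.99.0.3:80 80")
printf 'firewall_nat_flags="%s"\n' "$NAT_FLAGS"
conflicting_redirects "$NAT_FLAGS"   # → tcp/80
```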
