12.7.4. Making the Firewall Load the Firewall Policy After Reboot: ipfilter

On FreeBSD, Firewall Builder generates the firewall policy in three files. Assuming the firewall object's name is firewall, these files are firewall-ipf.conf, firewall-nat.conf and firewall.fw. The first two contain the configuration for ipfilter (filter rules and NAT rules respectively), while the last one is a shell script that loads them. This script can also configure aliased IP addresses on the firewall's interfaces, which matters if you use multiple addresses for NAT and want Firewall Builder to configure them for you.

The simplest way to activate the generated policy, and to make sure it is activated again at boot time, is to put all three files in the /usr/local/etc/ directory and add the following lines to /etc/rc.conf:

firewall_enable="YES"                         # Set to YES to enable firewall functionality
firewall_script="/usr/local/etc/firewall.fw"  # Which script to run to set up the firewall

You can use the script fwbinstaller to copy all three generated files from the firewall management workstation to the firewall machine.
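A pre-reboot sanity check for the rc.conf method just described, added here as an example (it is not part of the Firewall Builder guide or of fwbinstaller): it reads the firewall_enable and firewall_script knobs from an rc.conf, verifies the script is executable and that the generated ipf and nat rule files sit beside it, and builds a constructed staging tree to exercise itself offline. The rule contents and paths in make_staging are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Firewall Builder guide: check the rc.conf knobs
# for the firewall_script method before rebooting. Paths are parameters so the
# check can run against a staging copy instead of the live /etc/rc.conf.

# Print the value of an rc.conf variable; the last assignment wins, as in sh.
rc_get() {  # rc_get <rc.conf> <variable>
    awk -F= -v k="$2" '
        $1 == k { v = $2; sub(/[ \t]*#.*$/, "", v); gsub(/"/, "", v) }
        END { print v }' "$1"
}

# Succeed only if firewall_enable is YES, firewall_script names an executable
# file, and <name>-ipf.conf / <name>-nat.conf sit in the same directory.
check_fw_boot() {  # check_fw_boot <rc.conf> <firewall object name>
    rc=$1; name=$2
    [ "$(rc_get "$rc" firewall_enable)" = "YES" ] ||
        { echo "firewall_enable is not YES" >&2; return 1; }
    script=$(rc_get "$rc" firewall_script)
    [ -n "$script" ] || { echo "firewall_script is not set" >&2; return 1; }
    [ -x "$script" ] || { echo "$script: missing or not executable" >&2; return 1; }
    dir=$(dirname "$script")
    for f in "$dir/$name-ipf.conf" "$dir/$name-nat.conf"; do
        [ -r "$f" ] || { echo "$f: missing" >&2; return 1; }
    done
    echo "ok: $script and its ipf/nat rule files are in place"
}

# Build a constructed staging tree (hypothetical contents) and print its path.
make_staging() {  # make_staging <YES|NO>
    d=$(mktemp -d)
    printf 'pass in all\n' > "$d/firewall-ipf.conf"
    printf 'map em0 10.0.0.0/24 -> 0/32\n' > "$d/firewall-nat.conf"
    printf '#!/bin/sh\n/sbin/ipf -Fa -f %s/firewall-ipf.conf\n' "$d" > "$d/firewall.fw"
    chmod 755 "$d/firewall.fw"
    cat > "$d/rc.conf" <<EOF
firewall_enable="$1"             # Set to YES to enable firewall functionality
firewall_script="$d/firewall.fw" # Which script to run to set up the firewall
EOF
    echo "$d"
}

# Stand-alone run: validate the constructed staging copy.
check_fw_boot "$(make_staging YES)/rc.conf" firewall
```

Point check_fw_boot at the real /etc/rc.conf on the firewall to verify a deployment; a non-zero exit names the first thing that would stop the policy from loading at boot.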

See also the excellent mini-HOWTO: Deploy fwbuilder-generated policy to remote FreeBSD-and-ipfilter-based firewall by Daniel Podolsky.

Another option is to copy the generated files firewall-ipf.conf and firewall-nat.conf to the /etc/ directory on the firewall machine under the names ipf.rules and ipnat.rules, and then load them the standard FreeBSD way. To activate this, add the following lines to /etc/rc.conf:

ipfilter_enable="YES"           # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf"    # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
                                # /usr/src/contrib/ipfilter/rules for examples
ipnat_enable="YES"              # Set to YES to enable ipnat functionality
ipnat_program="/sbin/ipnat"     # where the ipnat program lives
ipnat_rules="/etc/ipnat.rules"  # rules definition file for ipnat

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.