Frustration with BSD/OS 4.2 and IPFW

Posted on 2001-06-08
Last Modified: 2013-12-06

I am offering a ton of points for anyone that can get me through this problem!

I am a knowledgeable person in Linux - sysadmin for 4 years. I just acquired a BSD/OS 4.2 server which will be used to replace the Linux server as soon as possible. I have been able to learn what is different and set up without problem sendmail/samba/ftp, etc.

Here is my problem: I can't understand for anything the whole ipfw setup. It is NOTHING like the ipchains in Linux.

I know that I must set up the kernel to accept IPFW, done.
I know that I will need to make a few scripts for all the rules. BUT there is NO documentation on this; oh yes, I have read the man pages, but they give me all the options and flags, not the format, which file is which, nor where to put anything. I AM LOST!

in rc.local I put:

# to enable IP packet forwarding (routing):
echo 'starting ip forward logging...'
ipfwlog -n -d -l /var/log/ipfw_log/ipfw.log

echo -n "IP forwarding: "; sysctl -w net.inet.ip.forwarding=1

if [ -f /etc/ipfw_rules/rc.iprules ]; then

echo -n 'starting IPFW...'
echo -n 'output...'
ipfw output -push /etc/ipfw_rules/rc.iprules
echo -n 'input...'
ipfw input -push /etc/ipfw_rules/rc.iprules

fi

# to enable IPv6 packet forwarding (routing):
# echo -n "IPv6 forwarding: "; sysctl -w net.inet.ipv6.forwarding=1

# to disable forwarding of source-routed packets:
# echo -n "source-route: "; sysctl -w net.inet.ip.forwsrcrt=0

I have a test file called rc.iprules:

#general ipfw rules
#define computer1
#define computer2

tcp {
      srcaddr(computer1) { accept; }
      srcaddr(computer2) { accept; }
}

Now when I reboot I am told that I am not using a proper BSD filter... OK, so I read my man pages and see that I should have sent the file rc.iprules through the ipfwasm program to make it an assembled BSD IP filter.

I have been on this for a week and I am getting very frustrated for lack of documents. I would like, if possible, for someone to take me by the hand in doing a very basic ipfw setup from start to finish, which later I can use as my base for a complete firewall setup.


I was not allowed to offer the 800 points that I wanted, but help me with this and we will work out a way to get it up to 800 points.

-------------------- Part of answer ----------
Sorry but need to add one more comment for future ipfw people.

I have one little error in my setup: when you reboot (which I did this morning) all configs are gone.
Why? The directory /var/run/ipfw is a cache directory; what is there only remains as long as you
don't reboot :)

So you need to change the rc.local, and the use of the ipfwcmp/ipfw commands to reflect this.

ipfw input -push /etc/ipfw_rules/input

ipfwcmp -o /etc/ipfw_rules/input /etc/ipfw_rules/input.bak
ipfw input -replace /etc/ipfw_rules/input

I checked and it works, even with a reboot. Recall that the directory I used, /etc/ipfw_rules, does
not exist by default; I made it. You can make any directory that you want.

Sorry for the error

Question by:sherapr

Expert Comment

ID: 6169840
I'm not familiar with the setup so the best/only option I can recommend is the bsdi-user mailing list.  There's a searchable archive at under the Mailing Lists link.

Good luck!

Author Comment

ID: 6169871
Been there, done that, it didn't help; basically I get man page info, which I already have on my box.

Expert Comment

ID: 6172215
I think I need a bit of information to be able to help.

Do you have a netblock or a single IP for your Internet connection?  

Will there be any Internet accessible servers on the inside?

You mention BSD 4.2, are we talking about FreeBSD 4.2 or BSD 4.2 from BSDi?

Expert Comment

ID: 6172542
Don't know if this helps as I've been running an older version for years, but...

A simple rules script on my version would look something like the following...


# shell variable assignments must not have spaces around "="
fwcmd="/sbin/ipfw -q"
int_net=""
int_if="de1"
int_ip=""
ext_if="de0"
ext_ip="x.x.x.x"

  # clear the rules
  $fwcmd -f flush

  # divert/nat rules here

  # localhost rules
  $fwcmd add pass all from any to any via lo0
  $fwcmd add drop all from to

  # no spoof
  $fwcmd add drop all from $int_net in recv ${ext_if}

  # no private
  $fwcmd add drop all from in recv ${ext_if}
  $fwcmd add drop all from in recv ${ext_if}
  $fwcmd add drop all from in recv ${ext_if} # duplicate of anti-spoof

  # deny everything to firewall
  $fwcmd add drop all from any to ${ext_ip} in recv ${ext_if}

  # http allowances
  $fwcmd add allow tcp from ${int_net} to any 80 in recv ${int_if}
  $fwcmd add allow tcp from ${int_net} to any 80 out xmit ${ext_if}
  $fwcmd add allow tcp from any 80 to ${int_net} in recv ${ext_if} established
  $fwcmd add allow tcp from any 80 to ${int_net} out xmit ${int_if} established

  # dns allowances (should be set to external dns host..but we have all)
  $fwcmd add allow udp from ${int_net} to any 53 in recv ${int_if}
  $fwcmd add allow udp from ${int_net} to any 53 out xmit ${ext_if}
  $fwcmd add allow udp from any 53 to ${int_net} in recv ${ext_if}
  $fwcmd add allow udp from any 53 to ${int_net} out xmit ${int_if}

  # last rule (should be set by default, but we'll implicitly put it and use it for logging)
  $fwcmd add drop log any from any to any

Author Comment

ID: 6172581
Thanks, but I already fixed this yesterday; I just didn't have time to come in and delete the question.

jlevie -- BSD/OS 2.4 is the flavor of BSD that I have. There is BSDI, FreeBSD, OpenBSD, or NetBSD; BSDI/OS.


Author Comment

ID: 6172583
Droby10 --- sorry, your answer won't do; first, I already fixed it myself, and second, you seem to be using a different version of BSD.

Expert Comment

ID: 6172591
Glad to know you resolved your problem.

Author Comment

ID: 6173193
I don't want to delete this question because in my search through the internet I have found that others have asked this question without getting an answer. So I want to answer my own question to give others the chance, and not to go through the 7 headache days that I have gone through.
Excuse any misuse of terms; recall I learned this on my own.

What I learned about BSD/OS 4.2 IPFW and its setup:

1. It is very powerful once you know what you're doing
2. There is very little written for it
3. Important commands to learn: ipfw, ipfwcmp
4. Learn that compiled rule sets go to /var/run/ipfw
5. Some commands in the man files do NOT work (i.e. display)

To get ipfw to work you need to put stuff in the startup file to tell the system that you want to use ipfw and where the rule sets are. I have found that putting this in rc.local works great. To make a very BASIC entry you could add the following lines to rc.local:

vi rc.local...

# to enable IP packet forwarding (routing):
echo 'starting ip forward logging...'
ipfwlog -n -d -L /var/log/ipfw_log/ipfw.log

echo -n "IP forwarding: "; sysctl -w net.inet.ip.forwarding=1

echo -n 'starting IPFW...'
echo -n 'output...'
ipfw output -push /var/run/ipfw/output
echo -n 'input...'
ipfw input -push /var/run/ipfw/input

First we turn on logging, and I have an echo statement so I can see that the log turned on when the computer boots. Since I wanted to be able to see only ipfw stuff in the log, I create a separate log called ipfw.log. There is a lot of stuff you can do with the log, but for that you will need to read the man page of ipfwlog.

Second: the line that reads: echo -n "IP forwarding: "; sysctl -w net.inet.ip.forwarding=1
is to turn on IP forwarding itself. I didn't have to put this line; it was already in my rc.local with a # to comment it out. NOTE: you may have to compile the kernel to allow ipfw; the steps are easy and they are in the book, so I won't go into that here.

Step 3: you have to tell ipfw where its configuration files are kept. I have found that the compiled file works best from /var/run/ipfw. You can make one configuration file for every rule, or you can have one for everything coming in ("input"), one for everything going out ("output"), things that should happen upon starting ipfw ("pre-input"), and many more (this can be found in the man page of ipfw). Just to keep this simple I have an input and output in the example, but I actually also have pre-input. Oh yeah, file names don't matter from what I can tell; I used test-input and it worked just as well as input.bak. I use -push to shove these rules onto the whole chain. The echo commands are just for show at boot up; they are not needed.

OK, we are done with the rc.local file. Now the fun begins. I will not explain what a rule means because each command of the rules is well documented in the man files and the manual, but I will give some not-so-clear or undocumented stuff here. You will be making some simple files that later you will need to compile. I like to keep things neat, so inside of /etc I made a subdirectory called /etc/ipfw_rules. You can really put this stuff anywhere you want. Inside of /etc/ipfw_rules I type vi input.bak (my name, you can put anything you want). In the file input.bak I put:

// general ipfw rules
#define computer1
#define computer2

tcp {
     srcaddr(computer1) { accept; }
     srcaddr(computer2) { accept; }
}
udp {
}

------- end ----------

Now from reading I do know that the compiler I will use is ipfwcmp and it uses cpp, which is a C compiler. So with little experience in C but a good book on hand :) I know that I can #define things that I will be typing over and over. You can define your lo0, your local net, your external connection IP, all those things that you will put rules on, using a #define statement. For simplicity I just added two computers but could have put
      #define LOCAL_NET
which would have included all the local computers, but if I want to rule out one computer or another I wouldn't be able to use LOCAL_NET.

All the rest of the stuff in this file is well explained in the man pages and manual, so I won't go into it.

Save your file, input.bak (:wq), and now we will compile:

type the following on the command line:
ipfwcmp -o /var/run/ipfw/input /etc/ipfw_rules/input.bak
------------ NOTE ---------
Basically this says to use ipfwcmp to make a file called /var/run/ipfw/input from a file called /etc/ipfw_rules/input.bak
-----------End of NOTE ---------

Now type the following on the command line:
ipfw input -replace /var/run/ipfw/input
----------NOTE ----------
This calls ipfw to set /var/run/ipfw/input as the input rules source and to replace any others that I may have.
------------End of NOTE ---------

If you didn't get any errors you can now try out your new rules. Want to see how the computer sees the rule? Type ipfw on a command line and hit enter; your rule should be there. Try pinging your different machines and you will see that using my sample nobody can ping in or out. This is not a useful script - it is just an example to show the basic steps.

Now if you're like me and make many input scripts just to see how they will work and to play with the rules, you will start filling up the /var/run/ipfw directory; make sure to clean it with rm, it will grow fast while learning :)

Writing these instructions it all seems so very easy and so very logical, but it took me 7 days to get here and a lot of screaming. I hope this will help someone else that is in the same position :)

I think later I will make a web page with good instructions, because there is a VERY big lack of documentation for BSD/OS 4.2 out on the net.

thanx for your time
Shera - Happy again!
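The compile-then-replace procedure above, combined with the reboot lesson from the "Part of answer" (the /var/run/ipfw cache is empty after a reboot, so the source under /etc/ipfw_rules must be recompiled at boot), as an added boot script that is not part of the original thread. It assumes the BSD/OS command forms shown in the thread (ipfwcmp -o OUT SRC, ipfw CHAIN -replace FILE); the script path, the .bak naming and the IPFWCMP/IPFW override variables are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): compile each BSD/OS ipfw rule
# source under /etc/ipfw_rules at boot and load it with "ipfw <chain> -replace",
# so it no longer matters that /var/run/ipfw is emptied on every reboot.
# Command names are assumptions; set IPFWCMP/IPFW if your binaries live elsewhere.
IPFWCMP=${IPFWCMP:-ipfwcmp}
IPFW=${IPFW:-ipfw}
RULES_DIR=${RULES_DIR:-/etc/ipfw_rules}   # human-written sources, e.g. input.bak
CACHE_DIR=${CACHE_DIR:-/var/run/ipfw}      # compiled filters (cleared on reboot)

# load_chain CHAIN SOURCE
# Compiles SOURCE into CACHE_DIR/CHAIN.new; only on success is it renamed over
# CACHE_DIR/CHAIN and handed to ipfw. A broken edit therefore never replaces the
# last known-good compiled filter with nothing. Returns 0 on success, 1 on failure.
load_chain() {
    ch=$1
    src=$2
    out="$CACHE_DIR/$ch"
    [ -r "$src" ] || { echo "$ch: missing rule source $src" >&2; return 1; }
    mkdir -p "$CACHE_DIR" || return 1
    if ! "$IPFWCMP" -o "$out.new" "$src"; then
        echo "$ch: ipfwcmp failed, keeping previous compiled filter" >&2
        rm -f "$out.new"
        return 1
    fi
    mv "$out.new" "$out" || return 1
    if ! "$IPFW" "$ch" -replace "$out"; then
        echo "$ch: ipfw -replace failed" >&2
        return 1
    fi
    echo "$ch: loaded $out (compiled from $src)"
    return 0
}

# load_all: compile and load every chain that has a source file; the return
# value is the number of chains that failed, so rc.local can see at a glance
# whether the firewall came up complete.
load_all() {
    failed=0
    for chain in pre-input input output; do
        src="$RULES_DIR/$chain.bak"
        [ -e "$src" ] || continue
        load_chain "$chain" "$src" || failed=$((failed + 1))
    done
    return $failed
}

# Run from rc.local as:  sh /etc/ipfw_rules/load.sh run
if [ "${1:-}" = "run" ]; then load_all; fi
```

Chains without a source file are skipped, so the same script serves a box with only an input filter and one that also compiles pre-input.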


Expert Comment

ID: 6173312
Hello everyone.

sherapr has requested that the points be reduced to zero and the question moved to the PAQ. If there are no objections, I'll do that in a couple of days.

Community Support Moderator

Accepted Solution

teacher_mod earned 0 total points
ID: 6188811
reducing points to zero and PAQing

Community Support Moderator
