I'd recommend against `options IPFIREWALL_DEFAULT_TO_ACCEPT`. The default is to Default to Deny. The firewall comes up with just one rule, `deny ip from any to any`, and stays that way until a script configures exactly what traffic should get through.
Follow-Up Note: RSA (one of the world's leading security technology companies) was hacked recently when part of their firewall was disabled during a maintenance window. This really underscores how quickly a system can be compromised given the right conditions.
If you insist on disabling the firewall until you explicitly block unwanted traffic, please consider using the sysctl available by adding `net.inet.ip.fw.default_to_accept=1` to `loader.conf`. This has the added benefit of being easily modified (no recompiling the kernel) if you change your mind at some point in the future.
Correct rules need to be reestablished every reboot. It will not directly affect other rules, but can indirectly (for instance, if another rule allowed the IP for whatever reason, this might block the IP...)
You're looking for the ever popular fail2ban, which reads log files and bans IPs of people doing "bad" things.
Also, you don't really want to keep adding rules for each individual ban; this would quickly pollute the rules. You can, however, add a rule to block a table, then add the IPs to the table. A table is just a list of IPs, so you can easily apply rules to the whole table rather than specifying them all individually.
For example, I have a 'default' firewall script that I use; the first two rules in this script are:

```
00030 deny ip from "table(1)" to me
00031 deny ip from "table(2)" to me
```

The keyword "me" means any of my local IP addresses. Table 1 is for Fail2Ban: when it finds an IP it doesn't like, it adds the IP to that table for a while. Table 2 is for Spamhaus's DROP list, a list of known professional spam systems (see their website for details).
You can add IPs to a table manually with this command:

```
ipfw table 2 add
```
On my servers Table 2 is populated automatically at start-up by a script, `/usr/local/etc/rc.d/spamhaus-drop`, as follows:

```csh
#!/bin/csh
# Fetch the Spamhaus DROP list (only if it changed since the local copy)
fetch -i /tmp/drop.lasso -o /tmp/drop.lasso "http://www.spamhaus.org/drop/drop.lasso"
# Strip the "; SBLnnn" comments, leaving one network per line
sed -i '' "s/;.*//" /tmp/drop.lasso
# Rebuild table 2 from scratch
ipfw table 2 flush
foreach IP ( `cat /tmp/drop.lasso` )
    ipfw table 2 add $IP
end
```
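A download like the DROP list is untrusted input that ends up as arguments to `ipfw`, so it is worth checking each line before loading it. The POSIX sh below is an added example, not the poster's script: it strips the `;` comments as above, keeps only lines that parse as an IPv4 CIDR, and prints the `ipfw table` commands for review before they are applied. The table number 2 and the DROP file format ("network ; SBLnnn" per line) are taken from the post; the sample data is constructed.

```shell
#!/bin/sh
# Added example: validate a DROP-style list before loading it into an ipfw table.

# Read the list on stdin, drop ';' comments and surrounding whitespace, and
# keep only lines shaped like an IPv4 CIDR (a.b.c.d/n, octets <= 255, n <= 32).
# Anything else (a truncated download, an HTML error page, a stray line) is
# silently discarded rather than passed to ipfw.
drop_list_to_cidrs() {
    sed -e 's/;.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    awk -F'[./]' '
        NF == 5 {
            ok = 1
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
            if ($5 !~ /^[0-9]+$/ || $5 > 32) ok = 0
            if (ok) print $0
        }'
}

# Emit the ipfw commands that rebuild table $1 from the list on stdin.
# Pipe the output to sh to apply it; printing first lets you review it.
ipfw_table_commands() {
    echo "ipfw table $1 flush"
    drop_list_to_cidrs | while read -r cidr; do
        echo "ipfw table $1 add $cidr"
    done
}

# Constructed sample in DROP format (documentation ranges, not real Spamhaus data).
SAMPLE_DROP=$(cat <<'EOF'
; Spamhaus DROP List - constructed sample for this example
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.999/24 ; malformed octet, must be rejected
not-an-address ; must be rejected
EOF
)

printf '%s\n' "$SAMPLE_DROP" | ipfw_table_commands 2
```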
I highly encourage you to write your own script to configure your firewall. It's pretty easy in FreeBSD with ipfw, and I wouldn't bother with a GUI (I know that sounds hard when it's all new, but the basics are easier than you think).
My configuration script is in `/etc/ipfw.rules` and goes like this:

```sh
#!/bin/sh
#FOR KEAIRA - The computer this script was customized for.
ipfw -q -f flush # Delete all rules
cmd="ipfw add"
# Ban tables
$cmd 00030 deny ip from "table(1)" to me
$cmd 00031 deny ip from "table(2)" to me
# Stateful firewall config, more secure
$cmd 00060 check-state
# Allow outbound traffic
$cmd 00130 allow ip from me to any keep-state
# SSH - I have SSH on port 2222 to keep the script kiddies out.
$cmd 11020 allow tcp from any to me dst-port 2222 setup keep-state
# DNS
$cmd 11090 allow tcp from any to me domain setup keep-state
$cmd 11092 allow udp from any to me domain
# NTP
$cmd 11100 allow tcp from any to me ntp setup keep-state
$cmd 11101 allow udp from any to me ntp
# General Network - ICMP & IGMP
$cmd 61001 allow icmp from any to any
$cmd 61002 allow igmp from any to any
# Deny the rest
$cmd 65500 deny ip from any to any
```
This server is running SSH (on an alternate port), DNS, and NTP (time). The rest is just generic stuff I put in all of my firewall scripts. If you have other services you need to open, just let me know and I'll customize the example. Most service names you can get from `/etc/services` though, which makes writing these very easy. It's not strictly necessary for each rule to have a different number, but it makes managing them easier. Rules are processed in order by number, but otherwise there's no significance to the numbers.
This script is "activated" by putting these lines in `/etc/rc.conf`:

```sh
firewall_enable="YES" # Firewall On
firewall_script="/etc/ipfw.rules" # Firewall Script
```

Setting up Fail2Ban is a bit more work, but it's pretty straightforward too. If you want more details on that, just ask.
Best Answer
No, in OpenBSD 4.6, PF has no divert-like feature.
But good news: divert for PF will be included in OpenBSD 4.7.
See http://www.mail-archive.com/source-changes@openbsd.org/msg11694.html for details. You could try it with the OpenBSD -current branch / snapshots.