Sun Dublan
Troy's Notes for a FreeBSD Firewall 

Here are some notes on what to do to a stock install of FreeBSD 4.x to turn it into a firewall (bridging or natting) with an ntp server:

kernel options

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPFIREWALL_DEFAULT_TO_ACCEPT

## for natting:
options IPDIVERT # works with firewall, but not with bridge

## for bridging:
options BRIDGE   # doesn't work with NAT, but works with firewall

rc.conf

gateway_enable="YES"

firewall_enable="YES"
firewall_type="Simple"
firewall_quiet="NO"

## for natting:
#natd_enable="YES"
#natd_interface="fxp0" # outside interface
#natd_flags=""
#natd_flags="-u"       # unregistered only

ntpdate_enable="YES"
ntpdate_program="ntpdate"
ntpdate_flags="time.nist.gov"

xntpd_enable="YES"
xntpd_flags="-c /etc/ntp/conf -p /var/run/ntpd.pid"

/etc/sysctl.conf

## if bridge, add these to sysctl.conf
# net.link.ether.bridge=1
# net.link.ether.bridge_cfg=fxp0,fxp1
# net.link.ether.bridge_ipfw=1  # for ipfw to pay attention

/etc/ntp/conf

# default deny all packets
restrict default ignore
# allow packets from 127.0.0.1
restrict 127.0.0.1
## add allowed ntp clients like this:
#restrict x.x.x.x mask 255.255.255.0

driftfile /etc/ntp/drift
server tick.cs.unlv.edu
server tick.usno.navy.mil
server time-a.timefreq.bldrdoc.gov
server time.nist.gov

Then:

# echo 0 > /etc/ntp/drift
-and-
edit and customize the Simple section of /etc/rc.firewall (the ruleset selected by firewall_type="Simple" above)
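As an added example, not part of Troy's notes, here is a small Python checker that reads the contents of the kernel config, rc.conf and sysctl.conf and flags the combinations the notes warn about: natd together with bridging, natd without IPDIVERT, and bridge sysctls without BRIDGE or without bridge_ipfw=1. The three sample inputs are constructed (a bridge build where natd was left enabled).

```python
import re

# Constructed sample inputs (not from the notes): a bridge build where natd was left on.
KERNEL_CONF = """options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options BRIDGE
"""
RC_CONF = """gateway_enable="YES"
firewall_enable="YES"
firewall_type="Simple"
natd_enable="YES"
natd_interface="fxp0"   # outside interface
"""
SYSCTL_CONF = """net.link.ether.bridge=1
net.link.ether.bridge_cfg=fxp0,fxp1
net.link.ether.bridge_ipfw=1
"""

def kernel_options(text):
    """Names from uncommented 'options NAME[=value]' lines of a kernel config."""
    return {m.group(1) for m in re.finditer(r'^\s*options\s+(\w+)', text, re.M)}

def kv_settings(text):
    """Uncommented key=value lines (rc.conf / sysctl.conf) as a dict, quotes stripped."""
    out = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()   # '#natd_enable=...' counts as off
        if '=' in line:
            key, val = line.split('=', 1)
            out[key.strip()] = val.strip().strip('"')
    return out

def check_firewall_config(kernel, rc, sysctl):
    """Return the inconsistencies between kernel config, rc.conf and sysctl.conf."""
    opts, rc_kv, sc_kv = kernel_options(kernel), kv_settings(rc), kv_settings(sysctl)
    natting = rc_kv.get('natd_enable', 'NO').upper() == 'YES'
    bridging = sc_kv.get('net.link.ether.bridge') == '1'
    problems = []
    if 'IPFIREWALL' not in opts:
        problems.append('kernel config lacks options IPFIREWALL')
    if natting and bridging:
        problems.append('natd and bridging both enabled: IPDIVERT does not work with BRIDGE')
    if natting and 'IPDIVERT' not in opts:
        problems.append('natd_enable=YES but kernel config lacks options IPDIVERT')
    if bridging and 'BRIDGE' not in opts:
        problems.append('bridge sysctls set but kernel config lacks options BRIDGE')
    if bridging and sc_kv.get('net.link.ether.bridge_ipfw') != '1':
        problems.append('bridging without net.link.ether.bridge_ipfw=1: ipfw never sees bridged frames')
    return problems
```

To audit a real host, pass it the contents of your kernel config file, /etc/rc.conf and /etc/sysctl.conf; an empty list means the three agree with the notes.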
4/4/2003 Webmaster: Troy Bowman