Tip of the Trade: m0n0wall

Written by Carla Schroder
Jul 20, 2010
Ed. Note: This article has been revised to correct information about M0n0wall’s relation to OpenBSD PF.

Packet filtering need not be complicated. For both power and ease of use, consider a BSD-based packet filter such as ipfilter. Coupled with m0n0wall, a specialized implementation of FreeBSD + ipfilter designed for routers and firewalls, it is even easier to use.

Iptables usually gloms all the glory, since it is the packet filter included in the Linux kernel. But there is an alternative worth considering that is at least equally powerful and easier to use: ipfilter. ipfilter runs on most Unix variants, and the easiest way to get acquainted with it is by running m0n0wall.

m0n0wall is a specialized implementation of FreeBSD designed for routers and firewalls. It weighs in at well under 10 megabytes, but you still get a complete operating system, firewall, Web administration, traffic shaping, DNS server, DHCP server, SNMP, support for DynDNS updates and a whole lot more. m0n0wall offers a nice pointy-clicky interface for setting up a stout ipfilter firewall. For ultimate power, however, you really want to know how to write rules from scratch.

ipfilter rule syntax is not like iptables rules, which look like they came from the mind of a demented programmer. Instead, it is closer to natural language. This example shows unrestricted rules for the loopback (lo0) interface:

pass in quick on lo0 all
pass out quick on lo0 all

A default deny inbound policy looks like this:

block in all

But ipfilter won’t stop here; it keeps parsing all the rules that follow this one, and the last rule that matches is the one that takes effect. So what if you want to block all incoming traffic, with no exceptions and no later rule able to override it? Use the quick keyword:

block in quick all

The quick keyword is a mighty tool, and one that is better used as specifically as possible. For example, you can block all traffic from a particular host or network, and allow all the rest:

block in quick from 207.46.232.182/28 to any
pass  in all

This allows inbound traffic for a Web server:

pass  in on $ext_if inet proto tcp from any to $webserver port = 80 keep state

This allows all inbound ICMP:

pass in inet proto icmp all icmp-type $icmp_types keep state

See the IPF Howto manual to learn how to write your own ipfilter rules.
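To make the last-match and quick behaviour described above concrete, here is an added example (not code from the article, ipfilter or m0n0wall): a toy Python evaluator for the rule syntax shown, run over the article's rules. The values of $ext_if and $webserver, and the packets it is fed, are assumptions constructed for the example.

```python
import ipaddress

# Added illustration, not ipfilter/m0n0wall code: a toy evaluator for the
# article's rule syntax. Macro values and packets are constructed here.
MACROS = {"$ext_if": "em0", "$webserver": "192.0.2.10"}

def parse_rule(text):
    """Parse one rule into match criteria; words not modelled here are ignored."""
    toks = [MACROS.get(t, t) for t in text.split()]
    rule = {"action": toks[0], "dir": toks[1], "quick": "quick" in toks,
            "iface": None, "proto": None, "src": None, "dst": None, "dport": None}
    it = iter(toks[2:])
    for t in it:
        if t == "on":
            rule["iface"] = next(it)
        elif t == "proto":
            rule["proto"] = next(it)
        elif t == "from":
            rule["src"] = next(it)
        elif t == "to":
            rule["dst"] = next(it)
        elif t == "port":            # only the "port = N" form is handled
            next(it)                 # skip the "="
            rule["dport"] = int(next(it))
    return rule

def addr_match(spec, addr):
    """None or 'any' matches everything; otherwise do a CIDR membership test."""
    return spec in (None, "any") or \
        ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    return (rule["dir"] == pkt["dir"] and rule["iface"] in (None, pkt["iface"])
            and rule["proto"] in (None, pkt["proto"])
            and addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])
            and rule["dport"] in (None, pkt.get("dport")))

def evaluate(rule_texts, pkt):
    """ipfilter semantics: the LAST matching rule decides, unless a match says quick."""
    verdict = "pass"   # ipfilter passes a packet no rule matches; hence "block in all"
    for rule in map(parse_rule, rule_texts):
        if matches(rule, pkt):
            verdict = rule["action"]
            if rule["quick"]:
                break                # quick: stop evaluating right here
    return verdict

# The article's rules combined: quick block of one network, default deny, web pass.
RULES = ["block in quick from 207.46.232.182/28 to any",
         "block in all",
         "pass in on $ext_if inet proto tcp from any to $webserver port = 80 keep state"]
```

Feeding evaluate() a packet to port 80 from an ordinary address returns "pass" because the web rule is the last match, while a packet from inside 207.46.232.176/28 is blocked by the quick rule before the pass rule is ever reached.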


This article was originally published on Jan 14, 2008

Carla Schroder is a ServerWatch contributor.