Firewall for Jail

Status
Not open for further replies.

uutzinger (Dabbler, joined Nov 27, 2011, 43 messages)
In order to enable a firewall for the jail I have been experimenting with copying kernel modules to /boot/kernel on the host.
FreeNAS does not include a firewall with the host, therefore it is also not available for the jail.
FreeNAS has the ipfw command-line tool, so it would make sense to first try including ipfw as the firewall of choice.

I installed FreeBSD on a virtual machine by following the Guide: How to Build FreeNAS (Part 2: Install and Build FreeNAS).
Then I copied the missing kernel modules to the FreeNAS host (scp module to /tmp, then mount -uw /, then copy to /boot/kernel, chmod 555 module)

Those modules were:
- ipfw.ko
- ipfw_nat.ko
- libalias.ko (needed for ipfw)

The recommended way to load ipfw is the following command (you need the part after && otherwise you will lose access to your host):

kldload ipfw && ipfw -q add 65000 allow all from any to any

I have been able to load other kernel modules that I needed for the jail but ipfw so far does not work:

kldload: can't load ipfw: Exec format error

The terminal console shows:

linker_lib_elf: symbol ip_fw_ctl_ptr undefined
linker_load file: Unsupported file type

Does that mean I will need a custom build of FreeNAS or am I missing a *.ko.symbol file in /boot/kernel?

If a custom build is necessary what file/option on the FreeNAS development machine needs to be changed to include ipfw?

Urs
 

uutzinger (Dabbler, joined Nov 27, 2011, 43 messages)
There is pf.ko in /boot/kernel which is used for the BSD pf firewall. There is also the pfctl command-line tool available, but there is no /dev/pf, so it will not work as a firewall.

There is the ipfw command-line tool, but there is no ipfw.ko, and when added manually it cannot be loaded with kldload. On a regular FreeBSD machine it loads fine.

I have been trying to build FreeNAS with additional modules set in build/nano_env on the line where NANOBSD_MODULES= is defined. I have not tested the image yet but I doubt that is the right approach to enable a firewall.

I tried to compare the NanoBSD configuration of the BSD Router Project to the one of FreeNAS, but I have not yet found the options, device, add_port or WITHOUT statements that appear to be responsible for disabling the firewall.
 

uutzinger (Dabbler, joined Nov 27, 2011, 43 messages)
The following steps will enable firewall functionality in FreeNAS.
Currently there is no module in the FreeNAS GUI to manage a firewall.
You will need to use the shell to do this.

One will need a custom build of FreeNAS, following these posts from Joe Schmuck:
- Guide: How to Build FreeNAS (Part 1: Install and Build FreeNAS)
- Guide: How to Build FreeNAS (Part 2: Install and Build FreeNAS)

If you do not want to build the latest trunk and are interested in the stable version, you will need to change the command in part 2 to use the appropriate source: you can browse the source here http://support.freenas.org/browser and find the appropriate directory under branch.

Configure FreeNAS build [replace 8.2.0 with what you got after downloading the source]

Code:
ee /usr/local/freebsd/8.2.0/build/nano_env

On the line with
NANO_MODULES="cxgb ...
change it to
NANO_MODULES="libalias ipfw cxgb ...


To have FreeNAS load the kernel module at startup you need to edit rc.conf [replace 8.2.0 accordingly]

Code:
ee /usr/local/freebsd/8.2.0/nanobsd/Files/etc/rc.conf

Add the lines:
firewall_enable="YES"
firewall_type="OPEN"


If you replace "open" with "client" or "closed" you will need to use the console to access your system.

Create build with kernel and world [replace 8.2.0 accordingly]

Code:
/usr/local/freebsd/8.2.0/build/do_build.sh -f


After a successful build, my images were here: /usr/local/freebsd/8.2.0/os-base/amd64/
There are two new files in /boot/kernel/: ipfw.ko and libalias.ko. They are small and should fit into the current image size.

Those images can be installed from the GUI on your existing system or they can be used for a new install (iso).

For a GUI firmware update you will need the SHA checksum of your build:
Code:
sha256 FreeNASsomething.xz > FreeNASsomething.xz.sha


Once the firewall module is enabled on the host you can experiment with it also in the jail.

To check whether the firewall is loaded correctly you can use the following commands in the shell:

Code:
kldstat
ipfw list


The first one should list ipfw.ko and libalias.ko. The second shows the active ruleset.

By the way, ipfw can be managed from Webmin, which can be installed in the jail from the ports tree.
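The post above ends with three manual checks: that kldstat shows ipfw.ko and libalias.ko, that rc.conf enables the firewall with a known type, and that the image has a matching sha256 file. The script below wraps those checks into reusable shell functions; it is an added example for this thread, not code from the poster or the FreeNAS project. The function names, the sample kldstat output and the rc.conf fragment are constructed for illustration, and the checksum helpers use sha256(1) where it exists (FreeBSD) and fall back to sha256sum(1) elsewhere so the script can be exercised off the NAS.

```shell
#!/bin/sh
# Added example (not from the thread): post-build checks for the ipfw steps
# described above. Function names and sample data are constructed.

# Return 0 when kldstat output (on stdin) lists both ipfw.ko and libalias.ko.
# On the host:  kldstat | modules_loaded && echo ok
modules_loaded() {
    _out=$(cat)
    printf '%s\n' "$_out" | grep -q '[[:space:]]ipfw\.ko$' || return 1
    printf '%s\n' "$_out" | grep -q '[[:space:]]libalias\.ko$' || return 1
    return 0
}

# Read rc.conf text on stdin; return 0 and print the firewall_type value only
# when firewall_enable="YES" and a type is set. Anything other than OPEN means
# you need console access, as the post warns, so callers can warn on it.
# On the host:  rcconf_firewall_type < /etc/rc.conf
rcconf_firewall_type() {
    _conf=$(cat)
    printf '%s\n' "$_conf" | grep -q '^firewall_enable="YES"' || return 1
    _type=$(printf '%s\n' "$_conf" | sed -n 's/^firewall_type="\([^"]*\)".*/\1/p' | tail -n 1)
    [ -n "$_type" ] || return 1
    printf '%s\n' "$_type"
}

# Print the hex SHA-256 of a file, portably.
image_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Write the same "SHA256 (name) = hex" line that the post produces with
# "sha256 image.xz > image.xz.sha", next to the image.
write_image_sha() {
    _img=$1
    printf 'SHA256 (%s) = %s\n' "$(basename "$_img")" "$(image_sha256 "$_img")" > "$_img.sha"
}

# Verify an image against such a .sha file before uploading it to the GUI.
# Returns 0 on match, 1 on mismatch, 2 when the .sha file has no usable line.
verify_image_sha() {
    _img=$1
    _shafile=$2
    _expected=$(sed -n 's/^SHA256 (.*) = \([0-9a-f]*\)$/\1/p' "$_shafile" | head -n 1)
    [ -n "$_expected" ] || { echo "no SHA256 line in $_shafile" >&2; return 2; }
    [ "$(image_sha256 "$_img")" = "$_expected" ]
}

# Constructed sample of kldstat output after a successful build (dry run).
SAMPLE_KLDSTAT='Id Refs Address            Size     Name
 1   14 0xffffffff80100000 d5c1d0   kernel
 2    1 0xffffffff81012000 4f8a8    ipfw.ko
 3    1 0xffffffff81062000 9d60     libalias.ko'

# Constructed rc.conf fragment matching the post.
SAMPLE_RCCONF='firewall_enable="YES"
firewall_type="OPEN"'

if printf '%s\n' "$SAMPLE_KLDSTAT" | modules_loaded; then
    echo "sample kldstat: ipfw.ko and libalias.ko present"
fi
if _t=$(printf '%s\n' "$SAMPLE_RCCONF" | rcconf_firewall_type); then
    echo "sample rc.conf: firewall enabled, type $_t"
fi
```

On the NAS itself the functions are fed real output (`kldstat | modules_loaded`, `rcconf_firewall_type < /etc/rc.conf`), and `verify_image_sha` is the check to run on the copied image and its .sha file before starting the GUI firmware update, so a truncated or altered transfer is caught before it is flashed.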
 