====== IpFw ======

Simple but nice firewall.
[[http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO | Good Reading]]

==== How to create forward for port ====

Rule below forward request to 5111 to port 232
<code bash>
ipfw add fwd localhost,5111 tcp from any to any 232 via en0
</code>

==== Diverting port using snort ====
Rule below will divert the traffic from one port to another.\
<code bash>
ipfw add 0010 divert 8080 tcp from any to any 80
</code>
NOTE : sysctl net.link.ether.bridge_ipfw=1   (this value enable the snort)
==== Common Attack Prevention ====

**# XMAS tree**
<code bash>
ipfw add 00011 deny log tcp from any to any in tcpflags fin,psh,urg recv em0
</code>
**# NULL scan (no flag set at all)**
<code bash>
ipfw add 00012 deny log tcp from any to any in tcpflags !fin,!syn,!rst,!psh,!ack,!urg recv em0
</code>
**# SYN flood (SYN,FIN)**
<code bash>
ipfw add 00013 deny log tcp from any to any in tcpflags syn,fin recv em0
</code>
**# Stealth FIN scan (FIN,RST)**
<code bash>
ipfw add 00014 deny log tcp from any to any in tcpflags fin,rst recv em0
</code>
**# forced packet routing**
<code bash>
ipfw add 00015 deny log ip from any to any in ipoptions ssrr,lsrr,rr,ts recv em0
</code>
**# ACK scan (ACK,RST)**
<code bash>
ipfw add 00016 deny log tcp from any to any in tcpflags ack,rst recv em0
</code>
**#deny fragments as bogus packets**
<code bash>
ipfw add 00017 deny log all from any to any frag in via em0
</code>