easy Firewall setup
krad
kraduk at gmail.com
Tue Apr 26 09:23:45 UTC 2011
On 26 April 2011 08:52, Polytropon <freebsd at edvax.de> wrote:
> On Mon, 25 Apr 2011 21:34:41 -0500, Antonio Olivares <
> olivares14031 at gmail.com> wrote:
> > Thanks for sharing this. I have a base FreeBSD 8.2 system on one
> > machine and I would like to set up a firewall that allows me to visit
> > websites and not allow incoming traffic. Something easy to set up and
> > start like
> > /etc/local/rc.d/rc.pf start
> > or similar. A nice example which I can change some things in, like the name of
> > the network device, i.e., nv0, or a similar device.
> >
> > I will try further reading and try to set something up as I am afraid
> > to screw things up.
>
> You can easily do this with IPFW (from the base system)
>
> Step 1: Create a file /etc/ipfw.conf which will contain
> your firewall rules. Depending on what you need, try out
> something like this:
>
> -f flush
> add allow ip from any to any via lo0
> add check-state
> add allow ip from any to any out xmit xl0 keep-state
> add allow tcp from any to any ftp in recv xl0
> add allow tcp from any to any ssh in recv xl0
> add deny ip from any to any
>
> Of course you'll have to replace xl0 with the correct
> device name; "ifconfig -a" will surely tell you.
>
> Please see that this is just an excerpt of an example.
> In this case, FTP and SSH should be allowed for incoming,
> everything else will be denied. If you do not want to use
> FTP - nobody seriously wants that :-) - do not enable it.
> The reference for SSH also goes to the default port, maybe
> you want to choose a different one.
>
> Step 2: Edit /etc/rc.conf to contain the following lines:
>
> firewall_enable="YES"
> firewall_type="/etc/ipfw.conf"
>
> Step 3: Start (or restart) the firewall:
>
> # /etc/rc.d/ipfw start
>
> See the information contained in "man ipfw"; it's "strong
> tobacco", but it provides very good knowledge about how to
> properly configure the firewall, containing examples that
> you can use to form your own rules, like "allow anything
> from inside to outside, but deny any requests coming from
> outside".
>
> --
> Polytropon
> Magdeburg, Germany
> Happy FreeBSD user since 4.0
> Andra moi ennepe, Mousa, ...
>
If you are new to firewalls and don't want to use something like pfSense, I
would stay away from ipfw (wait for flames 8) ). This is not for any
technical reason, as it is a perfectly good and well-featured firewall. It is,
however, in my experience from a few years ago a little trickier to get the
rule orderings correct when you are NATting things. Therefore I would advise
you to use pf. Here is a simple starter ruleset to get you going.
It provides no external access, but you can easily uncomment the bits to
allow things through. Just drop it into /etc/pf.conf and run
printf 'pf_enable="YES"\npflog_enable="YES"\n' >> /etc/rc.conf.local
/etc/rc.d/pf start
/etc/rc.d/pflog start
ruleset
----------------------
ext_if=xl0
int_if=xl1
#table <sshhosts> const { 1.1.1.1, 2.2.2.2 }
table <internal_nets> const { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 }
# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 800000, adaptive.end 1200000 }
set limit { states 1000000, frags 50000, src-nodes 300000 }
#set loginterface none
set optimization normal
set block-policy drop
set state-policy if-bound
set skip on lo0
#set skip on $vpn_ints
set require-order yes
set fingerprints "/etc/pf.os"
set skip on lo0
set skip on $int_if
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub all random-id fragment reassemble
nat on $ext_if from <internal_nets> to any -> ($ext_if)
# dump everything by default
block log on $ext_if all
# uncomment this to allow ssh through
# let ssh work and let those ppl ping me
#block in on $ext_if proto tcp from any to any port ssh
#pass in quick on $ext_if proto tcp from <sshhosts> to any port ssh keep state
#pass in quick on $ext_if inet proto icmp from <sshhosts> to any icmp-type echoreq keep state
#pass out quick on $ext_if proto tcp from any to any port ssh keep state
pass out on $ext_if from any to any keep state
-------------------
PS: I have ripped this out of my existing rule set, so it's possible typos
have crept in.
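As an added example (not krad's ruleset above and not Polytropon's IPFW rules), here is the single-interface case Antonio actually asked for: browsing out, nothing accepted in. It assumes the interface is nv0 as named in his question, that the host does no NAT, and IPv4 only.

```pf
# Added example for a single-NIC host: outbound web works, no inbound is accepted.
# Assumes the interface is nv0 (from the question); confirm with "ifconfig -a".
ext_if = "nv0"

set skip on lo0            # never filter loopback
set block-policy drop      # drop silently rather than answer with RST/unreachable
scrub in all               # reassemble fragments before they reach the stack

# Default policy: block and log everything in both directions on every interface.
block log all

# Pass out only what a web client needs. Replies are matched by the state
# entries these rules create, so no inbound "pass" rule is needed for browsing.
pass out on $ext_if inet proto tcp from ($ext_if) to any port { 80, 443 } flags S/SA keep state
pass out on $ext_if inet proto { udp, tcp } from ($ext_if) to any port 53 keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any icmp-type echoreq keep state

# Checks (as root):
#   pfctl -nf /etc/pf.conf          parse only; reports syntax errors without loading
#   pfctl -f /etc/pf.conf           load the ruleset
#   pfctl -sr                       show the loaded rules; "pfctl -ss" shows the state table
#   tcpdump -n -e -ttt -i pflog0    watch what the "block log" rule is dropping
```

Anything not listed in the pass rules (IPv6, mail, NTP, and so on) is dropped and shows up on pflog0, which is the quickest way to see what else a machine needs before opening it.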