easy Firewall setup

krad kraduk at gmail.com
Tue Apr 26 09:23:45 UTC 2011

On 26 April 2011 08:52, Polytropon <freebsd at edvax.de> wrote:

> On Mon, 25 Apr 2011 21:34:41 -0500, Antonio Olivares <
> olivares14031 at gmail.com> wrote:
> > Thanks for sharing this.  I have a base FreeBSD 8.2 system on one
> > machine and I would like to setup a firewall that allows me to visit
> > websites and not allow incoming traffic.  Something easy to set up and
> > start like
> > /etc/local/rc.d/rc.pf start
> > or similar.  A nice example which I can change somethings like name of
> > network device, i.e, nv0, or similar device.
> >
> > I will try further reading and try to set something up as I am afraid
> > to screw things up.
> You can easily do this with IPFW (from the base system)
> Step 1: Create a file /etc/ipfw.conf which will contain
> your firewall rules. Depending on what you need, try out
> something like this:
>        -f flush
>        add allow ip  from any to any
>        add allow tcp from any to any ftp in recv xl0
>        add allow tcp from any to any ssh in recv xl0
>        add deny  ip  from any to any
> Of course you'll have to replace xl0 with the correct
> device name; "ifconfig -a" will surely tell you.
> Please see that this is just an excerpt of an example.
> In this case, FTP and SSH should be allowed for incoming,
> everything else will be denied. If you do not want to use
> FTP - nobody seriously wants that :-) - do not enable it.
> The reference for SSH also goes to the default port, maybe
> you want to choose a different one.
> Step 2: Edit /etc/rc.conf to contain the following lines:
>        firewall_enable="YES"
>        firewall_type="/etc/ipfw.conf"
> Step 3: Start (or restart) the firewall:
>        # /etc/rc.d/ipfw start
> See the information contained in "man ipfw"; it's "strong
> tobacco", but it provides very good knowledge about how to
> properly configure the firewall, containing examples that
> you can use for form your own rules, like "allow anything
> from inside to outside, but deny any requests coming from
> outside".
> --
> Polytropon
> Magdeburg, Germany
> Happy FreeBSD user since 4.0
> Andra moi ennepe, Mousa, ...
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe at freebsd.org"

If you are new to firewalls and dont want to use something like pfsense, i
would stay away from ipfw (wait for flames 8) ) . This is not for any
technical reason as it is a perfectly good and well featured firewall. It is
however in my experience from a few years ago a little trickier to get the
rule orderings correct when you are natting things. Therefore I would advise
you use pf. Here is a simple starter ruleset to get you going.
Is provides no external access but you can easily uncomment the bits to
allow things through. Just drop it into /etc/pf.conf and run

echo -en "pf_enable=yes\npflog_enable=yes" >> /etc/rc.conf.local
/etc/rc.d/pf start
/etc/rc.d/pflog start

#table <sshhosts> const {, }
table <internal_nets> const {,, }

# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 800000, adaptive.end 1200000 }
set limit { states 1000000, frags 50000, src-nodes 300000 }
#set loginterface none
set optimization normal
set block-policy drop
set state-policy if-bound
set skip on lo0
#set skip on $vpn_ints

set require-order yes
set fingerprints "/etc/pf.os"

set skip on lo0
set skip on $int_if

# Normalization: reassemble fragments and resolve or reduce traffic
scrub all random-id fragment reassemble

nat on $ext_if from <internal_nets> to any -> ($ext_if)

# dump everything by default
block log on $ext_if all

# uncomment this to allow ssh through
# let ssh work and let those ppl ping me
#block in on  $ext_if proto tcp from any to any port ssh
#pass in quick on  $ext_if proto tcp from <sshhosts> to any port ssh keep
#pass in quick on  $ext_if inet proto icmp from <sshhosts> to any icmp-type
echoreq keep state
#pass out quick on  $ext_if proto tcp from any to any port ssh keep state

pass out on  $ext_if from any to any keep state

ps i have ripped this out of my existing rule set so its possible typos
have crept in

More information about the freebsd-questions mailing list