FreeBSD firewall configuration

Polytropon freebsd at edvax.de
Mon Apr 10 19:37:58 UTC 2017


Re-including list, hope that's okay.

On Mon, 10 Apr 2017 09:34:16 +0200, Miha Smrekar wrote:
> OK, with that rule I have successfully connected to my computer through
> PUTTY on SSH connection on 1024 port. I've done the same with ports 80 and
> 443.

Excellent. It all follows the same idea.



> Will those 3 rules be enough to block all the traffic on other ports, or do
> I have to block all other ports?

Depending on the firewall's configuration - "default to accept"
or "default to deny", you're probably safe when you explicitly
block everything first, and then define what you intentionally want
to allow.

For example:

	ext_if="xl0"
	block all
	pass in quick on $ext_if inet proto tcp from any to $ext_if port 1024 keep state
	pass in quick on $ext_if inet proto tcp from any to $ext_if port 443 keep state
	pass in quick on $ext_if inet proto tcp from any to $ext_if port 80 keep state

This is what your configuration probably will look like.



> Can you also help me with the rule to forward incoming trafic to other
> interface?

You first need to put

	net.inet.ip.forwarding=1

into /etc/sysctl.conf and make this change active (read: reboot or
manually call "service sysctl restart").

Additionally, add

	gateway_enable="YES" 

to /etc/rc.conf.

Now you can do something like this in your pf.conf:

	ext_if="xl0"
	int_if="fxp0"
	# "port" only applies to TCP/UDP, so the protocol has to be named
	pass in on $ext_if inet proto tcp from $ext_if:network to $int_if:network port 1024 keep state
	pass out on $int_if inet proto tcp from $ext_if:network to $int_if:network port 1024 keep state

This for example would forward port 1024 traffic from the external
interface to the internal one. It's easy to define which one is which
using variables like ext_if and int_if for the actual network
interfaces (see "ifconfig -a" to check).

I also recommend this article for more inspiration:

https://home.nuug.no/~peter/pf/en/long-firewall.html

This is where I constructed the example from. ;-)




-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
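The two pieces of the reply above (a default-deny ruleset for SSH on port 1024, HTTPS and HTTP, and the gateway setup for routing between the external and internal interfaces) put together as one script. This is an added example, not Polytropon's code and not taken from the linked article; the interface names xl0/fxp0 and port 1024 come from the thread, while the helper names (`pf_ruleset`, `check_ruleset`, `enable_gateway`) and the use of `sysrc`, `sysctl` and `pfctl -nf -` to apply and syntax-check the configuration are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: build a default-deny pf
# ruleset, check its syntax with pfctl, and optionally enable gateway mode.
set -eu

# Print a complete pf.conf.  Arguments: external interface, internal
# interface, SSH port.  The ruleset is printed rather than written, so it
# can be reviewed or piped into "pfctl -nf -" before anything is loaded.
pf_ruleset() {
    ext_if="$1"    # external interface, e.g. xl0
    int_if="$2"    # internal interface, e.g. fxp0
    ssh_port="$3"  # non-standard SSH port from the thread, 1024
    cat <<EOF
# Options must come before filter rules; skip filtering on loopback.
set skip on lo0

ext_if="$ext_if"
int_if="$int_if"
ssh_port="$ssh_port"

# Deny everything first; only what is explicitly passed below gets through.
block all

# Inbound services on the external interface: SSH, HTTPS, HTTP.
pass in quick on \$ext_if inet proto tcp from any to \$ext_if port { \$ssh_port, 443, 80 } keep state

# Let the firewall host itself reach out (DNS, package updates, ...).
pass out quick on \$ext_if inet keep state

# Gateway: allow SSH on \$ssh_port to be routed from the external network into
# the internal one.  Requires net.inet.ip.forwarding=1 (gateway_enable="YES").
pass in quick on \$ext_if inet proto tcp from \$ext_if:network to \$int_if:network port \$ssh_port keep state
pass out quick on \$int_if inet proto tcp from \$ext_if:network to \$int_if:network port \$ssh_port keep state
EOF
}

# Parse the ruleset without loading it ("-n"), reading from stdin ("-f -").
# On a machine without pfctl the ruleset is only printed.
check_ruleset() {
    if command -v pfctl >/dev/null 2>&1; then
        pf_ruleset "$@" | pfctl -nf -
    else
        echo "pfctl not found; printing ruleset without checking it" >&2
        pf_ruleset "$@"
    fi
}

# Enable routing between interfaces, persistently (rc.conf) and immediately
# (sysctl).  Only meaningful on the FreeBSD box itself, so it is opt-in.
enable_gateway() {
    command -v sysrc >/dev/null 2>&1 || { echo "sysrc not found; skipping" >&2; return 0; }
    sysrc gateway_enable="YES"
    sysctl net.inet.ip.forwarding=1
}

# Usage: ./pf-setup.sh          -> print/check the ruleset
#        ./pf-setup.sh apply    -> also turn on gateway mode
check_ruleset xl0 fxp0 1024
if [ "${1:-}" = "apply" ]; then
    enable_gateway
fi
```

Because `block all` comes first, adding a new service later means adding one more `pass in quick` line; anything not listed stays blocked, which answers the question in the thread about whether the other ports must be blocked individually.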

