Guide On How To Enable The Firewall On FreeBSD

Published 2017-08-04T09:39:47+00:00

A Step By Step Guide On How To Enable And Configure The Firewall On FreeBSD
This is a straightforward procedure. The only pitfall I can think of is locking yourself out of the system, which is a real “bugger”, especially on a system 300 miles away with no way to reach it other than SSH. So, to be on the safe side, add some IP addresses that should always be allowed through the firewall before starting it up. First things first: to make sure the firewall starts at boot time, add the following lines to /etc/rc.conf.

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

Next, create the “control files” that will be used for whitelisting and blacklisting. You can live without them, but they make access control a lot smoother.

touch /etc/pf_hosts_any_port /etc/pf_hosts_ssh_port /etc/pf_hosts_www_port /etc/pf_hosts_ftp_port /etc/pf_hosts_bad

Now get the name of the current network card (this pulls the interface name out of the ifconfig_<name> line in rc.conf):

grep "ifconfig" /etc/rc.conf | awk -F'[_=]' '{print $2}'

Next, create the firewall configuration file. The example below is a typical starter configuration for a web server.

vi /etc/pf.conf

Change the following to match your setup: “xn0” should be your actual network card, ssh_service should match the port you configured in /etc/ssh/sshd_config, and the FTP port range should match the passive range you want to use with your FTP server, if you intend to install one. With that in mind, here is a simple pf configuration file.

ext_if="xn0"
icmp_types="echoreq"

# Options must come before normalization (scrub), and both before the
# filter rules, otherwise pfctl refuses to load the file.
set skip on lo0
scrub in on $ext_if all fragment reassemble

block log all
antispoof for $ext_if
block in quick from urpf-failed

#
# Simple PF Ruleset By Allan Christensen Last Modified 31-05-2014
#

ssh_service = 22

#
# Tables Trusted Hosts
# (The table names in angle brackets were lost when this page was captured;
# the names used here are reconstructed from the file names and can be
# renamed freely as long as they stay consistent throughout the file.)
#

table <hosts_any_port> persist file "/etc/pf_hosts_any_port"
table <hosts_ssh_port> persist file "/etc/pf_hosts_ssh_port"
table <hosts_www_port> persist file "/etc/pf_hosts_www_port"
table <hosts_ftp_port> persist file "/etc/pf_hosts_ftp_port"

pass in quick on $ext_if from <hosts_any_port> to any
pass in quick on $ext_if proto tcp from <hosts_ssh_port> to $ext_if port $ssh_service
pass in quick on $ext_if proto tcp from <hosts_www_port> to $ext_if port http

#
# Tables Bad Hosts
# (<www_abusers> and <ssh_abusers> are filled automatically by the
# "overload" clauses below; their names are likewise reconstructed.)
#

table <hosts_bad> persist file "/etc/pf_hosts_bad"
table <www_abusers> persist
table <ssh_abusers> persist

block in quick from <hosts_bad>
block in quick proto tcp from <www_abusers> to $ext_if port http
block in quick proto tcp from <ssh_abusers> to $ext_if port $ssh_service

#
# Block Probes That May Reveal Our OS
#

block in log quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in log quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in log quick on $ext_if proto tcp flags /WEUAPRSF
block in log quick on $ext_if proto tcp flags SR/SR
block in log quick on $ext_if proto tcp flags SF/SF

#
# Incoming Traffic
#

# TCP
pass in proto tcp to $ext_if port http synproxy state (source-track rule, max-src-states 64, max-src-conn 30, max-src-conn-rate 10/5, overload <www_abusers> flush global)
pass in proto tcp to $ext_if port $ssh_service keep state (max-src-conn 5, max-src-conn-rate 5/3, overload <ssh_abusers> flush global)

# FTP
pass in on $ext_if proto tcp from <hosts_ftp_port> to $ext_if port ftp
pass in on $ext_if proto tcp from <hosts_ftp_port> to $ext_if port 40000:40200
pass out proto tcp from $ext_if to <hosts_ftp_port> port ftp

# ICMP
pass in quick on $ext_if inet proto icmp from any to $ext_if icmp-type $icmp_types

#
# Outgoing Traffic
#

# TCP
pass out quick on $ext_if inet proto tcp from $ext_if to any port smtp
pass out quick on $ext_if inet proto tcp from $ext_if to any port domain
pass out quick on $ext_if inet proto tcp from $ext_if to any port http
pass out quick on $ext_if inet proto tcp from $ext_if to any port https
pass out quick on $ext_if inet proto tcp from $ext_if to any port $ssh_service

# UDP
pass out quick on $ext_if inet proto udp from $ext_if to any port domain
pass out quick on $ext_if inet proto udp from $ext_if to any port ntp

# ICMP
pass out quick on $ext_if inet proto icmp from $ext_if to any

pass out keep state

Now we could fire up the firewall (“OK, that was a terrible joke, I know”). But if anything goes wrong you may not be able to log in, so before starting the firewall make sure your IP address is whitelisted. Add it to /etc/pf_hosts_any_port or, to be a bit more conservative, to /etc/pf_hosts_ssh_port; the format is one IP address per line. Once you are ready, let's fire up this baby.

/etc/rc.d/pf start
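The lockout risk above is worth guarding against with more than a manual check. The script below is an added example, not part of the original guide: it validates the entries in the whitelist files (a malformed line makes pfctl reject the whole table), syntax-checks /etc/pf.conf with pfctl -n before loading it, and then arms a timer that disables pf again unless the admin confirms within a couple of minutes that the SSH session still works. Paths follow the guide's layout; the rollback pid file and the ROLLBACK_SECS default are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original guide): safe way to bring up the
# ruleset on a remote box. Only functions are defined here; nothing touches
# pf until load_with_rollback is called by the admin.

PF_CONF="${PF_CONF:-/etc/pf.conf}"            # guide's config path
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"         # example default, adjust to taste
ROLLBACK_PID="/var/run/pf_rollback.pid"       # pid file chosen for this example

# is_ipv4_or_cidr ADDR: 0 if ADDR is a dotted-quad IPv4 address with an
# optional /prefix (the format pf accepts in a "table ... file" file), else 1.
is_ipv4_or_cidr() {
    addr="$1"
    case "$addr" in
        */*) ip="${addr%/*}"; prefix="${addr#*/}" ;;
        *)   ip="$addr";      prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.
    set -- $ip                                # split on dots
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_host_file FILE: report every non-blank, non-comment line that is not
# a valid address. Prints the number of bad lines to stdout, details to
# stderr; exit status is 0 only when the file is clean.
check_host_file() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"                   # drop trailing "# comment"
        entry="$(printf '%s' "$entry" | tr -d '[:space:]')"
        [ -z "$entry" ] && continue
        if ! is_ipv4_or_cidr "$entry"; then
            printf 'bad entry in %s: %s\n' "$1" "$line" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    printf '%s\n' "$bad"
    [ "$bad" -eq 0 ]
}

# load_with_rollback: validate the whitelists, parse-check the ruleset,
# load and enable it, then schedule "pfctl -d" unless confirm_ruleset runs.
load_with_rollback() {
    for f in /etc/pf_hosts_any_port /etc/pf_hosts_ssh_port; do
        check_host_file "$f" >/dev/null || { echo "fix $f first" >&2; return 1; }
    done
    pfctl -nf "$PF_CONF" || return 1          # -n: parse only, load nothing
    pfctl -f "$PF_CONF" || return 1
    pfctl -e 2>/dev/null                      # harmless if already enabled
    ( sleep "$ROLLBACK_SECS" && pfctl -d ) &  # dead-man timer
    echo $! > "$ROLLBACK_PID"
    echo "pf is up; run confirm_ruleset within ${ROLLBACK_SECS}s or it is disabled"
}

# confirm_ruleset: the admin still has a working session, cancel the timer.
confirm_ruleset() {
    [ -f "$ROLLBACK_PID" ] || return 1
    kill "$(cat "$ROLLBACK_PID")" 2>/dev/null
    rm -f "$ROLLBACK_PID"
}
```

Source the file with `. ./pf_safe_load.sh` from the SSH session, run load_with_rollback, open a second SSH connection to prove the whitelist works, and only then run confirm_ruleset. If the second connection hangs, do nothing: the timer disables pf and the first session stays usable.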

And we are done here.

Spell checkers don’t – Grammar checkers don’t either.