This is a straightforward procedure. The one real pitfall is locking yourself out of the system, which is a real “bugger” if the machine is 300 miles away and SSH is your only way in. So, to be on the safe side, make sure the IP addresses that must always be able to get through the firewall are whitelisted before you start it up. First things first: to make the firewall start at boot time, add the following lines to /etc/rc.conf.
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
Next, create the “control files” that the ruleset will use for whitelisting and blacklisting. You can live without them, but they make access control a lot smoother: you add or remove an address in a file and reload the table instead of editing the ruleset. The files must exist before the ruleset is loaded, even if they are empty, because pfctl refuses to load a table whose file is missing.
touch /etc/pf_hosts_any_port /etc/pf_hosts_ssh_port /etc/pf_hosts_www_port /etc/pf_hosts_ftp_port /etc/pf_hosts_bad
Now get the name of the network interface. The snippet below pulls it out of the ifconfig_<name> line in /etc/rc.conf (ifconfig -l prints every interface the kernel knows about, if you want to cross-check).
grep ifconfig_ /etc/rc.conf | awk -F'[_=]' '{print $2}'
Next, create the firewall configuration file. The example below is a typical starter configuration for a web server.
vi /etc/pf.conf
Change the macros at the top to match your setup: “xn0” should be your actual network interface, ssh_service should match the Port directive in /etc/ssh/sshd_config, and the FTP port range (40000:40200 below) should match the passive range you configure on your FTP server, if you intend to install one. With that in mind, here is a simple pf configuration file.
#
# Simple PF Ruleset By Allan Christensen Last Modified 31-05-2014
#
# NOTE: the table names in angle brackets did not survive on this page (the
# original <name> tokens were stripped), so the names below are placeholders
# chosen to match the control files. Any names will do, as long as each
# table is spelled the same in its definition and in the rules that use it.
#
ext_if="xn0"
icmp_types="echoreq"
ssh_service = 22

#
# Options (pf.conf wants options, normalization, queueing, translation and
# filter rules in that order, so set must come before scrub and block)
#
set skip on lo0

#
# Normalization
#
scrub in on $ext_if all fragment reassemble

#
# Tables Trusted Hosts
#
table <hosts_any_port> persist file "/etc/pf_hosts_any_port"
table <hosts_ssh_port> persist file "/etc/pf_hosts_ssh_port"
table <hosts_www_port> persist file "/etc/pf_hosts_www_port"
table <hosts_ftp_port> persist file "/etc/pf_hosts_ftp_port"

#
# Tables Bad Hosts (the last two are filled by the overload rules below)
#
table <hosts_bad> persist file "/etc/pf_hosts_bad"
table <bad_ssh> persist
table <bad_www> persist

#
# Default deny, anti-spoofing
#
block log all
antispoof for $ext_if
block in quick from urpf-failed

#
# Trusted hosts bypass everything below
#
pass in quick on $ext_if from <hosts_any_port> to any
pass in quick on $ext_if proto tcp from <hosts_ssh_port> to $ext_if port $ssh_service
pass in quick on $ext_if proto tcp from <hosts_www_port> to $ext_if port http

#
# Bad hosts
#
block in quick from <hosts_bad>
block in quick proto tcp from <bad_ssh> to $ext_if port $ssh_service
block in quick proto tcp from <bad_www> to $ext_if port http

#
# Block Probes That May Reveal Our OS
#
block in log quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in log quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in log quick on $ext_if proto tcp flags /WEUAPRSF
block in log quick on $ext_if proto tcp flags SR/SR
block in log quick on $ext_if proto tcp flags SF/SF

#
# Incoming Traffic
#
# TCP
pass in proto tcp to $ext_if port http synproxy state \
    (source-track rule, max-src-states 64, max-src-conn 30, max-src-conn-rate 10/5, overload <bad_www> flush global)
pass in proto tcp to $ext_if port $ssh_service keep state \
    (max-src-conn 5, max-src-conn-rate 5/3, overload <bad_ssh> flush global)
# FTP
pass in on $ext_if proto tcp from <hosts_ftp_port> to $ext_if port ftp
pass in on $ext_if proto tcp from <hosts_ftp_port> to $ext_if port 40000:40200
pass out proto tcp from $ext_if to <hosts_ftp_port> port ftp
# ICMP
pass in quick on $ext_if inet proto icmp from any to $ext_if icmp-type $icmp_types

#
# Outgoing Traffic
#
# TCP
pass out quick on $ext_if inet proto tcp from $ext_if to any port smtp
pass out quick on $ext_if inet proto tcp from $ext_if to any port domain
pass out quick on $ext_if inet proto tcp from $ext_if to any port http
pass out quick on $ext_if inet proto tcp from $ext_if to any port https
pass out quick on $ext_if inet proto tcp from $ext_if to any port $ssh_service
# UDP
pass out quick on $ext_if inet proto udp from $ext_if to any port domain
pass out quick on $ext_if inet proto udp from $ext_if to any port ntp
# ICMP
pass out quick on $ext_if inet proto icmp from $ext_if to any
pass out keep state
Now we could fire up the firewall (“OK, that was a terrible joke, I know”), but if anything goes wrong you may not be able to log in again. So before starting it, make sure your own IP address is whitelisted. Add it to /etc/pf_hosts_any_port or, to be a bit more conservative, to /etc/pf_hosts_ssh_port; the format is one IP address per line. It is also worth running pfctl -nf /etc/pf.conf first: -n parses the ruleset and reports syntax errors without loading anything. Once you are ready, let's fire up this baby.
/etc/rc.d/pf start
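Pre-flight checks to run before that start command, as an added example that is not part of the original post. It assumes the control-file format described above (one IPv4 address or network per line; it also skips blank lines and lines starting with # as comments, which is an assumption about what pfctl's table loader tolerates), reads the address you are logged in from out of the SSH_CONNECTION variable that sshd sets, and relies on pfctl -n (parse without loading) and pfctl -d (disable pf) for the dead-man timer. The pf_safe_start function needs root on FreeBSD and is defined but not invoked; the rest runs anywhere with a POSIX sh.

```shell
#!/bin/sh
# Added example, not from the original post: refuse to start pf until the control
# files parse, warn if your own SSH client address is missing from the whitelists,
# syntax-check pf.conf, and arm a timer that turns pf back off if you get locked out.

# is_ipv4_cidr STR: succeed if STR is a.b.c.d or a.b.c.d/n (octets 0-255, prefix 0-32).
is_ipv4_cidr() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32            # no "/": a bare host address
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*) return 1 ;; esac  # digits and dots only (also keeps set -- from globbing)
    old_ifs=$IFS
    IFS=.
    set -- $addr                                  # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in '') return 1 ;; esac       # "1..2.3" style gaps
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# validate_hosts_file FILE: print every line that is not an IPv4 address or network
# (with file:line so you can fix it), succeed only if the whole file is clean.
validate_hosts_file() {
    file=$1
    lineno=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in ''|'#'*) continue ;; esac   # blank lines and comments (assumption)
        if ! is_ipv4_cidr "$line"; then
            printf '%s:%d: not an IPv4 address or network: %s\n' "$file" "$lineno" "$line" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

# host_listed FILE ADDR: succeed if ADDR appears as its own line (exact text match;
# a network that merely contains ADDR does not count, so list the bare address).
host_listed() {
    while IFS= read -r line || [ -n "$line" ]; do
        [ "$line" = "$2" ] && return 0
    done < "$1"
    return 1
}

# pf_safe_start CONF [GRACE]: the actual start sequence. Needs root on FreeBSD.
# Kill the dead-man timer only after a fresh SSH login has succeeded.
pf_safe_start() {
    conf=$1
    grace=${2:-180}
    for f in /etc/pf_hosts_any_port /etc/pf_hosts_ssh_port \
             /etc/pf_hosts_www_port /etc/pf_hosts_ftp_port /etc/pf_hosts_bad; do
        validate_hosts_file "$f" || return 1
    done
    # SSH_CONNECTION is "client_ip client_port server_ip server_port", set by sshd
    if [ -n "$SSH_CONNECTION" ]; then
        me=${SSH_CONNECTION%% *}
        host_listed /etc/pf_hosts_any_port "$me" || host_listed /etc/pf_hosts_ssh_port "$me" \
            || echo "warning: your address $me is in neither whitelist" >&2
    fi
    pfctl -nf "$conf" || return 1                 # -n: parse only, change nothing
    # dead-man timer: nohup so it survives the SSH session dying, pfctl -d disables pf
    nohup sh -c "sleep $grace && pfctl -d" >/dev/null 2>&1 &
    echo "pf will be disabled in ${grace}s unless you run: kill $!"
    /etc/rc.d/pf start
}

# Constructed sample control file (not a real host list) to show the validator running.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# admin workstation
203.0.113.10
# office range
198.51.100.0/24
EOF
validate_hosts_file "$demo" && echo "$demo: ok"
rm -f "$demo"
```

Run it as pf_safe_start /etc/pf.conf 180 from your SSH session; if the ruleset locks you out, pf is switched off after three minutes and you can fix the whitelist and try again.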
And we are done here.