From: Polytropon <freebsd@edvax.de>
To: Antonio Olivares
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Tue, 26 Apr 2011 09:52:16 +0200
Subject: Re: easy Firewall setup
Message-Id: <20110426095216.c9f1aa13.freebsd@edvax.de>
Organization: EDVAX
X-Mailer: Sylpheed 2.4.7 (GTK+ 2.12.1; i386-portbld-freebsd7.0)

On Mon, 25 Apr 2011 21:34:41 -0500, Antonio Olivares wrote:
> Thanks for sharing this. I have a base FreeBSD 8.2 system on one
> machine and I would like to set up a firewall that allows me to visit
> websites and not allow incoming traffic. Something easy to set up and
> start like
> /etc/local/rc.d/rc.pf start
> or similar. A nice example which I can change some things like name of
> network device, i.e., nv0, or similar device.
>
> I will try further reading and try to set something up as I am afraid
> to screw things up.

You can easily do this with IPFW (from the base system).

Step 1: Create a file /etc/ipfw.conf which will contain your firewall
rules. Depending on what you need, try out something like this:

    -f flush
    # Loopback first, then stateful outbound traffic. The original
    # second line was "add allow ip from any to any"; ipfw is
    # first-match, so that rule swallowed everything and the rules
    # below it could never be reached (fixed here, not in the mail).
    add allow ip from any to any via lo0
    add check-state
    add allow ip from any to any out keep-state
    add allow tcp from any to any ftp in recv xl0
    add allow tcp from any to any ssh in recv xl0
    add deny ip from any to any

Of course you'll have to replace xl0 with the correct device name;
"ifconfig -a" will surely tell you. Please see that this is just an
excerpt of an example. In this case, FTP and SSH should be allowed for
incoming, everything else will be denied. If you do not want to use FTP
- nobody seriously wants that :-) - do not enable it. The reference for
SSH also goes to the default port, maybe you want to choose a different
one.

Step 2: Edit /etc/rc.conf to contain the following lines:

    firewall_enable="YES"
    firewall_type="/etc/ipfw.conf"

Step 3: Start (or restart) the firewall:

    # /etc/rc.d/ipfw start

See the information contained in "man ipfw"; it's "strong tobacco", but
it provides very good knowledge about how to properly configure the
firewall, containing examples that you can use to form your own rules,
like "allow anything from inside to outside, but deny any requests
coming from outside".

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
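The three steps above hinge on one property of ipfw that the mail does not spell out: rules are evaluated top to bottom and the first match wins, so an unqualified "allow ip from any to any" placed before the final deny quietly makes every later rule unreachable. The following is an added example, not code from the mail or from the FreeBSD project: a small POSIX sh check that reads an ipfw rule file, finds the first rule that matches all traffic with no qualifier, and counts the rules after it that can never match. Both rule files it tests are constructed inline (one with the ordering problem as it appeared in the mail, one with a corrected stateful layout using the ipfw keywords check-state and keep-state); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original mail): a first-match order check for an
# ipfw rule file. ipfw walks the rules in order and stops at the first match, so
# an unqualified "allow ip from any to any" placed before the deny silently makes
# every later rule unreachable. File contents below are constructed for the demo.

# Constructed rule file with the ordering problem (catch-all allow before the deny).
write_sample_rules() {
    cat > "$1" <<'EOF'
-f flush
add allow ip from any to any
add allow tcp from any to any ftp in recv xl0
add allow tcp from any to any ssh in recv xl0
add deny ip from any to any
EOF
}

# Constructed corrected ordering: loopback, stateful outbound, selected inbound, then deny.
write_corrected_rules() {
    cat > "$1" <<'EOF'
-f flush
add allow ip from any to any via lo0
add check-state
add allow ip from any to any out keep-state
add allow tcp from any to any ssh in recv xl0
add deny ip from any to any
EOF
}

# Number of rules in the file ("-f flush", blank lines and comments are not rules).
rule_count() {
    awk '/^[[:space:]]*(#|$)/ { next }
         /^-f[[:space:]]+flush/ { next }
         { n++ }
         END { print n + 0 }' "$1"
}

# Ordinal of the first rule that matches all traffic with no qualifier
# (allow/deny "ip from any to any" and nothing after it), or 0 if there is none.
first_catch_all() {
    awk '/^[[:space:]]*(#|$)/ { next }
         /^-f[[:space:]]+flush/ { next }
         {
             n++
             line = $0
             sub(/#.*/, "", line)                    # drop trailing comment
             gsub(/[[:space:]]+/, " ", line)         # normalise whitespace
             sub(/^ /, "", line); sub(/ $/, "", line)
             if (line ~ /^add (allow|accept|pass|permit|deny|drop|reject) ip from any to any$/) {
                 found = n; exit
             }
         }
         END { print found + 0 }' "$1"
}

# Rules placed after the first catch-all: these can never match.
dead_rule_count() {
    total=$(rule_count "$1")
    first=$(first_catch_all "$1")
    if [ "$first" -eq 0 ]; then
        echo 0
    else
        echo $((total - first))
    fi
}

# Human-readable report; exit status 1 when unreachable rules exist.
lint_rules() {
    dead=$(dead_rule_count "$1")
    first=$(first_catch_all "$1")
    if [ "$dead" -gt 0 ]; then
        echo "$1: rule $first matches all traffic; $dead later rule(s) are unreachable"
        return 1
    fi
    echo "$1: ok ($(rule_count "$1") rules, no unreachable rules)"
}

# Demonstration on the constructed files.
tmp=$(mktemp)
write_sample_rules "$tmp";    lint_rules "$tmp" || :
write_corrected_rules "$tmp"; lint_rules "$tmp" || :
rm -f "$tmp"
```

Run against the first constructed file the check reports rule 1 as a catch-all with three unreachable rules after it, which is exactly why that file would allow all inbound traffic despite its closing deny; the corrected file keeps its only catch-all as the last rule. The check is deliberately narrow (it looks only for a completely unqualified allow or deny), so a rule with a direction, interface or state qualifier is left alone.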