From: krad
To: Polytropon
Cc: FreeBSD Questions, Antonio Olivares
Date: Tue, 26 Apr 2011 10:23:43 +0100
Subject: Re: easy Firewall setup
In-Reply-To: <20110426095216.c9f1aa13.freebsd@edvax.de>
On 26 April 2011 08:52, Polytropon wrote:

> On Mon, 25 Apr 2011 21:34:41 -0500, Antonio Olivares <olivares14031@gmail.com> wrote:
> > Thanks for sharing this. I have a base FreeBSD 8.2 system on one
> > machine and I would like to set up a firewall that allows me to visit
> > websites and not allow incoming traffic. Something easy to set up and
> > start like
> > /etc/local/rc.d/rc.pf start
> > or similar. A nice example which I can change some things like name of
> > network device, i.e. nv0, or similar device.
> >
> > I will try further reading and try to set something up as I am afraid
> > to screw things up.
>
> You can easily do this with IPFW (from the base system)
>
> Step 1: Create a file /etc/ipfw.conf which will contain
> your firewall rules. Depending on what you need, try out
> something like this:
>
>     -f flush
>     add allow ip from any to any
>     add allow tcp from any to any ftp in recv xl0
>     add allow tcp from any to any ssh in recv xl0
>     add deny ip from any to any
>
> Of course you'll have to replace xl0 with the correct
> device name; "ifconfig -a" will surely tell you.
>
> Please see that this is just an excerpt of an example.
> In this case, FTP and SSH should be allowed for incoming,
> everything else will be denied. If you do not want to use
> FTP - nobody seriously wants that :-) - do not enable it.
> The reference for SSH also goes to the default port, maybe
> you want to choose a different one.
> Step 2: Edit /etc/rc.conf to contain the following lines:
>
>     firewall_enable="YES"
>     firewall_type="/etc/ipfw.conf"
>
> Step 3: Start (or restart) the firewall:
>
>     # /etc/rc.d/ipfw start
>
> See the information contained in "man ipfw"; it's "strong
> tobacco", but it provides very good knowledge about how to
> properly configure the firewall, containing examples that
> you can use to form your own rules, like "allow anything
> from inside to outside, but deny any requests coming from
> outside".
>
> --
> Polytropon
> Magdeburg, Germany
> Happy FreeBSD user since 4.0
> Andra moi ennepe, Mousa, ...

If you are new to firewalls and don't want to use something like pfSense, I would stay away from ipfw (wait for flames 8) ). This is not for any technical reason, as it is a perfectly good and well-featured firewall. It is however, in my experience from a few years ago, a little trickier to get the rule orderings correct when you are NATing things. Therefore I would advise you use pf.

Here is a simple starter ruleset to get you going. It provides no external access, but you can easily uncomment the bits to allow things through. Just drop it into /etc/pf.conf and run

    echo -e "pf_enable=yes\npflog_enable=yes" >> /etc/rc.conf.local
    /etc/rc.d/pf start
    /etc/rc.d/pflog start

ruleset
----------------------
ext_if=xl0
int_if=xl1

# NOTE: the table names between < > were stripped when this message was
# archived. <trusted_hosts> and <private_nets> below are placeholders, not
# the original names, and which table each rule referenced is an assumption.
#table <trusted_hosts> const { 1.1.1.1, 2.2.2.2 }
table <private_nets> const { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 }

# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 800000, adaptive.end 1200000 }
set limit { states 1000000, frags 50000, src-nodes 300000 }
#set loginterface none
set optimization normal
set block-policy drop
set state-policy if-bound
set skip on lo0
#set skip on $vpn_ints
set require-order yes
set fingerprints "/etc/pf.os"
set skip on $int_if

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub all random-id fragment reassemble

nat on $ext_if from <private_nets> to any -> ($ext_if)

# dump everything by default
block log on $ext_if all

# uncomment this to allow ssh through
# let ssh work and let those ppl ping me
#block in on $ext_if proto tcp from any to any port ssh
#pass in quick on $ext_if proto tcp from <trusted_hosts> to any port ssh keep state
#pass in quick on $ext_if inet proto icmp from <trusted_hosts> to any icmp-type echoreq keep state
#pass out quick on $ext_if proto tcp from any to any port ssh keep state

pass out on $ext_if from any to any keep state
-------------------

ps I have ripped this out of my existing rule set so it's possible typos have crept in
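As an added example (not from krad's post or from the FreeBSD project), here is a small Python lint pass over a pf.conf ruleset of the shape above. It flags macros and tables used before they are defined, a rule whose source address went missing (the way the nat rule reads "from to any" in the archived copy of this message), inbound passes from any, and pass rules placed above the default block without quick, which pf's last-match-wins ordering silently overrides. The sample ruleset and its table names are constructed for the example.

```python
import re
# pf reads a ruleset top-down, so a macro or table must be defined above its use
MACRO_DEF = re.compile(r'^(\w+)\s*=')
TABLE_DEF = re.compile(r'^table\s+<(\w+)>')
MACRO_USE, TABLE_USE = re.compile(r'\$(\w+)'), re.compile(r'<(\w+)>')
FROM_SRC = re.compile(r'\bfrom\s+(\S+)')

def lint_pf_conf(text):
    """Return (lineno, message) findings for a pf.conf ruleset string."""
    macros, tables, findings, seen_block = set(), set(), [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if MACRO_DEF.match(line):
            macros.add(MACRO_DEF.match(line).group(1))
            continue
        if TABLE_DEF.match(line):
            tables.add(TABLE_DEF.match(line).group(1))
        for name in MACRO_USE.findall(line):
            if name not in macros:
                findings.append((no, f"macro ${name} is not defined"))
        for name in TABLE_USE.findall(line):
            if name not in tables:
                findings.append((no, f"table <{name}> is not defined"))
        src = (FROM_SRC.search(line) or [None, None])[1]
        if src == 'to':   # "from to any": the source address went missing
            findings.append((no, "malformed rule: 'from' has no source"))
        if line.startswith('block') and line.endswith(' all'):
            seen_block = True
        if line.startswith('pass'):
            # last match wins unless 'quick': a pass above the default block is overridden
            if not seen_block and ' quick' not in line:
                findings.append((no, "pass precedes default block without quick"))
            if line.startswith('pass in') and src == 'any':
                findings.append((no, "inbound pass from any: open to everyone"))
    if not seen_block:
        findings.append((0, "no default 'block ... all' rule"))
    return findings

# Constructed sample shaped like the ruleset above, with three planted faults: a nat
# rule that lost its table, an SSH pass from anywhere above the block, an undefined table
SAMPLE = """\
ext_if=xl0
table <private_nets> const { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 }
nat on $ext_if from to any -> ($ext_if)
pass in on $ext_if proto tcp from any to any port ssh keep state
block log on $ext_if all
pass in quick on $ext_if proto tcp from <ssh_allowed> to any port ssh
"""
```

Running lint_pf_conf(SAMPLE) reports lines 3, 4 (twice) and 6; a clean ruleset returns an empty list.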