From owner-freebsd-questions@freebsd.org Mon Apr 10 19:37:57 2017
From: Polytropon
To: Miha Smrekar
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD firewall configuration
Date: Mon, 10 Apr 2017 21:37:47 +0200
Message-Id: <20170410213747.c22fffa7.freebsd@edvax.de>
References: <20170407210017.0c2c2cbb.freebsd@edvax.de>
Organization: EDVAX
X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2)
Re-including list, hope that's okay.

On Mon, 10 Apr 2017 09:34:16 +0200, Miha Smrekar wrote:
> OK, with that rule I have successfully connected to my computer through
> PUTTY on SSH connection on 1024 port. I've done the same with ports 80 and
> 443.

Excellent. It all follows the same idea.

> Will those 3 rules be enough to block all the traffic on other ports, or do
> I have to block all other ports?

Depending on the firewall's configuration - "default to accept" or
"default to deny", you're probably safe when you explicitly block
everything first, and then define what you intendedly want to allow.
For example:

    ext_if="xl0"
    block all
    pass in quick on $ext_if inet proto tcp from any to $ext_if port 1024 keep state
    pass in quick on $ext_if inet proto tcp from any to $ext_if port 443 keep state
    pass in quick on $ext_if inet proto tcp from any to $ext_if port 80 keep state

This is what your configuration probably will look like.

> Can you also help me with the rule to forward incoming traffic to other
> interface?

You first need to put

    net.inet.ip.forwarding=1

into /etc/sysctl.conf and make this change active (read: reboot or
manually call "service sysctl restart"). Additionally, add

    gateway_enable="YES"

to /etc/rc.conf.

Now you can do something like this in your pf.conf:

    ext_if="xl0"
    int_if="fxp0"
    pass in on $ext_if proto tcp from $ext_if:network to $int_if:network port 1024 keep state
    pass out on $int_if proto tcp from $ext_if:network to $int_if:network port 1024 keep state

This for example would forward port 1024 traffic from the external
interface to the internal one.
It's easy to define which one is which using variables like ext_if and
int_if for the actual network interfaces (see "ifconfig -a" to check).

I also recommend this article for more inspiration:

    https://home.nuug.no/~peter/pf/en/long-firewall.html

This is where I constructed the example from. ;-)


-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
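The following is an added example, not part of the message above and not pf's own code: a toy evaluator that runs the default-deny ruleset from the message, plus two constructed variants (the same pass rules with no "block all", and "block all" placed last with "quick" removed), against a handful of constructed sample packets. It reproduces only the two pf behaviours that matter for the question asked in the thread: the last matching rule decides unless a matching rule says "quick", and a packet that matches no rule at all is passed, so without "block all" every port the pass rules do not mention stays open. It parses only the keywords used in the thread, ignores addresses entirely (every from/to operand is treated as "any"), and mirrors pfctl's refusal to load a "port" match on a rule not limited to tcp or udp, which is why the forwarding rules need "proto tcp". The sample packets, the variant rulesets and the helper names are all constructed for this example.

```python
"""Toy model of pf(4) rule evaluation for the rulesets in the message above.

Added example, not from the original message and not pf's own code. Only the
keywords the thread uses are parsed and addresses are ignored (every from/to
operand counts as "any"). Reproduced: the LAST matching rule decides unless it
says "quick", and a packet that matches no rule at all is passed."""
import re
from collections import namedtuple

# The default-deny ruleset quoted in the message above.
DEFAULT_DENY_CONF = """
ext_if="xl0"
block all
pass in quick on $ext_if inet proto tcp from any to $ext_if port 1024 keep state
pass in quick on $ext_if inet proto tcp from any to $ext_if port 443 keep state
pass in quick on $ext_if inet proto tcp from any to $ext_if port 80 keep state
"""
# Constructed variants: the same pass rules without "block all", and "block all"
# moved to the end with every "quick" removed.
NO_DEFAULT_DENY_CONF = "\n".join(
    ln for ln in DEFAULT_DENY_CONF.splitlines() if ln.strip() != "block all")
LATE_BLOCK_NO_QUICK_CONF = 'ext_if="xl0"\n' + "\n".join(
    ln.replace(" quick", "") for ln in DEFAULT_DENY_CONF.splitlines()
    if ln.startswith("pass")) + "\nblock all\n"

# None in a Rule field means "any"; direction None matches both in and out.
Rule = namedtuple("Rule", "action direction quick iface proto port")
Packet = namedtuple("Packet", "direction iface proto dport")

def parse_ruleset(conf):
    """Expand $macros and parse the subset of pf.conf syntax used in the thread."""
    macros, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r'(\w+)\s*=\s*"([^"]*)"', line)
        if m:                                   # macro definition, e.g. ext_if="xl0"
            macros[m.group(1)] = m.group(2)
            continue
        toks = re.sub(r"\$(\w+)", lambda mm: macros[mm.group(1)], line).split()
        if toks[0] not in ("pass", "block"):
            raise ValueError("unsupported rule: " + raw)
        direction, quick, opts, i = None, False, {}, 1
        while i < len(toks):
            t = toks[i]
            if t in ("in", "out"):
                direction = t
            elif t == "quick":
                quick = True
            elif t in ("on", "proto", "port", "from", "to"):
                i += 1                          # keyword with one operand
                opts[t] = toks[i]               # from/to are stored but unused
            elif t not in ("all", "inet", "keep", "state"):
                raise ValueError("unsupported keyword %r in: %s" % (t, raw))
            i += 1
        port = int(opts["port"]) if "port" in opts else None
        if port is not None and opts.get("proto") not in ("tcp", "udp"):
            # pfctl refuses to load "port" on a rule not limited to tcp or udp
            raise ValueError("port only applies to tcp/udp: " + raw)
        rules.append(Rule(toks[0], direction, quick, opts.get("on"),
                          opts.get("proto"), port))
    return rules

def is_loadable(conf):
    """True if every rule parses; a stand-in for checking with `pfctl -nf`."""
    try:
        parse_ruleset(conf)
        return True
    except ValueError:
        return False

def evaluate(rules, pkt):
    """Return "pass" or "block" using pf's last-match-wins and quick semantics."""
    decision = "pass"                           # pf's verdict when no rule matches
    for r in rules:
        if ((r.direction is None or r.direction == pkt.direction)
                and (r.iface is None or r.iface == pkt.iface)
                and (r.proto is None or r.proto == pkt.proto)
                and (r.port is None or r.port == pkt.dport)):
            decision = r.action
            if r.quick:
                break
    return decision

def decide(conf, pkt):
    return evaluate(parse_ruleset(conf), pkt)

# Constructed sample packets on the external interface xl0.
SAMPLE_PACKETS = [
    Packet("in", "xl0", "tcp", 1024),   # the PuTTY/SSH session from the thread
    Packet("in", "xl0", "tcp", 23),     # a port no pass rule mentions
    Packet("in", "xl0", "udp", 53),
    Packet("out", "xl0", "tcp", 80),    # the pass rules are "in" only
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "->", [decide(c, p) for c in
              (DEFAULT_DENY_CONF, NO_DEFAULT_DENY_CONF, LATE_BLOCK_NO_QUICK_CONF)])
```

Running the script prints, for each sample packet, the verdict under the three rulesets in order. With the message's ruleset only tcp/1024 in gets through; without "block all" the tcp/23 packet is passed because nothing matches it; with "block all" last and no "quick", even tcp/1024 is blocked because the later block rule is the last match. The real check for a ruleset is still `pfctl -nf /etc/pf.conf` on the FreeBSD host; the toy parser only mimics its port/proto complaint.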