[Solved] Help needed freebsd firewall [Archive] - The FreeBSD Forums



Amanat
February 9th, 2010, 19:04
Dear All,
Actually, I need help regarding a firewall for FreeBSD.

Kindly let me know which firewall is best on FreeBSD; I want the functionality below, according to my network requirements.

By now I am using Debian and Fedora with Firewall-jay, which supports the first 4 functions mentioned below, but in my opinion FreeBSD is better than Ubuntu/Debian, so I need a solution for FreeBSD. I am new to FreeBSD, but I can get help from the internet. But I need the solution for all of them, if possible.

1. Transparent squid
2. IP Block # listed in a file
3. MAC Block # listed in a file
4. VPN

If also possible:

5. P2P Blocking

Any Help would be greatly appreciated.
Waiting for your reply.

Warm Regards!

SirDice
February 9th, 2010, 20:19
1) http://forums.freebsd.org/showthread.php?t=10874
2) yes
3) not 100% sure but yes
4) security/openvpn good enough?

5) Tricky because just arbitrarily blocking ports doesn't work.

To prevent the last I would make sure no workstation can access the Internet directly. Browsing is done via a proxy, email is done via the company mailserver. There's usually no real reason why any workstation would need to connect to something on the Internet directly. Proper configuration of the workstations is also key of course. If they're Windows clients, start by removing all local administrator access.

Amanat
February 9th, 2010, 21:41
Dear Sir,
Thanks for touching on all the requisites number-wise.
What the problem actually is, is that I have to block IPs and MAC addresses of Windows clients when they are using P2P or some other bandwidth-sucking software.

Just help me make a script or a firewall rule that will get the IPs and MACs from a txt file and block them, as I have about 80 MACs and IPs blocked and saved in a txt file which my firewall reads when it is reloaded.

e.g
mac.deny.txt
containing

AA:BB:CC:DD:EE:F1
AA:BB:CC:DD:EE:F2
AA:BB:CC:DD:EE:F3

You may get the idea from DutchDaemon's post http://forums.freebsd.org/showpost.php?p=35342&postcount=9

Amanat
February 9th, 2010, 21:50
Actually I want to put all MACs in one file and all IPs in a second file, so that whenever I update a file and reload the firewall, it reads the file and gets the updates on which IPs and MACs need to be blocked.

My present firewall is doing that for me, but it's an rpm file and I'm using it on Debian and Fedora.

By now I want to use pf, as it also provides CBQ and other features.

DutchDaemon has given an idea, but I cannot understand what he said.

http://forums.freebsd.org/showpost.php?p=35342&postcount=9

SirDice
February 9th, 2010, 23:28
DD gave an example of how to load a list of IPs and load them into ipfw, which is a different firewall. Do note that FreeBSD comes with 3 different firewalls. Pick one and stick with it. Personally I like PF.

For storing lists of addresses PF uses tables. You can store those in a separate file. You can also add/remove addresses 'on-the-fly'.
http://www.openbsd.org/faq/pf/tables.html

Is this a company network or something else? If it's a company network I would make sure the regulations state that p2p software isn't allowed at all. Then simply make it impossible. No need to waste time finding hoggers :)

mbr661
February 10th, 2010, 02:46
Amanat,

I'm working on a very similar project myself. I'm running Squid (non-transparent: LDAP auth), OpenVPN, and PF on FreeBSD. I got everything working for the most part, so I may be able to help you.

Here is an example of my pf.conf with regards to tables:


table <emerging-threats> persist file "/usr/local/etc/IPBlocks/EmergingThreats"

block drop in log quick on $ext_if from <emerging-threats> to any
block drop out log quick on $ext_if from any to <emerging-threats>

Amanat
February 10th, 2010, 08:33
I am also planning the project you are working on, but I didn't find any good how-to, so I haven't completed it yet; please do share your project of Squid, LDAP etc.

I have been confused between pf and ipfw:

which one to use that will allow me to do what I want,

MAC blocking, IP blocking, transparent Squid etc. etc.?

Any suggestions and a good how-to on transparent Squid on FreeBSD 8.0 or 7.2?

Thanks in advance!

dennylin93
February 10th, 2010, 13:57
Both IPFW and PF are able to block IPs. They can also be used to setup transparent proxies.

However, you won't be able to block MACs with PF. Blocking MACs isn't really useful since MACs can be changed easily.

Just block everyone, and then let authenticated users through. Take a look at authpf.

DutchDaemon
February 10th, 2010, 14:08
If you really really really really want something based on MAC address, you can write a small script that lifts the MAC addresses from arp -a, takes the IP addresses associated with them, and adds the ones you need to block to a table in pf by IP address.

Put the offending MAC address(es) in a textfile, use grep -f against the output of arp -a, use cut/awk to get the IP, use pfctl -t some_table -Ta IP-address, put it in cron, let it run every 5 minutes, etc etc.
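The cron-driven lookup sketched above, written out as an added example (not code from the thread). It assumes a deny file at /usr/local/etc/pf/mac.deny.txt and a pf table named macblock (both placeholders), and uses pfctl -T replace rather than -T add so the table is rebuilt on every run.

```shell
#!/bin/sh
# Added example (not from the thread): the cron job DutchDaemon describes.
# Reads a deny list of MACs, finds which IPs currently hold those MACs in the
# ARP cache, and loads those IPs into a pf table. Assumed placeholders: the
# deny file path and the table name, which pf.conf must declare, e.g.
#   table <macblock> persist
#   block drop quick from <macblock> to any
MAC_DENY_FILE="${MAC_DENY_FILE:-/usr/local/etc/pf/mac.deny.txt}"
PF_TABLE="${PF_TABLE:-macblock}"

# macs_to_ips DENYFILE: read "arp -a" output on stdin, print the IP of each
# entry whose MAC is listed in DENYFILE (case-insensitive; blank lines and
# "#" comments ignored; "(incomplete)" entries never match). FreeBSD format:
#   ? (192.168.75.10) at aa:bb:cc:dd:ee:f1 on em1 expires in 1100 seconds [ethernet]
macs_to_ips() {
    awk -v denyfile="$1" '
        BEGIN { while ((getline line < denyfile) > 0) {
                    sub(/#.*/, "", line); gsub(/[ \t\r]/, "", line)
                    if (line != "") deny[tolower(line)] = 1 } }
        $2 ~ /^\(.*\)$/ && $3 == "at" && (tolower($4) in deny) {
            print substr($2, 2, length($2) - 2) }'
}

# sync_pf_table: replace the whole table each run, so a host that moved to a
# new IP is re-blocked and stale addresses drop out (run every 5 min from cron).
sync_pf_table() {
    ips=$(arp -a | macs_to_ips "$MAC_DENY_FILE")
    if [ -n "$ips" ]; then
        # shellcheck disable=SC2086  # splitting the IP list into words is intended
        pfctl -t "$PF_TABLE" -T replace $ips
    else
        pfctl -t "$PF_TABLE" -T flush
    fi
}

# Constructed sample data (not real hosts) for a dry run without pf or arp.
SAMPLE_DENY='AA:BB:CC:DD:EE:F1
aa:bb:cc:dd:ee:f3   # comments are allowed'
SAMPLE_ARP='? (192.168.75.10) at aa:bb:cc:dd:ee:f1 on em1 expires in 1100 seconds [ethernet]
? (192.168.75.11) at aa:bb:cc:dd:ee:f2 on em1 expires in 900 seconds [ethernet]
? (192.168.75.12) at AA:BB:CC:DD:EE:F3 on em1 expires in 800 seconds [ethernet]
? (192.168.75.13) at (incomplete) on em1 expired [ethernet]'

demo() {   # prints 192.168.75.10 and 192.168.75.12
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_DENY" > "$tmp"
    printf '%s\n' "$SAMPLE_ARP" | macs_to_ips "$tmp"
    rm -f "$tmp"
}
case "${1:-}" in sync) sync_pf_table ;; demo) demo ;; esac
```

Run it as "script sync" from cron; "script demo" exercises the parser on the constructed sample only.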

Amanat
February 10th, 2010, 14:12
Sir,
Are you suggesting PF or IPFW? I am also interested in bandwidth shaping with pf, as Squid delay pools are not controlling uploads.

At the beginning I compiled the FreeBSD kernel four times for pf.

Still I didn't get a step-by-step tutorial for transparent Squid, to bring a smile to my tired face. Lolz.

Please send me links for pf and transparent proxy; SBS would be better.

Thanks to all who are helping me solve problems.

awaiting

Amanat
February 10th, 2010, 14:19
If you really really really really want something based on MAC address, you can write a small script that lifts the MAC addresses from arp -a, takes the IP addresses associated with them, and adds the ones you need to block to a table in pf by IP address.

Put the offending MAC address(es) in a textfile, use grep -f against the output of arp -a, use cut/awk to get the IP, use pfctl -t some_table -Ta IP-address, put it in cron, let it run every 5 minutes, etc etc.

Sir, I lack experience in scripting; that is why I still haven't been able to run my firewall for a transparent proxy. Secondly, I am new to FreeBSD.

dennylin93
February 10th, 2010, 14:53
Are you suggesting PF or IPFW? I am also interested in bandwidth shaping with pf, as Squid delay pools are not controlling uploads.


For traffic shaping, there's altq for PF, and dummynet for IPFW.


At the beginning I compiled the FreeBSD kernel four times for pf.


You can just load the module for pf (kldload pf). No need to compile a custom kernel unless ALTQ is in use.


Still I didn't get a step-by-step tutorial for transparent Squid, to bring a smile to my tired face. Lolz.

Please send me links for pf and transparent proxy; SBS would be better.


Transparent proxy has been asked quite a few times already. A quick search should produce some promising results.

There are also some other examples on the web:

Intercepting traffic with IPFW on FreeBSD (http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdIpfw)
Intercepting traffic with PF on OpenBSD (http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf)
Transparent proxying with squid and pf (http://www.benzedrine.cx/transquid.html)


The configuration for Squid should be the same for all OSes. Only the firewall settings should vary.

For people new to PF, I'd recommend reading these:

PF FAQ (http://www.openbsd.org/faq/pf/)
pf.conf
pfctl


Hope it helps.

Amanat
February 10th, 2010, 16:23
Transparent proxying with squid and pf (http://www.benzedrine.cx/transquid.html) didn't work for me, as I cannot run
# chgrp _squid /dev/pf
It gives an error.
Without it I think it won't work, and it didn't.

SirDice
February 10th, 2010, 16:25
Remove the underscore from the username.

Amanat
February 10th, 2010, 16:51
Remove the underscore from the username.



Also not working.

Squid is running perfectly.

DutchDaemon
February 10th, 2010, 16:57
Do you _have_ a user/group 'squid'?

grep squid /etc/group /etc/passwd

ps aux | grep squid

gigs
February 10th, 2010, 16:58
Which version of pf is on FreeBSD 8.0? I looked but found nothing for 8.0 (in RELENG_7, pf is at OpenBSD 4.1). Also, OpenBSD 4.5 has a patch for pf. Is pf on 8.0 sure enough?

DutchDaemon
February 10th, 2010, 17:01
I've been using Squid/PF since dinosaurs roamed the earth (roughly 6,000 years, some say). There's nothing new about (or needed for) this setup.

Amanat
February 10th, 2010, 18:32
While creating the cache dir I used nobody:nobody. I am away from the system as I came home from the office; by tomorrow I will verify.
After enabling pf I wasn't able to ssh, so I thought let's quarrel with it tomorrow.
What I think is that it doesn't have one, as I compiled Squid myself.

dennylin93
February 11th, 2010, 01:57
Use the ports tree. It'll save you a lot of time and energy, and you won't shoot yourself in the foot.

Just:

# cd /usr/ports/www/squid
# make config install clean


For Squid 3.0, switch to www/squid30 instead.

Remember to select the correct options for transparent proxy.

mbr661
February 11th, 2010, 05:53
I am also planning for the project you are working but i didnt found any good how to, so i havent not yet completed, plz do share your project of squid ldap etc.


Dear Amanat,

Unfortunately, there are no shortcuts for this project; you need to study until you understand your system. I recommend you read and follow the book "Squid: The Definitive Guide". By the time you go through it you'll understand Squid well enough to be able to maintain it later. I read the book and many how-tos before I got it working. I never found one how-to that had everything I needed.

Following is the portion of my squid.conf that relates to LDAP authentication:


# 192.168.75.101 is the IP of your AD server
auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -R -b "dc=yourdomain,dc=net" -D "cn=Squid,cn=Users,dc=yourdomain,dc=net" -w "S1quid!@#$" -f "sAMAccountName=%s" -h 192.168.75.101
auth_param basic children 5
auth_param basic realm Internet Access Authentication
auth_param basic credentialsttl 5 minutes


For OpenVPN, I recommend you read the book "Building a Server with FreeBSD 7", chapter 19. This was the easiest part of the project because the instructions are very clear. OpenVPN works great!!

Once I got these three systems working together (FreeBSD, Squid, and OpenVPN), I started working on pf, which is where I am now.

Good luck and keep asking questions as you go.

Amanat
February 11th, 2010, 06:17
Dear mbr661,
I am interested in transparent Squid + FreeRADIUS + MySQL auth. I want to run Squid transparently, and I want to use FreeRADIUS and MySQL for authentication and user logins, as I have more than 1000 concurrent clients.

Amanat
February 11th, 2010, 10:01
I have configured Squid from source, Squid 2.7 STABLE7.
Now I want

the FreeBSD box to act as
1. transparent proxy
2. local caching name server
3. firewall


When I turn off the firewall,

Squid using the browser proxy setting works,
the local caching name server/DNS also works,

but the firewall is creating problems.

There is no user squid on my machine; I chowned the cache directory nobody:nobody.

Squid is working, but I want it to work transparently.
Also I want to allow DNS from localnet and SSH from external and internal.

Help please.

dennylin93
February 14th, 2010, 13:01
It might be a good idea to start *reading* some documentation yourself.

Amanat
February 14th, 2010, 14:30
It might be a good idea to start *reading* some documentation yourself.

I followed this tutorial, but when using transparent Squid with pf I get problems. What are the problems in this tutorial?
http://askaa.wordpress.com/2009/09/03/install-freebsd-7-2-compile-kernel-squid-3-x/

It's in the Indonesian language; I followed it thrice and also tried others, but I think there is a problem in pf.

Any help!

dennylin93
February 14th, 2010, 14:42
Can you post any details of the errors? Check the logs and output.

I don't understand Indonesian, but the tutorial compiles and installs Squid manually. This isn't what most FreeBSD users do. Try using the ports tree instead.

Amanat
February 14th, 2010, 15:06
It's working fine; I also tried using ports, but the same situation.

My firewall (pf.conf) is attached.
When I start it, the manual Squid setting in the browser also stops working.

Also I cannot start|stop|restart Squid

using
/usr/local/squid/sbin/squid
or /usr/local/etc/rc.d/squid
or /etc/rc.d/squid

None of them are working, but when I stop the firewall Squid works; I don't know how to stop or restart Squid.

-k parse and NCd1 work with the first command.

Amanat
February 15th, 2010, 19:37
Thanks to all, solved after a brainstorming search with Google.

Thanks to those who tried to help. :)
