
FreeBSD 9 home webserver, configure a firewall

Discussion in 'Firewalls' started by c00kie, Apr 14, 2012.

  1. c00kie

    c00kie New Member

    Hi

    Background:

    I have four machines (one desktop, three laptops) on a home LAN network. The desktop and one of the laptops (FreeBSD 9) are patched in to my home router via ethernet. The remaining laptops connect to the internet wirelessly. The laptop with FreeBSD 9 installed is acting as a public webserver using port forwarding and NAT. Hence I can access my webserver both locally and via the public internet.

    On my FreeBSD 9 laptop machine and in file: /etc/rc.conf
    Code:
     ifconfig_re0="inet 192.168.0.5 netmask 255.255.255.0"
     default_router="192.168.0.1"
    


    Hence my external interface is: re0

    I'm experimenting with firewalls since my webserver is now publicly accessible from the internet. My first attempt with PF failed.

    From: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html

    I'm not sure if the above really applies to me. I'm not using my FreeBSD box to act as a switch to my LAN. Instead, all laptops (and the desktop) connect to the router independently, either wirelessly or via ethernet, as is the case for the desktop and webserver.

    I thought this sounded a little more realistic:
    I've tried PF, installed OK, and even rebuilt a custom kernel with support for ALTQ. Using PF and rules from this tutorial:

    http://home.nuug.no/~peter/pf/en/long-firewall.html#PREFACE

    my /etc/pf.conf would look like:
    Code:
    block all
    tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
    udp_services = "{ domain }"
    pass out proto tcp to port $tcp_services
    pass proto udp to port $udp_services
    


    This locks me out, however. I can't access the webserver from inside the LAN, and webpages didn't load upon browser refresh. I didn't attempt it externally, i.e. from the public internet.

    I will have a second attempt of course, but could use a little advice on a simple ruleset (easiest to implement for a novice, e.g. PF or IPF) for a single machine home webserver connected to a router with port forwarding and public internet access.


    Thanks in advance.
     
  2. c00kie

    c00kie New Member

    OK

    Looking at some of the posts on this forum, I've decided to plump for PF. I've

    # cp /usr/share/examples/pf/pf.conf /etc/pf.conf

    My pf.conf file now looks like:

    Code:
    #ext_if="ext0"
    #int_if="int0"
    
    #table <spamd-white> persist
    
    #set skip on lo
    
    #scrub in
    
    #nat-anchor "ftp-proxy/*"
    #rdr-anchor "ftp-proxy/*"
    #nat on $ext_if from !($ext_if) -> ($ext_if:0)
    #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
    #no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
    #rdr pass on $ext_if proto tcp from any to any port smtp \
    #	-> 127.0.0.1 port spamd
    
    #anchor "ftp-proxy/*"
    #block in
    #pass out
    
    #pass quick on $int_if no state
    #antispoof quick for { lo $int_if}
    
    #pass in on $ext_if proto tcp to {$ext_if} port ssh
    #pass in log on $ext_if proto tcp to {$ext_if} port smtp
    #pass out log on $ext_if proto tcp from {$ext_if} to port smtp
    #pass in on $ext_if inet proto icmp from any to {$ext_if} icmp-type { unreach, redir, timex }
    


    If I'm using only one machine for all intents and purposes, are my external and internal interfaces going to be the same?

    i.e.

    Code:
    #ext_if="re0"
    #int_if="re0"
    
     
  3. c00kie

    c00kie New Member

    I'll keep reading with http://www.openbsd.org/faq/pf/filter.html

    So far I have a basic ruleset:

    Code:
    # Pass traffic in on dc0 from the local network, 192.168.0.0/24,
    # to the OpenBSD machine's IP address 192.168.0.1. Also, pass the
    # return traffic out on dc0.
    pass in  on dc0 from 192.168.0.0/24 to 192.168.0.1
    pass out on dc0 from 192.168.0.1 to 192.168.0.0/24
    
    
    # Pass TCP traffic in on fxp0 to the web server running on the
    # OpenBSD machine. The interface name, fxp0, is used as the
    # destination address so that packets will only match this rule if
    # they're destined for the OpenBSD machine.
    pass in on fxp0 proto tcp from any to fxp0 port www 
    


    Very basic, and this security thing makes one very paranoid. Not sure about how secure this is, but baby steps.
     
  4. plamaiziere

    plamaiziere New Member

    I guess, because no one replies, that nobody understands what you want to achieve. I understood from your previous posts that your web server is under FreeBSD and connected to a router. Now I see that this host has two interfaces and is protecting an OpenBSD behind one.

    A small description of the topology of your network will be helpful...

    Regards.
     
  5. SirDice

    SirDice Moderator Staff Member

    A really simple ruleset to protect one host and allow ssh and web.

    Code:
    
    set skip on lo0
    
    block all
    
    # We allow everything to go out
    pass out from any to any keep state
    
    # incoming rules
    # ssh
    pass in proto tcp from any to any port 22 keep state
    # web
    pass in proto tcp from any to any port 80 keep state
    
     
  6. c00kie

    c00kie New Member

    Sure. http://drupal876.co.uk/img/network.jpg

    It's a very simple home network. I've omitted the other computers on the LAN for brevity. The FreeBSD box is on all the time, and in /etc/rc.conf I've ensured the machine has a static IP address with the following:

    Code:
    ifconfig_re0="inet 192.168.0.5 netmask 255.255.255.0"
    


    as opposed to

    Code:
    ifconfig_re0="DHCP"
    


    No switches, hubs or bridges and as far as I'm aware the FreeBSD box (laptop) has one NIC namely: re0.
     
  7. c00kie

    c00kie New Member

    That's perfect thanks. I only need basic protection until the time comes when I become network admin. :)
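An added example (not a file from either poster) that combines SirDice's default-deny ruleset with the topology c00kie described: one NIC re0 with the static address 192.168.0.5, and a router that forwards only TCP/80 to it. It assumes FreeBSD 9's PF syntax, publishes www to anyone and restricts ssh to the LAN, and the header comment lists the rc.conf lines and pfctl checks used to load and verify it.

```conf
# /etc/pf.conf for the single-NIC web server in this thread (re0, 192.168.0.5,
# router forwards TCP/80 to it). Added example, not the original poster's file.
#
# Enable in /etc/rc.conf, then parse, load and inspect:
#   pf_enable="YES"
#   pflog_enable="YES"
#   # pfctl -nf /etc/pf.conf      (parse only; reports the line of any syntax error)
#   # pfctl -f /etc/pf.conf && pfctl -e
#   # pfctl -s rules ; pfctl -s states
#   # tcpdump -n -e -ttt -i pflog0   (watch what the logged block rule drops)

ext_if  = "re0"
lan_net = "192.168.0.0/24"

set skip on lo0                   # never filter loopback
scrub in all                      # reassemble fragments before the rules see them

# Default deny in both directions; blocked inbound packets are logged to pflog0
block in log all
block out all

# Drop packets arriving on re0 with a source address that cannot legitimately be there
antispoof quick for $ext_if

# Anything this host initiates may leave; the state entry admits only the replies
pass out on $ext_if keep state

# Web is published to the world through the router's port forward.
# ($ext_if) is re0's current address, re-read by PF if it changes.
pass in on $ext_if proto tcp from any to ($ext_if) port www flags S/SA keep state

# ssh only from the LAN: the router does not forward port 22, and this rule
# keeps ssh LAN-only even if that forward is added later
pass in on $ext_if proto tcp from $lan_net to ($ext_if) port ssh flags S/SA keep state

# Keep path-MTU discovery and traceroute working without opening all of ICMP
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { echoreq, unreach, timex }
```

After loading, pfctl -s states should show one entry per browser connection to port 80 and nothing for port 22 from outside 192.168.0.0/24.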