FreeBSD 9 home webserver, configure a firewall

Hi

Background:

I have four machines (one desktop, three laptops) on a home LAN network. The desktop and one of the laptops (FreeBSD 9) are patched in to my home router via ethernet. The remaining laptops connect to the internet wirelessly. The laptop with FreeBSD 9 installed is acting as a public webserver using port forwarding and NAT. Hence I can access my webserver both locally and via the public internet.

On my FreeBSD 9 laptop machine and in file: /etc/rc.conf
Code:
 ifconfig_re0="inet 192.168.0.5 netmask 255.255.255.0"
 default_router="192.168.0.1"

Hence my external interface is: re0

I'm experimenting with firewalls since my webserver is now publicly accessible from the internet. My first attempt with PF failed.

From: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html

With NAT only a single account is needed with your ISP. The other four PCs may then be cabled to a switch and the switch to the NIC in your FreeBSD system which is going to service your LAN as a gateway. NAT will automatically translate the private LAN IP address for each separate PC on the LAN to the single public IP address as it exits the firewall bound for the public Internet. It also does the reverse translation for returning packets.

I'm not sure if the above really applies to me. I'm not using my FreeBSD box to act as a switch to my LAN. Instead, all laptops (and the desktop) connect to the router independently, either wirelessly or via ethernet as is the case for the desktop and webserver.

I thought this sounded a little more realistic:
Alternatively, a firewall might be configured to protect only the system it is running on--this is called a “host based firewall”, and is particularly appropriate for servers on an untrusted network

I've tried PF, installed OK, and even rebuilt a custom kernel with support for ALTQ. Using PF and rules from this tutorial:

http://home.nuug.no/~peter/pf/en/long-firewall.html#PREFACE

my /etc/pf.conf would look like:
Code:
block all
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
udp_services = "{ domain }"
pass out proto tcp to port $tcp_services
pass proto udp to port $udp_services

This locks me out however - I can't access the webserver from inside the LAN and webpages didn't load upon browser refresh. I didn't attempt it externally i.e. from the public internet.

I will have a second attempt of course, but could use a little advice on a simple ruleset (easiest to implement for a novice, e.g. PF or IPF) for a single machine home webserver connected to a router with port forwarding and public internet access.


Thanks in advance.
 
OK

looking at some of the posts on this forum. I've decided to plump for PF. I've

# cp /usr/share/examples/pf/pf.conf /etc/pf.conf

My pf.conf file now looks like:

Code:
#ext_if="ext0"
#int_if="int0"

#table <spamd-white> persist

#set skip on lo

#scrub in

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#	-> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"
#block in
#pass out

#pass quick on $int_if no state
#antispoof quick for { lo $int_if}

#pass in on $ext_if proto tcp to {$ext_if} port ssh
#pass in log on $ext_if proto tcp to {$ext_if} port smtp
#pass out log on $ext_if proto tcp from {$ext_if} to port smtp
#pass in on $ext_if inet proto icmp from any to {$ext_if} icmp-type { unreach, redir, timex }

If I'm using only one machine for all intents and purposes, are my external and internal interfaces going to be the same?

i.e.

Code:
#ext_if="re0"
#int_if="re0"
 
I'll keep reading with http://www.openbsd.org/faq/pf/filter.html

So far I have a basic ruleset:

Code:
# Pass traffic in on dc0 from the local network, 192.168.0.0/24,
# to the OpenBSD machine's IP address 192.168.0.1. Also, pass the
# return traffic out on dc0.
pass in  on dc0 from 192.168.0.0/24 to 192.168.0.1
pass out on dc0 from 192.168.0.1 to 192.168.0.0/24


# Pass TCP traffic in on fxp0 to the web server running on the
# OpenBSD machine. The interface name, fxp0, is used as the
# destination address so that packets will only match this rule if
# they're destined for the OpenBSD machine.
pass in on fxp0 proto tcp from any to fxp0 port www

Very basic and this security thing makes one very paranoid. Not sure about how secure this is, but baby steps.
 
c00kie said:
I'll keep reading with http://www.openbsd.org/faq/pf/filter.html

So far I have a basic ruleset:

I guess, because no one replies, that nobody understands what you want to achieve. I've understood in your previous posts that your web server is under FreeBSD and connected to a router. Now I see that this host has two interfaces and is protecting an OpenBSD behind one.

A small description of the topology of your network will be helpful...

Regards.
 
A really simple ruleset to protect one host and allow ssh and web.

Code:
set skip on lo0

block all

# We allow everything to go out
pass out from any to any keep state

# incoming rules
# ssh
pass in proto tcp from any to any port 22 keep state
# web
pass in proto tcp from any to any port 80 keep state
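A fuller host-based ruleset for the single-NIC setup in this thread, as an added example rather than SirDice's or c00kie's own configuration: it keeps SirDice's structure (block all, stateful pass out, pass in for ssh and web) and adds scrub, antispoof and logging, and its comments note why the first pf.conf in the thread locked the web server out. The interface re0 and the 192.168.0.0/24 LAN come from the thread; restricting ssh to the LAN and allowing LAN ping are assumptions.

```pf
# Added example (not a ruleset from the thread): host-based pf.conf for a
# FreeBSD 9 web server with one NIC (re0, static 192.168.0.5/24) behind a
# home router that forwards port 80 from the internet.

ext_if  = "re0"
lan_net = "192.168.0.0/24"

# The thread's first attempt only had "pass out" rules, so inbound
# connections to the web server never matched a pass rule and fell through
# to "block all". Services offered by this host need explicit "pass in".

set skip on lo0
scrub in all                     # normalise fragments and odd flag combos

# Default deny; log blocked inbound packets to pflog0 for inspection.
block in log all
block out all

# Drop packets arriving on re0 that claim one of this host's own addresses.
antispoof quick for $ext_if

# Outbound: the host may initiate anything; state tracking admits replies.
pass out on $ext_if from ($ext_if) to any keep state

# Inbound: web from anywhere (the router forwards port 80 to this host).
# synproxy completes the TCP handshake before the web server sees it.
pass in on $ext_if proto tcp from any to ($ext_if) port www \
    flags S/SA synproxy state

# Inbound: ssh only from the home LAN (assumption: no remote ssh needed).
pass in on $ext_if proto tcp from $lan_net to ($ext_if) port ssh \
    flags S/SA keep state

# Allow the host to be pinged from the LAN for troubleshooting (assumption).
pass in on $ext_if inet proto icmp from $lan_net to ($ext_if) \
    icmp-type echoreq keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and set `pf_enable="YES"` and `pflog_enable="YES"` in /etc/rc.conf so the firewall and the pflog0 logging interface come up at boot.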
 
plamaiziere said:
A small description of the topology of your network will be helpful...

Regards.

Sure. http://drupal876.co.uk/img/network.jpg

It's a very simple home network. I've omitted the other computers on the LAN for brevity. The FreeBSD box is on all the time and in /etc/rc.conf I've ensured the machine has a static IP address with the following:

Code:
ifconfig_re0="inet 192.168.0.5 netmask 255.255.255.0"

as opposed to

Code:
ifconfig_re0="DHCP"

No switches, hubs or bridges and as far as I'm aware the FreeBSD box (laptop) has one NIC namely: re0.
 
SirDice said:
A really simple ruleset to protect one host and allow ssh and web.

Code:
set skip on lo0

block all

# We allow everything to go out
pass out from any to any keep state

# incoming rules
# ssh
pass in proto tcp from any to any port 22 keep state
# web
pass in proto tcp from any to any port 80 keep state

That's perfect thanks. I only need basic protection until the time comes when I become network admin. :)
 