Why not a /etc/rc.firewall for PF too?

Hi,

An idea for developers: why not have a shell script like /etc/rc.firewall for PF?
/etc/rc.firewall makes your life easier to configure IPFW; without it, for me it would have been a nightmare to have a working firewall on FreeBSD, there is no doubt.
It contains various well-commented profiles, which are helpful when you don't know what you are doing, and it's a good starting point to write your own script later.

PF seems to be used by a lot of FreeBSD users, even more than IPFW from what I noticed on the forum, so having its own "wrapper" would be normal in the end, and just like IPFW it could support various profiles.

It could be nice, what do you think?

PS:
For those who want to reply "why don't you write it yourself":
1) I am not the kind of guy you want to trust when it comes to network/firewall
2) I do not have the level required to write that type of shell script.
 
Ok I see, thank you for letting me know this, but in that case it could be possible to have multiple profiles already written (open, closed, workstation, etc.), that is doable, right?
The main idea is to have a working firewall out of the box, just like what IPFW can offer.
Standardize the instructions regardless of the firewall used, something like this:

Code:
firewall_enable="yes"
firewall_name="pf"
firewall_allowservices="any"
firewall_type="workstation"
 
I think my recent comment about 'firewall by template' is appropriate here.
I don't think it is wise, and you are handing unknowing users a loaded gun.
There are no shortcuts in security. Sink or swim.
My comments were in regard to this program: security/fwbuilder.
It can build pf rules for you. Do you think it's wise to build a ruleset without knowing what it does?
 
First of all, sure, it would be technically possible; you could e.g. come up with some templates that are processed by a script to fill in a few parameters and produce a valid pf rules file which is then loaded ... it's certainly more involved, but technically possible.

But then, I'm with Phishfry, I don't see much use in "preconfigured firewalls". Security isn't something you can "switch on". To do a sane thing, you certainly need some kind of threat model and invest some thought in what exactly you want to prevent/mitigate, and why, and what are the tradeoffs.

And finally, if you still want something pre-configured: The "firewalls" available in FreeBSD don't differ in security. They do differ (a lot) in rules syntax and semantics (so, you should most likely pick the one you're most comfortable with), they do differ in less common features, they probably also differ in performance looking at specific scenarios. None of which will ever be relevant if you just want some template. So, if that's really what you want, just go with IPFW and what's already provided there.
 
PF has a 'pre-configured' config, it simply allows everything by default.
 
"default deny in, default allow out"
is about the simplest you can get. Anything the workstation sends out is allowed, state is kept. Anything originating from the outside is denied unless there is state for it.
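The two replies above describe, between them, the whole idea: a script that fills a few parameters into a named template and emits a valid pf rules file, and the "default deny in, default allow out" ruleset as the simplest workstation profile. The following is an added example of such a wrapper, written for this page; it is not code from the thread, from FreeBSD's rc scripts, or from any project. The function name render_pf_profile, the profile names "open" and "workstation", and the argument order are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not FreeBSD's own code): render a pf.conf from a named
# "profile" plus a couple of parameters, the way the thread imagines an
# /etc/rc.firewall-style wrapper for PF would. The function name, the
# profile names and the argument order are assumptions for this example.
#
# Usage: render_pf_profile <profile> <interface> [allowed_tcp_ports]
#   profile            open | workstation
#   interface          external interface name, e.g. em0
#   allowed_tcp_ports  space-separated list in pf syntax, e.g. "22 80";
#                      empty (or omitted) means nothing is opened inbound

render_pf_profile() {
    profile=$1
    ifc=$2
    ports=$3

    case "$profile" in
    open)
        # Same as PF with no rules at all: everything passes. Only useful
        # as a placeholder to be edited, never as a finished configuration.
        printf '%s\n' "ext_if = \"$ifc\"" "pass all"
        ;;
    workstation)
        # "default deny in, default allow out": outbound traffic creates
        # state, inbound is dropped unless matching state exists or the
        # port was explicitly listed. Single quotes keep $ext_if literal
        # so it reaches pf as a macro reference.
        printf '%s\n' "ext_if = \"$ifc\""
        printf '%s\n' 'set skip on lo0'
        printf '%s\n' 'block in all'
        printf '%s\n' 'pass out on $ext_if keep state'
        if [ -n "$ports" ]; then
            printf '%s\n' "pass in on \$ext_if proto tcp to (\$ext_if) port { $ports } keep state"
        fi
        ;;
    *)
        echo "unknown profile: $profile" >&2
        return 1
        ;;
    esac
}

# Example run: render a workstation profile for em0 that accepts ssh.
render_pf_profile workstation em0 "22"
```

Write the output to a file and check it with `pfctl -nf <file>` (parse only, no load) before pointing `pf_rules` at it; a template the operator has not read and validated is exactly the "loaded gun" the earlier reply warns about.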
 
Thank you for your reply guys.

I don't see pre-configured profiles as a final solution but more as a starting point for a personal configuration.
Consider a profile as a default configuration file, then modifications are expected like any config file.

I see no difference between it and a basic config file like /etc/ssh/sshd_config for example.
Safety is not guaranteed until some changes are made (port, group, key, etc ...).

Same thing for a pre-configured firewall: using the default ssh config isn't perfect, but that's way better than letting the user pull together his own config file from scratch.
 
Well, it's simple isn't it? If you want something simple and pre-configured stick to the firewall_enable and firewall_type. If you want to switch to PF then learn how firewalls work and configure it correctly.
 
As a starting point I agree. Add a few things to /etc/rc.conf and you can tweak a default IPFW configuration.
I think compared to IPFW that pf configuration appears more complex (it's really not) and it may be more difficult to bury the config in a rc script. To me that would imply a "/etc/pf.conf.workstation.sample" and others. Not saying it's a bad idea, but I'm sure "patches would be welcome". I think there are plenty of online resources for configuring pf.
 
Well, it's simple isn't it? If you want something simple and pre-configured stick to the firewall_enable and firewall_type. If you want to switch to PF then learn how firewalls work and configure it correctly.
This is not about me.
I already used pf for a while (on desktop and server/NAS) and learned about it by reading the handbook, some parts of the book called "The Book of PF", a few blog articles and various wikis (don't get me wrong, I am not saying that I am mastering it); since then I switched back to IPFW (except for some VMs) because I am more comfortable with it. Maybe it'll change in the future, who knows!
I do not use firewall_type but a personal script, so obviously the benefit of this "potential feature" would not be "specially for me" but for everyone, newcomers included.

As a starting point I agree
It feels good not to be alone; it's an already existing feature in FreeBSD, so it's strange to read reluctant comments about it.

I think compared to IPFW that pf configuration appears more complex (it's really not) and it may be more difficult to bury the config in a rc script.
It's a very different type of configuration; for me its approach implies a good knowledge of the network, like every firewall some would say, but with PF everything is hidden behind sometimes one single word where other firewalls are more descriptive. I imagine it is the reason for its popularity: the syntax is way cleaner and less verbose, so quicker to write and read. As a non-expert I prefer when I can see everything; it's a personal choice.

To me that would imply a "/etc/pf.conf.workstation.sample" and others.
Exactly, you read my mind here; I thought about a /etc/pf.conf.d/pf.conf.open etc., because that's what I did before while I was testing pf in various scenarios.
So instead of rewriting a script every time I just linked these "profiles" and that was it.

Not saying it's a bad idea, but I'm sure "patches would be welcome". I think there are plenty of online resources for configuring pf.
Yes I suppose; the chances I manage to patch something are pretty low, but I'll think of it, thank you for your message.
 
I do not use firewall_type but a personal script, so obviously the benefit of this "potential feature" would not be "specially for me" but for everyone, the new comers included.
Wanting something simple to use kind of excludes the necessity for a specific firewall. They want something simple to enable and use, they're not going to care which of the firewalls actually gets enabled. Having to choose between different firewalls isn't on their radar.
 