Solved Which Firewall should I use for protecting a single machine + implementing a kill switch

I have searched the web, and found these options:
Code:
firewall_enable="YES"
firewall_quiet="YES"
firewall_type="workstation"
firewall_logdeny="YES"

As I understand it, it is a preconfigured default firewall, provided through FreeBSD's IPFW2.
On Linux I had a simple stateful firewall implemented with nftables.
This firewall seems to be for a workstation, but does it deny, for example, SSH connections to a port, too?
Or is there a more strict firewall available?
Which firewall would you recommend?

How would it be possible to implement a kill switch which acts like it does in many VPN applications under Windows/Linux?

If it comes to firewall implementation, I sadly know almost nothing.
 
A good BSD machine doesn't run any services you don't want connections to in the first place.

I am not familiar with the Windows VPN kill switch. Can you elaborate?
 
Is the machine directly connected to the Internet or to an internal network (home or work), and are you just looking to add a little bit more theoretical protection (everyone has their own comfort level on that)?

That said, I agree with cracauer@ on "A good BSD machine doesn't run any services you don't want connections to in the first place."

But if you want to implement a workstation firewall similar to Windows or others, the values in your OP are fine; they default to enabling IPFW, which works just fine.

To me the best "kill switch" is the power cord or at a minimum the ethernet cable. If you are looking at something that drops all connections and completely blocks all traffic in and out, it could probably be done via some command line stuff which means it could be scripted, but you'd need to specify exactly what behavior you are looking for.
 
I will put firewall_logging="YES" also.
Noted that.

I am not familiar with the Windows VPN kill switch. Can you elaborate?
I am using a VPN service which provides WireGuard config files.
I am always connected over LAN, and I am invoking the files through wg-quick up|down.
In case of a sudden disconnection I want to block internet access with my real IP address.
Windows is doing it similarly.

Maybe I need rules to block my real IP address space?
My IP address is assigned through DHCP.

Is the machine directly connected to the Internet
It is connected to a home router from my ISP.

and you are just looking to add a little bit more theoretical protection (everyone has their own comfort level on that).
What I want is:
-> block listening to all ports available on my system
-> block any attempt to connect to my system remotely via SSH for example (not enabled by default on my system), but just in case
-> block all incoming (not needed) traffic

But if you want to implement workstation firewall similar to Windows or others, the values in your OP are fine, they default to enabling IPFW which works just fine.
Ok, so the only thing needed now is to add a kill switch.

If you are looking at something that drops all connections and completely blocks all traffic in and out, it could probably be done via some command line stuff which means it could be scripted, but you'd need to specify exactly what behavior you are looking for.
The behaviour I am looking for is:
-> if wg-quick loses connection to the VPN servers, block my real IP address, and cut the internet connection
-> if wg-quick is not on, block my internet connection
Something along those lines.
 
I would think that your IP connectivity through your VPN is the bigger threat than the ISP address you presumably rarely use (assuming all your traffic goes through the VPN).

Offhand I am not sure whether your rc.conf firewall settings are applied to wireguard interfaces that come up after boot. You might want to check that.
 
I would think that your IP connectivity through your VPN is the bigger threat than the ISP address you presumably rarely use (assuming all your traffic goes through the VPN).
Yes, everything, even the DNS connections.
Mullvad VPN is quite reliable.
I did purchase it with real cash, and had gloves on while preparing the envelope so, no finger prints could be identified.
They actually had a case where the police came in searching for a criminal, and Mullvad could not provide any information regarding the criminal.
So, they are quite trustworthy, maybe?
At least they offer so many options, and do not require your email address, and what not.

Offhand I am not sure whether your rc.conf firewall settings are applied to wireguard interfaces that come up after boot. You might want to check that.
How can I check that?
Sorry, but I am really at a loss when it comes to internet or internet related topics. :'‑(

ipfw: limit 500 reached on entry 65500
What does this statement mean?
 
If you are looking at something that drops all connections and completely blocks all traffic in and out, it could probably be done via some command line stuff which means it could be scripted
Quoted from unixdigest (choosing your browser):
(e.g. a temporary failure in a VPN connection that reveals the true IP address - and thereby the location - of the user).
Since LibreWolf sometimes makes harmless outgoing connections to update uBO, and other things, I cannot allow my real IP to be revealed.
As a side note for the idea of a kill switch.
 
You test a firewall by connecting with telnet to a random port that you don't have a service on. If it times out there probably is a firewall. If it says connection refused then there is no firewall.

If you are sure that you never want to reveal your ISP IP address then you should just shut off all outgoing traffic except to the VPN provider. Permanently. No need for a switch.
 
You test a firewall by connecting with telnet to a random port that you don't have a service on. If it times out there probably is a firewall. If it says connection refused then there is no firewall.
Code:
Input:
telnet 127.0.0.1 telnet 127.0.0.1 10234

Output:
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host

Ok so, the firewall needs to be applied through or after wg-quick, I guess.
 
I found out that my currently enabled rules are:
Code:
Input:
# ipfw list

Output:
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
01100 check-state :default
01200 allow tcp from me to any established
01300 allow tcp from me to any setup keep-state :default
01400 allow udp from me to any keep-state :default
01500 allow icmp from me to any keep-state :default
01600 allow ipv6-icmp from me to any keep-state :default
01700 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
01800 allow udp from any 67 to me 68 in
01900 allow udp from any 67 to 255.255.255.255 68 in
02000 allow udp from fe80::/10 to me 546 in
02100 allow icmp from any to any icmptypes 8
02200 allow ipv6-icmp from any to any icmp6types 128,129
02300 allow icmp from any to any icmptypes 3,4,11
02400 allow ipv6-icmp from any to any icmp6types 3
65000 count ip from any to any
65100 deny { tcp or udp } from any to any 135-139,445 in
65200 deny { tcp or udp } from any to any 1026,1027 in
65300 deny { tcp or udp } from any to any 1433,1434 in
65400 deny ip from any to 255.255.255.255
65500 deny ip from any to 224.0.0.0/24 in
65500 deny udp from any to any 520 in
65500 deny tcp from any 80,443 to any 1024-65535 in
65500 deny log logamount 500 ip from any to any
65535 deny ip from any to any

Basically, somewhere in these options I have to exclude my real IP address range, I think.
 
Code:
Input:
telnet 127.0.0.1 telnet 127.0.0.1 10234

Output:
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host

Ok so, the firewall needs to be applied through or after wg-quick, I guess.

Of course you can't test with localhost. You need to come from a host out in the Internet.
 
Of course you can't test with localhost. You need to come from a host out in the Internet.
Code:
Input:
telnet 8.8.8.8 10234

Output:
telnet: connect to address 8.8.8.8: Operation timed out
telnet: Unable to connect to remote host
Yes, it times out, so there is clearly a firewall there.
That is good.

If you are sure that you never want to reveal your ISP IP address then you should just shut off all outgoing traffic except to the VPN provider. Permanently.
Now I am trying to get that working.

Code:
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
01100 check-state :default
01200 allow tcp from me to any established
01300 allow tcp from me to any setup keep-state :default
01400 allow udp from me to any keep-state :default
01500 allow icmp from me to any keep-state :default
01600 allow ipv6-icmp from me to any keep-state :default
01700 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
01800 allow udp from any 67 to me 68 in
01900 allow udp from any 67 to 255.255.255.255 68 in
02000 allow udp from fe80::/10 to me 546 in
02100 allow icmp from any to any icmptypes 8
02200 allow ipv6-icmp from any to any icmp6types 128,129
02300 allow icmp from any to any icmptypes 3,4,11
02400 allow ipv6-icmp from any to any icmp6types 3
65000 count ip from any to any
65100 deny { tcp or udp } from any to any 135-139,445 in
65200 deny { tcp or udp } from any to any 1026,1027 in
65300 deny { tcp or udp } from any to any 1433,1434 in
65400 deny ip from any to 255.255.255.255
65500 deny ip from any to 224.0.0.0/24 in
65500 deny udp from any to any 520 in
65500 deny tcp from any 80,443 to any 1024-65535 in
65500 deny log logamount 500 ip from any to any
65535 deny ip from any to any
This is an IPFW-generated command list.
My understanding is, it goes from top to bottom, and can evaluate commands in the range of 1 to 65534, with 65535 marking the end.

Syntax:
CMD RULE_NUMBER set SET_NUMBER ACTION log LOG_AMOUNT PROTO from SRC SRC_PORT to DST DST_PORT OPTIONS

My starting point would be:
Code:
Instead of:
00100 allow ip from any to any via lo0

Changed:
10000 deny ip from any to any via lo0
...
10001 allow ip from 0.0.0.0/0 to 193.32.127.66:51820
10002 allow ip from 0.0.0.0/0 to 193.32.127.67:51820
10003 allow ip from 0.0.0.0/0 to 185.201.188.3:51820
...
Something along those lines.
So, only the IP range specified in the WireGuard config files would be allowed, and nothing else.
I guess the same needs to be done for the IPv6 equivalent.
 
Code:
Input:
telnet 8.8.8.8 10234

Output:
telnet: connect to address 8.8.8.8: Operation timed out
telnet: Unable to connect to remote host
Yes, it times out, so there is clearly a firewall there.
That is good.

No, you need to come from a host on the internet, not connect to a host on the internet.
 
I am close to solving the issue.
There seems to be a command set which allows setting kill switch like behaviour per WireGuard config file.
The problem is, it is for Linux iptables.
The code is:
Code:
PostUp  =  iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show  %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show  %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
What would be the equivalent for ipfw2?

EDIT: I am trying out firewall builder, hopefully this will help as it should be able to translate from iptable rules to ipfw2 rules.
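One way to get the "shut off all outgoing traffic except to the VPN provider, permanently" behaviour cracauer@ suggests, written for IPFW instead of the iptables PostUp above; this is an added example, not code from the thread, from FreeBSD or from any VPN provider, and it assumes the physical NIC is em0, the tunnel interface is wg0, and the endpoints are IPv4 host:port pairs as in the poster's WireGuard config files.

```shell
# Added example (not from the thread): print, and optionally load, IPFW rules
# that let only the encrypted WireGuard transport leave the real NIC.
# Assumptions: physical NIC em0, tunnel wg0, IPv4 host:port endpoints.
# Rule numbers 1120-1190 are chosen so the rules land after the workstation
# set's "check-state" (01100) but before its "allow ... from me to any"
# rules (01200+), which would otherwise let ordinary traffic out first.
# Tunnel traffic itself needs no extra rule: it leaves via wg0, where the
# deny below does not apply, and is re-injected as UDP on em0, where the
# endpoint rules match it.

# ks_rules PHYS_IF WG_IF "HOST:PORT [HOST:PORT ...]"  -> prints ipfw rules
ks_rules() {
    phys=$1; wg=$2; endpoints=$3
    # Keep DHCP working (first request from 0.0.0.0 and later unicast
    # renewals) so the LAN lease survives while the tunnel is down.
    echo "add 1120 allow udp from any 68 to any 67 out via $phys"
    # One rule per endpoint; ipfw permits several rules to share a number
    # (the workstation set itself has four rules numbered 65500).
    for ep in $endpoints; do
        host=${ep%:*}; port=${ep##*:}
        echo "add 1130 allow udp from me to $host $port out via $phys keep-state"
    done
    # The kill switch: every other outbound packet on the real NIC, IPv4 or
    # IPv6, is dropped and logged. Log lines stop at the rule's logamount
    # (default: sysctl net.inet.ip.fw.verbose_limit); the thread's
    # "ipfw: limit 500 reached on entry 65500" is that cap being hit on the
    # workstation set's "logamount 500" rule, and "ipfw resetlog" clears it.
    echo "add 1190 deny log ip from any to any out via $phys"
}

# ks_apply PHYS_IF WG_IF "HOST:PORT ..."  -> loads the rules (root, FreeBSD)
# Set IPFW_DRY=1 to have ipfw -n check the syntax without touching the kernel.
ks_apply() {
    ks_rules "$@" | while read -r rule; do
        # word splitting of $rule is intended: it becomes "add 1130 allow ..."
        ipfw -q ${IPFW_DRY:+-n} $rule || return 1
    done
}

# Usage with the three endpoints the poster listed earlier in the thread
# (tunnel name wg0 is an assumption; wg-quick names it after the config file):
# ks_apply em0 wg0 "193.32.127.66:51820 193.32.127.67:51820 185.201.188.3:51820"
```

Because rule 1190 is unconditional, the block stays in force whether or not wg-quick is up, which is exactly the "no switch needed" property; load it once at boot after the workstation rules rather than from PostUp, or the NIC is open again as soon as the tunnel goes down.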
 
Ok, my problems are solved.
Thinking it over for a few nights, I just decided to use the proxy extension of Mullvad VPN, which can only connect to a WireGuard interface.
If the WireGuard interface loses connection to the server, then the proxy is going to block further attempts to connect me to a website.
 