Solved Application Firewall

Does MAC do anything similar? I have Sandboxie with jails. I want Zone Alarm. Tripwire is just a tattletale.

Looking at mac_bsdextended(4) it appears it can.

The actual firewall:

Small Primer

Can you whitelist applications?
My traditional approach has been NanoBSD. Simply rip everything out you don't need.
I would like to hear alternatives.
 
So /etc/rc.bsdextended file is the controller.
Examples from the script.
Code:
# Build a generic list of rules here, these should be
# modified before using this script.
#
# For apache to read user files, the ruleadd must give
# it permissions by default.
####
#${CMD} add subject uid 80 object not uid 80 mode rxws;
#${CMD} add subject gid 80 object not gid 80 mode rxws;

####
# majordomo compat:
#${CMD} add subject uid 54 object not uid 54 mode rxws;
#${CMD} add subject gid 26 object gid 54 mode rxws;

####
# This is for root:
${CMD} add subject uid 0 object not uid 0 mode arxws;
${CMD} add subject gid 0 object not gid 0 mode arxws;

####
# And for majordomo:
#${CMD} add subject uid 54 object not uid 54 mode rxws;
#${CMD} add subject gid 54 object not gid 54 mode rxws;

####
# And for bin:
${CMD} add subject uid 3 object not uid 3 mode rxws;
${CMD} add subject gid 7 object not gid 7 mode rxws;
Time to read the frigging manual.
add subject uid xx
object not uid xx
mode $$$$
 
So are you looking for something that will let you "block out traffic from program XYZ", kind of like what I think Windows Firewall will do?
What do the uid/gid apply to? The originator of the traffic? If a user is browsing the web, I don't think the uid/gid of the outbound traffic is going to be anything but the user's uid/gid.

My opinion, take it for what it costs you, the best "application firewall" is:
Use PF
Start with default deny in/out all interfaces, ok you can set skip on lo
Figure out what is broken
Add pass rules to allow that traffic out, keep state will allow the return traffic.

You can have functional systems with not much allowed.
DNS, HTTP/HTTPS, NTP for a start, maybe add some of the mail traffic (25, imap/imaps) really isn't much at all for a working system.

default deny is good because it means "connections that ORIGINATE outside your box are denied by default"
 
I agree with mer. PF is quite nice.
On a desktop/workstation, this is a good start:
Code:
jbo@beefy02 /u/h/jbo> cat /etc/pf.conf 
# Interfaces
if_loc0="lo0"

# Skip on localhost
set skip on { $if_loc0 }

# Rules
block in all
pass out all
 
I am really just exploring the capabilities of FreeBSD. MAC has been around quite a while.

This is my focus

MAC Policy Enforcement
File System
File system mounts, modifying directories, modifying files, etc.


File control. Automatically block not automatically run.
Check against list if OK to run or even view. Hence these permissions in example:
mode rxws
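The "block by default, only run what is on the list" idea can be expressed directly in mac_bsdextended(4) rules. The following is an added example written in the style of /etc/rc.bsdextended; it is not the stock script and not code from anyone in this thread. It assumes the restricted user is uid 1001 (a constructed value) and, so that it can be dry-run anywhere, defaults CMD to echo, which prints the ugidfw commands instead of loading them. Subject is the process owner, object is the file touched, and mode lists the accesses that stay allowed when the rule matches (a admin, r read, s stat, w write, x execute, n none); a file that matches no rule is not restricted.

```shell
#!/bin/sh
# Added example, not the system /etc/rc.bsdextended.
# Assumptions (not from the thread):
#   RESTRICTED_UID  the unprivileged user to confine (constructed: 1001)
#   CMD             "echo" by default so this script only prints the rules;
#                   run with CMD=/usr/sbin/ugidfw on a FreeBSD host with
#                   mac_bsdextended loaded to actually install them.
CMD="${CMD:-echo}"
RESTRICTED_UID="${RESTRICTED_UID:-1001}"

gen_rules() {
    # Root keeps full access to files it does not own (same rule the
    # stock script uses), so pkg(8), upgrades and backups keep working.
    ${CMD} add subject uid 0 object not uid 0 mode arxws

    # The confined user may read, stat, write and administer regular files
    # that root does not own, but may NOT execute them.  Root-owned files
    # (/bin, /usr/bin, /usr/local/bin ...) match no rule and stay runnable,
    # which yields an "only run what root installed" whitelist.
    # "type r" limits the rule to regular files, so directory lookups in the
    # user's home, ttys and sockets are left alone.
    ${CMD} add subject uid "${RESTRICTED_UID}" object not uid 0 type r mode arsw
}

gen_rules
```

To use it for real, load the policy (kldload mac_bsdextended, or mac_bsdextended_load="YES" in /boot/loader.conf), set ugidfw_enable="YES" in /etc/rc.conf, and put the two rule lines into /etc/rc.bsdextended; ugidfw list shows what is loaded and ugidfw remove takes a rule out again. Keep in mind that this blocks exec(2) of a file the user wrote, not reading it: sh ~/script.sh still works, because the interpreter only needs read access to the script. Try the ruleset on a throwaway account first, since a mistyped object clause can make a system unusable for that user.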

This thread was moved to the Networking category.
I am sorry for the confusion.
 
This thread was moved to the Networking category.
MAC is similar (conceptually) to SELinux, basically locking down applications and actions on a machine. Not directly related to network traffic, but more a superset/finer-grained control over what a user or application can actually do (extension beyond standard chmod, setgid type of stuff).
It was probably moved to networking because the config snippet you have looks similar to ipfw rules. Without knowing what {CMD} is, there is no way of knowing what you are trying to do.

The term firewall is over used and without enough context I lose what is meant.

It sounds like your basic question is:
Are there any tools that make it easy for me to write FreeBSD Mandatory Access Control rules to lock down my workstation?

Is that a reasonably close restatement?
 
Are there any tools that make it easy for me to write FreeBSD Mandatory Access Control rules to lock down my workstation?

Is that a reasonably close restatement?
Absolutely.
And the goals may have changed when I found out what I have to work with.

Little Snitch is much like Zone Alarm. An internet application firewall.
Tells you what is sending packets behind your back. Has block rules.

So I did expand the scope with the available toolset at hand. MAC File Control is much more comprehensive.
 
Sorry. What I thought is that it's enough to put this in /etc/pf.conf and then your desktop/workstation is secured.
# Interfaces
if_loc0="lo0"

# Skip on localhost
set skip on { $if_loc0 }

# Rules
block in all
pass out all
 
That gives you the "block all traffic that originates from outside on all interfaces, pass out all traffic that originates from me". I think "keep state" is the default on pass rules, so that should allow replies to your traffic to come back. The skip for localhost means don't filter traffic at all on lo0.
That certainly is a good default configuration, others may tighten up the pass rules to only allow a subset of traffic out. Amazing how far you can get if the only things you allow out are DNS, NTP, HTTP/HTTPS, SSH and some email related ports.
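Here is the tighter version mer and jbo describe (default deny in and out, skip on lo0, explicit pass rules for DNS, NTP, HTTP/HTTPS, SSH and mail) as an added example; it is not a config anyone in this thread posted. The ruleset is emitted by a shell function so it can be written to /etc/pf.conf and syntax-checked with pfctl -n before loading. The outside interface name em0 is an assumption; set EXT_IF to match your NIC.

```shell
#!/bin/sh
# Added example ruleset, not taken from the thread.
# Assumption: the outside interface is em0 (override with EXT_IF=...).
EXT_IF="${EXT_IF:-em0}"

pf_ruleset() {
cat <<EOF
# Interfaces
ext_if="${EXT_IF}"

# Do not filter loopback at all
set skip on lo0

# Default deny in AND out on every interface.  Anything not passed
# below is dropped, so traffic only leaves through an explicit pass
# rule.  pass rules keep state by default, so replies to our own
# connections come back in without a matching "pass in".
block all

# Name resolution and time
pass out on \$ext_if proto udp to any port { domain, ntp }
pass out on \$ext_if proto tcp to any port domain

# Web and remote shells
pass out on \$ext_if proto tcp to any port { http, https, ssh }

# Mail: smtp (25), submission (587), imap/imaps
pass out on \$ext_if proto tcp to any port { smtp, submission, imap, imaps }

# Outgoing ping helps while "figuring out what is broken"
pass out on \$ext_if inet proto icmp icmp-type echoreq
EOF
}

pf_ruleset
```

Usage: pf_ruleset > /etc/pf.conf, then pfctl -nf /etc/pf.conf to parse without loading, and pfctl -f /etc/pf.conf once it is clean. Rule order matters in pf: the last matching rule wins unless it says quick, which is why block all comes first and the pass rules follow it. Anything that breaks after loading this (a DHCP client that talks through the stack, a printer, a chat client) shows up as a new pass line, which is exactly the "figure out what is broken, then add a pass rule" loop from above.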
 
I found this about the PF firewall: https://www.adminbyaccident.com/freebsd/how-to-freebsd/how-to-configure-the-pf-firewall-on-freebsd/ Is it something that can be used? I come from Linux where there was a graphical program "GUFW", so it's a little different in FreeBSD.
Yes, that looks like a reasonable tutorial. A favorite of mine is a book called "The Book of PF" by Peter Hansteen. It's been out for a while, a little bit OpenBSD-centric, but the basics apply to FreeBSD. It lays things out so you can understand them. I'm not sure if it's been updated or even still in print.
Just checked, https://www.amazon.com/Book-PF-3rd-No-Nonsense-Firewall-ebook/dp/B00O9A7E88 is up to at least a 3rd version. At 396 pages it's more than double the one I have.
 
Thanks everyone I am going to mark this as Solved.
I will direct my future questions at ugidfw, which offers what I desire: an application firewall.

I also recommend The Book of PF. I used version 2 and for basic usage it is all you will need. Little changes.
I do like the way he spells it out for all 3 BSD versions. I really felt I learned from that book.
I tried cut and paste from the web and the Firewall Builder, but dug out the book and had it going in 12 hours.
All the other ways were great to learn terminology, but in the end you have to write your own rules and recognize that the rule order is just as important.

Having an outside network to double check on your work is most helpful.
 