[Solved] Basic firewall config for a host

Bogdan

New Member

Reaction score: 1
Messages: 13

Hello, everyone, and nice to meet you!

I am new to FreeBSD (so fresh that I'm downloading the ISO as I write, that means I've never used FreeBSD before). I come from the Linux world and one of the first things I do when I install a distro, before going to update and configure it, is to set up the firewall (iptables in that case). I thought that the two hours it would take for the download to complete were just good to figure out how to set up a basic firewall on FreeBSD.

So I read about IPFW in the FreeBSD handbook (I'll get to pfSense later!) and I used that information to craft a firewall config for my host (a single desktop machine without NAT or network services right now) and, since I don't have the OS installed and running, I'd like to make sure that the steps I'm going to take are the right ones, especially when it comes to editing files which actually start the firewall.

If anyone would like to take two minutes to check the config steps posted below (or provide any suggestion to make it better), it would be very helpful and much appreciated!

Thank you!

**********************

Code:
/etc/rc.conf
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"

/etc/sysctl.conf
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5

/etc/ipfw.rules
#!/bin/sh
# Run by /etc/rc.d/ipfw (firewall_script). Rules are evaluated in number
# order and the first match wins, so the ordering below matters.
ipfw -q -f flush
cmd="ipfw -q add"
INT1="re0"

# Loopback: allow everything on lo0, and drop 127/8 addresses seen on the
# real interface in either direction (they can only be spoofed there).
${cmd} 00010 allow ip from any to any via lo0
${cmd} 00011 deny log all from any to 127.0.0.0/8 in via $INT1
${cmd} 00012 deny log all from 127.0.0.0/8 to any out via $INT1
${cmd} 00013 deny log all from 127.0.0.0/8 to any in via $INT1

# Drop all IP fragments
${cmd} 00014 deny all from any to any frag

# Match replies to connections recorded by the keep-state rules below
${cmd} 00020 check-state

# Allow out DNS requests
${cmd} 00110 allow udp from me to 8.8.8.8 53 out via $INT1 keep-state
${cmd} 00111 allow udp from me to 8.8.4.4 53 out via $INT1 keep-state

# Allow out HTTP and HTTPS over TLS
${cmd} 00200 allow tcp from me to any 80 out via $INT1 setup keep-state
${cmd} 00220 allow tcp from me to any 443 out via $INT1 setup keep-state

# Allow out SMTPS, POP3 over SSL & IMAP over SSL
${cmd} 00231 allow tcp from me to any 465 out via $INT1 setup keep-state
${cmd} 00232 allow tcp from me to any 993 out via $INT1 setup keep-state
${cmd} 00233 allow tcp from me to any 995 out via $INT1 setup keep-state

# Allow out ping
${cmd} 00250 allow icmp from me to any out via $INT1 keep-state

# Allow to synchronize with a remote NTP server
${cmd} 00260 allow udp from me to any 123 out via $INT1 keep-state

# Allow out SSH
${cmd} 00280 allow tcp from me to any 22 out via $INT1 setup keep-state

# deny and log everything else that's trying to get out.
${cmd} 00299 deny log all from any to any out via $INT1

#################################################################
# INBOUND SECTION
#################################################################

# Anti-spoofing: drop inbound packets claiming RFC 1918, link-local,
# documentation, reserved or multicast source addresses. Note that this
# also blocks LAN peers if the host itself sits on a private network.
${cmd} 00450 deny all from 192.168.0.0/16 to any in via $INT1
${cmd} 00451 deny all from 172.16.0.0/12 to any in via $INT1
${cmd} 00452 deny all from 10.0.0.0/8 to any in via $INT1
${cmd} 00453 deny all from 0.0.0.0/8 to any in via $INT1
${cmd} 00454 deny all from 169.254.0.0/16 to any in via $INT1
${cmd} 00455 deny all from 192.0.2.0/24 to any in via $INT1
${cmd} 00456 deny all from 204.152.64.0/23 to any in via $INT1
${cmd} 00457 deny all from 224.0.0.0/3 to any in via $INT1

# Deny in pings
${cmd} 00470 deny icmp from any to any in via $INT1

# Deny in ident
${cmd} 00480 deny tcp from any to any 113 in via $INT1

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
${cmd} 00490 deny tcp from any to any 137 in via $INT1
${cmd} 00491 deny tcp from any to any 138 in via $INT1
${cmd} 00492 deny tcp from any to any 139 in via $INT1
${cmd} 00493 deny tcp from any to any 81 in via $INT1

# Reject & Log all incoming connections from the outside
${cmd} 00515 deny log all from any to any in via $INT1

# Catch-all: deny and log anything not matched above (e.g. on other interfaces)
${cmd} 00999 deny log all from any to any
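
As an added illustration (not from the post or from FreeBSD), a small Python first-match tracer over an excerpt of the ruleset above, to check what the static rules do with a given packet before the box is even booted. It assumes the host's own addresses in ME and that $INT1 is re0, and it does not model keep-state/check-state, so reply packets are judged by the static rules alone.

```python
import ipaddress
import re
# Excerpt of the post's ruleset, embedded here as constructed sample input ($INT1 = re0).
SCRIPT = """
${cmd} 00010 allow ip from any to any via lo0
${cmd} 00014 deny all from any to any frag
${cmd} 00110 allow udp from me to 8.8.8.8 53 out via $INT1 keep-state
${cmd} 00220 allow tcp from me to any 443 out via $INT1 setup keep-state
${cmd} 00299 deny log all from any to any out via $INT1
${cmd} 00450 deny all from 192.168.0.0/16 to any in via $INT1
${cmd} 00515 deny log all from any to any in via $INT1
${cmd} 00999 deny log all from any to any
"""
ME = {"203.0.113.10", "127.0.0.1"}  # assumed host addresses covered by the "me" keyword
IFACES = {"$INT1": "re0"}           # the script's interface variable
RULE = re.compile(r"^\$\{cmd\}\s+(\d+)\s+(allow|deny)(?:\s+log)?\s+(\S+)\s+from\s+(\S+)"
                  r"(?:\s+(\d+))?\s+to\s+(\S+)(?:\s+(\d+))?(.*)$")
def parse_rules(script):
    # Static allow/deny rules in script order; check-state is skipped because dynamic
    # state is not modelled, so reply packets are judged by the static rules alone.
    rules = []
    for line in script.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue
        num, action, proto, src, sport, dst, dport, rest = m.groups()
        opts = rest.split()
        via = opts[opts.index("via") + 1] if "via" in opts else None
        rules.append({"num": int(num), "action": action, "proto": proto, "src": src,
                      "sport": sport, "dst": dst, "dport": dport, "via": IFACES.get(via, via),
                      "dir": next((o for o in opts if o in ("in", "out")), None),
                      "frag": "frag" in opts, "setup": "setup" in opts})
    return rules
def addr_match(spec, addr):
    if spec in ("any", "me"):
        return spec == "any" or addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
def matches(r, p):  # every option present on the rule must hold for the packet
    return (r["proto"] in ("ip", "all", p["proto"])
            and addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])
            and r["sport"] in (None, str(p.get("sport"))) and r["dport"] in (None, str(p.get("dport")))
            and r["dir"] in (None, p["dir"]) and r["via"] in (None, p["iface"])
            and (not r["frag"] or p.get("frag", False)) and (not r["setup"] or p.get("syn", False)))
def trace(packet, rules=None):
    # First-match walk: (rule number, action) deciding the packet, else the kernel's default 65535.
    for r in rules or parse_rules(SCRIPT):
        if matches(r, packet):
            return r["num"], r["action"]
    return 65535, "deny"
```

A packet is a dict with proto, src, dst, dir and iface (plus optional dport, syn, frag); tracing an outbound UDP/53 packet to 1.1.1.1 lands on rule 299, which shows that only the two listed resolvers are reachable.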
 

Bogdan

New Member

Reaction score: 1
Messages: 13

It should be in rc.conf.
Thank you, you are right! It didn't work with the initial setup, so I had to figure it out. I updated the config and the script to reflect the changes.

I have to say that the networking speed is simply amazing with FreeBSD.
 