Solved Default freebsd firewall

Hi there,

I got a stupid question... does FreeBSD 11.0-RC3 (and even 10.3-RELEASE) come with a firewall by default, or is it something I have to configure after installation?

I am going to go with "yes, you have to", but I can hopefully be wrong :)

Thanks and kind regards,
 
This "solved" tag leaves me with questions. I read in the documentation that those three firewall implementations are there in order to serve different needs. That's fine, of course. But what exactly are those needs? Can something like a firewall really differ in architecture so that you HAVE to choose? My personal needs are: I want to have a DMZ with either virtual machines or jails, serving the outside world, as well as a local zone with internal services. The client machines should be separated from those, without restrictions on outbound traffic. How can I decide which firewall will be the best fit for this scenario?

From what I understand, IPFW is the "native" FreeBSD firewall, PF is the OpenBSD firewall ported to FreeBSD and IPFILTER is a cross-platform firewall available on several *BSDs. Is this correct? But even if it is, it doesn't help me to decide ... is there some feature comparison somewhere?
 
From what I understand, IPFW is the "native" FreeBSD firewall, PF is the OpenBSD firewall ported to FreeBSD and IPFILTER is a cross-platform firewall available on several *BSDs. Is this correct? But even if it is, it doesn't help me to decide ... is there some feature comparison somewhere?

pf is the most highly regarded, is extremely well-documented, and is configured in a sort of logical flow that makes configs easy to read, so if you're starting from square one I'd say just go with that. You can set up a simple at-home firewall with just a few lines, or set up a complex firewall that's still fairly easy to comprehend from reading the configuration.

ipfilter is a port of the Solaris firewall; it predates the other two, and Solaris admins will already be familiar with it, so that's that. I don't really know what to say about ipfw.
 
IPFW has a few features that neither of the other two has, for example the capability to do Layer 2 filtering. It is also quite different in its rule syntax and formalism, and it is definitely the most "advanced" of the three options.
 
Should I keep this topic open, or leave it as solved? I don't mind either way :) My question has been answered, but if anybody else has more questions (regarding this topic), please feel free to go ahead.
 
But why then did I get "connection refused" when trying to connect over TCP to my server?
Connection refused means you received a RST packet in response to a SYN (connection attempt), which means there's nothing listening on that port. If a firewall blocked it you would get a "connection timed out" or similar error message.

And why do you need to drag up a 7-year-old thread?
 
Connection refused means you received a RST packet in response to a SYN (connection attempt), which means there's nothing listening on that port. If a firewall blocked it you would get a "connection timed out" or similar error message.

And why do you need to drag up a 7-year-old thread?
I wrote a server to listen for TCP connections and tested it on my local machine (Mac), then I moved the server to a remote machine (FreeBSD), and when trying to connect I'm getting an error.

"And why do you need to drag up a 7-year-old thread?" – it is relevant to my request.
 
then I moved the server to a remote machine (FreeBSD), and when trying to connect I'm getting an error.
Your service failed to start or isn't started at all. Or it's listening on a different port. As I said, a "connection refused" means you received a RST. You will receive a RST if you try to connect to a closed port. This has nothing to do with a firewall.

it is relevant to my request.
It's not. There is NO firewall turned on by default. That was the case 7 years ago, and is still the case today.
 
Your service failed to start or isn't started at all. Or it's listening on a different port. As I said, a "connection refused" means you received a RST. You will receive a RST if you try to connect to a closed port. This has nothing to do with a firewall.


It's not. There is NO firewall turned on by default. That was the case 7 years ago, and is still the case today.
Hm... ok, it's strange, because on my local machine it works fine but on the remote machine I get an error :( And by the way, I also can't connect with the VS Code Remote SSH plugin to my FreeBSD server, as I did earlier with a Linux machine.

I think I'll double-check if the firewall is turned on, I don't know what else to do. What else could it possibly be?
 
Hm... ok, it's strange, because on my local machine it works fine but on the remote machine I get an error :( And by the way, I also can't connect with the VS Code Remote SSH plugin to my FreeBSD server, as I did earlier with a Linux machine.
This sounds more like your FreeBSD machine isn't even connected to the network. Or it doesn't have the IP address you think it has, in other words you're connecting to the wrong IP. That IP might belong to a different system (which doesn't have these services running). Another potential cause could be an IP conflict, two machines on the network having the same IP address.
 
If a firewall blocked it you would get a "connection timed out" or similar error message.
This at least should be kind of on-topic in the thread: good firewall software will leave you a choice whether packets are properly rejected (e.g. for TCP using RST) or just dropped.

While most default to the latter behavior, I personally prefer proper rejection. First, it leads to more robust networking behavior (no unnecessary timeouts); second, it won't directly reveal to an attacker that some "firewalling" is in place.
 
This at least should be kind of on-topic in the thread: good firewall software will leave you a choice whether packets are properly rejected (e.g. for TCP using RST) or just dropped.

While most default to the latter behavior, I personally prefer proper rejection. First, it leads to more robust networking behavior (no unnecessary timeouts); second, it won't directly reveal to an attacker that some "firewalling" is in place.
There's some potential that a firewall returning an RST could result in some information leakage. If you look at the difference in the TTL value of the response between an open and a firewalled port, the firewalled port will have a higher TTL value. Pretty much all firewalls default to a 'drop', not a 'block-return'.
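To make the distinction drawn in this thread concrete (refused = a RST came back from a closed port or a "return" policy, timeout = the SYN was silently dropped), here is an added connect probe in C; it is not code from the thread, and the function names probe_tcp and classify_connect_errno are my own.

```c
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum probe_result { PROBE_OPEN, PROBE_REFUSED, PROBE_TIMEOUT, PROBE_OTHER };

// Map the errno left behind by connect() onto the cases discussed above:
// 0 = SYN/ACK came back (something listens), ECONNREFUSED = RST came back
// (closed port, or a firewall with a "return" policy), ETIMEDOUT = no reply
// at all (what a firewall silently dropping the SYN looks like).
enum probe_result classify_connect_errno(int err) {
    if (err == 0) return PROBE_OPEN;
    if (err == ECONNREFUSED) return PROBE_REFUSED;
    if (err == ETIMEDOUT) return PROBE_TIMEOUT;
    return PROBE_OTHER;
}

// One non-blocking TCP connect() to host:port, waiting at most timeout_ms
// (only the first address getaddrinfo() returns is tried).
enum probe_result probe_tcp(const char *host, const char *port, int timeout_ms) {
    struct addrinfo hints, *res;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return PROBE_OTHER;
    int s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (s < 0) { freeaddrinfo(res); return PROBE_OTHER; }
    fcntl(s, F_SETFL, fcntl(s, F_GETFL) | O_NONBLOCK);
    int err = 0;
    if (connect(s, res->ai_addr, res->ai_addrlen) != 0) {
        err = errno;                        // immediate failure, e.g. RST on loopback
        if (err == EINPROGRESS) {           // handshake still running: wait for it
            struct pollfd pfd = { .fd = s, .events = POLLOUT };
            int n = poll(&pfd, 1, timeout_ms);
            socklen_t len = sizeof err;
            if (n > 0) getsockopt(s, SOL_SOCKET, SO_ERROR, &err, &len); // real result
            else err = (n == 0) ? ETIMEDOUT : errno; // our deadline: treat as dropped
        }
    }
    close(s);
    freeaddrinfo(res);
    return classify_connect_errno(err);
}
```

A probe that comes back PROBE_TIMEOUT against a host you can otherwise reach is the "firewall in the way" signature; PROBE_REFUSED is what the original poster saw, and means the packet arrived and nothing was listening.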
 
This sounds more like your FreeBSD machine isn't even connected to the network. Or it doesn't have the IP address you think it has, in other words you're connecting to the wrong IP. That IP might belong to a different system (which doesn't have these services running). Another potential cause could be an IP conflict, two machines on the network having the same IP address.
I can connect to the FreeBSD machine over SSH to compile the server code, so it is visible and has an IP.
 
So, your code is supposed to open a listening socket. You could at least simply verify that with sockstat -l.

And then, maybe we should just have a look at your code. There's a subforum about coding. I agree with SirDice that your problem is (most likely!) in no way related to this thread.
 
So, your code is supposed to open a listening socket. You could at least simply verify that with sockstat -l.

And then, maybe we should just have a look at your code. There's a subforum about coding. I agree with SirDice that your problem is (most likely!) in no way related to this thread.
I've tested the server code on my local Mac and it works. If there were any errors during server startup I'd see them, because I check every return value related to socket creation and listening.

Code (C):
#include <err.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/event.h>
#include <sys/socket.h>
#include <unistd.h>

#define NUM_CLIENTS 10
#define MAX_EVENTS 32
#define MAX_MSG_SIZE 256

extern char * __progname;

struct client_data {
    int fd;
} clients[NUM_CLIENTS];

int get_conn(int fd) {
    for (int i = 0; i < NUM_CLIENTS; i++)
        if (clients[i].fd == fd)
            return i;
    return -1;
}

int conn_add(int fd) {
    if (fd < 1) return -1;
    int i = get_conn(0);
    if (i == -1) return -1;
    clients[i].fd = fd;
    return 0;
}

int conn_del(int fd) {
    if (fd < 1) return -1;
    int i = get_conn(fd);
    if (i == -1) return -1;
    clients[i].fd = 0;
    return close(fd);
}

void recv_msg(int s) {
    char buf[MAX_MSG_SIZE];
    ssize_t bytes_read = recv(s, buf, sizeof(buf) - 1, 0);
    if (bytes_read <= 0)   // error or EOF: nothing to print (EOF is handled via EV_EOF)
        return;
    buf[bytes_read] = 0;
    printf("\nclient #%d: %s", get_conn(s), buf);
    fflush(stdout);
}

void send_welcome_msg(int s) {
    char msg[80];
    sprintf(msg, "welcome! you are client #%d!\n", get_conn(s));
    send(s, msg, strlen(msg), 0);
}

void run_event_loop(int kq, int local_s) {
    struct kevent evSet;
    struct kevent evList[MAX_EVENTS];
    struct sockaddr_storage addr;
    socklen_t socklen = sizeof(addr);

    printf("started to listen\n");
    while (1) {
        int num_events = kevent(kq, NULL, 0, evList, MAX_EVENTS, NULL);
        for (int i = 0; i < num_events; i++) {
            // receive new connection
            if (evList[i].ident == local_s) {
                socklen = sizeof(addr);   // accept() updates socklen, so reset it each time
                int fd = accept(evList[i].ident, (struct sockaddr *) &addr, &socklen);
                if (fd < 0) {
                    warn("accept");
                    continue;
                }
                if (conn_add(fd) == 0) {
                    EV_SET(&evSet, fd, EVFILT_READ, EV_ADD, 0, 0, NULL);
                    kevent(kq, &evSet, 1, NULL, 0, NULL);
                    send_welcome_msg(fd);
                } else {
                    printf("connection refused.\n");
                    close(fd);
                }
            } // client disconnected
            else if (evList[i].flags & EV_EOF) {
                int fd = evList[i].ident;
                printf("client #%d disconnected.\n", get_conn(fd));
                EV_SET(&evSet, fd, EVFILT_READ, EV_DELETE, 0, 0, NULL);
                kevent(kq, &evSet, 1, NULL, 0, NULL);
                conn_del(fd);
            } // read message from client
            else if (evList[i].filter == EVFILT_READ) {
                recv_msg(evList[i].ident);
            }
        }
    }
}

int create_socket_and_listen() {
    struct addrinfo *addr;
    struct addrinfo hints;
    memset(&hints, 0, sizeof hints);
    hints.ai_flags = AI_PASSIVE;
    hints.ai_family = PF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    // a literal host binds that one address only; NULL plus AI_PASSIVE would give the wildcard
    int gai = getaddrinfo("127.0.0.1", "8080", &hints, &addr);
    if (gai != 0)
        errx(1, "getaddrinfo: %s", gai_strerror(gai));
    int local_s = socket(addr->ai_family, addr->ai_socktype, addr->ai_protocol);
    if (local_s < 0)
        err(1, "socket");

    if (bind(local_s, addr->ai_addr, addr->ai_addrlen) != 0)
        err(1, "bind");      // err() appends the errno text, e.g. "Address already in use"

    if (listen(local_s, 5) != 0)
        err(1, "listen");

    freeaddrinfo(addr);
    return local_s;
}

int main(int argc, char *argv[]) {
    int local_s = create_socket_and_listen();
    int kq = kqueue();
    struct kevent evSet;
    EV_SET(&evSet, local_s, EVFILT_READ, EV_ADD, 0, 0, NULL);
    kevent(kq, &evSet, 1, NULL, 0, NULL);
    run_event_loop(kq, local_s);
    return EXIT_SUCCESS;
}
 
So, your code is supposed to open a listening socket. You could at least simply verify that with sockstat -l.

And then, maybe we should just have a look at your code. There's a subforum about coding. I agree with SirDice that your problem is (most likely!) in no way related to this thread.
I think it's not code related, because it works fine on my local machine; I think the problem is related to some FreeBSD settings.
 
Is this supposed to be some sort of troll? I mean, you hardcode 127.0.0.1, the IPv4 address of the local loopback interface, for binding/listening, and expect to connect to that from some remote machine?
Millions of tons of excuses ((( I just copy-pasted it from my local machine. Now it works on the remote machine too. Thank you :)
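As an added example (not the poster's code), the same listener written so that the host is a parameter, NULL selects the wildcard address via AI_PASSIVE, every call is checked, and a helper reports what sockstat -l would show for the bound address; create_listener and listens_on_wildcard are names I chose.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

// Open a listening TCP socket, or return -1 with the reason on stderr. host == NULL with
// AI_PASSIVE yields the wildcard address (0.0.0.0 or ::), reachable from other machines;
// a literal "127.0.0.1" is reachable from the host itself only. Every address is tried.
int create_listener(const char *host, const char *port) {
    struct addrinfo hints, *res, *ai;
    memset(&hints, 0, sizeof hints);
    hints.ai_flags = AI_PASSIVE;
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    int rc = getaddrinfo(host, port, &hints, &res);
    if (rc != 0) {
        fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(rc));
        return -1;
    }
    int s = -1;
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (s < 0) continue;
        int one = 1;   // let a restarted server re-bind while old connections sit in TIME_WAIT
        setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
        if (bind(s, ai->ai_addr, ai->ai_addrlen) == 0 && listen(s, 5) == 0)
            break;
        perror("bind/listen");
        close(s);
        s = -1;
    }
    freeaddrinfo(res);
    return s;
}

// 1 if the socket is bound to the wildcard address (sockstat -l shows "*:port"), else 0.
int listens_on_wildcard(int s) {
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    if (getsockname(s, (struct sockaddr *)&ss, &len) != 0) return 0;
    if (ss.ss_family == AF_INET)
        return ((struct sockaddr_in *)&ss)->sin_addr.s_addr == htonl(INADDR_ANY);
    if (ss.ss_family == AF_INET6)
        return IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)&ss)->sin6_addr);
    return 0;
}
```

Passing "127.0.0.1" reproduces the thread's mistake and listens_on_wildcard() reports 0; passing NULL gives the remotely reachable listener.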
 