Do you use a firewall on your BSD system behind a home router?

Some of the DIY systems I've tried leave it up to the user to install and configure a firewall. Will I be safe behind a firewalled home router if I don't configure the system?
What are the default security defaults in FreeBSD?
 
I typically enable the "workstation" variation of the firewall on my BSD systems, simply because it's easy to do and gives you "default deny in, permit out all keep state".

2 lines in /etc/rc.conf:
firewall_enable="yes"
firewall_type="workstation"

If you want to allow some traffic to originate from outside the box, like the ability to ssh into it, a few more lines in /etc/rc.conf take care of that:

Example: The following 2 lines allow ssh in from 2 specific hosts.
firewall_myservices="ssh/tcp"
firewall_allowservices="192.168.251.11 192.168.252.11"

What are the default security defaults in FreeBSD?
That's a bit harder/longer to answer, but from a networking standpoint, "whatever service exposes a listening port is available". Sounds scary, but it's actually not that many in the default configuration of a base install. The more applications you add, the more you can have; an easy way to see is this command, which lists all IPv4 and IPv6 listening ports numerically:

sockstat -ln46

(that's a lowercase L)

If you ignore user processes like firefox, typically you'd see sshd, syslogd, ntpd, dns (if you've started unbound). A lot of the default config for the services listens on localhost only. A lot of what's started depends on what's enabled in /etc/rc.conf.
 
will I be safe behind a firewalled home router
If you mean those commercial products typically provided by ISPs or bought on the market, you need to learn and understand the features of that product.
If you can configure this "home router" you may be fine within your needs or just not. It depends on your needs.
 
I personally don't trust these "plastic routers". That's why I bought one that can be configured to act only as a DSL modem. I'm using a bhyve VM acting as router/firewall instead, with exclusive access to all physical NICs by PCI passthrough. This of course has another drawback: If some attacker manages to hijack another jail/vm on that machine and escape it, that attacker could also manipulate the firewall. Therefore, the best solution would be a dedicated firewall machine. But at least, the firewall is fully under my control.
 
No. But after ISP's converter I'm using my Mikrotik router with the custom rules (basically pass out, deny in). On Windows VMs where I do forward mstsc I'm using ACLs on them to allow only certain ranges. Other VMs where I allow SSH I don't keep firewall on. I used to have ACLs for OpenVPN but I found it easier to SSH to a client and forward whatever I needed.
 
I tend to not set up a firewall at all on my workstation machines. Mainly because I rarely listen on any TCP/UDP ports. netstat / sockstat are useful for verifying this.

However, I am behind a server acting as a gateway, proxy, etc. that I use a firewall on; not necessarily for security (again, I only open ports for things I want public anyway) but instead for NAT, port forwarding and tunnels.
 
I was looking for a minimal configuration that doesn't interfere with normal desktop use. I didn't know about the default types (firewall_type). Configuring the firewall on FreeBSD is still a pending issue for me, I'm not a networking guy. Thanks for the answers.
 
Many if not most of the home routers run some version of Linux and use iptables internally.
Some allow ssh access so you can check the actual kernel rules yourself.
They are OK-ish for a home setup as long as you don't expose any admin/diagnostic interface to the net.
Most of them have various security bugs / backdoors that are never properly fixed but are exploitable (mostly) only from the LAN side.

I have no firewall on my workstation (mac) and an ISP-provided ONT/router (which is trivial to root from the inside).
 
This is the topology of a typical home network:

[Image: home network diagram]

For many people, the ISP modem, switch and access point are part of the multi-purpose home router.

Anyway, the security is determined normally by two things:
a) operating system of the router itself
b) exposing ports to the internet.

When talking about a firewall, what's normally meant is the packet filter built into the router. A firewall can do more than that when using other programs/techniques.

Default setup of packet filters is normally to allow all outbound traffic from your internal network to the internet, where the router is normally doing NAT, while dropping all incoming traffic which was not generated via NAT. That's it.

A packet filter can only decide based on origin, destination, port and some other stuff if it accepts a connection or not. It does not inspect the traffic. Firewalls based only on packet filtering are therefore highly overrated, because they will not prevent you from downloading nasty stuff. The biggest security problem always sits before the computer, you know. They are covering you in a false sense of security which simply isn't there.

There are also various techniques around, which were created e.g. back then by Skype, to punch holes into firewalls.

Also keep in mind that running a real firewall would also include the need to sometimes have a look at your files, so that you can adapt your rules and such, because running an additional firewall on your desktop systems will offer no additional security, since e.g. some bad program could just want to connect to somewhere on port 443, so HTTPS. How are you able to judge if that outbound request is good or bad then, if not looking into the traffic?

So at the end of the day most people are fine with such a setup like above. Those who need more normally are also paying nice prices for that.

So coming back to the firewall: only expose to the internet what is really necessary, the rest should be protected and dropped. Running a firewall behind a home router normally does not increase your security.
 
I understand. You can download a program that calls home, you don't necessarily need the incoming connection, besides the other devices connected to the LAN are also hot spots. A false sense of security, a very accurate expression.
 
On a network, Windows machines are very chatty, always have been. Sending out lots of broadcast packets for their LAN segment, "Here I am! I am sharing these resources, what are you sharing". That would be seen by all the devices behind the switch in the picture above.

Running a packet filtering firewall on a workstation can (usually does) reduce the load on the workstation because you can filter out/drop that traffic if you are not interested in it very early on in the "Stack" from wire to application.
Network hygiene is typically what it's called. "Don't spew stuff you shouldn't, drop stuff as early as you can if you aren't interested"
 
I understand. You can download a program that calls home, you don't necessarily need the incoming connection
Absolutely. This is generally what a proxy is very useful for. If you need to run scummy software, simply don't give it the details of the proxy (i.e. tinyproxy/ssh -D) or the gateway and it can't escape the network.

I get an odd satisfaction watching Windows squirm trying to contact the "update" servers.
 
I did run a firewall behind a commodity router at one time. With up to three connections to the Internet I used two, one through a commodity router and the other directly connected. However, the number of scans on my network is about 80k/day, so I decided to redeploy the router for use as a single switch (and guest network) and use a second interface on my firewall (it has 6 interfaces) to connect to my ISP. Now my network traffic goes through interface B while interface A, which has assumed the router's MAC, is used for the rest of the house. I had an unused interface on the firewall which allowed me to easily reconfigure.

The firewall uses ipfilter, though at one point it used ipfw alongside ipfilter so it could be used for traffic shaping at one point long ago. I may re-enable traffic shaping at some point in the future.
 
I tend to not set up a firewall at all on my workstation machines. Mainly because I rarely listen on any TCP/UDP ports. netstat / sockstat are useful for verifying this.
Same here. Sockstat to check the local machine and some online portscanner to check the plastic router from outside.
 
While it certainly is entertaining to read what others do and do not do, make sure that your personal needs match the posters' ones. Good luck on verifying this. Oh! Wait a minute, what about the reputation of an avatar in Internet forums? Huh!?
 
There are many reports of back doors on the consumer "WiFi router gateways". And they keep on coming...

It's certainly very sensible to enable a workstation firewall if you are roaming, or at any time you are connected to a network you don't fully trust.

At home, I run a custom Internet gateway with firewall on separate hardware. I have full control.

The issue with having both a workstation firewall, and a firewall at the Internet gateway, is that you have to endure double NAT. This mostly won't worry you except for issues of some very specific protocols, e.g. SIP, including VOIP.
 
At home, I run a custom Internet gateway with firewall on separate hardware. I have full control.

The issue with having both a workstation firewall, and a firewall at the Internet gateway, is that you have to endure double NAT. This mostly won't worry you except for issues of some very specific protocols, e.g. SIP, including VOIP.
You are absolutely correct. One acquires some skills over time on how a company firewall should be configured, e.g. setting up a DMZ.

Those consumer grade routers have limited functionalities. A switch to robust firewall changes the game.

I got on Fortinet at a job interview and it looked like *Sense, needless to say I found my way around it.

Pretty much all *BSD machines on the SOHO network have a fairly complex pf-based firewall.

Edit: Fortinet not fortinent.
 
The issue with having both a workstation firewall, and a firewall at the Internet gateway, is that you have to endure double NAT.
NAT is a separate function from packet filtering/firewalling. IPFW on FreeBSD does not enable NAT, PF needs specific NAT rules.
A lot of consumer grade "wireless router/modem/firewall" devices (internet gateway) do have NAT automatically enabled, but running workstation firewall profile on FreeBSD does not enable NAT.

/etc/defaults/rc.conf:
rc.conf:firewall_nat_enable="NO" # Enable kernel NAT (if firewall_enable == YES)
rc.conf:natd_enable="NO" # Enable natd (if firewall_enable == YES).
rc.conf:ipnat_enable="NO" # Set to YES to enable ipnat functionality
 
I was looking for a minimal configuration that doesn't interfere with normal desktop use. I didn't know about the default types (firewall_type). Configuring the firewall on FreeBSD is still a pending issue for me, I'm not a networking guy. Thanks for the answers.

I will strongly suggest taking mer's advice in post #2 and subsequently, by enabling the 'workstation' firewall_type as shown.

You can refine it later if need be, but it does a very good job of protecting an individual system without adding undue restrictions. It was added later than the other types by Poul-Henning Kamp, one of the original ipfw authors.

Consider adding to rc.conf
firewall_logdeny=YES as well, so you'll see reports of blocked packets in /var/log/security, which may suggest useful rules to add later - but it's safe and solid 'out of the box'.

You can use
Code:
# ipfw -ted show
anytime as root to see which rules were used and when, including active and expired dynamic (stateful) rules, reference ipfw(8).
 
I personally consider "desktop firewalls" (host-based packet filters, "workstation" firewall type, whatever you want to call it, I'm talking about packet filtering on the workstation/desktop that should be protected itself) unnecessary.

BUT: It depends a lot on the nature of your network. My POV here is a private network already protected by a firewall with several network zones, and all workstations/clients sitting in an internal, trusted zone.

So, the conclusion could already change a lot when we're for example talking about mobile devices (notebooks) that are potentially used in untrusted networks as well.

As always when talking about security: Almost everything depends on your scenario ;)
 
As always when talking about security: Almost everything depends on your scenario
Yep.
Laptops and other mobile things are always interesting corner cases, by definition, they may be behind network access that you don't control/trust. Public wifi, work wifi, bunch of others. In that case you would want to run something on your device; being lazy it's easier to leave it running even when behind trusted resources.

But again, all just my opinion, I have my reasons for doing so, it's fine if others disagree.
 