Solved Firewall for home user?

Hello.
I am using 11.1 on my two laptops. One has a wireless card which is currently not supported; the other's wireless card is out of order. I have 8.1 on one laptop and a desktop, neither of which has wireless connectivity. I don't have a technical use for FreeBSD on these four machines. I use them as a normal home user. As I have fairly old machines, except one, I use XFCE.

I thoroughly read the entire chapter (#29) on firewalls from the handbook. I also went through some posts on this forum, and "A Beginner's Guide To Firewalling with pf" at srobb.net. But none of the articles were intended for a single-user computer.

I would like a firewall/rule-set that would provide me the best possible security for internet use. Is there any thread/post already out there? If not, could anybody kindly guide me on how to do it?

Thanks a lot in advance.
—usernamekiran
 
I would like a firewall/rule-set that would provide me the best possible security for internet use. Is there any thread/post already out there? If not, could anybody kindly guide me on how to do it?

I've posted the pf ruleset I use on my laptops before. It's very restrictive on incoming connections.

I included a less radical version of it in my tutorial:

Code:
### Macro name for external interface
ext_if = "Network Interface Designation Goes Here"

### Pass loopback (options such as "set skip" must come before scrub and filter rules)
set skip on lo0

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Block spoof
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any

### Keep and modulate state of outbound traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
 
I suppose the best possible thing to achieve is basically to block all incoming traffic and use stateful filtering on the outgoing traffic, as long as its origin is local.

Then optionally open ports which you might need.
 
Till now, I have not done anything regarding the firewall. Where should I start? Also, where should I put the code?

As the title says — "Firewall for home user", IMHO ipfw should fully satisfy a regular home user,
and even not only "regular", and not only "home", because it also works very well.
Just add
Code:
firewall_enable="YES"
firewall_type="workstation"

# log denied packets to /var/log/security
firewall_logdeny="YES"
to /etc/rc.conf.

Then execute # service ipfw start.

If you also need ssh support and, for example, vnc, also add
Code:
firewall_myservices="22 5900"
firewall_allowservices="any"

Here are all the available options for the "workstation" firewall type:
Code:
        # Configuration:
        #  firewall_myservices:         List of ports/protocols on which this
        #                                host offers services.
        #  firewall_allowservices:      List of IPv4 and/or IPv6 addresses
        #                                that have access to
        #                                $firewall_myservices.
        #  firewall_trusted:            List of IPv4 and/or IPv6 addresses
        #                                that have full access to this host.
        #                                Be very careful when setting this.
        #                                This option can seriously degrade
        #                                the level of protection provided by
        #                                the firewall.
        #  firewall_logdeny:            Boolean (YES/NO) specifying if the
        #                                default denied packets should be
        #                                logged (in /var/log/security).
        #  firewall_nologports:         List of TCP/UDP ports for which
        #                                denied incoming packets are not
        #                                logged.
See /etc/rc.firewall to view all available options.
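With firewall_logdeny="YES" the denied packets end up in /var/log/security, and the useful next step is to actually read that log. The shell script below is an added example, not code from this thread or from FreeBSD's rc.firewall; it parses ipfw log entries in the layout documented in ipfw(8) (rule number, action, protocol, source, destination, direction, interface), counts inbound denies, ranks the source addresses and lists the destination ports that were probed. The log lines are constructed samples (the host name, addresses and the interface wlan0 are made up), the function names are my own, and only IPv4 entries are handled.

```shell
#!/bin/sh
# Summarise ipfw "Deny" entries of the kind firewall_logdeny="YES" sends to
# /var/log/security. Entry layout as documented in ipfw(8):
#   ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in|out via <if>
# ICMP entries carry the type in the protocol field and no ports:
#   ipfw: <rule> Deny ICMP:8.0 <src> <dst> in via <if>
# IPv4 only: IPv6 addresses contain colons and would need separate parsing.

# Constructed sample log (made-up host, addresses and interface name).
SAMPLE_LOG='Mar  3 10:15:01 laptop kernel: ipfw: 65000 Deny TCP 203.0.113.7:51234 192.0.2.10:22 in via wlan0
Mar  3 10:15:02 laptop kernel: ipfw: 65000 Deny TCP 203.0.113.7:51235 192.0.2.10:23 in via wlan0
Mar  3 10:15:05 laptop kernel: ipfw: 65000 Deny UDP 198.51.100.4:5353 192.0.2.10:5353 in via wlan0
Mar  3 10:15:09 laptop kernel: ipfw: 65000 Deny ICMP:8.0 203.0.113.7 192.0.2.10 in via wlan0
Mar  3 10:15:11 laptop kernel: ipfw: 65000 Deny TCP 203.0.113.7:51236 192.0.2.10:445 in via wlan0
Mar  3 10:16:00 laptop kernel: ipfw: 65000 Deny TCP 192.0.2.10:40000 203.0.113.7:80 out via wlan0'

# Print "srcip proto dport" for every inbound Deny entry in the log text given
# as $1. Outbound denies are skipped; ICMP entries get "-" as the port.
inbound_denies() {
    printf '%s\n' "$1" | awk '
        /ipfw: [0-9]+ Deny / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            proto = $(i + 3); src = $(i + 4); dst = $(i + 5); dir = $(i + 6)
            if (dir != "in") next
            split(proto, p, ":")          # "ICMP:8.0" -> "ICMP"
            split(src, s, ":")            # "addr:port" -> addr
            n = split(dst, d, ":")        # port present only for TCP/UDP
            print s[1], p[1], (n > 1 ? d[2] : "-")
        }'
}

# Number of inbound denied packets.
inbound_deny_count() { inbound_denies "$1" | wc -l | tr -d ' '; }

# Source addresses ranked by inbound denies, as "count address".
top_sources() {
    inbound_denies "$1" | awk '{ c[$1]++ } END { for (a in c) print c[a], a }' | sort -rn
}

# Distinct TCP/UDP destination ports that were denied, space-separated.
probed_ports() {
    inbound_denies "$1" | awk '$3 != "-" { print $3 }' | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

echo "inbound denies: $(inbound_deny_count "$SAMPLE_LOG")"
echo "top sources:"
top_sources "$SAMPLE_LOG"
echo "probed ports: $(probed_ports "$SAMPLE_LOG")"
```

On a real machine, feed the live log in with `top_sources "$(cat /var/log/security)"`; a single address hitting 22, 23 and 445 in a few seconds, as in the sample, is the usual port-scan signature and a reason to keep firewall_allowservices narrow rather than "any".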
 
Rather than repeat myself, would you please take a look at where I already explain how to set it up?

What firewall rules you use are up to you.

As the title says — "Firewall for home user", IMHO ipfw should fully satisfy a regular home user,
and even not only "regular", and not only "home", because it also works very well.

Hi. Thanks for the replies, everybody. If I understood correctly, should I go with the following method?

Step 1:
Create /etc/pf.conf with the following contents:
Code:
block in all
pass out all keep state

Step 2:
Add the following code to /etc/rc.conf
Code:
moused_enable="YES"
mouse_type="auto"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
powerd_enable="YES"
powerd_flags="-a adaptive -b hiadaptive"
sendmail_enable="NO"
fsck_y_enable="YES"
swapexd_enable="YES"
mixer_enable="YES"
snddetect_enable="YES"
syslogd_flags="-c -ss"
linux_enable="YES"
clear_tmp_enable="YES"
clear_tmp_X="YES"
avahi_daemon_enable="YES"
firewall_enable="YES"
firewall_type="workstation"
# log denied packets to /var/log/security
firewall_logdeny="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

Step 3:
Add the following content to /etc/pf.conf
Code:
### Macro name for external interface
ext_if = "Network Interface Designation Goes Here"

### Pass loopback (options such as "set skip" must come before scrub and filter rules)
set skip on lo0

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Block spoof
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any

### Keep and modulate state of outbound traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

Step 4:
Reboot.

Regards,
usernamekiran.
 
Hi.
  1. You do not need the mouse stuff if you are using a USB mouse, just for a PS/2 one;
  2. sysutils/powerdxx works better than the powerd for most people;
  3. fsck_y_enable="YES" only makes sense if you will be using UFS and not ZFS. Also, it does not fix everything automatically. If there are problems you may need to run it manually in single-user mode;
 
Hi. Thanks for the replies, everybody. If I understood correctly, should I go with the following method?
...

Step 2:
Add the following code to /etc/rc.conf
Code:
firewall_enable="YES"
firewall_type="workstation"
# log denied packets to /var/log/security
firewall_logdeny="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
...



No!!!! You do not need to create pf.conf to use ipfw; they are two different firewall implementations!
pf and ipfw are two different firewalls!!!


All you need to do:

1. Just add
Code:
firewall_enable="YES"
firewall_type="workstation"

# log denied packets to /var/log/security
firewall_logdeny="YES"
to /etc/rc.conf.


2. Execute # service ipfw start


3. You're using ipfw firewall now.


4. ???


5. PROFIT!
 
Hi.
  1. You do not need the mouse stuff if you are using a USB mouse, just for a PS/2 one;
  2. sysutils/powerdxx works better than the powerd for most people;
  3. fsck_y_enable="YES" only makes sense if you will be using UFS and not ZFS. Also, it does not fix everything automatically. If there are problems you may need to run it manually in single-user mode;
Understood.

No!!!! You do not need to create pf.conf to use ipfw; they are two different firewall implementations!
pf and ipfw are two different firewalls!!!

Erm... A user cannot use two firewalls at the same time? I mean, the settings posted above would be secure, right? Or would it cause problems, inconvenience, and/or errors?
 
Yes, you've made the mistake of adding the ipfw lines ILUXA provided to your /etc/rc.conf file. ;)

ILUXA and I have discussed this before and I respect his opinion. He is of the opinion that ipfw is sufficient for home users, and it no doubt is. I've always used the pf firewall going back to PC-BSD, and use it on my OpenBSD box, so that's what I prefer. I don't need remote access and use restrictions in my rules some people might think excessive.

But choose one or the other and learn about it.
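The mix-up above, ipfw lines and pf lines both sitting in /etc/rc.conf, is easy to catch before rebooting. The script below is an added example, not code from this thread or from FreeBSD; it reads an rc.conf-style file and reports whether firewall_enable and pf_enable are both set, and, for firewall_type="workstation", whether firewall_myservices lists ports while firewall_allowservices names no address (per the option descriptions quoted earlier in the thread, those ports are opened only to the addresses in firewall_allowservices, so such a list stays closed). The three rc.conf fragments are constructed samples and the function names are my own.

```shell
#!/bin/sh
# Inspect an rc.conf for the two configuration slips this thread turns on:
# both firewalls switched on at once, and ipfw "workstation" services listed
# without any address allowed to reach them. Plain text inspection, so it
# runs anywhere; on FreeBSD, sysrc(8) reads the same file the same way.

# Value of a variable in an rc.conf-style file: comment lines are skipped,
# the last assignment wins (as when rc(8) sources the file), quotes stripped.
rc_value() {
    awk -v key="$2" -F= '
        /^[ \t]*#/ { next }
        $1 == key  { v = $2 }
        END        { gsub(/"/, "", v); print v }' "$1"
}

# Uppercase helper so YES/yes/Yes compare alike.
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Which firewall(s) the file enables: prints none, ipfw, pf or both.
firewalls_enabled() {
    ipfw=$(upper "$(rc_value "$1" firewall_enable)")
    pf=$(upper "$(rc_value "$1" pf_enable)")
    case "$ipfw/$pf" in
        YES/YES) echo both ;;
        YES/*)   echo ipfw ;;
        */YES)   echo pf ;;
        *)       echo none ;;
    esac
}

# For firewall_type="workstation": are the listed services actually reachable?
# rc.firewall only opens $firewall_myservices to the addresses named in
# $firewall_allowservices, so a service list with no allow list stays closed.
# Prints: ok, unreachable-services, or n/a (not a workstation ruleset).
workstation_services() {
    [ "$(rc_value "$1" firewall_type)" = "workstation" ] || { echo n/a; return; }
    svc=$(rc_value "$1" firewall_myservices)
    allow=$(rc_value "$1" firewall_allowservices)
    if [ -n "$svc" ] && [ -z "$allow" ]; then echo unreachable-services; else echo ok; fi
}

# Run both checks on a block of rc.conf text and print "firewalls/services".
check_rc_text() {
    f=$(mktemp)
    printf '%s\n' "$1" > "$f"
    printf '%s/%s\n' "$(firewalls_enabled "$f")" "$(workstation_services "$f")"
    rm -f "$f"
}

# Constructed sample: the OP's proposal, with ipfw and pf both enabled.
SAMPLE_BOTH='firewall_enable="YES"
firewall_type="workstation"
# log denied packets to /var/log/security
firewall_logdeny="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"'

# Constructed sample: ipfw only, SSH listed but no address allowed to reach it.
SAMPLE_NO_ALLOW='firewall_enable="YES"
firewall_type="workstation"
firewall_myservices="22"'

# Constructed sample: ipfw only, as ILUXA suggests, with SSH and VNC opened.
SAMPLE_IPFW='firewall_enable="YES"
firewall_type="workstation"
firewall_logdeny="YES"
firewall_myservices="22 5900"
firewall_allowservices="any"'

for s in "$SAMPLE_BOTH" "$SAMPLE_NO_ALLOW" "$SAMPLE_IPFW"; do
    check_rc_text "$s"
done
```

On a FreeBSD box, point the checks at the real file with `firewalls_enabled /etc/rc.conf` and `workstation_services /etc/rc.conf`; `sysrc firewall_enable pf_enable` shows the same two values the first check reads.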
 
(a very thoughtful) hmm. That makes sense. Learning about one at a time.

I will go with ILUXA's suggestion. :)

Thanks for your help everybody.
(Are you guys on Wikipedia too? If not, you should seriously consider joining it.)
See you around. :)
 