Help needed: FreeBSD firewall

Dear All,
Actually I need help regarding a firewall for FreeBSD.

Kindly let me know which firewall is best in FreeBSD. I want the functionality below, according to my network requirements.

By now I'm using Debian and Fedora with Firewall-jay, which supports the first 4 functions mentioned below, but in my opinion FreeBSD is better than Ubuntu/Debian, so I need a solution for FreeBSD. I'm new to FreeBSD, but I can get help from the internet. But I need the solution for all, if possible.

1. Transparent Squid
2. IP block (listed in a file)
3. MAC block (listed in a file)
4. VPN

If also possible:

5. P2P blocking

Any help would be greatly appreciated.
Waiting for your reply.

Warm regards!
 
1) http://forums.freebsd.org/showthread.php?t=10874
2) yes
3) not 100% sure but yes
4) security/openvpn good enough?

5) Tricky, because just arbitrarily blocking ports doesn't work.

To prevent the last I would make sure no workstation can access the Internet directly. Browsing is done via a proxy, email is done via the company mail server. There's usually no real reason why any workstation would need to connect to something on the Internet directly. Proper configuration of the workstations is also key, of course. If they're Windows clients, start by removing all local administrator access.
 
Dear Sir,
Thanks for addressing all the requisites number-wise.
What the problem actually is, is that I have to block IPs and MAC addresses for Windows clients when they are using P2P or some other software sucking bandwidth.

Just help me make a script or a firewall rule that will get IPs and MACs from a txt file and block them, as I have about 80 MACs and IPs blocked and saved in a txt file which my firewall reads when it is reloaded.

e.g.
mac.deny.txt
containing

AA:BB:CC:DD:EE:F1
AA:BB:CC:DD:EE:F2
AA:BB:CC:DD:EE:F3

You may get the idea from DutchDaemon's post http://forums.freebsd.org/showpost.php?p=35342&postcount=9
 
Actually I want to put all MACs in one file and all IPs in a second file, so that whenever I update a file and reload the firewall it reads the file and picks up which IPs and MACs need to be blocked.

My present firewall is doing that for me, but it's an rpm file and I'm using it on Debian and Fedora.

By now I want to use pf, as it also provides CBQ and other features.

DutchDaemon has given an idea but I cannot understand what he said.

http://forums.freebsd.org/showpost.php?p=35342&postcount=9
 
DD gave an example of how to read a list of IPs and load them into ipfw, which is a different firewall. Do note that FreeBSD comes with 3 different firewalls. Pick one and stick with it. Personally I like PF.

For storing lists of addresses PF uses tables. You can store those in a separate file. You can also add/remove addresses 'on-the-fly'.
http://www.openbsd.org/faq/pf/tables.html

Is this a company network or something else? If it's a company network I would make sure the regulations state that p2p software isn't allowed at all. Then simply make it impossible. No need to waste time finding hoggers :)
 
Amanat,

I am working on a very similar project myself. I'm running Squid (non-transparent: LDAP auth), OpenVPN, and PF on FreeBSD. I've got everything working for the most part, so I may be able to help you.

Here is an example from my pf.conf with regard to tables:

Code:
table <emerging-threats> persist file "/usr/local/etc/IPBlocks/EmergingThreats"

block drop in log quick on $ext_if from <emerging-threats> to any
block drop out log quick on $ext_if from any to <emerging-threats>
 
I am also planning the project you are working on, but I didn't find any good how-to, so I haven't completed it yet. Please do share your project of Squid, LDAP etc.

I have been confused between pf and ipfw.

Which one to use that will allow me to do what I want?

MAC blocking, IP blocking, transparent Squid, etc. etc.?

Any suggestions and a good how-to on transparent Squid on FreeBSD 8.0 or 7.2?

Thanks in advance.
 
Both IPFW and PF are able to block IPs. They can also be used to set up transparent proxies.

However, you won't be able to block MACs with PF. Blocking MACs isn't really useful since MACs can be changed easily.

Just block everyone, and then let authenticated users through. Take a look at authpf.
 
If you really really really really want something based on MAC address, you can write a small script that lifts the MAC addresses from arp -a, takes the IP addresses associated with them, and adds the ones you need to block to a table in pf by IP address.

Put the offending MAC address(es) in a textfile, use grep -f against the output of arp -a, use cut/awk to get the IP, use pfctl -t some_table -Ta IP-address, put it in cron, let it run every 5 minutes, etc etc.
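The MAC-to-IP lookup sketched above, written out as an added example script (not DutchDaemon's own code). It assumes a hypothetical pf table named <macblock>, declared in pf.conf as "table <macblock> persist" and referenced by a block rule, and a deny file /usr/local/etc/mac.deny.txt in the one-MAC-per-line format shown earlier in the thread. The sample arp -an output and deny list embedded in the script are constructed so the lookup can be exercised offline; with --apply it reads the live ARP cache and rewrites the table with pfctl.

```shell
#!/bin/sh
# Added example, not from the thread: turn a MAC deny list into pf table
# entries by looking the MACs up in the ARP cache. Hypothetical names: the pf
# table <macblock> (declared 'table <macblock> persist' in pf.conf) and the
# deny file path below.

MAC_FILE=${MAC_FILE:-/usr/local/etc/mac.deny.txt}
PF_TABLE=${PF_TABLE:-macblock}

# Constructed sample of FreeBSD 'arp -an' output, used for the offline demo.
SAMPLE_ARP='? (192.168.1.10) at aa:bb:cc:dd:ee:f1 on em0 expires in 1176 seconds [ethernet]
? (192.168.1.11) at aa:bb:cc:dd:ee:f2 on em0 expires in 900 seconds [ethernet]
? (192.168.1.12) at 00:11:22:33:44:55 on em0 permanent [ethernet]
? (192.168.1.13) at (incomplete) on em0 expired [ethernet]'

# Constructed sample deny list, in the thread's format (one MAC per line).
SAMPLE_MACS='AA:BB:CC:DD:EE:F1
AA:BB:CC:DD:EE:F3'

# blocked_ips ARP_TEXT MAC_LIST
# Prints one IP per line for every ARP entry whose MAC is in MAC_LIST.
# Matching is case-insensitive and on the whole MAC field, so a deny entry
# cannot match a longer or merely similar address the way a bare
# 'grep -f' substring match could; CRLF line endings in the list are tolerated.
blocked_ips() {
    printf '%s\n' "$1" | awk -v macs="$2" '
        BEGIN {
            n = split(macs, a, "\n")
            for (i = 1; i <= n; i++) {
                m = tolower(a[i]); gsub(/[ \t\r]/, "", m)
                if (m != "") want[m] = 1
            }
        }
        # arp -an line: ? (IP) at MAC on IFACE ...; incomplete entries carry
        # "(incomplete)" in the MAC field and therefore never match.
        $3 == "at" && (tolower($4) in want) {
            ip = $2; gsub(/[()]/, "", ip); print ip
        }'
}

# apply_block: rebuild the pf table from the live ARP cache. '-T replace'
# makes the table exactly the computed set, so a MAC removed from the file is
# unblocked on the next run, which '-T add' alone would never do.
apply_block() {
    blocked_ips "$(arp -an)" "$(cat "$MAC_FILE")" |
        pfctl -t "$PF_TABLE" -T replace -f -
}

# Run with --apply from cron (e.g. every 5 minutes) as root; with no argument
# the script only runs the offline demo against the constructed sample.
if [ "${1:-}" = "--apply" ]; then
    apply_block
else
    echo "Demo: IPs to block from the constructed sample:"
    blocked_ips "$SAMPLE_ARP" "$SAMPLE_MACS"
fi
```

Because the ARP cache only holds hosts that have talked recently, a blocked machine that is idle at the moment cron fires is simply picked up on a later run; the table is rebuilt in full each time, so nothing accumulates across runs.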
 
Sir,
Are you suggesting PF or IPFW? I am also interested in bandwidth shaping with pf, as Squid delay pools are not controlling uploads.

At the beginning I compiled the FreeBSD kernel four times for pf.

Still I didn't get a step-by-step tutorial for transparent Squid, to bring a smile to my tired face. Lolz.

Please send me links for pf and transparent proxy; SBS would be better.

Thanks to all who are helping me solve problems.

Awaiting.
 
DutchDaemon said:
If you really really really really want something based on MAC address, you can write a small script that lifts the MAC addresses from arp -a, takes the IP addresses associated with them, and adds the ones you need to block to a table in pf by IP address.

Put the offending MAC address(es) in a textfile, use grep -f against the output of arp -a, use cut/awk to get the IP, use pfctl -t some_table -Ta IP-address, put it in cron, let it run every 5 minutes, etc etc.

Sir, I lack experience in scripting; that is why I still haven't been able to run my firewall for transparent proxy. Secondly, I am new to FreeBSD.
 
Amanat said:
Are you suggesting PF or IPFW? I am also interested in bandwidth shaping with pf, as Squid delay pools are not controlling uploads.

For traffic shaping, there's altq(4) for PF, and dummynet(4) for IPFW.

At the beginning I compiled the FreeBSD kernel four times for pf.

You can just load the module for pf (# kldload pf). No need to compile a custom kernel unless ALTQ is in use.

Still I didn't get a step-by-step tutorial for transparent Squid, to bring a smile to my tired face. Lolz.

Please send me links for pf and transparent proxy; SBS would be better.

Transparent proxy has been asked quite a few times already. A quick search should produce some promising results.

There are also some other examples on the web:

The configuration for Squid should be the same for all OSes. Only the firewall settings should vary.

For people new to PF, I'd recommend reading these:

Hope it helps.
 
Do you _have_ a user/group 'squid'?

# grep squid /etc/group /etc/passwd

# ps aux | grep squid
 
Which version of pf is on FreeBSD 8.0? I see but not found for 8.0 (in RELENG_7 pf is at OpenBSD 4.1). Also OpenBSD 4.5 has a patch for pf. Is pf on 8.0 sure enough?
 
I've been using Squid/PF since dinosaurs roamed the earth (roughly 6,000 years, some say). There's nothing new about (or needed for) this setup.
 
While creating the cache dir I used nobody:nobody. I am away from the system as I came home from the office; by tomorrow I will verify.
After enabling pf I wasn't able to ssh, so I thought let's quarrel with it tomorrow.
What I think is that it doesn't have one, as I compiled Squid myself.
 
Use the ports tree. It'll save you a lot of time and energy, and you won't shoot yourself in the foot.

Just:
Code:
# cd /usr/ports/www/squid
# make config install clean

For Squid 3.0, switch to www/squid30 instead.

Remember to select the correct options for transparent proxy.
 
FreeBSD, Squid, OpenVPN, and PF

Amanat said:
I am also planning the project you are working on, but I didn't find any good how-to, so I haven't completed it yet. Please do share your project of Squid, LDAP etc.

Dear Amanat,

Unfortunately, there are no shortcuts for this project; you need to study until you understand your system. I recommend you read and follow the book "Squid: The Definitive Guide". By the time you go through it you'll understand Squid well enough to be able to maintain it later. I read the book and many how-tos before I got it working. I never found one how-to that had everything I needed.

Following is the portion of my squid.conf that relates to LDAP authentication:

Code:
auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -R -b "dc=yourdomain,dc=net" -D "cn=Squid,cn=Users,dc=yourdomain,dc=net" -w "S1quid!@#$" -f "sAMAccountName=%s" -h 192.168.75.101
# 192.168.75.101 is the IP of your AD server
auth_param basic children 5
auth_param basic realm Internet Access Authentication
auth_param basic credentialsttl 5 minutes

For OpenVPN, I recommend you read the book "Building a Server with FreeBSD 7", chapter 19. This was the easiest part of the project because the instructions are very clear. OpenVPN works great!!

Once I got these three systems working together (FreeBSD, Squid, and OpenVPN), I started working on pf, which is where I am now.

Good luck and keep asking questions as you go.
 
Dear mbr661,
I am interested in transparent Squid + FreeRADIUS + MySQL auth. I want to run Squid transparently, and I want to use FreeRADIUS and MySQL for authentication and user logins, as I have more than 1000 concurrent clients.
 
I have configured Squid from source, Squid 2.7 STABLE7.
Now I want

the FreeBSD box to act as
1. transparent proxy
2. local caching name server
3. firewall


When I turn off the firewall,

Squid using the browser proxy setting works,
the local caching name server/DNS also works,

but the firewall is creating a problem.

There is no user squid on my machine; I chowned the cache directory nobody:nobody.

Squid is working but I want it to work transparently.
Also I want to allow DNS from the local net and ssh from external and internal.

Help please
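An added example pf.conf (not mbr661's or any other poster's configuration) that puts together the pieces discussed in this thread: the file-backed table from mbr661's snippet, a second table for the MAC-derived entries, the rdr for transparent Squid, and the DNS-from-LAN and ssh-from-both-sides rules asked for in the last post. It uses the OpenBSD 4.1-era syntax that FreeBSD 7.x/8.0 ship (separate rdr and nat rules). Interface names em0/em1, the deny-file path, the table names and Squid listening on port 3128 with "http_port 3128 transparent" are assumptions, not values from the thread.

```pf
# Added example pf.conf for FreeBSD 7.x/8.0; interface names, paths, table
# names and the Squid port are assumptions, not values from the thread.
ext_if = "em0"
int_if = "em1"
localnet = $int_if:network
squid_port = "3128"      # Squid 2.7: 'http_port 3128 transparent' in squid.conf

# Deny lists live outside pf.conf so they can be edited without touching the
# rules. One address or CIDR per line; 'persist' keeps the table alive even
# when it is empty, and the file is re-read on every full reload.
table <ip_deny> persist file "/usr/local/etc/ip.deny.txt"
# <macblock> has no file: a cron script fills it with the IPs the blocked MACs
# currently hold, since pf itself cannot match on MAC addresses.
table <macblock> persist

set skip on lo0
scrub in all

# Transparent proxy: LAN web traffic is redirected to Squid on this box before
# filtering happens, so no browser proxy setting is needed.
rdr on $int_if proto tcp from $localnet to any port 80 -> 127.0.0.1 port $squid_port
# Outbound NAT for whatever the LAN is still allowed to reach directly.
nat on $ext_if from $localnet to any -> ($ext_if)

# Default deny inbound; everything below is an explicit exception.
block in log all

# Blocked LAN hosts: 'quick' makes these win over any later pass rule.
block drop in log quick on $int_if from <ip_deny> to any
block drop in log quick on $int_if from <macblock> to any

# Services on the firewall itself: ssh from outside and inside, DNS from the
# LAN only (the caching name server never answers the Internet).
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state
pass in on $int_if proto tcp from $localnet to $int_if port 22 keep state
pass in on $int_if proto { tcp, udp } from $localnet to $int_if port 53 keep state
# Redirected port-80 connections arrive with 127.0.0.1:$squid_port as destination.
pass in on $int_if proto tcp from $localnet to 127.0.0.1 port $squid_port keep state

# Everything else the LAN sends out; tighten this once workstations only go
# via the proxy, as suggested earlier in the thread.
pass in on $int_if from $localnet to any keep state

pass out on $ext_if keep state
pass out on $int_if keep state
```

Reloading with pfctl -f /etc/pf.conf re-reads both the rules and ip.deny.txt; to refresh only the table after editing the file, pfctl -t ip_deny -T replace -f /usr/local/etc/ip.deny.txt does it without a full reload, and pfctl -t ip_deny -T show lists what is currently blocked. The rdr rule only catches port 80, so HTTPS and anything on other ports still follows the nat rule; that is the gap the earlier advice about forcing all browsing through the proxy is aimed at.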
 