Is there a firewall running after fresh install - 7.1

Hello, I'm new to FreeBSD.

I just finished a fresh install of 7.1 and all went well. I used the standard/user options during installation.

Is there a firewall running on my system after this install? I don't see a firewall entry in rc.conf, but my system is acting as if there was a firewall around it.

If there is one, how can I tell?

Thanks in advance
 
GENERIC kernel? No. No firewall. If there's no firewall indicated using a custom kernel, it can only run as a module, which means it should show up in kldstat.
 
What makes you think there might be a firewall? What are you trying to do that fails? Trying to use it as a router without gateway_enable, or something?
 
No firewall is configured out of the box. However, the default kernel does include pf and ipfw as modules. For example, to configure pf, add something like the following:
Code:
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pf_rules="/etc/pf.conf"
Once done, create /etc/pf.conf:
Code:
# Macros: services and ICMP types referenced by the rules below
tcp_services = "{ ssh, smtp, domain, www, https, ntp, 43, ftp, ftp-data }"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"

# Addresses to block, loaded from a file
table <blockedip> persist file "/etc/pf.block.ip.conf"

# Source/destination ranges that should never appear on the external interface
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

ext_if = "em1"
int_if = "em0"

# Options have to come before scrub and filter rules
set skip on { lo0, $int_if }

scrub in all

# Default policy: block everything, then open what is needed
block in all
block return

pass out keep state

block in quick from urpf-failed

antispoof log for $ext_if

block drop in log (all)  quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians

block drop in log (all)  quick on $ext_if from <blockedip> to any
block drop out log (all) quick on $ext_if from any to <blockedip>

# Outbound services
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

# Inbound services (a rule takes one state keyword: keep, modulate or synproxy)
pass in on $ext_if proto tcp from any to any port 25 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy state
pass inet proto icmp all icmp-type $icmp_types keep state

See pf man page or PF faq @ openbsd.org
 
I think OP does not want a firewall, but suspects he's saddled with one.
 
Is there a firewall after install?

Thanks both of you for your help.

I thought the server was behind a router because I'm trying to set up OpenVPN (bridge) and I can connect, but cannot ping or browse the local net computers. I can browse the internet from the client too. On the other hand, I can ping the client from the network.

If there is no firewall, then it must be my configuration...

On to the firewall. Is PF the better choice for 7.1? I found a book, The Book of PF, that looks like a good one.
 
Each firewall has its fans, but I'll endorse PF without reservations.
 
Acts like a firewall...

DutchDaemon said:
GENERIC kernel? No. No firewall. If there's no firewall indicated using a custom kernel, it can only run as a module, which means it should show up in kldstat.

If that is the case, why is ssh the only thing that shows up on a port scan?

On FreeBSD 7.1-RELEASE (GENERIC) #0: Thu Jan 1 14:37:25 UTC 2009

Code:
m4# kldstat
Id Refs Address    Size     Name
 1    7 0xc0400000 97f830   kernel
 2    1 0xc0d80000 6a2c4    acpi.ko
 3    1 0xc3136000 22000    linux.ko
 
FreeBSD installs no network servers by default, so the fact that ssh is open means you must have opened it yourself (sshd_enable="YES" is probably in /etc/rc.conf). The fact that no other port is open does not mean there's a firewall installed. It just means that FreeBSD lets you decide which network servers to install/activate.
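
An added example, not part of any post in this thread: a small sh script that checks the two indicators the replies mention, a firewall module in `kldstat` output and an enable entry in rc.conf. The module names `ipfw.ko` and `ipl.ko`, the knobs `firewall_enable` and `ipfilter_enable`, and the function names are assumptions beyond what the thread shows; a firewall compiled into a custom kernel would not appear as a `.ko` line and is not covered.

```shell
#!/bin/sh
# Added example (not from the thread): look for a loaded firewall module
# and an rc.conf enable knob, the two indicators discussed above.

# Read `kldstat` output on stdin; print any firewall modules it lists.
loaded_fw_modules() {
    awk 'NR > 1 && ($5 == "pf.ko" || $5 == "ipfw.ko" || $5 == "ipl.ko") { print $5 }'
}

# Read rc.conf text on stdin; print firewall knobs whose last assignment is
# a "yes" value (rc.subr accepts YES, TRUE, ON or 1, case-insensitively).
enabled_fw_knobs() {
    awk -F= '
        { sub(/#.*/, "") }                      # drop comments
        /^[ \t]*(pf_enable|firewall_enable|ipfilter_enable)=/ {
            k = $1; gsub(/[ \t]/, "", k)
            v = tolower($2); gsub(/[^a-z0-9]/, "", v)
            enabled[k] = (v == "yes" || v == "true" || v == "on" || v == "1")
        }
        END {
            n = split("pf_enable firewall_enable ipfilter_enable", order, " ")
            for (i = 1; i <= n; i++) if (enabled[order[i]]) print order[i]
        }'
}

# $1 = kldstat output, $2 = rc.conf contents; prints a one-line summary.
firewall_status() {
    mods=$(printf '%s\n' "$1" | loaded_fw_modules | paste -sd ' ' -)
    knobs=$(printf '%s\n' "$2" | enabled_fw_knobs | paste -sd ' ' -)
    if [ -z "$mods" ] && [ -z "$knobs" ]; then
        echo "no firewall module loaded, none enabled in rc.conf"
    else
        echo "loaded: ${mods:-none}; enabled in rc.conf: ${knobs:-none}"
    fi
}

# kldstat output as posted in the thread.
KLDSTAT_PAGE='Id Refs Address    Size     Name
 1    7 0xc0400000 97f830   kernel
 2    1 0xc0d80000 6a2c4    acpi.ko
 3    1 0xc3136000 22000    linux.ko'
# Constructed samples: rc.conf with only sshd on, and a kldstat listing with pf loaded.
RC_SAMPLE='sshd_enable="YES"
#pf_enable="YES"'
KLDSTAT_PF="$KLDSTAT_PAGE
 4    1 0xc3200000 33000    pf.ko"

firewall_status "$KLDSTAT_PAGE" "$RC_SAMPLE"
firewall_status "$KLDSTAT_PF" 'pf_enable="YES"'
# On a live system: firewall_status "$(kldstat)" "$(cat /etc/rc.conf)"
```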
 