New And Confused (Firewalls)

Kaj · Nov 20, 2008

Hello group.

I've managed to get Freebsd-7.0 installed with kde...so far I'm loving
it. Just figured out how to update ports via portsnap and install
them with portmaster. So far so good.

I googled freebsd security and came across the article below.
http://www.onlamp.com/pub/a/bsd/2002/08/08/FreeBSD_Basics.html
Disabled the stuff/sevices that I wasn't using in /etc/rc.conf
sshd/sendmail etc.

This is a desktop system that I'm wanting to build a firewall for, from
what I've read the PF firewall is the way to go. I'm behind a router
and all off the on-line security test shows everything to be stealth,
dunno how good these cheap linksys hardware firewalls are, best add
another layer of protection.

I'm a total loss here. The more I read and google about PF the more
confused I get about rules/syntax. (Don't laugh, but I've never wrote a
firewall rule in my life) I come from Linux where I just installed
programs like firestarter that had a GUI and I just pointed and clicked.

Is there an idiots guide to PF or books you could recommend? I really
want to learn this system.

Mandatory Access Control also looks very confusing to me.
http://www.freebsd.org/doc/en/books/handbook/mac.html
How do you know what files need mac access etc?

TIA

Mel_Flynn · Nov 20, 2008

Kaj said:
I'm a total loss here. The more I read and google about PF the more
confused I get about rules/syntax. (Don't laugh, but I've never wrote a
firewall rule in my life) I come from Linux where I just installed
programs like firestarter that had a GUI and I just pointed and clicked.

Is there an idiots guide to PF or books you could recommend? I really
want to learn this system.

First of, desktops need little protection in general. I suspect your router just does NAT. If you enabled a "Forward all incoming traffic to my desktop", then you need to add some filtering.

I would start with

Code:

sockstat -4l

. This lists all IPv4 listeners along with the program that created this listener. Anything you don't want to have accessed from the outside, you write down.

The best source about pf configurations is `man pf.conf` and a more step-by-step approach in the PF Faq.

The important thing to remember about PF is that there's a lot of ways to do the same things and they are ultimately translated to simple block and pass rules. Achors, tables, macros and tags all assist the administrator in providing more intuitive and manageable ways to maintain rulesets.

Kaj said:
Mandatory Access Control also looks very confusing to me.
http://www.freebsd.org/doc/en/books/handbook/mac.html
How do you know what files need mac access etc?

MAC is more of an enterprise feature, giving more fine grained control to system administrators over system calls, program envocation, document access, etc, using multiple parameters to deny or allow access. It's more suitable for routers, application and document servers, allthough it's probably possible to implement parental control on a shared desktop through MAC, it's not it's primary focus.

jb_fvwm2 · Nov 20, 2008

grab a few well-commented freebsd ipfw configuration
files from the web, edit them to suit your
network/machine topology, and test the results a bit?
...............
might be easier/quicker (a few days) than learning
ipfw itself.
Not that the latter would be worse, depends upon
how much time you have

Djn · Nov 20, 2008

All you really need is to block all incoming traffic except responses to outgoing queries, and whatever you explicitly want in - this is only a few rules.

The OpenBSD guide to pf is decent. Paring their example down a bit, how about this?

Code:

ext_if = "re0"
tcp_services = "{22, 80}"
icmp_types="echoreq"

set skip on lo
scrub in
block in
pass out keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state

That allows ssh, http, ping requests, and answers to outgoing queries in, and everything out.

Note that this is entirely untested.

hugo · Nov 20, 2008

As Mel said, man pf.conf and http://www.openbsd.org/faq/pf are the best references. With some practice and (even) just the manpage, you can write a working ruleset.

tbyte · Nov 20, 2008

I personally prefer IPFW syntax. Probably because I'm used to it. But it does it's job pretty good and I have never needed anything else except PF's in kernel NAT on some of ours heavy loaded machines (which do only NAT currently

). But when libalias is ported reliably in the kernel I'll switch to only IPFW setups.

PS: I really want to see some performance tests of PF vs IPFW

robertclemens · Nov 20, 2008

If you have an interest in actually learning firewalling and syntax for writing your own policies and you know neither pf or ipfw; I would kindly suggest learning pf as it's usage is on the rise. PF is quite the capable firewall and it's syntax is useful and neat.

IPFW is very very easy to get up and going and it would be recommended if you just wanted to get a firewall up quick and easy and don't give a hoot n' hollar about learning much about writing your own firewall scripts. IPFW has several easy to read/modify scripts out on the web for immediate usage and requires very little understanding to put it to use.

The best place I found for figuring PF out was reading other people's script they had tossed together. Shortly thereafter you can piece it all together and follow it just like reading a book.

Good luck to you.

nage · Nov 20, 2008

Hello.

I think the idea of packet filtering is simple and straightforward, most people have problem with it just because them don't know basic TCP/IP, so if you don't know it, I strongly recommend you to read about it before you proceed.

* Trying to filter traffic on a network without understanding the network will just make your work harder if not impossible.

Read the PF FAQ
And for in-depth discussion there is The book of PF

Advices:
* Use a Default Deny policy. - I don't know about you but I'd hate to think there was packets being accepted and I was not aware of it.
* make sure to log what is being blocked (it will help to debug if packets you want aren't being accepted)

and for a real-time display of logged packets use:

Code:

tcpdump -n -e -ttt -i pflog0

----

There is a Firewall Builder port on /usr/ports/security/fwbuilder/ - http://www.fwbuilder.org/
that might help you if you want a GUI solution.
I've never used it so don't know much about it.

Mel_Flynn · Nov 21, 2008

I would definitely recommend changing the location pf.conf, by setting:

pf_rules="/path/to/alternate/pf.conf"

in /etc/rc.conf.

when using a GUI, or running mergemaster on upgrades will be very annoying.

When editing by hand, it's a good idea to insert a start and end banner where all your rules are kept, so that mergemaster will do the right thing and give you your local changes as one chunk.