Struggling to adapt from the Linux world and UFW.

Hi folks,

I'm an Archlinux user (until now) and am just getting to grips with FreeBSD. The only thing I'm really struggling with is the firewall configuration. Up till now I've used UFW on linux as firewall rules have always scared me. I've got IPFW set to run in rc.conf and have pointed it to /etc/ipfw.rules as a script but I have no idea what I'm doing when it comes to creating rules.

My plan is to allow all outbound traffic (for now), and deny all incoming traffic apart from ssh, at least until I understand how to write rules better. I've had a look at some example configurations but they all look rather complex. So I guess what I'm asking for is a dummy's guide to firewall rules using IPFW.

Any and all help much appreciated.
 
wblock@ said:
There are four samples in /etc/rc.firewall. pf(4) has become popular. It may not be quite as fast as IPFW but is easier to use.

Thanks.

I just read the following in the book of PF:

The_Book_of_PF said:
Compared to working with iptables, PF is like this haiku:
A breath of fresh air,
floating on white rose petals,
eating strawberries.

I'm loving it already.

But I'll probably be back later with more problems....;)
 
There are two aspects to firewalling to know about:

1. how to configure what you want in a firewall's language (e.g., Cisco ACLs, pf, ipfw, iptables, etc.)
2. knowing what you want to tell the firewall to do

Part 1 requires you to learn the particular firewall language you decide to use. Part 2 requires understanding what ports/protocols your services use.

Essentially, for what you want to do, what you want is something like this (to start with). This is pseudocode, not in any particular firewall language:

Code:
allow port 22/tcp incoming on your external interface, from any IP to your external IP
allow port 53/udp incoming on your external interface (so DNS works properly)
allow icmp unreachable messages on your external interface
block any private IP subnets incoming on your external interface
block your internal interface's subnet coming in on your external interface
block everything else on your external interface
allow "established" connections back in through your external interface
allow all connections from your internal network on your inside interface
block all other IP ranges incoming on your inside interface

Note: I like to explicitly block my inside network from coming in on the outside interface (in addition to a catch-all block all), to prevent me from inadvertently allowing that subnet in through the outside interface if I happen to screw up a rule when defining a rule for my inside network.

Firewall rules can be a little scary until you work out what services need what ports. However, the new stateful firewalls allow things to be much simpler - essentially let everything out, allow "established" connections back in, and allow a select few services back in that aren't already covered by established connections (in your case, SSH).

Take your time, if your firewall choice supports keep-state on outgoing connections (I think they all do now?), use it.

Hope that helps.
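The pseudocode above, rendered as a FreeBSD pf.conf ruleset. This is an added example, not code posted by anyone in the thread. The interface names (em0 external, em1 internal), the internal subnet 192.168.1.0/24, the PF_CONF_OUT variable and the /tmp output path are assumptions to adjust for your host. Because every outbound rule keeps state, replies to your own DNS queries come back in through the state table, so no explicit inbound 53/udp rule is needed; the "block private ranges" and "block my own inside subnet on the outside" lines are both present, as the note above recommends.

```shell
#!/bin/sh
# Added example: emit a pf.conf that implements the pseudocode from the post.
# Interface names, subnet and output path are assumptions (see lead-in).
set -eu

# ruleset EXT_IF INT_IF INT_NET: print the pf.conf to stdout
ruleset() {
    ext_if=$1    # external interface (assumed: em0)
    int_if=$2    # internal interface (assumed: em1)
    int_net=$3   # internal subnet (assumed: 192.168.1.0/24)
    cat <<EOF
ext_if = "$ext_if"
int_if = "$int_if"
int_net = "$int_net"

# RFC 1918 and other ranges that must never arrive from the Internet
table <martians> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16 }

set skip on lo0
scrub in all

# Default policy: drop everything and log it; later "pass" rules win,
# "quick" rules stop evaluation immediately.
block log all

# Never accept private ranges or our own inside subnet on the outside interface
block drop in quick on \$ext_if from <martians> to any
block drop in quick on \$ext_if from \$int_net to any

# Allow all outbound traffic; the state entry lets the replies back in
pass out on \$ext_if inet keep state

# Inbound services on the external interface: ssh, plus ICMP unreachables
# so path MTU discovery keeps working
pass in on \$ext_if inet proto tcp from any to (\$ext_if) port ssh keep state
pass in on \$ext_if inet proto icmp icmp-type unreach keep state

# Inside interface: trust only our own subnet
pass in on \$int_if from \$int_net to any keep state
pass out on \$int_if keep state
EOF
}

out=${PF_CONF_OUT:-/tmp/pf.conf.candidate}
ruleset em0 em1 192.168.1.0/24 > "$out"

if command -v pfctl >/dev/null 2>&1; then
    # -n parses the file without loading it, so a typo can't lock you out
    pfctl -nf "$out" && echo "ruleset parses; load it with: pfctl -f $out"
else
    echo "ruleset written to $out (pfctl not available here to syntax-check it)"
fi
```

Run it on the FreeBSD box, read the generated file, then `pfctl -nf` it before loading; `pfctl -sr` afterwards shows the rules as pf expanded them.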
 
Thanks Throau.

I've done some reading up and got a simple configuration working. Managed to lock myself out of ssh a few times but it's all working now. I'll probably carry on tinkering away at it when I have time until I'm happy with it. PF is a dream to work with, if anything it's easier than UFW once I get the hang of it.
 
Lorem-Ipsum said:
Managed to lock myself out of ssh a few times but it's all working now.
# pfctl -f /etc/pf.conf && sleep 60 && pfctl -d

Loads the ruleset, sleeps for 60 seconds then disables the firewall. Should be enough time to test. If you happen to lock yourself out wait 60 seconds and the firewall will be disabled allowing you access again.
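A variation on the one-liner above, added here as an example (mine, not SirDice's): the timed `pfctl -d` runs in the background so you can cancel it once a fresh ssh login proves the new rules let you in, instead of having the firewall disable itself 60 seconds later on a ruleset that was actually fine. The `pfctl` commands are the real ones; the helper names, the `pf-load.sh` file name and the paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example: load a pf ruleset with a cancellable rollback timer.
# Helper names and the sample session are assumptions, not from the thread.
set -eu

ROLLBACK_PID=""

# arm_rollback SECONDS COMMAND: run COMMAND after SECONDS unless disarmed
arm_rollback() {
    secs=$1
    cmd=$2
    ( sleep "$secs" && eval "$cmd" ) &
    ROLLBACK_PID=$!
}

# disarm_rollback: cancel a pending rollback (no-op if none is armed)
disarm_rollback() {
    if [ -n "$ROLLBACK_PID" ]; then
        kill "$ROLLBACK_PID" 2>/dev/null || true
        wait "$ROLLBACK_PID" 2>/dev/null || true
        ROLLBACK_PID=""
    fi
}

# load_with_rollback CONF SECONDS: syntax-check, arm the fallback, then load.
# The fallback is "pfctl -d" (disable pf), the same escape hatch as above.
load_with_rollback() {
    conf=$1
    secs=$2
    pfctl -nf "$conf"                  # refuse a ruleset that does not even parse
    arm_rollback "$secs" "pfctl -d"    # arm before loading: if the load itself
    pfctl -f "$conf"                   # cuts the session, the timer still fires
    echo "ruleset loaded; pf will be disabled in ${secs}s unless you disarm"
}

# Sample session on the FreeBSD host (hypothetical):
#   . ./pf-load.sh
#   load_with_rollback /etc/pf.conf 60
#   # open a second ssh session; if it connects, keep the rules:
#   disarm_rollback
#   # if it doesn't, wait for the timer: pf is disabled and you are back in.

# Stand-alone dry run (no pfctl needed): arm a 2-second rollback and cancel it.
arm_rollback 2 'echo "rollback fired (it should not)"'
disarm_rollback
echo "dry run: rollback armed and disarmed"
```

Note that `pfctl -d` only disables the filter; the new rules stay loaded, so after fixing the mistake you re-run `pfctl -e` (or the loader above) rather than reverting anything.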
 
SirDice said:
# pfctl -f /etc/pf.conf && sleep 60 && pfctl -d

Loads the ruleset, sleeps for 60 seconds then disables the firewall. Should be enough time to test. If you happen to lock yourself out wait 60 seconds and the firewall will be disabled allowing you access again.

Thank you, I'll make sure to use that in future.

Out of curiosity is there much difference between using
Code:
&&
and
Code:
;
in the shell?

Also I use zsh so will it behave in the same way as in Bash?
 
Lorem-Ipsum said:
Out of curiosity is there much difference between using
Code:
&&
and
Code:
;
in the shell?

There is. Sleep only gets executed if the previous command succeeds. Using a semicolon, it would proceed along the execution path whether the command worked or not.

Code:
dice@williscorto:~>something && echo hi!
something: Command not found.
dice@williscorto:~>something ; echo hi!
something: Command not found.
hi!
dice@williscorto:~>


Also I use zsh so will it behave in the same way as in Bash?

It should. Mind you, FreeBSD doesn't use bash. Not unless you installed the port.
 
wblock@ said:
There are four samples in /etc/rc.firewall. pf(4) has become popular. It may not be quite as fast as IPFW but is easier to use.

Now a question of my own...

I've read that (in the past?) pf has had problems with running on multiple cores, or can't run on multiple cores very well.

Is this still the case? Is it any better/less supported than ipfw(4)?

I've been out of the firewalling space on FreeBSD for some time (been using Cisco ASA and router ACLs lately - last I did anything tricky with FreeBSD was circa 2002-2004) but am looking to add a second layer of protection to a couple of FreeBSD boxes.

The handbook unfortunately just says words to the effect of "there are 3 firewall types, here they are" without any real suggestion as to which one is recommended for any particular use.

I guess what I'm getting at is this: I like the look of pf(4), is there any "gotcha" I'm likely to run into down the track? The boxes I'm planning to run it on are mostly idle with plenty of CPU (virtual machines running on Xeon E5430s).
 
I would also like to know this because the learning curve is pretty steep. I, like OP, am using FreeBSD after using Archlinux. And all I know is iptables.
 
donduq said:
I would also like to know this because the learning curve is pretty steep. I, like OP, am using FreeBSD after using Archlinux. And all I know is iptables.

After reading the examples and the Book of PF it was quite simple to understand. Certainly simpler than iptables, and I preferred PF over the alternatives.
 