Re: easy Firewall setup
> A> Is there an easy firewall setup available somewhere (like the one
> A> referenced below but for FreeBSD)?
>
> Here's a script you can use to generate a rules file for IPF.
>
> --

Karl, I have used your script and it generated me a nice ipf.rules file

/* ipf.rules */
quadcore# cat /etc/ipf.rules
# Generated by make-ipf-rules v1.10 at Sun Jul 31 10:42:21 CDT 2011
#
# NAME:
#   /etc/ipf.rules
#
# DESCRIPTION:
#   Ruleset for IPF packet filter.
#
# AUTHOR:
#   Antonio Olivares olivares14...@gmail.com
#
# We don't care about NETBIOS broadcast crap, bootpc requests, or IGMP.
block in quick on msk0 proto udp from any to any port = 68
block in quick on msk0 proto udp from any to any port = 137
block in quick on msk0 proto udp from any to any port = 138
block in quick on msk0 proto igmp from any to any
#
# Now block everything coming down the network.
block in log on msk0 all
block out log on msk0 all
#
# Get rid of anything with options, as these can be used to hack.
block in log quick from any to any with ipopts
#
# Get rid of short TCP/IP fragments (too small for valid comparison)
# as these can be used to hack.
block in log quick proto tcp from any to any with short
#
# Allow all traffic on loopback.
pass in quick on lo0 all
pass out quick on lo0 all
#
# Block all the private routable addresses, as these should never
# come down the network, nor should we be talking to them.
block out quick on msk0 from any to 192.168.0.0/16
block out quick on msk0 from any to 172.16.0.0/12
block out quick on msk0 from any to 127.0.0.0/8
block out quick on msk0 from any to 10.0.0.0/8
block out quick on msk0 from any to 0.0.0.0/8
block out quick on msk0 from any to 169.254.0.0/16
block out quick on msk0 from any to 192.0.2.0/24
block out quick on msk0 from any to 204.152.64.0/23
block out quick on msk0 from any to 224.0.0.0/3
block in quick on msk0 from 192.168.0.0/16 to any
block in quick on msk0 from 172.16.0.0/12 to any
block in quick on msk0 from 10.0.0.0/8 to any
block in quick on msk0 from 127.0.0.0/8 to any
block in quick on msk0 from 0.0.0.0/8 to any
block in quick on msk0 from 169.254.0.0/16 to any
block in quick on msk0 from 192.0.2.0/24 to any
block in quick on msk0 from 204.152.64.0/23 to any
block in quick on msk0 from 224.0.0.0/3 to any
#
# Block and log portmapper attempts.
block in log quick on msk0 proto tcp/udp from any to any port = 111 keep state
#
# Allow outbound state related packets.
pass out quick on msk0 proto tcp from any to any flags S keep state
pass out quick on msk0 proto udp from any to any keep state
#
# Allow ping and traceroute.  Since we're doing everything quick,
# we must have passes before blocks.
pass in quick on msk0 proto icmp from any to any icmp-type 0 keep state
pass in quick on msk0 proto icmp from any to any icmp-type 8 keep state
pass in quick on msk0 proto icmp from any to any icmp-type 11 keep state
pass out quick on msk0 proto icmp from any to any icmp-type 0 keep state
pass out quick on msk0 proto icmp from any to any icmp-type 8 keep state
pass out quick on msk0 proto icmp from any to any icmp-type 11 keep state
block in log quick on msk0 proto icmp from any to any
#
# Allow DNS; should this be just from nameservers?
pass in quick on msk0 proto tcp from any to any port = 53 flags S keep state
pass in quick on msk0 proto udp from any to any port = 53 keep state
#
# Allow ssh and mail from anywhere: tcpserver filters addresses
pass in quick on msk0 proto tcp from any to any port = 22 flags S keep state
pass in quick on msk0 proto tcp from any to any port = 25 flags S keep state
#
# Allow http from selected addresses.
pass in quick on msk0 proto tcp from 1.2.3.4 to any port = 80 flags S keep state
pass in quick on msk0 proto tcp from 1.2.3.5 to any port = 80 flags S keep state
#
# Allow secure http from selected addresses.
pass in quick on msk0 proto
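The comment "Since we're doing everything quick, we must have passes before blocks" is the whole point of the generated file's ordering, so here is a small model of how IPF walks such a ruleset. This is an added example, not code from this thread, from the make-ipf-rules script, or from FreeBSD: the Rule and Packet types, the rule subset (copied in the listing's order) and the packet addresses (TEST-NET ranges) are all constructed for the illustration, and the grammar covers only the rule forms that appear in the listing. IPF semantics as modelled: the last matching rule decides, unless a matching rule carries `quick`, which ends evaluation at that rule; a packet matching no rule passes.

```python
"""Model of IPF rule evaluation (added example; not the thread's or FreeBSD's code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Grammar for the rule forms used in the ipf.rules listing (an assumption of this example).
RULE_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<dir>in|out)"
    r"(?P<log>\s+log)?(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+all|\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?(?:\s+icmp-type\s+(?P<itype>\d+))?)"
    r"(?:\s+(?:flags\s+\S+|keep\s+state|with\s+(?P<with>\S+)))*\s*$"
)


@dataclass
class Rule:
    action: str                           # 'block' or 'pass'
    direction: str                        # 'in' or 'out'
    quick: bool
    log: bool
    iface: Optional[str]                  # None = any interface
    proto: Optional[str]                  # 'tcp', 'udp', 'icmp', 'tcp/udp' or None
    src: Optional[ipaddress.IPv4Network]  # None = any
    dst: Optional[ipaddress.IPv4Network]
    port: Optional[int]                   # destination port, None = any
    icmp_type: Optional[int]
    with_: Optional[str]                  # 'ipopts', 'short' ... or None


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    opts: frozenset = frozenset()         # e.g. {'ipopts'} when IP options are present


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")

    def net(s):
        return None if s in (None, "any") else ipaddress.ip_network(s, strict=False)

    return Rule(action=m["action"], direction=m["dir"],
                quick=m["quick"] is not None, log=m["log"] is not None,
                iface=m["iface"], proto=m["proto"],
                src=net(m["src"]), dst=net(m["dst"]),
                port=int(m["port"]) if m["port"] else None,
                icmp_type=int(m["itype"]) if m["itype"] else None,
                with_=m["with"])


def matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction
            and (r.iface is None or r.iface == p.iface)
            and (r.proto is None or p.proto in r.proto.split("/"))
            and (r.src is None or ipaddress.ip_address(p.src) in r.src)
            and (r.dst is None or ipaddress.ip_address(p.dst) in r.dst)
            and (r.port is None or r.port == p.dport)
            and (r.icmp_type is None or r.icmp_type == p.icmp_type)
            and (r.with_ is None or r.with_ in p.opts))


def evaluate(rules, p: Packet):
    """Return (decision, index of the deciding rule, or None if nothing matched)."""
    decision, winner = "pass", None       # IPF default: no matching rule => pass
    for i, r in enumerate(rules):
        if matches(r, p):
            decision, winner = r.action, i
            if r.quick:                   # quick: stop at this match
                break
    return decision, winner


# Constructed subset of the listing above, kept in the listing's order.
SAMPLE_RULES = [parse_rule(l) for l in """
block in quick on msk0 proto udp from any to any port = 137
block in log on msk0 all
block out log on msk0 all
block in log quick from any to any with ipopts
pass in quick on lo0 all
pass out quick on lo0 all
block in quick on msk0 from 10.0.0.0/8 to any
block in quick on msk0 from 192.168.0.0/16 to any
pass out quick on msk0 proto tcp from any to any flags S keep state
pass in quick on msk0 proto icmp from any to any icmp-type 8 keep state
block in log quick on msk0 proto icmp from any to any
pass in quick on msk0 proto tcp from any to any port = 22 flags S keep state
pass in quick on msk0 proto tcp from 1.2.3.4 to any port = 80 flags S keep state
""".strip().splitlines()]

if __name__ == "__main__":
    # Constructed packets; the addresses are documentation ranges, not hosts from the thread.
    cases = {
        "echo request from outside": Packet("in", "msk0", "icmp", "203.0.113.9", "198.51.100.1", icmp_type=8),
        "icmp type 3 from outside":  Packet("in", "msk0", "icmp", "203.0.113.9", "198.51.100.1", icmp_type=3),
        "http from unlisted host":   Packet("in", "msk0", "tcp", "203.0.113.9", "198.51.100.1", dport=80),
        "ssh from spoofed 10/8":     Packet("in", "msk0", "tcp", "10.0.0.5", "198.51.100.1", dport=22),
        "ssh with IP options":       Packet("in", "msk0", "tcp", "203.0.113.9", "198.51.100.1", dport=22,
                                            opts=frozenset({"ipopts"})),
    }
    for name, pkt in cases.items():
        decision, idx = evaluate(SAMPLE_RULES, pkt)
        print(f"{name:26} -> {decision:5} (rule {idx})")
```

Two things worth noticing in the output: an unlisted host's HTTP SYN is blocked by the non-quick `block in log on msk0 all` rule (index 1) because nothing after it matches, which is the last-match behaviour; and a connection to port 22 from a 10/8 source never reaches the `pass ... port = 22` rule because the quick private-address block earlier in the file already decided it. Swapping the ICMP pass and block lines would make the echo-request test come out as `block`.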
Re: easy Firewall setup
On Sun, Jul 31, 2011 at 11:15 AM, Antonio Olivares olivares14...@gmail.com wrote:
> Karl, I have used your script and it generated me a nice ipf.rules file
> [...]
Re: easy Firewall setup
Thanks Karl for your script :) this will help tremendously. Also thanks to Daniel, Polytropon, Krad, Warren Fbsd for your suggestions/help. Sorry I could not get back since the network went down. I will report back as soon as I can get going again.

Regards,

Antonio

On Tue, Apr 26, 2011 at 1:48 PM, Karl Vogel vogelke+u...@pobox.com wrote:
> On Mon, 25 Apr 2011 19:43:33 -0500, Antonio Olivares olivares14...@gmail.com said:
> A> Is there an easy firewall setup available somewhere (like the one
> A> referenced below but for FreeBSD)?
>
> Here's a script you can use to generate a rules file for IPF.
>
> --
> Karl Vogel                      I don't speak for the USAF or my company
>
> The only freedom which deserves the name, is that of pursuing our own good
> in our own way, so long as we do not attempt to deprive others of theirs,
> or impede their efforts to obtain it.       --John Stuart Mill, On Liberty
>
> ---
> #!/bin/sh
> # This is a shell archive (produced by GNU sharutils 4.6).
> # To extract the files from this archive, save it to some FILE, remove
> # everything before the `!/bin/sh' line above, then type `sh FILE'.
> #
> # Existing files will *not* be overwritten unless `-c' is specified.
> # This format requires very little intelligence at unshar time.
> # if test, echo, mkdir, and sed may be needed.
> #
> # This shar contains:
> # length mode       name
> # ------ ---------- ------------------
> #   7197 -rw-r--r-- ipf-sample-ruleset
> #     71 -rw-r--r-- ipf.break
> #    144 -rw-r--r-- ipf.header
> #     64 -rw-r--r-- ipf.whitelist
> #   4977 -rwxr-xr-x make-ipf-rules
> #
> echo=echo
> shar_tty= shar_n= shar_c='
> '
> mkdir _sh14472 || ( echo 'failed to create locking directory' '_sh14472'; exit 1 )
> # ============= ipf-sample-ruleset ==============
> if test -f 'ipf-sample-ruleset' && test "$first_param" != -c; then
>   $echo 'x -' SKIPPING 'ipf-sample-ruleset' '(file already exists)'
> else
>   $echo 'x -' extracting 'ipf-sample-ruleset' '(text)'
>   sed 's/^X//' << 'SHAR_EOF' > 'ipf-sample-ruleset' &&
> X#
> X# http://www.pc-freak.net/handbook/firewalls-ipf.html
> X# No restrictions on Inside LAN Interface for private network
> X# Not needed unless you have LAN
> X#
> X
> X#pass out quick on xl0 all
> X#pass in quick on xl0 all
> X
> X#
> X# No restrictions on Loopback Interface
> X#
> Xpass in quick on lo0 all
> Xpass out quick on lo0 all
> X
> X#
> X# Interface facing Public Internet (Outbound Section)
> X# Interrogate session start requests originating from behind the
> X# firewall on the private network
> X# or from this gateway server destine for the public Internet.
> X#
> X
> X# Allow out access to my ISP's Domain name server.
> X# xxx must be the IP address of your ISP's DNS.
> X# Dup these lines if your ISP has more than one DNS server
> X# Get the IP addresses from /etc/resolv.conf file
> Xpass out quick on dc0 proto tcp from any to xxx port = 53 flags S keep state
> Xpass out quick on dc0 proto udp from any to xxx port = 53 keep state
> X
> X# Allow out access to my ISP's DHCP server for cable or DSL networks.
> X# This rule is not needed for 'user ppp' type connection to the
> X# public Internet, so you can delete this whole group.
> X# Use the following rule and check log for IP address.
> X# Then put IP address in commented out rule & delete first rule
> Xpass out log quick on dc0 proto udp from any to any port = 67 keep state
> X#pass out quick on dc0 proto udp from any to z.z.z.z port = 67 keep state
> X
> X
> X# Allow out non-secure standard www function
> Xpass out quick on dc0 proto tcp from any to any port = 80 flags S keep state
> X
> X# Allow out secure www function https over TLS SSL
> Xpass out quick on dc0 proto tcp from any to any port = 443 flags S keep state
> X
> X# Allow out send & get email function
> Xpass out quick on dc0 proto tcp from any to any port = 110 flags S keep state
> Xpass out quick on dc0 proto tcp from any to any port = 25 flags S keep state
> X
> X# Allow out Time
> Xpass out quick on dc0 proto tcp from any to any port = 37 flags S keep state
> X
> X# Allow out nntp news
> Xpass out quick on dc0 proto tcp from any to any port = 119 flags S keep state
> X
> X# Allow out gateway LAN users non-secure FTP ( both passive & active modes)
> X# This function uses the IPNAT built in FTP proxy function coded in
> X# the nat rules file to make this single rule function correctly.
> X# If you want to use the pkg_add command to install application packages
> X# on your gateway system you need this rule.
> Xpass out quick on dc0 proto tcp from any to any port = 21 flags S keep state
> X
Re: easy Firewall setup
On Mon, 25 Apr 2011 21:34:41 -0500, Antonio Olivares olivares14...@gmail.com wrote:
> Thanks for sharing this. I have a base FreeBSD 8.2 system on one machine
> and I would like to setup a firewall that allows me to visit websites and
> not allow incoming traffic. Something easy to set up and start like
> /etc/local/rc.d/rc.pf start or similar. A nice example which I can change
> some things like name of network device, i.e. nv0, or similar device. I
> will try further reading and try to set something up as I am afraid to
> screw things up.

You can easily do this with IPFW (from the base system).

Step 1: Create a file /etc/ipfw.conf which will contain your firewall rules. Depending on what you need, try out something like this:

    -f flush
    add allow ip from any to any
    add allow tcp from any to any ftp in recv xl0
    add allow tcp from any to any ssh in recv xl0
    add deny ip from any to any

Of course you'll have to replace xl0 with the correct device name; ifconfig -a will surely tell you. Please see that this is just an excerpt of an example. In this case, FTP and SSH should be allowed for incoming, everything else will be denied. If you do not want to use FTP - nobody seriously wants that :-) - do not enable it. The reference for SSH also goes to the default port; maybe you want to choose a different one.

Step 2: Edit /etc/rc.conf to contain the following lines:

    firewall_enable=YES
    firewall_type=/etc/ipfw.conf

Step 3: Start (or restart) the firewall:

    # /etc/rc.d/ipfw start

See the information contained in man ipfw; it's strong tobacco, but it provides very good knowledge about how to properly configure the firewall, containing examples that you can use to form your own rules, like allow anything from inside to outside, but deny any requests coming from outside.

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: easy Firewall setup
On 26 April 2011 08:52, Polytropon free...@edvax.de wrote:
> You can easily do this with IPFW (from the base system)
> [...]
If you are new to firewalls and don't want to use something like pfsense, I would stay away from ipfw (wait for flames 8) ). This is not for any technical reason as it is a perfectly good and well featured firewall. It is however, in my experience from a few years ago, a little trickier to get the rule orderings correct when you are natting things. Therefore I would advise you use pf. Here is a simple starter ruleset to get you going. It provides no external access but you can easily uncomment the bits to allow things through. Just drop it into /etc/pf.conf and run

    echo -en "pf_enable=yes\npflog_enable=yes" >> /etc/rc.conf.local
    /etc/rc.d/pf start
    /etc/rc.d/pflog start

ruleset
--
ext_if=xl0
int_if=xl1

#table <sshhosts> const { 1.1.1.1, 2.2.2.2 }
table <internal_nets> const { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 }

# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 80, adaptive.end 120 }
set limit { states 100, frags 5, src-nodes 30 }
#set loginterface none
set optimization normal
set block-policy drop
set state-policy if-bound
set skip on lo0
#set skip on $vpn_ints
set require-order yes
set fingerprints /etc/pf.os

set skip on lo0
set skip on $int_if

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub all random-id fragment reassemble

nat on $ext_if from <internal_nets> to any -> ($ext_if)

# dump everything by default
block log on $ext_if all

# uncomment this to allow ssh through
# let ssh work and let those ppl ping me
#block in on $ext_if proto tcp from any to any port ssh
#pass in quick on $ext_if proto tcp from <sshhosts> to any port ssh keep state
#pass in quick on $ext_if inet proto icmp from <sshhosts> to any icmp-type echoreq keep state
#pass out quick on $ext_if proto tcp from any to any port ssh keep state

pass out on $ext_if from any to any keep state
---

PS: I have ripped this out of my existing rule set so it's possible typos have crept in.
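The poster warns that typos may have crept in while ripping the ruleset out of a larger file, and the suggested workflow ("uncomment the bits to allow things through") is exactly where a reference to a still-commented table or an undefined macro slips in; `pfctl -nf` would catch most of these on the box, but the following Python lint shows what such a pre-check looks like and can run anywhere. This is an added example, not the poster's or pf's code. It assumes pf.conf's own conventions (`name=value` macros referenced as `$name`, `table <name>` definitions referenced as `<name>`, `#` comments) and works on a sample constructed from the starter ruleset above with three defects planted deliberately: a `<sshhosts>` reference whose table line is still commented out, a `$vpn_ints` macro that is never defined, and a duplicated `set skip on lo0`.

```python
"""Static checks for a pf.conf fragment (added example; not pf or the poster's code)."""
import re

MACRO_DEF_RE = re.compile(r"^(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<value>\S.*)$")
TABLE_DEF_RE = re.compile(r"^table\s+<(?P<name>[A-Za-z0-9_]+)>")
MACRO_REF_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")
TABLE_REF_RE = re.compile(r"<([A-Za-z0-9_]+)>")
DEFAULT_BLOCK_RE = re.compile(r"^block\b.*\ball$")


def logical_lines(text):
    """Yield (line number, text) with comments stripped and blank lines dropped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield n, line


def lint_pf(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings, macros, tables, seen_set = [], {}, set(), {}
    has_default_block = False
    for n, line in logical_lines(text):
        m = MACRO_DEF_RE.match(line)
        if m:                                   # macro definition: record and move on
            macros[m["name"]] = m["value"].strip('"')
            continue
        t = TABLE_DEF_RE.match(line)
        if t:                                   # table definition precedes any use on this line
            tables.add(t["name"])
        for ref in MACRO_REF_RE.findall(line):
            if ref not in macros:
                findings.append(f"line {n}: undefined macro ${ref}")
        for ref in TABLE_REF_RE.findall(line):
            if ref not in tables:
                findings.append(f"line {n}: reference to undefined table <{ref}>")
        if line.startswith("set "):             # repeated option lines are usually a paste slip
            if line in seen_set:
                findings.append(f"line {n}: duplicate option '{line}' (first at line {seen_set[line]})")
            else:
                seen_set[line] = n
        if DEFAULT_BLOCK_RE.match(line):
            has_default_block = True
    if not has_default_block:
        findings.append("no default 'block ... all' rule: traffic matching no rule is passed")
    return findings


# Constructed sample modelled on the starter ruleset in the thread, with three
# planted slips: a table used while its definition is still commented out, a
# macro that is never defined, and a duplicated 'set skip' line.
SAMPLE_PF_CONF = """\
ext_if=xl0
int_if=xl1
#table <sshhosts> const { 1.1.1.1, 2.2.2.2 }
table <internal_nets> const { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 }
set block-policy drop
set state-policy if-bound
set skip on lo0
set skip on $vpn_ints
set skip on lo0
set skip on $int_if
scrub all random-id fragment reassemble
nat on $ext_if from <internal_nets> to any -> ($ext_if)
block log on $ext_if all
pass in quick on $ext_if proto tcp from <sshhosts> to any port ssh keep state
pass out on $ext_if from any to any keep state
"""

if __name__ == "__main__":
    for finding in lint_pf(SAMPLE_PF_CONF):
        print(finding)
```

The checks are deliberately syntactic: they do not evaluate rule order (pf, like IPF, is last-match unless `quick`), so a clean report is not a statement that the policy is right, only that the file references what it defines. Note that `set skip on $int_if` turns filtering off on the internal interface entirely, which is what the poster's ruleset intends but is worth knowing before reusing the fragment.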
Re: easy Firewall setup
Antonio Olivares wrote:
> Dear kind folks,
>
> Is there an easy firewall setup available somewhere (like the one referenced below but for FreeBSD)? i.e. like I saw reading in Distrowatch an easy way (using a page on the net: http://connie.slackware.com/~alien/efg/)
>
> I have read that there is pf and there is an implementation by OpenBSD and both are available on FreeBSD via ports system/packages.
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
>
> I don't know which one to use; is there a page, howto (build a firewall or convert an existing one) to use here? All I want is to be allowed to visit websites but don't allow anyone out there to come in, somehow a template that I can use and try out to see if I can get it working. Of course the network name might be different, but I can try to figure things out. ne0, fe0, ra0, ..., etc.
>
> After figuring this out, my next big job/task is to use FreeBSD to make up a new router/dhcp server to give/assign ip numbers to machines from one and give to many. This has been something hard that I have failed at several times. Maybe with FreeBSD I can be successful?
>
> Thanks,
>
> Antonio

The FreeBSD handbook has a very detailed section on the firewalls that are part of the base system. Start there.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
Re: easy Firewall setup
On Tue, 26 Apr 2011, Polytropon wrote:
> You can easily do this with IPFW (from the base system)
>
> Step 1: Create a file /etc/ipfw.conf which will contain your firewall rules.

/etc/rc.firewall has a bunch of predefined firewall types, usable as-is or as examples. Instructions are in that file.
Re: easy Firewall setup
--As of April 25, 2011 7:43:33 PM -0500, Antonio Olivares is alleged to have said:
> I don't know which one to use, is there a page, howto (build a firewall or
> convert an existing one) to use here? All I want is to be allowed to visit
> websites but don't allow anyone out there to come in somehow a template
> that I can use and try out to see if I can get it working. Of course the
> network name might be different, but I can try to figure things out.

If all you want is a firewall, I'd go with this: http://www.pfsense.org/

Based on FreeBSD, but they've set it up nice and put an easy-to-use interface on top of it. Of course if you wanted you could always just install the base system, turn on routing, and configure pf/iptables. There's not really a whole lot to either one, really... But if you don't feel like learning their syntax right now, or doing everything via a text editor, I'd really go with pfsense. (Even if you *do* know their syntax, in most cases I'd go with pfsense...)

> After figuring this out, my next big job/task is to use FreeBSD to make up
> a new router/dhcp server to give/assign ip numbers to machines from one and
> give to many. This has been something hard that I have failed at several
> times. Maybe with FreeBSD I can be successful?

pfsense has a DHCP server, no problem there.

Daniel T. Staal

---
This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law.
---
Re: easy Firewall setup
On Mon, Apr 25, 2011 at 9:06 PM, Daniel Staal dst...@usa.net wrote:
> [...]
> pfsense has a DHCP server, no problem there.
>
> Daniel T. Staal
> ---

Thanks for sharing this. I have a base FreeBSD 8.2 system on one machine and I would like to setup a firewall that allows me to visit websites and not allow incoming traffic. Something easy to set up and start like /etc/local/rc.d/rc.pf start or similar. A nice example which I can change some things like name of network device, i.e. nv0, or similar device. I will try further reading and try to set something up as I am afraid to screw things up.

Regards,

Antonio