OSETC TECH

How to Setup PF Firewall on FreeBSD

This post will guide you how to setup PF (Packet Filter) firewall to secure your FreeBSD server. How do I configure PF firewall on my FreeBSD server to protect my Web server.

PF is a BSD licensed stateful packet filter, a central piece of software for firewalling. It is comparable to netfilter, ipfw, and ipfilter. PF was developed for OpenBSD, but has been ported to many other operating systems.

Setup PF Firewall


If you want to configure PF firewall on your FreeBSD server, just do the following steps:

Step1: you need to create a configuration file called pf.conf to define your PF rules with vim text editor:

$ sudo vim /etc/pf.conf
ext_if = "fxp0"
int_if = "dc0"
lan_net = "192.168.0.0/24"

# scrub incoming packets
scrub in all

# setup a default deny policy
block in all
block out all

# pass traffic on the loopback interface in either direction
pass quick on lo0 all

# activate spoofing protection for the internal interface.
antispoof quick for $int_if inet

# only allow ssh connections from the local network if it‘s from the
# trusted computer, 192.168.0.15. use "block return" so that a TCP RST is
# sent to close blocked connections right away. use "quick" so that this
# rule is not overridden by the "pass" rules below.
block return in quick on $int_if proto tcp from ! 192.168.0.15 \
to $int_if port ssh flags S/SA

# pass all traffic to and from the local network
pass in on $int_if from $lan_net to any
pass out on $int_if from any to $lan_net

# pass tcp, udp, and icmp out on the external (Internet) interface.
# keep state on udp and icmp and modulate state on tcp.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# allow ssh connections in on the external interface as long as they‘re
# NOT destined for the firewall (i.e., they‘re destined for a machine on
# the local network). log the initial packet so that we can later tell
# who is trying to connect. use the tcp syn proxy to proxy the connection.
pass in log on $ext_if proto tcp from any to { !$ext_if, !$int_if } \
port ssh flags S/SA synproxy state

Step2: you need to change /etc/rc.conf file to add the following lines:

pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pf.log"

save and close the file.

Note:
• pf_enable -turn on/off PF service
• pf_rules – contain PF rules
• pflog_enable – turn on/off the logging support for PF firewall
• pflog_logfile – specified the log file for pflogd service

Step3: you need to start the pf service with the following command:

# service pf start

Or you can also reboot the system:

# reboot

You can use tcpdump command to check who is trying to connect to your FreeBSD server in real-time with the following command:

# tcpdump -n -e -ttt -I pflog0

Conclusion


You should know that how to setup PF firewall on FreeBSD. If you want to see more detailed information about PF, you can directly go to its official web site.