This post will guide you through setting up the PF (Packet Filter) firewall to secure a FreeBSD server, using the classic example of a machine that also acts as the gateway for a small local network. Note that the example rule set below only allows ssh in; if the machine runs a web server, you have to add a matching pass rule for that port as well.
PF is a BSD licensed stateful packet filter, a central piece of software for firewalling. It is comparable to netfilter, ipfw, and ipfilter. PF was developed for OpenBSD, but has been ported to many other operating systems.
Setup PF Firewall
To configure PF on your FreeBSD server, follow these steps:
Step 1: create the configuration file /etc/pf.conf, which holds your PF rules, with the vim text editor (any editor will do):
$ sudo vim /etc/pf.conf
ext_if = "fxp0"
int_if = "dc0"
lan_net = "192.168.0.0/24"

# scrub (normalize) incoming packets
scrub in all

# set up a default deny policy
block in all
block out all

# pass traffic on the loopback interface in either direction
pass quick on lo0 all

# activate spoofing protection for the internal interface
antispoof quick for $int_if inet

# only allow ssh connections from the local network if they come from the
# trusted computer, 192.168.0.15. use "block return" so that a TCP RST is
# sent to close blocked connections right away. use "quick" so that this
# rule is not overridden by the "pass" rules below.
block return in quick on $int_if proto tcp from ! 192.168.0.15 \
    to $int_if port ssh flags S/SA

# pass all traffic to and from the local network
pass in on $int_if from $lan_net to any
pass out on $int_if from any to $lan_net

# pass tcp, udp, and icmp out on the external (Internet) interface.
# keep state on udp and icmp and modulate state on tcp.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# allow ssh connections in on the external interface as long as they are
# destined for a machine on the local network, NOT for the firewall itself.
# log the initial packet so that we can later tell who is trying to
# connect. use the tcp syn proxy to proxy the connection.
# note: the often-copied form "to { !$ext_if, !$int_if }" does not do what
# it looks like: a negated list expands to two separate rules ("to !$ext_if"
# and "to !$int_if"), and the second one matches packets addressed to the
# external interface, so ssh to the firewall would be let through. matching
# on the LAN network expresses the intent correctly.
pass in log on $ext_if proto tcp from any to $lan_net \
    port ssh flags S/SA synproxy state

Interface names and addresses are placeholders: replace fxp0, dc0, 192.168.0.0/24 and 192.168.0.15 with your own external interface, internal interface, LAN network and trusted admin host.
Step 2: enable PF and its logging daemon at boot by adding the following lines to /etc/rc.conf:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pf.log"
save and close the file.
Note:
• pf_enable – turns the PF service on or off at boot
• pf_rules – path to the file containing the PF rules
• pflog_enable – turns the pflogd logging daemon on or off
• pflog_logfile – the file pflogd writes to. It is in binary pcap format, not plain text, so read it with tcpdump rather than cat.
Step 3: start the pf service with the following command:
# service pf start
Or you can reboot the system:
# reboot
Be careful when doing this over ssh: the rule set uses a default deny policy and only creates state for new connections (flags S/SA), so an ssh session that was already open when the rules are loaded has no state entry and is cut off. Either start PF from the console, or log in from the trusted host (192.168.0.15) and reconnect after the rules are loaded.
You can use the tcpdump command on the pflog0 interface to watch in real time who is trying to connect to your FreeBSD server (only packets matched by rules with the "log" keyword appear there; the option is a lowercase -i, the uppercase -I is monitor mode and will not work on pflog0):
# tcpdump -n -e -ttt -i pflog0
To look at what was logged earlier, read the log file the same way:
# tcpdump -n -e -ttt -r /var/log/pf.log
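The three steps above are easy to get wrong in a way that locks you out of the box. The script below is an added example (not from the original post): it generates the rule set from the interface and address variables, syntax-checks it with pfctl's parse-only mode before loading, and loads it with a timed rollback to the previous configuration so that a bad rule set undoes itself if your ssh session does not survive. The interface names, network and trusted host are the post's placeholders; everything that touches pfctl must run as root on the FreeBSD machine, while the generation and check functions run anywhere.

```shell
#!/bin/sh
# Added example, not part of the original post. Generates, checks and
# safely loads a PF rule set for the gateway layout described above.
# Placeholders (assumed, same as the post): fxp0/dc0, 192.168.0.0/24,
# admin host 192.168.0.15. Override them via the environment.
EXT_IF="${EXT_IF:-fxp0}"
INT_IF="${INT_IF:-dc0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
ADMIN_HOST="${ADMIN_HOST:-192.168.0.15}"

# write_pf_conf FILE: write the rule set to FILE, one rule per line.
# The ssh rules are driven by $admin_host and $lan_net macros so the
# trusted host is defined in exactly one place.
write_pf_conf() {
    cat > "$1" <<EOF
ext_if = "$EXT_IF"
int_if = "$INT_IF"
lan_net = "$LAN_NET"
admin_host = "$ADMIN_HOST"

scrub in all
block in all
block out all
pass quick on lo0 all
antispoof quick for \$int_if inet
block return in quick on \$int_if proto tcp from ! \$admin_host to \$int_if port ssh flags S/SA
pass in on \$int_if from \$lan_net to any
pass out on \$int_if from any to \$lan_net
pass out on \$ext_if proto tcp all modulate state flags S/SA
pass out on \$ext_if proto { udp, icmp } all keep state
pass in log on \$ext_if proto tcp from any to \$lan_net port ssh flags S/SA synproxy state
EOF
}

# check_pf_conf FILE: parse-only check (pfctl -n loads nothing).
# Returns 0 if pfctl accepts the file, 1 if it rejects it, and 2 if pfctl
# is not installed (e.g. when the script is run on a non-FreeBSD host).
check_pf_conf() {
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not installed; syntax check skipped" >&2
        return 2
    fi
    pfctl -nf "$1"
}

# safe_reload NEW OLD [SECONDS]: check and load NEW, then reload OLD after
# SECONDS unless the operator kills the timer. Run it from your ssh
# session: if NEW cuts you off, OLD comes back and you can reconnect.
# Requires root and pf already enabled (pf_enable="YES").
safe_reload() {
    new="$1"; old="$2"; grace="${3:-60}"
    check_pf_conf "$new" || return 1
    pfctl -f "$new" || return 1
    ( sleep "$grace"; pfctl -f "$old" ) &
    timer=$!
    printf 'Loaded %s. Still connected? Run: kill %s (within %ss)\n' \
        "$new" "$timer" "$grace" >&2
}

# Usage on the FreeBSD box (as root), keeping the current file as fallback:
#   write_pf_conf /etc/pf.conf.new
#   safe_reload /etc/pf.conf.new /etc/pf.conf 60
#   kill <timer pid>        # only after confirming the session still works
#   mv /etc/pf.conf.new /etc/pf.conf
```

The rollback timer is the important part: PF replaces the whole rule set atomically on pfctl -f, so if the new rules block your session, nothing you typed afterwards reaches the box, and the background job restoring the old file is the only thing that gets you back in without console access.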
Conclusion
You should now know how to set up the PF firewall on FreeBSD. For more detailed information about PF, see its official web site and the pf.conf(5) and pfctl(8) manual pages on your system.