Firewall your FreeBSD for Safety’s Sake

Date published: July 20th, 2008
Posted in FreeBSD, Networking | 3 Comments

We all know the Internet can be a dangerous place, and to be truly safe a computer must not be connected to it. But that puts an immense dent in productivity and the flow of information, so it’s not an option. The flow of information is the important thing, and with the proper firewall you can make sure that data only flows how you want and to whom you want.

There are several options available, since FreeBSD is a network-enabled operating system. It natively has all the components needed to act as a firewall for other hosts or to firewall itself against external intrusions. Doing it with the native support will probably take a lot of reading, but isn’t securing your data worth the effort and time? A good, full-featured and robust firewall setup is detailed by Manuel Kasper over at his site and includes packet filtering, Network Address Translation, IP filtering and more. The complete write-up is here (https://neon1.net/misc/firewall.html).

FreeBSD also comes with built-in, manually activated packet filtering, commonly called PF. It has been included in the kernel for some time and can be enabled by editing rc.conf so that it contains:

pf_enable="YES"

It must also have a ruleset to draw upon or it won’t activate. For more information on activating PF and creating a ruleset, check out the FreeBSD Handbook pages on it.

http://www.freebsd.org/doc/en/books/handbook/firewalls-pf.html

There is also an open source application called pfSense, which is a customized distribution of FreeBSD made specifically to be used as a firewall and router. It has been around for several years and has bolt-on extensions that extend the capabilities of the distribution, keeping the core software secure while allowing for flexibility. You can find out more about it at the project pages (http://www.pfsense.com/).

Nothing in life is 100%, and that goes doubly for network security. Just putting up a firewall is not a complete network security solution, and you need to implement other security protocols to guard against a wide variety of threats. In the end, if you’re not a network security professional, it might be in your best interest to consult one.

3 thoughts on “Firewall your FreeBSD for Safety’s Sake”

  1. Nick

    Although I am new to FreeBSD I thought I would have a look at the Kasper site suggested but early in the article he says:

    Make sure you’re sitting at a local console of the machine – never tinker with the firewall via a remote connection, as it’s very easy to lock yourself out!

    Have to save up for a flight to the USA .(

  2. admin Post author

    If you are using our Xen VPS service, there is still a backdoor you have to get in through VNC console. And we can manually remove the firewall in case it blows up completely 🙂

  3. Toni

    Nick.. there is also an old way to do it remotely.
    Copy your running firewall file-rule to a different location.
    Add/change your rules.
    Schedule a reboot (let’s say +3 mins)
    Apply your rules from the new file
    If all is fine just kill the reboot process, if all went wrong.. just wait 5 mins and your machine is up and running w/ the old ruleset.
    It may sound tricky, but this way I never got the need for a flight or a trip 🙂
    Toni

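
The remote-change procedure from the last comment, written out as a script. This is an added example, not part of the original post or its comments. It assumes PF with the boot-time ruleset in /etc/pf.conf left untouched, that a pending FreeBSD shutdown is cancelled by killing its process, and hypothetical names for the marker file and variables.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes PF, with the boot-time
# ruleset (/etc/pf.conf) left untouched and the edited copy passed as $1.
PFCTL=${PFCTL:-pfctl}                  # overridable so the logic can be dry-run
SHUTDOWN=${SHUTDOWN:-shutdown}
CANCEL=${CANCEL:-"pkill -x shutdown"}  # assumption: cancel by killing shutdown
CONFIRM=${CONFIRM:-/var/run/fw-ok}     # hypothetical marker, root-writable dir
GRACE_MIN=${GRACE_MIN:-3}              # minutes until the safety-net reboot
WAIT_SEC=${WAIT_SEC:-$(( GRACE_MIN * 60 - 30 ))}  # give up 30 s before it
POLL=${POLL:-5}

# Returns 0 = confirmed and reboot cancelled, 1 = unconfirmed (reboot will
# restore the old rules), 2 = syntax error, 3 = no safety net, 4 = load failed.
safe_apply() {
    new=$1
    # Parse only (-n): never schedule a reboot for a file that cannot load.
    $PFCTL -nf "$new" || { echo "syntax error in $new" >&2; return 2; }
    rm -f "$CONFIRM"                   # ignore a stale confirmation
    # Arm the safety net BEFORE touching the running ruleset.
    $SHUTDOWN -r "+$GRACE_MIN" "firewall change safety net" || return 3
    if ! $PFCTL -f "$new"; then        # load rejected: disarm the reboot
        $CANCEL
        return 4
    fi
    # PF keeps existing states across a reload, so the session running this
    # script proves nothing. Confirm from a NEW login: touch "$CONFIRM"
    waited=0
    while [ "$waited" -lt "$WAIT_SEC" ]; do
        if [ -e "$CONFIRM" ]; then
            $CANCEL
            rm -f "$CONFIRM"
            return 0
        fi
        sleep "$POLL"
        waited=$(( waited + POLL ))
    done
    echo "not confirmed; reboot will bring back the old ruleset" >&2
    return 1
}

if [ $# -gt 0 ]; then safe_apply "$1"; fi
```

Only after a confirmed run should the tested file be copied over /etc/pf.conf; until then a reboot always returns to the known-good rules.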
