Synopsis
This post will explain the basic steps necessary to configure a FreeBSD system to perform the roles of a firewall and router. It is assumed that the FreeBSD system is up and running with two NICs installed. OpenBSD’s Packet Filter (PF) firewall package will be used to perform the firewalling, Network Address Translation (NAT), and routing services.
Installation
PF must be compiled into the FreeBSD kernel. If you have not already done so, download the FreeBSD system source code to the /usr/src directory. Create a custom kernel configuration based upon the default GENERIC kernel configuration.
# cd /usr/src/sys/i386/conf
# cp GENERIC CUSTOM
Modify the CUSTOM kernel configuration file to reflect the following settings.
cpu		I686_CPU
ident		CUSTOM
options 	ALTQ
options 	ALTQ_CBQ
options 	ALTQ_RED
options 	ALTQ_RIO
options 	ALTQ_HFSC
options 	ALTQ_PRIQ
options 	ALTQ_NOPCC
device		pf
device		pflog
device		pfsync
Compile and install the newly configured CUSTOM kernel. Reboot the system once installation of the kernel has been completed.
# cd /usr/src
# make buildkernel KERNCONF=CUSTOM
[ ... Lots of Output ... ]
# make installkernel KERNCONF=CUSTOM
[ ... Lots of Output ... ]
# shutdown -r now
Configuration
Enable the PF firewall software to start at system boot by adding the following to the /etc/rc.conf file.
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_program="/sbin/pfctl"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_program="/sbin/pflogd"
Create the PF ruleset in /etc/pf.conf. The following sample ruleset provides Network Address Translation (NAT), protects against attacks that rely on incorrect handling of packet fragments, defends against spoofed IP addresses, allows any internal system to reach the outside, and blocks access to the internal systems from the outside. Be sure to set the ext_if and int_if macros to the names of your system's external (Internet-facing) and internal (LAN-facing) NICs. For more information on building more complex PF rulesets, refer to "The Book of PF" (see References below).
ext_if = "ath0"
int_if = "fxp0"
localnet = $int_if:network

# normalization (scrub) must come before translation (nat) and filtering;
# pfctl rejects the file with "Rules must be in order" otherwise
scrub in all

# translation: hide the LAN behind the external interface's current address
nat on $ext_if from $localnet to any -> ($ext_if)

# filtering: default deny, drop spoofed sources, let loopback and the LAN out statefully
block all
antispoof for $ext_if
antispoof for $int_if
pass from { lo0, $localnet } to any keep state
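The ruleset above has to be written by hand for each box, and the one thing pfctl is strict about on FreeBSD is section order (it keeps "set require-order yes" by default: options, normalization, queueing, translation, filter). The script below is an added example, not code from the original post: it generates the same two-NIC gateway ruleset for given interface names and checks the section order offline, so a typo in ordering is caught before a reboot. The interface names ath0 and fxp0 are the post's; the function names are my own, and the deny rules carry "log" so the pflog interface enabled in rc.conf actually records what was dropped.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the two-NIC gateway
# ruleset described above and check its section order offline.
# Interface names ath0/fxp0 come from the post; the function names are assumed.

# Print a complete pf.conf for the given external and internal interfaces.
# FreeBSD's pfctl keeps "set require-order yes" by default, so sections must
# appear as: options, normalization (scrub), queueing, translation (nat/rdr),
# filter. "log" is added to the deny rules so pflog records dropped packets.
gen_pf_conf() {
    ext="$1"
    int="$2"
    cat <<EOF
ext_if = "$ext"
int_if = "$int"
localnet = \$int_if:network

# normalization: reassemble fragments before any other rule sees them
scrub in all

# translation: hide the LAN behind the external interface's address
nat on \$ext_if from \$localnet to any -> (\$ext_if)

# filter: default deny (logged), drop spoofed sources, let the LAN out statefully
block log all
antispoof log for \$ext_if
antispoof log for \$int_if
pass from { lo0, \$localnet } to any keep state
EOF
}

# Exit 0 if the rules in the file appear in the order pfctl requires, 1 (with a
# message on stderr) otherwise. Macros, comments and blank lines are skipped;
# the first word of each rule decides which section it belongs to.
check_pf_order() {
    awk '
    function rank(w) {
        if (w == "set") return 1
        if (w == "scrub") return 2
        if (w == "altq" || w == "queue") return 3
        if (w == "nat" || w == "rdr" || w == "binat" || w == "no") return 4
        if (w == "block" || w == "pass" || w == "antispoof") return 5
        return 0
    }
    NF == 0 || $1 ~ /^#/ { next }
    $0 ~ /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }
    {
        r = rank($1)
        if (r == 0) next
        if (r < last) {
            printf("out of order: \"%s\" comes after a \"%s\" rule\n", $0, lastword) > "/dev/stderr"
            bad = 1
        } else if (r > last) {
            last = r
            lastword = $1
        }
    }
    END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# Demo: write the ruleset for the post's interfaces and check it.
tmp="${TMPDIR:-/tmp}/pf.conf.$$"
gen_pf_conf ath0 fxp0 > "$tmp"
check_pf_order "$tmp" && echo "section order OK"
rm -f "$tmp"
```

On the gateway itself, follow the offline check with pfctl's own parser before rebooting: pfctl -nf /etc/pf.conf parses the file without loading it, and then pfctl -sr shows the rules as PF expanded them (antispoof becomes explicit block rules for each interface address).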
Reboot the system to activate PF and the new ruleset. Once the system has rebooted, check PF’s statistics to verify that PF is handling network traffic.
# pfctl -s info
Status: Enabled for 0 days 00:17:04           Debug: Urgent

State Table                        Total             Rate
  current entries                      0
  searches                          2800            2.7/s
  inserts                              0            0.0/s
  removals                             0            0.0/s
Counters
  match                             2800            2.7/s
  bad-offset                           0            0.0/s
  fragment                             0            0.0/s
  short                                0            0.0/s
  normalize                            0            0.0/s
  memory                               0            0.0/s
  bad-timestamp                        0            0.0/s
  congestion                           0            0.0/s
  ip-option                           12            0.0/s
  proto-cksum                          0            0.0/s
  state-mismatch                       0            0.0/s
  state-insert                         0            0.0/s
  state-limit                          0            0.0/s
  src-limit                            0            0.0/s
  synproxy                             0            0.0/s
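Reading that output by eye once is fine; checking it every night is what a script is for. The following is an added example, not part of the original post: it takes the text of pfctl -s info, confirms PF is enabled, and lists every counter in the Counters section that is non-zero apart from match. The sample is the post's own output embedded as constructed input so the functions can be run without pfctl; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: a health check over the text
# that `pfctl -s info` prints. The sample below is the post's own output,
# embedded as constructed input so the functions run without pfctl; on the
# gateway itself, pass "$(pfctl -s info)" instead.
PF_INFO_SAMPLE='Status: Enabled for 0 days 00:17:04           Debug: Urgent

State Table                        Total             Rate
  current entries                      0
  searches                          2800            2.7/s
  inserts                              0            0.0/s
  removals                             0            0.0/s
Counters
  match                             2800            2.7/s
  bad-offset                           0            0.0/s
  fragment                             0            0.0/s
  short                                0            0.0/s
  normalize                            0            0.0/s
  memory                               0            0.0/s
  bad-timestamp                        0            0.0/s
  congestion                           0            0.0/s
  ip-option                           12            0.0/s
  proto-cksum                          0            0.0/s
  state-mismatch                       0            0.0/s
  state-insert                         0            0.0/s
  state-limit                          0            0.0/s
  src-limit                            0            0.0/s
  synproxy                             0            0.0/s'

# Return 0 when the Status line says Enabled, 1 otherwise.
pf_is_enabled() {
    printf '%s\n' "$1" | awk '
        $1 == "Status:" { if ($2 == "Enabled") ok = 1 }
        END { if (ok) exit 0; exit 1 }
    '
}

# Print "name total" for each counter in the Counters section with a non-zero
# total, except "match" (plain rule hits). Anything else that is non-zero
# (bad-offset, fragment, short, state-mismatch, ...) means PF dropped malformed
# or out-of-state packets, which is exactly what pflog is there to record.
pf_nonzero_counters() {
    printf '%s\n' "$1" | awk '
        $1 == "Counters" { in_counters = 1; next }
        in_counters && NF >= 2 && $1 != "match" && $2 + 0 != 0 { print $1, $2 }
    '
}

# One-line summary a cron job could mail: status first, then the counters.
# Returns 1 when PF is not enabled so the job can alert on that alone.
pf_health_report() {
    if pf_is_enabled "$1"; then
        printf 'pf: enabled; non-zero counters: %s\n' \
            "$(pf_nonzero_counters "$1" | tr '\n' ' ')"
        return 0
    fi
    printf 'pf: NOT enabled\n'
    return 1
}

pf_health_report "$PF_INFO_SAMPLE"
```

For the post's own output the only non-zero counter besides match is ip-option: PF drops packets that carry IP options unless a matching rule has allow-opts, so a small count there is expected under a default-deny ruleset, whereas a climbing fragment, short or state-mismatch count is the cue to read /var/log/pflog with tcpdump.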
References
- The Book of PF.
- FreeBSD Handbook – Chapter 30 – The OpenBSD Packet Filter (PF) and ALTQ.
- FreeBSD Handbook – Chapter 31 – Network Address Translation.
- PF: The OpenBSD Packet Filter FAQ.
How do I do this command?
ext_if = "ath0"
int_if = "fxp0"
localnet = $int_if:network
nat on $ext_if from $localnet to any -> ($ext_if)
block all
scrub in all
antispoof for $ext_if
antispoof for $int_if
pass from { lo0, $localnet } to any keep state
By: Katie Tam on May 4, 2010 at 7:53 pm