Posted by: jasonk2600 | January 10, 2010

Simple FreeBSD Firewall and Router


This post will explain the basic steps necessary to configure a FreeBSD system to perform the roles of a firewall and router.  It is assumed that the FreeBSD system is up and running with two NICs installed.  OpenBSD’s Packet Filter (PF) firewall package will be used to perform the firewalling, Network Address Translation (NAT), and routing services.


PF must be compiled into the FreeBSD kernel.  If you have not already done so, download the FreeBSD system source code to the /usr/src directory.  Create a custom kernel configuration based upon the default GENERIC kernel configuration.

# cd /usr/src/sys/i386/conf
# cp GENERIC CUSTOM


Modify the CUSTOM kernel configuration file to reflect the following settings.

cpu  I686_CPU
ident  CUSTOM

options  ALTQ
options  ALTQ_CBQ
options  ALTQ_RED
options  ALTQ_RIO
options  ALTQ_HFSC
options  ALTQ_PRIQ
options  ALTQ_NOPCC

device  pf
device  pflog
device  pfsync


Compile and install the newly configured CUSTOM kernel. Reboot the system once installation of the kernel has been completed.

# cd /usr/src
# make buildkernel KERNCONF=CUSTOM
[ ... Lots of Output ... ]
# make installkernel KERNCONF=CUSTOM
[ ... Lots of Output ... ]
# shutdown -r now



Enable the PF firewall software to start at system boot by adding the following to the /etc/rc.conf file. The gateway_enable setting turns on IP forwarding between the two NICs, which the router role requires.

pf_enable="YES"
gateway_enable="YES"



Create the PF ruleset in /etc/pf.conf. The following sample ruleset provides Network Address Translation (NAT), protects against attacks that rely on incorrect handling of packet fragments (by normalizing traffic with scrub), drops packets with spoofed source addresses, allows any internal system to reach the outside, and blocks access to the internal systems from the outside. Be sure to set the ext_if and int_if variables to the names of your system's external (connected to the Internet) and internal (connected to your LAN) NICs. Note that pfctl requires the rule sections to appear in a fixed order (options, normalization, queueing, translation, filtering), so the scrub rule must precede the nat rule and the nat rule must precede the block and pass rules; pfctl refuses to load a ruleset that violates this order. For more information on creating more complex PF rulesets, refer to "The Book of PF".

ext_if = "ath0"
int_if = "fxp0"
localnet = $int_if:network

# Normalization (scrub) must come before translation and filter rules.
scrub in all

# Translate outbound LAN traffic to the external interface's address.
nat on $ext_if from $localnet to any -> ($ext_if)

# Default deny; the rules below open only what is needed.
block all

# Drop packets arriving with spoofed source addresses on either interface.
antispoof for $ext_if
antispoof for $int_if

# Let the firewall itself (lo0) and the LAN initiate connections anywhere.
pass from { lo0, $localnet } to any keep state


Reboot the system to activate PF and the new ruleset. Once the system has rebooted, check PF’s statistics to verify that PF is handling network traffic.

# pfctl -s info
Status: Enabled for 0 days 00:17:04      Debug: Urgent

State Table                     Total             Rate
  current entries                   0
  searches                       2800            2.7/s
  inserts                           0            0.0/s
  removals                          0            0.0/s
  match                          2800            2.7/s
  bad-offset                        0            0.0/s
  fragment                          0            0.0/s
  short                             0            0.0/s
  normalize                         0            0.0/s
  memory                            0            0.0/s
  bad-timestamp                     0            0.0/s
  congestion                        0            0.0/s
  ip-option                        12            0.0/s
  proto-cksum                       0            0.0/s
  state-mismatch                    0            0.0/s
  state-insert                      0            0.0/s
  state-limit                       0            0.0/s
  src-limit                         0            0.0/s
  synproxy                          0            0.0/s
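As an added example (not part of the original post), the following POSIX sh functions read `pfctl -s info` output and report whether PF is enabled, how many entries the state table holds, and which of the drop and anomaly counters are above zero, which is what an administrator actually wants to know from the listing above. The sample text is constructed from the counters shown above (abridged), and the function names are my own.

```shell
# Sample `pfctl -s info` output, constructed (abridged) from the listing above.
PF_INFO_SAMPLE='Status: Enabled for 0 days 00:17:04      Debug: Urgent

State Table                     Total             Rate
  current entries                   0
  searches                       2800            2.7/s
  inserts                           0            0.0/s
  match                          2800            2.7/s
  bad-offset                        0            0.0/s
  fragment                          0            0.0/s
  short                             0            0.0/s
  normalize                         0            0.0/s
  memory                            0            0.0/s
  bad-timestamp                     0            0.0/s
  congestion                        0            0.0/s
  ip-option                        12            0.0/s
  proto-cksum                       0            0.0/s
  state-mismatch                    0            0.0/s
  state-insert                      0            0.0/s
  synproxy                          0            0.0/s'

# pf_status TEXT: prints "enabled" or "disabled" from the Status line.
pf_status() {
    printf '%s\n' "$1" | while read -r label state rest; do
        if [ "$label" = "Status:" ]; then
            if [ "$state" = "Enabled" ]; then echo enabled; else echo disabled; fi
            break
        fi
    done
}

# pf_state_count TEXT: prints the number of entries currently in the state table.
pf_state_count() {
    printf '%s\n' "$1" | while read -r w1 w2 w3 rest; do
        if [ "$w1 $w2" = "current entries" ]; then echo "$w3"; break; fi
    done
}

# pf_nonzero_drops TEXT: prints "counter total" for each counter that records
# dropped or abnormal packets and is above zero (zero is the healthy value).
# Counters like searches, inserts and match are activity, not drops, so they are skipped.
pf_nonzero_drops() {
    printf '%s\n' "$1" | while read -r name total rate; do
        case "$name" in
            bad-offset|fragment|short|normalize|memory|bad-timestamp|congestion|ip-option|proto-cksum|state-mismatch|state-insert|state-limit|src-limit)
                if [ "${total:-0}" -gt 0 ]; then echo "$name $total"; fi ;;
        esac
    done
}
```

On the firewall itself, run the checks against live data with `pf_nonzero_drops "$(pfctl -s info)"`; a rising fragment or state-mismatch count is worth correlating with pflog output.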






  1. How do I do this command?

    ext_if = "ath0"
    int_if = "fxp0"
    localnet = $int_if:network

    scrub in all

    nat on $ext_if from $localnet to any -> ($ext_if)

    block all

    antispoof for $ext_if
    antispoof for $int_if

    pass from { lo0, $localnet } to any keep state
