Enable And Configure The Firewall On FreeBSD

Note: PF must be available in the kernel. With the stock GENERIC kernel the pf rc script loads the pf kernel module automatically when pf_enable is set; if you run a custom kernel without module support, build PF in (see the FreeBSD Handbook chapter on configuring and compiling a custom kernel).

Add the following to /etc/rc.conf

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

Create the control files that the ruleset loads into its tables for allow-listing and block-listing. They may stay empty for now; a table loaded from an empty file simply matches nothing.

touch /etc/pf_hosts_any_port /etc/pf_hosts_ssh_port /etc/pf_hosts_www_port /etc/pf_hosts_ftp_port /etc/pf_hosts_bad

Get the name of the current network card. The command below pulls it out of the ifconfig_<name>= lines in /etc/rc.conf; if the interface is configured with DHCP (ifconfig_xn0="DHCP") there is no "inet" keyword to match, so read the ifconfig_ line directly instead.

grep "inet" /etc/rc.conf | awk -F'[_=]' '{print $2}'

Next create the firewall configuration file. The example below is a typical starter configuration for a web server with a local SQL database: only HTTP is open to the world, SSH is open but rate-limited, FTP is restricted to trusted hosts, and nothing is opened for the database, which is correct as long as it listens on localhost only.

vi /etc/pf.conf

Change the network card from xn0 to the actual network card found above.

Change ssh_service from 22 to the port sshd actually listens on.

Change the passive FTP data port range from 40000:40200 to the range configured in the FTP daemon.

#
# Simple PF Ruleset By Allan Christensen Last Modified 31-05-2014
#

# Macros
ext_if="xn0"
ssh_service="22"
icmp_types="echoreq"

# Options and normalization. pfctl enforces the order options, normalization,
# queueing, translation, filter (see "set require-order" in pf.conf(5)), so
# "set skip" has to come before the scrub line and before any block/pass rule.
set skip on lo0
scrub in on $ext_if all fragment reassemble

#
# Tables Trusted Hosts
#

table <pf_hosts_any_port> persist file "/etc/pf_hosts_any_port"
table <pf_hosts_ssh_port> persist file "/etc/pf_hosts_ssh_port"
table <pf_hosts_www_port> persist file "/etc/pf_hosts_www_port"
table <pf_hosts_ftp_port> persist file "/etc/pf_hosts_ftp_port"

#
# Tables Bad Hosts
#

table <badhosts> persist file "/etc/pf_hosts_bad"
table <brutessh> persist
table <brutewww> persist

# Default deny. Without "quick" the last matching rule wins, so every pass
# rule below overrides this one for the traffic it matches.
block log all

# Anti-spoofing: drop packets that claim a source on our own network but
# arrive on the wrong interface, and anything that fails a reverse-path check.
antispoof for $ext_if
block in quick from urpf-failed

# Trusted hosts. These rules are "quick", so a trusted host is never affected
# by the bad-host or brute-force tables below.
pass in quick on $ext_if from <pf_hosts_any_port> to any
pass in quick on $ext_if proto tcp from <pf_hosts_ssh_port> to $ext_if port $ssh_service
pass in quick on $ext_if proto tcp from <pf_hosts_www_port> to $ext_if port http

# Known-bad hosts, and hosts the overload rules further down have caught.
block in quick from <badhosts>
block in quick proto tcp from <brutessh> to $ext_if port $ssh_service
block in quick proto tcp from <brutewww> to $ext_if port http

#
# Block Probes That May Reveal Our OS
#
# Flag combinations used by scanners: Xmas (FIN/URG/PSH), all flags set,
# SYN+RST+ACK+FIN+URG, null (no flags), SYN+RST and SYN+FIN.

block in log quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in log quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in log quick on $ext_if proto tcp flags /WEUAPRSF
block in log quick on $ext_if proto tcp flags SR/SR
block in log quick on $ext_if proto tcp flags SF/SF

#
# Incoming Traffic
#

# TCP. New connections are rate-limited per source; a source that exceeds the
# limit is added to the brute-force table and "flush global" also kills the
# states it already has. HTTP additionally uses synproxy, so the web server
# only sees connections that completed the TCP handshake with PF.
pass in proto tcp to $ext_if port http synproxy state (source-track rule, max-src-states 64, max-src-conn 30, max-src-conn-rate 10/5, overload <brutewww> flush global)
pass in proto tcp to $ext_if port $ssh_service keep state (max-src-conn 5, max-src-conn-rate 5/3, overload <brutessh> flush global)

# FTP, trusted hosts only: control channel plus the passive data port range
# (this must match the range configured in the FTP daemon).
pass in on $ext_if proto tcp from <pf_hosts_ftp_port> to $ext_if port ftp
pass in on $ext_if proto tcp from <pf_hosts_ftp_port> to $ext_if port 40000:40200
# Outbound to port 21 on the trusted FTP hosts (this machine acting as an FTP
# client); redundant while the catch-all "pass out" at the end is present.
pass out proto tcp from $ext_if to <pf_hosts_ftp_port> port ftp

# ICMP: echo requests only
pass in quick on $ext_if inet proto icmp from any to $ext_if icmp-type $icmp_types

#
# Outgoing Traffic
#

# TCP
pass out quick on $ext_if inet proto tcp from $ext_if to any port smtp
pass out quick on $ext_if inet proto tcp from $ext_if to any port domain
pass out quick on $ext_if inet proto tcp from $ext_if to any port http
pass out quick on $ext_if inet proto tcp from $ext_if to any port https
pass out quick on $ext_if inet proto tcp from $ext_if to any port $ssh_service

# UDP
pass out quick on $ext_if inet proto udp from $ext_if to any port domain
pass out quick on $ext_if inet proto udp from $ext_if to any port ntp

# ICMP
pass out quick on $ext_if inet proto icmp from $ext_if to any

# Catch-all: every other outbound connection is allowed too. Because of this
# rule the explicit "pass out" rules above do not restrict anything; remove
# this line to limit outbound traffic to the services listed.
pass out keep state

Once done, check that the configuration parses (see the commands below) and then start the firewall.

/etc/rc.d/pf start
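The procedure above leaves the control files as plain text that an administrator edits by hand and then reloads. The following added example (not from the original page) wraps that in shell helpers: an entry is validated as an IPv4 address or CIDR prefix before it is written, the live table is synced from the file with pfctl -T replace so no full ruleset reload is needed, and the ruleset is parse-checked before a reload. The function names, exit codes, the IPv4-only assumption and the PF_RULES variable are mine, not the page's.

```sh
#!/bin/sh
# Added example, not from the original page: helpers for the PF control files.
# The file is the source of truth; the live table is synced from it with
# "pfctl -T replace", so removals take effect as well as additions.
# Assumption (not on the page): entries are IPv4 addresses or CIDR prefixes.

PF_RULES="${PF_RULES:-/etc/pf.conf}"

# Accept only a dotted-quad IPv4 address, optionally with a /0-32 prefix.
# Hostnames, shell metacharacters and malformed octets are rejected, so a bad
# line can never make "pfctl -T replace" fail and leave the table stale.
valid_ipv4_cidr() {
    addr="${1%/*}"
    pfx="${1#*/}"
    if [ "$pfx" = "$1" ]; then pfx=32; fi          # no "/" given: single host
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    # digits and dots only, no leading/trailing/double dots (also prevents
    # globbing in the unquoted "set --" below)
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldIFS=$IFS; IFS=.; set -- $addr; IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Append a host to a control file: 0 = added, 1 = rejected, 2 = already there.
pf_host_add() {
    file="$1"; host="$2"
    valid_ipv4_cidr "$host" || { echo "rejected: $host" >&2; return 1; }
    [ -f "$file" ] || touch "$file"
    if grep -qxF -- "$host" "$file"; then return 2; fi
    printf '%s\n' "$host" >> "$file"
}

# Remove a host from a control file (no-op if it is not listed).
pf_host_del() {
    file="$1"; host="$2"
    [ -f "$file" ] || return 0
    tmp="$file.$$"
    grep -vxF -- "$host" "$file" > "$tmp" || :   # grep exits 1 when nothing is left
    mv "$tmp" "$file"
}

# Make the live table identical to the file, without touching the rules.
pf_table_sync() {
    pfctl -t "$1" -T replace -f "$2"
}

# Always parse-check before loading: /etc/rc.d/pf start flushes the old rules
# before loading the file, so a file with a syntax error leaves PF enabled
# with an empty ruleset, and an empty ruleset passes everything.
pf_safe_reload() {
    pfctl -nf "$PF_RULES" || { echo "ruleset rejected, not reloading" >&2; return 1; }
    /etc/rc.d/pf reload
}

# Usage on the firewall host, as root (table names and files as in the ruleset):
#   pf_host_add /etc/pf_hosts_ssh_port 192.0.2.10 && pf_table_sync pf_hosts_ssh_port /etc/pf_hosts_ssh_port
#   pf_host_add /etc/pf_hosts_bad 198.51.100.0/24  && pf_table_sync badhosts /etc/pf_hosts_bad
#   pf_host_del /etc/pf_hosts_bad 198.51.100.0/24  && pf_table_sync badhosts /etc/pf_hosts_bad
```

Syncing a table with -T replace is cheaper and safer than a full reload: the rules and all existing states stay untouched, only the table contents change.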

Useful firewall commands

Check the firewall configuration (parses the file and reports errors without loading anything):

pfctl -vvnf /etc/pf.conf

Start firewall:

/etc/rc.d/pf start

Stop firewall:

/etc/rc.d/pf stop

Restart firewall:

/etc/rc.d/pf restart

Reload firewall configuration:

/etc/rc.d/pf reload
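pflog_enable above makes PF write every packet matched by a "log" rule to /var/log/pflog, but the page does not show how to read it. The added example below (not part of the original page) takes tcpdump's decoding of that file on stdin and summarizes who is being blocked and on which ports, which is how candidates for /etc/pf_hosts_bad are normally chosen; it also shows the overload tables. The sample log lines are constructed, not captured traffic, and the function names and the three-attempts threshold are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page: triage of the pflog output.
# Real usage on the firewall host:
#   tcpdump -n -e -ttt -r /var/log/pflog | pflog_top_sources
#   tcpdump -n -e -ttt -i pflog0         | pflog_top_sources    # live
# The -e flag prints the pflog header ("rule N/0(match): block in on xn0:")
# that the parser keys on.

# Constructed sample of "tcpdump -n -e -ttt -r /var/log/pflog" output (not
# real traffic): three SYNs to ssh from one host, two database probes from
# another, and one Xmas scan.
SAMPLE_PFLOG='00:00:00.000000 rule 3/0(match): block in on xn0: 203.0.113.5.40312 > 192.0.2.10.22: Flags [S], seq 10, win 65535, length 0
00:00:00.120000 rule 3/0(match): block in on xn0: 203.0.113.5.40313 > 192.0.2.10.22: Flags [S], seq 11, win 65535, length 0
00:00:00.230000 rule 3/0(match): block in on xn0: 203.0.113.5.40314 > 192.0.2.10.22: Flags [S], seq 12, win 65535, length 0
00:00:01.000000 rule 0/0(match): block in on xn0: 198.51.100.7.51000 > 192.0.2.10.3306: Flags [S], seq 20, win 1024, length 0
00:00:01.500000 rule 9/0(match): block in on xn0: 198.51.100.9.1 > 192.0.2.10.80: Flags [FPU], seq 1, win 1024, length 0
00:00:02.000000 rule 0/0(match): block in on xn0: 198.51.100.7.51001 > 192.0.2.10.5432: Flags [S], seq 21, win 1024, length 0'

# Count blocked packets per "source-ip dport", most frequent first. Fields are
# located relative to the "rule" token, so the timestamp format (-t, -ttt,
# -tttt) does not matter. Only "block" lines are counted; IPv4 only.
pflog_top_sources() {
    awk '
    {
        for (i = 1; i <= NF; i++) if ($i == "rule") break
        if (i > NF || $(i+2) != "block" || $(i+7) != ">") next
        src = $(i+6); dst = $(i+8); sub(/:$/, "", dst)
        if (split(src, s, ".") != 5 || split(dst, d, ".") != 5) next
        count[s[1] "." s[2] "." s[3] "." s[4] " " d[5]]++
    }
    END { for (k in count) print k, count[k] }' | sort -k3,3nr -k1,1 -k2,2n
}

# Sources with at least MIN (default 3) blocked attempts against one port:
# candidates for /etc/pf_hosts_bad once a human has looked at them.
pflog_candidates() {
    pflog_top_sources | awk -v min="${1:-3}" '$3 >= min { print $1 }' | sort -u
}

# Show what the overload rules have caught and drop entries older than a day,
# so a legitimate host that once tripped the rate limit is not banned forever.
pf_brute_status() {
    for t in brutessh brutewww; do
        echo "== $t"
        pfctl -t "$t" -T show
        pfctl -t "$t" -T expire 86400
    done
}

# Run against the constructed sample:
#   printf '%s\n' "$SAMPLE_PFLOG" | pflog_top_sources
#   printf '%s\n' "$SAMPLE_PFLOG" | pflog_candidates 3
```

Entries in the brute-force tables are not persisted across a reboot (the tables have no file), so anything worth blocking permanently should go into /etc/pf_hosts_bad, which the <badhosts> table loads on every start.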