Note: Be sure you have a pf-enabled kernel, or see this link on compiling the kernel on FreeBSD.
Add the following to /etc/rc.conf
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
Create the "control files" which we will use for whitelisting and blacklisting (pf loads them as tables, one address or network per line).
touch /etc/pf_hosts_any_port /etc/pf_hosts_ssh_port /etc/pf_hosts_www_port /etc/pf_hosts_ftp_port /etc/pf_hosts_bad
Get the name of the current network card (taken from the ifconfig_<interface> line in /etc/rc.conf).
grep "inet" /etc/rc.conf | awk -F'[_=]' '{print $2}'
Next create the firewall configuration file. The example below is a typical Web / SQL starter configuration.
vi /etc/pf.conf
Change network card from xn0 to reflect the actual network card.
Change ssh_service port from 22 to reflect the current setup.
Change ftp port from 40000:40200 to reflect the current setup.
ext_if="xn0"
icmp_types="echoreq"

# Reassemble fragments, block and log everything by default, leave loopback alone
scrub in on $ext_if all fragment reassemble
block log all
set skip on lo0
# Drop spoofed source addresses and packets that fail the reverse-path check
antispoof for $ext_if
block in quick from urpf-failed

#
# Simple PF Ruleset By Allan Christensen Last Modified 31-05-2014
#
ssh_service = 22

#
# Tables: Trusted Hosts
#
table <pf_hosts_any_port> persist file "/etc/pf_hosts_any_port"
table <pf_hosts_ssh_port> persist file "/etc/pf_hosts_ssh_port"
table <pf_hosts_www_port> persist file "/etc/pf_hosts_www_port"
table <pf_hosts_ftp_port> persist file "/etc/pf_hosts_ftp_port"

pass in quick on $ext_if from <pf_hosts_any_port> to any
pass in quick on $ext_if proto tcp from <pf_hosts_ssh_port> to $ext_if port $ssh_service
pass in quick on $ext_if proto tcp from <pf_hosts_www_port> to $ext_if port http

#
# Tables: Bad Hosts
#
table <badhosts> persist file "/etc/pf_hosts_bad"
# brutessh and brutewww are filled at run time by the overload rules below
table <brutessh> persist
table <brutewww> persist

block in quick from <badhosts>
block in quick proto tcp from <brutessh> to $ext_if port $ssh_service
block in quick proto tcp from <brutewww> to $ext_if port http

#
# Block Probes That May Reveal Our OS
#
block in log quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in log quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in log quick on $ext_if proto tcp flags /WEUAPRSF
block in log quick on $ext_if proto tcp flags SR/SR
block in log quick on $ext_if proto tcp flags SF/SF

#
# Incoming Traffic
#
# TCP
pass in proto tcp to $ext_if port http synproxy state (source-track rule, max-src-states 64, max-src-conn 30, max-src-conn-rate 10/5, overload <brutewww> flush global)
pass in proto tcp to $ext_if port $ssh_service keep state (max-src-conn 5, max-src-conn-rate 5/3, overload <brutessh> flush global)
# FTP
pass in on $ext_if proto tcp from <pf_hosts_ftp_port> to $ext_if port ftp
pass in on $ext_if proto tcp from <pf_hosts_ftp_port> to $ext_if port 40000:40200
pass out proto tcp from $ext_if to <pf_hosts_ftp_port> port ftp
# ICMP
pass in quick on $ext_if inet proto icmp from any to $ext_if icmp-type $icmp_types

#
# Outgoing Traffic
#
# TCP
pass out quick on $ext_if inet proto tcp from $ext_if to any port smtp
pass out quick on $ext_if inet proto tcp from $ext_if to any port domain
pass out quick on $ext_if inet proto tcp from $ext_if to any port http
pass out quick on $ext_if inet proto tcp from $ext_if to any port https
pass out quick on $ext_if inet proto tcp from $ext_if to any port $ssh_service
# UDP
pass out quick on $ext_if inet proto udp from $ext_if to any port domain
pass out quick on $ext_if inet proto udp from $ext_if to any port ntp
# ICMP
pass out quick on $ext_if inet proto icmp from $ext_if to any
pass out keep state
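Because the trusted-host tables are matched by "pass in quick" rules that sit ahead of "block in quick from <badhosts>", an address that ends up in both a whitelist file and /etc/pf_hosts_bad is passed, not blocked, and a malformed line in any control file will make pfctl reject the table load. The script below is an added example for this post (not part of the original ruleset) that checks the control files for both problems before they are loaded. It assumes the files use pf's table-file format (one IPv4 address or CIDR block per line, blank lines and # comments ignored); the function names are my own and the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# pf_tables_check.sh: sanity-check pf table control files before loading them.
# Added example, not part of the original post. Assumes pf's table-file
# format: one IPv4 address or CIDR block per line, '#' comments and blank
# lines ignored. The sample files written below are constructed.

# Print the well-formed entries of a table file, one per line. Comments and
# blank lines are skipped; malformed lines are reported on stderr and dropped,
# so a typo is caught here instead of failing the whole table load.
table_entries() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            entry = $1
            n = split(entry, parts, "/")
            ok = (n == 1) || (n == 2 && parts[2] ~ /^[0-9]+$/ && parts[2] + 0 <= 32)
            if (ok && split(parts[1], oct, ".") != 4) ok = 0
            for (i = 1; i <= 4 && ok; i++)
                if (oct[i] !~ /^[0-9]+$/ || oct[i] + 0 > 255) ok = 0
            if (ok) print entry
            else printf("malformed entry on line %d: %s\n", NR, $0) > "/dev/stderr"
        }' "$1"
}

# Number of well-formed entries in a table file.
count_entries() {
    table_entries "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Entries present in both a trusted-host file ($1) and the bad-host file ($2).
# With the ruleset's ordering such a host is passed by the quick whitelist rule
# before the badhosts block is reached. Textual comparison only: it does not
# compute CIDR overlap.
table_conflicts() {
    trusted=$(mktemp) && bad=$(mktemp) || return 1
    table_entries "$1" 2>/dev/null | sort -u > "$trusted"
    table_entries "$2" 2>/dev/null | sort -u > "$bad"
    comm -12 "$trusted" "$bad"
    rm -f "$trusted" "$bad"
}

# Replace the contents of a live pf table from its file without reloading the
# whole ruleset. Only meaningful on the pf host; elsewhere it does nothing.
reload_table() {
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found, skipping table $1" >&2; return 0; }
    pfctl -t "$1" -T replace -f "$2"
}

# Constructed sample control files in a scratch directory.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/pf_hosts_ssh_port" <<'EOF'
# constructed: hosts allowed to reach the ssh port
192.0.2.10
192.0.2.0/24
198.51.100.7
EOF
cat > "$demo_dir/pf_hosts_bad" <<'EOF'
# constructed: hosts to drop outright
203.0.113.0/24
198.51.100.7
300.1.1.1
EOF

echo "checking bad-host file for malformed lines:"
table_entries "$demo_dir/pf_hosts_bad" > /dev/null
echo "ssh whitelist entries: $(count_entries "$demo_dir/pf_hosts_ssh_port")"
echo "bad-host entries:      $(count_entries "$demo_dir/pf_hosts_bad")"
echo "listed in both (passed by the quick whitelist rule, not blocked):"
table_conflicts "$demo_dir/pf_hosts_ssh_port" "$demo_dir/pf_hosts_bad"
```

Run it against the real files (/etc/pf_hosts_any_port, /etc/pf_hosts_ssh_port, /etc/pf_hosts_www_port, /etc/pf_hosts_ftp_port against /etc/pf_hosts_bad) before a reload. The dynamically filled tables cannot be checked from a file; inspect them on the host with pfctl -t brutessh -T show and age old entries out with pfctl -t brutessh -T expire 86400, otherwise an overloaded address stays blocked until the table is flushed or the machine reboots.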
Once done, start the firewall.
/etc/rc.d/pf start
Check the firewall configuration (parse only, without loading it):
pfctl -vvnf /etc/pf.conf
Start firewall:
/etc/rc.d/pf start
Stop firewall:
/etc/rc.d/pf stop
Restart firewall:
/etc/rc.d/pf restart
Reload firewall configuration:
/etc/rc.d/pf reload