[wplug-bsd] firewalling in freebsd

Brandon Kuczenski brandon at 301south.net
Thu Mar 31 12:14:10 EST 2005


On Wed, 30 Mar 2005, Duncan Hutty wrote:

> Would you mind giving your opinion on firewall options in freebsd?
> I assume that each of them will do the job just fine for the purposes of 
> protecting a single box so it can be used as a fairly simple server for http, 
> smtp, imap and ssh from 2 specific hosts, but there may be reasons of 
> convenience or something that might sway the choice.
>
> Rate each of pf, IPfilter, ipfw for learning curve (coming from 
> iptables/netfilter), convenience and power/flexibility? Is one considered 
> more 'standard freebsd'? Is one overwhelmingly more common?
>

I can't speak with much authority, since I've only run two BSD boxes, but 
on my systems I use ipf (I don't know if that's the same as pf? A cursory 
web search says: no.)  As far as packet filters and NAT go, it seems to 
work fine.  The periodic machinery seems to be geared more towards ipfw, 
but I receive enough info from 510.ipfdenied to make me happy.

Actually, its rule setup is rather counterintuitive: it has a "last 
matching rule wins" methodology, which is opposite to iptables.  It's a 
little clumsy but I'm pretty sure I have it doing exactly what I want it 
to do so I really can't complain.  The nmap results:

bkuczens at aux:~$ nmap -P 0 301south.net

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-03-31 12:10 EST
Interesting ports on 14.piel1.xdsl.nauticom.net (209.195.172.207):
(The 1651 ports scanned but not shown below are in state: filtered)
PORT      STATE  SERVICE
22/tcp    open   ssh
25/tcp    open   smtp
80/tcp    open   http
113/tcp   closed auth
443/tcp   closed https
993/tcp   open   imaps
49400/tcp closed compaqdiag
54320/tcp closed bo2k
61439/tcp closed netprowler-manager
61440/tcp closed netprowler-manager2
61441/tcp closed netprowler-sensor
65301/tcp closed pcanywhere

Nmap run completed -- 1 IP address (1 host up) scanned in 28.314 seconds
bkuczens at aux:~$

I also have ftp on a nonstandard port, NAT masquerading, and other 
services only open on my internal interface.  The "high port numbers" show 
up as closed instead of filtered because I redirect ftp PASV operation to 
ports 49152-65535 and leave them open.

I found a good howto: it's apparently famous, it's called the "IPF howto" 
(one google link describes it as "world-renowned"):

http://www.obfuscation.org/ipf/ipf-howto.html

I'll also provide you with my startup script and rules file by request.

-Brandon
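The "last matching rule wins" behaviour described above is the usual trap for anyone arriving from iptables, where the first matching rule decides. The simulator below is an added example written for this archive page; it is not Brandon's startup script or rules file (which he offers by request) and the rule set in it is constructed. It implements a deliberately tiny subset of ipf rule syntax (pass/block, in/out, the `quick` keyword, `proto`, `port = N`) plus ipf's default of passing a packet that matches no rule, and evaluates the same rules under both last-match and first-match semantics so the difference is visible on concrete ports.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    quick: bool            # ipf "quick": stop evaluating on match
    proto: Optional[str]   # e.g. "tcp", or None for any protocol
    port: Optional[int]    # destination port, or None for any port


def parse_rule(line: str) -> Rule:
    """Parse a small, constructed subset of ipf rule syntax.

    Supported shape:  <pass|block> <in|out> [quick] [proto P] [... port = N]
    Anything else (addresses, flags, keep state, ...) is ignored or rejected.
    """
    tokens = line.split()
    action, direction = tokens[0], tokens[1]
    if action not in ("pass", "block") or direction not in ("in", "out"):
        raise ValueError(f"unsupported rule: {line!r}")
    proto = tokens[tokens.index("proto") + 1] if "proto" in tokens else None
    port = None
    if "port" in tokens:
        i = tokens.index("port")
        if tokens[i + 1] != "=":
            raise ValueError(f"only 'port = N' is supported here: {line!r}")
        port = int(tokens[i + 2])
    return Rule(action, direction, "quick" in tokens, proto, port)


def matches(rule: Rule, direction: str, proto: str, port: int) -> bool:
    """A rule matches when every field it specifies agrees with the packet."""
    return (rule.direction == direction
            and (rule.proto is None or rule.proto == proto)
            and (rule.port is None or rule.port == port))


def ipf_decide(rules: List[Rule], direction: str, proto: str, port: int) -> str:
    """ipf semantics: the LAST matching rule wins, except that a matching
    'quick' rule ends evaluation at once. With no match at all ipf passes
    the packet, which is why rule sets start with an explicit 'block in all'."""
    decision = "pass"
    for rule in rules:
        if matches(rule, direction, proto, port):
            decision = rule.action
            if rule.quick:
                break
    return decision


def first_match_decide(rules: List[Rule], direction: str, proto: str, port: int) -> str:
    """iptables-style semantics: the FIRST matching rule decides."""
    for rule in rules:
        if matches(rule, direction, proto, port):
            return rule.action
    return "pass"


# Constructed rule set in ipf order: a catch-all block first, then the
# services to allow, then a 'quick' block for identd (port 113) that must
# not be undone by the stray 'pass' rule that follows it.
CONSTRUCTED_RULES = [parse_rule(line) for line in """
block in all
pass in proto tcp from any to any port = 22
pass in proto tcp from any to any port = 25
pass in proto tcp from any to any port = 80
pass in proto tcp from any to any port = 993
block in quick proto tcp from any to any port = 113
pass in proto tcp from any to any port = 113
""".strip().splitlines()]


def compare(rules: List[Rule], direction: str, proto: str, port: int) -> dict:
    """Return the verdict of both evaluation models for one packet."""
    return {
        "ipf_last_match": ipf_decide(rules, direction, proto, port),
        "iptables_first_match": first_match_decide(rules, direction, proto, port),
    }


if __name__ == "__main__":
    # Inbound TCP to ssh, identd and an arbitrary high port.
    for dst_port in (22, 113, 31337):
        print(dst_port, compare(CONSTRUCTED_RULES, "in", "tcp", dst_port))
```

Run as written, the ssh line is the instructive one: under ipf the trailing `pass ... port = 22` overrides the leading `block in all`, while a first-match engine reading the same file would block everything. The port 113 case shows what `quick` buys you: the block stands even though a later rule would have passed the port, which is how ipf users get first-match behaviour where they want it.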
