[wplug-bsd] firewalling in freebsd
brandon at 301south.net
Thu Mar 31 12:14:10 EST 2005
On Wed, 30 Mar 2005, Duncan Hutty wrote:
> Would you mind giving your opinion on firewall options in freebsd?
> I assume that each of them will do the job just fine for the purposes of
> protecting a single box so it can be used as a fairly simple server for http,
> smtp, imap and ssh from 2 specific hosts, but there may be reasons of
> convenience or something that might sway the choice.
> Rate each of pf, IPfilter, ipfw for learning curve (coming from
> iptables/netfilter), convenience and power/flexibility? Is one considered
> more 'standard freebsd'? Is one overwhelmingly more common?
I can't speak with much authority, since I've only run two BSD boxes, but
on my systems I use ipf (I don't know if that's the same as pf? cursory
web search says: no.) As far as packet filters and nat goes, it seems to
work fine. The periodic machinery seems to be geared more towards ipfw,
but I receive enough info from 510.ipfdenied to make me happy.
Actually, its rule setup is rather counterintuitive: it has a "last
matching rule wins" methodology, which is opposite to iptables. It's a
little clumsy but I'm pretty sure I have it doing exactly what I want it
to do so I really can't complain. The nmap results:
bkuczens at aux:~$ nmap -P 0 301south.net
Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-03-31 12:10
Interesting ports on 14.piel1.xdsl.nauticom.net (126.96.36.199):
(The 1651 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
113/tcp closed auth
443/tcp closed https
993/tcp open imaps
49400/tcp closed compaqdiag
54320/tcp closed bo2k
61439/tcp closed netprowler-manager
61440/tcp closed netprowler-manager2
61441/tcp closed netprowler-sensor
65301/tcp closed pcanywhere
Nmap run completed -- 1 IP address (1 host up) scanned in 28.314 seconds
bkuczens at aux:~$
I also have ftp on a nonstandard port, NAT masquerading, and other
services only open on my internal interface. The "high port numbers" show
up as closed instead of filtered because I redirect ftp PASV operation to
ports 49152-65535 and leave them open.
I found a good howto: it's apparently famous, it's called the "IPF howto"
(one google link describes it as "world-renowned"):
I'll also provide you with my startup script and rules file by request.
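For a concrete picture of the "last matching rule wins" behaviour mentioned above, here is a minimal IPFilter rules file written as an added illustration for this thread (it is not the poster's own rules file, which was only offered by request). It assumes an external interface xl0, and uses the documentation addresses 192.0.2.10 and 198.51.100.20 as the two hosts allowed to ssh in; the open services match the nmap output above.

```conf
# /etc/ipf.rules -- added example, not the original poster's configuration.
# Assumed interface: xl0 (external). Assumed admin hosts: 192.0.2.10, 198.51.100.20.
#
# IPFilter reads every rule and the LAST rule that matches decides the packet,
# unless a rule says "quick", which stops evaluation right there. That is the
# reverse of iptables' first-match chains, so the broad default block goes
# FIRST and the specific "pass ... quick" rules come after it.

# Loopback traffic is never a question.
pass in quick on lo0 all
pass out quick on lo0 all

# Default policy: drop and log everything inbound. Logged drops are what
# the nightly 510.ipfdenied periodic report summarises.
block in log all

# Anti-spoofing: private source addresses have no business arriving on xl0.
block in quick on xl0 from 10.0.0.0/8 to any
block in quick on xl0 from 172.16.0.0/12 to any
block in quick on xl0 from 192.168.0.0/16 to any

# ident/auth (113): answer with a RST instead of silently dropping, so remote
# mail servers do not stall on an ident lookup. nmap reports this as "closed".
block return-rst in quick on xl0 proto tcp from any to any port = 113

# Public services: match only the opening SYN and let the state table carry
# the rest of each connection.
pass in quick on xl0 proto tcp from any to any port = 25 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 80 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 993 flags S keep state

# ssh from exactly two hosts. Anyone else never matches a "pass", so the
# earlier "block in log all" is the last (and only) match and they are dropped.
pass in quick on xl0 proto tcp from 192.0.2.10 to any port = 22 flags S keep state
pass in quick on xl0 proto tcp from 198.51.100.20 to any port = 22 flags S keep state

# Passive-FTP data ports 49152-65535, left open as described in the post.
# This is why a scanner sees "closed" rather than "filtered" up there.
pass in quick on xl0 proto tcp from any to any port > 49151 flags S keep state

# Outbound: allow what this box starts, keeping state so replies get back in.
pass out quick on xl0 proto tcp from any to any flags S keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
```

Load it with `ipf -Fa -f /etc/ipf.rules` and check the result with `ipfstat -io`, which prints the active in/out rules. The one habit to unlearn coming from iptables is putting the deny rule last: without "quick" a trailing "block in all" would be the last match for every packet and would override all the passes above it.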