Building a Desktop Firewall
Controlling the Firewall
Use the pfctl (pf control) command to see what's happening with your firewall and to stop and start the firewall. Use the show switch (-s) to view the rules currently running on the firewall:
# pfctl -s rules
No ALTQ support in kernel
ALTQ related functions disabled
pass out quick inet from (xl0) to any keep state label "RULE 0 -- ACCEPT "
block drop in quick inet all label "RULE 1 -- DROP "
block drop out quick inet all label "RULE 1 -- DROP "
block drop in quick inet all label "RULE 10000 -- DROP "
block drop out quick inet all label "RULE 10000 -- DROP "
If you compare that text to the rules you made in fwbuilder, you'll recognize rules 0 and 1. Rule 10000 is that implicit deny rule.
If you ever wish to stop your firewall, use the disable switch (-d). This stops packet filtering but leaves the ruleset loaded in the kernel:
# pfctl -d
To start the firewall again, load your ruleset and enable pf. The ruleset will be in /etc and have the same name as your firewall; in my case, it is /etc/my_firewall.conf. The enable switch (-e) does not take a file name on its own, so I combine it with the -f switch, which loads the ruleset:
# pfctl -e -f /etc/my_firewall.conf
Alternatively, I can right-click the firewall in the Objects tree and choose Install from the drop-down menu. (Note that this will fail for the current set of rules. It's easy to fix though.)
Note: if you added the line to /etc/rc.conf mentioned at the beginning of this article, add a second line so that your ruleset is loaded automatically when the computer reboots:
pf_rules="/etc/my_firewall.conf"
where my_firewall.conf is the name of your ruleset. It is always a good idea to run pfctl -s rules after a reboot to double-check that your firewall is running.
Fine-Tuning the Rules
If you take a look at your first rule, it allows the firewall to go anywhere as a Source. However, nothing can connect to the firewall as a Destination. This includes the firewall connecting to itself in order to install a policy, so if you were to add a rule you would get an error when you tried to install it. This is fine if you are happy with your firewall as is. Try it out--you should be able to surf, send and receive email, and do most of the things you normally do on the internet.
However, if you find you need to add more rules, you must first add a rule that allows the firewall to install a policy. Click on the number 0 in the first rule, go to the Rules menu, and select Insert Rule. Because the firewall needs to reach its loopback management interface over ssh, it makes sense to have the rule look like this:
Source: my_firewall
Destination: my_firewall:lo0:ip (you'll find this if you click the + by your loopback object)
Service: ssh
Action: Accept
Options: Logging On
Comment: allow firewall to install policy
You haven't made an ssh object yet, so do so now. Click + next to Services to expand its tree. Right-click TCP and select New TCP Service. Under Name:, enter ssh. Under Destination Port Range Start, enter 22 and click the Apply Changes button. When finished, your firewall rules should resemble Figure 3.

Figure 3. Firewall rules that allow ssh
Before you can install the new rule, you will have to temporarily stop the firewall--remember, it currently doesn't allow any connections to itself.
# pfctl -d
Install the rulebase as usual; it will restart the firewall for you. You should be able to see your new rule if you type:
# pfctl -s rules
My new rule looks like:
pass out log quick inet proto tcp from (xl0) to 127.0.0.1 port = ssh keep state label "RULE 0 -- ACCEPT "
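The reboot check earlier and the loopback ssh rule come down to the same question: is the ruleset that is actually loaded the one you think it is? The script below is an added example; it is not from the article and is not part of fwbuilder. It wraps the reload sequence that replaces a bare pfctl -e (pfctl -nf to parse the file without loading it, then -f to load it, then -e) and checks the live pfctl -s rules output for the three properties this desktop policy depends on: the loopback ssh management rule is present, no rule passes inbound traffic, and the ruleset still ends in fwbuilder's block-everything catch-all. The /etc/my_firewall.conf path and the xl0 interface are taken from the article; the embedded sample output is constructed to mirror the listing above after the ssh rule has been inserted, with illustrative rule numbers.

```shell
#!/bin/sh
# Added example, not from the article or from fwbuilder: validate, load and
# verify a pf ruleset such as the one fwbuilder writes to /etc/my_firewall.conf.
# Assumptions: the ruleset path and the xl0 interface are the article's; the
# sample output below is constructed to mirror the article's listing once the
# ssh rule has been inserted (rule numbers in it are illustrative).
#
# Usage: sh pfcheck.sh /etc/my_firewall.conf   (load and verify on the firewall)
#        sh pfcheck.sh                         (no argument: check the sample only)

# check_rules: read `pfctl -s rules` output on stdin and confirm the three
# properties the article relies on. Prints one line per check; returns 0
# only if all of them hold.
check_rules() {
    # Keep only rule lines; this drops the ALTQ warnings and blank lines.
    rules=$(grep -E '^(pass|block|match) ')
    ok=0

    # 1. Management rule: the firewall may reach sshd on its loopback address.
    #    Without it, fwbuilder's Install is stopped by the default deny.
    if printf '%s\n' "$rules" | grep -q '^pass out .*to 127\.0\.0\.1 port = ssh'; then
        echo "ok:   loopback ssh management rule present"
    else
        echo "FAIL: no 'pass out ... to 127.0.0.1 port = ssh' rule, Install would fail"
        ok=1
    fi

    # 2. Nothing passes inbound: a desktop firewall should only open state
    #    from the inside, so any 'pass in' rule is a policy mistake.
    if printf '%s\n' "$rules" | grep -q '^pass in'; then
        echo "FAIL: inbound pass rule(s) found:"
        printf '%s\n' "$rules" | grep '^pass in' | sed 's/^/      /'
        ok=1
    else
        echo "ok:   no inbound pass rules"
    fi

    # 3. The ruleset ends with a block in + block out catch-all (fwbuilder's
    #    implicit deny, rule 10000), so anything unmatched is dropped.
    last2=$(printf '%s\n' "$rules" | tail -n 2 | grep -cE '^block drop (in|out) .*inet all')
    if [ "$last2" -eq 2 ]; then
        echo "ok:   ruleset ends with block in/out all"
    else
        echo "FAIL: ruleset does not end with a block in + block out catch-all"
        ok=1
    fi
    return $ok
}

# load_ruleset FILE: what to run instead of `pfctl -e FILE`. -n parses the
# file without loading it, so a typo cannot leave the box with no rules;
# -f loads it; -e enables pf if it is not already running.
load_ruleset() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    pfctl -nf "$f" || { echo "syntax error in $f, nothing loaded" >&2; return 2; }
    pfctl -f "$f" || return 2
    pfctl -s info | grep -q '^Status: Enabled' || pfctl -e
    # Re-read the live ruleset rather than trusting the file just loaded.
    pfctl -s rules 2>/dev/null | check_rules
}

# Constructed sample of `pfctl -s rules 2>&1` after the ssh rule was inserted
# (not captured from a real system; rule numbering is illustrative).
SAMPLE='No ALTQ support in kernel
ALTQ related functions disabled
pass out log quick inet proto tcp from (xl0) to 127.0.0.1 port = ssh keep state label "RULE 0 -- ACCEPT "
pass out quick inet from (xl0) to any keep state label "RULE 1 -- ACCEPT "
block drop in quick inet all label "RULE 2 -- DROP "
block drop out quick inet all label "RULE 2 -- DROP "
block drop in quick inet all label "RULE 10000 -- DROP "
block drop out quick inet all label "RULE 10000 -- DROP "'

if [ $# -gt 0 ]; then
    load_ruleset "$1"
else
    echo "No ruleset given, checking the constructed sample:"
    printf '%s\n' "$SAMPLE" | check_rules
fi
```

Run it with the ruleset path on the firewall itself after an Install or a reboot; with no argument it only checks the constructed sample, which is what lets it run on a machine without pf. The checks are deliberately textual (grep over pfctl's own output) so they do not depend on fwbuilder's labels, only on the rule syntax the article shows.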
Conclusion
Today, I've demonstrated how to make a personal firewall that protects your system while allowing you to access the internet. My next article will show you how to install a NAT policy with fwbuilder and explore some of its other features.
Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.
Nice article just one minor correction and a suggestion
2006-08-06 18:11:11 Mark.S
There's just one minor thing I'd like to point out. The configuration file for sshd is not 'sshd.config' but 'sshd_config', at least on FreeBSD 6 and upwards.
So this is the file in which you would have to add/uncomment the line:
'PermitRootLogin yes'
To be on the very safe side with root logins through ssh, you also could add the line
AllowUsers root@127.0.0.1
to the aforementioned configuration file, which would allow root to connect only through the loopback device, but this option would only be useful for people who want to maintain the firewall directly on the computer (desktop systems) and not remotely.
Thanks again for the article :)

Nice article just one minor correction and a suggestion
2006-08-10 06:08:24 Dru Lavigne
Thanks for pointing out the typo, it has been fixed.