How To Configure Firewall in FreeBSD with PF Linux
In this tutorial we explain how to enable, configure and use the firewall in FreeBSD with PF Linux
What is PF?
PF (Packet Filter – Packet Filter) has been developed as a software firewall for FreeBSD systems with which we can create hundreds of rules that allow us to manage in a much more centralized way the access and behavior of all elements of the system.
Now we will see how to enable and configure pf in FreeBSD.
Step 1: Enable Firewall
Although pf is integrated into FreeBSD, we must add the following lines in the file /etc/rc.conf with the desired editor:
nano /etc/rc.conf
The lines to add are:
echo 'pf_enable="YES"' >> /etc/rc.conf echo 'pf_rules="/usr/local/etc/pf.conf"' >> /etc/rc.conf echo 'pflog_enable="YES"' >> /etc/rc.conf echo 'pflog_logfile="/var/log/pflog"' >> /etc/rc.conf
Once we add these lines, we save the changes using the Ctrl + O keys and exit the editor using Ctrl + X.
Step 2: Create Rules in /usr/local/etc/pf.conf
Once the previous lines have been added, we will access the file /usr/local/etc/pf.conf to create the rules that pf should read and which will be taken into account at the time of protection.
We access using some editor:
nano /usr/local/etc/pf.conf
As it is a new file, the possibilities of rules are thousands, for this case, we can go to the following link and copy the rule, which applies to a web server, and paste it into our configuration file:
https://gist.github.com/rosstimson/5826279
There we must take into account modify the network adapter in the ext_if field by the correct one in each case.
Something vital to keep in mind is that pf has a defined order to establish the rules and this is:
Macros
Macros must be defined before they are referenced in pf.conf
Tables
The tables provide a mechanism to increase the performance and flexibility of the rules
Options
The options adjust the behavior of the packet filtering engine.
Traffic Normalization
This rule protects internal machines against inconsistencies in Internet protocols and implementations.
Queueing
Provides bandwidth control based on defined rules
Translation
This option specifies how the addresses should be mapped or redirected.
Packet Filtering
Offers a rule-based blocking
Once the rules are created, we save the changes using Ctrl + O and exit the editor using Ctrl + X.
Step 3: Enable PF Service
Then we will execute a series of commands to check and start the pf service in FreeBSD.
To verify the enabling status of pf we execute the line:
pfctl -e
To start the pf service we run the following line:
service pf start
We check the service by executing:
service pf check
At this point we can also run any of the following options:
/etc/rc.d/pf checkpfctl -n -f /usr/local/etc/pf.conf
If we want to stop the pf service we run:
service pf stop
To restart the pf service:
service pf restart
If we're going to see the current status of the pf service:
service pf status
The pf firewall uses the pflog service to store and record all security events that occur in the system, the usage options are:
service pflog start service pflog stop service pflog restart
Step 4: How To Use PF on FreeBSD
It will be necessary to use the pfctl command to be able to visualize the set of pf rules and the configuration of the parameters, including the status information of the packet filter.
To see this information we execute the following:
pfctl -s rules
We can see how pf is a practical tool when working with the firewall on FreeBSD.
#facepalm# You opened the rc.conf with an editor, then pasted in the lines that you’d enter from the command line *instead of* using an editor — including the comment markers! So your edits do nothing, and your filewall won’t work. Obviously you just pasted things from another website here without even understanding what it means. If you can’t be bothered to test what you tell others to do, I’m certainly not going to bother reading the rest of your pretend article.
Why is Linux mentioned in this article?
pf(4) was written by the BSD boys, and has nothing to do with Linux.
Otherwise a good article.
L8r