LinuxQuestions.org
Old 12-26-2004, 04:20 PM   #1
proton666
Member
 
Registered: Jan 2003
Distribution: FreeBSD 5.3
Posts: 35

Rep: Reputation: 15
Help choosing the right firewall


I am going to connect to my FreeBSD server from school. I will only be using ssh/port 22 because that is the only outbound port the school keeps open on the segment of the network I'll be on. I have the IP range that my school uses for workstations. I have a router at my house so I will only need to forward port 22 to my BSD server. I don't need NAT or anything fancy. So seeing that port 22 is only going to be open and I know a range of IPs that are going to connect to my server, what is the best firewall setup for me?
 
Old 12-26-2004, 05:09 PM   #2
Moy Easwaran
Member
 
Registered: Dec 2004
Distribution: Slackware, OpenBSD
Posts: 44

Rep: Reputation: 19
I'd use pf, which is OpenBSD's packet-filter that FreeBSD 5.3 also comes with. There's a howto at http://openbsd.org/faq/pf/index.html

It's quite straightforward, and the example in the howto should be enough to get you going.

Moy
 
Old 12-26-2004, 05:19 PM   #3
mrcheeks
Senior Member
 
Registered: Mar 2004
Location: far enough
Distribution: OS X 10.6.7
Posts: 1,690

Rep: Reputation: 50
Any BSD firewall can do it. I used to use ipfw because I found it easy.

I am now using pf. I wanted to see if it was that good and easy to configure. I am very pleased with it.

Whatever you choose, you only allow ssh; you don't have to spend hours choosing one. Pick one and try to configure it.
 
Old 12-26-2004, 05:28 PM   #4
proton666
Member
 
Registered: Jan 2003
Distribution: FreeBSD 5.3
Posts: 35

Original Poster
Rep: Reputation: 15
I couldn't find anything good to help me with ipfw. It seemed pretty hard and way above what I needed. Having to compile ipfw options with kernel is what I was having trouble with. Pf seems like a lighter choice for what I want to do. Thanks for the help!
 
Old 12-27-2004, 08:37 AM   #5
proton666
Member
 
Registered: Jan 2003
Distribution: FreeBSD 5.3
Posts: 35

Original Poster
Rep: Reputation: 15
I am having a tough time with the config of pf. Like what does internal_net, external_addr, #ext_if="ext0", #int_if="int0" mean?
 
Old 12-27-2004, 04:50 PM   #6
24jedi
Member
 
Registered: Jul 2003
Location: Richmond, VA
Distribution: FreeBSD 5.4
Posts: 75

Rep: Reputation: 15
This may not be what you are looking for, but I'll post anyway.

http://m0n0.ch/wall/

I was looking at building a FW. Then someone here told me about m0n0wall. You can download an ISO to run from a cdrom. The cdrom version won't overwrite your existing HD if you don't want it to. It will load the entire FreeBSD OS/FW into RAM for testing.

AND...it is configurable from the LAN side via http...much like a Linksys broadband router. I did some quick vulnerability testing and it appears to be pretty secure.

If you don't like it, just shutdown and take out the cd.
 
Old 12-28-2004, 07:45 PM   #7
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
internal_net, external_addr, etc. are generally macros (actually, you prefix them with $, e.g. $internal_net). You must define them in your config file; most people do that at the top, such as:
internal_net="192.168.0.0/16"
Then later you can refer to them, like
pass out on fxp1 from $internal_net

Have you read the PF User's Guide on the OpenBSD site? It does an extremely good job of explaining everything. For information on this specific question, look at the section entitled "Lists and Macros".
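
A minimal pf.conf for the setup described in this thread (SSH only, from one known address range), added here as an example and not part of any post above. The interface name fxp1 is borrowed from the rule quoted in the thread and the school range is a constructed placeholder; substitute your own values for both.

```conf
# /etc/pf.conf -- added example, not from the thread.
# Lines starting with '#' are comments, so a sample file's
# '#ext_if="ext0"' defines nothing until it is uncommented and edited.

# Macros: define name = "value" once, refer to it as $name in rules.
ext_if     = "fxp1"              # assumed NIC name; check with ifconfig
school_net = "198.51.100.0/24"   # placeholder range (constructed)
ssh_port   = "22"

# pf uses the LAST matching rule unless a rule says 'quick',
# so the broad block comes first and the exceptions follow it.

# Loopback traffic is never filtered.
pass quick on lo0 all

# Default: drop everything arriving on the external interface.
block in on $ext_if all

# The server's own outbound traffic, with state so replies can return.
pass out on $ext_if all keep state

# The only inbound service: new SSH connections from the school range.
# Assumes the home router forwards port 22 without rewriting the
# source address, so pf still sees the school's IPs.
pass in on $ext_if inet proto tcp from $school_net to any \
    port $ssh_port flags S/SA keep state
```

Check the file for syntax errors without loading it using `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf` and list the active rules with `pfctl -sr`.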
 
  

