Building a Desktop Firewall
by Dru Lavigne, 08/03/2006
Everyone knows that you should be behind a firewall whenever you go online. However, not everyone knows that it's easy to create a personal firewall for a FreeBSD (or PC-BSD or DesktopBSD) system. This article shows how even a casual home user can get a firewall up and running in about ten minutes.
The Software
Like all of the BSDs, FreeBSD has always been security-conscious. It offers several built-in firewalls to choose from: ipfw, ipf, and pf. I use pf because it is built into all of the BSDs, including OpenBSD (where it originated), NetBSD, and DragonFly BSD.
I also recommend using a GUI firewall editor called fwbuilder. My examples demonstrate this utility on a FreeBSD system, but it is also available for Linux, Mac OS X, and Windows XP, and it can generate rules for iptables, ipfilter, pf, and ipfw.
pf comes with FreeBSD, but it is not necessarily in your running kernel. Check by typing the following as the superuser:
# kldload pf.ko
If you simply get your prompt back, pf was not loaded and you have just loaded it manually. A manually loaded module does not survive a reboot, so add a line to /etc/rc.conf to have pf loaded and enabled every time your system boots:
pf_enable="YES"
If you instead get an error like:
kldload: can't load pf.ko: File exists
pf is already in your kernel, either loaded as a module or compiled in. You still want pf_enable="YES" in /etc/rc.conf so that pf is loaded and enabled at every boot rather than only in the current session; check that the line is there.
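The check above can also be done non-interactively. The following sh script is an added example (mine, not from the original article): it tests whether pf is already in the kernel, loads it if not, and sets pf_enable="YES" in /etc/rc.conf without appending a second pf_enable line when one is already present, which is the usual mistake when people edit rc.conf by hand repeatedly. It assumes FreeBSD and root privileges; the script name pf-enable.sh, the RC_CONF override and the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): make sure pf is in the running
# kernel and enabled at boot, without duplicating lines in rc.conf.
# Assumptions: FreeBSD, run as root. RC_CONF may be pointed at another file
# for testing. The script name pf-enable.sh is hypothetical.

RC_CONF="${RC_CONF:-/etc/rc.conf}"

# Exit 0 when the pf module is loaded or compiled into the kernel.
# This is the same test the rc.d scripts use before calling kldload.
pf_loaded() {
    kldstat -q -m pf
}

# Set knob="value" in an rc.conf-style file, replacing an existing assignment
# instead of appending a second one. Usage: set_rc_knob FILE KNOB VALUE
set_rc_knob() {
    _file=$1 _knob=$2 _value=$3
    [ -f "$_file" ] || : > "$_file"
    if grep -q "^${_knob}=" "$_file"; then
        # -i.bak is accepted by both BSD and GNU sed
        sed -i.bak "s|^${_knob}=.*|${_knob}=\"${_value}\"|" "$_file"
        rm -f "${_file}.bak"
    else
        printf '%s="%s"\n' "$_knob" "$_value" >> "$_file"
    fi
}

# Print the current value of a knob (quotes stripped); prints nothing if unset.
# Usage: get_rc_knob FILE KNOB
get_rc_knob() {
    sed -n "s|^$2=\"*\([^\"]*\)\"*.*|\1|p" "$1" | tail -n 1
}

# Print how many times a knob is assigned; more than once is a misconfiguration,
# since the last assignment silently wins. Usage: count_rc_knob FILE KNOB
count_rc_knob() {
    grep -c "^$2=" "$1" || true
}

main() {
    if pf_loaded; then
        echo "pf is already in the running kernel"
    else
        kldload pf && echo "loaded pf.ko"
    fi
    set_rc_knob "$RC_CONF" pf_enable YES
    echo "pf_enable is now: $(get_rc_knob "$RC_CONF" pf_enable)"
    echo "pf_enable assignments in $RC_CONF: $(count_rc_knob "$RC_CONF" pf_enable)"
}

# Only touch the system when explicitly asked (sh pf-enable.sh --apply),
# so the functions can be sourced and exercised on a scratch file first.
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run it as `sh pf-enable.sh --apply` as root; running it twice leaves exactly one pf_enable line. The kldstat -q -m check is what distinguishes "already loaded" from a genuine load failure, which a bare kldload does not tell you apart from the "File exists" message.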
Installation
Become the superuser, install fwbuilder, and start it:
# pkg_add -r fwbuilder
# rehash
# fwbuilder
(The rehash step is only needed in csh or tcsh, the default shell for root on FreeBSD; it makes the shell notice the newly installed command without your having to log out and back in.)
The fwbuilder command opens the Welcome to Firewall Builder screen, which asks whether you want to open an existing project file or create a new one. Click the Create new project file button and give it a filename; the program adds the .fwb extension. Click Next to proceed.
The next screen offers two possibilities:
- Activate Revision Control system for this file (if you don't do this now, you can always activate it later)
- Let the program automatically open this file when you start it next time (you can activate this option later using Preferences dialog)
Revision control is a very good thing. Every time you start fwbuilder, it keeps a copy of your existing project file (i.e., your last session), giving you a history of all of your sessions. More importantly, if you mess things up, you can go back to a previous working session. I recommend selecting both options, then pressing Finish.
Configuring the Firewall Object
This will take you to the fwbuilder GUI, which is divided into two main sections. The left frame contains an Object tree and the right frame contains your firewall rules (after you have defined some objects). Using objects is a very powerful visual aid, allowing you to quickly see your networks, computers, and services, and to cut and paste these objects into firewall rules.
The first object you create should represent your firewall. Click on the New Object icon (it looks like a sheet of paper) and select New Firewall from the drop-down menu. Give your firewall a name (I called mine my_firewall), select PF from the drop-down menu of firewall software, and click Next. Keep the default, Configure interfaces manually, and press Next.
You should see a screen like Figure 1.
Figure 1. Your new firewall
Note: if your screen doesn't include the Netmask and MAC options, you didn't start fwbuilder as the superuser. Only the superuser can create firewall objects and firewall rules.
Be sure to add (with the Add button) the interface information for each NIC in your computer, as well as the loopback interface. If your firewall will protect only your personal computer, you need only one physical NIC. If you want your computer to provide NAT to other computer(s) on your home network, you need two NICs installed.
If your ISP assigns you a DHCP address, check the Dynamic address option. Otherwise, enter your static IP address and subnet mask.
To determine the FreeBSD names of your interfaces as well as the associated IP addressing information, type:
# ifconfig
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        inet 192.168.2.49 netmask 0xffffff00 broadcast 192.168.2.255
        ether 00:04:75:ee:e0:21
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
With my information, I entered into the New Firewall screen:
Name: xl0
Address: (greyed out because I checked Dynamic address)
Netmask: (greyed out because I checked Dynamic address)
MAC: 00:04:75:ee:e0:21
Label: external
Name: lo0
Address: 127.0.0.1
Netmask: 255.0.0.0
MAC: (leave empty)
Label: loopback
When choosing a label, "external" is good for the NIC you use to access the internet, and "internal" is good for the NIC attached to your home network. If you need to enter a static subnet mask, you must first convert the hex number that ifconfig prints (0xffffff00, for example) to dotted decimal. Ignore the 0x, which simply marks a hex number. What remains is four pairs of hex digits: ff ff ff 00. Each pair becomes one decimal number: ff is 255 and 00 is 0, so this mask is 255.255.255.0. If you have a pair that is neither ff nor 00, use the conversion table below. These seven values, together with ff and 00, are the only ones that can appear in a valid netmask, because a mask is a run of 1 bits followed by a run of 0 bits; if ifconfig shows anything else, the interface is misconfigured.
Hex | Decimal
---|---
80 | 128
c0 | 192
e0 | 224
f0 | 240
f8 | 248
fc | 252
fe | 254
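The conversion can also be scripted. The following is an added example (mine, not from the original article): it converts any hex netmask that ifconfig prints to dotted decimal and to a CIDR prefix length, rejects masks whose 1 bits are not contiguous, and can read ifconfig output directly so you get the values for every interface at once. It goes beyond the table above in handling every valid mask rather than the common ones. It uses only POSIX sh arithmetic and awk; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): turn FreeBSD's hex netmask
# notation (0xffffff00) into the dotted-decimal form fwbuilder wants, plus the
# CIDR prefix length, and validate that the mask is contiguous.
# Function names are my own; the ifconfig sample in the loop is constructed.

# hex_to_dotted 0xffffff00  ->  255.255.255.0
hex_to_dotted() {
    _m=$(( $1 ))                 # $(( 0x... )) parses the hex literal
    printf '%d.%d.%d.%d\n' \
        $(( (_m >> 24) & 255 )) $(( (_m >> 16) & 255 )) \
        $(( (_m >> 8) & 255 ))  $(( _m & 255 ))
}

# mask_is_valid 0xffffff00 -> exit 0; mask_is_valid 0xffff00ff -> exit 1
# A netmask is a run of 1s followed by 0s, so mask | (mask - 1) must be all
# 32 bits set (this also accepts 0x0, the /0 mask).
mask_is_valid() {
    _m=$(( $1 ))
    if [ "$_m" -lt 0 ] || [ "$_m" -gt 4294967295 ]; then
        return 1
    fi
    [ $(( (_m | (_m - 1)) & 4294967295 )) -eq 4294967295 ]
}

# mask_prefix_len 0xffffff00 -> 24  (count of 1 bits)
mask_prefix_len() {
    _m=$(( $1 )) _n=0
    while [ "$_m" -ne 0 ]; do
        _n=$(( _n + (_m & 1) ))
        _m=$(( _m >> 1 ))
    done
    echo "$_n"
}

# dotted_to_hex 255.255.255.0 -> 0xffffff00 (the reverse, for checking your entry)
dotted_to_hex() {
    _v=$(IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )))
    printf '0x%08x\n' "$_v"
}

# describe_mask 0xffffff00 -> "0xffffff00 = 255.255.255.0 (/24)"; exit 1 if invalid
describe_mask() {
    if mask_is_valid "$1"; then
        printf '%s = %s (/%s)\n' "$1" "$(hex_to_dotted "$1")" "$(mask_prefix_len "$1")"
    else
        printf '%s is not a contiguous netmask\n' "$1" >&2
        return 1
    fi
}

# Read ifconfig(8) output on stdin; print "iface address dotted-mask /len"
# for every inet line, e.g. "xl0 192.168.2.49 255.255.255.0 /24".
ifconfig_masks() {
    awk '/^[a-z0-9]+: / { iface = substr($1, 1, length($1) - 1) }
         $1 == "inet" && $3 == "netmask" { print iface, $2, $4 }' |
    while read -r _if _addr _hex; do
        printf '%s %s %s /%s\n' "$_if" "$_addr" \
            "$(hex_to_dotted "$_hex")" "$(mask_prefix_len "$_hex")"
    done
}

# Demonstration on a few masks, including one that is not contiguous.
for _sample in 0xffffff00 0xffffffe0 0xff000000 0xffff00ff; do
    describe_mask "$_sample" || :
done
```

Typical use is `ifconfig | sh -c '. ./netmask.sh; ifconfig_masks'` (the file name is hypothetical), which prints one line per interface ready to be copied into the Netmask field. The contiguity check matters because fwbuilder will happily accept 255.0.255.255, and pf will then match traffic you did not intend.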
Note to users of modems: your interface name will be either ppp0 or tun0. Running ifconfig while connected to the internet will make it easier to spot your IP address.
Once you've entered the information for a NIC, click Add and repeat for each of your NIC(s). When finished, click on the Finish button. The Firewall properties menu will stay open for you, but you can close it to keep the defaults. If you take a look at your Object tree, it now contains some new objects: one for your firewall and one for each interface you defined.
You have one last change to finish the firewall object--marking one of the interfaces as a Management interface. For a personal firewall, it should be the loopback. Double-click your loopback object and check the Management interface box, then close that screen.
