Creating a Simple Firewall Ruleset
You now have everything you need to create a simple firewall ruleset that allows your personal computer to access the internet and prevents anyone on the internet from accessing your computer.
Click on the Rules menu and select Insert Rule (Figure 2). Notice that the default rule denies any source from reaching any destination using any TCP/UDP service. To allow the system running the firewall to reach the internet, right-click your firewall object and select Copy. Then right-click inside the Source box of the rule and select Paste. Your firewall should now show as the source of packets. Next, right-click the Deny word under Action and change it to Accept. In the Options box, right-click and select Logging Off; you don't want to log every one of your successful packets.
You should always add a comment to remind yourself why you made a rule. If you double-click on the box, you can type in your comment. I wrote:
allow my computer to access the internet
That one rule is enough to give you a working firewall. If you want, you can add a second rule. Click on the Rules menu and select Add Rule Below. Add a comment:
deny all other traffic
If you don't plan on looking at your firewall logs, turn off logging in the Options box.
Note that this second rule isn't necessary for this setup, because the pf firewall assumes you want to deny any traffic you didn't explicitly accept. This is an implicit deny. You may find it useful to add the rule with a comment to remind you of this behavior.
Tip: A quick administrator's trick is to add this rule only when you are troubleshooting a problem and to leave the Logging option on.
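For reference, a hand-written pf.conf that expresses the same two-rule policy. This is an added illustration, not the ruleset Firewall Builder compiles for you, and it assumes the internet-facing interface is named em0.

```pf
# Hand-written pf.conf equivalent of the two GUI rules (illustration only,
# not Firewall Builder output). Assumption: em0 is the interface that
# faces the internet.
ext_if = "em0"

# Leave loopback alone so local tools (including the ssh session that
# installs the policy) keep working.
set skip on lo0

# Rule 1: allow my computer to access the internet.
# "self" expands to every address on this host; "quick" makes the rule
# final so the file is read top to bottom like the GUI rule list;
# "keep state" lets the replies back in without a separate inbound rule;
# there is no "log", matching Logging Off in the GUI.
pass out quick on $ext_if from self to any keep state

# Rule 2: deny all other traffic. pf itself passes packets that match no
# rule, so in a hand-written pf.conf this line is required; the implicit
# deny the GUI relies on comes from the compiled policy, not from pf's
# defaults. "log" here follows the troubleshooting tip above; drop it
# once you are no longer investigating a problem.
block log all
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and load it with `pfctl -f /etc/pf.conf`.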
Installing your Firewall Rules
You've just created a firewall ruleset, but it won't start working until you install it.
First, you need to configure sshd to allow the superuser to connect and install the firewall rules. By default, FreeBSD doesn't allow superuser ssh sessions. Change this default by typing the next line very carefully and double-checking your upper- and lowercase and your >> before pressing enter:
# echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
Don't worry; no one on the internet will be able to ssh to your computer once you install your firewall rules. Next, tell sshd about that change:
# /etc/rc.d/sshd reload
Reloading sshd config files.
If you see an error:
sshd not running? (check /var/run/sshd.pid).
use this command instead:
# /etc/rc.d/sshd start
Starting sshd.
Verify that sshd is running with:
# /etc/rc.d/sshd status
sshd is running as pid 5467.
Next, select Install from the Rules menu. You'll receive this message:
Some objects have been modified since you compiled the policy last time. Do you want to recompile it before you install?
You do, so click the Compile button. A text box should open and the last message should read "Policy compiled successfully." Click the Install button. Under authentication information, enter root for the username and type in the password for your superuser account, then press Next. You should receive a New RSA key message:
You are connecting to the firewall 'my_firewall' for the first time. It has provided you its identification in a form of its host public key. The fingerprint of the host public key is: " b6:76:30:aa:01:27:64:48:3b:18:28:18:5b:c9:ae:e4" You can save the host key to the local database by pressing YES, or you can cancel connection by pressing NO. You should press YES only if you are sure you are really connected to the firewall 'my_firewall'.
It is safe to press Yes because you know you are connecting to your own firewall. However, it is good to know how to check a host's fingerprint in case you ever connect to a remote FreeBSD system:
# ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
1024 b6:76:30:aa:01:27:64:48:3b:18:28:18:5b:c9:ae:e4
Note: you will only need to verify the fingerprint the very first time you install your firewall.
Once you click Yes, a text box will open (mine was minimized). You will get a message about No ALTQ support in the kernel, but that's OK, as you aren't using it. Simply close the message box. Your firewall is now running.