BSD DevCenter


Building a Desktop Firewall

Creating a Simple Firewall Ruleset

You now have everything you need to create a simple firewall ruleset that allows your personal computer to access the internet and prevents anyone on the internet from accessing your computer.

Click on the Rules menu and select Insert Rule (Figure 2). Notice that the default rule denies any source from reaching any destination using any TCP/UDP service. To make the system running the firewall the source of this rule, right-click your firewall object and select Copy. Right-click inside the Source box of the rule and Paste. Your firewall should now show as the source of packets. Next, right-click the Deny word under Action and change it to Accept. In the Options box, right-click and select Logging Off; you don't want to log every one of your successful packets.

Figure 2. Inserting a rule

You should always add a comment to remind yourself why you made a rule. If you double-click on the box, you can type in your comment. I wrote:

allow my computer to access the internet

That one rule is enough to give you a working firewall. If you want, you can add a second rule. Click on the Rules menu and select Add Rule Below. Add a comment:

deny all other traffic

If you don't plan on looking at your firewall logs, turn off logging in the Options box.

Note that this second rule isn't necessary for this setup, because the pf firewall assumes you want to deny any traffic you didn't explicitly accept. This is an implicit deny. You may find it useful to add the rule with a comment to remind you of this behavior.

Tip: A quick administrator's trick is to add this rule only when you are troubleshooting a problem and to leave the Logging option on.
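To see what the two GUI rules amount to once compiled, here is a constructed pf.conf equivalent, added for this walkthrough rather than taken from the article or from Firewall Builder's generated output. The interface name em0 is an assumption; substitute your own. Because pf itself passes a packet that matches no rule, the "deny all other traffic" behavior has to exist as a block rule in the compiled policy, and the example writes it out explicitly. pf is last-match-wins, so the general block line comes first and the specific pass line after it:

```shell
#!/bin/sh
# Constructed example (not the article's or fwbuilder's code): the pf.conf that
# corresponds to "allow my computer to access the internet" plus "deny all other
# traffic". The interface name is an assumption passed in as $1 (default em0).

gen_pf_conf() {
    ext_if="${1:-em0}"
    cat <<EOF
# constructed pf.conf mirroring the two Firewall Builder rules
ext_if = "${ext_if}"
set skip on lo0

# Rule 2 (deny all other traffic): the implicit deny made explicit, with logging.
# pf evaluates rules last-match-wins, so this general rule goes first.
block log all

# Rule 1 (allow my computer to access the internet): stateful, no logging.
# "(\$ext_if)" means whatever address the interface holds at run time;
# "keep state" lets the replies back in without a separate inbound rule.
pass out on \$ext_if from (\$ext_if) to any keep state
EOF
}

# Count the pass/block rules in the generated policy: a quick sanity check
# that the two intended rules, and only those two, are present.
count_rules() {
    gen_pf_conf "$1" | grep -Ev '^[[:space:]]*(#|$)' | grep -Ec '^(pass|block)'
}

# Syntax-check the policy without loading it. pfctl -n parses only; on a host
# without pf (anything that is not BSD) the check is skipped rather than failed.
check_pf_conf() {
    if command -v pfctl >/dev/null 2>&1; then
        gen_pf_conf "$1" | pfctl -nf -
    else
        echo "pfctl not found; skipping syntax check" >&2
        return 0
    fi
}

# Usage on the firewall itself:  gen_pf_conf em0 > /tmp/pf.conf.new && check_pf_conf em0
```

Running `check_pf_conf` before `pfctl -f` is the command-line counterpart of the Compile step in the GUI: a typo in the ruleset is caught before anything replaces the running policy.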

Installing your Firewall Rules

You've just created a firewall ruleset, but it won't start working until you install it.

First, you need to configure sshd to allow the superuser to connect and install the firewall rules. By default, FreeBSD doesn't allow superuser ssh sessions. Change this default by typing the next line very carefully and double-checking your upper- and lowercase and your >> before pressing enter:

# echo "PermitRootLogin yes"  >> /etc/ssh/sshd_config

Don't worry; no one on the internet will be able to ssh to your computer once you install your firewall rules. Next, tell sshd about that change:

# /etc/rc.d/sshd reload
Reloading sshd config files.

If you see an error:

sshd not running? (check /var/run/

use this command instead:

# /etc/rc.d/sshd start
Starting sshd.

Double-check that sshd is running with:

# /etc/rc.d/sshd status
sshd is running as pid 5467.

Next, select Install from the Rules menu. You'll receive this message:

    Some objects have been modified since
    you compiled the policy last time.
    Do you want to recompile it before you install?

You do, so click the Compile button. A text box should open and the last message should read "Policy compiled successfully." Click the Install button. Under authentication information, enter root for the username and type in the password for your superuser account, then press Next. You should receive a New RSA key message:

    You are connecting to the firewall 'my_firewall'
    for the first time. It has provided you its
    identification in a form of its host public key. The
    fingerprint of the host public key is: "
    You can save the host key to the local database
    by pressing YES, or you can cancel connection
    by pressing NO. You should press YES only if
    you are sure you are really connected to the 
    firewall 'my_firewall'.

It is safe to press Yes because you know you are connecting to your own firewall. However, it is good to know how to check a host's fingerprint in case you ever connect to a remote FreeBSD system:

# ssh-keygen -l -f /etc/ssh/
1024     b6:76:30:aa:01:27:64:48:3b:18:28:18:5b:c9:ae:e4

Note: you will only need to verify the fingerprint the very first time you install your firewall.

Once you click Yes, a text box will open (mine was minimized). You will get a message about No ALTQ support in the kernel, but that's OK, as you aren't using it. Simply close the message box. Your firewall is now running.


