Controlling the Firewall
pfctl (pf control) command to see what's happening with your firewall and to stop and start the firewall. Use the show switch (
-s) to view the rules currently running on the firewall:
# pfctl -s rules No ALTQ support in kernel ALTQ related functions disabled pass out quick inet from (xl0) to any keep state label "RULE 0 -- ACCEPT " block drop in quick inet all label "RULE 1 -- DROP " block drop out quick inet all label "RULE 1 -- DROP " block drop in quick inet all label "RULE 10000 -- DROP " block drop out quick inet all label "RULE 10000 -- DROP "
If you compare that text to the rules you made in
fwbuilder, you'll recognize rules 0 and 1. Rule 10000 is that implicit deny rule.
If you ever wish to stop your firewall, use the disable switch:
# pfctl -d
To restart the firewall, specify the name of your ruleset. It will be in /etc and have the same name as your firewall. In my case, it is in /etc/my_firewall.conf. To start this firewall, I use
pfctl at the command line with the enable switch:
# pfctl -e /etc/my_firewall.conf
Alternatively, I can right-click the firewall in the Objects tree and choose Install from the drop-down menu. (Note that this will fail for the current set of rules. It's easy to fix though.)
Note: if you added the line to /etc/rc.conf mentioned at the beginning of this article, add another line to load your ruleset if you reboot your computer:
where my_firewall.conf is the name of your ruleset. It is always a good idea to run
pfctl -s rules after a reboot to double-check that your firewall is running.
Fine-Tuning the Rules
If you take a look at your first rule, it allows the firewall to go anywhere as a Source. However, nothing can connect to the firewall as a Destination. This includes the firewall making a connection to itself in order to install a policy, so if you were to add a rule you would get an error when you tried to install it. This is fine if you are happy with your firewall as is. Try it out--you should be able to surf, send/receive email, and do most of the things you normally do on the internet.
However, if you find you need to add more rules, you must start with a rule that allows the firewall to install a policy. Click on the number 0 in the first rule, go to the Rules menu, and select Insert Rule. Because the firewall needs to access the loopback management interface over
ssh, it makes sense to have the rule look like this:
Source: my_firewall Destination: my_firewall:lo0:ip (you'll find this if you click the + by your loopback object) Service: ssh Action: Accept Options: Logging On Comment: allow firewall to install policy
You haven't made a ssh object yet, so do so now. Click + next to Services to expand its tree. Right-click TCP and select New TCP Service. Under Name:, enter ssh. Under Destination Port Range Start, enter 22 and click the Apply Changes button. When finished, your firewall rules should resemble Figure 3.
Before you can install the new rule, you will have to temporarily stop the firewall--remember, it currently doesn't allow any connections to itself.
# pfctl -d
Install the rulebase as usual; it will restart the firewall for you. You should be able to see your new rule if you type:
# pfctl -s rules
My new rule looks like:
pass out log quick inet proto tcp from (xl0) to 127.0.0.1 port = ssh keep state label "RULE 0 -- ACCEPT "
Today, I've demonstrated how to make a personal firewall that protects your system while allowing you to access the internet. My next article will show you how to install a NAT policy with
fwbuilder and explore some of its other features.
Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.
Return to the BSD DevCenter.