FreeBSD as a Router with Packet Filter   June 4th, 2010

In this howto we will learn how to configure FreeBSD as a router using PF (Packet Filter).

PF (Packet Filter, known as pf) is a BSD-licensed stateful firewall. It is comparable to Linux iptables, and to ipfw and ipfilter. PF is developed by OpenBSD but has been ported to many other operating systems, including FreeBSD.

FreeBSD 7.2 will be used for this tutorial. Let's break down what we want and what we should do.

PRELIMINARY SETUP

1) Configure the network cards for the internal and external networks in the /etc/rc.conf file.

ifconfig_rl0="inet 192.168.1.1 netmask 255.255.255.0"
ifconfig_rl1="inet 202.199.199.199 netmask 255.255.255.240"

2) Set the defaultrouter in /etc/rc.conf to the gateway address assigned by your ISP.

defaultrouter="202.199.199.1"

3) Enable the gateway (IP forwarding) function of FreeBSD in /etc/rc.conf:

gateway_enable="YES"

Enabling/Implementing PF

There are several ways to enable PF: compile it into the kernel, or load it as a kernel module. I added these options to my /etc/rc.conf file to ensure that PF starts at boot time.

pf_enable="YES"
pf_flags=""
pflog_enable="YES"
pflog_file="/var/log/pflog"
pflog_flags=""

I have chosen a non-default value for the PF rules file; the default value is the one found in /etc/defaults/rc.conf. The default install comes with many fine examples in /etc/pf.conf and I urge you to read them.

Enabling PF

The main interface between PF and the outside world is pfctl. To load PF at run time without rebooting, load the kernel module and confirm it is present:

# kldload pf
# kldstat
Id Refs Address    Size     Name
1    8 0xc0400000 6721fc   kernel
2    1 0xc0a73000 58554    acpi.ko
3    1 0xc4eb5000 16000    linux.ko
4    1 0xc5e20000 2d000    pf.ko

Now let's see what PF has loaded for us; we can display the filter parameters with this command.

# pfctl -s all
No ALTQ support in kernel
ALTQ related functions disabled
FILTER RULES:
INFO:
Status: Disabled                   Debug: None
(output continues)

As you can see, the output indicates that PF is disabled. Let's enable PF with this command:

# pfctl -e
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled

There are still no filter rules loaded. Now we need to create our own firewall rules in the /etc/pf.conf file and then load them with pfctl -f /etc/pf.conf (pfctl -nf /etc/pf.conf checks the syntax without loading anything).

Here is a cut-down version of what I use, with rl0 on my local network and rl1 on my ISP network. Here are the pf rules.

int_if = "rl0"
ext_if = "rl1"
lan_net = "192.168.1.0/24"
external_addr = "202.199.199.199"
# WWW host machine inside
wwwhost = "192.168.1.49"
# Squid proxy machine inside
squid = "192.168.1.50"
# Outside trusted hosts for SSH (a.b.c.d are placeholders for the real addresses)
HOME = "a.b.c.d"
OFFICE = "a.b.c.d"
# table name assumed: the original name was lost when the <...> was stripped from the page
table <trusted> { $HOME, $OFFICE }
icmp_types = "echoreq"
# a macro definition takes no leading $ (only its uses do)
NoRouteIPsNet = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
set skip on lo0
set limit { states 150000, frags 5000 }
# Normalization:
scrub in all
# NAT
nat on $ext_if from $lan_net to any -> ($ext_if)
# Transparent proxy: send LAN web traffic to Squid, but leave Squid's own
# upstream fetches alone or they would be redirected back to Squid in a loop
no rdr on $int_if proto tcp from $squid to any port 80
rdr on $int_if proto tcp from $lan_net to any port 80 -> $squid port 3128
# Public web server: port 80 on the gateway goes to the inside host
rdr on $ext_if proto tcp from any to $external_addr port 80 -> $wwwhost
# block all by default
block log all
# activate spoofing protection for all interfaces
block in log quick from urpf-failed
# Block non-routable networks
block in log quick on $ext_if from $NoRouteIPsNet to any
block out log quick on $ext_if from any to $NoRouteIPsNet
# pass all traffic to internal interface from local network
pass in log on $int_if from $lan_net to any
pass out log on $int_if from any to $lan_net
# pass out all external traffic
pass out on $ext_if proto { tcp udp icmp } all modulate state
# web server: filtering sees the destination after the rdr above
pass in on $ext_if inet proto tcp from any to $wwwhost \
    port 80 flags S/SA synproxy state
# allow ssh from the trusted hosts only
pass in log on $ext_if inet proto tcp from <trusted> to $external_addr port 22 synproxy state

A few hints on specific lines defined above (the line numbers refer to my full /etc/pf.conf, so they do not line up exactly with the cut-down listing):

1-2 – Define my internal and external NICs.

3-4 – Define my internal network and my public IP address.

7 – My local webserver's IP address.

10-11 – Define my trusted hosts for SSH connectivity.

13 – Define the table of those trusted hosts.

26 – Define the NAT rule.

27 – Define the Squid proxy server's IP address.

28 – Redirection of port 80 on my gateway to my local webserver.

50 – Allowing trusted hosts to SSH in.
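To make the evaluation order of the ruleset above concrete, here is a small Python model of it; this is an added example, not code from the original post or from pf itself. It applies the rdr rules first (pf translates before it filters), then walks the filter rules with pf's last-match-wins semantics and the quick short-circuit, and runs a few constructed packets through them. It leaves out scrub, state tracking and the urpf-failed rule, excludes Squid's own port 80 traffic from the transparent-proxy redirect so it cannot loop, and uses 198.51.100.7 as a constructed stand-in for the trusted-host table (a.b.c.d in the post).

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

EXT_ADDR, WWWHOST, SQUID = "202.199.199.199", "192.168.1.49", "192.168.1.50"
LAN, TRUSTED = ["192.168.1.0/24"], ["198.51.100.7"]  # TRUSTED: constructed stand-in for a.b.c.d
NOROUTE = ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
Pkt = namedtuple("Pkt", "dir ifn src dst proto dport")

def in_nets(addr, nets):
    return any(ip_address(addr) in ip_network(n) for n in nets)

# (action, direction, interface, quick, src nets, dst nets, protos, dport); None = any
RULES = [
    ("block", None, None, False, None, None, None, None),       # block log all
    ("block", "in", "rl1", True, NOROUTE, None, None, None),    # non-routable sources, quick
    ("block", "out", "rl1", True, None, NOROUTE, None, None),   # non-routable destinations, quick
    ("pass", "in", "rl0", False, LAN, None, None, None),
    ("pass", "out", "rl0", False, None, LAN, None, None),
    ("pass", "out", "rl1", False, None, None, {"tcp", "udp", "icmp"}, None),
    ("pass", "in", "rl1", False, None, [WWWHOST], {"tcp"}, 80),  # sees the post-rdr destination
    ("pass", "in", "rl1", False, TRUSTED, [EXT_ADDR], {"tcp"}, 22),
]

def redirect(p):  # the two rdr rules; pf translates addresses before the filter rules run
    if (p.dir, p.ifn, p.proto, p.dst, p.dport) == ("in", "rl1", "tcp", EXT_ADDR, 80):
        return p._replace(dst=WWWHOST)
    if ((p.dir, p.ifn, p.proto, p.dport) == ("in", "rl0", "tcp", 80)
            and in_nets(p.src, LAN) and p.src != SQUID):  # Squid's own fetches must not loop back
        return p._replace(dst=SQUID, dport=3128)
    return p

def decide(pkt):
    """Last matching rule wins, unless a matching rule is 'quick', which ends evaluation."""
    p, verdict = redirect(pkt), "pass"  # pf passes what nothing matches; 'block all' catches that
    for action, d, ifn, quick, src, dst, protos, dport in RULES:
        if (d in (None, p.dir) and ifn in (None, p.ifn) and dport in (None, p.dport)
                and (src is None or in_nets(p.src, src)) and (dst is None or in_nets(p.dst, dst))
                and (protos is None or p.proto in protos)):
            verdict = action
            if quick:
                break
    return verdict, p.dst, p.dport

def sample_verdicts():
    """Constructed packets run through the ruleset; returns {name: (verdict, dst, dport)}."""
    samples = {
        "spoofed_rfc1918_from_isp": Pkt("in", "rl1", "10.1.2.3", EXT_ADDR, "tcp", 80),
        "web_from_internet": Pkt("in", "rl1", "203.0.113.9", EXT_ADDR, "tcp", 80),
        "ssh_from_stranger": Pkt("in", "rl1", "203.0.113.9", EXT_ADDR, "tcp", 22),
        "squid_upstream_fetch": Pkt("in", "rl0", SQUID, "203.0.113.50", "tcp", 80),
    }
    return {name: decide(p) for name, p in samples.items()}
```

Note that the spoofed packet is dropped by the quick bogon rule even though the web-server pass rule further down would otherwise match it after the rdr; that is exactly why those block rules carry quick.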


I hope that’s enough to get you started with your own ruleset.

This entry was posted on Friday, June 4th, 2010 at 8:42 pm and is filed under FreeBSD, Networking.

3 Responses

August 3rd, 2010 at 6:00 pm
Aftab Says:

what is $NoRouteIPsNet?

August 3rd, 2010 at 8:06 pm
amanat Says:

These are private IP addresses and should be stopped by the ISP, as on public networks they are not usable and also not allowed; they are mostly used for spam, fake IPs, etc.

August 3rd, 2010 at 8:09 pm
amanat Says:

Have a look at this link: http://www.easydesksoftware.com/news/news28.htm. Many articles are available; simply put, they are non-routable.
