Jephe Wu - http://linuxtechres.blogspot.com
Environment: FreeBSD PF firewall.
Objective: understanding the Packet Filter (PF) firewall
Steps:
1. OS installation part
a. use 'F - DD' ('Dangerously Dedicated') mode to configure the partition, since the server is dedicated to FreeBSD only, with no other OS.
b. use 'Automatic' mode to make the partitions
c. select the 'full binary, doc and kernel source only' category to install
2. user and DNS configuration
If your environment has no DNS server, you will wait a long time for a login prompt when you ssh into the server, because the host attempts a DNS lookup that nobody answers. The fix is to edit /etc/nsswitch.conf (vi /etc/nsswitch.conf) and remove 'dns' from the hosts line.
3. set up the PF firewall
a. add the following to /etc/rc.conf:
pf_enable="YES"
pf_flags=""
pf_rules="/etc/pf.conf"
pflogd_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
b. edit the default /etc/pf.conf:
ext_if="fxp0" # replace with the actual external interface name, e.g. dc0
int_if="fxp1" # replace with the actual internal interface name, e.g. dc1
scrub in all # normalize all incoming packets
block in log all # default deny policy for incoming packets (logged to pflog)
# allow ssh from one specific internal IP to the internal NIC of the firewall
pass in on $int_if proto tcp from 192.168.0.2 to $int_if port 22 keep state
# allow all outgoing tcp and udp traffic on the internal NIC
pass out on $int_if proto { tcp, udp } all keep state
# allow incoming ssh (tcp port 22) from a trusted external IP
pass in on $ext_if proto tcp from x.y.z.a to $ext_if port 22 keep state
# allow the firewall itself to reach the trusted external IP; replies to the ssh session are already covered by the state entry
pass out on $ext_if from $ext_if to x.y.z.a keep state
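As an added example (not from the original post and not PF's own code), this Python model applies PF's rule-evaluation order to the ruleset above: the last matching rule wins, and a packet that matches no rule is passed, which is why 'block in log all' comes first. It ignores scrub, state tracking, 'log' and 'quick'; the trusted-host rule is written as a tcp/port 22 rule as its comment describes, and 203.0.113.7 plus the interface addresses are constructed stand-ins for x.y.z.a and the firewall's real addresses.

```python
import re

# Constructed stand-ins: 203.0.113.7 replaces the post's x.y.z.a; interface addresses are invented.
MACROS = {"ext_if": "fxp0", "int_if": "fxp1"}
ADDRS = {"fxp0": "203.0.113.1", "fxp1": "192.168.0.1"}
RULESET = """
block in log all
pass in on $int_if proto tcp from 192.168.0.2 to $int_if port 22 keep state
pass out on $int_if proto { tcp, udp } all keep state
pass in on $ext_if proto tcp from 203.0.113.7 to $ext_if port 22 keep state
pass out on $ext_if from $ext_if to 203.0.113.7 keep state
"""
ARGS = {"on": "iface", "from": "src", "to": "dst", "proto": "proto", "port": "dport"}  # keyword -> constraint
CONV = {"proto": lambda a: set(re.findall(r"\w+", a)), "port": int}  # argument converters

def parse_rule(line):
    """Parse the pf.conf subset used above into a dict of match constraints."""
    line = re.sub(r"\$(\w+)", lambda m: MACROS[m.group(1)], line)  # expand macros
    toks = re.findall(r"\{[^}]*\}|\S+", line)  # keep '{ tcp, udp }' as one token
    rule = {"action": toks[0], "dir": toks[1], **dict.fromkeys(ARGS.values())}
    i = 2
    while i < len(toks):
        if toks[i] in ARGS:  # keyword followed by its argument
            rule[ARGS[toks[i]]] = CONV.get(toks[i], str)(toks[i + 1])
            i += 2
        else:                # log, all, keep, state: no constraint in this model
            i += 1
    return rule

def addr_match(spec, addr):
    return spec is None or ADDRS.get(spec, spec) == addr  # iface name -> its own address

def matches(rule, pkt):
    return (rule["dir"] == pkt["dir"]
            and rule["iface"] in (None, pkt["iface"])
            and (rule["proto"] is None or pkt["proto"] in rule["proto"])
            and addr_match(rule["src"], pkt["src"])
            and addr_match(rule["dst"], pkt["dst"])
            and rule["dport"] in (None, pkt["dport"]))

def verdict(rules, pkt):
    """The LAST matching rule decides (no 'quick' here); PF passes when nothing matches."""
    decision = "pass"
    for rule in rules:
        if matches(rule, pkt):
            decision = rule["action"]
    return decision

RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]
```

Feed verdict() a packet dict with iface, dir, proto, src, dst and dport to see which way the ruleset decides; note that 'block in' alone never touches outbound packets from the firewall.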