Creating a router / firewall using FreeBSD

  1. #1
    Junior Member
    Join Date
    Aug 2006
    Posts
    16

    Creating a router / firewall using FreeBSD

    First off, thanks in advance to anyone who helps and replies. Now, here we go...

    I've used FreeBSD in the past at my workplace for servers and such. I work on the IT / Networking end of the company and thus I've never actually been involved in configuring and such; however, I have administered on a basic level. I want to create a router / firewall at my home using FreeBSD and PF. The reason I chose this setup was due to the stability and configurability I have experienced at work with our FreeBSD servers, and the good reviews on PF I have read on the internet compared to IPTables in Linux, and IPFW, etc.

    Like I said above, I've never actually configured or played around with partitioning, PF, or other more in-depth aspects of FreeBSD, just basic administration (i.e., updates, loading services, killing services). So I ask for some assistance, and before you yell at me, I will be searching AO and reading through the FreeBSD docs for help.

    *This box will only operate as a router and firewall... nothing else*

    My setup :

    WAN ----> Cable Modem ---> FreeBSD Router/Firewall ------> Switch -----> Private LAN

    1 - I was wondering what a stable, secure, efficient partition scheme would be for the router/firewall. This will be on a 40GB drive.

    2 - Can anyone recommend some appropriate reading for securing/hardening a FreeBSD box, setting up PF rules, etc. that would pertain to a router/firewall?

    I will be reviewing the threads on this site to set up some IDS and other various security measures as well on the box. Any recommendations?


    Thanks again for any help.


    --Toxic.Influx
    QFT!!


  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    1) The default is good enough to start with.

    2) Start with the handbook. No kidding, most of the info I needed was in there.


    You'll need to build a custom kernel though. See the handbook on how to do that.

    You'll need at least device pf and device pflog if you want to use PF.

    Installing Snort is easy... Use the ports, Luke.

    cd /usr/ports/security/snort && make all install clean

    You should add these to /etc/rc.conf:
    gateway_enable="YES" # to route the traffic
    syslogd_flags="-ss" # prevents syslog from opening a port
    sendmail_enable="NO" # This runs sendmail as a local only MTA
    # If you want PF enabled:
    pf_enable="YES"
    pflog_enable="YES"

    # If Snort is installed:
    snort_enable="YES" # Set to YES to enable snort
    snort_flags="-Dq" # Extra flags passed to snort; Default: -Dq
    snort_interface="rl1" # Network interface to sniff; Default: ""
    snort_conf="/usr/local/etc/snort/snort.conf" # Snort configuration file


    That should give you a basic firewall/router. PF on OpenBSD is the same, and so are the rules/howtos.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
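A minimal /etc/pf.conf for the WAN -> cable modem -> FreeBSD -> switch -> LAN layout described in the first post, added here as an example (it is not from any post in this thread). It assumes rl0 faces the cable modem and rl1 faces the LAN switch, and it relies on the gateway_enable, pf_enable and pflog_enable rc.conf lines above for forwarding and logging.

```pf
# /etc/pf.conf -- example ruleset for a home router/firewall.
# Assumed interface names (check yours with ifconfig): rl0 is the
# cable-modem side, rl1 is the LAN side.
ext_if  = "rl0"
int_if  = "rl1"
lan_net = $int_if:network

# Private/reserved ranges must never show up on the Internet side,
# in either direction.
table <martians> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                         127.0.0.0/8, 169.254.0.0/16, 0.0.0.0/8, 224.0.0.0/4 }

set skip on lo0
set block-policy drop          # drop silently instead of answering with RST/ICMP
set loginterface $ext_if       # per-interface counters via: pfctl -s info

scrub in all                   # reassemble fragments, normalise odd TCP flags

# NAT: the whole LAN hides behind the (dynamic) cable-modem address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny, logged to pflog0; watch drops with:
#   tcpdump -n -e -ttt -i pflog0
block log all
antispoof quick for { lo0 $int_if }
block in quick on $ext_if from <martians> to any
block in quick on $ext_if from any to <martians>

# The router itself may talk out; LAN hosts may go anywhere, statefully.
pass out quick on $ext_if inet from ($ext_if) to any keep state
pass in  quick on $int_if inet from $lan_net to any keep state
pass out quick on $int_if inet from any to $lan_net keep state

# Nothing is passed in on $ext_if: this box exposes no services to the WAN.
# Syntax-check before loading:  pfctl -nf /etc/pf.conf   then  pfctl -f /etc/pf.conf
```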

  3. #3
    Junior Member
    Join Date
    May 2006
    Posts
    22
    Have you tried monowall? http://m0n0.ch/wall/ It's a router/firewall on FreeBSD.

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Monowall is based on FreeBSD 4.x. 4.x will be EoL on 31 Jan. 2007.

    And by using a regular FreeBSD install you'll have more control over what's being installed. It may take a little more time, but you'll learn a lot.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Senior Member bAgZ's Avatar
    Join Date
    Jul 2001
    Posts
    206
    SirDice gives good advice. The only thing I want to add, and I am not sure if it's only me, is that I had to enable the bridging option in the kernel before I was able to pass traffic between interfaces successfully. Hope that helps you.
    ----------------------------------------------------------------------------------------------------------
    "If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford

  6. #6
    Junior Member
    Join Date
    Aug 2006
    Posts
    10
    Hello everybody, I am a new member here and this is my first proper post.

    This topic is a bit advanced for me, but it just so happens that I came across a popular BSD forum last night that could be of use to you.

    The site is: http://www.bsdforums.org/forums

  7. #7
    Junior Member
    Join Date
    May 2006
    Posts
    22
    I just tried pfSense... and it is really good; pfSense even supports 32 NICs! I think IPCop (the Linux one) supports max 4 NICs and others 3 NICs (standard).

    OK, this is the link: http://pfsense.com/

  8. #8
    Junior Member
    Join Date
    Aug 2006
    Posts
    16
    Thank you all for the suggestions.


    Toxic.Influx
    QFT!!


  9. #9
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    I don't know, isn't 40 GB a bit much for a router/firewall? You may want to try to get your hands on a smaller hard disk; even 1 GB should be more than enough.

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com
