Creating a router / firewall using FreeBSD

[toxic.influx]

First off, thanks in advance to anyone who helps and replies. Now, here we go...

I've used FreeBSD in the past at my workplace for servers and the such. I work on the IT / Networking end of the company and thus I've never actually been involved in configuring and the such, however, I have administered on a basic level. I want to create a router / firewall at my home using FreeBSD and PF. The reason I chose this setup was due to the stability and configurability I have experienced at work with our FreeBSD servers, and the good reviews on PF I have read on the internet compared to IPTables in Linux, and IPFW, etc.

Like I said above, I've never actually configured or played around with partitioning, PF, or other more in depth aspects of FreeBSD, just basic administration (i.e., updates, loading services, killing services). So I ask for some assistance, and before you yell at me I will be searching AO and reading through the FreeBSD docs for help.

* This box will only operate as a router and firewall...nothing else*

My setup :

WAN ----> Cable Modem ---> FreeBSD Router/Firewall ------> Switch -----> Private LAN

1 - I was wondering what a stable, secure, efficient partition scheme would be for the router/firewall. This will be on a 40GB drive.

2 - Can anyone recommend some appropriate reading for securing/hardening a FreeBSD box, setting up PF rules, etc. that would pertain to a router/firewall.

I will be reviewing the threads on this site to setup some IDS and other various security measures as well on the box. Any recommendations??


Thanks again for any help.


--Toxic.Influx

[SirDice]

1) the default is good enough to start with.

2) start with the handbook No kidding, most of the info I needed was in there..


You'll need to build a custom kernel though. See the handbook on how to do that.

You'll need at least device pf and device pflog if you want to use PF.

Installing snort is easy.. Use the ports, Luke

cd /usr/ports/security/snort && make all install clean

You should add these to /etc/rc.conf:
gateway_enable="YES" # to route the traffic
syslogd_flags="-ss" # prevents syslog from opening a port
sendmail_enable="NO" # This runs sendmail as a local only MTA
# If you want PF enabled:
pf_enable="YES"
pflog_enable="YES"

# If Snort is installed:
snort_enable="YES" # Set to YES to enable snort
snort_flags="-Dq" # Extra flags passed to snort; Default: -Dq
snort_interface="rl1" # Network interface to sniff; Default: ""
snort_conf="/usr/local/etc/snort/snort.conf" # Snort configuration file


That should give you a basic firewall/router. PF on OpenBSD is the same, so are the rules/howto's.

[bupati]

Have you try monowall? http://m0n0.ch/wall/ it's router firewall on freebsd

[SirDice]

Monowall is based on FreeBSD 4.x. 4.x will be EoL on 31 jan. 2007.

And by using a regular FreeBSD install you'll have more control on what's being installed. It may take a little more time but you'll learn a lot

[bAgZ]

SirDice gives good advice, the only thing i want to add and i am not sure if its only me, i had to enable birdging option in a kernel before i was able to pass traffic between interfaces successfuly. Hope that helps you.

[crowchy]

Hello everybody i am a new member here and this is my first proper post.

This topic is abit advanced for me but it just so happens that i came across a popular BSD forum last night that could be of use to you.

The site is: http://www.bsdforums.org/forums

[bupati]

I just try pfsense...and it is really good, pfsense even support 32 NICS.. ! I think IPCOP (linux one) support max 4 NICS and others is 3 NICs (standard).

Ok this is the link http://pfsense.com/

[toxic.influx]

Thank you all for the suggestions.


Toxic.Influx

[cgkanchi]

I don't know, isn't 40 gb a bit much for a router/firewall. You may want to try to get your hands on a smaller hard disk, even 1 gb should be more than enough.

Cheers,
cgkanchi