August 9th, 2006, 03:52 PM
#1
Junior Member
Creating a router / firewall using FreeBSD
First off, thanks in advance to anyone who helps and replies. Now, here we go...
I've used FreeBSD in the past at my workplace for servers and such. I work on the IT / Networking end of the company and thus I've never actually been involved in configuring and such; however, I have administered on a basic level. I want to create a router / firewall at my home using FreeBSD and PF. The reason I chose this setup was due to the stability and configurability I have experienced at work with our FreeBSD servers, and the good reviews on PF I have read on the internet compared to IPTables in Linux, IPFW, etc.
Like I said above, I've never actually configured or played around with partitioning, PF, or other more in-depth aspects of FreeBSD, just basic administration (i.e., updates, loading services, killing services). So I ask for some assistance, and before you yell at me, I will be searching AO and reading through the FreeBSD docs for help.
*This box will only operate as a router and firewall... nothing else*
My setup:
WAN ----> Cable Modem ---> FreeBSD Router/Firewall ------> Switch -----> Private LAN
1 - I was wondering what a stable, secure, efficient partition scheme would be for the router/firewall. This will be on a 40GB drive.
2 - Can anyone recommend some appropriate reading for securing/hardening a FreeBSD box, setting up PF rules, etc. that would pertain to a router/firewall?
I will be reviewing the threads on this site to set up some IDS and other various security measures as well on the box. Any recommendations?
Thanks again for any help.
--Toxic.Influx
QFT!!
22 49 6e 73 61 6e 69 74 79 20 69 73 20 6f 66 74 65 6e 20 74 68 65 20 6c 6f 67 69 63 20 6f 66 20 61 6e 20 61 63 63 75 72 61 74 65 20 6d 69 6e 64 20 6f 76 65 72 2d 74 61 78 65 64 2e 22 20 20 2d 2d 4f 6c 69 76 65 72 20 57 65 6e 64 65 6c 6c 20 48 6f 6c 6d 65 73 0d 0a 0d 0a
August 9th, 2006, 04:34 PM
#2
1) The default is good enough to start with.
2) Start with the handbook. No kidding, most of the info I needed was in there.
You'll need to build a custom kernel though. See the handbook on how to do that.
You'll need at least device pf and device pflog if you want to use PF.
Installing snort is easy. Use the ports, Luke:
cd /usr/ports/security/snort && make all install clean
You should add these to /etc/rc.conf:
gateway_enable="YES" # to route the traffic
syslogd_flags="-ss" # prevents syslog from opening a port
sendmail_enable="NO" # This runs sendmail as a local only MTA
# If you want PF enabled:
pf_enable="YES"
pflog_enable="YES"
# If Snort is installed:
snort_enable="YES" # Set to YES to enable snort
snort_flags="-Dq" # Extra flags passed to snort; Default: -Dq
snort_interface="rl1" # Network interface to sniff; Default: ""
snort_conf="/usr/local/etc/snort/snort.conf" # Snort configuration file
That should give you a basic firewall/router. PF on OpenBSD is the same, and so are the rules/howtos.
Oliver's Law:
Experience is something you don't get until just after you need it.
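A minimal /etc/pf.conf for the topology in the original post (cable modem on one NIC, private LAN switch on the other), added here as an example and not taken from the thread. It assumes rl0 faces the cable modem, rl1 faces the LAN (matching the snort_interface above) and the LAN uses 192.168.1.0/24; all three are assumptions to adjust.

```pf
# /etc/pf.conf for the setup described in the thread (added example).
# Assumed: rl0 faces the cable modem, rl1 faces the LAN switch,
# 192.168.1.0/24 is the private LAN. Adjust to what ifconfig shows.
ext_if = "rl0"
int_if = "rl1"
lan_net = "192.168.1.0/24"

# Non-routable ranges that must never show up on the WAN side
table <martians> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                         127.0.0.0/8, 169.254.0.0/16 }

set skip on lo0          # never filter loopback
scrub in all             # reassemble fragments, drop bogus flag combos

# NAT: hide the LAN behind whatever address the cable modem handed to rl0
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny. Logged to pflog0, which pflog_enable="YES" starts for you.
block log all

# Drop packets that arrive on an interface they could not have come from
antispoof quick for { lo0 $int_if }
block drop in quick on $ext_if from <martians> to any
block drop out quick on $ext_if from any to <martians>

# The cable modem's DHCP server must be able to answer dhclient on rl0
pass in quick on $ext_if inet proto udp from any port 67 to any port 68

# The firewall itself may open connections to the Internet
pass out on $ext_if proto { tcp udp icmp } all keep state

# LAN hosts may go anywhere; keep state so replies are let back in
pass in on $int_if from $lan_net to any keep state

# ...but the box itself only accepts ssh from the LAN (last match wins)
block in on $int_if from $lan_net to $int_if
pass in on $int_if proto tcp from $lan_net to $int_if port ssh \
        flags S/SA keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf, and watch tcpdump -n -e -ttt -i pflog0 to see what the default block rule is dropping.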
August 10th, 2006, 12:20 AM
#3
Junior Member
Have you tried monowall? http://m0n0.ch/wall/ It's a router/firewall on FreeBSD.
August 10th, 2006, 08:54 AM
#4
Monowall is based on FreeBSD 4.x. 4.x will be EoL on 31 Jan. 2007.
And by using a regular FreeBSD install you'll have more control over what's being installed. It may take a little more time, but you'll learn a lot.
August 14th, 2006, 03:53 PM
#5
SirDice gives good advice. The only thing I want to add, and I am not sure if it's only me, is that I had to enable the bridging option in the kernel before I was able to pass traffic between interfaces successfully. Hope that helps you.
"If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford
August 14th, 2006, 05:39 PM
#6
Junior Member
Hello everybody, I am a new member here and this is my first proper post.
This topic is a bit advanced for me, but it just so happens that I came across a popular BSD forum last night that could be of use to you.
The site is: http://www.bsdforums.org/forums
August 14th, 2006, 10:30 PM
#7
Junior Member
I just tried pfSense... and it is really good; pfSense even supports 32 NICs! I think IPCop (the Linux one) supports a max of 4 NICs and the others 3 NICs (standard).
OK, this is the link: http://pfsense.com/
August 15th, 2006, 07:18 PM
#8
Junior Member
Thank you all for the suggestions.
Toxic.Influx
August 15th, 2006, 07:47 PM
#9
I don't know, isn't 40 GB a bit much for a router/firewall? You may want to try to get your hands on a smaller hard disk; even 1 GB should be more than enough.
Cheers,
cgkanchi