#1
FreeBSD supports 3 firewall systems in 5.x and 2 in 4.x. They are:

5.x
  IPFW2 - native FreeBSD firewall.
  IPF - http://coombs.anu.edu.au/~avalon/
  PF - http://www.openbsd.org/faq/pf/index.html

4.x
  IPFW
  IPF

As for sample scripts, you can use the one located in /etc/rc.firewall. By default there are 3 types: "open", "simple" and "client". If you view the rc.firewall file with a text editor you can read the comments for more information on each type. The one you will want to use on a FreeBSD server is "simple".

You can use the script /usr/share/examples/ipfw/change_rules.sh to modify and reload the IPFW firewall. You will need to be familiar with 'vi' to use the change_rules script unless you have changed your default editor to something else.

IPFW is a pretty nice firewall with some built-in traffic shaping tools that are available with 'dummynet'. The syntax is pretty easy to understand and write yourself. For more information on ipfw read:

  man firewall
  man ipfw

http://www.allneo.com/freebsd/rc.firewall
You can download a 'simple' firewall that I use on some of my WWW hosting servers. This is a good basic firewall and could be tuned to make it much more secure and give fine-grained control. READ THE COMMENTS IN THE rc.firewall; there are a few settings you need to change to match your host.

IPF is another firewall package that is written by Darren Reed. It's a very nice firewall package and the next release will have features like 'altq' for traffic shaping and other class of service tools. I used to run IPF on my gateway firewalls until I found 'pf' and never turned back.

PF, so far from what I have found, is a Swiss army knife of firewalls. You can do everything from traffic shaping and packet filters, load balancing with rdr, failover support (CARP), built-in NAT support, firewall failover tools with 'pfsync' and other nice features to piss off spammers with 'spamd'. If you have 5.x installed and are experienced with firewalls I would compile my kernel to support the 'pf' port and use it.

The syntax is very easy to understand and has great features like $macros, $lists and <tables> and a similar syntax to 'ipf' but shorter and easier to write. Using $macros, $lists and <tables> allows you to write the same rules for 1 host or 100000 hosts and store the IP or port and other rule information in txt files to include. This has 2 advantages: 1) it allows you to keep your pf.conf really neat and tidy, and 2) using tables instead of multiple rules speeds things up quite a bit.
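As an added example (not from the post above or from any of the linked scripts): a small pf.conf for a single WWW host that uses the $macros, $lists and <tables> the post describes, with a table loaded from a text file. The interface name em0, all addresses and the table file path are assumptions, and the overload state option assumes a pf release that supports it.

```pf
# Added example, not from the original post. Interface, addresses and
# file paths below are assumed values for a single web host.

ext_if = "em0"                              # macro: external interface
web_ports = "{ 80, 443 }"                   # list: public services
admin_hosts = "{ 192.0.2.10, 192.0.2.11 }"  # list: constructed management IPs

# Tables hold large address sets; one address or CIDR per line in the file.
# 'persist' keeps the table even when no rule currently references it.
table <spammers> persist file "/etc/pf/spammers.txt"
table <private> const { 10/8, 172.16/12, 192.168/16 }
table <bruteforce> persist

set skip on lo0
scrub in all

# Default deny inbound, log the drops so they can be reviewed on pflog0.
block in log all
pass out keep state

# Anti-spoofing: private ranges must never arrive on the external interface.
block in quick on $ext_if from <private> to any

# One rule covers every entry in the spammers table, however many there are.
block in quick on $ext_if from <spammers> to any

# Hosts that were moved into <bruteforce> by the overload rule below.
block in quick from <bruteforce>

# Public services with a per-source rate limit: more than 15 new
# connections in 5 seconds adds the source to <bruteforce> and flushes
# its existing states.
pass in on $ext_if proto tcp to ($ext_if) port $web_ports \
    flags S/SA keep state \
    (max-src-conn-rate 15/5, overload <bruteforce> flush global)

# SSH only from the management hosts in the $admin_hosts list.
pass in on $ext_if proto tcp from $admin_hosts to ($ext_if) port 22 \
    flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and edit the spammers text file and run `pfctl -t spammers -T replace -f /etc/pf/spammers.txt` to update that table without reloading the whole ruleset.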
#2
I would really like to implement this on my server, but don't really know where to start.

I ran the change_rules.sh script, which opened up rc.firewall in vi. However, this file also mentions rc.conf, which requires configuring too. I am unclear about what to put for net, mask and IP. Where would I find this information about my server? I know the IP address(es) but not the net or mask for the local network. For newbies like myself, is there anything simpler which will get me up and running faster?

Dunx