Help with *nix firewalls

Spleeze

I've been looking for a guide on how to setup a firewall on a *nix machine, but most guides are along the lines of 'how to make a NAT firewall with *nix.' I don't want a NAT box, I just want to setup a firewall on the machine that is just going to be used for it, and nothing else.

For example, say I want to use PF to only allow access to a port on my box from a certain IP range, say from my work to my box. My router doesn't offer this feature so I would have to just forward say, port 22 to my nix box from the router. But this would let any IP ssh into my box, and I'd rather only allow a certain IP range in, example 200.200.0.0/16 or something.

So I figured I could try my hand at tightening it down on the *nix box's end. Any help with setting up PF for this sort of thing or a link to a nice 'easy-to-read-for-a-PF-noob' guide would be greatly appreciated.

I hope any of that made sense :)
 
What you are looking for is iptables.
This is something that can be built into, or a module for, your kernel. If you are using a binary distribution (Fedora Core, SuSE, Mandriva, ...) then I am all but certain you already have the required kernel support enabled.

What you now need is the actual iptables program, so use yum, apt-get, emerge or whatever you use to install a program.

Now you enter the "fun" bit. iptables is an absolute pain; there is a lot of writing for a very simple thing.


I would personally suggest also getting a program called FireHOL, which is a kind of iptables parser/controller. It has its own syntax for its config file (but it is extremely easy to follow), so you can easily and quickly set up a firewall in something like 5 lines (the equivalent in iptables would be nearly 50 lines).


Now this is where FireHOL comes into its own: you can either leave it in control and let it initialise and configure iptables at startup, OR you can run firehol from the command line (with one of its options) to save the iptables file it then uses.

You can then use that iptables file with iptables and not worry about FireHOL ever again (except for changing the rules).
 
If the OP is mentioning PF, it means he's working from a *bsd box ( unless I miss my guess ). We have several resident *bsd folks, so someone should be along shortly to help.

re: iptables. It's fair to say that all modern distros have the required modules AND the iptables firewall software installed by default. I would also say that iptables is fairly easy to understand once you get how a packet flows through the system.
 
XOR != OR said:
If the OP is mentioning PF, it means he's working from a *bsd box ( unless I miss my guess ). We have several resident *bsd folks, so someone should be along shortly to help.
Ahh, my bad, I'll leave now.

XOR != OR said:
re: iptables. It's fair to say that all modern distros have the required modules AND the iptables firewall software installed by default. I would also say that iptables is fairly easy to understand once you get how a packet flows through the system.
Yeah, individual lines make sense in iptables, it's just that there are a lot of lines, and well, when FireHOL can generate a 50-line iptables ruleset from 5 lines I know what I chose :D.
I keep meaning to get around to really understanding IP rules, it's just, well, soooo boring.
 
I don't think NetBSD has picked up PF yet, but I can't be certain. I am using OpenBSD myself, and it's working quite well. OpenBSD has a nice FAQ dedicated to PF as well, and the manual pages are well written.
 
Take a look at /etc/pf.conf , which should be a well-commented example file. You'll need to add pf_enable="YES" to /etc/rc.conf for it to be read on boot, or you can use pfctl -f /etc/pf.conf to load it.

I'm a bit rusty with pf, but a basic (untested) config could be something like this:
Code:
card="em0"
scrub in all

# Default: allow anything
pass in all
pass out all

# Drop all incoming tcp traffic to port 22
block in on $card proto tcp from any to $card port ssh
# except when it's from an ok subnet (last matching rule wins, so this
# pass overrides the block above for 1.2.3.0/24 only)
pass in on $card proto tcp from 1.2.3.0/24 to $card port ssh

Basically, "allow all traffic except incoming ssh that's not from 1.2.3.x"
Pf uses the last matching rule, unless you use the "quick" keyword (as in "pass in quick on $card proto tcp from any to $card port 80"), which basically means "use this rule, don't look any further".

If you want to allow more subnets, you could either add new lines, specify them in place with curly brackets, or use a table.
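Building on that post, here is an added example (not from the thread) of what a host-only pf.conf for the OP's case might look like with the pieces mentioned above: a table for the allowed ranges, a default-deny inbound policy, and `quick` so the pass rule ends evaluation. The interface name `em0` and the address ranges (the OP's 200.200.0.0/16 plus the 1.2.3.0/24 from the post above) are assumptions; substitute your own. Since the router only rewrites the destination address when it forwards port 22, the source address PF sees is normally still the remote client's, so the table matches on the real work range.

```pf
# /etc/pf.conf - added example, not the original poster's config
# Assumptions: NIC is em0; the two ranges below are placeholders.
ext_if = "em0"

# Table of networks allowed to reach ssh. "persist" keeps the table
# around even if it becomes empty, so pfctl -t can edit it at runtime.
table <ssh_ok> persist { 200.200.0.0/16, 1.2.3.0/24 }

set skip on lo0          # never filter loopback
scrub in all             # normalise fragments (older syntax; OpenBSD 4.6+
                         # uses "match in all scrub (no-df)")

# Default policy: deny everything inbound (and log it), allow outbound.
# Without "quick" the last matching rule wins, so a plain "block in all"
# first and "pass in" rules afterwards is the usual ordering.
block in log all
pass out quick keep state

# Only the listed ranges may reach ssh on this box's own addresses;
# "quick" stops evaluation here, anything else falls to the block above.
# ($ext_if) in parentheses means "the interface's current addresses".
pass in quick on $ext_if inet proto tcp from <ssh_ok> to ($ext_if) \
    port ssh flags S/SA keep state
```

Before loading a default-deny ruleset, parse it without applying it with `pfctl -nf /etc/pf.conf`; then `pfctl -f /etc/pf.conf` loads it and `pfctl -e` enables PF. `pfctl -sr` shows the loaded rules, and the table can be inspected or extended without a reload with `pfctl -t ssh_ok -T show` and `pfctl -t ssh_ok -T add 10.0.0.0/8`. The practical caveat is lockout: test from the console (or keep a root shell open on an existing ssh session, which stays up because `keep state` already tracks it) so that a typo in the table does not cut off your only way in.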
 