There is an old saying that the only safe computer is one that’s disconnected from the network, turned off, and locked in an underground bunker—and even then you can’t be sure!

Since most of us can’t afford to keep our servers in an underground bunker, the least we can do to keep their threat exposure at rock bottom is to protect them with a combination of a firewall and an intrusion prevention system, or IPS (a.k.a. intrusion detection and prevention system, or IDPS). Of course, that alone is insufficient, and other security measures and best practices should also be considered.

This blog post covers setting up a basic, secure and stateful IPFW firewall on FreeBSD, along with Sshguard by iXsystems Inc as the intrusion prevention system.
IPFW
Sshguard
Unban
Sshguard Won’t Start
Source Code

IPFW

Traditionally FreeBSD has three firewalls built into its base system: PF, IPFW, and IPFILTER, also known as IPF. In my estimation, IPFW would be the natural choice on FreeBSD if we set aside the pros and cons of each. In contrast to the other two, IPFW was originally written for FreeBSD, and its main development platform – if we do not count DragonFly’s fork – is still FreeBSD. This means that the latest features are always available on FreeBSD. The same is not true for PF or IPF on FreeBSD. So, that’s why I chose to go with IPFW.

Before I begin, I have to mention that this guide was written for FreeBSD 10.1-RELEASE and 10-STABLE, and it may not work with older releases. I cannot verify this since all my servers and workstations are either running FreeBSD 10.1-RELEASE or 10-STABLE at the time of writing. So, you are on your own if you are trying this on an older release.

OK, in order to configure our firewall we have to modify /etc/rc.conf. First, you should make sure no other firewall is running by looking for pf_enable="YES" or ipfilter_enable="YES" inside /etc/rc.conf. If you have either of them, you should disable it by either setting its value to "NO" or removing it completely. After that we can enable and configure our IPFW firewall inside /etc/rc.conf:

/etc/rc.conf
firewall_enable="YES"
firewall_quiet="YES"
firewall_type="workstation"
firewall_myservices="11011 domain http https imap imaps pop3 pop3s smtp smtps"
firewall_allowservices="any"
firewall_logdeny="YES"
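
One way to script the check described above before enabling IPFW, as an added example that is not part of the original post. The function names and the sample file are constructed, and the truthiness test mirrors the YES/TRUE/ON/1 values that FreeBSD's rc.subr accepts.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Effective value of variable $2 in rc.conf-style file $1. rc.conf is sourced
# by sh, so the last assignment wins; trailing comments and quotes are dropped.
rc_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]][[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/'
}

# Same truthiness rule as rc.subr's checkyesno: YES, TRUE, ON or 1, any case.
is_yes() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        yes|true|on|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one finding per line; succeed only when there are none.
audit_firewall_conf() {
    conf=$1
    bad=0
    for other in pf_enable ipfilter_enable; do
        if is_yes "$(rc_value "$conf" "$other")"; then
            echo "CONFLICT: $other is enabled alongside IPFW"
            bad=1
        fi
    done
    if ! is_yes "$(rc_value "$conf" firewall_enable)"; then
        echo "MISSING: firewall_enable is not YES"
        bad=1
    fi
    if [ -z "$(rc_value "$conf" firewall_type)" ]; then
        echo "MISSING: firewall_type is not set in this file"
        bad=1
    fi
    if ! is_yes "$(rc_value "$conf" firewall_logdeny)"; then
        echo "WARN: firewall_logdeny is not YES"
        bad=1
    fi
    return "$bad"
}

# Constructed sample: pf is disabled, then re-enabled further down the file.
sample=$(mktemp /tmp/rcconf.XXXXXX)
printf '%s\n' 'pf_enable="NO"' 'firewall_enable="YES"' \
    'firewall_type="workstation"' 'pf_enable="YES"  # leftover' > "$sample"
audit_firewall_conf "$sample" || echo "=> fix the findings above"
rm -f "$sample"
```

On the constructed sample the audit reports the pf_enable conflict, because the later assignment overrides the earlier "NO", and it also flags the missing firewall_logdeny line.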
