# I don't want to configure my own firewall. I want a good firewall. What can I do?



## drp (Jul 24, 2010)

I'm not using FreeBSD as a server, but I want to protect it as a desktop. I've read things that say that you don't really (necessarily) need a firewall, and I know this, but I just want to set up a firewall for home desktop use.
Since I don't need anyone able to access anything on my computer as a server, I just need to be able to use the internet and allow no one to do anything with my computer. I'm not paranoid, but that's what I want: an absolutely paranoid configuration. I want everything very paranoid and simple. I don't know how to say this in exact terms. (maybe, allow outgoing, only allow incoming when I'm the one who starts the connection? or something like that). I want a paranoid, simple configuration so that I can use the internet (browse, download, upload, etc.) but not allow any connections to my computer. I would think this would be a pretty simple configuration.
I can't find anything already-made to download that works like this, or anything. Where can I find a ready-to-use firewall that is simple and paranoid (for a computer not being used as a server at all) to download?
It just really bothers me because I don't want to sit here and read for hours and hours and figure out how to configure everything just right. I just want to set up a real strong home desktop firewall. I can't find an explanation of how to do this anywhere.

I don't use a router, and I connect using DHCP. I use a cable modem. I'm only using this computer for home desktop use.

If not paranoid, at least very good protection for a home desktop. I've been searching and reading and I can't find any help on this at all.


----------



## jb_fvwm2 (Jul 24, 2010)

I found several ipfw.conf's on the internet (maybe not their real name, ...) and tested a .conf patterned after most of them (the larger ones will have sections and #comments). So if you find one that works, someone else has done the months of study and testing for you. The only thing remaining is for you to test, implement, and if it works, back it up to somewhere in case of a reinstall.
...
You need then to search the forums here or the internet about the rc.conf lines and kernel configuration, if any, also.
...


----------



## drp (Jul 24, 2010)

It seems like I should start reading about all of it pretty soon, then...

If you use the internet, and browse, then you can't just block all incoming connections, can you? You have to exchange information, right?


----------



## aragon (Jul 24, 2010)

FreeBSD's firewall startup script has some "simple" modes of operation.  You can probably use one of them, e.g.


```
firewall_enable="YES"
firewall_type="client"
firewall_client_net="192.168.x.y/24"
```

That would enable ipfw with a ruleset that allows all outgoing traffic, all traffic from firewall_client_net, and incoming SMTP from anywhere.  Everything else is blocked.

There's also:


```
firewall_enable="YES"
firewall_type="workstation"
```

Read /etc/rc.firewall if you want details.


----------



## aragon (Jul 24, 2010)

drp said:

> If you use the internet, and browse, then you can't just block all incoming connections, can you? You have to exchange information, right?


Some services should be kept open, e.g. DNS, ICMP, maybe NTP.  The rest of incoming traffic can be blocked if you track connection state in some way.
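As an added example, not from anyone in this thread, here is what "block everything incoming, track state on what the desktop starts" looks like as a pf.conf on FreeBSD. It assumes the NIC is called em0 and that the address comes from DHCP, as the original poster describes; change the interface name to match `ifconfig`. With state tracking, the replies to the machine's own DNS, NTP and ping traffic are let back in by the state entry, so no "pass in" rule is needed for those services at all.

```pf
# Added example (not code from the thread): minimal stateful pf.conf for a
# FreeBSD desktop that offers no services. "em0" is an assumed interface name.
ext_if = "em0"

# Options come first. Silently drop blocked packets instead of answering:
# "drop" is what port scanners report as "stealthed"; "return" would send a
# TCP RST / ICMP unreachable and show the port as merely "closed".
set block-policy drop
set skip on lo0

# Reassemble fragments before the filter rules see them.
scrub in on $ext_if all

# Default deny in both directions; later matching rules override these.
block in log on $ext_if all
block out on $ext_if all

# DHCP offers/acks arrive from port 67 to port 68 and may not match the
# state of the outgoing request (they can be broadcast), so allow them.
pass in on $ext_if inet proto udp from any port 67 to any port 68

# Anything the desktop initiates is allowed out, with state kept so that the
# replies (TCP handshakes, DNS/NTP answers, ping echo replies) come back in
# without any explicit "pass in" rule.
pass out on $ext_if inet proto tcp from any to any flags S/SA keep state
pass out on $ext_if inet proto udp from any to any keep state
pass out on $ext_if inet proto icmp from any to any icmp-type echoreq keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and enable it at boot with `pf_enable="YES"` in /etc/rc.conf. Because inbound ICMP echo requests are dropped along with everything else, the machine will not answer pings from outside, which is exactly what a "stealth" test looks for; the `log` keyword on the block rule lets you watch what is being dropped with `tcpdump -n -e -ttt -i pflog0`.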


----------



## drp (Jul 24, 2010)

I saw that before, and I was planning on using it. Then I noticed that in the handbook it says that the default configurations are so simple that they would probably not be used, normally. I started thinking that they're not any good, and so I was trying to find some other way of doing it. What I was just thinking, is figuring out what the default configuration is for PC-BSD's firewall, because I just saw a picture of the GUI of it, and it has a button on it that says "restore default configuration", and it uses PF.
If the client or workstation (which I didn't notice existed when I was reading before) would likely be good enough, I would definitely use one of those. 

I can't edit yet, but I would edit the above to make it clear what I meant:
"If the client or workstation (which I didn't notice existed ..." - I meant that I didn't realize the workstation option existed, but I was aware of the client. 
It's just the wording in the handbook makes it seem like they're not all that great, but if I don't really need one, and it's better than nothing, it would probably have to be enough to ease my mind. 

Do you think the workstation type would be better than the client type?
Also, do you think it would take much effort to copy PC-BSD's default configuration? It might just involve getting the pf.conf file, right?


----------



## aragon (Jul 24, 2010)

I haven't seen PC-BSD before, but it's so similar to FreeBSD that I guess it'll be very easy.  Workstation type uses proper stateful tracking so it should be safer than client type.


----------



## drp (Jul 24, 2010)

I just rebooted with client type and it's working well. Shields Up failed it because a couple of ports showed up closed instead of stealthed, but no big deal. I'll try workstation, also.
Thanks.


----------



## vivek (Jul 25, 2010)

pf is another good option, easy to follow and use. There are good books available too. And finally, fwbuilder (GUI tool) can build pf policies for you.


----------



## vand777 (Jul 25, 2010)

Packet Filter


----------



## drp (Jul 26, 2010)

vivek said:

> pf is another good option, easy to follow and use. There are good books available too. And finally, fwbuilder (GUI tool) can build pf policies for you.


Does it have any ready-to-use configurations available? I looked around in the FAQ and the wiki on the fwbuilder site and didn't see any information on it.


----------



## drp (Jul 26, 2010)

Sorry about that. I see now that it has templates, and that they are (as far as I've read) complete firewalls that you can start with and add to. I'll install it pretty soon and try it.


----------

