# Best software to use for firewalling



## Innocast (Aug 13, 2009)

Hi,

I've used Google to find a suitable software firewall solution for my FreeBSD web server. I'm just checking in here to see what you guys think is the best.

Thank you for any response.


----------



## graudeejs (Aug 13, 2009)

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

From the handbook:


> The reason that FreeBSD has multiple built in firewall packages is that different people have different requirements and preferences. No single firewall package is the best.


----------



## Innocast (Aug 13, 2009)

Well, guess I've seen all guides. My question was what YOUR opinion was in the use of a firewall (interface etc).


----------



## DutchDaemon (Aug 13, 2009)

What do you mean by 'interface'? A GUI? None of the built-in firewalls (ipf, ipfw, pf) have a GUI, they're command-line firewalls. 

Look into pfsense or m0n0.


----------



## Innocast (Aug 13, 2009)

OK... What software should you use if you should protect your web server?


----------



## DutchDaemon (Aug 13, 2009)

There is no generic answer to that. All firewalls can do that. You will find though, that a lot of forum members are partial to pf(4), which will (among many other things) allow you to limit connections to your webserver's port (amount of simultaneous connections, connection rate) and to use firewall tables to ward off IP addresses/ranges on the fly. Then there's traffic prioritising/shaping, redirection, anti-spoofing, etc.

All is explained in pf.conf(5) and the 'reference faq'


----------



## Innocast (Aug 13, 2009)

OK! Well, I used this guide to complete the firewall installation (pf):

http://sites.google.com/site/clickdeathsquad/Home/cds-bsdfirewall

Works like a charm, host just responds on SSH and WWW, nothing else


----------



## SirDice (Aug 13, 2009)

For ssh you may also like to install security/sshguard-pf. It will help keep the bruteforce attacks somewhat in check.


----------



## Innocast (Aug 13, 2009)

Ah, looks like a nice application! Do I understand correctly that it will analyze the logs of SSH-login attempts and then block unwanted / failed attempts?


----------



## ervin23 (Aug 13, 2009)

http://m0n0.ch/wall/

FreeBSD based, stable and a perfect interface. Works on a low-powered, headless Soekris box.


----------



## DutchDaemon (Aug 13, 2009)

Innocast said:

> Ah, looks like a nice application! Do I understand correctly that it will analyze the logs of SSH-login attempts and then block unwanted / failed attempts?



Correct. It is basically a logfile analyser that feeds straight into pf.
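To tie together the two points above (per-source connection limits and on-the-fly block tables in pf, and sshguard feeding addresses into pf), here is an added pf.conf sketch for a host that only serves SSH and WWW; it is not from the original posts or from the guide linked earlier. The interface name em0 and the limit values are assumptions; the `<sshguard>` table name is the one the sshguard-pf port's documentation expects.

```pf
# Assumed external interface name; adjust to the server's NIC.
ext_if = "em0"

# Tables hold addresses blocked on the fly. <sshguard> is filled by the
# sshguard daemon (via pfctl); <bruteforce> is filled by pf's own
# overload mechanism below. "persist" keeps the tables even when empty.
table <sshguard>   persist
table <bruteforce> persist

set skip on lo0
scrub in all

# Default deny inbound; outbound traffic and its replies are allowed by state.
block in log all
pass out all keep state

# Drop anything from a tabled source before the pass rules are evaluated.
block in quick on $ext_if from <bruteforce>
block in quick on $ext_if from <sshguard>

# SSH: at most 5 simultaneous connections per source and no more than
# 5 new connections per 60 seconds; an offender is added to <bruteforce>
# and all of its existing states are torn down ("flush global").
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 5/60, overload <bruteforce> flush global)

# WWW: far more generous per-source limits; a client holding more than
# 100 concurrent connections or opening 60 new ones within 10 seconds is
# tabled, and only its states on this rule are flushed.
pass in on $ext_if proto tcp to ($ext_if) port { http, https } flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 60/10, overload <bruteforce> flush)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and inspect or age the automatically filled table with `pfctl -t bruteforce -T show` and `pfctl -t bruteforce -T expire 86400` (from cron) so that a legitimate client that tripped the limit is not blocked forever.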


----------



## Innocast (Aug 13, 2009)

sshguard works like a charm! Also the firewall. Thank you very much for your help!


----------



## rusma (Dec 3, 2009)

The state of PF in FreeBSD (I've heard) is not good - the CVS is a bit old compared to what is available from the OpenBSD project to this date.

I have not tried it out yet, so it does not trouble me much.

I've also heard the config is clear and easy to follow - compared to, e.g., iptables in Linux...


----------



## hedwards (Dec 6, 2009)

rusma said:

> The state of PF in FreeBSD (I've heard) is not good - the CVS is a bit old compared to what is available from the OpenBSD project to this date.


That's in relative terms; it's sort of like ZFS. The code isn't bad, it just might not support the newest bells and whistles. It does, however, do a pretty good job at the things which people generally want to do, even if it doesn't yet support one of the newest additions to the firewall.

Looking into it, there isn't really anything that's must-have since they ported the version from OpenBSD 4.1.

PF is nice, and it can do far more than most people could possibly want to do with it. If you consider it, I'd spend the time to read "The Book of PF"; it's a good read and covers more than you're likely to need to know about it.


----------



## rusma (Dec 6, 2009)

hedwards said:

> [...]
> Looking into it, there isn't really anything that's must-have since they ported the version from OpenBSD 4.1.
> [...]



I can't believe you - 2.5 years is a pretty long time. I thought there was some CARP stuff that has been improved since last time.


----------



## hedwards (Dec 7, 2009)

rusma said:

> I can't believe you - 2.5 years is a pretty long time. I thought there was some CARP stuff that has been improved since last time.


Eh, different opinions of must-have. The things which most people would want were in there by that point. There have been changes, but PF matured very quickly; most of the work that's been done in the last probably 4 years has been extending functionality. Looking through the summary of changes since then, there's very little listed, and only a couple of changes that seem to be of any sort of significance to me.


----------

