# Running FreeBSD firewall & webserver from home IP



## azathoth (Jan 22, 2018)

I am considering setting this up.

Anyone doing it now?

What is your stack?


----------



## tingo (Jan 24, 2018)

FreeBSD firewall on separate physical machine, also includes a nginx-based web proxy, for the web servers behind the firewall. Several web servers, based on FreeBSD, Apache / nginx, MySQL / Sqlite / flat files, PHP + frameworks on top of that. Using a Dynamic DNS client to get "static" hostnames for my web sites.


----------



## SirDice (Jan 24, 2018)

azathoth said:


> Anyone doing it now?


Yes.


> What is your stack?


Anything and everything I need at that moment.


----------



## azathoth (Jan 24, 2018)

tingo said:


> FreeBSD firewall on separate physical machine, also includes a nginx-based web proxy, for the web servers behind the firewall. Several web servers, based on FreeBSD, Apache / nginx, MySQL / Sqlite / flat files, PHP + frameworks on top of that. Using a Dynamic DNS client to get "static" hostnames for my web sites.


What's a good dynamic DNS client?
Does that match your hostname to whatever IP your ISP gives you?


----------



## azathoth (Jan 24, 2018)

SirDice said:


> Yes.
> 
> Anything and everything I need at that moment.



The cosmos!!!


----------



## tingo (Jan 26, 2018)

azathoth said:


> What's a good dynamic DNS client?
> Does that match your hostname to whatever IP your ISP gives you?


I'm still using dns/ddclient. Yes, a dynamic DNS client updates your hostname whenever the IP address changes.


----------



## Datapanic (Jan 26, 2018)

- Firewall - pf with static and dynamic tables via antiscan rules that block bad guys
- Fail2Ban - configured to detect http probes that are not wanted
- Apache24 - many web sites with ./Includes configuration
- Percona MySQL for db stuff


----------



## ralphbsz (Jan 26, 2018)

azathoth said:


> Anyone doing it now?
> 
> What is your stack?


Yes.

Stock FreeBSD (11.x, I forgot what x is, latest production version).  Small Atom-based machine.  Also used as a file server for inside the house, so it has two large disks in a ZFS mirror.  Boots off a tiny SSD (I think 32gig), with a second SSD the same size already installed as a spare.  External backup disk sits in a big fire-proof safe (actually, it doesn't right now, I had to take it out recently and haven't had time to thread the wires back through the tiny hole in the safe wall).  Off-site backup is a portable disk that gets stored at a remote location.  The backup software is self-written, and internally uses Berkeley DB (although switching to SQLite is on my to-do list, Berkeley DB is too painful to use with transactions, logging, and locking).

Normal firewall, using `pf`, with self-written rules.  The machine has two ethernet ports in hardware, so that works well for a firewall machine with internal router. Also acts as DHCP and NTP server for inside the house.  Used to also be the wireless AP, but I discovered that 802.11 drivers on *BSD were not reliable enough to function in production, and switched to a store-bought AP, which has been remarkably trouble free (this might have changed in the last few years, haven't had time to try it again).  No e-mail setup, all e-mail is read using the ISP as the e-mail server.  Got rid of `sendmail` (way too painful to configure and maintain, did that for 15 years, want to be done with it) and got the tiniest SMTP server I could find, namely `ssmtp`.  For DNS, I use stock `bind`, configured to be authoritative for the internal network, and caching for the rest of the world (with a dual-horizon DNS setup).  I should set up dynamic DNS sometime, but our dynamic address only changes once every few months, so it's not worth the effort.  I have a reverse tunnel into the machine (which is rather well secured and rather well hidden).  For a web server (mostly internal, also accessible via the secret tunnel) I use a stock apache, with certificates from LetsEncrypt.

It also handles some SCADA / equipment monitoring / industrial control functions, using serial ports and ethernet.

Yes, I use a single machine for the firewall/router and for the home server.  I know that purists suggest using separate machines.  Too much work, for little gain.


----------



## azathoth (Jan 29, 2018)

ralphbsz said:


> Yes.
> 
> Stock FreeBSD (11.x, I forgot what x is, latest production version).  Small Atom-based machine.  Also used as a file server for inside the house, so it has two large disks in a ZFS mirror.  Boots off a tiny SSD (I think 32gig), with a second SSD the same size already installed as a spare.  External backup disk sits in a big fire-proof safe (actually, it doesn't right now, I had to take it out recently and haven't had time to thread the wires back through the tiny hole in the safe wall).  Off-site backup is a portable disk that gets stored at a remote location.  The backup software is self-written, and internally uses Berkeley DB (although switching to SQLite is on my to-do list, Berkeley DB is too painful to use with transactions, logging, and locking).
> 
> ...


NICE
What web apps do you serve?


----------



## ralphbsz (Jan 29, 2018)

Static web pages, and a half dozen .cgi scripts that are all written in Python.  The typical .cgi script is between 100 and 200 lines long, and gathers information or does things.  Not very exciting.  No real "apps".


----------



## herrbischoff (Jan 29, 2018)

azathoth said:


> What's a good dynamic DNS client?



I'm using http://freedns.afraid.org and a basic curl script to update the IP. I created a subdomain from one of their offerings and simply put a CNAME entry on the TLD I use for my home server. Has worked for me since forever.


----------



## michael_hackson (Jan 29, 2018)

Following.


----------



## azathoth (Jan 30, 2018)

ralphbsz said:


> Static web pages, and a half dozen .cgi scripts that are all written in Python.  The typical .cgi script is between 100 and 200 lines long, and gathers information or does things.  Not very exciting.  No real "apps".



werc.cat-v.org


----------



## mefizto (Jan 30, 2018)

Hi ralphbsz,



ralphbsz said:


> I have a reverse tunnel into the machine (which is rather well secured and rather well hidden).



Could you kindly add some implementation details?

Kindest regards,

M


----------



## ralphbsz (Jan 30, 2018)

My home server is connected via phone company DSL, so its IP address (which is in theory dynamic, but in practice only changes every few months) is of the form "123-45-67-89.local.att.com".  The DSL "modem" is configured to not allow incoming connections.  Furthermore, I run pf on the FreeBSD server (which is the only thing connected to the DSL line), and that pf is configured to not allow incoming connections either.  So in principle, my machine is not reachable from the outside.

Yet, in reality, there is need for two forms of outside access: I want to be able to remotely log in (for example from my office, via ssh), and to be able to view a few web pages served by my internal Apache server.  That doesn't have to be fast or convenient, since our family are the only users of this.  The real need is to look up things (like scanned documents, our household has gone paperless for long-term archival records management), and see what our equipment control system is doing (we have our own water supply, with wells and pumps, which requires a little bit of care and feeding).  It also allows doing things like turning on heating, cooling, fans, and some lights, so on a cold day I can turn the heater on before people get home in the evening.

I have my own DNS domain, and I can control the DNS server for it.  I also have access to a trustworthy host (shell machine) at my ISP that's publicly reachable.  So I create a DNS A record that happens to resolve to the dynamic IP address of our DSL line, and has a non-obvious name.  Then I configure the DSL modem to tunnel two ports from the outside to the inside: on the outside I use highly non-obvious port numbers which have no resemblance to ports 22, 443 (I do not allow incoming http, only https), and on the inside traffic from these incoming ports is routed to ports 2222 and 8888.  Then I configure sshd and apache to have separate services running for these ports: on 2222 (which corresponds to a bizarre number on the public internet), it allows ssh access, but only with keys (not passwords), and only from the trustworthy host on the outside.  On port 8888, apache serves a separate directory (apache calls it a "virtual host") which is highly restricted, and only has a small set of static web pages and a few CGI scripts that I've carefully reviewed for security holes.  It also requires a log in, with a username and password that's not shared with anything else.

This allows me (and pretty much nobody else) to remotely log in, by double-hopping: first log in to the trustworthy host at the ISP, then ssh to a bizarre port number at a non-obvious host name.  And by pointing the web browser at a strange port at the non-obvious host, and logging in, I can for example view scanned documents or the status page of the water pump monitoring system.


----------



## mefizto (Jan 30, 2018)

Hi ralphbsz,

thank you for your time to write the answer.  I have similar needs, to log in and retrieve documents when on travel.  I think that I can understand the concept and can set up similar infrastructure.  The one question is how to practically implement allowing ssh access only from the trustworthy host.  IP address, MAC address?  But, please do not add any details on this public forum, if it could compromise your network.

Kindest regards,

M


----------



## ralphbsz (Jan 30, 2018)

The trustworthy host has a fixed IP address, so I did that in my pf.conf file.  Although honestly, I don't think it makes a lot of difference: If an adversary is dead set on hacking my account (and does it well enough that they have managed to get my personal ssh key), then I have no reason to believe that the "trustworthy host" is any more secure than my home machine.

In the end, security is not about provably making unauthorized access impossible.  It is about making it more difficult, so you hope that a determined attacker gives up, and goes after a softer target, and that script-kiddies fail on your relatively low defense.

Old joke: What caliber gun should you carry in bear country?  A very small .22, to shoot your hiking partner in the knee when the bear comes.


----------
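
A pf.conf sketch of the restriction described in ralphbsz's posts above (port 2222 reachable only from the fixed-IP trusted host, port 8888 open for the password-protected HTTPS virtual host), added here as an example and not ralphbsz's actual ruleset. The interface name, the 192.0.2.10 address, the `<abusers>` table and the rate limits are assumptions, and it assumes the DSL modem forwards the two ports without rewriting the source address.

```conf
# /etc/pf.conf -- constructed example, all values below are placeholders

# --- macros ---------------------------------------------------------------
ext_if       = "em0"          # assumption: NIC facing the DSL modem
trusted_host = "192.0.2.10"   # placeholder (RFC 5737) for the ISP shell host
ssh_port     = "2222"         # inside port the modem forwards ssh to
web_port     = "8888"         # inside port for the restricted https vhost

# --- tables ---------------------------------------------------------------
# Filled automatically by the overload rule below; survives rule reloads.
table <abusers> persist

# --- options --------------------------------------------------------------
set block-policy drop         # silently drop, do not send RST/ICMP
set skip on lo0               # never filter loopback

# --- filtering ------------------------------------------------------------
# Default: nothing comes in from the outside; log what was dropped.
block in log on $ext_if all

# Sources that tripped the connection limits are dropped before any pass.
block in quick on $ext_if from <abusers>

# Outbound traffic from the server itself is allowed and tracked.
pass out on $ext_if all keep state

# ssh: only the trusted host may even open a TCP connection to 2222.
# sshd itself still enforces key-only logins (PasswordAuthentication no).
pass in on $ext_if inet proto tcp from $trusted_host \
    to ($ext_if) port $ssh_port flags S/SA keep state

# https vhost: reachable from anywhere, but a source that opens too many
# connections is moved to <abusers> and its existing states are flushed.
pass in on $ext_if inet proto tcp from any \
    to ($ext_if) port $web_port flags S/SA \
    keep state (max-src-conn 20, max-src-conn-rate 15/60, \
                overload <abusers> flush global)
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which catches syntax errors before a reload; `pfctl -t abusers -T show` lists the addresses the overload rule has collected.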



## azathoth (Feb 1, 2018)

ralphbsz said:


> The trustworthy host has a fixed IP address, so I did that in my pf.conf file.  Although honestly, I don't think it makes a lot of difference: If an adversary is dead set on hacking my account (and does it well enough that they have managed to get my personal ssh key), then I have no reason to believe that the "trustworthy host" is any more secure than my home machine.
> 
> In the end, security is not about provably making unauthorized access impossible.  It is about making it more difficult, so you hope that a determined attacker gives up, and goes after a softer target, and that script-kiddies fail on your relatively low defense.
> 
> Old joke: What caliber gun should you carry in bear country?  A very small .22, to shoot your hiking partner in the knee when the bear comes.



zomg terrible joke
shoot the bear with hollow point in mouth!
or better with a full metal jacket round


----------

