# Help needed freebsd firewall



## Amanat (Feb 9, 2010)

Dear All,
Actually I need help regarding a firewall for FreeBSD.

Kindly let me know which firewall is best in FreeBSD; I want the functionality listed below, according to my network requirements.

By now I am using Debian and Fedora with Firewall-jay, which supports the first 4 functions mentioned below, but in my opinion FreeBSD is better than Ubuntu/Debian, so I need a solution for FreeBSD. I am new to FreeBSD, but I can get help from the internet. I need the solution for all of them, if possible.

1. Transparent squid
2. IP Block         # listed in a file
3. MAC Block        # listed in a file
4. VPN

If also possible:

5. P2P Blocking

Any Help would be greatly appreciated.
Waiting for your reply.

Warm Regards!


----------



## SirDice (Feb 9, 2010)

1) http://forums.freebsd.org/showthread.php?t=10874
2) yes
3) not 100% sure but yes
4) security/openvpn good enough?

5) Tricky because just arbitrarily blocking ports doesn't work.

To prevent the last I would make sure *no* workstation can access the Internet directly. Browsing is done via a proxy, email is done via the company mailserver. There's usually no real reason why any workstation would need to connect to something on the Internet directly. Proper configuration of the workstations is also key of course. If they're Windows clients, start by removing all local administrator access.


----------



## Amanat (Feb 9, 2010)

Dear Sir,
Thanks for addressing all the requisites number-wise.
The actual problem is that I have to block IPs and MAC addresses of Windows clients when they are using P2P or some other bandwidth-sucking software.

Just help me make a script or a firewall rule that will get IPs and MACs from a txt file and block them, as I have about 80 MACs and IPs blocked and saved in a txt file which my firewall reads when it is reloaded.

e.g. `mac.deny.txt` containing:

```
AA:BB:CCD:EE:F1
AA:BB:CCD:EE:F2
AA:BB:CCD:EE:F3
```

You may get the idea from DutchDaemon's post: http://forums.freebsd.org/showpost.php?p=35342&postcount=9


----------



## Amanat (Feb 9, 2010)

Actually I want to put all MACs in one file and all IPs in a second file, so that whenever I update a file and reload the firewall it reads the file and picks up which IPs and MACs need to be blocked.

My present firewall is doing that for me, but it's an rpm file and I am using it on Debian and Fedora.

By now I want to use pf, as it also provides CBQ and other features.

DutchDaemon has given an idea but I cannot understand what he said.

http://forums.freebsd.org/showpost.php?p=35342&postcount=9


----------



## SirDice (Feb 9, 2010)

DD gave an example of how to load a list of IPs and load them into ipfw, which is a different firewall. Do note that FreeBSD comes with 3 different firewalls. Pick one and stick with it. Personally I like PF. 

For storing lists of addresses PF uses tables. You can store those in a separate file. You can also add/remove addresses 'on-the-fly'.
http://www.openbsd.org/faq/pf/tables.html

Is this a company network or something else? If it's a company network I would make sure the regulations state that p2p software isn't allowed at all. Then simply make it impossible. No need to waste time finding hoggers.


----------



## mbr661 (Feb 10, 2010)

Amanat,

I'm working on a very similar project myself. I'm running Squid (non transparent: LDAP Auth), OpenVPN, and PF on FreeBSD. I got everything working for the most part, so I may be able to help you.

Here is an example of my pf.conf with regards to tables:


```
table <emerging-threats> persist file "/usr/local/etc/IPBlocks/EmergingThreats"

block drop in log quick on $ext_if from <emerging-threats> to any
block drop out log quick on $ext_if from any to <emerging-threats>
```


----------



## Amanat (Feb 10, 2010)

I am also planning the project you are working on, but I didn't find any good how-to, so I haven't completed it yet. Please do share your project of Squid + LDAP etc.

I have been confused between pf and ipfw.

Which one to use that will allow me to do what I want:

MAC blocking, IP blocking, transparent Squid, etc. etc.?

Any suggestions and good how-tos on transparent Squid on FreeBSD 8.0 or 7.2?

Thanks in advance.


----------



## dennylin93 (Feb 10, 2010)

Both IPFW and PF are able to block IPs. They can also be used to set up transparent proxies.

However, you won't be able to block MACs with PF. Blocking MACs isn't really useful since MACs can be changed easily.

Just block everyone, and then let authenticated users through. Take a look at authpf.


----------



## DutchDaemon (Feb 10, 2010)

If you *really* _really_ *really* *really* want something based on MAC address, you can write a small script that lifts the MAC addresses from `arp -a`, takes the IP addresses associated with them, and adds the ones you need to block to a table in pf by IP address.

Put the offending MAC address(es) in a textfile, use `grep -f` against the output of `arp -a`, use `cut`/`awk` to get the IP, use `pfctl -t some_table -Ta IP-address`, put it in cron, let it run every 5 minutes, etc etc.
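The arp/grep/awk/pfctl recipe above written out as a small cron script (an added example, not code from the thread; the deny-file path, the table name `macblock` and the pf.conf lines it expects are assumptions):

```shell
#!/bin/sh
# Added example, not from the thread: the arp/awk/pfctl idea as a cron script.
# Assumed: deny-file path, table name "macblock", and in pf.conf the lines
#   table <macblock> persist
#   block drop quick from <macblock> to any
DENY_FILE="${DENY_FILE:-/usr/local/etc/mac.deny.txt}"   # one MAC per line
PF_TABLE="${PF_TABLE:-macblock}"
# Print IPs from the arp -a output on stdin whose MAC is in the deny file ($1).
# MACs compare case-insensitively; "(incomplete)" arp entries never match.
ips_for_blocked_macs() {
    awk -v denyfile="$1" '
        BEGIN {
            while ((getline m < denyfile) > 0) {
                gsub(/[ \t\r]/, "", m)                    # trim blanks / CRLF
                if (m != "" && m !~ /^#/) deny[tolower(m)] = 1
            }
        }
        {
            ip = ""; mac = ""
            for (i = 1; i < NF; i++) {
                if (ip == "" && $i ~ /^\(.*\)$/) ip = substr($i, 2, length($i) - 2)
                if ($i == "at") mac = tolower($(i + 1))
            }
            if (ip != "" && (mac in deny)) print ip
        }'
}
# Load the IPs into the pf table; "replace" (not "add") also drops IPs whose
# MAC was removed from the deny file since the last run.
apply_from_arp() {
    ips=$(arp -a | ips_for_blocked_macs "$DENY_FILE")
    if [ -n "$ips" ]; then
        pfctl -t "$PF_TABLE" -T replace $ips          # word splitting intended
    else
        pfctl -t "$PF_TABLE" -T flush
    fi
}
# Offline check on constructed arp output (no pf needed); prints the two IPs
# whose MACs are denied: 192.168.1.10 and 192.168.1.13.
demo() {
    deny=$(mktemp) || return 1
    printf 'AA:BB:CC:DD:EE:F1\n# comment\naa:bb:cc:dd:ee:f3\n' > "$deny"
    printf '%s\n' \
      'pc1 (192.168.1.10) at aa:bb:cc:dd:ee:f1 on em0 expires in 1190 seconds [ethernet]' \
      'pc2 (192.168.1.11) at aa:bb:cc:dd:ee:f2 on em0 expires in 1100 seconds [ethernet]' \
      '? (192.168.1.12) at (incomplete) on em0 expired [ethernet]' \
      'pc3 (192.168.1.13) at aa:bb:cc:dd:ee:f3 on em0 permanent [ethernet]' \
      | ips_for_blocked_macs "$deny"
    rm -f "$deny"
}
case "${1:-}" in --apply) apply_from_arp ;; esac     # cron: macblock.sh --apply
```

Run `sh macblock.sh` with no argument to see the offline demo, and `*/5 * * * * root /path/to/macblock.sh --apply` in crontab to keep the table current.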


----------



## Amanat (Feb 10, 2010)

Sir,
Are you suggesting PF or IPFW? I am also interested in bandwidth shaping with pf, as Squid delay pools are not controlling uploads.

At the beginning I compiled the FreeBSD kernel four times for pf.

Still I didn't get a step-by-step tutorial for transparent Squid, to bring a smile to my tired face. Lolz.

Please send me links for pf and transparent proxy; SBS would be better.

Thanks to all who are helping me solve problems.

Awaiting.


----------



## Amanat (Feb 10, 2010)

DutchDaemon said:

> If you *really* _really_ *really* *really* want something based on MAC address, you can write a small script that lifts the MAC addresses from `arp -a`, takes the IP addresses associated with them, and adds the ones you need to block to a table in pf by IP address.
>
> Put the offending MAC address(es) in a textfile, use `grep -f` against the output of `arp -a`, use `cut`/`awk` to get the IP, use `pfctl -t some_table -Ta IP-address`, put it in cron, let it run every 5 minutes, etc etc.

Sir, I lack experience in scripting; that is why I still haven't been able to run my firewall for transparent proxy. Secondly, I am new to FreeBSD.


----------



## dennylin93 (Feb 10, 2010)

Amanat said:

> Are you suggesting PF or IPFW? I am also interested in bandwidth shaping with pf, as Squid delay pools are not controlling uploads.

For traffic shaping, there's altq(4) for PF, and dummynet(4) for IPFW.



> At the beginning I compiled the FreeBSD kernel four times for pf.



You can just load the module for pf (`# kldload pf`). No need to compile a custom kernel unless ALTQ is in use.



> Still I didn't get a step-by-step tutorial for transparent Squid, to bring a smile to my tired face. Lolz.
>
> Please send me links for pf and transparent proxy; SBS would be better.



Transparent proxy has been asked quite a few times already. A quick search should produce some promising results.

There are also some other examples on the web:

Intercepting traffic with IPFW on FreeBSD
Intercepting traffic with PF on OpenBSD
Transparent proxying with squid and pf

The configuration for Squid should be the same for all OSes. Only the firewall settings should vary.

For people new to PF, I'd recommend reading these:

PF FAQ
pf.conf(5)
pfctl(8)

Hope it helps.


----------



## Amanat (Feb 10, 2010)

Transparent proxying with squid and pf didn't work for me, as I cannot run

```
# chgrp _squid /dev/pf
```

It gives an error. Without it I think it won't work, and it didn't.


----------



## SirDice (Feb 10, 2010)

Remove the underscore from the username.


----------



## Amanat (Feb 10, 2010)

SirDice said:

> Remove the underscore from the username.

```
# chgrp squid /dev/pf
```

Also not working.

Squid is running perfectly.


----------



## DutchDaemon (Feb 10, 2010)

Do you _have_ a user/group 'squid'?

`# grep squid /etc/group /etc/passwd`

`# ps aux | grep squid`


----------



## gigs (Feb 10, 2010)

Which version of pf is on FreeBSD 8.0? I have looked but not found it for 8.0 (in RELENG_7, pf is at OpenBSD 4.1). Also OpenBSD 4.5 has a patch for pf. Is pf on 8.0 sure enough?


----------



## DutchDaemon (Feb 10, 2010)

I've been using Squid/PF since dinosaurs roamed the earth (roughly 6,000 years, some say). There's nothing new about (or needed for) this setup.


----------



## Amanat (Feb 10, 2010)

While creating the cache dir I used nobody:nobody. I am away from the system as I came home from the office; by tomorrow I will verify.
After enabling pf I wasn't able to ssh, so I thought let's quarrel with it tomorrow.
What I think is that it doesn't have it, as I compiled Squid myself.


----------



## dennylin93 (Feb 11, 2010)

Use the ports tree. It'll save you a lot of time and energy, and you won't shoot yourself in the foot.

Just:

```
# cd /usr/ports/www/squid
# make config install clean
```

For Squid 3.0, switch to www/squid30 instead.

Remember to select the correct options for transparent proxy.


----------



## mbr661 (Feb 11, 2010)

*FreeBSD, Squid, OpenVPN, and PF*

Amanat said:

> I am also planning the project you are working on, but I didn't find any good how-to, so I haven't completed it yet. Please do share your project of Squid + LDAP etc.



Dear Amanat, 

Unfortunately, there are no shortcuts for this project; you need to study until you understand your system. I would recommend you read and follow the book "Squid: The Definitive Guide". By the time you go through it you'll understand Squid well enough to be able to maintain it later. I read the book and many how-to's before I got it working. I never found one how-to that had everything I needed.

Following is the portion of my squid.conf that relates to LDAP authentication:


```
# 192.168.75.101 is the IP of your AD server
auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -R -b "dc=yourdomain,dc=net" -D "cn=Squid,cn=Users,dc=yourdomain,dc=net" -w "S1quid!@#$" -f "sAMAccountName=%s" -h 192.168.75.101
auth_param basic children 5
auth_param basic realm Internet Access Authentication
auth_param basic credentialsttl 5 minutes
```

For OpenVPN, I recommend you read the book "Building a Server with FreeBSD 7", chapter 19. This was the easiest part of the project because the instructions are very clear. OpenVPN works great!!

Once I got these three systems working together (FreeBSD, Squid, and OpenVPN), then I started working on pf, which is where I am now.

Good luck and keep asking questions as you go.


----------



## Amanat (Feb 11, 2010)

Dear mbr661,
I am interested in transparent Squid + FreeRADIUS + MySQL auth. I want to run Squid transparently, and I want to use FreeRADIUS and MySQL for authentication and user logins, as I have more than 1000 concurrent clients.


----------



## Amanat (Feb 11, 2010)

I have configured Squid from source (Squid 2.7 STABLE7).
Now I want the FreeBSD box to act as:

1. transparent proxy
2. local caching name server
3. firewall

When I turn off the firewall:

Squid using the browser proxy setting works.
Local caching name/DNS server also works.

But the firewall is creating a problem.

There is no user squid on my machine; I chowned the cache directory nobody:nobody.

Squid is working but I want it to work transparently.
Also I want to allow DNS from the local net and SSH from external and internal.

Help plz.


----------



## dennylin93 (Feb 14, 2010)

It might be a good idea to start *reading* some documentation yourself.


----------



## Amanat (Feb 14, 2010)

dennylin93 said:

> It might be a good idea to start *reading* some documentation yourself.

I followed this tutorial, but when using transparent Squid with pf I get problems. What are the problems in this tutorial?
http://askaa.wordpress.com/2009/09/03/install-freebsd-7-2-compile-kernel-squid-3-x/

It's in Indonesian; I followed it thrice, and also tried others, but I think there is a problem in pf.

Any help!


----------



## dennylin93 (Feb 14, 2010)

Can you post any details of the errors? Check the logs and output.

I don't understand Indonesian, but the tutorial compiles and installs Squid manually. This isn't what most FreeBSD users do. Try using the ports tree instead.


----------



## Amanat (Feb 14, 2010)

It's working fine; I also tried using ports but the same situation.

My firewall (pf.conf) is attached.
When I start it manually, the Squid setting at the browser also stops working.


----------



## Amanat (Feb 14, 2010)

Amanat said:

> It's working fine; I also tried using ports but the same situation.
>
> My firewall (pf.conf) is attached.
> When I start it manually, the Squid setting at the browser also stops working.

Also I cannot start|stop|restart Squid

using
`/usr/local/squid/sbin/squid`
or `/usr/local/etc/rc.d/squid`
or `/etc/rc.d/squid`

None of them are working, but when I stop the firewall Squid works; but I don't know how to stop or restart Squid.

`-k parse` and `-NCd1` work with the first command.


----------



## Amanat (Feb 15, 2010)

Thanks to all, solved after a brainstorming search with Google.

Thanks who tried to help.


----------

