# Mount two firewalls



## BSDAppentic3 (Apr 30, 2018)

I want to mount a firewall. I have the idea that my traffic could be "sniffed" by somebody. So I will ask how to mount a firewall, here, on my desktop installation but also on other equipment.
Besides, I want to know what else I can do to make a hacker's attack as miserable as possible.
Sorry, I don't have paranoia or anything like that. I just get worried about my security.


----------



## SirDice (May 1, 2018)

You don't mount a firewall, you enable it (mounting is done on filesystems). And enabling a firewall will not show you who's eavesdropping or stop them doing it. Which begs the question, what makes you think somebody is eavesdropping in the first place?


----------



## BSDAppentic3 (May 1, 2018)

SirDice said:


> You don't mount a firewall, you enable it (mounting is done on filesystems). And enabling a firewall will not show you who's eavesdropping or stop them doing it. Which begs the question, what makes you think somebody is eavesdropping in the first place?


Just in case. I will test the security of my network, and if I detect some hole, then...
I will send you messages explaining why I need this.


----------



## sidetone (May 1, 2018)

For IPFW on a desktop, insert this into /etc/rc.conf:

```
firewall_enable="YES"
firewall_type="workstation"
firewall_quiet="YES" # optional line
```
There are other canned sets than "workstation", but that one will be a quick, minimal and up and running firewall. "workstation" is suited for the desktop, and "client" is not.

Of course you will have to use the `service` command to start IPFW, or reboot. That's the same for PF. Use the filenames in /etc/rc.d/ for the service(8) command. Compiling either firewall into the kernel doesn't allow firewall type to be used, and it limits other firewall options.

The setting to enable PF from /etc/rc.conf is:

```
pf_enable="YES"
pflog_enable="YES" #optional line
```
This of course requires setting up firewall rules in /etc/pf.conf before it can work.

So, go ahead and enable IPFW, while you tinker with PF.


----------



## BSDAppentic3 (May 1, 2018)

sidetone said:


> Use the filenames in /etc/rc.d/


How?


----------



## BSDAppentic3 (May 1, 2018)

sidetone said:


> The setting to enable PF from /etc/rc.conf is:
> 
> ```
> pf_enable="YES"
> ...



How should I set them?


----------



## sidetone (May 1, 2018)

`service [filename] onestart`. The argument onerestart is also important. I don't remember if the filename is ipfw or firewall. There is a manpage for service, that I linked to above.


BSDAppentic3 said:


> How should I set them?


PF takes a steep learning curve, but it can be learned in a week or a month. You'll have to look at documentation on your own, from the forums, PF's website affiliated with OpenBSD, manpages, or "The Book of PF". You'll have to learn that mostly on your own. That's why I told you how to set a quick firewall with IPFW that is already configured.
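Since sidetone's first post notes that `pf_enable="YES"` does nothing until /etc/pf.conf contains rules, and this post leaves the reader to find a ruleset on their own, here is a minimal default-deny workstation ruleset as an added example. It is not from any post in this thread; the interface name `em0` and the LAN range `192.168.1.0/24` are assumptions to be replaced with your own.

```pf
# /etc/pf.conf: minimal desktop ruleset (added example, not from the thread)
ext_if = "em0"              # assumption: your real interface name, see ifconfig
lan_net = "192.168.1.0/24"  # assumption: your local network

set skip on lo0             # never filter loopback traffic
set block-policy drop       # silently drop what we block, don't send RSTs
scrub in all                # normalize fragments and odd flags on inbound packets

# Default deny inbound and log it; with pflog_enable="YES" in rc.conf the
# logged packets appear on the pflog0 interface (see usage note below).
block in log all

# Everything outbound is allowed and tracked, so replies to our own
# connections come back in without needing an explicit "pass in" rule.
pass out quick on $ext_if keep state

# Let the machine be pinged so basic diagnostics still work.
pass in on $ext_if inet proto icmp icmp-type echoreq keep state

# Uncomment to allow SSH, but only from the local network, never from the world.
# pass in on $ext_if proto tcp from $lan_net to ($ext_if) port ssh keep state
```

Check the syntax without loading anything with `pfctl -nf /etc/pf.conf`, then start it with `service pf start` (the rc.d filename is `pf`, as in the rc.conf variable); blocked packets can be watched live with `tcpdump -n -e -ttt -i pflog0`.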


----------



## BSDAppentic3 (May 1, 2018)

`service -e` shows me that `/etc/rc.d/ipfw` is enabled.
What does it mean? Did I do it well?


----------



## debguy (May 31, 2018)

You can use your interface configuration (by net mask) when you bring up the interface, routes to block traffic too.

If I assume you have an advanced modem to connect to the internet: you can browse to its router admin address (the IP should be written on it somewhere) and configure network boundaries there (i.e., DMZ and networks that should not go out on the internet).

As far as being sniffed - if you send packets across a network then assume they can be sniffed by people on it!! You'd have to use a VLAN with encryption to get around that (many methods to do that, too many).

You should be worried about "login attempts" and "direct port attacks", not just sniffing. You don't want someone using a port your PC is using for desktop fonts to "root" your PC. They have your IP, so if they have a "route" (not firewalled) then they can send data to your ports - and whether those ports are protected from whatever trash they might inject is my point.

Lastly: only apps listen on ports that are accessible by IP (some ports are protected otherwise I assume). If all your apps are safe then you don't need any firewall. But many people have apps that have no idea what users or networks are allowed to do what, likely have bugs allowing intrusion, and need firewalling to protect these.


----------

