# Hardening bsd.



## Alain De Vos (May 6, 2021)

There are a few sysctl settings I can think of,
loader.conf

```
security.bsd.allow_destructive_dtrace=0
```
sysctl.conf

```
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.see_jail_proc=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1
kern.elf32.allow_wx=0
kern.elf64.allow_wx=0
kern.elf32.aslr.pie_enable=1
kern.elf32.aslr.enable=1
kern.elf64.aslr.pie_enable=1
kern.elf64.aslr.enable=1
```
sysctl.conf

```
net.inet6.ip6.use_tempaddr=1
net.inet6.ip6.prefer_tempaddr=1
net.inet6.ip6.temppltime=7200    # Maximum preferred lifetime for temporary addresses
net.inet6.ip6.tempvltime=14400   # Maximum valid lifetime for temporary addresses
```
Once I had the inet settings below, but they might break RFCs, so I'm not certain it is a good idea?

```
net.inet.icmp.drop_redirect=1
net.inet.icmp.icmplim=50
net.inet.ip.check_interface=1
net.inet.ip.maxfragpackets=0
net.inet.ip.maxfragsperpacket=0
net.inet.ip.process_options=0
net.inet.ip.random_id=1
net.inet.ip.redirect=0
net.inet.tcp.always_keepalive=0
net.inet.tcp.blackhole=2
net.inet.tcp.cc.algorithm=cubic
net.inet.tcp.drop_synfin=1
net.inet.tcp.nolocaltimewait=1
net.inet.udp.blackhole=1
net.inet6.icmp6.rediraccept=0
net.inet6.ip6.redirect=0
net.link.tap.up_on_open=1
net.inet.tcp.icmp_may_rst=0
```
Maybe you have other ideas?
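As an added example that is not part of the post above: a POSIX sh script that audits a running system against a list of the hardening sysctls just given and reports drift, so the settings can be checked from periodic(8) or cron instead of trusting that /etc/sysctl.conf was applied. It treats security.bsd.allow_destructive_dtrace separately because that OID is a loader tunable, read-only once the kernel is up, which is why it belongs in loader.conf rather than sysctl.conf. The SYSCTL_READ override and the shortened OID list are my assumptions, added so the script can be exercised with a fake reader on a host that lacks these OIDs; on FreeBSD it defaults to the real sysctl(8).

```shell
#!/bin/sh
# Added example, not from the thread: audit FreeBSD hardening sysctls.
# Compares a desired list against the running kernel and reports
# OK / DRIFT / MISSING / TUNABLE for each OID. Exit status 1 on any
# mismatch, so it can run from periodic(8) or a cron job.
#
# Assumption: SYSCTL_READ names a command or shell function that prints one
# OID's value. It defaults to the real sysctl(8); a test can point it at a fake.
: "${SYSCTL_READ:=sysctl_read_real}"

sysctl_read_real() {
    # Print the OID's value, or nothing if the OID does not exist.
    sysctl -n "$1" 2>/dev/null
}

# Desired state, one "oid=value" per line, taken from the post above.
# "tunable" marks OIDs that are read-only at runtime (set in loader.conf).
DESIRED='
security.bsd.allow_destructive_dtrace=0 tunable
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1
kern.elf64.allow_wx=0
kern.elf64.aslr.enable=1
'

# audit_sysctls: print one status line per OID, return 1 if anything is off.
audit_sysctls() {
    rc=0
    # A here-document rather than a pipe, so the loop runs in this shell
    # and "rc" survives it.
    while read -r entry kind; do
        [ -n "$entry" ] || continue
        oid=${entry%%=*}
        want=${entry#*=}
        have=$("$SYSCTL_READ" "$oid")
        if [ -z "$have" ]; then
            printf 'MISSING %s\n' "$oid"
            rc=1
        elif [ "$have" = "$want" ]; then
            printf 'OK %s=%s\n' "$oid" "$have"
        elif [ "$kind" = "tunable" ]; then
            # Cannot be fixed live: set it in /boot/loader.conf and reboot.
            printf 'TUNABLE %s=%s (want %s; loader.conf + reboot)\n' "$oid" "$have" "$want"
            rc=1
        else
            # Fixable now with "sysctl oid=value"; persist it in /etc/sysctl.conf.
            printf 'DRIFT %s=%s (want %s)\n' "$oid" "$have" "$want"
            rc=1
        fi
    done <<EOF
$DESIRED
EOF
    return "$rc"
}

# Run the audit only when invoked as "sh harden_audit.sh audit".
if [ "${1:-}" = audit ]; then
    audit_sysctls
fi
```

Run it as root after applying /etc/sysctl.conf; a DRIFT line means the value in the file never took effect (typo, or the OID is not settable at runtime), and a TUNABLE line means a reboot is still pending.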


----------



## matt_k (May 6, 2021)

in rc.conf


```
microcode_update_enable="YES"       # requires the devcpu-data package
clear_tmp_enable="YES"
```

in /etc/fstab
make sure you have .eli on your swap partition, like so:


```
/dev/ada1p2.eli        none    swap    sw        0    0
```

Did you do those sysctls according to this webpage? What's the general consensus on those things written there? I am curious. Some of them seem really nice IMO, but I am no FreeBSD expert by any stretch of the imagination.


----------



## covacat (May 6, 2021)

```
#!/bin/sh
# protection against remote exploits / never fails
# do not try on a remote box :)
for i in $(ifconfig -l);do ifconfig $i down;done
echo you are now protected
```


----------



## Alain De Vos (May 6, 2021)

Firefox gives a segmentation fault. But this is known. Time to use qutebrowser.
In fstab,

```
/dev/ada2p2.eli    none         swap                          sw,ealgo=aes,keylen=128,sectorsize=16384 0 0
```


----------



## mer (May 6, 2021)

I think one needs to really determine "hardening against what"? covacat's solution will absolutely prevent all remote exploits.
If you are looking for hardening a user workstation that merely is used to connect to the internet, there are steps there that you may not want to do for a public facing server or that you want to do differently.

If you look at the HardenedBSD project (I'm going by memory, it's been a while since looking) they may have a good starting point for you on sysctls. 

If you are going to muck with sysctls, you should probably set kern.securelevel to a nondefault value.
You probably also want to look at security.jail.param.securelevel.

Mucking with network/IP sysctls can quickly get you to a point of "my system can't talk to anyone else".

I always run a local firewall on my machines, even workstations, either PF or IPFW. PF lets you do a lot of good stuff;
just remember to start with a "default deny" stance and turn on only the things you need.
You can also do a lot with properties on ZFS datasets to prevent executables from running on say a dataset that is used only for MySQL databases.

Above is my opinion, based on my personal experiences.  Feel free to disagree or completely discount anything.


----------



## Alain De Vos (May 6, 2021)

zfs settings,

```
NAME                  PROPERTY  VALUE
/usr/ports            setuid    off
/usr/ports/distfiles  exec      off
/usr/ports/distfiles  setuid    off
/usr/ports/packages   exec      off
/usr/ports/packages   setuid    off
/usr/src              exec      off
/usr/src              setuid    off
/var/audit            exec      off
/var/audit            setuid    off
/var/crash            exec      off
/var/crash            setuid    off
/var/log              exec      off
/var/log              setuid    off
/var/mail             exec      off
/var/mail             setuid    off
```


----------



## SirDice (May 6, 2021)

Old thread but still contains a lot of good information: https://forums.freebsd.org/threads/unofficial-freebsd-security-checklist-links-resources.4108/


----------



## covacat (May 6, 2021)

Hardening too aggressively will break things now and then.
noexec on /tmp breaks make installworld unless you use an alternate TMPDIR or something.


----------



## Alain De Vos (May 6, 2021)

I'm going to try to compile the kernel with,

```
nooption     COMPAT_FREEBSD32    # Compatible with i386 binaries
nooption     COMPAT_FREEBSD4        # Compatible with FreeBSD4
nooption     COMPAT_FREEBSD5        # Compatible with FreeBSD5
nooption     COMPAT_FREEBSD6        # Compatible with FreeBSD6
nooption     COMPAT_FREEBSD7        # Compatible with FreeBSD7
nooption     COMPAT_FREEBSD9        # Compatible with FreeBSD9
nooption     COMPAT_FREEBSD10    # Compatible with FreeBSD10
nooption     COMPAT_FREEBSD11    # Compatible with FreeBSD11
nooption     COMPAT_FREEBSD12    # Compatible with FreeBSD12
```
I wonder what breaks...


----------



## SirDice (May 6, 2021)

Binaries built on 13.0 shouldn't break. Those COMPAT_FREEBSD* options are only for running binaries from older versions of FreeBSD. Or, in the case of COMPAT_FREEBSD32, to allow 32 bit binaries to run on a 64 bit OS. 

Although I had some issues on FreeBSD 12.0 when I removed COMPAT_FREEBSD11, but this was because those specific applications didn't account for some changed file structures. So your mileage may vary; some applications may still use pre-12 kernel structures and will fail without COMPAT_FREEBSD11 and COMPAT_FREEBSD12.


----------



## covacat (May 6, 2021)

Alain De Vos said:


> I'm going to try to compile the kernel with,
> 
> ```
> nooption     COMPAT_FREEBSD32    # Compatible with i386 binaries
> ...


probably safe. only needed that for some older closed source raid management software (hp/lsi/adaptec which usually didn't work anyway)


----------



## rootbert (May 6, 2021)

In /boot/loader.conf put kern.racct.enable=1 and enable resource limitations, in case a software package is being attacked and excessive resource consumption renders your host unusable. And put your services into jails, one service per jail.


----------



## Alain De Vos (May 6, 2021)

Which brings me to what are reasonable resource limits.


----------



## rootbert (May 6, 2021)

Alain De Vos said:


> Which brings me to what are reasonable resource limits.


hm, that depends entirely on your service and usage. Just monitor your services and you will find out whether e.g. 80 processes/2GB of RAM is enough for your small mail server or web server, or 300 processes/64GB of RAM is enough for your database server. You can also use the "log" action of rctl. I usually have a log entry at roughly 80% of the resource and a deny entry at 100%.
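As an added example (my code, not rootbert's), here is a small sh script that turns a per-jail budget into rctl(8) rules following the pattern above: a "log" rule at a warning threshold (80% by default) and a "deny" rule at the full amount, for both the process count and resident memory. The output is in /etc/rctl.conf syntax, which is loaded at boot once kern.racct.enable=1 is in /boot/loader.conf, and can also be fed to rctl -a. The jail name and the budgets in the example invocation are made-up values.

```shell
#!/bin/sh
# Added example, not from the thread: generate rctl(8) rules for a jail
# from a resource budget, logging at a warning threshold (default 80%)
# and denying at 100%. Output lines can be appended to /etc/rctl.conf or
# applied immediately with "rctl -a <rule>". Rules only take effect when
# kern.racct.enable=1 is set in /boot/loader.conf.
# Assumption: the jail name and budgets used below are made-up values.

# pct AMOUNT PERCENT: integer percentage of AMOUNT, rounded down.
pct() {
    echo $(( $1 * $2 / 100 ))
}

# rctl_rules JAIL MAXPROC MEMORY_BYTES [WARN_PCT]
# Emits a log rule at WARN_PCT and a deny rule at 100% for the process
# count (maxproc) and resident memory (memoryuse) of the jail.
# Note: per rctl(8), "deny" is not supported for cputime, wallclock or the
# bps/iops resources, so extend this only with resources that accept it.
rctl_rules() {
    jail=$1 maxproc=$2 mem=$3 warn=${4:-80}
    for pair in "maxproc $maxproc" "memoryuse $mem"; do
        set -- $pair            # split into: resource amount
        printf 'jail:%s:%s:log=%s\n'  "$jail" "$1" "$(pct "$2" "$warn")"
        printf 'jail:%s:%s:deny=%s\n' "$jail" "$1" "$2"
    done
}

# apply_rules JAIL MAXPROC MEMORY_BYTES [WARN_PCT]
# Loads the generated rules into the running kernel (root, racct enabled).
apply_rules() {
    rctl_rules "$@" | while read -r rule; do
        rctl -a "$rule" || return 1
    done
}

# Example: a small web jail, 200 processes, 2 GiB resident memory.
if [ "${1:-}" = show ]; then
    rctl_rules www 200 $((2 * 1024 * 1024 * 1024))
fi
```

For the example jail this prints jail:www:maxproc:log=160, jail:www:maxproc:deny=200, and the matching memoryuse pair; the log rule fires at the console before the deny rule bites, which is the early warning the post describes.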


----------



## richardtoohey2 (May 6, 2021)

There are also the items (they might already have been mentioned) that you are asked about during install: https://docs.freebsd.org/en/books/handbook/bsdinstall/#bsdinstall-post


----------



## Alain De Vos (May 7, 2021)

Alain De Vos said:


> I'm going to try to compile the kernel with,
> 
> ```
> nooption     COMPAT_FREEBSD32    # Compatible with i386 binaries
> ...


Now the program "exa" spits out bad system call. And "firefox" spits out channel error.


----------



## Alain De Vos (May 7, 2021)

Apparently you need COMPAT_FREEBSD12 & COMPAT_FREEBSD11 for a lot of programs to work correctly.
"rust" is dependent on COMPAT_FREEBSD11 !!!!
My KERNCONF is now,

```
nooption NFSCL
nooption NFSD
nooption NFSLOCKD
nooption NFS_ROOT
nooption         XENHVM                  # Xen HVM kernel infrastructure
nooption     COMPAT_FREEBSD4        # Compatible with FreeBSD4
nooption     COMPAT_FREEBSD5        # Compatible with FreeBSD5
nooption     COMPAT_FREEBSD6        # Compatible with FreeBSD6
nooption     COMPAT_FREEBSD7        # Compatible with FreeBSD7
nooption     COMPAT_FREEBSD9        # Compatible with FreeBSD9
nooption     COMPAT_FREEBSD10    # Compatible with FreeBSD10
nooption     COMPAT_FREEBSD32    # Compatible with i386 binaries
```

No Java for me.


----------



## TempleBSD (May 7, 2021)

mer said:


> I always run a local firewall on my machines, even workstations, either PF or IPFW.  PF lets you do a lot of good stuff;
> just remember start with a "default deny" stance and turn on only the things you need.


I feel like a "firewall" sounds cooler than it actually is, depending on how in-depth your config of it is. Disabling unneeded services and having a "lean" system which does not open ports will achieve the same without adding to the stack of software on the machine. Whilst the firewall will prevent applications trying to communicate without your permission, I feel that in that case the machine is running software which a user does not understand or has misconfigured (both often the case with me, don't treat this as an insult or elitism please), which is mostly fine except when security is of high importance. Additionally, there is not a router for sale today that doesn't have a basic firewall on it. To be clear, a firewall has its purpose, but I don't feel like it will be of much use when running on a desktop.


----------



## covacat (May 7, 2021)

assuming you have no manual installs

```
# %q prints the ABI string a package was built for (pkg info shows it as
# "Architecture", e.g. FreeBSD:13:amd64); this lists packages still built
# against an older release ABI
pkg query "%n-%v: %q" | egrep ":(11|10|12):"
```


----------



## Alain De Vos (May 7, 2021)

pkg query "%n-%v: %q" does not inform on compat needs. It would be nice to know what does.


----------



## mer (May 7, 2021)

TempleBSD I also do the same thing on workstations:  sockstat is your friend (or netstat -aln) to find open listening sockets.  I basically start with the same default deny attitude:  turn everything off, then back on only what is needed.  Typically only ntpd, sshd and syslogd.   syslog gets configured to only listen on localhost.  So the firewall is mostly the belt and suspenders approach and to keep my hand in configuring them.

But your point of turn off everything and then only on what you need to minimize listeners is a valid approach.


----------



## TempleBSD (May 7, 2021)

mer You should consider openntpd which does not open a socket by default as opposed to default ntpd. How come you're running sshd on workstations?


----------



## TempleBSD (May 7, 2021)

Alain De Vos said:


> pkg query "%n-%v: %q" does not inform on compat needs. It would be nice to know what does.


You have enabled ASLR (but not stackgap). Firefox sadly does not play too nicely with those two, which means they should be disabled for the browser or you must find another way of surfing the web. Using

```
# elfctl -e +aslr /usr/local/bin/firefox
```

should get FF to work again. This disables ASLR for firefox and has to be done on every browser update. That leaves one major path into your system unprotected and therefore you might consider jailing your browser in order to isolate it from the rest of your system.

Btw, what is your expected threat? If some expert hackers or a government is/are specifically targeting you, you might want to look into smashing your PC with a hammer.

https://vez.mrsk.me/freebsd-defaults.html is an interesting article I read a while ago which shows that FreeBSD can be Fort Knox if you want it to but like building a castle, requires attention and planning to get it to withstand serious threats. Have you looked at getting HardenedBSD? The defaults are probably as safe as can be but it might be a little harder to get your required programs to work there.

Not a security (- and or) expert, "pull that LAN cable" is the only sound advice I can wholeheartedly give.


----------



## Alain De Vos (May 8, 2021)

PS : Firefox uses rust , which uses COMPAT_FREEBSD11. So without COMPAT_FREEBSD11 no firefox.
I left aslr on firefox , just did a general "kern.elf64.aslr.stack_gap=0"
Qutebrowser has not such requirements but is a bit slower browsing experience.
ooh, openntpd works fine with aslr.


----------



## mer (May 8, 2021)

TempleBSD said:


> mer You should consider openntpd which does not open a socket by default as opposed to default ntpd. How come you're running sshd on workstations?


Thanks, I'll take a look at openntpd.
Why sshd on workstations? Because this is at home, one is a "work" system, the other is my "home" system, I don't have a KVM to keep switching monitors/keyboards/etc and sometimes I just need to pop in and check something out. So running a local firewall lets me restrict ssh from specific IPs on my home network (there's a separate box fronting everything to the world that is default deny in and out) and honestly just to give me something to muck with to keep my mind active.

Do I "need" to have sshd running? No. Is it convenient for me to have it running? Yes. But anything running on a computer comes down to a choice between those 2, no?


----------



## TempleBSD (May 8, 2021)

mer said:


> Thanks, I'll take a look at openntpd.
> Why sshd on workstations? Because this is at home, one is a "work" system, the other is my "home" system, I don't have a KVM to keep switching monitors/keyboards/etc and sometimes I just need to pop in and check something out. So running a local firewall lets me restrict ssh from specific IPs on my home network (there's a separate box fronting everything to the world that is default deny in and out) and honestly just to give me something to muck with to keep my mind active.
> 
> Do I "need" to have sshd running? No. Is it convenient for me to have it running? Yes. But anything running on a computer comes down to a choice between those 2, no?


Well then the firewall makes much more sense as well!


----------



## mer (May 8, 2021)

TempleBSD said:


> Well then the firewall makes much more sense as well!


Yep. It always boils down to knowing what you need and what you don't. I have some books on my shelf about "building firewalls", "FreeBSD and OpenBSD Security" and "PF" from the mid 1990s that I've read and re-read so many times I've forgotten, but they form the basis of my thinking. Always start with Default Deny and add things. Keep an eye on network traffic so you know what is going on. Took a while, maybe some things break for a little bit, but easier in the long run.


----------



## Vick Khera (May 10, 2021)

Alain De Vos said:


> Apparently you need COMPAT_FREEBSD12 & COMPAT_FREEBSD11 for a lot of programs to work correctly.
> "rust" is dependent on COMPAT_FREEBSD11 !!!!


Based on your comment I discovered this is what was causing rclone to fail on FreeBSD 13. I had COMPAT_FREEBSD12 already to facilitate the upgrade of my packages. Rclone will fail with a kqueue error without COMPAT 11.


----------



## Alain De Vos (May 11, 2021)

falkon-qtonly browser has improved a lot.
If you don't use google login it is a good alternative to firefox and its "kern.elf64.aslr.stack_gap=0"


----------



## debguy (May 12, 2021)

Authenticated FTP allowed by default, ftpd installed by default. That could GO. I ran an FTP server once and other than a very few downloads all I got was attempts from France and China to upload a W95 FTP worm.


----------



## debguy (May 12, 2021)

I found security holes in GNU Linux's "login.c" which included PAM login (borrowed from Sun, which BSD borrowed). I hope FreeBSD doesn't use that code because I found a few holes, fixed and posted them, but no one ever looked.

Browsers?  I think all today's bloated web browsers used some webkit and or gecko that use 200MB per web page (u gotta upgrade) and have no sense of compatibility or security.  Google I'm sure is NOT secure, they will 'go' right into your compiler if you let them.

Here's an old IBM trick:  delete your compiler and no one can make any binary on your machine that isn't already there !


----------



## TempleBSD (May 12, 2021)

debguy said:


> Here's an old IBM trick:  delete your compiler and no one can make any binary on your machine that isn't already there !


Pull out the LAN cable and you can kick anybody real hard that tries to.


----------



## ralphbsz (May 12, 2021)

debguy said:


> Here's an old IBM trick:  delete your compiler and no one can make any binary on your machine that isn't already there !


Sure they can: "cat > /bin/hack", followed by typing lots of strange key combinations.

Seymour Cray toggled the first OS for the Cyber in from the front panel, rumor has it. We've all done binary programming in our (mis-spent) youth. I used to be my own assembler, where I would write the assembly program nicely on paper, and then hand-assemble the binary bytes into the left column.

Oh, and this was a Sun trick. IBM used to distribute the source code for the OS to its customers, long before the idea of "open source" was born, when Richard Stallman was still soiling diapers. Admittedly, it didn't come on binary media (because it was too big for tapes), but instead on microfilm.


----------



## fernandel (May 15, 2021)

Alain De Vos said:


> falkon-qtonly browser has improved a lot.
> If you don't use google login it is a good alternative to firefox and its "kern.elf64.aslr.stack_gap=0"


Does falkon-qtonly support extension like uBlock Origin...?


----------



## Alain De Vos (May 15, 2021)

It contains an adblocker with subscribable block lists


----------



## kpedersen (May 15, 2021)

ralphbsz said:


> Sure they can: "cat > /bin/hack", followed by typing lots of strange key combinations.


Very true. And many exploits are shell code getting written to w&x memory and executed.
The bad guys are very good with lower level "languages" than C.


----------



## Deleted member 30996 (May 26, 2021)

I didn't see these lines posted from /etc/rc.conf:


```
clear_tmp_X="YES"        # was "clean_tmp_X"; the rc.conf knob is clear_tmp_X
tcp_drop_synfin="YES"

sshd_enable="NO"         # was "ssh_enable"; the daemon's knob is sshd_enable
inetd_enable="NO"        # telnetd and the r-services are started from inetd, so this
                         # also covers "telnet_enable"/"rlogin_enable", which are not rc.conf knobs
cupsd_enable="NO"
rpcbind_enable="NO"      # was "portmap_enable"; the portmapper is rpcbind on current FreeBSD
webcamd_enable="NO"
samba_enable="NO"
lpd_enable="NO"
winbindd_enable="NO"
nfs_server_enable="NO"
nfs_client_enable="NO"
```



TempleBSD said:


> I feel like a "firewall" sounds cooler than it actually is, depending on how in-depth your config of it is.
> *snip*
> Additionally, there is not a router for sale today that doesn't have a basic firewall on it. To be clear, a firewall has its purpose, but I don't feel like it will be of much use when running on a desktop.


I can unhook/unplug my router and connect any of my laptops to the Internet by direct Ethernet connection, leave it for months and not give it a second thought. I had been running a pfSense firewall/router in a Dell tower when I got cable. It only came with a passthru modem. I retired my older equipment and ran without one online 24/7

It runs on all my FreeBSD laptops and ran on OpenBSD with a syntax change of one word on the outbound rule to egress.


TempleBSD said:


> mer You should consider openntpd which does not open a socket by default as opposed to default ntpd. How come you're running sshd on workstations?


It blocks TCP port 25 and I still get my daily Security Report, which is all I use sendmail for. My rule blocking port 0 carried over from my Win98 ConSeal PC Firewall ruleset. Years later, while tweaking the Win10Pro firewall, I discovered it will stop Win10Pro from downloading updates and installing updates for the Windows 10 Service.

It's not even called an Operating System by Microsoft in their documentation:



> The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service.
> 
> 
> 
> ...



There can be an added cost at any time to keep that Service. Pretty slick and slipped it in after the masses were addicted and dumbed down sufficiently to have no choice but stay with it. Or ask for a desktop in our Base System.

I'll be openly asking for and expecting a Clan favor in the very near future sans Legal Lingo.
Second time today posting /etc/pf.conf.


```
### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Pass loopback
set skip on lo0

### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in quick log on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
```


----------



## Alain De Vos (May 26, 2021)

Trihexagonal,
inetd is obsolete.
Gonna add WITHOUT_INETD to src.conf.
src.conf is currently:

```
WITHOUT_BIND=yes
WITHOUT_BLUETOOTH=yes
WITHOUT_CROSS_COMPILER=yes
WITHOUT_DEBUG_FILES=yes
WITHOUT_FLOPPY=yes
WITHOUT_HYPERV=YES
WITHOUT_INETD=yes
WITHOUT_IPX=yes
WITHOUT_KDUMP=yes
WITHOUT_KERNEL_SYMBOLS=yes
WITHOUT_KVM_SUPPORT=yes
WITHOUT_KVM=yes
WITHOUT_LLVM_TARGET_AARCH64=yes
WITHOUT_LLVM_TARGET_ALL=yes
WITHOUT_LLVM_TARGET_ARM=yes
WITHOUT_LLVM_TARGET_BPF=yes
WITHOUT_LLVM_TARGET_MIPS=yes
WITHOUT_LLVM_TARGET_POWERPC=yes
WITHOUT_LLVM_TARGET_RISCV=yes
WITHOUT_LLVM_TARGET_SPARC=yes
WITHOUT_LOCATE=yes
WITHOUT_LPR=yes
WITHOUT_MAIL=yes
WITHOUT_MAILWRAPPER=yes
WITHOUT_NDIS=yes
WITHOUT_NVME=yes
WITHOUT_OPENSSH=yes
WITHOUT_RPCBIND_WARMSTART_SUPPORT=yes
WITHOUT_SENDMAIL=yes
WITHOUT_TCP_WRAPPERS=yes
WITHOUT_WIRELESS_SUPPORT=yes
WITHOUT_WIRELESS=yes
WITHOUT_WPA_SUPPLICANT_EAPOL=yes
```


----------



## mer (May 26, 2021)

Don't forget that /etc/rc.conf is combined with /etc/defaults/rc.conf.  A lot of "enabled" in defaults/rc.conf are set to NO, so you don't have to set them in /etc/rc.conf.

Now a really good reason to actually set things explicitly in /etc/rc.conf is upgrading.  Unless you explicitly check you could have an "enabled=NO" get flipped to YES.  But if you have it explicitly in /etc/rc.conf, you don't have to worry.

Trihexagonal Nice ruleset. Good use of quick. I tend to scrub in/out all (NFS may break doing this), nice belt and suspenders blocking RFC non-routables in on ext_if.
One thing that is fun/easy to do with pf is default deny all, then macro with explicit pass protocols.  I've done this in the past and even with Windows systems on a network,  it's actually a pretty short list to have everything work.

pfSense:  been running that for a while, I've actually spent the money for the appliances because it's worth it to me.


----------



## Deleted member 30996 (May 26, 2021)

mer said:


> Trihexagonal One thing that is fun/easy to do with pf is default deny all, then macro with explicit pass protocols.  I've done this in the past and even with Windows systems on a network,  it's actually a pretty short list to have everything work.


When I used Win98 I would start ConsealPC Firewall with a blank ruleset. Then go to a site I visited regularly and allow a rule for that site on the fly to every site I visited and those rules only. I had a very tight ruleset and kept a close eye on it.

Now they keep a close eye on me and hope I don't come to chat. To say some words.

When I disappeared offline for a year or so I got a PM at able2know .org where I do Alliteration Aggrandizement. I'm suspicious of such things and figured they were trying to draw me out but I had wanted to go back and tell the players something in the forum so that gave me the excuse. The account was new and the only thing done from it was send me that PM, which had the contents deleted.

That was like a Get Well card and they had been worried about me not being seen so long.. All we needed now was a Family Album of photos.  I said I wanted to talk to someone who knew me, not the caliber of people they passed watching me on to in the next generation. Pitiful. they are.

Well, you summoned the Demon and he doesn't go away if ignored. I wanted to talk in a civil manner to the last person that spoke to me the last time I had to show up because they had broken our undeclared truce. I played games, am quick as a bot in chat, practiced my impressions, told tall stories to nice people, played Bait and Switch on pedophiles who posed as Priests and terrified would be tough guys to the point things changed on the site.

So I got their attention and caused Chaos on a system wide scale but I got tired of the people who went there, cybersex all they know to talk about, and when I spotted one of them made myself known by asking questions.

He said "Hmmm. jigoku, that's Japanese. For Hell...

It is as I feared..."

My job was over so I left without another word and haven't been back. But when they wouldn't talk to me I talked to them and whoever opened it got the message for the sender and the words they didn't want to hear in a more powerful form to teach them a lesson

But I miss my old m8tes and have them to thank for the person I am today, and they watched me become more than I had been or ever thought I would become as it happen the last 20 years.

IT people had a name for people who fixated on firewall logs and filed false alarms to the Abuse desk listed. I believe it was something like "Goomers with a firewall."

I've used telnet before but none of the other things I have listed as "No". I'm not certain it keeps them from being started but I run my box like I learned how and do a lot of things differently. Never touched fstab to use or edit it for one.



Alain De Vos said:


> @trihexgonal,
> inetd is obsolete.
> Gonna add it to src.conf WITHOUT_INETD
> src.conf is currenlty:


Or used anything but the generic kernel. Never used buildworld or compiled a kernel.
FreeBSD is the most user friendly desktop oriented OS I have ever taught myself to use.

You are no doubt much wiser than myself and wouldn't dare question you on FreeBSD facts, but I just saw something posted that included having inetd running.

I always use the same file System files saved to disk after a rebuild on all my machines. I read in Hacking Exposed 1st Edition about NFS being a Security risk before I ever left Win98 and one of the things that stuck with me from reading it.


```
root@bakemono:/ # rpcinfo -p
rpcinfo: can't contact portmapper: RPC: Port mapper failure - RPC: Success
root@bakemono:/ # showmount
RPC: Port mapper failure
showmount: can't do mountdump rpc
root@bakemono:/ #
```


----------



## aragats (May 26, 2021)

Alain De Vos said:


> falkon-qtonly browser has improved a lot.
> If you don't use google login it is a good alternative to firefox and its "kern.elf64.aslr.stack_gap=0"


fernandel said:


> Does falkon-qtonly support extension like uBlock Origin...?


Recently I tried using Falkon as the main browser for a while, however, I found it's significantly slower compared to Firefox.
Also, it does not honor Xorg's DPI setting. I think, it's a Qt problem, and using QT_SCALE_FACTOR makes it ugly.


----------



## Menelkir (May 26, 2021)

debguy said:


> Here's an old IBM trick: delete your compiler and no one can make any binary on your machine that isn't already there !


Statically linked binaries don't agree with that.


----------



## Phishfry (May 26, 2021)

aragats said:


> I think, it's a Qt problem


Try compiling Falkon from ports. There was something I turned off that made it nicer. I think it was webkit? Not sure. I messed with the ports options and found something OK.
I am not saying its faster but it is an alternative to the Mozilla monoculture.
I gave up on Otter. It works but captcha's don't.


----------



## mer (May 26, 2021)

Phishfry said:


> Try compiling Falkon from ports. There was something I turned off that made it nicer. I think it was webkit? Not sure. I messed with the ports options and found something OK.
> I am not saying its faster but it is an alternative to the Mozilla monoculture.
> I gave up on Otter. It works but captcha's don't.


pkg search falkon shows 2 flavors:  falkon and falkon-qtonly.  Qt only says "no integration with KDE Plasma" so maybe that?


----------



## aragats (May 26, 2021)

mer said:


> Qt only says "no integration with KDE Plasma" so maybe that?


That's exactly what is needed ― I don't need KDE bindings. Qt is used by KDE as back-end, not opposite.


----------



## mer (May 26, 2021)

aragats said:


> That's exactly what is needed ― I don't need KDE bindings. Qt is used by KDE as back-end, not opposite.


I can verify that it at least works, plays video and audio, renders fast enough for me on my normal websites.  Looks like the memory usage may be a bit less than firefox, based on a simple test of logging into this site, this thread in both.
Gotta love web "standards" where some things only work on browser-X others on browser-Y.


----------



## Aeterna (May 28, 2021)

Alain De Vos said:


> Firefox gives a segmentation fault. But this is known. Time to use qutebrowser.
> In fstab,
> 
> ```
> ...



I have

```
/dev/ada0p2.eli    none    swap    sw,ealgo=AES-XTS,keylen=256,sectorsize=4096    0    0
```
and firefox works fine.


----------



## Alain De Vos (May 29, 2021)

I was referring to aslr & Firefox. (not the swap)


----------



## Aeterna (May 29, 2021)

Alain De Vos said:


> I was referring to aslr & Firefox. (not the swap)


That is what I thought: strange that firefox crashes with swap enabled.

Thank you for very useful thread.


----------



## TempleBSD (May 30, 2021)

Trihexagonal said:


> Second time today posting /etc/pf.conf. [...]


Could you explain to me why one would want a firewall running on a desktop? I have all my devices sitting behind my pfsense-router with restrictive firewall and suricata-IDS (for the servers). If I don't explicitly make a mistake, no device should ever (try to) communicate with the internet in a way not intended by me. And then there is still the firewall on my router. Recently saw this bit on yt and that is about what I'm trying to say:

https://youtu.be/fKuqYQdqRIs?t=823

It's titled "Linux" but this part really does apply to all computers which the admin actually owns/controls. Video is only playing from the relevant chapter on.


----------



## Alain De Vos (May 30, 2021)

If you don't run a server a firewall is not needed.
To see the services you are running,

```
sockstat -46
```
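As an added example that is not part of the post above: `sockstat -46` shows every IPv4/IPv6 socket, including the browser's outbound connections, so the question "am I running a server?" is easier to answer from `sockstat -46l`, which lists only listening sockets. The script below filters that output down to listeners that are reachable from the network, i.e. not bound to 127.0.0.1 or ::1 (mer's syslogd-on-localhost case is exactly what it ignores). The sample sockstat output embedded in it is constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread: list listening sockets that are
# reachable from the network, i.e. not bound to 127.0.0.1 or ::1.
# Input is sockstat(1) output as produced by "sockstat -46l" on FreeBSD
# (columns: USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS).
# Assumption: SAMPLE below is constructed for illustration.

# exposed_listeners: read sockstat output on stdin, print one line per
# listener not bound to a loopback address, as: PROTO LOCAL USER COMMAND
exposed_listeners() {
    awk '
        NR > 1 && $7 == "*:*" {            # listening sockets have no peer
            addr = $6
            sub(/:[^:]*$/, "", addr)        # strip the port: "::1:514" -> "::1"
            if (addr != "127.0.0.1" && addr != "::1")
                print $5, $6, $1, $2
        }'
}

# count_exposed: number of exposed listeners in the input on stdin.
count_exposed() {
    exposed_listeners | grep -c ''
}

# Constructed sample: sshd and ntpd listen on all addresses, syslogd is
# loopback-only, and one established firefox connection is not a listener.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  4  tcp6   *:22                  *:*
root     sshd       1234  5  tcp4   *:22                  *:*
root     syslogd    567   7  udp6   ::1:514               *:*
root     syslogd    567   8  udp4   127.0.0.1:514         *:*
ntpd     ntpd       890   20 udp4   *:123                 *:*
jitte    firefox    6594  33 tcp4   192.168.1.24:36322    172.217.8.214:443'

# "sh listeners.sh live" checks the running system; "sample" uses SAMPLE.
if [ "${1:-}" = live ]; then
    sockstat -46l | exposed_listeners
elif [ "${1:-}" = sample ]; then
    printf '%s\n' "$SAMPLE" | exposed_listeners
fi
```

On the sample this prints the two sshd listeners and ntpd and nothing for syslogd or firefox; on a real workstation an empty result is the state in which the "no server, no firewall needed" argument actually holds, and each line that does appear is a candidate for an rc.conf `_enable="NO"` or for binding to localhost.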


----------



## fbsd_ (May 30, 2021)

You may want to disable core dumps. They store large amounts of data on disk that a normal computer user (I don't think normal users use FreeBSD, mostly developers and hackers etc.) does not need, though for a developer core dumps can be useful, so:
This disables coredump:

```
# kern.corefile is a file name pattern (see core(5)), not a directory,
# so name the file under /tmp; cores then go away with the rest of /tmp
kern.corefile=/tmp/%N.core
```

changes the core dump path to /tmp so they will be removed soon, or

```
# integer switch: 0 disables core dumps entirely
kern.coredump=0
```

for disabling core dumps.


----------



## Deleted member 30996 (May 30, 2021)

Alain De Vos said:


> If you don't run a server a firewall is not needed.
> To see the services you are running,...


I know exactly what services are running on all 7 of the laptops I have running FreeBSD. (I never have gotten around to converting my T61 Kali box to FreeBSD, but will eventually.)


```
root@bakemono:/ # sockstat -46
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS    
jitte    firefox    6594  33 tcp4   192.168.1.24:36322    172.217.8.214:443
jitte    firefox    6594  69 tcp4   192.168.1.24:19951    192.0.73.2:443
jitte    firefox    6594  74 tcp4   192.168.1.24:41533    104.26.9.142:443
jitte    firefox    6594  90 tcp4   192.168.1.24:19949    172.217.4.110:443
jitte    firefox    6594  114 tcp4  192.168.1.24:43428    35.165.120.205:443
jitte    firefox    3560  69 tcp4   192.168.1.24:20731    104.26.9.142:443
jitte    firefox    3560  73 tcp4   192.168.1.24:45701    172.217.8.214:443
jitte    firefox    3560  74 tcp4   192.168.1.24:21964    194.1.236.159:443
jitte    firefox    3560  99 tcp4   192.168.1.24:32835    172.217.4.110:443
jitte    firefox    3560  114 tcp4  192.168.1.24:43428    35.165.120.205:443
jitte    firefox    3560  121 tcp4  192.168.1.24:52357    104.91.166.200:80
jitte    firefox    3560  127 tcp4  192.168.1.24:12513    185.248.101.126:443
jitte    firefox    3560  191 tcp4  192.168.1.24:59240    194.1.236.213:443
jitte    firefox    2551  33 tcp4   192.168.1.24:56266    173.194.54.73:443
jitte    firefox    2551  69 tcp4   192.168.1.24:20731    104.26.9.142:443
jitte    firefox    2551  73 tcp4   192.168.1.24:45701    172.217.8.214:443
jitte    firefox    2551  99 tcp4   192.168.1.24:32835    172.217.4.110:443
jitte    firefox    2551  114 tcp4  192.168.1.24:43428    35.165.120.205:443
jitte    firefox    96329 68 tcp4   192.168.1.24:32834    172.217.8.214:443
jitte    firefox    96329 99 tcp4   192.168.1.24:32835    172.217.4.110:443
jitte    firefox    96329 114 tcp4  192.168.1.24:43428    35.165.120.205:443
jitte    firefox    96329 124 tcp4  192.168.1.24:32836    104.26.9.142:443
jitte    firefox    96329 141 tcp4  192.168.1.24:32837    173.194.162.200:443
jitte    firefox    96329 144 tcp4  192.168.1.24:32838    173.194.162.200:443
jitte    firefox    96329 161 tcp4  192.168.1.24:32839    172.217.6.110:443
jitte    firefox    96329 167 tcp4  192.168.1.24:32840    142.250.190.1:443
jitte    firefox    94365 54 tcp4   192.168.1.24:43423    34.107.221.82:80
jitte    firefox    94365 55 tcp4   192.168.1.24:23631    99.84.160.40:443
jitte    firefox    94365 68 tcp4   192.168.1.24:30388    34.107.221.82:80
jitte    firefox    93712 25 tcp4   192.168.1.24:41055    204.109.59.195:443
jitte    firefox    93712 74 tcp4   192.168.1.24:41533    104.26.9.142:443
jitte    firefox    93712 90 tcp4   192.168.1.24:19949    172.217.4.110:443
jitte    firefox    93712 114 tcp4  192.168.1.24:43428    35.165.120.205:443
root     sendmail   33515 3  tcp4   127.0.0.1:25          *:*
avahi    avahi-daem 31540 14 udp4   *:5353                *:*
avahi    avahi-daem 31540 15 udp6   *:5353                *:*
avahi    avahi-daem 31540 16 udp4   *:40212               *:*
avahi    avahi-daem 31540 17 udp6   *:50354               *:*
ntpd     ntpd       26589 20 udp6   *:123                 *:*
ntpd     ntpd       26589 21 udp4   *:123                 *:*
ntpd     ntpd       26589 22 udp4   192.168.1.24:123      *:*
ntpd     ntpd       26589 23 udp6   ::1:123               *:*
ntpd     ntpd       26589 24 udp6   fe80::1%lo0:123       *:*
ntpd     ntpd       26589 25 udp4   127.0.0.1:123         *:*
root@bakemono:/ #
```

I also know exactly what traffic my ruleset will and will not allow. I've run a rule-based firewall for over 20 years and carried my port 0 rule over from my Win98 box running ConSeal PC Firewall:


```
root@bakemono:/ # pfctl -s all
FILTER RULES:
scrub in on em0 all fragment reassemble
block drop log all
block drop in on ! lo0 inet from 127.0.0.0/8 to any
block drop in on ! em0 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.24 to any
block drop in on ! lo0 inet6 from ::1 to any
block drop in from no-route to any
block drop in from urpf-failed to any
block drop in quick on em0 inet from any to 255.255.255.255
block drop in log quick on em0 inet from 10.0.0.0/8 to any
block drop in log quick on em0 inet from 172.16.0.0/12 to any
block drop in log quick on em0 inet from 192.168.0.0/16 to any
block drop in log quick on em0 inet from 255.255.255.255 to any
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop in log quick on em0 proto tcp from any to any port = ssh
block drop in log quick on em0 proto tcp from any to any port = telnet
block drop in log quick on em0 proto tcp from any to any port = smtp
block drop in log quick on em0 proto tcp from any to any port = http
block drop in log quick on em0 proto tcp from any to any port = pop3
block drop in log quick on em0 proto tcp from any to any port = sunrpc
block drop in log quick on em0 proto tcp from any to any port = ntp
block drop in log quick on em0 proto tcp from any to any port = exec
block drop in log quick on em0 proto tcp from any to any port = login
block drop in log quick on em0 proto tcp from any to any port = shell
block drop in log quick on em0 proto tcp from any to any port = printer
block drop in log quick on em0 proto tcp from any to any port = x11
block drop in log quick on em0 proto tcp from any to any port = x11-ssh
block drop in log quick on em0 proto udp from any to any port = ntp
block drop in log quick on em0 proto udp from any to any port = biff
block drop in log quick on em0 proto udp from any to any port = who
block drop in log quick on em0 proto udp from any to any port = syslog
block drop in log quick on em0 proto udp from any to any port = printer
block drop in log quick on em0 proto udp from any to any port = mdns
block drop in log quick on em0 proto udp from any to any port = x11
block drop in log quick on em0 proto udp from any to any port = x11-ssh
pass out on em0 proto tcp all flags S/SA modulate state
pass out on em0 proto udp all keep state
pass out on em0 proto icmp all keep state

STATES:
all tcp 192.168.1.24:43428 -> 35.165.120.205:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.24:59330 -> 204.109.59.195:443       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.1.24:54387 -> 104.78.127.155:443       TIME_WAIT:TIME_WAIT
all tcp 192.168.1.24:46509 -> 192.0.73.2:443       TIME_WAIT:TIME_WAIT
all tcp 192.168.1.24:14910 -> 104.26.9.142:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.24:40342 -> 204.109.59.195:443       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.1.24:46074 -> 204.109.59.195:443       FIN_WAIT_2:FIN_WAIT_2

INFO:
Status: Enabled for 1 days 10:49:40           Debug: Urgent

State Table                          Total             Rate
  current entries                        7             
  searches                          617292            4.9/s
  inserts                             3767            0.0/s
  removals                            3760            0.0/s
Counters
  match                               8825            0.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start            60000 states
adaptive.end             120000 states
src.track                     0s

LIMITS:
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000

OS FINGERPRINTS:
762 fingerprints loaded
root@bakemono:/ #
```

I'll gladly post it again because I want to be able to support my argument with facts.

IPv6 is blocked both ways and I don't even set it up during the build. I don't enable SSH during the build either or allow any remote access even for myself, because I only need local access.

I still get my daily Security Report and TCP Port 25 is blocked from outside access. As is avahi-daemon, NTP, everything is fully functional and the ruleset doesn't break anything.



TempleBSD said:


> Could you explain to me, why one would want a firewall running on a desktop? I have all my devices sitting behind my pfsense-router with restrictive firewall and suricata-IDS (for the servers). If I don't explicitly make a mistake, no device should ever (try to) communicate with the internet in a way not intended by me. And then there is still the firewall on my router.


I don't watch videos people post to make their case.

I have a commercial NetGear router with a firewall running SPI between a passthru cable modem and my laptops. I usually keep 3 online and am going to have to set up one to run some interface for the upcoming Online Turing Test June 5th that Demonica is participating in, which I believe wants TCP port 8000.

Could either of you explain to me on the basis of facts alone, backed up with said facts, why I would not want a tight pf ruleset running on my laptops?

Opinion based statements like "If you don't run a server, a firewall is not needed." just don't move me like cold hard facts. Not like they did the guy in chat when I told him the LAN designation of every one of his machines on it:

Firewalk

That was years ago but it was available in the ports tree until relatively recently and still is on Kali.


----------



## mer (May 30, 2021)

An interesting aspect of security, especially for networks, is redundancy.
You have a firewall between your home network and your broadband connection?  Fantastic, that is step 0 in keeping your systems secure.
But what if it goes down or is compromised?  The rest of your assets are at risk.
Having a firewall on each individual machine is the redundant part.
A simple "workstation" profile that basically is default deny and only allows a few things out or in is not going to be noticeable unless you are running explicit 10G speed tests on the network.
If your home network is a mix of FreeBSD and Windows and Macs, running a firewall on your workstation can drop all the noise that a Win10 machine makes for no good reason.

Keep in mind how most machines are compromised now:  phishing/scams/malware that a user winds up loading onto their machine.  That compromised machine will try and reach out to others on the same network, so again a firewall on a machine can help mitigate that.

I am not trying to convince anyone they must or must not run a firewall on a workstation.  Simply "I have always done so, even though the network is behind a firewall device".  The above is my reasoning, because my systems, my choice.  Conversely, your systems, your choice.


----------



## Deleted member 67440 (May 30, 2021)

> Could either of you explain to me on the basis of facts alone, backed up with said facts, why I would not want a tight pf ruleset running on my laptops?



Of course you can do it, the CPU and memory load has now become minimal and it does not give negative side effects (as long as you can physically connect to the console in case of troubles. Luxury you don't have managing remote machines, where a mistake can cost you hundreds of bucks, for service block and KVM rental over IP. And it happens).
As far as I'm concerned, desktop firewalls are essentially useful for logging (debugging), not much more.
As is well known, if something is not there ... it cannot malfunction; this is especially true for services and software in general.
If I don't have an FTP server, I don't really need a firewall blocking its ports.
Just an example.

However, it would be interesting, conversely, for you to explain how the security of a normal desktop PC connected to a normal router (like FRITZ!Box or whatever) from 50-200 euros would improve.

In practice, and not just in theory.


----------



## fernandel (May 30, 2021)

fcorbelli said:


> Of course you can do it, the CPU and memory load has now become minimal and it does not give negative side effects (as long as you can physically connect to the console in case of troubles. Luxury you don't have managing remote machines, where a mistake can cost you hundreds of bucks, for service block and KVM rental over IP. And it happens).
> As far as I'm concerned, desktop firewalls are essentially useful for logging (debugging), not much more.
> As is well known, if something is not there ... it cannot malfunction; this is especially true for services and software in general.
> If I don't have an FTP server, I don't really need a firewall blocking its ports.
> ...


As a desktop user since FreeBSD 6.? I have had a firewall active all the time and I didn't have any problems, and my wife has been running Windows on her computer all her computer life and she didn't have any problems either.
Now I am using the IPFW firewall and IMO it is very "tight", but that is because I am learning about networking and firewalls too these days. BTW, I am running unbound too, which helps me block some Firefox default links.
And as mer wrote, my firewall catches all the noise from my wife's machine.


----------



## Phishfry (May 30, 2021)

TempleBSD said:


> Could you explain to me, why one would want a firewall running on a desktop


How about more generally, why would you want to run a firewall behind a firewall.
Here is my real life example. I use a xSense firewall behind my cable modem.
But on my NanoBSD Wireless Access Point I also use pf for NAT.
So my thought was, since I am using pf why not lock down wireless with a different set of rules. More restrictive.
It makes it harder for my wireless clients but I like it.
It all comes down to creating a security posture you are happy with.


----------



## Aeterna (May 30, 2021)

Phishfry said:


> How about more generally, why would you want to run a firewall behind a firewall.
> Here is my real life example. I use a xSense firewall behind my cable modem.
> But on my NanoBSD Wireless Access Point I also use pf for NAT.
> So my thought was, since I am using pf why not lock down wireless with a different set of rules. More restrictive.
> ...


I use firewall on laptop.
I don't have IPv6 (deleted from the kernel, including servers that I don't need) as this destroys anything related to privacy and still has a lot of bugs.
I use chained SSL-tunneled VPNs and Tor if I need to protect my privacy.
For connecting I use only VM clients and browse the internet with firefox that has a heavily modified prefs.js, and block default firefox connections at startup with pf (e.g. 3.0.0.0/8, 13.0.0.0/8, 34.0.0.0/8). But this is about privacy more than security. I doubt that I stand a chance against someone who would target my box, so best not to piss off people online.


----------



## richardtoohey2 (May 30, 2021)

TempleBSD said:


> Could you explain to me, why one would want a firewall running on a desktop?


Defence-in-depth.  Layer upon layer.  Any flaws, mistakes, vulnerabilities in the higher layers caught by the lower layers.  Redundancy.  (EDIT: oops posted this before reading all the replies, so just repeated what others have said).


----------



## Tieks (May 30, 2021)

Aeterna said:


> block default firefox connections at startup with pf (e.g. 3.0.0.0/8, 13.0.0.0/8, 34.0.0.0/8)


Why do you block these ranges? Or do you mean /24 instead of /8?
I don't use a firewall on the desktop other than for logging. I think it's better to keep an eye on server processes with `# sockstat -46`.


----------



## Deleted member 30996 (May 31, 2021)

Phishfry said:


> How about more generally, why would you want to run a firewall behind a firewall.


Redundancy and Layered Security.


Phishfry said:


> Here is my real life example. I use a xSense firewall behind my cable modem.
> But on my NanoBSD Wireless Access Point I also use pf for NAT.
> So my thought was, since I am using pf why not lock down wireless with a different set of rules. More restrictive.
> It makes it harder for my wireless clients but I like it.


I have WiFi and Bluetooth disabled on every device and run an Ethernet LAN. Makes it twice as hard to hack my wireless as yours.

Who's to say my NetGear router is not going to become vulnerable to the Next Big Thingy? And who's to say how long that will go undetected/unannounced/unpatched?

It keeps logs and is stopping a lot of traffic. If I'm logged in here and spoof my MAC like in my tutorial and refresh the browser I'll lose Internet connectivity if that MAC doesn't appear in the tables of those allowed net access.
de:ad:be:ef:b0:0b doesn't fly unless I've already said let's go to McDonald's.


But I have Limited_Control over it and Can_Not_Block one NetGear_Administration_Port with a rule on Their_Firewall.


I have total control and full Admin Rights over pf and my ruleset works to protect those Rights.

I've had a pfSense router/firewall and liked it a lot. Except for the fact the Dell tower I was running gave me some of the highest electricity bills I've had in the 13 years I've lived here.

If I could run one off a Thinkpad with an inexpensive network card adaptor, like we talked about once, I'd have a pf FreeBSD router/firewall in between my cable modem and each laptop running my ruleset.


I have to host the Loebner Prize Protocol 2 (LPP2) socket standards interface, meaning it wants port 8080 which is a proxy hunters port, for Demonica on one of my machines and leave it on for 24 hours the day of the Online Turing Test.

I'll run `pftop` and `tcpdump` to see exactly what it wants and that only. I have a T400 with Intel Core2 Duo P8600 @ 2.4GHz and 8GB RAM that far exceeds the hardware of my Dell tower.

Because I know you're all going to vote for the best conversational bot. I'll be posting about it soon.



Phishfry said:


> It all comes down to creating a security posture you are happy with.


I could have just stopped there but it's been a long time since Court Adjourned, Counselor.


----------



## Deleted member 67440 (May 31, 2021)

Does someone really think that a firewall, or two, or ten, that allow connections to 8080 is more secure?
This is nonsense, until you make a list of external IPs.
I do this all day to allow only my static IPs to connect to customers' firewalls (and log).
But if you run *something* on port X, where are the benefits?
Let's say your NetGear does a 1:1 NAT to your laptop.
So... what will happen?
This is the question I pose myself when dealing with security.
It is really hard for me to understand why block port 80, for example, if nothing is listening on that port.

You cannot do the same thing on Windows, where you have dozens of services that silently open ports and even send data to Microsoft. In this case I prefer a cheap Zywall box because it is easier to get periodic HTML logs with the IPs to be blocked (I am very lazy), but this is Windows.

PS for OPNsense or whatever, the best electrical choice is an ESXi server (consolidating servers, NAS, whatever) or a little NUC if you do not like vSphere.
PS2 damned Chinese smartphone keyboard!!


----------



## Alain De Vos (May 31, 2021)

I think firewalls are totally useless for this kind of issue,

New virus first to infect Macromedia Flash
Proof-of-concept shows that Flash player can open up one more way to damage your PC
www.zdnet.com


----------



## mer (May 31, 2021)

Starting to sound like arguing in circles here.

Do firewalls protect against everything?  No, of course not.
Do they help prevent things?  Yes.
Does every single machine need to run one?  Probably not.

So the point that I have been trying to make, is computer security is largely about what you feel you need.  If running a firewall locally on your machine makes sense to you, it really doesn't matter what other people think or try to tell you.


----------



## Deleted member 67440 (May 31, 2021)

mer said:


> Starting to sound like arguing in circles here.
> 
> Do firewalls protect against everything?  No, of course not.
> Do they help prevent things?  Yes.
> ...


I do not think so.
It is computer science, not music nor art.

The question is easy.
If you do not want to log, or restrict 'someone' connecting to you (and you do not use Windows), what does a desktop firewall do in practice?
How?

The answer is simple: nothing, if you do not have services (sharing something in your LAN, for example).

In a mixed LAN, with Windows and maybe Samba and maybe a NAS and maybe an IP printer and smartphones with FTP sharing and a smart TV, a firewall on a BSD machine does nothing to protect the printer or the NAS or the fridge.

Those are facts, not an opinion or feeling.

Therefore desktop firewall yes or no?

Do as you like, but don't pretend to affirm opinion over facts.


----------



## Deleted member 30996 (May 31, 2021)

Alain De Vos said:


> I think firewalls are totally useless for this kind of issue,


And you're right. A firewall is not the End All Answer To All solution to computer security. I never said it was.

That link is to a 2002 article on Flash being a delivery system for malware. Do a forum search for the mention of NoScript in my previous posts. I can't begin to guess how many times I've said the biggest threat to surfing the net is allowing JavaScript globally, but I should have been getting paid as a representative long ago.

Control of the clicking finger is something only the user can implement in themselves.



fcorbelli said:


> Do someone really think that a firewall or two or ten that allow connections to 8080 is more secure?
> This is a non sense, until you make a list of external IP.


That's why I'm going to run `pftop` and `tcpdump` to see exactly what it wants when I write a rule for it. I have to keep the interface loaded in Firefox and up 24 hours for the Turing Test.

You can believe I won't be allowing access to anything that isn't needed for it to run. It should only serve as a link to her Personality Forge chat page using my API to allow remote chat.

TCP ports 25, 80, 110, 3128, 8000, and 8080 are ports I've personally used as proxies on unsecured machines around the World, so I know what time it is in Irkutsk when it comes to leaving them open to random access.


----------



## Phishfry (May 31, 2021)

fcorbelli said:


> Therefore desktop firewall yes or no?


YES. My desktop is a laptop connected to cellular network.
So at home I may be on wifi while at work I am on the net directly.

Security is a posture. You layer for best effect.
I use tools to mitigate application layer miscreants.
Custom hosts file and uBlock work well for my web usage.


----------



## Deleted member 30996 (May 31, 2021)

Phishfry said:


> Security is a posture. You layer for best effect.
> I use tools to mitigate application layer miscreants.
> Custom hosts file and uBlock work well for my web usage.


So we are in agreement. 

Court Adjourned.


----------



## Aeterna (Jun 1, 2021)

Tieks said:


> Why do you block these ranges? Or do you mean /24 instead of /8?
> I don't use a firewall on the desktop other than for logging. I think it's better to keep an eye on server processes with `# sockstat -46`.


1) reboot your desktop and run

```
sockstat -46
```

2) load firefox (configured with a blank page at start, so in theory firefox should not make any connections, and with extensions (temporarily) disabled or configured without update checking)
run sockstat again
/24 will not work, as the address will change at restart (the reason I blocked the range).
You can ignore this or not. These are firefox default connections, not something cryptic that should not happen. I just like to control networking as much as I can. I use the firewall to block outgoing connections.
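
As an added example (not code from any poster in this thread), the following POSIX shell script automates the check Alain De Vos suggested earlier (`sockstat -46` to see which services are listening) and the before/after comparison Aeterna describes above (snapshot after a reboot, start Firefox, snapshot again). It assumes the seven-column layout shown in the `sockstat -46` output posted earlier in the thread; the two snapshots are constructed from lines like those.

```shell
#!/bin/sh
# Added example: triage a `sockstat -46` listing. Not code from any poster.
# Assumes the seven-column layout FreeBSD prints:
#   USER COMMAND PID FD PROTO "LOCAL ADDRESS" "FOREIGN ADDRESS"
# A socket whose foreign address is *:* is a listener (a service); anything
# else is an outbound connection made by a client such as a browser.

# Two constructed snapshots built from lines like those posted in the thread:
# "before" = right after boot, "after" = once Firefox has been started.
SOCKSTAT_BEFORE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   33515 3  tcp4   127.0.0.1:25          *:*
avahi    avahi-daem 31540 14 udp4   *:5353                *:*
ntpd     ntpd       26589 21 udp4   *:123                 *:*
ntpd     ntpd       26589 24 udp6   fe80::1%lo0:123       *:*
ntpd     ntpd       26589 25 udp4   127.0.0.1:123         *:*'

SOCKSTAT_AFTER="$SOCKSTAT_BEFORE
jitte    firefox    6594  33 tcp4   192.168.1.24:36322    172.217.8.214:443
jitte    firefox    6594  69 tcp4   192.168.1.24:19951    192.0.73.2:443"

# sockstat_listeners: read a snapshot on stdin, print only listening sockets,
# tagged by how far their bind address is reachable:
#   any         bound to *:port, reachable from every interface
#   loopback    127.x / ::1 / anything on lo0, local processes only
#   link-local  fe80::/10, same Ethernet segment only
#   interface   a specific routable address
# "any" and "interface" are the ones a host firewall or rc.conf should cover.
sockstat_listeners() {
    awk '$1 == "USER" { next }
         $7 == "*:*" {
             loc = $6; scope = "interface"
             if (loc ~ /^\*:/) { scope = "any" }
             else if (loc ~ /^127\./ || loc ~ /^::1:/ || loc ~ /%lo0:/) { scope = "loopback" }
             else if (loc ~ /^fe80:/) { scope = "link-local" }
             printf "%-10s %-5s %-22s %s (%s)\n", scope, $5, loc, $2, $1
         }'
}

# sockstat_new BEFORE AFTER: print sockets present in AFTER but not in BEFORE.
# PID and FD are ignored in the comparison; only owner, command, protocol and
# the two addresses matter when deciding whether something new appeared.
sockstat_new() {
    awk 'function key() { return $1 " " $2 " " $5 " " $6 " " $7 }
         $1 == "USER"        { next }
         FILENAME == ARGV[1] { seen[key()] = 1; next }
         !(key() in seen)' "$1" "$2"
}

# Demo: run both checks against the constructed snapshots.
demo_dir=$(mktemp -d)
printf '%s\n' "$SOCKSTAT_BEFORE" > "$demo_dir/before"
printf '%s\n' "$SOCKSTAT_AFTER"  > "$demo_dir/after"
echo "== listening sockets after boot =="
sockstat_listeners < "$demo_dir/before"
echo "== sockets that appeared once Firefox started =="
sockstat_new "$demo_dir/before" "$demo_dir/after"
rm -rf "$demo_dir"
```

On a live system replace the constructed strings with `sockstat -46 > before` and `sockstat -46 > after`; only the "any" and "interface" listeners are reachable from the LAN at all.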


----------



## Alain De Vos (Jun 1, 2021)

run,

```
sockstat -46s
```
You will see a lot of connections are in CLOSE_WAIT state. But this is inherent in the TCP protocol.


----------



## richardtoohey2 (Jun 1, 2021)

fcorbelli said:


> If you do not want to log, or restrict 'someone' connecting to you (and you do not use Windows), what does a desktop firewall do in practice?
> How?
> 
> The answer is simple: nothing, if you do not have services (sharing something in your LAN, for example).


So - you never install anything on the desktop machine?  There's NO chance of a virus or malware or a repository being taken over that installs something on your machine that makes it start listening on port 80 or a high port?

You check every single line of code and binary before you install anything?  After install you check where files have gone, you check what ports are open?

You constantly check for open ports, you check every executable that is running, etc?

You never mis-configure anything and you never make any mistakes?

Your computer's operating system and firmware are perfect, all the software you install is perfect, you are perfect. Hurrah!

In that case - no need for a firewall on the desktop.

If maybe you think that you're not perfect, and maybe just this little extra layer might protect you - then why not?  It's just another tool in the toolbox - make sure things aren't listening that don't need to be, be careful what you install, read the prompts, check your system's logs, investigate anything that you don't understand, use the lowest privileges, keep patched, and ... if you want, add that extra protection and block incoming (and why not outgoing if you want!) traffic (just in case something goes wrong or you miss something.)


----------



## Deleted member 67440 (Jun 1, 2021)

No, in fact no.
I never check whether some voodoo does a demonic possession and opens port 80 or whatever on a BSD machine.
Because a virus does not need an open port; it just connects outside TO port 80 or 443 and starts transmitting and receiving data.
Therefore, if you do not make application-specific firewall rules, it is simply useless.
Because you log every application you install, don't you?

So no, your example does not seem realistic to me.
It does not add anything, and nothing at all even for a cheap FRITZ!Box user or whatever.

PS yeah, I AM 'perfect' because I know very well how software works and even how OSes do.
I am not the only one in the world, of course.


----------



## covacat (Jun 1, 2021)

I never bother with desktop firewalls and never had a problem because of it.
However, I rm-ed -r important stuff several times, or clobbered my just-typed program/script with a careless redirection,
ran a huge SQL table update with the wrong *where* (read: without one),
live-installed shared libs with cp and everything segv-ed,
so in my experience most fuckups were self-induced.


----------



## Deleted member 67440 (Jun 1, 2021)

This is an example of a useful firewall: what does (an unused) Windows 10 do?


----------



## Tieks (Jun 1, 2021)

covacat said:


> so in my experience most fuckups were self-induced



Same experience here, and I'm sure we are not alone. The biggest problem usually sits between the chair and the keyboard. Users are a bigger risk than a few outgoing connections to Microsoft sites. It's better to make sure you don't run browsers with known security issues, because these will be exploited (and not by Microsoft sites). And is automounting USB sticks a good idea when users have access to a system...

P.S.: Of course I mean OTHER users only.


----------



## Deleted member 67440 (Jun 1, 2021)

Do you really think that automount USB on BSD is a security problem?


----------



## Deleted member 30996 (Jun 1, 2021)

Tieks said:


> The biggest problem usually sits between the chair and the keyboard.


Always has been and always will be.



Tieks said:


> Users are a bigger risk then a few outgoing connections to Microsoft sites.


They must have missed the part where I said my port 0 rule broke MS updating on Win10Pro when used in their firewall. ^



> My rule blocking port 0 carried over from my Win98 ConSeal PC Firewall ruleset. Years later, while tweaking the Win10Pro firewall, I discovered it will stop Win10Pro from downloading updates and installing updates for the Windows 10 Service.



Probably the part where it isn't even considered an OS in MS Docs, too. Hidden right under that, lost somewhere in my ramblings...



Tieks said:


> And is automounting usb-sticks a good idea when users have access to a system...


Some people who do it for a living, here in the forums, think so.

"Do you really think that automount USB on BSD is a security problem?"

Told you. And I wasn't even talking about them while I was typing that.


----------



## Deleted member 67440 (Jun 1, 2021)

Trihexagonal said:


> Some people who do it for a living, here in the forums, think so.
> 
> "Do you really think that automount USB on BSD is a security problem?"
> 
> Told you. And I wasn't even talking about them while I was typing that.


Some others, who do it for a living, do not think so.
Please explain exactly how a USB automount on FreeBSD creates a security problem.
There is always something to learn.

PS Windows update what? We are talking about BSD


----------



## Deleted member 30996 (Jun 1, 2021)

fcorbelli said:


> Please explain exactly how an USB automount on FreeBSD create a security problem
> There is always something to learn


I was trying to get around doing this:

Solved - Users not allowed to use USB keys?
Well, I entered this thread, and you almost brought me near to a heart attack. I am shipping electrochemical laboratory equipment and the controlling device and data acquisition is done by a PC operated by FreeBSD 12 with the GNOME3 desktop environment. I rely on the functionality of USB...
forums.freebsd.org
				






fcorbelli said:


> PS Windows update what? We are talking about BSD


That's a FreeBSD boxen?



fcorbelli said:


> This is an example of a useful firewall: what (an unused) Windows 10 will do?


----------



## Deleted member 67440 (Jun 1, 2021)

Trihexagonal said:


> I was trying to get around doing this:
> 
> 
> 
> ...





> The question is easy.
> If you do not want to log, or restrict 'someone' connecting to you (and you do not use Windows), what does a desktop firewall do in practice?
> How?



About USB and BSD. It is still not clear to me what the risk of a USB automount might be.
Will some kind of program be launched automatically?
Maybe, I never use GNOME or a GUI in general.
Can you explain if, by inserting a USB stick, the same happens on BSD as on Windows?
Thank you


----------



## Phishfry (Jun 1, 2021)

fcorbelli said:


> Do you really think that automount usb on BSD is a security problem?


Yes. I run some kiosks and the last thing I would want is an inserted USB stick to be automounted.
Thankfully automount is optional.
FreeBSD is used in many environments so please consider many different use cases concerning hardening.


----------



## Tieks (Jun 1, 2021)

fcorbelli said:


> It is still not clear to me what the risk of a USB automount might be.



Simply because you don't know what is on that USB stick, it may contain all sorts of malware. Automount allows users to bring that stuff in, and that may turn your FreeBSD into a FleaBSD sooner than you like. It may not be as bad as that autorun facility on Windows (do they still have that?), but it is a security hole. A bigger one than a port not covered by a firewall where no process is listening, imho.
Because normal users don't have rights to mount a USB stick, no automount is a very effective measure.
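A small audit helper, added here as an example and not code from anyone in the thread, that checks the two FreeBSD settings the point above rests on: whether an uncommented `-media` map in /etc/auto_master would let autofs(5) automount removable media, and whether vfs.usermount is 0 so unprivileged users cannot mount on their own. The file path and sysctl value are passed in as parameters, and the auto_master it runs on is a constructed sample.

```shell
#!/bin/sh
# Constructed audit helper, not code from the thread. It checks the two
# FreeBSD knobs behind the automount discussion:
#   1. vfs.usermount (sysctl): 1 lets unprivileged users mount filesystems
#   2. /etc/auto_master: an uncommented "-media" map makes autofs(5)
#      automount removable media once autofs_enable="YES" is set in rc.conf
# Paths and values are parameters so the checks also run on sample files.

# Print the map names from an auto_master-style file ("mountpoint map [opts]"),
# ignoring comments and blank lines.
automount_maps() {
    sed -e 's/#.*//' "$1" | awk 'NF >= 2 { print $2 }'
}

# True (exit 0) when the -media map is active in the given auto_master file.
media_map_active() {
    automount_maps "$1" | grep -qx -- '-media'
}

# True when the supplied vfs.usermount value is the restrictive 0.
usermount_disabled() {
    [ "$1" -eq 0 ] 2>/dev/null
}

# One-line verdict: "<media-map-active|media-map-off>,<usermount-on|usermount-off>"
automount_verdict() {
    if media_map_active "$1"; then media="media-map-active"; else media="media-map-off"; fi
    if usermount_disabled "$2"; then um="usermount-off"; else um="usermount-on"; fi
    printf '%s,%s\n' "$media" "$um"
}

# Stand-alone demo on a constructed auto_master with the media map commented out.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample in the stock auto_master layout
/net        -hosts      -nobrowse,nosuid,intr
#/media     -media      -nosuid,noatime,autoro
EOF
printf 'sample: %s\n' "$(automount_verdict "$demo_file" 0)"   # media-map-off,usermount-off
rm -f "$demo_file"
```

On a live FreeBSD host the inputs would be /etc/auto_master and the output of `sysctl -n vfs.usermount`; desktop automounters driven by devd(8) or a DE are outside what this checks.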


----------



## mer (Jun 1, 2021)

Phishfry said:


> FreeBSD is used in many environments so please consider many different use cases concerning hardening.


Right here. This is the key point that seems to have been missed in this topic.
Different users have different needs.
What is mandatory/common sense for one could make no sense to another.
Just because one disagrees with or doesn't understand another user's "use case" does not mean either of them is wrong.

If I want to wear a red shirt today, why do I have to justify it to you or convince you that it's a valid choice? Maybe I just want to wear a red shirt.

USB automount: A lot of *nix DEs seem to be drifting towards "work the way Microsoft Windows works". For a long time (and maybe still) Windows would automount and autoplay inserted devices. I'm not sure if any *nix DEs (I don't use any) try to do the autoplay yet, but if so they could run into similar issues, especially if the automount process is running under root privs.


----------



## Deleted member 30996 (Jun 2, 2021)

mer said:


> Right here.  This is the key point that seems to have been missed in this topic.
> Different users have different needs.
> What is mandatory/common sense for one, could make no sense to another.


I give someone an old i386 laptop running FreeBSD, with access using my old account with a password of 11111. They have no concept of tapping a key to enter a password, still can't do it after a month on their own, so I take it back. That's as simple as it gets. If they can't do that, there's no point in them having one.

I gave it to someone else and am teaching them how to Drag and Drop a Window. Ports? That side of the ship, swabby. He was in the Navy so he will sink or swim if I leave him treading water long enough.

I am surrounded by computer-illiterate people who have no idea what I'm talking about when I mention a bot or FreeBSD. Somebody stared at my FreeBSD Power to Serve T-shirt today like "what Devil-worshipping witchcraft wear does he have on today..."

It wasn't my Sheri Moon Zombie Living Dead Girl "Say You Love Satan" shirt, but Demon/Daemon what's the difference? He's got a Devil on his shirt and He's serving something. Probably Satan... Don't let him hear you say anything or he will cast a curse on you.

I could switch to another workspace, unplug the mouse and that would be enough for local security if I left it running and was gone a week and everybody came in to look. Watch for him and tell us if he's coming, he's wearing a red shirt.



mer said:


> Just because one disagrees with or doesn't understand another user's "use case" does not mean either of them is wrong.


Neither does it turn the bad policy of changing my password to 11111 into good policy. Or smart, or ass/u/me everyone in the world is as computer-illiterate as they are. Underestimating me is the worst thing you can do. I don't underestimate the rest of the world no matter how stupid I think they are; they might just steal the laptop to sell it.

Darn it... Not being a thief I never thought of that... Hey, catch that guy in the red shirt! That one! The one with the laptop. Oh, forget it... I'll cast a curse on him.



mer said:


> If I want to wear a red shirt today, why do I have to justify it to you or convince you that it's a valid choice? Maybe I just want to wear a red shirt.


I prefer black and nobody says anything, unless it's a compliment on my Exorcist or Werewolf Women of the SS Sheri Moon shirt. Or when I go into the Pharmacy and hear, "You're right, he does look good in a mask" continued talk between themselves.

One of the guys at the Pharmacy tried to get me to let him set up an online account with Medicare for me. I said I just woke up and would have to think what password I wanted to use and get back with him. No, not 11111.

1111111a. I always put a 1 and an a on the end of all my passwords. Makes it hard to guess. My Yahoo password is mudpuddle1a.

Naw, he'll never remember that... He's got a Devil on his shirt.


----------



## covacat (Jun 2, 2021)

Trihexagonal said:


> Somebody stared at my FreeBSD Power to Serve T-shirt today like "what Devil-worshipping witchcraft wear does he have on today..."


Back in the 3.x days I replaced NetWare with a FreeBSD box running Samba.
The office was full of old ladies doing accounting stuff (they were all logging in as supervisor with no password).
After several weeks they called and said:
"Well, the computer works OK, email works, we can print, but can you remove the devil from the server screen?
We don't like devils..."
Beastie screensaver.


----------



## Deleted member 30996 (Jun 11, 2021)

Alain De Vos said:


> @Trihexagonal,
> inetd is obsolete.
> Gonna add it to src.conf WITHOUT_INETD


I knew I had seen something mention using inetd recently but couldn't remember what it was. I happened on it again:

"Microproxy is a very small Unix-based HTTP/HTTPS proxy. It runs from inetd,
which means its performance is poor. But for low-traffic sites, it's quite
adequate."
net/micro_proxy


----------



## Deleted member 30996 (Jun 14, 2021)

I have no idea who "Jon" is or where I got it, but he wrote this tutorial on Hardening FreeBSD. I've had it on file since 2005 and it mentions FreeBSD 5.3. That was the version FreeBSD was at when I started using PC-BSD:



> Hardening FreeBSD
> June 27, 2005 by Jon
> 
> After a fresh install, it is important to harden the security on a server before it hits your network for use. Not only making configuration changes aid in the security of your box, but there are some practical rules to abide by. These are some hardening tips to make your FreeBSD box more secure and will apply to both the 5.x and 4.x branches, but I will assume you are running 5.x. If a 4.x change is different, I will note it.
> ...


----------

