# Is there a firewall running after fresh install - 7.1



## mbr661 (Apr 22, 2009)

Hello, I'm new to FreeBSD.

I just finished a fresh install of 7.1 and all went well. I used the standard/user options during installation.

Is there a firewall running on my system after this install?  I don't see a firewall entry in rc.conf, but my system is acting as if there was a firewall around it.

If there is one, how can I tell?

Thanks in advance


----------



## DutchDaemon (Apr 22, 2009)

GENERIC kernel? No. No firewall. If there's no firewall indicated using a custom kernel, it can only run as a module, which means it should show up in *kldstat*.
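The kldstat check described above, worked into a small script. This is an added example, not code from the thread or from FreeBSD: it parses kldstat(8) and rc.conf text read from stdin, so it can be run against captured output (such as the listing posted later in this thread) as well as against the live commands. The two kldstat listings and the rc.conf fragment inside it are constructed samples, and the live check at the end only runs where the FreeBSD tools actually exist.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeBSD project: answer "is a
# firewall running?" from two sources of truth, the loaded kernel modules
# (kldstat) and the rc.conf knobs that would load one at boot. The parsers
# read stdin so they work on captured output as well as on live commands.

# Module names each FreeBSD packet filter loads under: pf, ipfw, ipfilter.
FW_MODULES="pf.ko ipfw.ko ipl.ko"

# Read kldstat(8) output on stdin; print every firewall module name found,
# one per line. Output is empty when none is loaded.
fw_modules_loaded() {
    awk -v want="$FW_MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) mod[w[i]] = 1 }
        NR > 1 && ($NF in mod) { print $NF }
    '
}

# Read an rc.conf on stdin; print each knob that enables a packet filter at
# boot (pf_enable for pf, firewall_enable for ipfw, ipfilter_enable for
# ipfilter) whose value is YES. Comment lines and trailing comments are ignored.
fw_enabled_in_rc() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*(pf_enable|firewall_enable|ipfilter_enable)[[:space:]]*=/ {
            sub(/[[:space:]]*#.*$/, "")               # drop a trailing comment
            split($0, kv, "=")
            knob = kv[1]; gsub(/[[:space:]]/, "", knob)
            val = kv[2]; gsub(/[^A-Za-z]/, "", val)   # strip quotes and blanks
            if (toupper(val) == "YES") print knob
        }
    '
}

# Turn the two parser outputs into one verdict line.
fw_verdict() {
    loaded=$(printf '%s' "$1" | tr '\n' ' ')
    enabled=$(printf '%s' "$2" | tr '\n' ' ')
    if [ -z "$loaded" ] && [ -z "$enabled" ]; then
        echo "no firewall: no pf/ipfw/ipfilter module loaded, none enabled in rc.conf"
    else
        echo "firewall present: modules [$loaded] rc.conf knobs [$enabled]"
    fi
}

# Constructed sample 1: the GENERIC-kernel kldstat listing posted later in this thread.
KLDSTAT_GENERIC='Id Refs Address    Size     Name
 1    7 0xc0400000 97f830   kernel
 2    1 0xc0d80000 6a2c4    acpi.ko
 3    1 0xc3136000 22000    linux.ko'

# Constructed sample 2: the same box after pf has been loaded (addresses made up).
KLDSTAT_PF='Id Refs Address    Size     Name
 1    8 0xc0400000 97f830   kernel
 2    1 0xc0d80000 6a2c4    acpi.ko
 3    1 0xc3136000 22000    linux.ko
 4    1 0xc3200000 3c000    pf.ko'

# Constructed sample 3: an rc.conf enabling sshd and pf, with ipfw commented out.
RC_CONF_PF='sshd_enable="YES"
pf_enable="YES"   # packet filter on
#firewall_enable="YES"
pflog_enable="YES"'

# Offline demonstration on the samples.
loaded_generic=$(printf '%s\n' "$KLDSTAT_GENERIC" | fw_modules_loaded)
echo "GENERIC box: $(fw_verdict "$loaded_generic" "")"
loaded_pf=$(printf '%s\n' "$KLDSTAT_PF" | fw_modules_loaded)
enabled_pf=$(printf '%s\n' "$RC_CONF_PF" | fw_enabled_in_rc)
echo "pf box:      $(fw_verdict "$loaded_pf" "$enabled_pf")"

# Live check, only where the FreeBSD tools actually exist.
if command -v kldstat >/dev/null 2>&1 && [ -r /etc/rc.conf ]; then
    fw_verdict "$(kldstat | fw_modules_loaded)" "$(fw_enabled_in_rc < /etc/rc.conf)"
fi
```

Both sources are checked because they answer different questions: kldstat tells you what is loaded right now, rc.conf tells you what will be loaded at the next boot. A box can show a firewall in one and not the other after a manual kldload or kldunload.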


----------



## DutchDaemon (Apr 22, 2009)

What makes you think there might be a firewall? What are you trying to do that fails? Trying to use it as a router without gateway_enable, or something?


----------



## vivek (Apr 22, 2009)

No firewall is configured out of the box. However, the default kernel does include pf and ipfw as modules. For example, to configure pf, add something like the following:

```
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pf_rules="/etc/pf.conf"
```
Once done create /etc/pf.conf:

```
# Services this host may reach out to, and the ICMP types allowed through.
tcp_services = "{ ssh, smtp, domain, www, https, ntp, 43, ftp, ftp-data }"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"

# Addresses to drop in both directions; the file is read when the ruleset is loaded.
table <blockedip> persist file "/etc/pf.block.ip.conf"

# Private, link-local, test and reserved ranges that must never appear on the external interface.
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

ext_if = "em1"
int_if = "em0"

# Normalise incoming packets (reassemble fragments, clean up odd flags).
scrub in all

# Default policy: block everything; "block return" answers blocked traffic with RST/unreachable
# instead of dropping silently. Later matching pass rules override these (last match wins).
block in all
block return

# Anything outbound is allowed and its replies tracked by state.
pass out keep state

# Do not filter loopback or the internal interface at all.
set skip on {lo0, $int_if}

# Drop packets whose source address fails a reverse-path (uRPF) check.
block in quick from urpf-failed

# Drop packets arriving on $ext_if that claim a source address belonging to this host's own networks.
antispoof log for $ext_if

# Martians in either direction on the external interface.
block drop in log (all)  quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians

# Blocked addresses in either direction.
block drop in log (all)  quick on $ext_if from <blockedip> to any
block drop out log (all) quick on $ext_if from any to <blockedip>

# Outbound services; the UDP range 33433-33626 is what traceroute probes use.
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

# Inbound services; synproxy completes the TCP handshake in pf before the server sees the connection.
pass in on $ext_if proto tcp from any to any port 25 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy modulate state
pass inet proto icmp all icmp-type $icmp_types keep state
```

See the pf man page or the PF FAQ at openbsd.org.


----------



## DutchDaemon (Apr 22, 2009)

I think OP does _not_ want a firewall, but suspects he's saddled with one.


----------



## mbr661 (Apr 23, 2009)

*Is there a firewall after install?*

Thanks both of you for your help. 

I thought the server was behind a router because I'm trying to set up openVPN (bridge) and I can connect, but cannot ping or browse the local net computers.  I can browse the internet from the client too.  On the other hand, I can ping the client from the network.

If there is no firewall, then it must be my configuration...

On to the firewall. Is PF the better choice for 7.1? I found a book: the book of PF that looks like a good one.


----------



## DutchDaemon (Apr 24, 2009)

Each firewall has its fans, but I'll endorse PF without reservations.


----------



## medennis6 (May 16, 2009)

*Acts like a firewall...*



			
				DutchDaemon said:
			
		

> GENERIC kernel? No. No firewall. If there's no firewall indicated using a custom kernel, it can only run as a module, which means it should show up in *kldstat*.



If that is the case, why is ssh the only thing that shows up on a port scan?

On FreeBSD 7.1-RELEASE (GENERIC) #0: Thu Jan  1 14:37:25 UTC 2009


```
m4# kldstat
Id Refs Address    Size     Name
 1    7 0xc0400000 97f830   kernel
 2    1 0xc0d80000 6a2c4    acpi.ko
 3    1 0xc3136000 22000    linux.ko
```


----------



## DutchDaemon (May 16, 2009)

FreeBSD installs no network servers by default, so the fact that ssh is open means you must have opened it yourself (sshd_enable="YES" is probably in /etc/rc.conf). The fact that no other port is open does not mean there's a firewall installed. It just means that FreeBSD lets you decide which network servers to install/activate.
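The point above, that an almost empty port scan reflects the absence of listening daemons rather than a firewall, can be checked from the host side. This is an added example, not code from the thread or from FreeBSD: it parses sockstat(1) `-4 -l` output into the list of externally reachable listeners and compares that with what a scan reported, so a listener the scan could not see is the first real evidence of filtering somewhere in the path. The sockstat listing and the two scan results inside it are constructed samples; the live listing at the end only runs where sockstat exists.

```shell
#!/bin/sh
# Added example, not from the thread: reconcile what a port scan shows with
# what the host is actually listening on, using sockstat(1) -4 -l output.
# With no packet filter loaded, every externally bound listener should show
# up in a scan of the matching protocol.

# Read sockstat -4 -l output on stdin; print "proto port bindaddr command"
# per listening socket, sorted and de-duplicated.
listening_ports() {
    awk '
        NR == 1 { next }                      # skip the column header
        $5 ~ /^(tcp|udp)/ {
            split($6, a, ":")                 # LOCAL ADDRESS is addr:port
            print $5, a[2], a[1], $2
        }
    ' | sort -u
}

# Keep only listeners another host could reach: drop loopback bindings.
external_listeners() {
    awk '$3 !~ /^127\./'
}

# $1: listener lines from external_listeners; $2: what the scan reported,
# one "proto port" per line (e.g. "tcp 22"). Prints each listener the scan
# did not see; empty output means the scan and the host agree.
unseen_by_scan() {
    printf '%s\n' "$1" | awk -v scan="$2" '
        BEGIN { n = split(scan, s, "\n"); for (i = 1; i <= n; i++) seen[s[i]] = 1 }
        { key = substr($1, 1, 3) " " $2; if (NF && !(key in seen)) print }
    '
}

# Constructed sockstat -4 -l listing for a fresh install with sshd enabled.
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   4  tcp4   *:22                  *:*
root     syslogd    471   6  udp4   *:514                 *:*
root     ntpd       590   20 udp4   127.0.0.1:123         *:*'

# Constructed scan results: a TCP-only scan, and a scan that also probed UDP.
SCAN_TCP_ONLY='tcp 22'
SCAN_TCP_UDP='tcp 22
udp 514'

# Offline demonstration on the samples.
ext=$(printf '%s\n' "$SOCKSTAT_SAMPLE" | listening_ports | external_listeners)
echo "externally reachable listeners:"; printf '%s\n' "$ext"
echo "missed by the TCP-only scan:";   unseen_by_scan "$ext" "$SCAN_TCP_ONLY"
echo "missed by the TCP+UDP scan:";    unseen_by_scan "$ext" "$SCAN_TCP_UDP"

# Live listing, only where sockstat exists.
if command -v sockstat >/dev/null 2>&1; then
    sockstat -4 -l | listening_ports | external_listeners
fi
```

Two things the comparison makes visible: a socket bound to 127.0.0.1 is invisible to any remote scan without a firewall being involved, and a TCP-only scan says nothing about UDP listeners, so the scan has to probe the same protocols the host is listening on before its silence means anything.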


----------



## medennis6 (May 16, 2009)

Thanks (#190), that clears it up - now I'll get back to the manual :e


----------

