# Router, NAT, PF to secure the desktop



## max21 (Aug 1, 2014)

Hi _everyone_!

All-in-one; I need to set up a router, PF and all else it takes to secure a FreeBSD GNOME desktop.  I am running FreeBSD 10.0 GNOME desktop.  I have Virtualbox installed running Windows XP.  I have never done much beyond keeping an eye on both without any true technical know-how.

As of now, I have everything running perfectly like it was since 8.2.  It’s high time that I address any and all possible security issues for this foundation which is the desktop, and the latter a web server running a few jails.


Is it possible to run a FreeBSD desktop as a router to jails and Virtualbox very securely?

To elaborate; I *never* use the FreeBSD desktop applications to surf the web. I don't need or want any web connections made possible to any program running under FreeBSD GNOME desktop or FreeBSD by itself. In other words, I want all packets to bypass the FreeBSD desktop (other than what has to be done by the router and PF) and go *only* to Virtualbox and/or jails and back again.

I read that an internet connection on a FreeBSD desktop is more vulnerable than on a raw FreeBSD server. This makes sense because any desktop can be full of holes. It’s easier to replace a VDI file or jail than the entire hosting desktop system in front of it.

I don’t know much about sockets but if that is what it takes to bypass the desktop gateway, straight to the router, straight to the PF, then to Virtualbox and jails, that is what I want to do, or something like it.  Hope you can word this better in your mind to understand what I am trying to say.

The only connection I want for the FreeBSD desktop is the SSH connection for FreeBSD updates and such, and absolutely nothing else should be capable to stop by to probe the desktop.

How would I do this?
Could someone provide the complete router scripts and application needed?
What PF rules are to be used?
In the end would it be fairly safe to run at full production from a fairly trusted co-location?
Thanks in advance.


----------



## SirDice (Aug 1, 2014)

max21 said:

> 1-- Is it possible to run a FreeBSD desktop as a router to jails and Virtualbox very securely?


Sure.



> To elaborate; I NEVER use the FreeBSD desktop applications to surf the web.  I don't need or want any web-connections made possible to any program running under FreeBSD Gnome desktop or FreeBSD by itself.  In other words, I want all packets to bypass the FreeBSD desktop (other than what has to be done by the router and PF) and go ONLY to Virtualbox and/or jails and back again.


And how are you supposed to update the desktop if it cannot connect to the internet? Keeping up to date is an integral part of staying secure. Browsing the web with FreeBSD is a lot better compared to browsing the web with Windows for example. Of course a bug in Firefox could potentially infect your FreeBSD desktop but almost all exploits that are "in the wild" are targeted at Windows. Very rarely are they targeted at Linux and almost never at FreeBSD. So you're already a step ahead of the game by using FreeBSD.



> I read that internet connects on a FreeBSD desktop is more vulnerable than on a raw FreeBSD server.


More or less true but it's not its functionality that makes it more vulnerable. It's the fact that a lot of malware is targeted at desktop systems. But because of the above reasons you don't have a lot to fear. Granted it's not impossible to infect a FreeBSD desktop but it's also not impossible to infect a FreeBSD server. It's all about risk management.



> This makes sense because any desktop can be full of holes.


Servers can have even bigger holes. Just set up FreeBSD and put an old WordPress on it. See how long it'll take to get infected.



> I don’t know much about sockets but if that is what it takes to bypass the desktop gateway, straight to the router, straight to the PF, then to Virtualbox and jails, that is what I want to do, or something like it.  Hope you can word this better in your mind to understand what I am trying to say.


If there's no socket listening it cannot be attacked. But desktops usually don't have anything listening on the 'outside'. So this risk is quite low. You have more to fear from yourself by entering personal data on some rogue website. Or by downloading a fake "codec" to play some movie file. I've been using Windows for a very long time without any anti-virus and I've _never_ infected any of my Windows machines. You simply have to watch and think about what you're doing.



> The only connection I want for the FreeBSD desktop is the SSH connection for FreeBSD updates and such, and absolutely nothing else should be capable to stop by to probe the desktop.


Outgoing connections are different from incoming connections. There's nothing listening on a normal desktop for incoming connections so there's nothing to 'probe'. And if you have a 'normal' home setup you will be sitting behind a router that blocks all incoming connections. So there's never anything going to reach your desktop from the internet.


----------
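The point made above about listening sockets can be checked on the host itself. This is an added example, not part of any post in this thread: a shell function that reads `sockstat -4 -6 -l` output and reports listeners bound to non-loopback addresses. The allow-list (port 22) and the sample lines are constructed assumptions.

```shell
#!/bin/sh
# exposed_listeners: read `sockstat -4 -6 -l` output on stdin and print every
# listener that is reachable from outside the host (not bound to loopback).
# $1: space-separated ports that are expected to be open (assumption: "22").
exposed_listeners() {
    awk -v allowed="${1:-}" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    $5 !~ /^(tcp|udp)[46]/ { next }        # skips the header and non-IP rows
    {
        port = $6; sub(/^.*:/, "", port)       # text after the last colon
        addr = $6; sub(/:[^:]*$/, "", addr)    # text before the last colon
        if (port == "*") next                  # socket not bound to a port
        if (addr ~ /^127\./ || addr == "::1") next   # loopback only
        if (addr ~ /%lo[0-9]+$/) next          # link-local on a loopback interface
        if (port in ok) next                   # expected service
        printf "%s pid=%s %s %s:%s\n", $2, $3, $5, addr, port
    }'
}

# Constructed sample in the column layout sockstat prints with -l.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       712   3  tcp6   *:22                  *:*
root     sshd       712   4  tcp4   *:22                  *:*
root     sendmail   689   3  tcp4   127.0.0.1:25          *:*
root     syslogd    501   6  udp6   *:514                 *:*
root     syslogd    501   7  udp4   *:514                 *:*
max      cupsd      903   5  tcp6   ::1:631               *:*
avahi    avahi-daem 870   12 udp4   *:5353                *:*
EOF
}

# On the FreeBSD host itself: sockstat -4 -6 -l | exposed_listeners "22"
sample_sockstat | exposed_listeners "22"
```

Anything this prints is a socket that a packet filter has to cover or a service that should be rebound to loopback or disabled.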



## max21 (Aug 3, 2014)

Something must be very wrong with my English and writing because nothing I ask is ever understandable or always questionable.  Lately I've been wondering if the Big Guy upstairs forgot about me when he was passing out brains.



> And how are you supposed to update the desktop if it cannot connect to the internet?


I have *everything* I need on my desktop and I aim to protect it according to the basic idea behind my post.  You said *Sure.* to the question: _is it possible to run a FreeBSD desktop as a router to jails and Virtualbox very securely?_

Coming from you, that seals the fact that FreeBSD is smart enough to be invisible, without holes or backdoors, and if so, I will close them anyway.  I have no real need to protect or update the *desktop*.



> Keeping up to date is an integral part of staying secure.


SirDice, I did not say I was totally lame.  Of course I will update the base and ports system but not under desktop mode.  That would be just plain stupid. Now you've got bug-buddy and all of GNOME's friends in the way digging holes large enough to bury you.



> Browsing the web with FreeBSD is a lot better compared to browsing the web with Windows.


I use FreeBSD desktop for only two reasons.

1) To run VMs to connect to the wicked internet so that my Uncle Sam and others can keep an eye on me and our bank account.  It takes less than 30 seconds to replace a 2GB Windows VDI.  I don’t stop using Windows just because FreeBSD is the host.  I care nothing of which is better for surfing.  I use Windows for that, just like 90% of all FreeBSD users, including yourself I read.

2) To keep the INTERNET out of my freaking desktop.  You must physically steal the whole computer if you want to see all my pictures.  I use FreeBSD for my personal business and computer programming attempts, as I try to study the FreeBSD system.  I have no plan to get confused about which is on the INTERNET, the vm-bsd or the real system.  Is it live or is it Memorex.  I've been there and done that.  Do what floats your boat.  My mind has been made up.

All else you said is very educational but I still don’t know how to achieve what I am after.  A bypass just like in a country town, no matter what other short-cuts are available, you still want the bypass in place.


----------



## max21 (Aug 6, 2014)

For a long time I've been reading that it’s best not to use a standard internet connection to surf the web on BSD desktop systems other than SSH for privately connecting to needed resources. With the use of Jails and Virtualbox the idea was to ensure this security where even web-surfing will bypass any possibility of risking the desktop system. As a common user, this led me to believe that with the use of these tools, the base system has more of a chance to take care of its own, as it accommodates the desktop, other than the use of the kernel to deal with web pages and its own security through a well-configured or a few custom built sockets.

So I think I now understand your point about listening sockets, and now I’m surfing the GNOME forums to find where to turn off listening in the GNOME desktop system. I guess this should bypass any listening on GNOME, including using only _Work Offline_ in Empathy and other [GNOME] applications.  So that would mean that listening on to the base system *should* go straight to the Jails and the Virtualbox network all on a single machine even before the help of PF.  This should help to avoid any unknown application active inside the GNOME desktop.

Your idea got me working on the Virtualbox windows. Under Virtualbox all I did was to turn off NAT and under one of the OSes under Virtualbox, I included disabling the _Internet Protocol (TCP/IP)_ under _Local Area Connection Properties_. For GNOME I will go as far as removing its driver(s). Who really needs them when you've got Jails and Virtualbox for FreeBSD?

If my thinking is correct, having my own FreeBSD ROUTER included behind all of that would still be an important part of my system. Now I can move the system anywhere! Anyway, no need to worry, a powerful how-to that includes a router with PF on a single machine is out here somewhere and I aim to find it.

Thanks again @SirDice for those extraordinary tips that even a noob can understand, if given a little time.


----------

