# The default/optimal firewall settings



## Pwkepkw (Jul 29, 2019)

I learned that FreeBSD doesn't have a firewall running out of the box. I have no network knowledge, and as a desktop user I find it a little bit unnecessary to learn a little-to-moderate level of networking. Is there a GUI I can use to configure my firewall to optimal settings?


----------



## Deleted member 30996 (Jul 30, 2019)

I show you how to set up the pf firewall and supply a basic ruleset that should suffice for a simple desktop:

Beginners Guide - How To Set Up A FreeBSD Desktop From Scratch (forums.freebsd.org):

> I'm going to guide you through the process of getting a fully functional FreeBSD 13.0-RELEASE desktop up and running, complete with system files and security settings, step-by-step as if you've never used UNIX or the command line. Now let's get started: Insert your boot media and at the Welcome...
It's a trimmed down version of the one I use on my boxen that is provided on the second page in the comments.


GUI? We don't need no stinkin' GUI! You either.


----------



## SirDice (Jul 30, 2019)

Pwkepkw said:


> And as a desktop user, I find it a little bit unnecessary to learn a little-to-moderate level of networking.


If you're on a typical home network, modem/router with NAT, you don't actually _need_ a local firewall any way.


----------



## sidetone (Jul 30, 2019)

```
firewall_enable="YES"
firewall_type="workstation"
```
That's for desktop. There are other ones to choose from.
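Added example, not sidetone's own configuration: the same `workstation` type, with the extra knobs that `/etc/rc.firewall` reads for it so you can see what the type actually does. The variable names are the ones documented in rc.conf(5); the port and the LAN range are placeholders chosen for illustration, not values from this thread.

```conf
# /etc/rc.conf -- ipfw "workstation" type (added example; values are placeholders)
firewall_enable="YES"
firewall_type="workstation"

# What this type gives you by default: everything outbound is allowed and the
# replies come back through stateful rules; unsolicited inbound is denied.

# Services this host offers, as port/proto. Leave this empty on a desktop that
# runs no servers; 22/tcp is shown only to illustrate the format.
firewall_myservices="22/tcp"

# Who may reach firewall_myservices. The LAN range below is a placeholder;
# "any" would open the listed ports to the whole Internet.
firewall_allowservices="192.168.1.0/24"

# Hosts given full access, bypassing the checks above. Keep it empty unless
# you really trust a machine.
firewall_trusted=""

# Log what the default deny drops so you can see what was knocking.
# firewall_logging turns ipfw logging on; firewall_logdeny adds "log" to the
# workstation type's deny rules. Entries land in syslog (/var/log/security).
firewall_logging="YES"
firewall_logdeny="YES"
```

Start it with `service ipfw start` and inspect the generated ruleset with `ipfw list` (`ipfw -a list` adds per-rule packet counters, which is the quickest way to confirm a rule is actually matching). Enable only one of ipfw and pf unless you understand the order in which they see packets; running both "for safety" mostly produces confusing double logs.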


----------



## Deleted member 30996 (Jul 31, 2019)

SirDice said:


> If you're on a typical home network, modem/router with NAT, you don't actually _need_ a local firewall any way.



Over the past few days surfing new sites I did my normal NoScript thing to selectively allow JavaScript for the site I was visiting. I noticed that each of the sites only had 2 scripts listed that wanted JS enabled. One for the domain I was visiting needed JS enabled for full functionality (not all do, including mine), but the second was the same plain IP address on every site that wanted JS enabled as well. Didn't happen. Thank you, NoScript.

When I checked the IP# it belonged to my ISP and it was not even the same subnet my machine was using. So I made a new rule and blocked it, rebooted and am still able to access the net.

That doesn't mean my ISP can't track me but they'll be doing it without JS enabled and not from that IP# or any other NoScript alerts me to thanks to pf.

I'm on a typical home Ethernet LAN with a commercial router/firewall but don't trust it nearly as much as pf and wouldn't think of going online without it enabled. Setting up pf is the first thing I do when rebuilding my system.


Edit: It wasn't quite as easy as only making a `block in` rule. It still showed up when visiting a site tonight, so I made one to block outgoing traffic to that IP#. Now I can't access the site from my machine but was able to access the forums without any problem.




Seems Charter wants to see what certain sites I visit consist of. This was a medical related site I was visiting with nothing to do with Charter and nothing nefarious about it whatsoever. Neither is it any of their business, or my only option to get online and beat that kind of thing.
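Added example, not the poster's ruleset (that one is on the second page of the linked guide): a minimal stateful `/etc/pf.conf` for a desktop that also refuses to talk to a third-party address of the kind described above. It illustrates the point in the Edit: a `block in` rule alone does not stop this, because the browser *initiates* the connection, so the traffic to stop is outbound. The interface name `em0` and the address `192.0.2.10` (an RFC 5737 documentation address) are placeholders, not anything taken from the thread.

```pf
# /etc/pf.conf -- minimal stateful desktop ruleset (added example)
ext_if = "em0"          # placeholder: your NIC, check with ifconfig

# Addresses this machine should never talk to. A table can be edited at
# runtime without reloading the ruleset. 192.0.2.10 is a placeholder.
table <blocked> persist { 192.0.2.10 }

set skip on lo0         # never filter loopback
set block-policy drop   # drop silently instead of sending RST/ICMP
scrub in all            # reassemble fragments, normalise packets

# pf is last-match-wins; "quick" makes these rules final so the generous
# "pass out" below cannot override them.
# Outbound is the rule that matters here: the browser starts the connection.
block out log quick on $ext_if from any to <blocked>
# Inbound from that host is dropped by the default below anyway; listing it
# explicitly just gets a dedicated log entry.
block in  log quick on $ext_if from <blocked> to any

# Default policy: drop unsolicited inbound, allow everything outbound and
# keep state so the replies to our own connections come back in.
block in log all
pass out on $ext_if all keep state
```

Enable it with `pf_enable="YES"` and `pflog_enable="YES"` in `/etc/rc.conf`. Before loading, check the syntax with `pfctl -nf /etc/pf.conf`, then `service pf reload`. `pfctl -t blocked -T show` lists the table, `pfctl -t blocked -T add <ip>` adds an address on the fly, and `pfctl -s rules -vv` shows per-rule match counters so you can confirm the `block out` rule is the one firing. Logged drops are visible with `tcpdump -n -e -ttt -i pflog0`. The trade-off is exactly the one the poster hit: any site that genuinely depends on the blocked host will stop working from this machine.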


----------

