Setting up PF firewall in FreeBSD 10
FreeBSD 10 provides several firewall options built into the base system. PF (Packet Filter) is the most advanced among them.
PF configuration is defined by the ruleset configuration file. The default ruleset is named /etc/pf.conf.
## Macros
# External network interface
ext_if="re0"
# Allowed ICMP message types
icmp_types="echoreq"
## Options
# Skip the loopback interface
set skip on lo0
## Normalization
scrub in all
## Filtering
# Protect against spoofed traffic
antispoof for $ext_if
# Block all incoming traffic by default
block in all
# Allow incoming connections to SSH service
pass in inet proto tcp to $ext_if port ssh
# Allow specified ICMP messages
pass inet proto icmp all icmp-type $icmp_types keep state
# Allow outgoing connections
pass out all keep state
The ruleset statements must be grouped by type, in the order shown above. More details and other possible rules and options can be found in the corresponding FreeBSD Handbook chapter.
Warning! If you have access to the server only through SSH, make sure the ruleset is correct and does not block incoming SSH connections before you load it.
Finally, enable PF in /etc/rc.conf:
pf_enable="YES"
And start it:
service pf start
The pfctl command is also available for loading, inspecting and controlling the ruleset, and it has some useful options.
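As an added example (not code from the original post), here is a small sh helper that puts the warning above into practice: it checks that the ruleset still passes inbound SSH, syntax-checks it with pfctl -nf, and only then loads it with a timed rollback to the previously loaded rules. The function names, the backup file location and the rollback timeout are assumptions.

```shell
#!/bin/sh
# Hypothetical helper (not part of the original post): validate a PF ruleset
# before loading it and schedule an automatic rollback, so that a mistake in
# the ssh rule cannot lock you out of a remotely administered server.

# Offline sanity checks that need no pfctl: the file must be readable, must
# still block inbound traffic by default, and must still pass inbound ssh.
check_ruleset_file() {
    file=$1
    [ -r "$file" ] || { echo "ruleset $file is not readable" >&2; return 1; }
    grep -Eq '^[[:space:]]*block[[:space:]]+in' "$file" \
        || { echo "no default 'block in' rule found" >&2; return 1; }
    grep -Eq '^[[:space:]]*pass[[:space:]]+in[[:space:]].*port[[:space:]]+(ssh|22)([[:space:]]|$)' "$file" \
        || { echo "no 'pass in ... port ssh' rule found; remote access would be cut" >&2; return 1; }
    return 0
}

# Load the ruleset with a timed rollback (requires root and pfctl).
# Usage: load_with_rollback /etc/pf.conf 90
# After confirming that a fresh ssh login still works, cancel the rollback
# with: kill $ROLLBACK_PID
load_with_rollback() {
    file=$1
    seconds=${2:-60}
    check_ruleset_file "$file" || return 1
    pfctl -nf "$file" || return 1                 # parse only; nothing is loaded
    backup=$(mktemp /tmp/pf.rules.XXXXXX) || return 1
    pfctl -sr > "$backup"                         # save the currently loaded filter rules
    pfctl -f "$file" || return 1                  # load the new ruleset
    ( sleep "$seconds" && pfctl -f "$backup" ) &  # revert unless cancelled in time
    ROLLBACK_PID=$!
    echo "new ruleset loaded; reverting to $backup in $seconds s unless you run: kill $ROLLBACK_PID"
}
```

check_ruleset_file is a plain-text guard and runs anywhere; load_with_rollback only works on a FreeBSD host with PF enabled.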