newmab1
December 12th, 2004, 15:05
What's the best option for setting up a simple firewall for a newbie like myself on 5.3? :xmas:

elmore
December 12th, 2004, 15:20
I like pf, but you'll have to compile it and a kernel out of the ports tree. It may be easier to go with ipfw, though I'm not as familiar with that. :)

Strog
December 13th, 2004, 00:56
I like pf, but you'll have to compile it and a kernel out of the ports tree. It may be easier to go with ipfw, though I'm not as familiar with that. :)

5.3 has pf in it now. :silly:

It's hard to beat pf for your firewall. I love it.

jeraklo
December 13th, 2004, 08:01
5.3 has pf in it now. :silly:

It's hard to beat pf for your firewall. I love it.

But it seems FreeBSD doesn't support Spanning Tree Protocol yet. It would be great to build redundant bridge firewalls. :(

Linux and OpenBSD have this support.

Strog
December 13th, 2004, 15:00
But it seems FreeBSD doesn't support Spanning Tree Protocol yet. It would be great to build redundant bridge firewalls. :(

Linux and OpenBSD have this support.

My experiences with STP didn't make me want to use it for servers. It has way too many ways to be broken to be relied on, for my taste.

I would think you'd be better off with VRRP/CARP for high availability. This webserver is sitting behind a couple of load-balanced CARP firewalls and it works great. I don't think I've had more fun watching tcpdump packets than I did when elmore set those up originally. FreeBSD does have kernel patches (http://people.freebsd.org/~mlaier/CARP/) for CARP, and there's freevrrpd (http://www.b0l.org/?idcategory=3&idsection=1) and ucarp (http://www.ucarp.org/) in the userland.

Pleeb0101
December 14th, 2004, 05:52
STP? VRRP? CARP?
Was not the question:
What's the best option for setting up a simple firewall for a newbie like myself?
:icon_wink
hehehe.... That said, I have no idea about firewalls, but I've heard nothing but good things about PF. :0)

jeraklo
December 14th, 2004, 07:26
I would think you'd be better off with VRRP/CARP for high availability. This webserver is sitting behind a couple of load-balanced CARP firewalls and it works great.

I tried CARP on Linux (ucarp) and it works quite well, but all it does is IP address migration! Here, I speak of a transparent stealth bridge firewall that uses no IP addresses at all (it can have an administrative IP address, but one not used for any firewalling/rules etc.). Consequently, I mentioned STP because there has to be some form of network loop avoidance when you use bridges.

FreeBSD's man page for bridge(4) states: "Care must be taken not to construct loops in the bridge topology. The kernel supports only a primitive form of loop detection, by disabling some interfaces when a loop is detected. No support for a daemon running the spanning tree algorithm is currently provided."

elmore
December 14th, 2004, 11:56
Consequently, I mentioned STP because there has to be some form of network loop avoidance when you use bridges.

Your switch should be able to do this. And IMHO it's better to let the switch handle it.

We should try and stay on topic in this thread, though, as pleeb pointed out, though I wouldn't mind discussing this further in another thread if anyone is so inclined to start one. :)

Strog
December 14th, 2004, 13:15
Sorry newmab1, we are getting a little carried away here.

I think most people here would agree that pf would be the easiest to get you started. The setup format is easy to read and understand, and yet it has very advanced features as you need them.

Read the PF User's Guide (http://www.openbsd.org/faq/pf/index.html) a few times until you get a handle on what you want to do (probably not much at first :icon_smil ). There are some good examples to look at in the PF Repository (https://solarflux.org/pf/) too.

Whatever you do, let us know if you run into any snags and we'll fix you up. There's usually someone hanging out on IRC (irc.freenode.net #screamingelectron). You might have to idle for a bit until someone wakes up, but we have fun on IRC.

jeraklo
December 14th, 2004, 15:54
Yes, go with pf. Among all the features a quality firewall has to have, pf also has a very intuitive rule syntax, in contrast with, say, iptables used in Linux, whose native rule syntax is based on some form of semi-cryptic CLI switches. I mean, this is definitely a good feature for any firewall newbie.

newmab1
December 19th, 2004, 00:30
Sounds like I need to read up on "PF" and give it a go.

Thanx

newmab1
January 6th, 2005, 18:02
I need a little advice. I started using "IPFW" and am using a basic ruleset which has been working great. I started up my computer ready to hop on the internet.
When I got dialed up, no web pages would load: "Could not find such-and-such address." So I thought, check nslookup; that worked fine. Then I disabled my ruleset and bam, pages loaded just fine. Seems a little odd, since the thing worked great just the night before.

Thanx

Kernel_Killer
January 6th, 2005, 19:33
You might want to go with a rule like "ipfw add 00001 deny all from all" and then start from there. Add 'ipfw add 00002 allow all from 127.0.0.1 to any' to allow any outgoing requests to get through (web browsing, downloads, etc.; anything that you start on your end), which is what it sounds like it's blocking.

newmab1
January 6th, 2005, 23:26
KK,
It was just another Dumb A** blunder on my behalf.
Somehow I typed "ddial", so I had a "tun" device running in the background, and when I dialed out it used "tun1", which is not stated in my ruleset. Does that make any sense at all? So I panicked and created this post.

Thanx for the help!!
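An added example, not posted by anyone in this thread: a small shell script that generates and loads a minimal stateful ipfw ruleset for a dial-up FreeBSD host. It addresses both points raised above: ipfw stops at the first matching rule, so a deny at 00001 before an allow at 00002 blocks everything and the catch-all deny has to come last; and the external interface is matched with the wildcard "tun*" so a ppp session that comes up as tun1 instead of tun0 is still covered. Assumptions: ipfw2 syntax as shipped with FreeBSD 5.x, loopback on lo0, and that "me" (the host's own addresses) is the only thing originating outbound traffic.

```shell
#!/bin/sh
# Added example (not from the thread): minimal stateful ipfw ruleset for a
# dial-up FreeBSD host. Interface defaults to the wildcard "tun*" so that a
# session that appears as tun1 rather than tun0 is still matched.
# Assumes ipfw2 syntax (FreeBSD 5.x) and loopback on lo0.

# Print the ruleset: a flush, then one "ipfw add" per rule, lowest number first.
# ipfw evaluates rules in number order and stops at the first match, so the
# catch-all deny must be the LAST rule, not the first.
gen_ipfw_rules() {
    ext_if="${1:-tun*}"
    cat <<EOF
ipfw -f flush
ipfw add 00100 allow ip from any to any via lo0
ipfw add 00200 deny ip from any to 127.0.0.0/8
ipfw add 00300 check-state
ipfw add 00400 allow ip from me to any out via $ext_if keep-state
ipfw add 00500 deny log ip from any to any in via $ext_if
ipfw add 65000 deny log ip from any to any
EOF
}

# Sanity-check the generated text before anything touches the kernel.
# Returns 0 when the final rule is a deny and the external interface is
# referenced; returns 1 otherwise (a misordered or mistyped ruleset).
check_rules() {
    ext_if="${1:-tun*}"
    rules=$(gen_ipfw_rules "$ext_if")
    last=$(printf '%s\n' "$rules" | tail -n 1)
    case "$last" in
        *" deny "*) ;;
        *) echo "last rule must be a deny" >&2; return 1 ;;
    esac
    # -F: treat "tun*" as a literal string, not a regex
    printf '%s\n' "$rules" | grep -qF -- "via $ext_if" || return 1
    return 0
}

# Load the rules as root: "-q" keeps ipfw quiet while each line is executed.
apply_rules() {
    check_rules "$1" || return 1
    gen_ipfw_rules "$1" | sed 's/^ipfw /ipfw -q /' | sh
}

# Usage on the firewall host (as root):  apply_rules          # matches tun*
#                                        apply_rules tun0     # one interface
```

Replies to connections opened from the host are admitted by the dynamic state created at rule 00400 and matched at 00300, so DNS lookups and web browsing over the dial-up link both work without any per-port rules.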