DaemonForums  

#1, 3rd June 2014
tetra_user (New User)
FreeBSD port for "PF" firewall management?

Hi guys,

Is there a port or some open source package that I can use to manage a PF firewall on FBSD? I do not want to use anything from pfsense or monowall as they are XML driven. Any suggestion will be greatly appreciated.

Thanks.

tetra
#2, 3rd June 2014
J65nko (Administrator, Budel - the Netherlands)

I use the vi(1) editor, but that is probably not the kind of firewall management package that you are looking for.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#3, 5th June 2014
tetra_user (New User)

Quote (Originally Posted by J65nko):
I use the vi(1) editor, but that is probably not the kind of firewall management package that you are looking for.

You are a senior administrator and vi is the best. But for a junior guy like me, I would use a GUI like pfsense is offering.

Thank you.
#4, 3rd June 2014
jggimi (More noise than signal, USA)

Hello, and welcome!

You've mentioned pfSense; there was also PfPro which has been unmaintained for 10 years. It, too, used XML.

I'm unaware of any non-XML GUI tools for PF.

Disclaimer: I have no experience with any GUI tool for PF. Like J65nko, I use an $EDITOR and pfctl(8).

#5, 5th June 2014
tetra_user (New User)

Thanks for the tips guys! I actually found something which I was looking for: sourceforge.net/projects/freebsdadmin. But then again it is totally without documentation and not a single support channel is posted there. For a middle-level tester and curious guy like myself, it's too hard to get it going. I am still looking and open for other options though.
#6, 6th June 2014
scottro (Scott Robbins, Spam Deminer, NYC)

FreeBSD admin seems to have last been updated in 2011.

As for pf, the basic setup isn't that hard. I have a somewhat dated page on it that I like to think explains the basics well.

http://srobb.net/pf.html
#7, 6th June 2014
Carpetsmoker (Martin, Old man from scene 24, Eindhoven, Netherlands)

GUI tools to create (potentially complex) text files can be dangerous. For example, OSX uses FreeBSD ipfw as a firewall. A few years ago a number of vulnerabilities were found in the OSX GUI tool to manage this because it generated a "wrong" ipfw config file.

You have been warned.

And, as pointed out, it's not that hard to create a basic pf setup. And you will learn more along the way. And if you have any problems/more specific questions, you can of course always ask them.
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
#8, 6th June 2014
bsd-keith (Keith, Linux from 1999 & now BSD, Surrey/Hants Border, England)

I'm not an admin, but I would use a text editor to configure it as that would give _me_ full control over it.
Best to learn & understand what & why you are doing these sorts of things concerning security.
Forums such as these will have experienced admins on who are the best people to ask for advice, as they actually use these tools on a daily basis to keep their machines secure.
__________________
Linux since 1999, now a BSD user.
#9, 6th June 2014
jggimi (More noise than signal, USA)

Peter Hansteen, author of The Book of PF (2nd Ed. ISBN-13: 978-1-59327-274-6, and 3rd edition in development), recommends using an editor rather than any of the GUI tools.

For an introduction to PF, see his tutorial.
Quote:
In case you are wondering, there are web interfaces available for admin tasks (such as the FreeBSD based pfSense and the OpenBSD based and supposedly portable pfPro), but they are not parts of the base system. The PF developers are not hostile to these things, but rather have not seen any graphical interface to PF configuration which without a doubt is preferable to pf.conf in a text editor, backed up with pfctl invocations and a few unix tricks.
6th June 2014
scottro (Scott Robbins, Spam Deminer, NYC)

I have to boast that Mr. Hansteen said nice things about my page, way back when. (Though he may have just been being polite--his page had requested that if you link to it, he would like to know, my page linked to it, and so I emailed him for permission, to which he responded thanks, and nice page.)

I've always considered my page a real beginner's introduction to his page and to the OpenBSD PF FAQ.
6th June 2014
jggimi (More noise than signal, USA)

Scott,

Your page does have an interesting ... well, to use Mr. Hansteen's words, unix trick. A cron job to automatically disable PF while modifying a remote server is something I would not have considered. In my case, I don't normally need it -- my remote firewalls are paired and coupled together by null-modem cables, which mitigates the risk of finger fumbles on one of them.

I note you recommend the OpenBSD PF Users' Guide. There has been significant divergence since FreeBSD last forked PF, and significant syntax change.

The FreeBSD Handbook (29.3) warns about the version differences, but does not tell the reader that they could obtain an HTML extraction of the PF Users' Guide that matches the FreeBSD version being used. I'm a little surprised no one has bothered to do that for Handbook readers.

You might consider adding these older guides to your page, since they're not in the Handbook.

For example, to obtain the OpenBSD 4.1-release and 4.5-release versions of the User's Guide, something like these should work, though I have not tested the command. I selected the day following each release, and an AnonCVS server in Canada, though a nearer server will be faster, see the list at http://www.openbsd.org/anoncvs.html

For 4.1:

$ cvs -d anoncvs@anoncvs1.ca.openbsd.org:/cvs get -D "May 2, 2007" www/faq/pf

For 4.5:

$ cvs -d anoncvs@anoncvs1.ca.openbsd.org:/cvs get -D "May 2, 2009" www/faq/pf

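The lockout-avoidance trick discussed in this post (a timer that undoes a remote ruleset change unless the operator confirms it) as a small sh script. This is an added example, not code from the thread or from any of the linked pages; it assumes pfctl(8) is in PATH, root privileges, and that a good load is confirmed by creating a marker file before the grace period ends. Function names, paths and the return codes are my own choices.

```shell
#!/bin/sh
# Load a candidate pf.conf on a remote host with a timed rollback, so a typo in
# the ruleset cannot lock the operator out. Added example; assumes pfctl(8) is in
# PATH, root privileges, and that the operator confirms a good load by creating
# CONFIRM_FILE before ROLLBACK_SECS elapse. Names and paths are my own choices.
set -u

PFCTL=${PFCTL:-pfctl}                       # overridable, e.g. for testing
ROLLBACK_SECS=${ROLLBACK_SECS:-120}         # grace period before auto-revert
CONFIRM_FILE=${CONFIRM_FILE:-/var/run/pf_reload.ok}

# Parse and validate the candidate without loading it (pfctl -n is a dry run).
check_ruleset() {
    "$PFCTL" -nf "$1" >/dev/null 2>&1
}

# Dump the currently loaded filter rules so they can be restored verbatim.
# Note: -sr captures filter rules only; if your ruleset relies on tables or
# options, point $1 at a copy of the previous pf.conf instead.
save_running() {
    "$PFCTL" -sr > "$1"
}

# Load $1, keeping a copy of the old rules in $2, and start a watchdog that
# reloads the old rules unless CONFIRM_FILE appears within ROLLBACK_SECS.
# Returns 2 on a syntax error, 3 if the backup fails, 4 if the load fails.
load_with_rollback() {
    new=$1
    backup=$2
    check_ruleset "$new" || return 2
    save_running "$backup" || return 3
    "$PFCTL" -f "$new" || return 4
    rm -f "$CONFIRM_FILE"
    (
        sleep "$ROLLBACK_SECS"
        [ -e "$CONFIRM_FILE" ] || "$PFCTL" -f "$backup"
    ) &
    return 0
}

# Called by the operator, over the same SSH session that survived the change,
# to cancel the pending rollback.
confirm() {
    : > "$CONFIRM_FILE"
}
```

Run `load_with_rollback /etc/pf.conf.new /root/pf.rules.bak`, check that you can still reach the host, then run `confirm`; if the session is gone, the old rules come back by themselves after the grace period.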
6th June 2014
scottro (Scott Robbins, Spam Deminer, NYC)

Thank you. I've added that info. I did say thanks to daemonforums jggimi for the tip; hopefully that's OK with you. If not, let me know and I'll remove the mention.

That cron job is probably overkill, but when I first wrote the page, a friend had mentioned how they'd done it and it had saved them, so I decided to follow suit.
7th June 2014
jggimi (More noise than signal, USA)

That's fine, thanks.

I was actually thinking you might add the pages directly, rather than passing along the CVS commands. But either way certainly works.
7th June 2014
scottro (Scott Robbins, Spam Deminer, NYC)

I'm far too lazy to add the pages directly.
7th June 2014
tetra_user (New User)

You can't imagine how thankful I am to you guys for your warnings and advice. The link is really informative, but if I was to deploy a FreeBSD based firewall then the lazy net admins ask for a firewall GUI, and that is a drawback for my consultancy.
8th June 2014
jggimi (More noise than signal, USA)

Quote:
Originally Posted by tetra_user View Post
...the lazy net admins ask for a Firewall GUI and that is a drawback for my consultancy.
You have stated that a requirement is a GUI that avoids XML. I think you may need to develop your own tool, or else eliminate this self-imposed requirement.

Developing a tool would require learning PF, of course.
9th June 2014
jggimi (More noise than signal, USA)

Quote:
Originally Posted by tetra_user View Post
...the lazy net admins ask for a Firewall GUI and that is a drawback for my consultancy.
I write and execute dozens of IT service contracts every year, as both recipient and provider of services. However, I am not an attorney, so the following does not constitute legal advice.
If your solution includes a third party tool that either causes damage or permits damage to be caused, your business may be held liable for that damage. Neither you nor your customers will be able to claim compensation from the tool maker, both because your customers have no chain of privity with the third party you selected, and because you will have only a free software product's license (commonly either a GPL or BSD/ISC license) that will normally expressly exclude any warranty or claim of fitness for any purpose.

Before deciding to meet the demand of your customers' lazy net admins, I recommend you review the terms and conditions of your service contract(s) to determine your company's liability and to seek the advice of counsel should clarification be needed.

7th June 2014
scottro (Scott Robbins, Spam Deminer, NYC)

In that case, the only one that I've any experience with (and my experience has been limited to doing some very basic customer requests), is pfsense.
8th June 2014
tetra_user (New User)

I take your advice very seriously. Thank you for that. What would it take for me to add Webmin on a NanoBSD driven NAT router instead? It has a firewall module that I could use. I am strictly against any type of GUI, as vulnerabilities emerge once in a while, but this is something that might help with work and stuff. Or perhaps an easy to use shell script to create / modify PF rules?? Any suggestions guys?

8th June 2014
ocicat (Administrator)

Quote:
Originally Posted by tetra_user View Post
I am strictly against any type of GUI as vulnerabilities emerge once in a while though but this is something that might help with work and stuff.
...which is part of the legacy of Webmin. As I recall, there were exploits specific to Webmin many years ago. As you allude, it is more prudent to simply stay away from these types of tools layered on top of tools which are more important/fundamental.
Quote:
Or perhaps an easy to use shell script to create / modify PF rules??
It appears that you are looking for some intermediate layer which will save you from learning the underlying firewall technology. Unfortunately, all software has issues, & your hope is that this layer will always create rules which both do as you want, & translate to the underlying technology correctly.

This can't be guaranteed. When this GUI layer fails, users still need to have the knowledge to fix the rulesets the tool fails to create and/or maintain.

Why not simply learn the syntax & grammar of PF? You have mentioned your consultancy a number of times, which indicates that you may or may not be responsible for day-to-day maintenance. Yet if an organization is to be responsive to ever changing needs & requirements, learning how to write firewall rules ultimately is a job requirement -- whether it is you or someone else doing the work. I am not convinced that having the expectation for tools to absolve you from developing such knowledge is realistic.