FreeBSD Ports and Packages: Installation and upgrading of ports and packages on FreeBSD.
Hi guys,
Is there a port or some open source package that I can use to manage a PF firewall on FBSD? I do not want to use anything from pfSense or m0n0wall as they are XML driven. Any suggestion will be greatly appreciated. Thanks.
tetra
I use the vi(1) editor, but that is probably not the kind of firewall management package that you are looking for.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Hello, and welcome!
You've mentioned pfSense; there was also PfPro which has been unmaintained for 10 years. It, too, used XML. I'm unaware of any non-XML GUI tools for PF. Disclaimer: I have no experience with any GUI tool for PF. Like J65nko, I use an $EDITOR and pfctl(8).

Last edited by jggimi; 3rd June 2014 at 06:45 PM. Reason: typos. clarity. again.
Thanks for the tips, guys! I actually found something which I was looking for: sourceforge.net/projects/freebsdadmin But then again it is totally without documentation and not a single support channel is posted there. For a middle-level tester and curious guy like myself, it's too hard to get it going. I am still looking and open for other options though.
Thank you.
FreeBSD admin seems to have last been updated in 2011.
As for pf, the basic setup isn't that hard. I have a somewhat dated page on it, that I like to think explains the basics well. http://srobb.net/pf.html
I'm not an admin, but I would use a text editor to configure it as that would give _me_ full control over it.
Best to learn & understand what & why you are doing these sorts of things concerning security. Forums such as these will have experienced admins on who are the best people to ask for advice, as they actually use these tools on a daily basis to keep their machines secure.
__________________
Linux since 1999, & also a BSD user.
Peter Hansteen, author of The Book of PF (2nd Ed. ISBN-13: 978-1-59327-274-6, and 3rd edition in development) recommends using an editor rather than any of the GUI tools.
For an introduction to PF, see his tutorial.
I have to boast that Mr. Hansteen said nice things about my page, way back when. (Though he may have just been being polite--his page had requested that if you link to it, he would like to know, my page linked to it, and so I emailed him for permission, to which he responded thanks, and nice page.)
I've always considered my page a real beginner's introduction to his page and to the OpenBSD PF FAQ.
Scott,
Your page does have an interesting ... well, to use Mr. Hansteen's words, unix trick. A cron job to automatically disable PF while modifying a remote server is something I would not have considered. In my case, I don't normally need it -- my remote firewalls are paired and coupled together by null-modem cables, which mitigates the risk of finger fumbles on one of them.

I note you recommend the OpenBSD PF Users' Guide. There has been significant divergence since FreeBSD last forked PF, and significant syntax change. The FreeBSD Handbook (29.3) warns about the version differences, but does not tell the reader that they could obtain an HTML extraction of the PF Users' Guide that matches the FreeBSD version being used. I'm a little surprised no one has bothered to do that for Handbook readers. You might consider adding these older guides to your page, since they're not in the Handbook.

For example, to obtain the OpenBSD 4.1-release and 4.5-release versions of the User's Guide, something like these should work, though I have not tested the commands. I selected the day following each release, and an AnonCVS server in Canada, though a nearer server will be faster; see the list at http://www.openbsd.org/anoncvs.html

For 4.1:
    $ cvs -d anoncvs@anoncvs1.ca.openbsd.org:/cvs get -D "May 2, 2007" www/faq/pf
For 4.5:
    $ cvs -d anoncvs@anoncvs1.ca.openbsd.org:/cvs get -D "May 2, 2009" www/faq/pf
Last edited by jggimi; 6th June 2014 at 04:52 PM. Reason: removed the links created by the @ characters in the examples |
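The "cron job that disables PF" trick discussed above is the blunt form of a more general safety net for editing rules on a remote box. The script below is an added example, not from the thread or from srobb.net, and it assumes FreeBSD's pfctl(8), that the current /etc/pf.conf is known-good, and a state directory under /var/run (the path, the PF_SAFE_* variable names and the grace period are all assumptions). It parses the new file with pfctl -n first, arms a timed rollback to the known-good ruleset before loading anything, and only cancels the rollback when you explicitly confirm from a session that still works. Note what the parse check does not catch: a rule that blocks your own ssh session is perfectly valid syntax, which is exactly why the rollback is armed before the load.

```shell
#!/bin/sh
# pf-safe-reload.sh: load a new PF ruleset only after a parse check, and
# arm a timed rollback to the last known-good ruleset so that a rule which
# cuts off your own ssh session undoes itself. Added example; assumes
# FreeBSD's pfctl(8) and that the current /etc/pf.conf is known-good.
#
#   pf-safe-reload.sh load /etc/pf.conf.new      # check, arm rollback, load
#   ... verify you can still reach the box ...
#   pf-safe-reload.sh confirm                    # cancel the rollback

STATE_DIR=${PF_SAFE_STATE_DIR:-/var/run/pf-safe-reload}  # assumed location
GRACE=${PF_SAFE_GRACE:-120}                              # seconds until rollback

# check_ruleset FILE: parse only (-n), load nothing. pfctl's exit status is
# the result. This catches syntax errors, not rules that lock you out.
check_ruleset() {
    pfctl -nf "$1" >/dev/null 2>&1
}

# load_ruleset NEW [GOOD]: arm the rollback to GOOD *before* loading NEW, so
# the rollback fires even if loading NEW kills the session that started it.
load_ruleset() {
    new=$1
    good=${2:-/etc/pf.conf}
    pidfile=$STATE_DIR/rollback.pid
    mkdir -p "$STATE_DIR" || return 1
    if [ -f "$pidfile" ]; then
        echo "a reload is already pending: run confirm or wait for the rollback" >&2
        return 1
    fi
    if ! check_ruleset "$new"; then
        echo "$new failed pfctl -n; nothing loaded" >&2
        return 1
    fi
    # The rollback runs detached from the terminal so a dropped ssh session
    # does not take it down with it.
    ( sleep "$GRACE"; pfctl -f "$good"; rm -f "$pidfile" ) >/dev/null 2>&1 </dev/null &
    echo $! > "$pidfile"
    # pfctl -f is all-or-nothing: on failure the old ruleset stays loaded,
    # so the rollback is unnecessary and is cancelled.
    if ! pfctl -f "$new"; then
        confirm_ruleset >/dev/null
        echo "loading $new failed; previous ruleset still active" >&2
        return 1
    fi
    echo "loaded $new; rollback to $good in ${GRACE}s unless confirmed"
}

# confirm_ruleset: the new rules are working, cancel the pending rollback.
confirm_ruleset() {
    pidfile=$STATE_DIR/rollback.pid
    if [ ! -f "$pidfile" ]; then
        echo "no pending rollback" >&2
        return 1
    fi
    kill "$(cat "$pidfile")" 2>/dev/null || true
    rm -f "$pidfile"
    echo "ruleset confirmed; rollback cancelled"
}

main() {
    case ${1:-} in
        check)   check_ruleset "$2" ;;
        load)    load_ruleset "$2" "${3:-/etc/pf.conf}" ;;
        confirm) confirm_ruleset ;;
        *) echo "usage: $0 check FILE | load NEW [GOOD] | confirm" >&2; return 2 ;;
    esac
}

# Dispatch only when executed as a script of this name, so the functions can
# also be sourced without side effects.
case ${0##*/} in pf-safe-reload.sh) main "$@" ;; esac
```

Run it over ssh as "pf-safe-reload.sh load /etc/pf.conf.new", open a second session to prove the new rules let you in, then "pf-safe-reload.sh confirm". If the second session never connects, do nothing: after the grace period the previous /etc/pf.conf is reloaded and the first session comes back. Once confirmed, copy the new file over /etc/pf.conf so it is the known-good ruleset for the next edit.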
Thank you. I've added that info. I did say thanks to daemonforums jggimi for the tip, hopefully, that's OK with you. If not, let me know and I'll remove the mention.
That cron job is probably overkill, but when I first wrote the page, a friend had mentioned how they'd done it and it had saved them, so I decided to follow suit.
You can't imagine how thankful I am to you guys for your warnings and advice.
Developing a tool would require learning PF, of course.
I take your advice very seriously. Thank you for that. What would it take for me to add Webmin on a NanoBSD driven NAT router instead? It has a firewall module that I could use. I am strictly against any type of GUI as vulnerabilities emerge once in a while though, but this is something that might help with work and stuff. Or perhaps an easy to use shell script to create / modify PF rules?? Any suggestions, guys?
Last edited by tetra_user; 8th June 2014 at 04:46 PM. |
This can't be guaranteed. When this GUI layer fails, users still need to have the knowledge to fix the rulesets the tool fails to create and/or maintain. Why not simply learn the syntax & grammar of PF? You have mentioned your consultancy a number of times which indicates that you may or may not be responsible for day-to-day maintenance. Yet if an organization is to be responsive to ever changing needs & requirements, learning how to write firewall rules ultimately is a job requirement -- whether it is you or someone else doing the work. I am not convinced that having the expectation for tools to absolve you from developing such knowledge is realistic.
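For the NanoBSD NAT router asked about earlier, this is roughly what "learning the syntax & grammar of PF" amounts to. It is an added example ruleset, not taken from the thread, the Handbook or srobb.net; the interface names, LAN prefix and admin host are assumptions to be replaced. It uses the grammar FreeBSD's pf still speaks (the pre-OpenBSD-4.7 form with a separate nat section, which is the version divergence jggimi refers to above), so the 4.5-era User's Guide is the right reference for it and the current OpenBSD FAQ is not.

```pf
# /etc/pf.conf for a small FreeBSD NAT router. Added example, not from the
# thread or the Handbook. Interface names, the LAN prefix and the admin host
# are assumptions; change them before loading.
ext_if     = "em0"             # WAN, addressed by the ISP
int_if     = "em1"             # LAN
lan_net    = "192.168.1.0/24"
admin_host = "192.168.1.10"    # the only host allowed to ssh to the router

# Source/destination addresses that have no business on the WAN side.
table <martians> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                         172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 }
table <bruteforce> persist     # filled at runtime by the ssh rule below

set skip on lo0
set block-policy drop
scrub in all                   # reassemble fragments, normalise TCP flags

# FreeBSD's pf keeps the pre-OpenBSD-4.7 grammar: NAT is its own section,
# not a "match ... nat-to" rule. The parentheses track a dynamic WAN address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny, logged, so "tcpdump -n -e -ttt -i pflog0" shows the drops.
block log all

antispoof quick for { lo0 $int_if }
block in  quick on $ext_if from <martians> to any
block out quick on $ext_if from any to <martians>
block in  quick from <bruteforce>

# Router management only from the admin host; a source opening more than
# 5 new connections in 30 s is tabled and has its existing states flushed.
pass in on $int_if proto tcp from $admin_host to ($int_if) port ssh \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Services the router itself offers to the LAN: DNS and DHCP.
pass in on $int_if inet proto { tcp udp } from $lan_net to ($int_if) port domain
pass in on $int_if inet proto udp from any port bootpc to any port bootps

# Everything else from the LAN is forwarded out; replies ride the state.
pass in  on $int_if inet from $lan_net to any
pass out on $int_if inet from ($int_if) to $lan_net
pass out on $ext_if inet from any to any
```

Check it with "pfctl -nf /etc/pf.conf" before loading, load with "pfctl -f /etc/pf.conf", and read back what the kernel actually has with "pfctl -sr" (rules), "pfctl -sn" (nat) and "pfctl -ss" (states); with pf_enable="YES" and pflog_enable="YES" in /etc/rc.conf the ruleset and the pflog0 interface come up at boot. The default "block log all" is the line that makes tcpdump on pflog0 useful: every packet that did not match a pass rule shows up there, which is the debugging loop J65nko's signature describes.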
PLEASE TAKE NOTE: I do not advise using Webmin or this module -- and this is because I do not have direct knowledge of either.

I am aware that Webmin has had security issues, and I do not know if they have ever been resolved. Webmin was disabled and then removed from the OpenBSD ports tree more than twelve years ago due to what were then described as serious security concerns. Please be careful.

I have not looked at Webmin or this third-party module. I cannot tell you what the module does (or doesn't do), if it will meet your requirements, or if it adds any additional security issues over those which may still reside with Webmin.

Last edited by jggimi; 8th June 2014 at 09:26 PM. Reason: clarity