how to do basic configuration and setup for freebsd 6.3 pf firewall

Jephe Wu - http://linuxtechres.blogspot.com

Environment: FreeBSD PF firewall.
Objective: understanding the Packet Filter (PF) firewall


Steps:

1. OS installation part

    Use just the first CD of FreeBSD 6.3.
    a. use 'F - DD' (dedicated disk) mode in the fdisk partition editor, since the server is dedicated to FreeBSD only, with no other OS on it.
    b. use 'Automatic' (A = Auto Defaults) mode in the disk label editor to create the partitions.
    c. select the 'full binaries, doc and kernel source only' distribution set (Kern-Developer) to install.

2. user and dns configuration

    During OS installation, create a normal user (e.g. jephe). sshd refuses root logins over the network by default (PermitRootLogin no), so without that user you would have no remote access once the installation finishes. To be able to 'su -' to root afterwards, add the user to the 'wheel' group: FreeBSD's su only lets members of wheel become root.

    If your environment has no DNS server (or the firewall cannot reach one), you have to wait a long time for the login prompt when you ssh into the server, because sshd tries a reverse lookup of the client address and waits for it to time out. One fix is to vi /etc/nsswitch.conf and take 'dns' out of the 'hosts:' line; note that this turns off DNS name resolution for the whole host, not just for sshd. The narrower fix is to set 'UseDNS no' in /etc/ssh/sshd_config and restart sshd.

3. set up the PF firewall

    After OS installation no firewall is enabled by default. Configure the following to enable PF:

        a. add the following to /etc/rc.conf:
        pf_enable="YES"
        pf_flags=""
        pf_rules="/etc/pf.conf"
        pflogd_enable="YES"
        pflog_logfile="/var/log/pflog"
        pflog_flags=""


        b. edit the default /etc/pf.conf
        ext_if="fxp0" # replace with the actual external interface name, e.g. dc0
        int_if="fxp1" # replace with the actual internal interface name, e.g. dc1
        scrub in all  # normalize (reassemble and sanitize) all incoming packets
        block in log all  # default deny for inbound packets on every interface; outbound is still allowed.
                          # blocked packets are logged via pflog0 to /var/log/pflog (see pflogd in rc.conf)

        # 'keep state' is spelled out on every pass rule because pf in FreeBSD 6.x does not
        # create state by default (that only became the default with pf 4.1 in FreeBSD 7.0)

        # allow ssh from one specific internal IP to the internal NIC of the firewall
        pass in on $int_if proto tcp from 192.168.0.2 to $int_if port 22 keep state

        # allow all tcp and udp traffic leaving the firewall on the internal NIC
        # (note this rule is on $int_if, not on the external interface)
        pass out on $int_if proto { tcp, udp } all keep state

        # allow incoming ssh from one trusted external IP, restricted to tcp port 22;
        # without 'proto tcp ... port 22' this rule would pass every protocol and port from x.y.z.a
        pass in on $ext_if proto tcp from x.y.z.a to $ext_if port 22 keep state
        # not strictly needed: outbound is not blocked above and the ssh replies match the state
        # created by the previous rule, but it documents the intended traffic explicitly
        pass out on $ext_if from $ext_if to x.y.z.a keep state

        # caveat: this rule set only protects the firewall host itself. Packets from internal
        # hosts arriving on $int_if and destined beyond the firewall are still dropped by
        # 'block in log all' until you add pass rules for them.
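The following is an added helper script, not part of the original post, for the rc.conf and pf.conf setup above. It does the three things a practitioner wants around that setup: a syntax check of the rule set before loading it (pfctl -n), a load-with-failsafe so a typo in pf.conf cannot lock you out of your ssh session, and a summary of what 'block in log all' is dropping, computed from the text tcpdump prints when reading /var/log/pflog. Assumptions: rules in /etc/pf.conf and the log in /var/log/pflog (as in the rc.conf fragment), the function names pf_check, pf_load_with_failsafe and pflog_blocked_summary are this script's own, the pflog line format is the one tcpdump -n -e -ttt prints, and the sample log lines are constructed, not captured from a real firewall.

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical helper for the PF
# setup above; paths and function names are this script's own assumptions.

PF_CONF="${PF_CONF:-/etc/pf.conf}"
PFLOG="${PFLOG:-/var/log/pflog}"
FAILSAFE_PID="${FAILSAFE_PID:-/tmp/pf_failsafe.pid}"

# Parse the rule set without loading it (pfctl -n). A syntax error in pf.conf
# otherwise leaves the previous rules in place while rc.conf claims pf is
# enabled, which is easy to miss until something reachable should not be.
pf_check() {
    pfctl -nf "$PF_CONF"
}

# Load the rules over ssh without locking yourself out: arm a background timer
# that disables pf after $1 seconds (default 120). If the new rules still let
# you in, cancel the timer; if they cut your session, wait and pf turns itself
# off so you can log back in and fix the file.
pf_load_with_failsafe() {
    secs="${1:-120}"
    pf_check || return 1
    ( sleep "$secs" && pfctl -d ) &
    echo $! > "$FAILSAFE_PID"
    pfctl -f "$PF_CONF"
    echo "rules loaded; pf will be DISABLED in ${secs}s unless you run: kill $(cat "$FAILSAFE_PID")"
}

# Summarise what 'block in log all' is dropping. Reads on stdin the text that
# 'tcpdump -n -e -ttt -r /var/log/pflog' prints, keeps only block verdicts and
# prints "count source_ip dest_port" sorted by count (dest_port is "-" for
# protocols without ports, e.g. ICMP).
pflog_blocked_summary() {
    awk '
    function strip_port(s,   n) { n = gsub(/\./, ".", s); if (n == 4) sub(/\.[0-9]+$/, "", s); return s }
    function port_of(s,   n, a) { n = split(s, a, "."); return (n == 5) ? a[5] : "-" }
    {
        for (i = 1; i <= NF; i++) if ($i == "rule") break
        # fields after "rule": N/M(match): block in on IF: SRC > DST: ...
        if (i > NF || $(i + 2) != "block") next
        src = $(i + 6); dst = $(i + 8); sub(/:$/, "", dst)
        count[strip_port(src) " " port_of(dst)]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2,2
}

# Constructed sample of tcpdump output from pflog (not real traffic): two ssh
# attempts and one ICMP echo from 198.51.100.7, one RDP probe from
# 198.51.100.9, and one passed internal ssh connection that must be ignored.
SAMPLE_PFLOG='000000 rule 0/0(match): block in on fxp0: 198.51.100.7.51012 > 203.0.113.5.22: S 10:10(0) win 65535
000023 rule 0/0(match): block in on fxp0: 198.51.100.7.51013 > 203.0.113.5.22: S 11:11(0) win 65535
000011 rule 0/0(match): block in on fxp0: 198.51.100.9.40000 > 203.0.113.5.3389: S 12:12(0) win 8192
000009 rule 0/0(match): block in on fxp0: 198.51.100.7 > 203.0.113.5: icmp: echo request
000004 rule 2/0(match): pass in on fxp1: 192.168.0.2.55555 > 192.168.0.1.22: S 13:13(0) win 65535'

case "${1:-}" in
    check) pf_check ;;
    load)  pf_load_with_failsafe "${2:-120}" ;;
    log)   tcpdump -n -e -ttt -r "$PFLOG" | pflog_blocked_summary ;;
    demo)  printf '%s\n' "$SAMPLE_PFLOG" | pflog_blocked_summary ;;
esac
```

Usage on the firewall: 'sh pfhelper.sh check' after every edit of pf.conf; 'sh pfhelper.sh load 120' when applying it over ssh, then 'kill $(cat /tmp/pf_failsafe.pid)' once you have confirmed a fresh ssh session still works; 'sh pfhelper.sh log' to see who is hitting the default deny rule, and 'sh pfhelper.sh demo' to run the summary over the constructed sample (it reports 198.51.100.7 twice against port 22, once with no port for the ICMP echo, and 198.51.100.9 once against 3389). The failsafe deliberately disables pf rather than reloading old rules, because on a box where the rules were just broken the old file may no longer exist; after recovering, 'pfctl -e' turns filtering back on.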