Notes on OS intalls
git clone
Log | Files | Refs | LICENSE

commit 0e24f2886b419717ac32676bc5fbdd8886ca11f0
parent 97a05e62a30ae50c49dfc6e52c26ebd934d2bd75
Author: Chris Bracken <>
Date:   Fri,  8 May 2020 14:30:10 -0700

FreeBSD: add section on configuring pf

Also lightly touches on blacklistd.

Diffstat: | 113+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 113 insertions(+), 0 deletions(-)

diff --git a/ b/ @@ -485,6 +485,119 @@ Use the mechanism described (`vidfont` and `vidcontrol`) elsewhere in this document to set the font. +Optionally set up pf firewall +------------------------------ + +Canonical reference in the FreeBSD Handbook: + + +An excellent tutorial on the OpenBSD packet filter: + + +Another decent starter reference: + + +### Enable pf + +We'll need to populate `/etc/pf.conf`. A minimal config file that blocks +all incoming connections other than SSH (port 22): + + # Our external-facing network interface. + ext_if="em0" + + # Block spoofed IP addresses on em0. + antispoof for $ext_if + + # Allow all connections over loopback. + # "quick" means if rule is matched, stop processing here. + pass quick on lo0 all + + # Block all incoming connections. + block in all + + # Allow incoming SSH connections. + pass in proto tcp to port 22 + + # Allow all outgoing connections. + pass out all keep state + +To run a check on our config file without yet applying it: + + pfctl -nvf /etc/pf.conf + +Next, we'll start `pf`, but since many a system administrator has found +themselves locked out of their own server by applying a bad config, it's +useful to queue up a command to disable the firewall after two minutes. +In another terminal, log into the remote machine, get a root shell using +`sudo -s`, then run the following: + + # Sleep 2 minutes, then disable pf. + sleep 120; pfctl -d + +Then, before the two minutes is up, run these commands in another +terminal to start the firewall: + + # Load the pf kernel module. + sudo kldload pf + + # Enable pf. + sudo pfctl -e + +It's likely your SSH sessions will hang when you enable the packet +filter. Quickly try connecting via SSH to verify you can connect before +the two minute timeout above expires. If it worked, re-enable the packet +filter on the server using `sudo pfctl -e`. + +Once everything checks out, enable the packet filter on startup by +adding the following lines to `/etc/rc.conf`: + + pf_enable="YES" + pflog_enable="YES" + + +### Reading pf logs + +To read the pf logs, run: + + sudo tcpdump -netttr /var/log/pflog + + +### Enabling blacklistd + +Canonical reference in the FreeBSD Handbook: + + +If you've got an external-facing SSH port, you'll be continuously +spammed with bogus connection attempts from people attempting to get +access to badly-configured machines. The less clever of these tend to +attack your machine repeatedly from the same IP address. FreeBSD +includes the `blacklistd` service which can be used to temporarily ban +IP addresses after repeated failed connection attempts. + +First, we'll add a pf anchor for blacklistd blocks in `/etc/pf.conf`: + + anchor "blacklistd/*" in on $ext_if + +Next we'll enable it on boot. Add the following line to `/etc/rc.conf`: + + blacklistd_enable="YES" + +Nest, start the blacklistd service: + + sudo service blacklistd start + +Finally, we'll enable blacklist support in sshd. Edit +`/etc/ssh/sshd_config` and uncomment the line: + + UseBlacklist yes + +Then we'll restart sshd: + + sudo service sshd restart + +at this point, everything should be up and running. + + Editing kernel sources ----------------------