Setting Up pf on FreeBSD for Hosting a Website

Setting up a secure and efficient firewall is crucial when hosting a website. On FreeBSD, pf (Packet Filter) is a powerful firewall tool that can help you manage and control network traffic. This guide will walk you through the steps to configure pf on FreeBSD for hosting a website.

Prerequisites

Before you begin, ensure you have the following:

  1. A FreeBSD server with root access.
  2. Basic knowledge of the command line.
  3. A web server (e.g., Nginx or Apache) installed and configured.

Step 1: Enable pf

First, you need to enable pf in your FreeBSD system. Edit the /etc/rc.conf file to enable pf at startup:

sudo nano /etc/rc.conf

Add the following lines:

pf_enable="YES"
pflog_enable="YES"

These lines ensure that pf and pflog (for logging) start automatically when the system boots.

Step 2: Create the pf Configuration File

Next, create the pf configuration file. This file will define the rules for your firewall. Open /etc/pf.conf in a text editor:

sudo nano /etc/pf.conf

Add the following basic configuration:

# Define the network interfaces
ext_if = "em0"  # Replace em0 with your network interface

# Define the IP addresses
web_server = "your_server_ip"

# Options come first in pf.conf: do not filter loopback traffic at all
set skip on lo0

# Normalize incoming packets (reassemble fragments, drop malformed headers)
scrub in all

# Default deny rule
block in all
block out all

# Allow traffic on specific ports
pass in on $ext_if proto tcp to $web_server port 80
pass in on $ext_if proto tcp to $web_server port 443

# Allow outgoing traffic
pass out on $ext_if proto tcp from $web_server to any
pass out on $ext_if proto udp from $web_server to any

# Allow ICMP (ping)
pass in inet proto icmp all
pass out inet proto icmp all

# Logging: every packet on $ext_if is written to pflog0 (verbose, useful while testing)
match log on $ext_if all

In this configuration:

  • ext_if is your external network interface (replace em0 with your actual interface name, which you can find using ifconfig).
  • web_server is the IP address of your web server.
  • pf.conf statements must appear in a fixed order (options, normalization, queueing, translation, filtering), so set skip comes before scrub and before any block or pass rule; pfctl rejects the file otherwise.
  • The rules allow incoming traffic on ports 80 (HTTP) and 443 (HTTPS) and block all other traffic by default.
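Because a ruleset with sections out of order is rejected only when pfctl parses it, the following added shell check (not part of the original guide) ranks each pf.conf statement by its section and reports the first one that appears after a later section. The two sample rulesets are constructed from the rules above: one puts set skip on lo0 after the block rules, the other puts options first.

```shell
# Added pre-flight check (not from the original guide): confirm a pf.conf's
# statements follow FreeBSD's section order. On the host, pfctl -nf is authoritative.

# check_pf_order FILE: return 0 if statement types appear in the order
# options -> normalization -> queueing -> translation -> filtering, else print
# the first offending line and return 1. Macros, tables and comments are unranked.
check_pf_order() {
    awk '
        function rank(w) {
            if (w == "set") return 1
            if (w == "scrub") return 2
            if (w == "altq" || w == "queue") return 3
            if (w == "nat" || w == "rdr" || w == "binat") return 4
            if (w == "block" || w == "pass" || w == "match") return 5
            return 0                       # macro, table, etc.: not ranked
        }
        BEGIN { split("options normalization queueing translation filtering", names, " "); last = 0 }
        { if ($1 == "" || substr($1, 1, 1) == "#") next   # blank line or comment
          r = rank($1)
          if (r == 0) next
          if (r < last) {
              printf "%s:%d: %s statement after %s section: %s\n", FILENAME, FNR, names[r], names[last], $0
              bad = 1; exit
          }
          last = r }
        END { exit bad }
    ' "$1"
}

# Constructed samples trimmed from the guide; "original" places set skip after
# the block rule, "fixed" moves it up into the options section.
sample_rules() {
    printf '%s\n' 'ext_if = "em0"'
    [ "$1" = fixed ] && printf '%s\n' 'set skip on lo0'
    printf '%s\n' 'scrub in all' 'block in all'
    [ "$1" = original ] && printf '%s\n' 'set skip on lo0'
    printf '%s\n' 'pass in on $ext_if proto tcp to any port 80'
}

tmp=$(mktemp -d)
sample_rules original > "$tmp/original.conf"
sample_rules fixed > "$tmp/fixed.conf"
check_pf_order "$tmp/original.conf" || echo "original.conf: pfctl would reject this ordering"
check_pf_order "$tmp/fixed.conf" && echo "fixed.conf: section order OK"
```

Run it against your own /etc/pf.conf as a quick first pass; the real parse, including macro expansion and syntax, is pfctl -nf /etc/pf.conf on the FreeBSD host.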

Step 3: Load the pf Configuration

Once you have configured your rules, load the pf configuration with the following commands. If you administer the server over SSH, add the SSH rule from Step 6 before loading: the default-deny rules drop everything that is not explicitly passed, including your own session.

sudo pfctl -f /etc/pf.conf
sudo pfctl -e

The first command loads the configuration file, and the second command enables pf. Running pfctl -nf /etc/pf.conf first parses the file without loading it, so syntax and ordering errors surface before the live ruleset changes.

Step 4: Verify pf Status and Logs

To check the status of pf, use:

sudo pfctl -sr

This command displays the currently loaded rules. You can also view the pf logs with:

sudo tcpdump -n -e -ttt -i pflog0

Step 5: Test Your Configuration

Ensure your web server is accessible from the outside. Open a web browser and navigate to your domain. You should be able to see your website. Additionally, test accessing other services and ensure they are blocked as expected.

Step 6: Customize Rules (Optional)

Depending on your requirements, you may need to customize your pf rules further. For example, you can add rules to:

  • Allow SSH access on a specific port.
  • Block traffic from specific IP addresses or networks.
  • Limit the rate of incoming connections to mitigate DoS attacks.

Here is an example of adding a rule to allow SSH access:

# Allow SSH access on port 22
pass in on $ext_if proto tcp to $web_server port 22

Conclusion

You've successfully set up pf on FreeBSD for hosting a website. Your firewall is now configured to allow traffic on HTTP and HTTPS ports while blocking other unwanted traffic. Regularly review and update your pf rules to maintain a secure hosting environment. If you encounter any issues or need more advanced configurations, refer to the FreeBSD Handbook for further guidance. Happy hosting!