Configuring a PF Firewall on FreeBSD

This page describes how to install and configure PPPD and PF (Packet Filter) as a home firewall connected to the Internet through an external modem, using PAP authentication with ihug Australia. The ISP ihug no longer exists, and there is probably little point in using PF by hand now that pfSense is available with its easy-to-use web GUI.

Once the server is configured, all that remains is to set the default route of the local machines to the internal interface of the firewall and change their nameserver address.

Hardware

P166 computer
External 56k modem

Software

FreeBSD 5.3
PPPD (point to point protocol daemon)
PF (packet filter - firewall)

1. Enable IP forwarding in /etc/sysctl.conf.


	net.inet.ip.forwarding=1
	net.inet6.ip6.forwarding=0
	

2. Enable PF at startup in /etc/rc.conf by adding the following line.


	pf_enable="YES"                 #Enable PF (load module if required)
	

3. Configure /etc/pf.conf


	ext_if="ppp0"
	int_if="fxp0"
	internal_net="192.168.1.0/24"
	# RFC 1918 address space, referenced by the anti-spoofing rules at the end
	#table <private> { 10/8, 172.16/12, 192.168/16 }

	# normalise all incoming packets
	scrub in all

	# NAT the internal network behind the (dynamic) ppp0 address
	nat on $ext_if from $internal_net to any -> ($ext_if)

	# redirect dns to remote
	#rdr on $int_if inet proto { tcp, udp } from $internal_net to ($int_if) port 53 -> { 203.2.75.132, 198.142.0.51 } port 53 round-robin

	# block all by default on $ext_if
	block in on $ext_if all
	block out on $ext_if all

	# pass all by default on $int_if
	pass in on $int_if all
	pass out on $int_if all

	# allow in ssh
	pass in on $ext_if proto tcp from any to $ext_if port 22 keep state

	# allow all connections out
	pass out on $ext_if proto { tcp, udp } all keep state

	# pass incoming packets destined to the addresses given in table .
	pass in on $ext_if proto { tcp, udp } from any to  port 80 keep state

	# block any packets destined to a private address
	#block in on $ext_if from any to <private>
	#block out on $ext_if from any to <private>
	

4. Create the ihug chat script


	REPORT CONNECT ABORT BUSY ABORT 'NO CARRIER'
	'' \d\dAT OK \dATDTphone_number CONNECT ''
	

5. Create the ihug start script eg /etc/ppp/ihug.start


	#!/bin/sh
	#
	# User settings...
	# What serial device to use
	COM_PORT=/dev/cuaa0

	# What speed to use
	COM_SPEED=115200

	# What username to use for the PAP challenge
	ISP_USERNAME=username

	# End of User settings

	CHAT_SCRIPT=/etc/ppp/ihug.chat
	#/sbin/pfctl -d

	# noauth: do not require the ISP to authenticate to us
	# user: the name sent in the PAP exchange (password comes from the secrets file)
	# defaultroute: add a default route through the link once it is up
	# chat -t 30: 30 second timeout per expect; -r: where chat writes its REPORT output
	exec pppd $COM_PORT $COM_SPEED noauth user $ISP_USERNAME defaultroute connect "chat -f $CHAT_SCRIPT -t 30 -r /var/log/ppp.log"
	

6. Create ihug stop eg /etc/ppp/ihug.stop


	#!/bin/sh
	if [ -e "/var/run/ppp0.pid" ]
	then
		kill `cat /var/run/ppp0.pid`
	else
		echo "PPPD is not running"
	fi
	

7. What to do when the connection comes up: /etc/ppp/if-up.


	#!/bin/sh
	# stop pf in case it is already running
	/sbin/pfctl -d
	# start pf and load the ruleset
	/sbin/pfctl -e -f /etc/pf.conf
	
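
The if-up script above enables pf and loads the ruleset in a single pfctl -e -f call. If /etc/pf.conf does not parse (the pf.conf in step 3 has had typos of exactly that kind), pfctl reports the error but still enables pf, so the box runs with whatever ruleset was loaded before, possibly none, which passes everything. The following is an added example, not a script from the original page: a fail-closed variant that syntax-checks the file with pfctl -n first and otherwise loads a block-all ruleset. PFCTL and RULES are assumed overridable variables so the logic can be exercised without pf.

```shell
#!/bin/sh
# Fail-closed variant of the step 7 if-up hook (added example, not the page's script).
# PFCTL and RULES are assumptions: override them to exercise the logic without pf.
PFCTL="${PFCTL:-/sbin/pfctl}"
RULES="${RULES:-/etc/pf.conf}"

# Emergency ruleset: drop everything on the modem link but keep the LAN side
# open so the firewall can still be reached to repair /etc/pf.conf.
fallback_rules() {
    printf '%s\n' \
        'ext_if="ppp0"' \
        'int_if="fxp0"' \
        'block in on $ext_if all' \
        'block out on $ext_if all' \
        'pass in on $int_if all' \
        'pass out on $int_if all'
}

# Syntax-check the ruleset (pfctl -n parses without loading) before committing it.
# Returns 0 when $1 was loaded, 1 when the fallback had to be loaded instead.
load_firewall() {
    rules="$1"
    if "$PFCTL" -nf "$rules" >/dev/null 2>&1; then
        "$PFCTL" -f "$rules" || return 1
        "$PFCTL" -e 2>/dev/null || true   # "already enabled" is not an error here
        return 0
    fi
    echo "$rules failed syntax check, loading block-all fallback" >&2
    fallback_rules | "$PFCTL" -f -        # pfctl reads the ruleset from stdin
    "$PFCTL" -e 2>/dev/null || true
    return 1
}

# When run as the real hook on a box that has pfctl, do the work now.
if [ -x "$PFCTL" ]; then
    load_firewall "$RULES"
fi
```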

8. What to do when the connection closes /etc/ppp/if-down


	#!/bin/sh
	/sbin/pfctl -d
	

9. Create the PAP secrets file (/etc/ppp/pap-secrets).


	# Secrets for authentication using PAP
	# client       server     secret        IP address
	username       *          password      *
	

10. To dial your ISP run the ihug.start script.


	#/etc/ppp/ihug.start
	

11. To close the connection run the ihug.stop script.


	#/etc/ppp/ihug.stop
	

12. To view the log file /var/log/ppp.log


	#less /var/log/ppp.log
	

13. To get the process ID of the ppp0 interface/process


	less /var/run/ppp0.pid
	or
	ps ax | less
	

14. To get pf to re-read the rules file:


	pfctl -f /etc/pf.conf