freeBSD 8 firewall for web server

You’ll see many articles discussing various firewalls for BSD. freeBSD comes with three firewalls but I’ll lay out what I believe is the best freebsd firewall for a web server, pf.

I need firewall that will help negate DDoS attacks, spoofing and fingerprinting. Allows port 80 and 443 as well as ssh and is simple to test and configure.

Well PF handles all that and comes built into the freeBSD kernel so it’s pretty easy and quick to set up and test.

do a ifconfig to figure out what your interface is named

#ifconfig
bigkill# ifconfig
 re0:  flags=8843 metric 0 IC>
        ether 00:2c:c1:f9:5s:d3
        inet 224.210.155.13 netmask 0xfffffff8 broadcast 224.210.155.253
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 metric 0
        inet 127.0.0.1 netmask 0xff000000

As you can see here the interface name is re0

so just replace re0 in the below configuration and apply it to /etc/pf.conf

 ### macro name for external interface.
ext_if = "re0"

### all incoming traffic on external interface is normalized and fragmented
### packets are reassembled.
scrub in on $ext_if all fragment reassemble

### set a default deny everything policy.
block all

### exercise antispoofing on the external interface, but add the local
### loopback interface as an exception, to prevent services utilizing the
### local loop from being blocked accidentally.
set skip on lo0
antispoof for $ext_if inet

### block anything coming from sources that we have no back routes for.
block in from no-route to any

### block packets that fail a reverse path check. we look up the routing
### table, check to make sure that the outbound is the same as the source
### it came in on. if not, it is probably source address spoofed.
block in from urpf-failed to any

### drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255

### block packets claiming to come from reserved internal address blocks, as
### they are obviously forged and cannot be contacted from the outside world.
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### block probes that can possibly determine our operating system by disallowing
### certain combinations that are commonly used by nmap, queso and xprobe2, who
### are attempting to fingerprint the server.
### * F : FIN  - Finish; end of session
### * S : SYN  - Synchronize; indicates request to start session
### * R : RST  - Reset; drop a connection
### * P : PUSH - Push; packet is sent immediately
### * A : ACK  - Acknowledgement
### * U : URG  - Urgent
### * E : ECE  - Explicit Congestion Notification Echo
### * W : CWR  - Congestion Window Reduced
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF

### keep state on any outbound tcp, udp or icmp traffic. modulate the isn of
### outgoing packets. (initial sequence number) broken operating systems
### sometimes don't randomize this number, making it guessable.
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

### normally, a client connects to the server and we handshake with them, then
### proceed to exchange data. by telling pf to handshake proxy between the client
### and our server, tcp syn flood attacts from ddos become uneffective because
### a spoofed client cannot complete a handshake.

### set a rule that allows inbound ssh traffic with synproxy handshaking. yes I changed the ssh port
pass in on $ext_if proto tcp from any to any port 1229 flags S/SA synproxy state
### set a rule that allows inbound www traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port 80 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port 443 flags S/SA synproxy state
 

If you want to allow any other port simple copy the last line and replace the port number.

Now issue a reboot command to restart the system in 5 minutes to test your pf configuration.

 shutdown -r +5
 

Okay not start PF and test it

 /etc/rc.d/pf onestart
 

Now “test” the current configuration to see what you got

 pfctl -s all" ### list all the current rules that are in effect and shows current connections
 

If you’re happy with your PF firewall configuration for freebsd 8 you’ll need to apply it at boot time by adding the following to your /etc/rc.conf

 pf_enable="YES"
pf_rules="/etc/pf.conf"
 

I’ll be using ports of course for this entire install. I’m assuming that you have the proper hardware for this type installation.

Start with a minimal installation of freeBSD 8

Bypass the headache and host on vps or dedicated servers with pre-installed LAMP here.

Update the server ports – freebsd guide on ports

First update your port tree

portsnap fetch update *if this is the first time do a portsnap fetch extract

List available update

pkg_version -vIL=

Once you have updated your Ports Collection, before attempting a port upgrade, you should check /usr/ports/UPDATING. This file describes various issues and additional steps users may encounter and need to perform when updating a port, including such things as file format changes, changes in locations of configuration files, or other such incompatibilities with previous versions.

Upgrade your ports with

portupgrade -rR

Okay now that your freeBSD server ports are updates lets do Binary updates freebsd-update.

freebsd-update fetch

freebsd-update install

Then reboot

shutdown -r now

Verify update took place

uname -a

Rollback if necessary

freebsd-update rollback

Now lets install Apache, PHP, mysql and phpMyAdmin on your freeBSD 8 web server.

First install the latest apache from ports.

cd /usr/ports/www/apache22/
make config install clean
echo 'apache22_enable="YES"' << /etc/rc.conf
echo 'apache22ssl_enable="YES"' << /etc/rc.conf
echo 'accf_http_ready="YES"' << /etc/rc.conf &amp;&amp; kldload accf_http

Now install PHP

cd /usr/ports/lang/php5
make config install clean
cd /usr/ports/lang/php5-extensions  ** enable <strong>mysql </strong>extensions **
make config install clean

Now modify your httpd.conf – Add the following entries to /usr/local/etc/apache22/httpd.conf directly after all the LoadModule lines

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

now locate IfModule mod_dir.c and add index.php

DirectoryIndex index.php index.html index.htm

Last but not least get a good php.ini file setup

cp /usr/local/etc/php.ini-recommended /usr/local/etc/php.ini

Restart apache and

/usr/local/etc/rc.d/apache22 start

Now its time for mySQL installation, configuration and setup

cd /usr/ports/databases/mysql50-server
make install WITH_OPENSSL=yes
make distclean
echo 'mysql_enable="YES"' << /etc/rc.conf

Start mysql server and change root password

/usr/local/etc/rc.d/mysql-server start
mysqladmin -u root password sumcrazypaswrd
mysql -u root -p    *make sure you can log in*
rm /root/.history  *remove history so password isn't exposed*

Create a configuration file for mysql in /etc/my.cnf

[client]
port=29912
[mysqld]
port=29912
bind-address=127.0.0.1

Now lets install configure and setup phpMyAdmin

cd /usr/ports/databases/phpmyadmin
make config install clean
cd /usr/local/www/phpMyAdmin && cp config.sample.inc.php
config.inc.php
vi config.inc.php
$cfg['blowfish_secret'] = 'sdf934sdfgHijh98Y';

open httpd.conf and Alias

Alias /phpmyadmin /usr/local/www/phpMyAdmin

Now allow who you want to access it

        <Directory "/usr/local/www/phpmyadmin'<
Order allow,deny
        Allow from all   *or allow from 222.114.123.0/12*
</Directory<

you’ll want https when you connect to phpmyadmin so lets enable https and make some httpd.conf changes

Create your certificate

In order to access phpmyadmin of ssl you need to get https going on apache. You can buy an SSL certificate generated by a trusted CA such as Thwate or Verisign, or you can generate one yourself using OpenSSL. I borrowed a ton of infor from freebsdmadeeasy.com

lets get the openssl.cnf file ready

vi /etc/ssl/openssl.cnf
dir = /root/sslCA
default_days = 3650

Now set up the directories

cd ~root/
mkdir sslCA
chmod 700 sslCA
chmod 700 sslCA
mkdir certs private newcerts
echo 1000 < serial
touch index.txt
cd ~root/sslCA
openssl req -new -x509 -days 3650 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -config /etc/ssl/openssl.cnf

The CA should now be all set.. test with more;

more ~root/sslCA/cacert.pem
more ~root/sslCA/private/cakey.pem

Now lets generate an SSL certificate for apache

cd ~root/sslCA
openssl req -new -nodes -out yourhostname-req.pem -keyout private/yourhostname-key.pem -config /etc/ssl/openssl.cnf
openssl ca -config /etc/ssl/openssl.cnf -out yourhostname-cert.pem -infiles yourhostname-req.pem

Lets put everything where it needs to be.

mkdir /etc/ssl/crt
mkdir /etc/ssl/key
cp ~root/sslCA/yourhostname-cert.pem /etc/ssl/crt
cp ~root/sslCA/private/yourhostname-key.pem /etc/ssl/key

And finally add the SSL virtual host

Find the below line in your httpd.conf and take the comment hash out.

# Secure (SSL/TLS) connections
Include etc/apache22/extra/httpd-ssl.conf

Now modify your httpd-ssl.conf

ServerName ssl.yourhostname.com
SSLCertificateFile /etc/ssl/crt/yourhostname-cert.pem
SSLCertificateKeyFile /etc/ssl/key/yourhostname-key.pem
DocumentRoot "/etc/www/apache22/data"      ** whatever your location is**
ErrorLog "/var/log/httpd-error.log"
TransferLog "/var/log/httpd-access.log"

In /usr/local/etc/apache22/extra/httpd-default.conf, disable ServerSignature to prevent the server from showing more information than it has to. Make sure the server-status and the server-info sections in /usr/local/etc/apache22/extra/httpd-info.conf are commented out.

Finally restart apache

/usr/local/etc/rc.d/apache22 restart

Now install wordpress

cd /usr/ports/wordpress
make install clean

do a locate wordpress and move file to web root

locate wordpress
cp /usr/local/www/data/wordpress/* /usr/local/whatever web root is

go into web root and copy wp-config-sample.php to wp-config.php

navigate to https://hostname/phpmyadmin and create wordpress db – add that name to wp-config.php