Difference between revisions of "Firewall Manager/9.2"

From PC-BSD Wiki
(5 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
<noinclude>{{NavHeader|back=Network Configuration|forward=Adobe Flash Player preferences}}</noinclude>
 
<noinclude>{{NavHeader|back=Network Configuration|forward=Adobe Flash Player preferences}}</noinclude>
  
PC-BSD uses the {{citelink|url=http://www.openbsd.org/faq/pf/|PF firewall}} to protect your system. By default, the firewall is configured to let your system make Internet connections, use the '''ping''' utility, and to communicate with other Windows and Unix-like systems using SMB and NFS.
+
PC-BSD® uses the {{citelink|url=http://www.openbsd.org/faq/pf/|txt=PF firewall}} to protect your system. By default, the firewall is configured to let your system make Internet connections, use the '''ping''' utility, and to communicate with other Windows and Unix-like systems using SMB and NFS.
  
 
Advanced users who are already familiar with pf will find the default rulebase in ''/etc/pf.conf''. Users who are not familiar with directly editing this file can instead use the Firewall Manager GUI utility to view and modify the existing firewall rules.
 
Advanced users who are already familiar with pf will find the default rulebase in ''/etc/pf.conf''. Users who are not familiar with directly editing this file can instead use the Firewall Manager GUI utility to view and modify the existing firewall rules.
Line 7: Line 7:
 
'''NOTE:''' typically it is not necessary to change the firewall rules. You should not remove any existing rules unless you fully understand what the rule does. Similarly, you should only add rules if you understand the security implications of doing so, especially if the rule allows connections to your computer.
 
'''NOTE:''' typically it is not necessary to change the firewall rules. You should not remove any existing rules unless you fully understand what the rule does. Similarly, you should only add rules if you understand the security implications of doing so, especially if the rule allows connections to your computer.
  
To access the Firewall Manager, go to ''[[Control Panel]]'' ➜ ''[[Firewall Manager]]'' or type '''pc-su pc-pfmanager'''. You will be prompted to input the administrative password. Figure 8.15a shows the initial screen when you launch this utility:
+
To access the Firewall Manager, go to ''[[Control Panel]]'' ➜ ''[[Firewall Manager]]'' or type '''pc-su pc-pfmanager'''. You will be prompted to input the administrative password. Figure 8.16a shows the initial screen when you launch this utility:
  
'''Figure 8.15a: Firewall Manager Utility'''
+
'''Figure 8.16a: Firewall Manager Utility'''
  
 
[[File:Firewall1.png]]
 
[[File:Firewall1.png]]
  
The General Settings tab of this utility allows you to:
+
The "General Settings" tab of this utility allows you to:
  
 
* determine whether or not the firewall starts when the system boots; unless you have a reason to do so and understand the security implications, this box should be so that your system is protected by the firewall
 
* determine whether or not the firewall starts when the system boots; unless you have a reason to do so and understand the security implications, this box should be so that your system is protected by the firewall
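Review bot: the first bullet of the General Settings list reads "this box should be so that your system is protected by the firewall" in both the old and new text; a word is missing after "should be" (presumably "checked", since the sentence argues for leaving the firewall enabled at boot). Since this hunk is already retouching the figure number and tab name a few lines above, add the missing word here rather than leaving it for another revision.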
Line 21: Line 21:
 
* restore default configuration: this button allows you to return to the original, working configuration should you not like the changes you make to your firewall rules
 
* restore default configuration: this button allows you to return to the original, working configuration should you not like the changes you make to your firewall rules
  
To view or modify the firewall rules, click on the Exceptions tab, seen in Figure 8.15b:
+
To view or modify the firewall rules, click on the "Exceptions" tab, seen in Figure 8.16b:
  
'''Figure 8.15b: Adding a New Firewall Rule'''
+
'''Figure 8.16b: Adding a New Firewall Rule'''
  
 
[[File:Firewall2b.jpeg]]
 
[[File:Firewall2b.jpeg]]
Line 29: Line 29:
 
In this example, the user has clicked on the "Add entry" button to add a new firewall rule. The following information is needed when creating a rule:
 
In this example, the user has clicked on the "Add entry" button to add a new firewall rule. The following information is needed when creating a rule:
  
* '''Service or Port:''' you can either select the name of the service you wish to allow or block from the drop down menu or type in the number of the port used by the service. Which you choose does not matter as the firewall will match the name and number for you and display both after you save the rule.
+
* '''Service or Port:''' you can either select the name of the service you wish to allow or block from the drop-down menu or type in the number of the port used by the service. Which you choose does not matter as the firewall will match the name and number for you and display both after you save the rule.
  
 
* '''Policy:''' you need to choose whether to allow or block this service/port.
 
* '''Policy:''' you need to choose whether to allow or block this service/port.
  
* '''Direction:''' use the drop down menu to determine whether the policy applies to incoming or outgoing connections. The direction is from the perspective of your computer. Do you want others to connect to your service (incoming) or do you want to connect to the service running on another system (outgoing).
+
* '''Direction:''' use the drop-down menu to determine whether the policy applies to incoming or outgoing connections. The direction is from the perspective of your computer. Do you want others to connect to your service (incoming) or do you want to connect to the service running on another system (outgoing).
  
* '''Protocol:''' use the drop down menu to select whether the service uses the TCP or UDP protocol.
+
* '''Protocol:''' use the drop-down menu to select whether the service uses the TCP or UDP protocol.
  
* '''Interface:''' use the drop down menu to select the interface that will make or receive the connection.
+
* '''Interface:''' use the drop-down menu to select the interface that will make or receive the connection.
  
Once you have made your selections, press Ok to save the new rule.  
+
Once you have made your selections, press "Ok" to save the new rule.
  
'''NOTE:''' the new rule will not be used by the firewall until the firewall is restarted by clicking the Restart button in the General tab.
+
'''NOTE:''' the new rule will not be used by the firewall until the firewall is restarted by clicking the "Restart" button in the "General" tab.
  
Test that your new rule(s) work as expected. For example, if you create a rule to allow an SSH connection, try connecting to your PC-BSD system using SSH to verify that the firewall is now allowing the connection.
+
Test that your new rule(s) work as expected. For example, if you create a rule to allow an SSH connection, try connecting to your PC-BSD® system using SSH to verify that the firewall is now allowing the connection.
  
 
<noinclude>{{refheading}}</noinclude>
 
<noinclude>{{refheading}}</noinclude>
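Review bot: the restart NOTE in this hunk now quotes the tab as "General", but the same article introduces it as the "General Settings" tab (quoted as such in the hunk at Line 7); the two names should agree, so quote "General Settings" here or rename it consistently in the earlier paragraph.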

Revision as of 11:19, 6 November 2012


PC-BSD® uses the PF firewall[1] to protect your system. By default, the firewall is configured to let your system make Internet connections, use the ping utility, and to communicate with other Windows and Unix-like systems using SMB and NFS.

Advanced users who are already familiar with pf will find the default rulebase in /etc/pf.conf. Users who are not familiar with directly editing this file can instead use the Firewall Manager GUI utility to view and modify the existing firewall rules.

NOTE: typically it is not necessary to change the firewall rules. You should not remove any existing rules unless you fully understand what the rule does. Similarly, you should only add rules if you understand the security implications of doing so, especially if the rule allows connections to your computer.

To access the Firewall Manager, go to Control Panel ➜ Firewall Manager or type pc-su pc-pfmanager. You will be prompted to input the administrative password. Figure 8.16a shows the initial screen when you launch this utility:

Figure 8.16a: Firewall Manager Utility

Firewall1.png

The "General Settings" tab of this utility allows you to:

  • determine whether or not the firewall starts when the system boots; unless you have a reason to do otherwise and understand the security implications, this box should be checked so that your system is protected by the firewall
  • start, stop, or restart the firewall: if you add, delete, or modify a firewall rule, restart the firewall for your changes to take effect
  • restore default configuration: this button allows you to return to the original, working configuration should you not like the changes you make to your firewall rules

To view or modify the firewall rules, click on the "Exceptions" tab, seen in Figure 8.16b:

Figure 8.16b: Adding a New Firewall Rule

Firewall2b.jpeg

In this example, the user has clicked on the "Add entry" button to add a new firewall rule. The following information is needed when creating a rule:

  • Service or Port: you can either select the name of the service you wish to allow or block from the drop-down menu or type in the number of the port used by the service. Which you choose does not matter as the firewall will match the name and number for you and display both after you save the rule.
  • Policy: you need to choose whether to allow or block this service/port.
  • Direction: use the drop-down menu to determine whether the policy applies to incoming or outgoing connections. The direction is from the perspective of your computer. Do you want others to connect to your service (incoming) or do you want to connect to the service running on another system (outgoing).
  • Protocol: use the drop-down menu to select whether the service uses the TCP or UDP protocol.
  • Interface: use the drop-down menu to select the interface that will make or receive the connection.

Once you have made your selections, press "Ok" to save the new rule.

NOTE: the new rule will not be used by the firewall until the firewall is restarted by clicking the "Restart" button in the "General" tab.

Test that your new rule(s) work as expected. For example, if you create a rule to allow an SSH connection, try connecting to your PC-BSD® system using SSH to verify that the firewall is now allowing the connection.
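As an added example (not code from the PC-BSD wiki or from pc-pfmanager), the functions below map the five fields of the "Add entry" form onto a single pf rule, resolving a service name or a port number to both values the way the article says the firewall does. The plain pf syntax with `quick`, and the small embedded services table, are assumptions rather than what the GUI actually writes to /etc/pf.conf.

```python
"""Added example, not code from the PC-BSD wiki or from pc-pfmanager: turn the
five fields of the "Add entry" form into one pf rule, resolving a service name
or port number to both values the way the article says the firewall does."""

# Constructed subset of /etc/services so the example runs offline (assumption:
# the real firewall uses the system services database for this lookup).
SERVICES = {"ssh": 22, "http": 80, "ntp": 123, "netbios-ns": 137, "nfs": 2049}
SERVICE_BY_PORT = {port: name for name, port in SERVICES.items()}


def resolve_service(service_or_port):
    """Return (name, port) for a service name or a port number; a port with
    no known name is reported back as its number, as the GUI would show it."""
    text = str(service_or_port).strip().lower()
    if text.isdigit():
        port = int(text)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {port}")
        return SERVICE_BY_PORT.get(port, text), port
    if text not in SERVICES:
        raise ValueError(f"unknown service name: {text}")
    return text, SERVICES[text]


def pf_rule(service_or_port, policy, direction, protocol, interface):
    """Render the rule. Assumption: plain pf syntax with 'quick', so the rule
    wins over later lines in /etc/pf.conf (pf is otherwise last-match-wins)."""
    protocol = protocol.lower()
    if policy not in ("allow", "block"):
        raise ValueError("policy must be 'allow' or 'block'")
    if direction not in ("incoming", "outgoing"):
        raise ValueError("direction must be 'incoming' or 'outgoing'")
    if protocol not in ("tcp", "udp"):
        raise ValueError("protocol must be 'tcp' or 'udp'")
    name, port = resolve_service(service_or_port)
    action = "pass" if policy == "allow" else "block"
    way = "in" if direction == "incoming" else "out"
    rule = (f"{action} {way} quick on {interface} proto {protocol} "
            f"from any to any port {port}")
    return rule, name


def exposes_service(policy, direction):
    """The case the article's NOTE singles out: a rule that lets other hosts
    connect to a service on this machine, which deserves a second look."""
    return policy == "allow" and direction == "incoming"
```

The rule string is what you would expect to find in /etc/pf.conf after saving and restarting; the article's final step, connecting to the service from another machine, is still the real test.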

References

  1. http://www.openbsd.org/faq/pf/