I'm in the process of learning how to configure PF on a couple of FreeBSD servers. Here's what I've done so far, in order:
1. I read chapter 31. I kinda agree with decuser because I had no idea which of the 3 firewalls/packet filters to choose. But I did some Googling and people generally said PF was easier to configure (I have no idea if that's true of course) so I went with PF. I'd say chapter 31 is a bit... sparse. I had lots of unanswered questions.
2. I tried the example and BOOM I blocked myself from connecting to the server at my office. I had to get dressed and drive to my office at 2am, sit down at the terminal, and turn off PF. After returning home and sleeping a bit, I decided to Google some PF guides or tutorials. I found the one sidetone linked above, and...
- http://artemisa.unicauca.edu.co/~mtrujillo/OpenBSD/pf/filter.html
- http://home.nuug.no/~peter/pf/en/intro.html (many pages of info)
- https://www.digitalocean.com/community/tutorials/how-to-configure-packet-filter-pf-on-freebsd-12-1 (recent)
3. I made a FreeBSD virtual machine on my home computer. Then I opened a second terminal window, connected to the VM over SSH and kept playing with pf.conf. After the 4th or 5th time of locking myself out of the SSH connection, I was REALLY HAPPY I could just click in the VM window to turn off PF instead of driving to my office in the middle of the night.
4. Once I had a reasonably working set of rules for my VM, I made a new ruleset for the server at our office. The office server has a few web sites so it needs to be public facing. No one except me needs SSH access outside of the office, and only a couple workstations in the office need FTP access (for reasons lol). Here's what I did:
(for anyone new to PF reading this, these are NOT ACTUAL RULES, I'm just summarizing)
- created a whitelist with the office workstations on the local network
- pass my home IP on my custom SSH port
- pass the whitelist for all ports (this lets FTP work on the local network without any weird FTP rules)
- block martians
- block IPs on the blocklist
- block return in log all (<--- that one's an actual rule)
- pass on tcp ports 80, 443, etc
- pass on udp ports 53, 123, etc
I'm still figuring this out and I have LOTS of questions that don't seem to be answered in any of the tutorials. Yes, everyone's firewall rules are going to be different. But I think there's a LOT of room for improvement to the docs. For example...
- should I always use "return" or should I use "drop" sometimes?
- why are the lists of martians slightly different in almost every guide/tutorial?
- why doesn't traceroute work on the server when PF is running?
- should I still use antispoof if I'm blocking all the martians? (someone gave a good reason in another thread)
- should I use the built-in blacklistd or should I use fail2ban?
- do I need to use fail2ban if no one outside of the local network is accessing SSH or FTP?
- and many more... but I'm still studying and learning.
Anyway, I hope this helps someone.
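As an added example (not the poster's actual ruleset), here is one way the summarised rules in step 4 could be written as a pf.conf; the interface names, addresses, table contents and SSH port are placeholder assumptions (documentation-range and private addresses), and it assumes the office workstations reach the server over a separate LAN interface.

```pf
# Added example pf.conf; every name and address below is an assumption.
ext_if = "vtnet0"              # assumption: public-facing interface
int_if = "vtnet1"              # assumption: office LAN interface
ssh_port = "2222"              # assumption: the custom SSH port
home_ip = "203.0.113.10"       # placeholder (RFC 5737 documentation range)

# Office workstations that get full access (the "whitelist"); placeholder hosts
table <office> { 192.168.1.10, 192.168.1.11 }
# Martians: sources that must never arrive from the internet (lists vary by guide)
table <martians> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                   172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4 }
# Blocklist kept across reloads; fill it with: pfctl -t blocklist -T add <addr>
table <blocklist> persist

set skip on lo0
scrub in all

# Default deny: "return" answers with RST/ICMP unreachable instead of dropping silently
block return in log all

# Drop spoofed sources claiming to come from our own networks
antispoof quick for { $ext_if, $int_if }

# Never accept martian or blocklisted sources on the public interface
block in quick on $ext_if from <martians>
block in quick on $ext_if from <blocklist>

# Whitelisted office workstations get every port (lets FTP work on the LAN)
pass in quick on $int_if from <office>

# Admin SSH from the home address only, on the custom port
pass in quick on $ext_if proto tcp from $home_ip to ($ext_if) port $ssh_port

# Public services on any interface
pass in proto tcp to port { 80, 443 }
pass in proto udp to port { 53, 123 }

# Let the server itself open connections; state tracking lets the replies back in
pass out all
```

Check the file with `pfctl -nf /etc/pf.conf` before loading, and load it from a session that has already run `sleep 120 && pfctl -d &` in the background, so a rule that cuts off SSH undoes itself instead of requiring a drive to the office.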