Set up FreeBSD PF on a single-NIC seedbox

Goals:

1) Set up PF on a seedbox.

Requirements:

1) Dedicated server with root access.

Step 1) Configure PF

As root, make a note of your primary interface, usually em0, rm1 or similar:

ifconfig

As root, load the PF kernel module:

kldload pf

Create a new pf.conf file if one does not already exist:

ee /etc/pf.conf

Example pf.conf where:
Interface = em0
SSH port number = 1850 (change to 22 if sshd listens on the default port)
Transmission port number = 7140

## pf.conf FreeBSD 10.1

######## Interfaces

# pf.conf only accepts plain double quotes; curly quotes pasted from a web page are a syntax error
ext_if = "em0"

######## Variables

services_in = "{ 1850, 7140 }"

######## Options:
set block-policy drop
set debug urgent
set limit { frags 10000, states 30000 }
set loginterface $ext_if
set optimization normal
set ruleset-optimization none
set skip on lo
set state-policy if-bound

######## Normalization

# Scrub
scrub in all no-df min-ttl 100 max-mss 1440 fragment reassemble

#
# Packet Filtering
#

# Block invalid packets
block in log quick on $ext_if from no-route
block in log quick on $ext_if from urpf-failed

# Incoming traffic on $ext_if
block drop in on $ext_if all

# Pass in
pass in on $ext_if proto tcp from any to $ext_if port $services_in keep state

# Outgoing traffic on $ext_if
pass out on $ext_if keep state

This blocks all incoming traffic and allows all outgoing traffic by default, with exceptions for SSH and Transmission.

To enable PF, flush it and start it with the config from /etc/pf.conf, run the three commands in order (note: this will disconnect your SSH session, because flushing drops the state of the current connection):

pfctl -e && pfctl -F all && pfctl -f /etc/pf.conf
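A pre-flight check to run before the pfctl line above, added here as an example and not part of the original post. It assumes a POSIX sh and the layout of the pf.conf shown above (a services macro that lists the SSH port); the function names pf_preflight, has_non_ascii and port_is_listed are my own. It catches the two mistakes that lock you out of a single-NIC box: non-ASCII quote characters pasted from a web page (pfctl accepts only plain double quotes, so the load fails after the flush has already run) and a services macro that omits the SSH port. When pfctl is present it also asks pfctl -nf to parse the file without loading it.

```shell
#!/bin/sh
# Pre-flight checks for a pf.conf before it is loaded over SSH (added example,
# not from the original post). Returns 0 when the file passes, 1 otherwise.

# has_non_ascii FILE
# Returns 0 if FILE contains any byte outside 7-bit ASCII once comments are
# stripped. Smart quotes (U+201C/U+201D) are the usual culprit; pfctl only
# accepts plain double quotes.
has_non_ascii() {
    count=$(sed 's/#.*//' "$1" | LC_ALL=C tr -d '\001-\177' | wc -c | tr -d ' ')
    [ "$count" -gt 0 ]
}

# port_is_listed FILE PORT
# Heuristic: PORT must appear as a whole word on a non-comment line. It does
# not expand macros, so a port mentioned only in a comment counts as missing
# and one used in an unrelated setting counts as present.
port_is_listed() {
    sed 's/#.*//' "$1" | grep -qw -- "$2"
}

# pf_preflight FILE SSH_PORT
# Runs every check, prints each failure to stderr, returns 0 only if all pass.
pf_preflight() {
    cfg=$1
    ssh_port=$2
    ok=0
    if [ ! -r "$cfg" ]; then
        echo "FAIL: $cfg is not readable" >&2
        return 1
    fi
    if has_non_ascii "$cfg"; then
        echo "FAIL: $cfg contains non-ASCII characters (smart quotes?)" >&2
        ok=1
    fi
    if ! port_is_listed "$cfg" "$ssh_port"; then
        echo "FAIL: SSH port $ssh_port does not appear in $cfg" >&2
        ok=1
    fi
    # Parse-only check with pfctl itself, when we are on the FreeBSD box.
    if command -v pfctl >/dev/null 2>&1; then
        if ! pfctl -nf "$cfg"; then
            echo "FAIL: pfctl rejected $cfg" >&2
            ok=1
        fi
    fi
    return $ok
}

# Usage: sh pf_preflight.sh /etc/pf.conf 1850 && pfctl -F all && pfctl -f /etc/pf.conf
if [ "$#" -eq 2 ]; then
    pf_preflight "$1" "$2"
fi
```

Only chain `pfctl -F all && pfctl -f /etc/pf.conf` after the script returns 0. To keep the ruleset across reboots, set `pf_enable="YES"` and `pf_rules="/etc/pf.conf"` in /etc/rc.conf (`sysrc pf_enable=YES pf_rules=/etc/pf.conf`). The `log` keyword on the block rules above only produces a record if pflogd is running too (`pflog_enable="YES"`), after which `tcpdump -n -e -ttt -r /var/log/pflog` shows what was dropped.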

PF is now enabled. Configure Transmission as follows:

Disable random port.
Set incoming port to 7140.
