monotux.tech


Firewall for FreeBSD jails

FreeBSD, firewall, Ansible, YAML

Another note for my future self - this is more or less stolen from Daniel Schmid's blog entry.

Just using a firewall is not security. However, having a firewall in place doesn't hurt. This is one way to run ipfw, via the rc.conf firewall_* settings consumed by /etc/rc.firewall, inside a FreeBSD jail.

Adjust firewall_myservices (the ports you expose) and firewall_allowservices (the hosts allowed to reach them; "any" opens every listed service to all hosts) to your needs. Run this inside the jail; it requires a VNET jail, since only a jail with its own network stack can load its own ipfw ruleset.

  sysrc firewall_type="workstation"
  sysrc firewall_allowservices="any"
  sysrc firewall_logdeny="yes"
  sysrc firewall_quiet="yes"
  sysrc firewall_enable="yes"
  sysrc firewall_myservices="80/tcp 443/tcp"
  service ipfw restart

Update - Ansible

Of course I wrote an Ansible playbook to apply the above on my jails.

  # roles/freebsd/firewall/tasks/main.yml
  ---
  # Each setting falls back to the value from the sysrc commands above unless a
  # role variable with the same name is defined. Keep yes/no values quoted in
  # your vars ("yes"); unquoted, YAML turns them into booleans and sysrc gets "True".
  # Every task notifies the same handler, so ipfw is restarted once, at the end of
  # the play, if anything changed. (Registering every task into one
  # `firewall_changed` variable only keeps the last task's result, and a skipped
  # task reports changed: false, so the restart would usually never fire.)
  - name: Set firewall type
    community.general.sysrc:
      name: firewall_type
      value: "{{ firewall_type | default('workstation') }}"
    notify: Restart ipfw

  - name: Set firewall allowservices
    community.general.sysrc:
      name: firewall_allowservices
      value: "{{ firewall_allowservices | default('any') }}"
    notify: Restart ipfw

  - name: Set firewall myservices
    community.general.sysrc:
      name: firewall_myservices
      value: "{{ firewall_myservices }}"
    when: firewall_myservices is defined
    notify: Restart ipfw

  - name: Set firewall logdeny
    community.general.sysrc:
      name: firewall_logdeny
      value: "{{ firewall_logdeny | default('yes') }}"
    notify: Restart ipfw

  - name: Set firewall quiet
    community.general.sysrc:
      name: firewall_quiet
      value: "{{ firewall_quiet | default('yes') }}"
    notify: Restart ipfw

  - name: Set firewall enable
    community.general.sysrc:
      name: firewall_enable
      value: "{{ firewall_enable | default('yes') }}"
    notify: Restart ipfw

  # roles/freebsd/firewall/handlers/main.yml
  ---
  - name: Restart ipfw
    ansible.builtin.service:
      name: ipfw
      state: restarted

And a few variables:

  firewall_myservices: "22/tcp 80/tcp 443/tcp 443/udp"
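A pre-flight check for the settings above, added here as an example (it is not part of the original post): it reads an rc.conf-style file, verifies the workstation-mode settings are present, and validates every firewall_myservices entry in the explicit port/tcp or port/udp form used on this page, so a typo is caught before `service ipfw restart` loads the ruleset. The sample rc.conf it checks is constructed inline, not taken from a real jail.

```shell
#!/bin/sh
# Check rc.conf firewall settings for the ipfw "workstation" setup used on this
# page. Returns the number of problems found (0 = everything looks sane).

# rc_get FILE NAME: value of NAME in FILE (last assignment wins, quotes stripped)
rc_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

check_rc_firewall() {
    file=$1
    problems=0
    for want in firewall_enable=YES firewall_type=WORKSTATION firewall_logdeny=YES; do
        name=${want%%=*}
        got=$(rc_get "$file" "$name" | tr '[:lower:]' '[:upper:]')
        if [ "$got" != "${want#*=}" ]; then
            echo "$name is '$got', expected '${want#*=}'"
            problems=$((problems + 1))
        fi
    done
    allow=$(rc_get "$file" firewall_allowservices)
    # Stricter than rc.firewall on purpose: only numeric <port>/<tcp|udp>
    # entries (the form used on this page) are accepted.
    for svc in $(rc_get "$file" firewall_myservices); do
        port=${svc%%/*}
        proto=${svc#*/}
        case $proto in
            tcp|udp) ;;
            *) echo "bad protocol in '$svc'"; problems=$((problems + 1)); continue ;;
        esac
        case $port in
            ''|*[!0-9]*) echo "bad port in '$svc'"; problems=$((problems + 1)); continue ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range in '$svc'"; problems=$((problems + 1)); continue
        fi
        # allowservices=any means every listed service is reachable from any host
        if [ "$allow" = any ]; then
            echo "note: $svc is open to all hosts (firewall_allowservices=any)"
        fi
    done
    return "$problems"
}

# Constructed sample matching the settings above (not a real jail's rc.conf)
sample=$(mktemp)
printf '%s\n' 'firewall_enable="YES"' 'firewall_type="workstation"' \
    'firewall_logdeny="YES"' 'firewall_allowservices="any"' \
    'firewall_myservices="22/tcp 80/tcp 443/tcp 443/udp"' > "$sample"
check_rc_firewall "$sample" && echo "rc.conf firewall settings look sane"
rm -f "$sample"
```

Run it inside the jail as `sh check.sh` after the sysrc commands; point `check_rc_firewall` at /etc/rc.conf to check the live file.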