FreeBSD: A Couple Of Dealbreakers 2024-09-08
I generally use Devuan GNU/Linux for both my servers and my desktops, but have been at least a little interested in trying my hand at a BSD. I figure FreeBSD is most likely to suit me, and today I was trying to set up pf as my firewall, and then GELI for disk encryption. I am used to iptables and ipset in Linux and was worried that pf might not be able to manage large sets of addresses and ranges as well as ipset does. It turns out I am also a little weirded out by the LAST matching rule being the one that is applied. Anyways, it seems the tables feature of pf is capable of doing what I need. Here is a massively basic sample pf.conf file:
/etc/pf.conf
# Address lists loaded from files, one address or CIDR range per line
table <wanker> persist file "/etc/wanker"
table <whitelist> persist file "/etc/whitelist"
# Default policy: deny everything inbound, allow everything outbound
block all
pass out all
# Anyone may reach the web server, except addresses in <wanker>
pass in proto tcp from any to any port http
block in proto tcp from <wanker> to any port http
# Whitelisted addresses may reach any service (last matching rule wins)
pass in from <whitelist> to any
The wanker and whitelist files contain various IP addresses and ranges in CIDR notation, one per line. The next couple of lines define the basic default policies, and the last three lines permit or deny access to http or to "any" service. This basic structure will allow anyone to access the web server on my box, unless they are on the wanker list. To make sure I don't accidentally block myself I can just add my personal IP addresses to the whitelist. There is an additional keyword "quick" that makes pf stop evaluating at the first matching rule, but I guess if I have shit in the correct order that shouldn't be necessary. The wanker list can be rewritten any time and then the firewall can be restarted with:
pfctl -F all -f /etc/pf.conf
which will reset all current state information and reread the ruleset [and the table files].
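As an added example (not from the original post), here is a small POSIX sh helper that checks a table file for malformed IPv4 entries before loading it, and then reloads just that table with pfctl -t/-T replace so the rest of the ruleset and the state table are left alone. The table names and file paths follow the pf.conf above; the function names are my own, and the check covers IPv4 only.

```shell
#!/bin/sh
# Added example, not from the original post: check a pf table file for
# malformed IPv4 entries, then load just that table into the running pf.
# Table names and paths follow the pf.conf above; function names are mine.

# valid_cidr ENTRY: 0 if ENTRY is an IPv4 address or a.b.c.d/N range, else 1.
valid_cidr() {
    case $1 in
        */*) addr=${1%/*}; prefix=${1#*/} ;;
        *)   addr=$1;      prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac   # digits only
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs # split on dots
    [ $# -eq 4 ] || return 1                        # exactly four octets
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_table_file FILE: report every bad entry on stderr; 0 if none found.
# Blank lines and # comments are allowed, as pf itself allows them.
check_table_file() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t')
        [ -n "$line" ] || continue
        if ! valid_cidr "$line"; then
            printf '%s: bad entry: %s\n' "$1" "$line" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    [ "$bad" -eq 0 ]
}

# reload_table NAME FILE: replace the live table contents (e.g. <wanker>)
# without flushing the ruleset or the state table. Needs root and pf.
reload_table() {
    check_table_file "$2" || return 1
    pfctl -t "$1" -T replace -f "$2"
}
```

Because -F all flushes the rules before -f reloads them, a malformed table entry that makes the ruleset fail to parse can leave the box with no rules at all; pfctl -nf /etc/pf.conf parses the ruleset without loading it and is worth running before the full reload.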
The other dealbreaker for me is that I must be able to encrypt my root filesystem. It seems FreeBSD's most common filesystems are UFS and ZFS. It also seems that an encrypted root on UFS isn't possible... at least not that I could find. I have little use for the extra features ZFS provides, but I guess it is what I'll end up using. Anyways, it turns out the installer actually lets you simply select encryption for your root filesystem and for the swap partition too. The bad news is that the installer doesn't tell you much about the encryption it is using... but it DOES do the encryption. So, maybe with these dealbreakers out of the way I'll be able to make a little headway and try a publicly available service on a FreeBSD box.