I won’t put any system on the Internet without some sort of packet filter or firewall. Especially not a file server containing important data. While I have a FreeNAS 8 box, it doesn’t come with a firewall. FreeBSD includes three firewalls, IPFW, IPF, and PF. Any one of these would do, but I’m most comfortable with PF, so I decided to add PF to my FreeNAS install.
This will not add a firewall to the GUI. You must manage your rules remotely. The FreeNAS backup will not back up your rules. The good news is, once your firewall works the rules don’t change very frequently.
First, get the appropriate kernel module. You’ll need the ISO for the version of FreeBSD that your FreeNAS is based on. FreeNAS 8.0 is based on FreeBSD 8.2. I’m running the amd64 version of FreeNAS, so I need the amd64 version of FreeBSD 8.2. The version must match as exactly as possible: your 8-stable amd64 desktop might work, but it might make your FreeNAS box crash and die.
Mount the ISO.
$ mdconfig -a -t vnode -f $HOME/FreeBSD-8.2-RELEASE-amd64-livefs.iso
md0
$ mount -t cd9660 /dev/md0 /mnt
I previously installed FreeNAS on a 2GB USB stick. For this process, I shut down my FreeNAS box and mounted the USB drive on my FreeBSD machine. You could work directly on the FreeNAS image and re-install it on the USB drive, or even work directly on the live FreeNAS box. I’m assuming you’re working on a USB stick.
$ mount /dev/da0s1 /mnt
Start by getting the PF kernel module from the ISO onto your USB drive.
$ cp /media/boot/kernel/pf.ko /mnt/boot/kernel/
Now for the tricky bit. FreeNAS is based on the FreeBSD diskless system. (Obligatory plug: I did half a chapter on diskless operation in Absolute FreeBSD.) It uses the /conf directory to create a series of memory-based filesystem overlays, creating a MFS /tmp, /etc, and so on. This means that any changes you make to, say, /etc/pf.conf will not survive a reboot. You must edit the original versions of these files, in /conf/base/etc.
In /conf/base/etc/rc.conf, add
pf_enable=YES
Put your pf.conf in the same directory. Configuring PF is left as an exercise for the reader.
Any firewall changes made to a running system must appear in /etc/pf.conf and in /conf/base/etc/pf.conf. I suggest changing the base file, and copying changes to /etc.
I’d assume pf/etc aren’t built into FreeNAS since it’s not that common to put NAS/file server devices on the public internet.
Not that it shouldn’t have a firewall anyway.
So in what scenario is this FreeNAS box on the internet?
I need extra disk on some virtualization machines.
Should there be a firewall? Sure. Once the economy loosens, there probably will be.
hi,
thanks for the tutorial, I’ll try it on v 8.3
If I login and make mount -rw /, can I copy the .ko mudules online, would I get the same results?
I am with hdd installation, not with usb, and it’s much easier for me to do so…
what do you think?
Dilyan