How to install CrowdSec Firewall Bouncer on FreeBSD
This tutorial will give you all the needed configuration steps to have an up and running firewall protection with Crowdsec Agent on FreeBSD systems.
Packages installationโ
- Update the current package database and install the following packages. Make sure your systems is configured with a FreeBSD official repository either
latest
orquaterly
pkg -vvv|awk '/Repositories:/,/}/'
Repositories:
FreeBSD: {
url : "pkg+http://pkg.FreeBSD.org/FreeBSD:12:amd64/latest",
enabled : yes,
...
You can edit the repository config file by editing /etc/pkg/FreeBSD.conf
. By default, it should have been setup correctly during the OS installation.
sudo pkg update
sudo pkg install crowdsec crowdsec-firewall-bouncer
Firewall Configurationโ
- The FreeBSD firewall
pf
is not loaded by default, you need to load the kernel module:
sudo kldload pf
- Enable it in your
/etc/rc.conf
permanently:
pf_enable="YES"
In order to be able to block and drop traffic, you need to append this minimal /etc/pf.conf
configuration in your pf rules:
# create crowdsec table
table <crowdsec-blacklists> persist
# create crowdsec6 table
table <crowdsec6-blacklists> persist
block drop in quick from <crowdsec-blacklists> to any
block drop in quick from <crowdsec6-blacklists> to any
For more details on the firewall configuration, you could refer to the pf.conf(5) man pages.
- Reload the rules and check config
sudo pfctl -f /etc/pf.conf
sudo pfctl -sr
sudo service pf check
sudo service pf status
Agent Configurationโ
- Copy the sample config:
sudo cp /usr/local/etc/crowdsec/config.yaml.sample /usr/local/etc/crowdsec/config.yaml
Review the YAML settings in the file and updates accordingly.
- Enable it in your
/etc/rc.conf
:
crowdsec_enable="YES"
crowdsec_config="/usr/local/etc/crowdsec/config.yaml"
crowdsec_flags=" -info"
- Start the service Crowdsec Agent
sudo service crowdsec start
sudo service crowdsec status
- List your current machine Agent settings
crowdsec-cli machines list
-------------------------------------------------------------------------------------------------------------
NAME IP ADDRESS LAST UPDATE STATUS VERSION
-------------------------------------------------------------------------------------------------------------
7fb0531dc09a40d288299c8377d6cfe5nJtGyC7TFsUR3XYZ 127.0.0.1 2021-07-22T09:41:47Z โ๏ธ v1.1.1-freebsd
-------------------------------------------------------------------------------------------------------------
Bouncer Configurationโ
- Copy the sample config
sudo cp /usr/local/etc/crowdsec-firewall-bouncer/crowdsec-firewall-bouncer.yaml.sample /usr/local/etc/crowdsec-firewall-bouncer/crowdsec-firewall-bouncer.yaml
- Add the new bouncer and it will generate the token for
{your_api_key}
to use
crowdsec-cli bouncers add --name freebsd-pf-bouncer
- Edit the YAML settings in the file. Make sure the bouncer backend
mode
ispf
(automatically set at installation time).api_url
andapi_key
are mandatory to be set.
api_url: http://localhost:8080/
api_key: <your_api_key>
- List your current bouncers config
$ crowdsec-cli bouncers list
---------------------------------------------------------------------------------------------------------
NAME IP ADDRESS VALID LAST API PULL TYPE VERSION
---------------------------------------------------------------------------------------------------------
freebsd-pf-bouncer 127.0.0.1 โ๏ธ 2021-07-22T09:59:33Z crowdsec-firewall-bouncer v0.0.13-freebsd
---------------------------------------------------------------------------------------------------------
- Enable it in your
/etc/rc.conf
:
crowdsec_firewall_enable="YES"
- Start the service Crowdsec Firewall
sudo service crowdsec_firewall start
sudo service crowdsec_firewall status
Scenarios, Parsers and Collectionsโ
- Use the following scenarios, parsers and collections from the Hub:
sudo crowdsec-cli scenarios install crowdsecurity/ssh-bf
sudo crowdsec-cli parsers install crowdsecurity/sshd-logs
sudo crowdsec-cli parsers install crowdsecurity/syslog-logs
sudo crowdsec-cli collections install crowdsecurity/sshd
- Restart the crowdsec agent
sudo service crowdsec restart
You should now benefit from the Crowdsec signals from the community and your own and be protected against malevolant behaviour.