Secure FreeBSD by Allowing Access Only Through Cloudflare Tunnels

This guide shows you how to configure your FreeBSD server so that it accepts connections only through a Cloudflare Tunnel and drops every other inbound packet. This works because cloudflared runs on the server itself and only ever makes outbound connections to Cloudflare, so no listening port has to be exposed to the internet. You can then control who reaches the server using Cloudflare Zero Trust.

Steps

Prerequisites

This article assumes the following:

  • You have a FreeBSD server with SSH access.
  • The server has a properly configured Cloudflare tunnel. If you need help with this, you can follow our Cloudflare Tunnels on FreeBSD 14.3 guide to install cloudflared and set up a tunnel.

Now, let's get started! 🚀

1. Create a private network address for your server.

In the Cloudflare Zero Trust dashboard navigate to Networks > Tunnels > Routes > Add a route.

Under CIDR, enter the address with a /32 mask so that the route covers exactly one host. For example, if you want your server to answer on 10.8.8.2, the CIDR should be 10.8.8.2/32.

NOTE: Use an address from a private range (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16), and pick one that is not already in use on the networks your WARP devices connect from; otherwise the tunnel route and the local LAN compete for the same prefix.

Under 'Tunnel' select the existing tunnel for your server.

Click 'Create'.

2. Add the private network address to your server.

Add the private network address to the local loopback interface. It only needs to exist on lo0, because cloudflared runs on the server itself and delivers the route's traffic to the local stack. In this example, we're using the IP address 10.8.8.2.

ifconfig lo0 alias 10.8.8.2 netmask 255.255.255.255

Check that the private network address has been added.

ifconfig lo0
ping 10.8.8.2

Persist the changes across reboots by using the following command.

sysrc -f /etc/rc.conf ifconfig_lo0_alias0="inet 10.8.8.2 netmask 255.255.255.255"

3. Install WARP on your desktop or laptop.

Install the Cloudflare WARP client on your desktop or laptop and enroll it in your Zero Trust organization; the private route you created in step 1 is only pushed to enrolled devices.

With WARP running on your desktop or laptop you can now SSH to the private Cloudflare tunnel network address of your server.

ssh [email protected]

4. Secure inbound traffic to your server.

Create a rules file at '/etc/ipfw.rules' with the following content. The first rule is the one that makes the whole design work: cloudflared runs on the server and hands traffic for the 10.8.8.2 route to the local stack, so tunnel traffic arrives via lo0 and is accepted, while anything that reaches the server directly from the internet falls through to the deny rules at the end.

#!/bin/sh
ipfw -q -f flush
ipfw -q add 10 allow ip from any to any via lo0 # Allow loopback traffic; this is the path tunnel traffic takes
ipfw -q add 20 allow tcp from any to any established # Allow TCP segments with ACK or RST set, i.e. not new connection attempts (those need a SYN, which this rule does not pass)
ipfw -q add 30 allow icmp from any to any icmptypes 0,3,8,11 # Allow ICMP types 0 (echo reply), 3 (destination unreachable), 8 (echo request) and 11 (time exceeded)
ipfw -q add 40 allow ip from me to any keep-state # Allow traffic the server initiates (TCP and UDP, including cloudflared's outbound connection to Cloudflare) and the replies to it
ipfw -q add 1000 deny log logamount 100 ip from any to me # Deny and log direct inbound traffic; 'logamount 100' caps this rule at 100 log entries so logs are not flooded ('ipfw resetlog' clears the counter)
ipfw -q add 1001 deny ip from any to any # Deny all other traffic

These rules are written for IPv4: 'me' matches only the host's IPv4 addresses. On a server with a global IPv6 address, outbound IPv6 (including cloudflared's connection to Cloudflare, if it chooses IPv6) would be dropped by rule 1001, so add a matching 'allow ip6 from me6 to any keep-state' rule, or disable IPv6 on the host.

Make the rules file executable.

chmod +x /etc/ipfw.rules

Persist the rules across reboots. firewall_logging enables net.inet.ip.fw.verbose so that the log keyword in rule 1000 actually writes to syslog (security facility, /var/log/security by default).

sysrc -f /etc/rc.conf firewall_enable="YES"
sysrc -f /etc/rc.conf firewall_script="/etc/ipfw.rules"
sysrc -f /etc/rc.conf firewall_logging="YES"

5. Reboot and verify.

Before you reboot, make sure you have out-of-band console access (hypervisor console, IPMI or similar). Once the firewall is up, the tunnel is the only way in, and a mistake in the rules takes it away along with everything else. Then reboot and connect via SSH to the private Cloudflare tunnel network address of your server.

reboot
ssh [email protected]

Verify that the IPFW service is running after restart.

service ipfw status

Verify that the rules were loaded. Then, from a machine that is not running WARP, confirm that the server's public address no longer answers on port 22 or on any other port.

ipfw list
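The script below is an added example written for this page; it is not code from the original guide, from Cloudflare or from FreeBSD. It ties together the checks a practitioner wants around steps 1, 4 and 5: a strict test that the route address chosen in step 1 really is a well-formed private address, a lint of the rules file from step 4 that catches the two mistakes that lock you out (a loopback allow numbered after a deny, or no catch-all deny) and, on FreeBSD, runs every rule through 'ipfw -n' to check syntax without touching the kernel, and a dead man's switch for loading the rules so that a bad ruleset disables itself instead of stranding you. The function names, the marker file /tmp/ipfw.confirmed and the rules path /etc/ipfw.rules are this example's own assumptions.

```shell
#!/bin/sh
# Added example written for this page; it is not code from the original guide,
# from Cloudflare or from FreeBSD. Assumptions not stated on the page: FreeBSD's
# base ipfw(8) and /etc/rc.d/ipfw, the rules script at /etc/ipfw.rules, and the
# marker path /tmp/ipfw.confirmed (all function names are this example's own).
set -u

# is_private_ipv4 ADDR: succeed only if ADDR is a well-formed dotted quad in
# 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 (the ranges step 1 asks for).
# Malformed input such as "10.8.8" or "10.8.8.2; rm" fails.
is_private_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;  # non-digit, empty octet, leading/trailing dot
    esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    return 1
}

# lint_rules FILE: check the rules script before it is ever loaded.
#  1. an 'allow ... via lo0' rule must exist and carry a lower number than
#     every deny: ipfw evaluates rules in number order and tunnel traffic
#     arrives on lo0, so a loopback allow placed after a deny blocks the tunnel;
#  2. a catch-all 'deny ... from any to any' must exist;
#  3. on FreeBSD, each 'ipfw ... add' line is parsed with 'ipfw -n', which
#     checks syntax without sending anything to the kernel.
# Prints each problem found and returns non-zero if there were any.
lint_rules() {
    file=$1
    awk '
        BEGIN { bad = 0 }
        { sub(/#.*/, "") }                                  # strip trailing comments
        $1 == "ipfw" {
            num = ""; act = ""
            for (i = 1; i <= NF; i++) if ($i == "add") { num = $(i+1); act = $(i+2) }
            if (act == "allow" && $0 ~ /via lo0/ && lo == "") lo = num
            if (act == "deny" && (dmin == "" || num + 0 < dmin + 0)) dmin = num
            if (act == "deny" && $0 ~ /from any to any/) catchall = 1
        }
        END {
            if (lo == "") { print "no loopback allow rule: tunnel traffic would be blocked"; bad = 1 }
            else if (dmin != "" && lo + 0 > dmin + 0) { print "loopback allow (rule " lo ") is numbered after a deny (rule " dmin ")"; bad = 1 }
            if (!catchall) { print "no catch-all deny rule"; bad = 1 }
            exit bad
        }' "$file" || return 1
    # Syntax check with the real parser when it is available (FreeBSD only).
    command -v ipfw >/dev/null 2>&1 || return 0
    sed 's/#.*//' "$file" |
        awk '$1 == "ipfw" { for (i = 2; i <= NF; i++) if ($i == "add") { sub(/^ipfw[ \t]+/, ""); print; break } }' |
        while read -r args; do
            # shellcheck disable=SC2086  # word splitting is intended here
            ipfw -n $args >/dev/null || { echo "syntax error: ipfw $args"; exit 1; }
        done
}

# apply_with_failsafe [SECONDS]: lint, then load the rules with a dead man's
# switch. Unless confirm_firewall is run within SECONDS (default 120), a
# background job runs 'service ipfw stop', which sets net.inet.ip.fw.enable=0
# and stops filtering, so a bad ruleset costs a minute instead of a trip to
# the console. Run it from an SSH session over the tunnel address: that
# session rides on lo0, so rule 10 keeps it alive across the flush, whereas a
# session to the public address is cut the moment the rules load.
apply_with_failsafe() {
    secs=${1:-120}
    marker=/tmp/ipfw.confirmed
    lint_rules /etc/ipfw.rules || { echo "refusing to load rules"; return 1; }
    rm -f "$marker"
    ( trap '' HUP; sleep "$secs"; [ -f "$marker" ] || service ipfw stop ) >/dev/null 2>&1 </dev/null &
    service ipfw start || return 1
    echo "rules loaded; run confirm_firewall within $secs s or ipfw will be disabled"
}

# confirm_firewall: run this from a fresh SSH session over the tunnel once you
# have verified you can still get in; it cancels the dead man's switch.
confirm_firewall() {
    touch /tmp/ipfw.confirmed
    echo "firewall confirmed"
}

# Usage on the server (FreeBSD):
#   . ./ipfw-preflight.sh
#   is_private_ipv4 10.8.8.2 && echo "private address ok"
#   lint_rules /etc/ipfw.rules
#   apply_with_failsafe 120   # then open a new tunnel SSH session and run confirm_firewall
```

After confirm_firewall, finish the check from the outside: from a host that is not running WARP, 'nc -vz -w 5 <public IP> 22' should time out, while the same command against 10.8.8.2 from an enrolled WARP device should connect. If the lint reports a loopback rule numbered after a deny, renumber the rules rather than loading them; ipfw only ever reaches the allow after the deny has already matched.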

Conclusion

Enjoy your FreeBSD server with Cloudflare Tunnels! Keep in mind that every device enrolled in your Zero Trust organization can reach the route unless you restrict it with Gateway network policies and device enrollment rules, so finish the job there.

Cheers 🥂
