There are currently 3 options for firewalls in FreeBSD: IPF, IPFW, and PF. Each is configured differently on FreeBSD. OSSEC will attempt to check for IPFW and then PF, falling back to IPF if neither of these was found at the time of installation.
The OSSEC install script will check rc.conf to determine which firewall is currently active.
It first greps for firewall_enable=”YES”, and enables IPFW if this is found. IPFW support is enabled by copying the
The installation script will then look for ``pf_enable=”YES”` in the rc.conf, and will enable PF instead if this is found. The script for pf is pf.sh.
If neither of these is found, the default firewall-drop.sh script will be installed. This script will use attempt to use IPF to block IPs.
Copy the appropriate script from the OSSEC source to
/var/ossec/active-response/bin/firewall-drop.sh on the agent.