On 01/31/11 20:30, Patrick Lamaiziere wrote:
> On Sat, 29 Jan 2011 12:39:18 +1000,
> Da Rock <freebsd-questi...@herveybayaustralia.com.au> wrote:
>> I spent some time playing with pf and pf.conf, and followed the
>> directions in the handbook. It redirected me to the openbsd site for
>> pf.conf, and recommended it as the most comprehensive documentation
>> for pf.
>> Firstly, I didn't find that. I had to translate the instructions into
>> the current version used in FreeBSD; OpenBSD appears to be further
>> advanced than this based on the current docs.
>
> Yes, you should refer to the OpenBSD 4.1 Packet FAQ:
> http://ftp.openbsd.org/pub/OpenBSD/doc/history/pf-faq41.pdf
>
>> Secondly, some of the rules don't appear to be following. From my
>> understanding based on the documentation in the handbook and on the
>> site, pf is default allowing traffic.
>
> According to a current discussion on m...@openbsd.org, it allows
> traffic to pass but without creating states.

Exactly. 'permitting' is the term in the handbook I believe.

>> So explicit rules to block
>> should be set first and then rules set to allow what is needed in.
>> Some assumptions are made in the rules by the interpreter, so
>> according to OpenBSD one can (even in the older versions) simply
>> state block and it is interpreted as 'block on $interfaces all'. This
>> turned out to not be the case.
>
> Ah? Do you have an example for this?

Yes. Me, unfortunately, but I did manage to pick it up quite quickly.
I had a little thief attack one of my ports and attempt login on
the firewall. I had to change it to 'block in $log on $ext_if all
block out $log on $ext_if all' to actually block the traffic. Bit of a
doozy really; I'm still monitoring the traffic very closely with tcpdump
on the interface and not the log.

Thankfully I was also getting ready to update and completely rebuild
most (scratch that, all) of my systems to newer and more manageable levels.

>> I know this has come up before, but I think it might be time to
>> document pf.conf properly. It seems to be a bit of a security risk not
>> to. Users may be mistaken in their belief of their security on the
>> network using pf, and may be less likely to trust again when it
>> breaks.
>
> This is true, many things are now more precise in the manual page of
> OpenBSD's PF. But it will be hard to merge only these precisions into our
> pf.conf manual page.
> There are some plans to update PF to a more recent version. So maybe
> it will be better.

Actually, that sounds like a better idea than mine ;) Kills 2 birds with
one stone then...
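The ruleset Da Rock ends up with, spelled out per direction and interface instead of relying on a bare `block` being expanded, written out here as an added example that is not from the thread or any of its participants. The interface name `em0`, the management prefix `192.0.2.0/24` and the macro names are assumptions; `keep state` is written explicitly so the rules read the same on pf versions where it is not the default.

```pf
# Added example (not from the thread): explicit default-deny pf.conf for a
# single-homed FreeBSD host running the OpenBSD 4.1-era pf.
# Macro values are assumptions; replace them with your own.
ext_if   = "em0"
mgmt_net = "192.0.2.0/24"   # constructed example prefix for the admin hosts

# Options and normalisation come first in this pf version's required order:
# skip filtering on loopback, then reassemble/normalise incoming packets.
set skip on lo0
scrub in all

# Block and log everything on the external interface in both directions.
# These go first: without "quick", pf's last matching rule wins, so the
# pass rules below override them only for the traffic we explicitly permit.
# Logged packets appear on pflog0.
block in  log on $ext_if all
block out log on $ext_if all

# Allow this host's own outbound connections; the state entry admits the
# replies, so no separate inbound pass rule is needed for them.
pass out quick on $ext_if keep state

# Admit only SSH, only from the management network, only to this host's
# own address on $ext_if, and only for a fresh TCP handshake (SYN without ACK).
pass in quick on $ext_if proto tcp from $mgmt_net to ($ext_if) port ssh \
    flags S/SA keep state

# Anything else arriving on $ext_if matches no pass rule and falls back to
# the logging block rules above.
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch what the block rules are dropping with `tcpdump -n -e -ttt -i pflog0`, which reads the log interface rather than the raw traffic on `$ext_if` that the message above describes monitoring.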
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"