After nearly a week of fighting the dual problem of OpenBSD 3.6 release freezing on my hardware, and some rather odious personalities on the [EMAIL PROTECTED] mailing list, I decided to install FreeBSD 5.3-RELEASE on the web server I am deploying and stick to it.
I went through the webpage on firewalling on FreeBSD (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html) and decided to pick pf as my firewall solution. The OpenBSD guide on this is simply and elegantly written and is very easy to get the hang of. I have created a packet filtering ruleset in /etc/pf.conf, enabled the switches in /etc/rc.conf and am fiddling around with it. I tried to connect on port ssh (22, I think) and did a few tests with different IP addresses and it works as I expect.

Since this beast is going to be a webserver, I wrote the following filter for port www (previously blocking all and scrubbing all, of course):

    pass in on $ext_if proto tcp from any to $ext_if \
        port www flags S/SA keep state \
        (max 200,source-track rule,max-src-nodes 100,max-src-states 3)

Question: Is the above a reasonably good rule for my situation (if you have further questions, fire away)?

Second, whenever I load my rule set (pfctl -f /etc/pf.conf), I get a warning:

    No ALTQ support in kernel
    ALTQ related functions disabled

Now, I would probably want to use queueing and bandwidth allotment if I am to run a webserver that allows a few IP addresses to connect via ssh.

Question: How do I enable ALTQ support in the kernel? And since I have the choice of either using a loadable module for pf (like I am doing) or compiling PF support into the kernel, which is better from a security and performance point of view?

Another issue, unrelated to pf: I am trying to install plone, zope (and a bunch of zope/plone related packages) and apache on the machine. However, the pkg_add process quit with some errors for some of the packages and referred me to some log (which log?) during installation.

Question: Are the versions in the ports tree for these packages "kosher", i.e., do they compile, install and work cleanly?
_______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
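The following is an added example of a complete /etc/pf.conf built around the www rule quoted in the post; it is not code from the original message or from the FreeBSD project. It reads the rule's state options back as comments, restricts ssh to a table of admin addresses, and shows the ALTQ queue assignment the poster was asking about. The interface name fxp0, the addresses in the <ssh_admins> table and the 10Mb link figure are assumptions to be replaced with real values. Two things a practitioner would note about the rule as posted: `max-src-states 3` counts all concurrent connections from one source address, so every browser behind a single NAT gateway shares that budget of three, and the per-source limits only work as intended because `source-track rule` is set, so the counters are scoped to this rule rather than shared globally. The ALTQ block is only honoured by a kernel built with `options ALTQ` and `options ALTQ_CBQ` (plus `options ALTQ_NOPCC` on SMP machines) in the kernel configuration; pf itself can stay a loadable module or be built in with `device pf` and `device pflog`, but ALTQ has no module form, so a kernel rebuild is required either way.

```pf
# Added example pf.conf for a FreeBSD 5.3 web server (not from the original post).
# Interface, table addresses and bandwidth are assumptions; edit before use.

# --- macros and tables -------------------------------------------------
ext_if = "fxp0"                                  # assumed external interface

# Hosts allowed to reach ssh (assumed addresses, documentation range).
table <ssh_admins> const { 192.0.2.10, 192.0.2.11 }

# --- normalization ------------------------------------------------------
scrub in all

# --- queueing (needs options ALTQ and ALTQ_CBQ in the kernel) -----------
# 10Mb is an assumed link speed; set it to the real uplink bandwidth,
# otherwise CBQ cannot shape correctly.
altq on $ext_if cbq bandwidth 10Mb queue { q_std, q_ssh, q_www }
queue q_std bandwidth 10% cbq(default)           # everything not matched below
queue q_ssh bandwidth 20% priority 7 cbq(borrow) # keep admin sessions responsive
queue q_www bandwidth 70% cbq(borrow)            # bulk of the link for HTTP replies

# --- filtering ----------------------------------------------------------
# Default deny, logged to pflog0 so blocked probes can be inspected.
block log all

# Loopback is trusted.
pass quick on lo0 all

# ssh only from the admin table: at most 10 tracked admin hosts, 2 states each.
pass in on $ext_if proto tcp from <ssh_admins> to $ext_if port ssh \
    flags S/SA keep state \
    (source-track rule, max-src-nodes 10, max-src-states 2) queue q_ssh

# The poster's www rule, unchanged apart from the queue assignment.
#   max 200           at most 200 states for this rule in total
#   source-track rule per-source counters scoped to this rule only
#   max-src-nodes 100 at most 100 distinct client addresses tracked
#   max-src-states 3  at most 3 concurrent states per client address
pass in on $ext_if proto tcp from any to $ext_if port www \
    flags S/SA keep state \
    (max 200, source-track rule, max-src-nodes 100, max-src-states 3) \
    queue q_www

# Let the host itself initiate connections (DNS, pkg_add fetches, ntp);
# replies to them come back via the state entry.
pass out on $ext_if proto { tcp udp icmp } from $ext_if to any \
    keep state queue q_std
```

Check the file before loading it with `pfctl -nf /etc/pf.conf`; after loading, `pfctl -sq -v` shows the queues with their counters, and `pfctl -ss` lists the states so the per-source limits can be watched while a browser or `ab`-style client hits port 80. Because only outbound packets can be queued, the `queue` keyword on the two `pass in` rules shapes the replies leaving $ext_if, which for a web server is the traffic that actually matters.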