On 8/24/05, Jason Crawford <[EMAIL PROTECTED]> wrote:
> On 8/23/05, Will H. Backman <[EMAIL PROTECTED]> wrote:
> > > -----Original Message-----
> > > From: j knight [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, August 23, 2005 4:47 PM
> > > To: Will H. Backman
> > > Subject: Re: /usr/share/pf/ suggestion
> > >
> > > --- Quoting Will H. Backman on 2005/08/23 at 14:59 -0400:
> > >
> > > > Would it be useful to add an example pf rule set for just a simple host?
> > > > All of the examples assume a router.
> > > >
> > >
> > > This would be more useful in the faq. Please send what you've written.
> > >
> > > :-)
> > >
> > >
> > > .joel
> >
> > # pf rules for a stand alone machine.
> >
> > #Change external interface to match yours
> > ext_if=xl0
> >
> > scrub in all
> >
> > block in all
> >
> > pass out keep state
> >
> > pass quick on lo all
> >
> First off, it should be, set skip on lo0 (or lo, but by default
> there's only one lo interface anyways). Secondly, it seems pretty
> pointless to setup pf on a single host.
>
Actually you need not see PF as a tool that can be implemented only on a firewall and so on. For example, if you have a LAN that has webservers, ftp servers and so on in it, protecting the entire LAN and its servers from the Internet with an OpenBSD firewall and PF is good! But doing that alone would put the systems on your LAN, especially servers, at risk from internal threats. You could enable PF on your servers and have appropriate rules to allow only certain hosts or users to access certain services on them. You could enable PF on your workstations and with appropriate rules it will act as an excellent personal firewall. This is especially true if you are connecting your servers, computers and laptops directly to the internet. Jacek Artymiak explains its importance in his book "Building Firewalls with OpenBSD and PF".

> Instead of worrying about the
> firewall, which takes up more memory and cpu and all that, just shut
> off services that you don't need and be done with it. If the attacker
> can hurt your OpenBSD machine, then your firewall is vulnerable as
> well, and it won't protect any applications that need open ports
> listening. Turning off services is always much better than turning on
> services (pf) if you need protection.
>

I think turning on PF and putting the right kind of rules in /etc/pf.conf is the best thing you can do on any OpenBSD system if your concern is security.

> And the way OpenBSD is setup by
> default, nothing is listening except a couple inetd services (which I
> always turn off),
>

If you enable PF and want FTP traffic to function properly with active FTP servers then you must enable ftp-proxy in inetd.conf and should not disable it.

> and sshd if you said y in install, that's it.
>

Following the patches and applying them as soon as they are released should keep you securely running the ssh service in your OpenBSD.
Of course you should be careful not to allow direct root access and follow best practices like not giving dictionary words as passwords etc. to your users.

Hope this helps :-)

kind regards
Siju
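The following /etc/pf.conf is an added example for the stand-alone host case discussed in this thread; it is not Will's rule set nor anything from the OpenBSD FAQ. It folds in Jason's `set skip on lo0` correction and Siju's point about letting only certain hosts reach a service (here sshd). The interface name `xl0` is taken from Will's rules, and the addresses in the `<admins>` table are constructed placeholders. It is written in the 2005-era syntax of the thread, with `flags S/SA keep state` spelled out; on current OpenBSD those are the defaults and may be omitted.

```pf
# Added example: pf.conf for a single OpenBSD host that runs sshd and
# nothing else reachable from the network. Not the thread's own rule set.

ext_if="xl0"                           # assumption: change to your interface
table <admins> { 192.0.2.10, 192.0.2.11 }   # constructed sample admin hosts

# Loopback traffic is never filtered (the fix suggested in the thread,
# instead of "pass quick on lo all").
set skip on lo0

# Normalise fragments and odd packets before they reach the rules.
scrub in all

# Default deny in both directions; "log" lets you see what was dropped
# with tcpdump on pflog0.
block in log all
block out log all

# Only the listed admin hosts may open a TCP connection to sshd on this
# host's own address; every other inbound packet falls to the block rule.
pass in on $ext_if inet proto tcp from <admins> to ($ext_if) port ssh \
        flags S/SA keep state

# Answer echo requests so the host stays reachable for monitoring.
pass in on $ext_if inet proto icmp icmp-type echoreq keep state

# The host may start any connection outbound; state tracking lets the
# replies back in without a matching "pass in" rule.
pass out on $ext_if keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm what is active with `pfctl -sr` (rules) and `pfctl -t admins -T show` (table contents). For a workstation that should accept no connections at all, drop the sshd and icmp `pass in` rules and keep the rest; for a server offering additional services, add one `pass in` rule per service, each restricted to the hosts that need it, as the ssh rule does.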