Thanks. I already know that documentation. I wish I could find documentation about this for PF:

#___________________________________________________________________________
# Kernel protection
#___________________________________________________________________________

# Enable forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

# Disable IP spoofing attacks (reverse-path filtering): off when IPsec is in
# use, loose mode (2) otherwise
if [ "$IPSEC" = "sim" ]
then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 0 > "$f"
    done
else
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 2 > "$f"
    done
fi

# Don't respond to broadcast pings (Smurf amplifier protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Block source routing: 0 drops source-routed packets (1 would accept them)
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

# Enable SYN cookies
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Kill redirects: 0 ignores ICMP redirects (1 would accept them)
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Set our local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

# Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack

I will ask Eduardo Alvarenga. Thanks anyway.

-----Original Message-----
From: Jason Dixon [mailto:ja...@dixongroup.net]
Sent: Monday, May 4, 2009 14:59
To: Ricardo Augusto de Souza
Cc: misc@openBSD.org
Subject: Re: Migration from IPTABLES to PF

On Mon, May 04, 2009 at 02:17:33PM -0300, Ricardo Augusto de Souza wrote:
> Hi,
>
> I have a firewall running on Fedora Core 4 (Stentz) with iptables. The guy
> who installed it left our company some months ago.
> I spent some years far from iptables; now I have to migrate this firewall to
> PF.
> There are some 'special' features on this firewall; I need some documentation
> or help about implementing these features on the new firewall (PF).

The documentation is available online:

http://www.openbsd.org/faq/pf/index.html
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf

I made a quick review of your ruleset. I gave up after a few PgDn's. I
believe it's in your best interests to contact someone that provides
commercial support.

http://www.openbsd.org/support.html

On a good day, someone might step up and help you with this. But I wouldn't
expect it.

Thanks,

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
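The posted script is a list of Linux /proc/sys writes, and the open question in the thread is what each one becomes on an OpenBSD/PF box. The translator below is an added example, not code from either message or from the OpenBSD project: it reads lines of the form `echo VALUE > /proc/sys/net/ipv4/KEY` and prints the corresponding /etc/sysctl.conf line, or a pf.conf rule where PF rather than a sysctl does the job (reverse-path filtering is `urpf-failed`, martian logging is `no-route` plus `antispoof`, SYN cookies are `synproxy state` on the pass rules). Assumptions, also marked in the code: the `$int_if` macro name in the emitted antispoof rule, that `net.inet.tcp.keepidle` takes seconds, and that `icmp_ignore_bogus_error_responses` has no OpenBSD counterpart. The sample input at the bottom is constructed from the posted lines, with the rp_filter loop written out for one interface.

```shell
#!/bin/sh
# Added example (not from the thread): map the Linux /proc/sys/net/ipv4 writes
# in the posted script to OpenBSD equivalents (sysctl.conf lines or pf.conf rules).

out()  { printf '%s: %s\n' "$1" "$2"; }   # "<target file>: <line>"
note() { printf 'note: %s\n' "$1"; }

# translate_line 'echo VALUE > /proc/sys/net/ipv4/KEY'
# Prints nothing for comments and for lines that are not /proc/sys/net/ipv4 writes.
translate_line() {
    line=$1
    case $line in
        '#'*) return 0 ;;                       # commented-out line
        *'>'*'/proc/sys/net/ipv4/'*) ;;         # a redirect into /proc/sys/net/ipv4
        *) return 0 ;;
    esac
    # the value sits between "echo" and ">"; surrounding double quotes are dropped
    val=$(printf '%s\n' "$line" \
        | sed -e 's/^[[:space:]]*echo[[:space:]]*//' -e 's/[[:space:]]*>.*$//' \
              -e 's/^"//' -e 's/"$//')
    key=${line##*/proc/sys/net/ipv4/}
    key=${key%% *}
    case $key in
        ip_forward)
            out sysctl.conf "net.inet.ip.forwarding=$val" ;;
        conf/*/rp_filter)
            # PF has no strict/loose distinction: urpf-failed is a loose check
            if [ "$val" = 0 ]; then
                note "rp_filter=0: no urpf-failed rule (reverse-path check off)"
            else
                out pf.conf "block in quick from urpf-failed"
            fi ;;
        icmp_echo_ignore_broadcasts)
            # sense is inverted: Linux "ignore=1" is OpenBSD "bmcastecho=0"
            if [ "$val" = 1 ]; then v=0; else v=1; fi
            out sysctl.conf "net.inet.icmp.bmcastecho=$v" ;;
        conf/*/accept_source_route)
            out sysctl.conf "net.inet.ip.sourceroute=$val" ;;
        tcp_timestamps|tcp_window_scaling)
            # one knob covers both RFC 1323 options on OpenBSD
            out sysctl.conf "net.inet.tcp.rfc1323=$val" ;;
        tcp_syncookies)
            note "tcp_syncookies: no sysctl here; use 'synproxy state' on the pass rules" ;;
        conf/*/accept_redirects)
            out sysctl.conf "net.inet.icmp.rediraccept=$val" ;;
        icmp_ignore_bogus_error_responses)
            note "$key: no OpenBSD counterpart known (assumption)" ;;
        conf/*/log_martians)
            if [ "$val" = 1 ]; then
                out pf.conf "block in log quick from no-route"
                out pf.conf 'antispoof log for $int_if'   # $int_if: assumed macro name
            fi ;;
        ip_local_port_range)
            set -- $val                              # value is "first last"
            out sysctl.conf "net.inet.ip.portfirst=$1"
            out sysctl.conf "net.inet.ip.portlast=$2" ;;
        tcp_fin_timeout)
            out pf.conf "set timeout tcp.finwait $val" ;;
        tcp_keepalive_time)
            # assumption: keepidle is in seconds; confirm in sysctl(2) before applying
            out sysctl.conf "net.inet.tcp.keepidle=$val" ;;
        tcp_sack)
            out sysctl.conf "net.inet.tcp.sack=$val" ;;
        *)
            note "$key: not in this table" ;;
    esac
}

# translate_script: read a script on stdin, one line at a time
translate_script() {
    while IFS= read -r line; do
        translate_line "$line"
    done
}

# Constructed sample: the posted lines, with the rp_filter loop expanded for one interface.
translate_script <<'EOF'
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 0 > /proc/sys/net/ipv4/tcp_sack
EOF
```

Run it as `sh translate.sh` to see the sample, or feed the real script with `translate_script < firewall.sh`; lines inside the `for f in ...` loop are skipped because their target is a variable, which is why the sample spells out the rp_filter path. The "note:" lines are the places where a PF migration changes shape rather than just renaming a knob, and are worth reading before copying anything into /etc/sysctl.conf or /etc/pf.conf.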