Date: Mon, 14 Feb 2005 21:55:51 -0700
From: Pat Maddox <pergesu@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: Configuring PF
Message-ID: <810a540e05021420555412f1b0@mail.gmail.com>
In-Reply-To: <64a8ad9805021420444eb3ccd2@mail.gmail.com>
References: <810a540e050214203221952797@mail.gmail.com> <64a8ad9805021420444eb3ccd2@mail.gmail.com>
Is there any place I can find a good default ruleset for a server, and just
change what ports I want open? Also, I've noticed that some rulesets will
have different flags and keep state on for certain TCP ports, but not
others. For example, at https://www.section6.net/help/pf.php I found:

#WebServer, HTTPS, 8000
pass in on $extif proto tcp from any to any port 80 flags S/SA
pass in on $extif proto tcp from any to any port $tcp_services flags S/SA synproxy state

tcp_services is {22, 443}

I don't understand why they use synproxy state for 22 and 443, but not 80.

On Mon, 14 Feb 2005 23:44:32 -0500, chip <chip.gwyn@gmail.com> wrote:
> > quickly see what's up. When PF is disabled, I can nmap it in about 9
> > seconds. When I turn it on, it takes over 3 minutes to do. These
> > machines are on the same network, so the connection is obviously fast.
>
> I believe this is because nmap is having to wait on the connections to
> time out. If you tell PF to 'reject' instead of 'drop' it may go a
> bit faster.
>
> --
> Just my $.02, your mileage may vary, batteries not included, etc....
>
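As an added illustration (not part of the thread, and not the section6.net ruleset), here is a minimal default-deny pf.conf for a single-homed FreeBSD server that keeps the open ports in macros and shows the two inbound rule styles side by side; the interface name `em0` and the port lists are assumptions.

```pf
# Added example, not from the mailing-list thread. Interface and port
# lists are assumptions; edit the macros to open or close services.
ext_if = "em0"
tcp_services = "{ 22, 443 }"   # inbound services that get SYN-proxied
web_services = "{ 80 }"        # inbound services with plain keep state

set skip on lo0
# "drop" silently discards blocked packets; "return" sends TCP RST /
# ICMP unreachable instead, which is why a port scan against a
# drop-policy host waits on timeouts and takes far longer to finish.
set block-policy drop

scrub in on $ext_if all

# Default deny in both directions; every pass rule below is a hole in this.
block in log on $ext_if all
block out on $ext_if all

# Outbound: the host may initiate connections; replies are matched by state.
pass out on $ext_if proto { tcp, udp, icmp } from any to any keep state

# keep state: PF creates the state entry on the client's initial SYN
# (flags S/SA = SYN set, ACK clear, other flags ignored) and the host's
# own TCP stack completes the three-way handshake, so a flood of spoofed
# SYNs still reaches the listening daemon's backlog.
pass in on $ext_if proto tcp from any to any port $web_services flags S/SA keep state

# synproxy state: PF completes the handshake with the client itself and
# only then opens the connection to the daemon, so a spoofed SYN never
# reaches sshd or the TLS listener. PF does extra work and holds extra
# state per connection, which is one plausible reason a ruleset might
# proxy low-volume 22/443 but leave a busy port 80 on plain keep state.
pass in on $ext_if proto tcp from any to any port $tcp_services flags S/SA synproxy state
```

Load it with `pfctl -nf /etc/pf.conf` first to check syntax, then `pfctl -f /etc/pf.conf` to activate.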