From: johnc <johnc909@comcast.net>
Date: Mon, 17 Jan 2005 12:37:41 -0800
To: freebsd-pf@freebsd.org
Subject: Re: Looking for docs on installing pf with FreeBSD 5.2.1
Message-ID: <41EC2215.7080303@comcast.net>
In-Reply-To: <1105986198.41ec0296e22ae@mail.fluidhosting.com>
References: <41EB7268.7090802@comcast.net> <1105986198.41ec0296e22ae@mail.fluidhosting.com>
List-Id: Technical discussion and general questions about packet filter (pf)

Hmm, yeah, given the state of documentation, etc., on 5.2.1 for pf, patching
up to 5.3 is probably the way to go. I do run a low-volume web server/NAT
gateway at home, and was just hoping to get it up with a minimum of perturbing
the core of my system. But if I really want pf, I guess that's inevitable, it
seems. Well, time to try my hand at cvsup :)

Thanks,
-John

pf-r@solarflux.org wrote:

>>> I'm running FreeBSD 5.2.1, and can't seem to find any comprehensive docs
>>> on getting pf running on it. I've followed what's in the handbook, but
>>> the kernel config file doesn't recognize the device statements for pf.
>>> I really would like to avoid upgrading the system to 5.3+, if possible.
>>>
>>> Any pointers?
>
> The best and easiest way to have the most secure system and recent pf code is
> to cvsup your FreeBSD 5.2.1 system to a patched 5.3-RELEASE, IMO. Not sure if
> -STABLE or -CURRENT would offer newer pf code, but if this is a production
> box, neither -STABLE nor -CURRENT is recommended anyway.
>
> There are plenty of comprehensive docs on updating (via cvsup) your 5.2.1
> system to the latest security branch (RELENG_5_3). Then you'll have pf as a
> loadable kernel module already in the system. I believe the pf-enabling
> instructions in the handbook are for 5.3.
>
> Quick and dirty cvsup steps (see Appendix A.5 in the handbook):
>
> Create a supfile referencing RELENG_5_3
> Cvsup
> Make buildworld
> Add appropriate pf* lines in kernel config (copy of GENERIC)
> Make buildkernel
> Make installkernel
> Reboot to single user mode (optional)
> Make installworld
> Mergemaster
> Exit to multiuser (only if you are in single user mode)
> Play with PF
>
> I've built PF and ALTQ the manual way (on 5.0/5.1) and longed for the day
> when I could just cvsup my system and be done with it.
>
>> there is a port: /usr/ports/security/pf.
>> Installing PF from there is pretty straightforward.
>> I use it on several FreeBSD 5.2.1 machines.
>
> The ports version is based on OpenBSD 3.4 code, so it's fairly dated. Not
> saying it's bad, but it doesn't have many of the newer features that the
> recent/latest code provides.
>
> HTH
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
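The cvsup procedure from the quoted reply, written out as an added example (my own sketch, not code from the thread or the handbook). The mirror host, the supfile path, the i386 config directory and the kernel name PFKERNEL are assumptions; the supfile tracks the RELENG_5_3 security branch the reply recommends.

```sh
#!/bin/sh
# Added example, not from the thread: supfile plus kernel-config edits behind
# the "quick and dirty cvsup steps". Host, paths and PFKERNEL are assumptions.
set -eu

# Emit a supfile that tracks the RELENG_5_3 security branch for src.
# cvsup.FreeBSD.org is a placeholder; the handbook says to pick a nearby mirror.
make_supfile() {
    cat <<'EOF'
*default host=cvsup.FreeBSD.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=RELENG_5_3
*default delete use-rel-suffix
src-all
EOF
}

# Copy GENERIC to a new config and append the pf devices (and ALTQ, which the
# reply also mentions). $1 = source config, $2 = destination config.
add_pf_to_kernel() {
    cp "$1" "$2"
    cat >>"$2" <<'EOF'
# packet filter
device      pf
device      pflog
device      pfsync
# ALTQ traffic shaping
options     ALTQ
options     ALTQ_CBQ
options     ALTQ_PRIQ
EOF
}

# The update itself, in the order the reply gives. Run only on purpose
# (invoke the script with "run"): it rebuilds and reinstalls the system.
rebuild_system() {
    make_supfile >/root/releng53-supfile
    cvsup -g -L 2 /root/releng53-supfile
    add_pf_to_kernel /usr/src/sys/i386/conf/GENERIC /usr/src/sys/i386/conf/PFKERNEL
    cd /usr/src
    make buildworld
    make buildkernel KERNCONF=PFKERNEL
    make installkernel KERNCONF=PFKERNEL
    # reboot to single-user mode at this point, then finish with:
    make installworld
    mergemaster
}

if [ "${1:-}" = run ]; then rebuild_system; fi
```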