From: "Loren M. Lang" <lorenl@alzatex.com>
To: Pat Maddox
Cc: freebsd-questions@freebsd.org
Date: Sun, 20 Feb 2005 06:23:39 -0800
Subject: Re: Configuring PF
Message-ID: <20050220142339.GD4471@alzatex.com>
In-Reply-To: <810a540e050214203221952797@mail.gmail.com>

On Mon, Feb 14, 2005 at 09:32:25PM -0700, Pat Maddox wrote:
> I want to install a firewall on my system. First of all, is PF the
> one I should be using? It seems to get the most recommendations.
>
> I don't actually seem to have any problems configuring it - I just
> have some problems testing the configuration. I can ssh to the box,
> and I can access port 80...but I'd like to be able to just scan it to
> quickly see what's up. When PF is disabled, I can nmap it in about 9
> seconds. When I turn it on, it takes over 3 minutes to do. These
> machines are on the same network, so the connection is obviously fast.

This is a good thing, IMHO. Think about all those script kiddies sitting
out there looking for a nice, juicy server to compromise. If it takes them
3 minutes to port scan your machine, they'll probably cancel it before it's
finished and move on.

I believe what's happening is that all ports that aren't open are
configured to drop packets instead of rejecting them, as is the default.
Reject means send back an error message saying the port is closed, whereas
dropping just ignores it. The port scanner sends out a request and waits
for a response, either "Hello," or "Sorry, I'm closed." It will wait quite
a while before it decides that nothing's there.

> Are there any good, pretty simple guides on setting up PF? I'm having
> a tough time understanding what the rulesets all mean.

-- 
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: B3B9 D669 69C9 09EC 1BCD 835A FAF3 7A46 E4A3 280C
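A minimal, commented pf.conf that puts the drop-versus-return behaviour discussed in the reply into practice, and that answers the "what do the rules mean" question with one rule per idea. This is an added example, not a file from the original thread or from the FreeBSD project; the interface name fxp0, the LAN prefix 192.168.1.0/24 and the service list { 22, 80 } are assumptions you would replace with your own values.

```pf
# /etc/pf.conf -- added example, not from the original thread.
# Assumed names: fxp0 is the Internet-facing interface, 192.168.1.0/24 is
# the local network the admin scans from, and ssh (22) + http (80) are the
# services that should be reachable from anywhere.
ext_if       = "fxp0"
lan_net      = "192.168.1.0/24"
tcp_services = "{ 22, 80 }"

# Blocked packets are silently discarded (pf's own default). A scanner that
# gets no answer has to wait for its own timeout on every closed port,
# which is why the scan described in the thread took minutes instead of
# seconds.
set block-policy drop
set skip on lo0            # never filter loopback traffic

# Default deny in both directions. pf evaluates rules last-match-wins, so
# the more specific rules below override this one where they match.
block all

# For the admin's own LAN, answer blocked TCP probes with a RST instead of
# silence, so a test scan from the local network finishes quickly again.
# Hosts outside the LAN still get no reply at all.
block return in on $ext_if proto tcp from $lan_net to any

# Let this host open outbound connections, and keep state so that only the
# replies belonging to those connections are allowed back in.
pass out on $ext_if proto { tcp, udp, icmp } from ($ext_if) to any keep state

# Allow new inbound TCP connections (a bare SYN, flags S/SA) to the
# published services; the rest of each connection is matched by state.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services \
    flags S/SA keep state
```

Check the file for syntax errors without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm what is actually active with `pfctl -sr`. With this ruleset a scan from the 192.168.1.0/24 network sees closed ports answered immediately with RSTs, while the same scan from anywhere else waits on every non-published port, which is exactly the timing difference the reply above describes.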