From: Madhusudan Singh
To: freebsd-questions@freebsd.org
Date: Tue, 1 Mar 2005 11:44:19 -0500
Subject: A possibly simple query about pf on FreeBSD 5.3-RELEASE

After nearly a week of fighting the dual problem of OpenBSD 3.6 release freezing on my hardware, and some rather odious personalities on the misc@openbsd mailing list, I decided to install FreeBSD 5.3-RELEASE on the web server I am deploying and stick to it.
I went through the webpage on firewalling on FreeBSD (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html) and decided to pick pf as my firewall solution. The OpenBSD guide on this is simply and elegantly written and is very easy to get the hang of. I have created a packet filtering ruleset in /etc/pf.conf, enabled the switches in /etc/rc.conf and am fiddling around with it. I tried to connect on port ssh (22, I think) and did a few tests with different IP addresses and it works as I expect.

Since this beast is going to be a webserver, I wrote the following filter for port www (previously blocking all and scrubbing all of course):

    pass in on $ext_if proto tcp from any to $ext_if \
        port www flags S/SA keep state \
        (max 200, source-track rule, max-src-nodes 100, max-src-states 3)

Question: Is the above a reasonably good rule for my situation (if you have further questions, fire away)?

Second, whenever I load my rule set (pfctl -f /etc/pf.conf), I get a warning:

    No ALTQ support in kernel
    ALTQ related functions disabled

Now, I would probably want to use queueing and bandwidth allotment if I am to run a webserver that allows a few IP addresses to connect via ssh.

Question: How do I enable ALTQ support in the kernel? And since I have the choice of either using a loadable module for pf (like I am doing) or compiling PF support into the kernel, which is better from a security and performance pov?

Another issue, unrelated to pf: I am trying to install plone, zope (and a bunch of zope/plone related packages) and apache on the machine. However, the pkg_add process quit with some errors for some of the packages and referred me to some log (which log?) during installation.

Question: Are versions in the ports tree for these packages "kosher", i.e., do they compile, install and work cleanly?
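The fragment below is an added example, not part of the original message or of FreeBSD's sample pf.conf: it places the www rule quoted above inside a complete default-deny ruleset together with an ALTQ CBQ queue layout of the kind the message asks about. The interface name em0, the two administrator addresses, the 10Mb link rate and the queue names are assumptions chosen for illustration.

```pf
# Assumed interface and administrator hosts (constructed example values).
ext_if      = "em0"
admin_hosts = "{ 192.0.2.10, 192.0.2.11 }"

# ALTQ needs a kernel built with "options ALTQ" and "options ALTQ_CBQ";
# the pf.ko module then uses those queues. 10Mb is the assumed uplink.
altq on $ext_if cbq bandwidth 10Mb queue { q_ssh, q_www, q_default }
queue q_ssh     bandwidth 10% priority 7 cbq(borrow)   # keep admin ssh responsive
queue q_www     bandwidth 80% priority 4 cbq(borrow)   # bulk of the link for http
queue q_default bandwidth 10% cbq(default)             # everything else

# Normalise fragments and odd TCP options before filtering.
scrub in all

# Default deny in both directions; later matching pass rules win.
pass quick on lo0 all
block in log all
block out all

# Outbound traffic originated by the server itself.
pass out on $ext_if proto { tcp, udp, icmp } from $ext_if to any \
    keep state queue q_default

# ssh only from the administrator hosts, on its own queue.
pass in on $ext_if proto tcp from $admin_hosts to $ext_if port ssh \
    flags S/SA keep state queue q_ssh

# Public web service: the rule from the message, with per-source limits
# (at most 200 states, tracked per source, 100 sources, 3 states each)
# and its reply traffic assigned to the www queue.
pass in on $ext_if proto tcp from any to $ext_if port www \
    flags S/SA keep state \
    (max 200, source-track rule, max-src-nodes 100, max-src-states 3) \
    queue q_www
```

Check the file with pfctl -nf /etc/pf.conf before loading it, and watch queue usage with pfctl -vsq once the ALTQ-enabled kernel is running.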