From owner-freebsd-questions@FreeBSD.ORG Tue Mar 1 17:24:48 2005
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8FC0E16A4CE for ; Tue, 1 Mar 2005 17:24:48 +0000 (GMT)
Received: from smtpauth05.mail.atl.earthlink.net (smtpauth05.mail.atl.earthlink.net [209.86.89.65]) by mx1.FreeBSD.org (Postfix) with ESMTP id 05F7443D5F for ; Tue, 1 Mar 2005 17:24:48 +0000 (GMT) (envelope-from algould@datawok.com)
Received: from [206.255.31.21] (helo=[192.168.63.10]) by smtpauth05.mail.atl.earthlink.net with asmtp (TLSv1:RC4-MD5:128) (Exim 4.34) id 1D6B71-0000eg-CG; Tue, 01 Mar 2005 12:24:47 -0500
From: "Andrew L. Gould"
To: freebsd-questions@freebsd.org, Madhusudan Singh
Date: Tue, 1 Mar 2005 11:25:35 -0600
User-Agent: KMail/1.6.2
References:
In-Reply-To:
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <200503011125.35214.algould@datawok.com>
X-Originating-IP: 206.255.31.21
Subject: Re: A possibly simple query about pf on FreeBSD 5.3-RELEASE
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 01 Mar 2005 17:24:48 -0000

On Tuesday 01 March 2005 10:44 am, Madhusudan Singh wrote:
> After nearly a week of fighting the dual problem of OpenBSD 3.6
> release freezing on my hardware, and some rather odious personalities
> on the misc@openbsd mailing list, I decided to install FreeBSD
> 5.3-RELEASE on the web server I am deploying and stick to it.
>
> I went through the webpage on firewalling on FreeBSD
> (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html)
> and decided to pick pf as my firewall solution. The OpenBSD
> guide on this is simply and elegantly written and is very easy to get
> the hang of.
>
> I have created a packet filtering ruleset in /etc/pf.conf, enabled
> the switches in /etc/rc.conf and am fiddling around with it. I tried
> to connect on port ssh (22, I think) and did a few tests with
> different IP addresses and it works as I expect.
>
> Since this beast is going to be a webserver, I wrote the following
> filter for port www :
>
> (previously blocking all and scrubbing all of course)
>
> pass in on $ext_if proto tcp from any to $ext_if \
>     port www flags S/SA keep state \
>     (max 200, source-track rule, max-src-nodes 100, max-src-states 3)
>
> Question :
>
> Is the above a reasonably good rule for my situation (if you have
> further questions, fire away) ?
>
> Second, whenever I load my rule set (pfctl -f /etc/pf.conf), I get a
> warning :
> No ALTQ support in kernel
> ALTQ related functions disabled
>
> Now, I would probably want to use queueing and bandwidth allotment if
> I am to run a webserver that allows a few IP addresses to connect via
> ssh.
>
> Question :
>
> How do I enable ALTQ support in the kernel ? And since I have the

Add the following line to your kernel configuration file and compile/install a new kernel.

options ALTQ

For instructions regarding kernel configuration/installation, see Chapter 8 of the online manual:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html

> choice of either using a loadable module for pf (like I am doing) or
> compiling in PF support into the kernel, which is better from a
> security and performance pov ?

pf is compiled into the GENERIC kernel by default in FreeBSD 5.3.
>
> Another issue, unrelated to pf :
>
> I am trying to install plone, zope (and a bunch of zope/plone related
> packages) and apache on the machine. However, the pkg_add process
> quit with some errors for some of the packages and referred me to some
> log (which log ?) during installation.
>
> Question :
>
> Are versions in the ports tree for these packages "kosher", i.e., do
> they compile, install and work cleanly ?

Best of luck,

Andrew Gould
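As an added illustration (not part of the original thread), the www rule from the question placed in a complete pf.conf, with the state-tracking options annotated, an ssh rule restricted to an address table, and a CBQ queue set that only becomes usable once the kernel has ALTQ support (a CBQ queue needs `options ALTQ_CBQ` in the kernel configuration in addition to `options ALTQ`). The interface name, table contents and bandwidth figures are assumptions for illustration.

```pf
# Added example pf.conf, not from the original thread. Interface name,
# table contents and bandwidth figures are assumptions for illustration.
ext_if = "fxp0"                      # assumed external interface name

# Hosts allowed to reach ssh; addresses are constructed placeholders.
table <ssh_admins> { 192.0.2.10, 192.0.2.11 }

# Queueing: needs 'options ALTQ' and 'options ALTQ_CBQ' in the kernel,
# otherwise pfctl reports "No ALTQ support in kernel" and skips these.
altq on $ext_if cbq bandwidth 2Mb queue { q_def, q_ssh, q_www }
queue q_def bandwidth 10% cbq(default)
queue q_ssh bandwidth 20% priority 7 cbq(borrow)
queue q_www bandwidth 70% priority 4 cbq(borrow)

# Normalise all incoming traffic, then deny anything not explicitly passed.
scrub in all
block in log all

# ssh only from the admin table; flags S/SA means only a SYN creates state.
pass in on $ext_if proto tcp from <ssh_admins> to $ext_if \
    port ssh flags S/SA keep state queue q_ssh

# www from anywhere, with the per-source limits from the original rule:
#   max 200            at most 200 concurrent states created by this rule
#   source-track rule  count per-source states for this rule only
#   max-src-nodes 100  track at most 100 distinct source addresses
#   max-src-states 3   at most 3 simultaneous states per source address
# A SYN that would exceed any of these limits is dropped, which caps how
# much state a single client, or all clients together, can make pf hold.
pass in on $ext_if proto tcp from any to $ext_if \
    port www flags S/SA keep state \
    (max 200, source-track rule, max-src-nodes 100, max-src-states 3) \
    queue q_www

# Let the host's own outbound connections (and their replies) through.
pass out on $ext_if keep state
```

Load it with `pfctl -f /etc/pf.conf` and check the limits are being enforced with `pfctl -s state` and `pfctl -s Sources`, which lists the tracked source addresses and their current state counts.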