From owner-freebsd-questions@FreeBSD.ORG Wed Feb 16 12:26:11 2005
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8F1EB16A4CE for ; Wed, 16 Feb 2005 12:26:11 +0000 (GMT)
Received: from zephon.secspace.de (zephon.secspace.de [62.75.136.210]) by mx1.FreeBSD.org (Postfix) with ESMTP id DA94D43D31 for ; Wed, 16 Feb 2005 12:26:10 +0000 (GMT) (envelope-from ml@ps102.de)
Received: from [192.168.17.11] (pD9E1C4F8.dip.t-dialin.net [217.225.196.248]) by zephon.secspace.de (Postfix) with ESMTP id 228216EB29 for ; Wed, 16 Feb 2005 13:26:08 +0100 (CET)
Message-ID: <42133BFD.1090004@ps102.de>
Date: Wed, 16 Feb 2005 13:26:37 +0100
From: Volker Kindermann
User-Agent: Mozilla Thunderbird 1.0 (X11/20050206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
References: <810a540e050214203221952797@mail.gmail.com> <64a8ad9805021420444eb3ccd2@mail.gmail.com> <810a540e05021420555412f1b0@mail.gmail.com>
In-Reply-To: <810a540e05021420555412f1b0@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: Configuring PF
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 16 Feb 2005 12:26:11 -0000

Hi Pat,

> Is there any place I can find a good default ruleset for a server, and
> just change what ports I want open?

pf originates at openbsd. There you'll find lots of documentation, the pf-faq, and the (as always in the BSD world) excellent manpages. In addition there's the pf-repository at: https://solarflux.org/pf/

And there are some books which include examples.

> Also, I've noticed that some rulesets will have different flags and
> keep state on for certain TCP ports, but not others.
> For example, at
> https://www.section6.net/help/pf.php I found:
>
> #WebServer, HTTPS, 8000
> pass in on $extif proto tcp from any to any port 80 flags S/SA
> pass in on $extif proto tcp from any to any port $tcp_services flags S/SA synproxy state
>
> tcp_services is {22, 443}
>
> I don't understand why they use synproxy state for 22 and 443, but not 80

Because synproxy as a security feature has a drawback: speed. Do you understand what synproxy does? It completes the three-way handshake at the firewall first and only if this succeeds it forwards the connection to the (web)server. This takes some small amount of time. Acceptable with protocols like ssh and https but mostly unacceptable with http.

-volker
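For readers who want both halves of the thread in one place, here is a minimal server ruleset written as an added example. It is not from the original messages or from the section6.net page; the interface name `fxp0`, the macro names and the choice of ports are assumptions. It pairs the plain-state rule for HTTP with the synproxy rule for SSH and HTTPS so the trade-off Volker describes is visible side by side. The `flags S/SA` part means "of the SYN and ACK bits, only SYN may be set", so each rule matches only the first packet of a new connection and pf creates the state entry from that packet.

```pf
# Added example pf.conf (not from the original thread).
# Assumed: external interface fxp0; the server only offers SSH, HTTP and HTTPS.
ext_if        = "fxp0"
synproxy_tcp  = "{ 22, 443 }"

# Loopback traffic is never filtered.
pass quick on lo0 all

# Default deny inbound on the external interface; log what is blocked.
block in log on $ext_if all

# Outbound traffic from the server itself is allowed and stateful.
pass out on $ext_if all keep state

# HTTP: ordinary stateful rule. The first SYN matches (flags S/SA),
# pf records a state, and the SYN goes straight to the web server.
# No extra round-trip at the firewall, so no added latency per connection.
pass in on $ext_if proto tcp from any to any port 80 flags S/SA keep state

# SSH and HTTPS: synproxy. pf answers the SYN itself, waits for the
# client's ACK to finish the handshake, and only then opens a connection
# to the daemon and splices the two together. Spoofed SYNs never reach
# sshd or the TLS listener, at the cost of one extra handshake's worth of
# delay on every new connection, which is why port 80 is left out.
pass in on $ext_if proto tcp from any to any port $synproxy_tcp flags S/SA synproxy state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. While a synproxied connection is being set up, `pfctl -s state` shows it in the `PROXY:SRC` / `PROXY:DST` states rather than the usual `SYN_SENT` / `ESTABLISHED` ones, which is an easy way to confirm which rule a connection matched. Two caveats: synproxy only works when pf sees both directions of the connection, and on newer pf releases `flags S/SA keep state` is already the default for TCP pass rules, so the explicit words are redundant there but harmless.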