From: Pat Maddox <pergesu@gmail.com>
Date: Sun, 20 Feb 2005 11:42:41 -0700
To: "Loren M. Lang"
Cc: freebsd-questions@freebsd.org
Subject: Re: Configuring PF
Message-ID: <810a540e05022010423f076b4c@mail.gmail.com>
In-Reply-To: <20050220142339.GD4471@alzatex.com>
References: <810a540e050214203221952797@mail.gmail.com> <20050220142339.GD4471@alzatex.com>

On Sun, 20 Feb 2005 06:23:39 -0800, Loren M. Lang wrote:
> On Mon, Feb 14, 2005 at 09:32:25PM -0700, Pat Maddox wrote:
> > I want to install a firewall on my system. First of all, is PF the
> > one I should be using? It seems to get the most recommendations.
> >
> > I don't actually seem to have any problems configuring it - I just
> > have some problems testing the configuration. I can ssh to the box,
> > and I can access port 80...but I'd like to be able to just scan it to
> > quickly see what's up. When PF is disabled, I can nmap it in about 9
> > seconds. When I turn it on, it takes over 3 minutes to do. These
> > machines are on the same network, so the connection is obviously fast.
>
> This is a good thing, IMHO. Think about all those script kiddies
> sitting out there looking for a nice, juicy server to compromise. If it
> takes them 3 minutes to port scan your machine, they'll probably cancel
> it before it's finished and move on.

That makes sense to me. I'd still like to be able to scan it the first
time around to make sure everything's working, then I can just set it to
drop packets, so it takes longer. I'd still like to find a good example
config file that works well for a web server.

> I believe what's happening is that all ports that aren't open are
> configured to drop packets instead of reject them like is default.
> Reject means send back an error message saying port is closed where
> dropping just ignores it. The port scanner sends out a request and
> waits for a response, either "Hello," or "Sorry, I'm closed." It will
> wait quite a while before it decides that nothing's there.
>
> > Are there any good, pretty simple guides on setting up PF? I'm having
> > a tough time understanding what the rulesets all mean.
>
> --
> I sense much NT in you.
> NT leads to Bluescreen.
> Bluescreen leads to downtime.
> Downtime leads to suffering.
> NT is the path to the darkside.
> Powerful Unix is.
>
> Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
> Fingerprint: B3B9 D669 69C9 09EC 1BCD 835A FAF3 7A46 E4A3 280C
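The thread asks for a minimal pf.conf for a web server and explains why a dropping ruleset makes a verification scan slow. The ruleset below is an added example for this thread, not a config posted by either participant; the interface name em0 and the two published services are assumptions and should be adjusted to the host. It uses "block return" so that a scan from a known-good machine finishes quickly while the rules are being verified, with the "block drop" line ready to swap in afterwards, which is the change Pat describes wanting to make.

```pf
# Added example pf.conf for a small web server (not from the thread).
# Assumptions: external interface is em0; only ssh and http are published.
ext_if = "em0"
tcp_services = "{ ssh, http }"

# Leave the loopback alone and normalize inbound fragments.
set skip on lo0
scrub in on $ext_if all

# Default policy: block everything inbound.
# "block return" answers closed TCP ports with a RST (and UDP with ICMP
# unreachable), so a verification scan completes quickly. Once the ruleset
# is confirmed, comment this line out and uncomment "block drop" so closed
# ports stay silent and scans take much longer, as discussed above.
block return in log on $ext_if all
# block drop in log on $ext_if all

# Reject packets arriving on $ext_if that claim a source address belonging
# to this host's own networks.
antispoof quick for $ext_if

# The server may initiate its own connections (DNS, package updates, etc.).
pass out on $ext_if proto { tcp, udp, icmp } all keep state

# Only the published services are reachable from outside; new connections
# must start with a SYN and are tracked statefully.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
```

Check the file for syntax errors with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the `-n` flag parses the ruleset without installing it, so a typo cannot lock you out of an ssh session.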