From: Gavin Spomer
To: freebsd-pf@freebsd.org
Date: Tue, 29 Jan 2008 09:23:48 -0800
Subject: Re: How does /dev/pf get created?
Message-id: <479EF0A402000090000132D4@hermes.cwu.edu>

>>> David DeSimone 01/28/08 3:50 PM >>>
> Gavin Spomer wrote:
> >
> > Although it was new to me, a couple of quick glances at man pages and
> > experiments produced a /dev/pf for me.
>
> Can you tell us what it was that you changed? Someone else may need to
> know, someday.

You're absolutely right.
I guess I forgot my obligation in my excitement to go home yesterday. ;)

Here's what I did:

1. cp /etc/defaults/devfs.rules /etc/
2. chmod u+w /etc/devfs.rules
3. vi /etc/devfs.rules: Added "add path pf unhide" to the [devfsrules_unhide_basic=2] ruleset
4. vi /etc/devfs.conf: Added "own pf root:wheel" and "perm pf 0660". *
5. shutdown -r now

* I don't know if my permissions/ownerships for /dev/pf are correct, but I looked at other devices and made a guess. Anyone know what they're supposed to be?

Just noticed I don't have pflog or pfsync devices either, so I guess I'll create those too.

> > One thing I really dig so far about pf versus the firewall I use on my
> > SuSE machines (iptables), is that I don't have to reboot for changes
> > to take effect. Way happy about that! :)
>
> It has been a while since I worked with iptables, but I have NEVER had to
> reboot in order to make changes to it. That is just bizarre!

I never took the time to actually write my own iptables rules, but SuSE has a built-in mechanism that simplified it: SuSEfirewall2. Basically you just have a fairly simple config file to edit and SuSEconfig writes the rules for you. In the O'Reilly book Linux Server Security (2nd Edition), it says "... all you do is edit the file /etc/sysconfig/SUSEfirewall2 (in earlier versions of SUSE, /etc/rc.conf.d/firewall2.rc.config), run SUSEconfig, and reboot". So I've been doing it that way ever since. But after a quick Googling, it seems that maybe I don't have to reboot and can just run "/sbin/rcSuSEfirewall2 restart". Just an example of one of the times I wasn't very thorough in investigating something. ;)

- Gavin
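As an added example, not code from the thread, here is a POSIX sh audit script that parses devfs.rules(5) text the way the steps above rely on, checks that a ruleset actually unhides a given device path, and (on FreeBSD only) reports the owner and mode of /dev/pf so a permission guess like the one in step 4 can be verified. The sample ruleset text is constructed; the ruleset and device names come from the post.

```shell
#!/bin/sh
# Added example, not code from the thread: helpers to audit the /dev/pf setup
# described above. Rule text is read from stdin so the parser runs on any
# POSIX sh host; the live stat(1) check only runs on FreeBSD.

# Print the non-comment rule lines of one ruleset from devfs.rules(5) text.
# $1 = ruleset name without its "=N" number; devfs.rules contents on stdin.
ruleset_body() {
    awk -v want="$1" '
        /^\[/ { inset = (index($0, "[" want "=") == 1); next }
        inset && NF && substr($1, 1, 1) != "#" { print }
    '
}

# Succeed (exit 0) when ruleset $1 contains an "add path $2 unhide" rule.
unhides_path() {
    ruleset_body "$1" |
        grep -Eq "^[[:space:]]*add[[:space:]]+path[[:space:]]+'?$2'?[[:space:]]+unhide[[:space:]]*$"
}

# Succeed when an octal mode grants nothing to "other" (last digit is 0):
# 0600 and the post's 0660 pass, 0666 fails.
no_world_access() {
    case "$1" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Constructed sample in the layout of /etc/defaults/devfs.rules, including
# the line the post added to the devfsrules_unhide_basic ruleset.
SAMPLE_RULES='[devfsrules_hide_all=1]
add hide
[devfsrules_unhide_basic=2]
add path log unhide
add path null unhide
add path pf unhide
[devfsrules_unhide_login=3]
add path "tty*" unhide'

if printf '%s\n' "$SAMPLE_RULES" | unhides_path devfsrules_unhide_basic pf; then
    echo "sample: pf is unhidden by devfsrules_unhide_basic"
fi

# Live check, FreeBSD only: stat -f prints owner:group and the octal mode.
if [ "$(uname -s)" = FreeBSD ] && [ -e /dev/pf ]; then
    set -- $(stat -f '%Su:%Sg %OLp' /dev/pf)
    echo "/dev/pf is owned by $1 with mode $2"
    no_world_access "$2" || echo "WARNING: /dev/pf is accessible to everyone"
fi
```

Feed the real file with `unhides_path devfsrules_unhide_basic pf < /etc/devfs.rules` to confirm the edit from step 3 landed in the intended ruleset rather than another one.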