From: Patrick Lamaiziere
To: freebsd-questions@freebsd.org
Cc: Da Rock
Date: Mon, 31 Jan 2011 11:30:58 +0100
Subject: Re: PF firewall rules and documentation
Message-ID: <20110131113058.71d4e4e8@mr129041.univ-rennes1.fr>
In-Reply-To: <4D437DD6.4030202@herveybayaustralia.com.au>
References: <4D437DD6.4030202@herveybayaustralia.com.au>
X-Mailer: Claws Mail 3.7.6 (GTK+ 2.20.1; i386-portbld-freebsd8.1)

On Sat, 29 Jan 2011 12:39:18 +1000, Da Rock wrote:

> I spent some time playing with pf and pf.conf, and followed the
> directions in the handbook. It redirected me to the openbsd site for
> pf.conf, and recommended it as the most comprehensive documentation
> for pf.
>
> Firstly, I didn't find that. I had to translate the instructions into
> the current version used in FreeBSD; OpenBSD appears to be further
> advanced than this based on the current docs.

Yes, you should refer to the OpenBSD 4.1 Packet FAQ:
http://ftp.openbsd.org/pub/OpenBSD/doc/history/pf-faq41.pdf

> Secondly, some of the rules don't appear to be following. From my
> understanding based on the documentation in the handbook and on the
> site, pf is default allowing traffic.

According to a current discussion on misc@openbsd.org, it allows traffic
to pass but without creating states.

> So explicit rules to block should be set first and then rules set to
> allow what is needed in. Some assumptions are made in the rules by the
> interpreter, so according to OpenBSD one can (even in the older
> versions) simply state block and it is interpreted as 'block on
> $interfaces all'. This turned out to not be the case.

Ah? Do you have an example of this?

> I know this has come up before, but I think it might be time to
> document pf.conf properly. It seems to be a bit of a security risk not
> to. Users may be mistaken in their belief of their security on the
> network using pf, and may be less likely to trust again when it
> breaks.

This is true; many things are now more precise in the manual page of
OpenBSD's PF. But it will be hard to merge only these precisions into our
pf.conf manual page. There are some plans to update PF to a more recent
version, so maybe it will be better.

Regards.
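The point raised in the thread (pf passes traffic by default, so the deny must be stated explicitly and first, and a bare `block` is shorthand for blocking on all interfaces) as an added example ruleset, not code from either poster. It assumes a single-homed host whose external interface is `em0`; the interface name and the ssh-only policy are assumptions.

```pf
# Added example ruleset for a single-homed host (assumed interface em0).
ext_if = "em0"

# Loopback is trusted; do not filter it at all.
set skip on lo0

# Make the default explicit. With no matching rule pf lets traffic through
# (and creates no state), so the first rule denies everything on every
# interface. A bare "block" is shorthand for "block all"; "log" is added so
# drops appear on pflog0 when pflog is enabled.
block log all

# Let the host initiate connections; the state entry admits the replies.
pass out quick inet proto { tcp, udp, icmp } from ($ext_if) to any keep state

# Only explicitly listed services are reachable from outside.
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state
```

`pfctl -nvf /etc/pf.conf` parses the file without loading it and prints each rule in expanded form, which is the quickest way to see what a shorthand such as `block` actually became on the running version; `pfctl -sr` shows the ruleset currently loaded.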