From: Frank Shute <frank@woodcruft.co.uk>
To: byrnejb@harte-lyne.ca
Cc: freebsd-questions@freebsd.org
Date: Sat, 10 Dec 2016 02:23:47 +0000
Subject: Re: FreeBSD Firewalls
Message-ID: <20161210022347.GA44570@lime.woodcruft.co.uk>
In-Reply-To: <0a48b8819c28d211b5ec390007bc81a7.squirrel@webmail.harte-lyne.ca>
User-Agent: Mutt/1.7.1 (2016-10-04)
X-Operating-System: FreeBSD 11.0-RELEASE-p1 amd64
On Thu, Dec 08, 2016 at 04:44:43PM -0500, James B. Byrne via freebsd-questions wrote:
>
> With these rules in effect when I run gvim from the sh -X session on
> the FreeBSD host I get this error:
>
> gvim /etc/pf.conf
> backupdir=~/.vim/tmp
>
> E233: cannot open display
> Press ENTER or type command to continue
>
> If the firewall is not enabled then the gvim X-window opens on my
> remote desktop (gnome2) without error.
>
> What ports, besides 22, is gvim trying to open? Why is this traffic
> not passed (tunnelled) along the established ssh connection?
>
> Thanks,

My advice: don't use gvim as root and over ssh; use vim instead. With the latter not using X, you avoid a pile of permission problems and it will be a lot quicker whether you're on a crappy link or not.

With regards to pf, there are a few resources I've found useful. The OpenBSD FAQ for a start:

https://www.openbsd.org/faq/pf/

One thing to note is that some features of pf are not built into the GENERIC kernel. For example, to enable tables, you need to stick some lines in your kernconf to build altq(4). So in my kernconfig, I've got these lines:

options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ

There are some options above that I don't and possibly will never use, but for the minimal performance hit they may cause, it saves me possibly doing a buildkernel/world cycle in the mysterious future.

Of course, by building your own kernel it means you can no longer use freebsd-update(8) and have to use the make buildworld/installworld procedure as documented in the Handbook and /usr/src/UPDATING.

When expressing blocks of addresses, pf uses CIDR format:

https://web.archive.org/web/20150213012421/http://public.swbell.net/dedicated/cidr.html

Something that I was completely ignorant about; it was all class a/b/c with netmasks 32/24/16/8 when I was a lad....
One of the first things you will want to do is write a rule for all the muppets who try to persistently log on to 22 without a key and hence fill up your logs:

https://home.nuug.no/~peter/pf/en/bruteforce.html

When creating your rules use "log" liberally. When a rule is behaving itself, then you can remove the "log" keyword from the rule.

You can see what's going on with tcpdump(1) and a useful utility in ports: sysutils/pftop, which I tend to keep running 24/7 in an xterm so I can keep an eye on any possible irregularities and addresses I need to add to my table/file.

Regards,

-- 
Frank

https://woodcruft.co.uk/
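The brute-force table and the liberal use of "log" that Frank recommends, shown as an added pf.conf example written for this edit (it is not from the message above, from the linked bruteforce page or from the FreeBSD project; the interface name in ext_if, the table name bruteforce and the connection thresholds are assumed values to adjust for your own host):

```pf
# /etc/pf.conf fragment: throttle repeated SSH connection attempts.
# ext_if, the table name and the thresholds below are assumed values.
ext_if = "em0"

# Persistent table of offending source addresses; "persist" keeps the
# table (and its entries) across rule reloads even when it is empty.
table <bruteforce> persist

# Drop, and log, anything arriving from an address already in the table.
# "quick" stops rule evaluation here, so no later pass rule can override it.
block log quick from <bruteforce>

# Allow new SSH sessions but track per-source connection counts:
# more than 15 concurrent connections from one source, or more than
# 5 new connections within 3 seconds, moves that source into
# <bruteforce> and "flush global" kills all of its existing states.
pass in log quick on $ext_if proto tcp to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
```

Load it with `pfctl -f /etc/pf.conf`, list who has been caught with `pfctl -t bruteforce -T show`, and watch what the "log" keyword records with `tcpdump -n -e -ttt -i pflog0`. Because a few mistyped passwords from your own workstation can land you in the table too, a cron entry running `pfctl -t bruteforce -T expire 86400` drops entries that have been idle for a day rather than blocking them forever; once the rule is behaving, the "log" keywords can come off as Frank describes.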