From owner-freebsd-questions@FreeBSD.ORG Mon Jan 31 11:01:51 2011
Message-ID: <4D4695D0.1040604@herveybayaustralia.com.au>
Date: Mon, 31 Jan 2011 20:58:24 +1000
From: Da Rock
To: freebsd-questions@freebsd.org
References: <4D437DD6.4030202@herveybayaustralia.com.au> <20110131113058.71d4e4e8@mr129041.univ-rennes1.fr>
In-Reply-To: <20110131113058.71d4e4e8@mr129041.univ-rennes1.fr>
Subject: Re: PF firewall rules and documentation

On 01/31/11 20:30, Patrick Lamaiziere wrote:
> On Sat, 29 Jan 2011 12:39:18 +1000,
> Da Rock wrote:
>
>> I spent some time playing with pf and pf.conf, and followed the
>> directions in the handbook. It redirected me to the openbsd site for
>> pf.conf, and recommended it as the most comprehensive documentation
>> for pf.
>>
>> Firstly, I didn't find that. I had to translate the instructions into
>> the current version used in FreeBSD; OpenBSD appears to be further
>> advanced than this based on the current docs.
>>
> Yes, you should refer to the OpenBSD 4.1 Packet FAQ:
> http://ftp.openbsd.org/pub/OpenBSD/doc/history/pf-faq41.pdf
>
>> Secondly, some of the rules don't appear to be following. From my
>> understanding based on the documentation in the handbook and on the
>> site, pf is default allowing traffic.
>>
> According to a current discussion on misc@openbsd.org, it allows
> traffic to pass but without creating states.

Exactly. 'permitting' is the term in the handbook, I believe.

>> So explicit rules to block should be set first and then rules set to
>> allow what is needed in. Some assumptions are made in the rules by the
>> interpreter, so according to OpenBSD one can (even in the older
>> versions) simply state block and it is interpreted as 'block on
>> $interfaces all'. This turned out to not be the case.
>>
> Ah? Do you have an example for this?

Yes. Me, unfortunately, but I did manage to pick it up quite quickly though. I had a little thief attack one of my ports and attempt login on the firewall. I had to change it to 'block in $log on $ext_if all' and 'block out $log on $ext_if all' to actually block the traffic. Bit of a doozy really; I'm still monitoring the traffic very closely with tcpdump on the interface and not the log. Thankfully I was also getting ready to update and completely rebuild most (scratch that, all) of my systems to newer and more manageable levels.

>> I know this has come up before, but I think it might be time to
>> document pf.conf properly. It seems to be a bit of a security risk not
>> to. Users may be mistaken in their belief of their security on the
>> network using pf, and may be less likely to trust again when it
>> breaks.
>>
> This is true, many things are now more precise in the manual page of
> OpenBSD's PF. But it will be hard to merge only these precisions in our
> pf.conf manual page.
>
> There are some plans to update PF to a more recent version. So maybe
> it will be better.

Actually, that sounds like a better idea than mine ;) Kills 2 birds with one stone then...
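For reference, here is a minimal default-deny pf.conf written in the form the thread settles on (explicit per-direction block rules on the external interface, then pass rules with state). It is an added example, not a ruleset from the thread or from the FreeBSD/OpenBSD documentation; the interface name em0 is assumed, the passed services are assumptions, and the thread's $log macro is taken to stand for the log keyword.

```conf
# Added example: default-deny pf.conf in the style discussed in the thread.
# Assumptions: external interface is em0; only SSH is accepted inbound.
ext_if = "em0"

set skip on lo0          # never filter loopback traffic
scrub in all             # normalise fragments before the rules are evaluated

# Default deny, stated explicitly per direction and per interface, and
# logged to pflog0 so blocked traffic can be reviewed from the log
# instead of by sniffing the live interface.
block in  log on $ext_if all
block out log on $ext_if all

# Only what is needed is then passed back in. 'keep state' makes the
# return traffic match the state created here rather than a later rule,
# which is the part the default (stateless) pass behaviour does not give.
pass in  on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state
pass out on $ext_if proto { tcp udp icmp } from ($ext_if) to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` (parse only) before loading it, and `pfctl -sr` afterwards to confirm the block rules are the ones in effect. `tcpdump -n -e -ttt -i pflog0` then shows exactly which packets the log keyword recorded as blocked.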