From owner-freebsd-questions@FreeBSD.ORG Tue Apr 27 19:47:05 2010
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A6706106564A for ; Tue, 27 Apr 2010 19:47:05 +0000 (UTC) (envelope-from vince@unsane.co.uk)
Received: from unsane.co.uk (unsane-pt.tunnel.tserv5.lon1.ipv6.he.net [IPv6:2001:470:1f08:110::2]) by mx1.freebsd.org (Postfix) with ESMTP id 5E8B08FC0C for ; Tue, 27 Apr 2010 19:47:05 +0000 (UTC)
Received: from vhoffman-macbook.local ([10.0.0.173]) (authenticated bits=0) by unsane.co.uk (8.14.4/8.14.3) with ESMTP id o3RJkfO7051452 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for ; Tue, 27 Apr 2010 20:46:42 +0100 (BST) (envelope-from vince@unsane.co.uk)
Message-ID: <4BD73F21.1030504@unsane.co.uk>
Date: Tue, 27 Apr 2010 20:46:41 +0100
From: Vincent Hoffman
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
References: <20100427193106.GA91570@elwood.starfire.mn.org>
In-Reply-To: <20100427193106.GA91570@elwood.starfire.mn.org>
X-Enigmail-Version: 1.0.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: Really simple spam trap - /dev/pf permissions?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 27 Apr 2010 19:47:05 -0000

On 27/04/2010 20:31, John wrote:
> This seems to be working pretty well, and I'll eventually take the
> print statement out, but I'm not sure why I had to make /dev/pf
> public read/write in order to get the pfctl command to work.
>
> What is the best solution to be able to add to my spammers table
> in pf without making it public read/write?
It would probably make more security sense to add the user that the script is running as to a group (say pfctl), then make the /dev/pf device group owned by the pfctl group and group writable. Other options include sudo access for your script's user to run a specific pfctl command.

Vince
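One way to implement the "specific pfctl command" option Vince mentions, as an added example that is not part of the original thread or of FreeBSD itself: a small wrapper that sudoers points at, which accepts exactly one validated IPv4 address and then runs the one pfctl table command the spam trap needs. The point of validating inside the wrapper is that a sudoers entry for "pfctl" alone would let the script user pass any arguments to pfctl (flush the table, load a new ruleset), whereas the wrapper keeps the delegated privilege to "add one address to this table". The group name pfctl, the user name spamtrap, the table name spammers and the script path are placeholders assumed for this example; the devfs.conf and sudoers lines in the header comment are the deployment the wrapper assumes.

```sh
#!/bin/sh
# pf-addspammer.sh: wrapper for the one privileged operation the spam
# trap needs, adding an address to a pf table, so the script user never
# needs write access to /dev/pf and never runs an unrestricted pfctl.
#
# Assumed deployment (example only, not from the original thread):
#   Option 1, group ownership of /dev/pf via /etc/devfs.conf:
#     own  pf root:pfctl
#     perm pf 0660
#   Option 2, delegate just this wrapper via sudoers:
#     spamtrap ALL=(root) NOPASSWD: /usr/local/sbin/pf-addspammer.sh
#
# "pfctl" (group), "spamtrap" (user), "spammers" (table) and the script
# path are placeholder names for this example.

TABLE="${PF_TABLE:-spammers}"
PFCTL="${PFCTL:-/sbin/pfctl}"

# valid_ipv4 ADDR: returns 0 only for a dotted-quad IPv4 address whose
# four octets are 0-255 with no leading zeros. Shell metacharacters,
# extra words, CIDR suffixes and hostnames are all rejected, so sudo can
# never be used to hand pfctl attacker-chosen arguments.
valid_ipv4() {
    addr=$1
    case $addr in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*) return 1 ;; esac   # reject 01, 007, ...
        [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# add_spammer ADDR: validate, then add the address to the table. With
# DRY_RUN=1 the pfctl command line is echoed instead of executed, so the
# wrapper can be exercised on a machine without pf.
add_spammer() {
    if ! valid_ipv4 "$1"; then
        echo "pf-addspammer: rejected argument: $1" >&2
        return 2
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$PFCTL -t $TABLE -T add $1"
        return 0
    fi
    "$PFCTL" -t "$TABLE" -T add "$1"
}

# Exactly one argument is accepted. sudo passes through whatever the
# caller typed, so the wrapper, not sudoers, enforces the shape.
if [ $# -eq 1 ]; then
    add_spammer "$1"
elif [ $# -gt 1 ]; then
    echo "usage: pf-addspammer.sh ADDR" >&2
    exit 64
fi
```

Usage from the spam trap script would then be `sudo /usr/local/sbin/pf-addspammer.sh "$ip"`; the same wrapper also works unchanged with option 1 (run directly by a member of the pfctl group), and in both cases the table name stays fixed in the wrapper rather than being chosen by the caller.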