Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 09 Feb 2015 14:20:43 -0500
From:      Daniel Corbe <corbe@corbe.net>
To:        Lowell Gilbert <freebsd-questions-local@be-well.ilk.org>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>, Chris Stankevitz <chrisstankevitz@gmail.com>
Subject:   Re: /etc/pf.conf missing
Message-ID:  <87twyuj3hw.fsf@corbe.net>
In-Reply-To: <44h9uvvwkd.fsf@lowell-desk.lan> (Lowell Gilbert's message of "Mon, 09 Feb 2015 12:12:02 -0500")
References:  <CAPi0pss6Sd7VWcDSR6JgSnJjOXVuxBLteL12dqM8KD=kpnBsAg@mail.gmail.com> <44h9uvvwkd.fsf@lowell-desk.lan>
next in thread | previous in thread | raw e-mail | index | archive | help 

Lowell Gilbert <freebsd-questions-local@be-well.ilk.org> writes:

> Chris Stankevitz <chrisstankevitz@gmail.com> writes:
>
>> Q: Should I be alarmed?
>>
>> Handbook section 30.3.1 says "The default ruleset is already created
>> and is named /etc/pf.conf" but that file does not exist on my hard
>> drive.
>
> The Handbook (or at least the obvious interpretation of what it says;
> the awkward phrasing may mean that it was mis-edited at some point) is
> incorrect. 
>
> I'm not sure that a one-size-fits-all default ruleset (of the sort that
> exists for ipfw) is practical for pf.
>
>

The first time I ever messed with pf it was extremely difficult finding
practical examples.   Maybe what the distribution needs is more of this
and less of a one-size-fits-all approach.

Teaching tools in the form of configuration examples is also a great way
to get people thinking about security issues.  For example:

How do you get small offices and home users thinking about inbound
connectivity to their IPv6 endpoints now that NAT is no longer a thing?

And I know NAT is a terrible example of a security model; but generally
speaking, people are going to want NAT-like functionality in IPv6 where
you're only passing inbound traffic to inside hosts on established
connections.

IE:

# Default deny
block out inet6 all
block in inet6 all

# NAT-like behavior
pass out inet6 proto tcp flags S/SA keep state
pass out inet6 proto {udp, icmp6} flags S/SA modulate state

# Inbound rules go here
...

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?87twyuj3hw.fsf>