Date: Mon, 09 Feb 2015 14:20:43 -0500
From: Daniel Corbe <corbe@corbe.net>
To: Lowell Gilbert <freebsd-questions-local@be-well.ilk.org>
Cc: freebsd-questions <freebsd-questions@freebsd.org>, Chris Stankevitz <chrisstankevitz@gmail.com>
Subject: Re: /etc/pf.conf missing
Message-ID: <87twyuj3hw.fsf@corbe.net>
In-Reply-To: <44h9uvvwkd.fsf@lowell-desk.lan> (Lowell Gilbert's message of "Mon, 09 Feb 2015 12:12:02 -0500")
References: <CAPi0pss6Sd7VWcDSR6JgSnJjOXVuxBLteL12dqM8KD=kpnBsAg@mail.gmail.com> <44h9uvvwkd.fsf@lowell-desk.lan>
Lowell Gilbert <freebsd-questions-local@be-well.ilk.org> writes:

> Chris Stankevitz <chrisstankevitz@gmail.com> writes:
>
>> Q: Should I be alarmed?
>>
>> Handbook section 30.3.1 says "The default ruleset is already created
>> and is named /etc/pf.conf" but that file does not exist on my hard
>> drive.
>
> The Handbook (or at least the obvious interpretation of what it says;
> the awkward phrasing may mean that it was mis-edited at some point) is
> incorrect.
>
> I'm not sure that a one-size-fits-all default ruleset (of the sort that
> exists for ipfw) is practical for pf.

The first time I ever messed with pf it was extremely difficult finding
practical examples. Maybe what the distribution needs is more of this and
less of a one-size-fits-all approach.

Teaching tools in the form of configuration examples is also a great way
to get people thinking about security issues. For example: How do you get
small offices and home users thinking about inbound connectivity to their
IPv6 endpoints now that NAT is no longer a thing?

And I know NAT is a terrible example of a security model; but generally
speaking, people are going to want NAT-like functionality in IPv6 where
you're only passing inbound traffic to inside hosts on established
connections. i.e.:

    # Default deny
    block out inet6 all
    block in inet6 all

    # NAT-like behavior
    pass out inet6 proto tcp flags S/SA keep state
    # "flags" and "modulate state" are TCP-only options in pf, so the
    # UDP/ICMPv6 rule just keeps state
    pass out inet6 proto { udp, icmp6 } keep state

    # Inbound rules go here
    ...
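A fuller version of the stateful IPv6 host ruleset sketched above, added here as an illustration and not taken from the post: it keeps the default-deny and "replies only" shape, adds the ICMPv6 control messages an IPv6 host cannot function without, and opts in one inbound service. The interface name em0 and the ssh rule are assumptions.

```pf
# Added example, not part of the original message. Assumed interface: em0.
ext_if = "em0"

set skip on lo0

# Default deny in both directions. Log inbound drops so they show up on
# pflog0 (tcpdump -n -e -ttt -i pflog0) and the policy can be verified.
block in log inet6 all
block out inet6 all

# ICMPv6 is not optional in IPv6: neighbor discovery, router
# advertisements and path-MTU discovery all ride on it. A blanket
# "block in inet6 all" silently breaks address resolution, so the
# control messages are passed explicitly. Echo requests are allowed
# so the host stays diagnosable; drop that line if you prefer otherwise.
pass out inet6 proto icmp6 all keep state
pass in inet6 proto icmp6 all icmp6-type { neighbrsol, neighbradv, \
    routeradv, toobig, unreach, paramprob, timex } keep state
pass in inet6 proto icmp6 all icmp6-type echoreq keep state

# NAT-like behaviour: connections initiated from this host go out, and
# only the replies matching that state are let back in. "flags S/SA" and
# "modulate state" are TCP-only; UDP simply keeps state.
pass out inet6 proto tcp all flags S/SA modulate state
pass out inet6 proto udp all keep state

# Inbound services are opted in one rule at a time. Assumed: ssh only.
pass in on $ext_if inet6 proto tcp to ($ext_if) port ssh \
    flags S/SA keep state
```

Check the syntax without loading it using `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`.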
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?87twyuj3hw.fsf>