Date: Wed, 16 Feb 2005 13:26:37 +0100
From: Volker Kindermann <ml@ps102.de>
To: freebsd-questions@freebsd.org
Subject: Re: Configuring PF
Message-ID: <42133BFD.1090004@ps102.de>
In-Reply-To: <810a540e05021420555412f1b0@mail.gmail.com>
References: <810a540e050214203221952797@mail.gmail.com> <64a8ad9805021420444eb3ccd2@mail.gmail.com> <810a540e05021420555412f1b0@mail.gmail.com>
Hi Pat,

> Is there any place I can find a good default ruleset for a server, and
> just change what ports I want open?

pf originates at OpenBSD. There you'll find lots of documentation, the pf-faq, and the (as always in the BSD world) excellent manpages. In addition there's the pf-repository at: https://solarflux.org/pf/

And there are some books which include examples.

> Also, I've noticed that some rulesets will have different flags and
> keep state on for certain TCP ports, but not others. For example, at
> https://www.section6.net/help/pf.php I found:
> #WebServer, HTTPS, 8000
> pass in on $extif proto tcp from any to any port 80 flags S/SA
> pass in on $extif proto tcp from any to any port $tcp_services flags
> S/SA synproxy state
>
> tcp_services is {22, 443}
>
> I don't understand why they use synproxy state for 22 and 443, but not 80

Because synproxy as a security feature has a drawback: speed. Do you understand what synproxy does? It completes the three-way handshake at the firewall first and only if this succeeds it forwards the connection to the (web)server. This takes some small amount of time. Acceptable with protocols like ssh and https but mostly unacceptable with http.

-volker
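The split Volker describes, written out as a complete minimal pf.conf for a single server; this is an added example, not a ruleset from the thread or from section6.net, and the interface name em0 is an assumption.

```pf
# Added example: minimal server ruleset with synproxy only where the
# handshake delay is acceptable (ssh, https) and plain stateful
# filtering for http, where latency matters more.

ext_if = "em0"                 # assumption: external interface
tcp_services = "{ 22, 443 }"   # ssh and https: low connection rate, latency tolerable

set skip on lo0                # no filtering on loopback

scrub in all                   # normalise/defragment incoming packets

# Default deny inbound; log blocked packets for review with tcpdump -n -e -ttt -i pflog0
block in log all

# Outbound traffic from the server itself, stateful
pass out quick on $ext_if keep state

# http: accept only initial SYNs (flags S/SA) and track state.
# The kernel TCP stack answers the handshake directly, so no extra delay.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 flags S/SA keep state

# ssh/https: pf completes the three-way handshake on the server's behalf
# and only then creates the state and hands the connection to the daemon.
# A client that never finishes the handshake (a SYN flood) never reaches
# the daemon's listen queue. synproxy state also implies modulate state.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services flags S/SA synproxy state

# Allow ping to the server
pass in inet proto icmp from any to ($ext_if) icmp-type echoreq keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -ss` then shows the states pf created for each rule.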